System | Network | Cloud Administrator
Deployed a comprehensive LAN and WAN infrastructure for a company with one main office and one branch. Designed VLANs for departments across floors, ensuring segmentation and traffic optimization.
Configured VLANs to isolate traffic for departments such as Marketing, HR, R&D, and Accounting. Implemented Trunk links between switches and VTP for VLAN synchronization across the network.
Enabled inter-VLAN routing using ROAS on a Layer 3 device. Integrated Layer 3 switching for performance optimization across VLANs.
Applied ACLs to control traffic access. Enabled Port-Security to restrict unauthorized MAC addresses. Configured NAT (PAT & Static) to allow internet access and public-to-private service publishing.
Deployed FHRP (HSRP/VRRP) to ensure default gateway redundancy. Configured IPsec VPN for secure site-to-site connection between HQ and branch.
Integrated Syslog for centralized log collection and SNMP v3 for secure device monitoring and management.
Designed and deployed centralized server systems for a company, improving user access, data security, and IT manageability. Included File Server, ADDS, DHCP, DNS, RADIUS, and domain controller redundancy.
Configured Active Directory, Certificate Services, DHCP, DNS, and Network Policy Server on Windows Server 2022. Applied GPOs for user restrictions and access control across organizational units.
Built redundant web servers with Apache HTTP + NGINX Plus load balancing. Hosted a WordPress-based intranet site integrated with MariaDB running on Red Hat Enterprise Linux 9.
Deployed Zabbix for server and network monitoring, Xcitium EDR for endpoint protection, Veeam for backup & replication, and TrueNAS for on-premise secure storage.
Built and managed virtual environments using VMware Workstation for local labs and VMware ESXi for enterprise-grade server virtualization. Deployed multiple guest operating systems for testing, server simulation, and service isolation.
Created an Azure virtual network with multiple subnets and deployed a VPN Gateway to securely connect an on-premises network. Configured point-to-site VPN using self-signed certificates and tested cross-premises connectivity.
Deployed a VM in Azure with custom NSGs, public/private IP, storage, and extensions. Enabled RDP access through security rules and monitored metrics in Azure Monitor.
Integrated on-premises Windows Server with Microsoft Entra ID. Enabled SSO and tested user provisioning using Entra Connect. Managed role-based access via Entra roles and conditional access policies.
Set up Azure File Shares for secure cloud storage. Configured shared access signatures (SAS) for temporary secure file access and mounted file shares on Windows and Linux VMs using SMB.
Launched EC2 instances using preconfigured AMIs. Created an S3 bucket for object storage and enabled versioning. Applied IAM policies to control access and enabled logging for audit compliance.
Deployed Compute Engine VMs with custom firewall rules. Configured service accounts and IAM roles to grant least-privilege access. Integrated Stackdriver for logging and monitoring.
CVE-2023-38831 is a critical vulnerability in WinRAR, a widely used file compression tool. It allows attackers to execute arbitrary code by exploiting the way WinRAR handles specially crafted archive files. This flaw has been actively used in targeted attacks, posing a serious threat to WinRAR users.
Conducted an attack to capture NTLMv2 hashes via email phishing by embedding a UNC path, exploiting an unpatched Outlook vulnerability (CVE-2024-30103). When the victim opens the email, the client automatically initiates an SMB connection, thereby exposing the NTLMv2 hash.
CVE-2022-26810: RCE in Windows RPC, allowing remote code execution via crafted network packets.
CVE-2023-24934: Security bypass in Microsoft Defender, enabling malware to evade detection.
Combined, they allow stealthy remote attacks, malware deployment, and persistent access.
CVE-2024-27956 is a high-severity SQL Injection vulnerability in the WordPress Automatic plugin (versions prior to 3.92.1). It allows unauthenticated attackers to execute arbitrary SQL queries, potentially creating admin accounts and gaining full control over the web server.
CVE-2024-49112 is a severe vulnerability in the Lightweight Directory Access Protocol (LDAP) service of Microsoft Windows Server. The flaw exists in how the LDAP server processes specially crafted Connectionless LDAP (CLDAP) requests over UDP. An attacker can send a malicious CLDAP request to a Domain Controller, causing it to mishandle memory pointers during referral processing. This leads to remote code execution without authentication, potentially allowing full system compromise or denial of service.
Monitored and maintained 24/7 network and server uptime using Zabbix, ensuring rapid incident response and system reliability according to procedure.
Worked in a high-pressure healthcare environment requiring strict adherence to protocols, attention to detail, and reliable handling of critical systems, building soft skills like discipline, precision, and process thinking valuable for IT operations and administration roles.
Assisted in on-site replacement and configuration of Wi-Fi 6 devices, gaining practical experience with networking hardware, customer environments, and troubleshooting, foundational skills for system and network administration roles.
Email: duyducthanhphan@gmail.com
LinkedIn: Duy Phan
GitHub: DuyP-2405