diff --git a/.dc16-mkuser.ps1 b/.dc16-mkuser.ps1 new file mode 100644 index 00000000..ed900244 --- /dev/null +++ b/.dc16-mkuser.ps1 @@ -0,0 +1,9 @@ +$ErrorActionPreference = 'Stop' +Import-Module ActiveDirectory +$pw = ConvertTo-SecureString 'Lcyaz0KF5L8IoRh7Pf4K.7QQwJq' -AsPlainText -Force +New-ADUser -Name 'svc-msp360' -SamAccountName 'svc-msp360' -UserPrincipalName 'svc-msp360@acg.local' -DisplayName 'MSP360 Backup Service' -Description 'Service account for MSP360/Online Backup Exchange backup on NEPTUNE. Created 2026-07-15 by Howard via ClaudeTools.' -AccountPassword $pw -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true +Add-ADGroupMember -Identity 'Organization Management' -Members 'svc-msp360' +Start-Sleep -Seconds 2 +$u = Get-ADUser 'svc-msp360' -Properties PasswordNeverExpires, MemberOf +Write-Output ('created: ' + $u.SamAccountName + ' enabled=' + $u.Enabled + ' pwdNeverExpires=' + $u.PasswordNeverExpires) +$u.MemberOf | ForEach-Object { Write-Output ('member: ' + $_) } diff --git a/.neptune-iis-probe.ps1 b/.neptune-iis-probe.ps1 new file mode 100644 index 00000000..841701ca --- /dev/null +++ b/.neptune-iis-probe.ps1 @@ -0,0 +1,18 @@ +$ErrorActionPreference = 'Continue' +Import-Module WebAdministration +Write-Output '=== App pools (Exchange PowerShell) ===' +Get-ChildItem IIS:\AppPools | Where-Object Name -match 'PowerShell|MSExchange' | Select-Object Name, State | Format-Table -AutoSize +Write-Output '=== PowerShell vdirs ===' +Get-WebApplication -Name PowerShell | Format-List Path, ApplicationPool, PhysicalPath, ItemXPath +Write-Output '=== Default Web Site + Back End bindings ===' +Get-Website | Select-Object Name, State, @{n='Bind';e={($_.bindings.Collection | ForEach-Object bindingInformation) -join ' ; '}} | Format-Table -AutoSize +Write-Output '=== Auth on Default Web Site/PowerShell ===' +foreach ($a in 'anonymousAuthentication','windowsAuthentication','basicAuthentication') { + $v = Get-WebConfigurationProperty -Filter "system.webServer/security/authentication/$a" -PSPath 'IIS:\Sites\Default Web Site\PowerShell' -Name enabled -ErrorAction SilentlyContinue + Write-Output "DWS/PowerShell $a = $($v.Value)" +} +Write-Output '=== SSL flags on DWS/PowerShell ===' +(Get-WebConfigurationProperty -Filter 'system.webServer/security/access' -PSPath 'IIS:\Sites\Default Web Site\PowerShell' -Name sslFlags -ErrorAction SilentlyContinue) +Write-Output '=== recent HTTP 4xx/5xx to /powershell (IIS log tail) ===' +$log = Get-ChildItem 'C:\inetpub\logs\LogFiles\W3SVC1' -Filter *.log -ErrorAction SilentlyContinue | Sort-Object LastWriteTime -Descending | Select-Object -First 1 +if ($log) { Get-Content $log.FullName -Tail 400 | Select-String -SimpleMatch '/powershell' | Select-Object -Last 10 } diff --git a/.neptune-svc.ps1 b/.neptune-svc.ps1 new file mode 100644 index 00000000..4868b68c --- /dev/null +++ b/.neptune-svc.ps1 @@ -0,0 +1,22 @@ +$ErrorActionPreference = 'Stop' +Add-LocalGroupMember -Group 'Administrators' -Member 'ACG\svc-msp360' -ErrorAction SilentlyContinue +Write-Output ('local admin: ' + [bool](Get-LocalGroupMember -Group 'Administrators' -Member 'ACG\svc-msp360' -ErrorAction SilentlyContinue)) +$sid = (New-Object System.Security.Principal.NTAccount('ACG','svc-msp360')).Translate([System.Security.Principal.SecurityIdentifier]).Value +$tmp = 'C:\Windows\Temp\se.inf' +secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null +$c = Get-Content $tmp +$line = $c | Where-Object { $_ -match '^SeServiceLogonRight' } +if ($line -notmatch [regex]::Escape($sid)) { + $new = $c -replace '^(SeServiceLogonRight *=.*)$', ('$1,*' + $sid) + if (-not $line) { $new += 'SeServiceLogonRight = *' + $sid } + $new | Set-Content $tmp -Encoding Unicode + secedit /configure /db C:\Windows\Temp\se.sdb /cfg $tmp /areas USER_RIGHTS | Out-Null + Write-Output 'SeServiceLogonRight granted' +} else { Write-Output 'SeServiceLogonRight already present' } +Remove-Item $tmp, C:\Windows\Temp\se.sdb -ErrorAction SilentlyContinue +$svc = Get-WmiObject Win32_Service -Filter "Name='Online Backup Service'" +$r = $svc.Change($null,$null,$null,$null,$null,$null,'ACG\svc-msp360','Lcyaz0KF5L8IoRh7Pf4K.7QQwJq') +Write-Output ('service change rc=' + $r.ReturnValue) +Restart-Service 'Online Backup Service' -Force +Start-Sleep -Seconds 5 +Get-WmiObject Win32_Service -Filter "Name='Online Backup Service'" | Select-Object Name, StartName, State | Format-Table -AutoSize diff --git a/.neptune-winrm-probe.ps1 b/.neptune-winrm-probe.ps1 new file mode 100644 index 00000000..b399b041 --- /dev/null +++ b/.neptune-winrm-probe.ps1 @@ -0,0 +1,19 @@ +$ErrorActionPreference = 'Continue' +Write-Output '=== WinRM service ===' +Get-Service WinRM | Select-Object Name, Status, StartType | Format-Table -AutoSize +Write-Output '=== Test-WSMan localhost ===' +try { Test-WSMan -ComputerName neptune -ErrorAction Stop | Out-String } catch { Write-Output "FAIL: $($_.Exception.Message)" } +Write-Output '=== WinRM listeners ===' +winrm enumerate winrm/config/listener 2>&1 +Write-Output '=== Exchange PowerShell vdir session test ===' +try { + $s = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://neptune/PowerShell/ -Authentication Kerberos -ErrorAction Stop + Write-Output "SESSION OK: $($s.State)" + Remove-PSSession $s +} catch { Write-Output "FAIL: $($_.Exception.Message)" } +Write-Output '=== plain PSSession test ===' +try { + $s2 = New-PSSession -ComputerName neptune -ErrorAction Stop + Write-Output "SESSION OK: $($s2.State)" + Remove-PSSession $s2 +} catch { Write-Output "FAIL: $($_.Exception.Message)" } diff --git a/clients/cascades-tucson/docs/cloud/m365.md b/clients/cascades-tucson/docs/cloud/m365.md index efb0aa96..19cb7dbf 100644 --- a/clients/cascades-tucson/docs/cloud/m365.md +++ b/clients/cascades-tucson/docs/cloud/m365.md @@ -10,19 +10,26 @@ - Former Admin: admin@NETORGFT4257522.onmicrosoft.com (Sandra Fish — previous director, removed 2026-04-14: global admin revoked, sign-in blocked, P2 license removed) - DirSync / Entra Connect: **Not configured** (all accounts cloud-only) — **PLANNED: Install Entra Connect for SSO** - HIPAA BAA: **Covered by MCA** — Microsoft Customer Agreement automatically includes the HIPAA BAA for Business plan subscribers (confirmed 2026-05-14, no separate acceptance needed) -- MFA: **Not enabled** — Security Defaults not configured +- MFA: **Enabled for all staff** via Conditional Access (live; caregivers protected by on-network restriction + 8h sign-in frequency instead of MFA prompts). Earlier "not enabled" note was pre-CA-rollout. -## Licensing +## Licensing (updated 2026-07-15 — live Graph verification by Mike/GURU-5070) | License Type | Total | Assigned | Available | |---|---|---|---| -| Microsoft 365 Business Standard | 34 | 34 | 0 | +| Microsoft 365 Business Premium | 45 | 41 | 4 | +| Microsoft 365 Business Standard | **SUSPENDED** | 30 consumed | — | | Microsoft Entra ID P2 | 1 | 0 | 1 (unassigned — was Sandra Fish, available for testing) | | Microsoft Power Automate Free | 10000 | 2 | 9998 | | Microsoft Stream Trial | 1000000 | 0 | 1000000 | | Exchange Online Essentials | — | 4 | — | -**Note:** Business Standard is fully allocated (34/34, 0 available). Any new hires require purchasing additional licenses. +**Note (2026-07-15):** The Business Premium migration is largely done — 45 Premium owned, +41 assigned (the caregiver rollout). The old Business Standard subscription is **suspended** +with ~30 office staff still sitting on it; none of them hold Premium. Moving them is +**net-new spend** (~26 net-new paid seats ≈ $572/mo; best case ~17 net-new ≈ $374/mo after +converting 8 role/shared mailboxes — accounting@, hr@, frontdesk@, etc. — to free shared +mailboxes and removing former employee jodi.ramstack). The per-user table below predates +this and reflects the old Standard assignments. ### Planned expansion — caregiver rollout (not yet purchased) diff --git a/clients/cascades-tucson/docs/proposals/cascades-technology-plan-2026-07-15.html b/clients/cascades-tucson/docs/proposals/cascades-technology-plan-2026-07-15.html index 40c6094e..d7181f52 100644 --- a/clients/cascades-tucson/docs/proposals/cascades-technology-plan-2026-07-15.html +++ b/clients/cascades-tucson/docs/proposals/cascades-technology-plan-2026-07-15.html @@ -89,6 +89,7 @@ table.todo td.tgt{ font-family:var(--f-mono); font-size:8px; color:var(--accent-ink); font-weight:500; white-space:nowrap; } table.todo td.cost{ font-family:var(--f-mono); font-size:8px; color:var(--ink-2); white-space:nowrap; } + table.todo td.comp{ font-family:var(--f-mono); font-size:8px; color:var(--ink-3); min-width:46px; } table.mach{ border-collapse:collapse; width:calc(100% - 29px); margin:3px 0 0 29px; } table.mach th{ font-family:var(--f-mono); font-size:6.8px; font-weight:500; @@ -135,18 +136,29 @@
Technology Plan · FY 2026–2027

Cascades of Tucson Technology Plan

A living action document: for each area of the facility's technology, what has - been done and what is planned, with an owner, cost, and target for every action. Prepared with + been done and what is planned, with an owner, cost, target, and completion date for every action. Prepared with Az Computer Guru. Reviewed and updated at least annually.

-
Plan ownerCascades of Tucson
+
Plan ownerCascades of Tucson — Administrator (Ashley Jensen)
Prepared withAz Computer Guru
Plan periodFY 2026–2027
Adopted by / dateat adoption
Next annual reviewadoption + 12 months
+
Standard referenceCARF Technology and System Plan, Aging Services Standards Manual (Section 1, "CARF Plans") — manual edition confirmed at adoption
+
Basis of this plan
+

This plan is based on the needs of the people Cascades serves and the people who serve them. + Persons served: resident safety (Helpany fall/motion sensors with no camera and no microphone), reliable building-wide + WiFi for residents and families, and protection of resident health records. Personnel: dependable workstations, one + sign-on to the clinical record, and secure access that follows staff roles. Other stakeholders: families (connectivity + and privacy), regulators (HIPAA safeguards), and vendors (managed under Business Associate Agreements).

+

Technology priorities align with Cascades' strategic goals: resident safety first (safety sensors, proven power-outage + recovery), regulatory standing (HIPAA safeguards, CARF conformance, auditable records), and efficient operations (modern + workstations, single sign-on, and a sanctioned analytics path for leadership).

+
The eight areas
@@ -159,11 +171,11 @@ To do - - - - - + + + + +
ActionOwnerCostTarget
Install the purchased enterprise SSDs (scheduled window)ACGpurchased30–60 days
Replace workstations marked for replacement (list below, 5 + spare)ACG~$700–950 ea60–90 days
Scope and quote a server refresh projectACG + Cascadesformal quote90 days
Bring remaining switch ports up to full gigabit speedACGlabor90 days
ActionOwnerCostTargetCompleted
Install the purchased enterprise SSDs (scheduled window)ACGpurchased30–60 days
Replace workstations marked for replacement (list below, 5 + spare)ACG~$700–950 ea60–90 days
Scope and quote a server refresh projectACG + Cascadesformal quote90 days
Bring remaining switch ports up to full gigabit speedACGlabor90 days
Workstations marked for replacement @@ -187,11 +199,11 @@ To do
- - - - - + + + + +
ActionOwnerCostTarget
Right-size Microsoft 365 licensing: move users off the legacy license; full Office licenses only where needed, lighter licenses for everyone elseACGreduces monthly cost30 days
Complete staff domain migration + department drivesACGlabor60–90 days
Final Windows Pro upgrade (1 deferred device)ACG~$99next window
Retire the per-PC Synology sync client as machines migrateACGlaborwith migration
ActionOwnerCostTargetCompleted
Move office staff off the suspended legacy Microsoft 365 license onto supported licenses; full Office only where needed, lighter licenses elsewhereACGnew licensing, ~$375–575/mo30 days
Complete staff domain migration + department drivesACGlabor60–90 days
Final Windows Pro upgrade (1 deferred device)ACG~$99next window
Retire the per-PC Synology sync client as machines migrateACGlaborwith migration
@@ -207,13 +219,13 @@ To do - - - - - - - + + + + + + +
ActionOwnerCostTarget
Create emergency break-glass admin accounts with hardware security keysACG~$110 keys30 days
Enforce the caregiver device allow-list (final enforcement phase)ACGlabor30–60 days
Limit trusted-network sign-in to approved devices (next enforcement phase)ACGlabor30–60 days
Enable file-access audit logging with 90-day / 6-year retentionACG~$50–120/mo60–90 days
Formalize a same-day offboarding checklistCascades HR + ACGnone30 days, standing
Package the dated security risk assessmentACGlabor60 days
ActionOwnerCostTargetCompleted
Create emergency break-glass admin accounts with hardware security keysACG~$110 keys30 days
Enforce the caregiver device allow-list (final enforcement phase)ACGlabor30–60 days
Limit trusted-network sign-in to approved devices (next enforcement phase)ACGlabor30–60 days
Enable file-access audit logging with 90-day / 6-year retentionACG~$50–120/mo60–90 days
Formalize a same-day offboarding checklistCascades HR + ACGnone30 days, standing
Package the dated security risk assessmentACGlabor60 days
@@ -226,11 +238,11 @@ To do - - - - - + + + + +
ActionOwnerCostTarget
Complete the Business Associate Agreement inventory (every vendor touching PHI)Cascades + ACGnone60 days
Move ALIS fully to single sign-on (retire the separate native login)ACGlabor60 days
Enable encryption on the resident-data file shareACGlabor60–90 days
Maintain a one-page contract / renewal / BAA trackerCascades + ACGnone90 days, standing
ActionOwnerCostTargetCompleted
Complete the Business Associate Agreement inventory (every vendor touching PHI)Cascades + ACGnone60 days
Move ALIS fully to single sign-on (retire the separate native login)ACGlabor60 days
Enable encryption on the resident-data file shareACGlabor60–90 days
Maintain a one-page contract / renewal / BAA trackerCascades + ACGnone90 days, standing
@@ -243,10 +255,10 @@ To do - - - - + + + +
ActionOwnerCostTarget
Repurpose the Synology NAS as the onsite backup for the server (with off-site backup continuing)ACGlabor60–90 days
Run and document a test restoreACGlabor90 days
Confirm and document the retention policyACGnone60 days
ActionOwnerCostTargetCompleted
Repurpose the Synology NAS as the onsite backup for the server (with off-site backup continuing)ACGlabor60–90 days
Run and document a test restoreACGlabor90 days
Confirm and document the retention policyACGnone60 days
@@ -259,9 +271,9 @@ To do - - - + + +
ActionOwnerCostTarget
Complete the Helpany rollout; move sensors to their own protected network segmentHelpany + ACGvendor + labor90 days
Inventory all resident-facing technology (nurse-call / pendants, assistive listening, resident WiFi for telehealth) into this planCascades + ACGnonenext review
ActionOwnerCostTargetCompleted
Complete the Helpany rollout; move sensors to their own protected network segmentHelpany + ACGvendor + labor90 days
Inventory all resident-facing technology (nurse-call / pendants, assistive listening, resident WiFi for telehealth) into this planCascades + ACGnonenext review
@@ -274,10 +286,10 @@ To do - - - - + + + +
ActionOwnerCostTarget
Write the formal disaster-recovery / business-continuity plan with recovery-time targetsACGlabor90 days
Documented restore test (with area 5)ACGlabor90 days
Server redundancy (pairs with the server refresh project)ACG + Cascadesproject quoteFY project
ActionOwnerCostTargetCompleted
Write the formal disaster-recovery / business-continuity plan with recovery-time targetsACGlabor90 days
Documented restore test (with area 5)ACGlabor90 days
Server redundancy (pairs with the server refresh project)ACG + Cascadesproject quoteFY project
@@ -285,15 +297,15 @@
08

Virus & threat protection

Done To do - - - + + +
ActionOwnerCostTarget
Remove remaining legacy agents: DESKTOP-TRCIEJA (retires with its replacement) and DESKTOP-F94M8UT (powered off; completes on power-on); finish console cleanupACGlabor30–60 days
Standing coverage audit: every device reporting into managed securityACGnonequarterly
ActionOwnerCostTargetCompleted
Remove remaining legacy agents: DESKTOP-TRCIEJA (retires with its replacement); finish console cleanupACGlabor30–60 days
Standing coverage audit: every device reporting into managed securityACGnonequarterly
diff --git a/clients/cascades-tucson/docs/proposals/cascades-technology-plan-2026-07-15.md b/clients/cascades-tucson/docs/proposals/cascades-technology-plan-2026-07-15.md index e7b64a75..fd9e4acb 100644 --- a/clients/cascades-tucson/docs/proposals/cascades-technology-plan-2026-07-15.md +++ b/clients/cascades-tucson/docs/proposals/cascades-technology-plan-2026-07-15.md @@ -5,12 +5,28 @@ | Governance | | |---|---| -| Plan owner | Cascades of Tucson | +| Plan owner | Cascades of Tucson — Administrator (Ashley Jensen) | | Prepared with | Az Computer Guru (Mike Swanson, Howard Enos) | +| Standard reference | CARF Technology and System Plan, Aging Services Standards Manual (Section 1, "CARF Plans") — *[manual edition confirmed at adoption]* | | Plan period | FY 2026–2027 | | Adopted by / date | *[at adoption]* | | Next annual review | *[adoption + 12 months]* | +## Basis of this plan + +This plan is based on the needs of the people Cascades serves and the people who serve +them. **Persons served:** resident safety (Helpany fall/motion sensors with no camera and +no microphone), reliable building-wide WiFi for residents and families, and protection of +resident health records. **Personnel:** dependable workstations, one sign-on to the +clinical record, and secure access that follows staff roles. **Other stakeholders:** +families (connectivity and privacy), regulators (HIPAA safeguards), and vendors (managed +under Business Associate Agreements). + +Technology priorities align with Cascades' strategic goals: resident safety first (safety +sensors, proven power-outage recovery), regulatory standing (HIPAA safeguards, CARF +conformance, auditable records), and efficient operations (modern workstations, single +sign-on, and a sanctioned analytics path for leadership). + --- ## 1. Hardware @@ -22,8 +38,8 @@ - Windows Pro upgrades completed on nearly all workstations for domain readiness. **To do** -| Action | Owner | Cost | Target | -|---|---|---|---| +| Action | Owner | Cost | Target | Completed | +|---|---|---|---|---| | Install the purchased enterprise SSDs (scheduled window) | ACG | already purchased | 30–60 days | | Replace workstations marked for replacement (list below, 5 + spare) | ACG | ~$700–950 ea | 60–90 days | | Scope and quote a server refresh project | ACG + Cascades | formal quote | 90 days | @@ -48,9 +64,9 @@ department structure and drive mapping built. **To do** -| Action | Owner | Cost | Target | -|---|---|---|---| -| Right-size Microsoft 365 licensing: move users off the legacy license; full Office licenses only where needed, lighter licenses for everyone else | ACG | reduces monthly cost | 30 days | +| Action | Owner | Cost | Target | Completed | +|---|---|---|---|---| +| Move office staff off the suspended legacy Microsoft 365 license onto supported licenses; full Office only where needed, lighter licenses elsewhere | ACG | new licensing, ~$375–575/mo depending on mix | 30 days | | Complete staff domain migration + department drives | ACG | labor | 60–90 days | | Final Windows Pro upgrade (1 deferred device) | ACG | ~$99 | next window | | Retire the per-PC Synology sync client as machines migrate | ACG | labor | with migration | @@ -66,8 +82,8 @@ - Email authentication (SPF, DKIM, DMARC) enforced. **To do** -| Action | Owner | Cost | Target | -|---|---|---|---| +| Action | Owner | Cost | Target | Completed | +|---|---|---|---|---| | Create emergency break-glass admin accounts with hardware security keys | ACG | ~$110 keys | 30 days | | Enforce the caregiver device allow-list (final enforcement phase) | ACG | labor | 30–60 days, after break-glass | | Limit trusted-network sign-in to approved devices (next enforcement phase) | ACG | labor | 30–60 days | @@ -82,8 +98,8 @@ - Shared care devices auto-lock; resident and voice traffic isolated on the network. **To do** -| Action | Owner | Cost | Target | -|---|---|---|---| +| Action | Owner | Cost | Target | Completed | +|---|---|---|---|---| | Complete the Business Associate Agreement inventory (every vendor touching PHI) | Cascades + ACG | none | 60 days | | Move ALIS fully to single sign-on (retire the separate native login) | ACG | labor | 60 days | | Enable encryption on the resident-data file share | ACG | labor | 60–90 days | @@ -97,8 +113,8 @@ - Firewall and network configuration backed up. **To do** -| Action | Owner | Cost | Target | -|---|---|---|---| +| Action | Owner | Cost | Target | Completed | +|---|---|---|---|---| | Repurpose the Synology NAS as the onsite backup for the server (with off-site backup continuing) | ACG | labor | 60–90 days | | Run and document a test restore | ACG | labor | 90 days | | Confirm and document the retention policy | ACG | none | 60 days | @@ -111,8 +127,8 @@ - Building-wide WiFi supporting resident and family connectivity. **To do** -| Action | Owner | Cost | Target | -|---|---|---|---| +| Action | Owner | Cost | Target | Completed | +|---|---|---|---|---| | Complete the Helpany rollout; move sensors to their own protected network segment | Helpany + ACG | vendor-billed + labor | 90 days | | Inventory all resident-facing technology (nurse-call/pendants, assistive listening, resident WiFi for telehealth) into this plan | Cascades + ACG | none | next review | @@ -124,8 +140,8 @@ - UPS battery backup installed on core equipment and all network switches; off-site backup running. **To do** -| Action | Owner | Cost | Target | -|---|---|---|---| +| Action | Owner | Cost | Target | Completed | +|---|---|---|---|---| | Write the formal disaster-recovery / business-continuity plan with recovery-time targets | ACG | labor | 90 days | | Documented restore test (with area 5) | ACG | labor | 90 days | | Server redundancy (pairs with the server refresh project) | ACG + Cascades | project quote | FY project | @@ -133,16 +149,16 @@ ## 8. Virus & threat protection **Done** -- Managed endpoint detection & response (EDR) on every managed device (about 35), - **including the main server** (completed July 2026). +- Managed endpoint detection & response (EDR) on every managed, enrolled device (35), + **including the main server** (verified live July 2026). - Microsoft Defender and Exchange Online Protection on email; managed monitoring and patching on all devices. - Legacy agents from the previous IT provider removed from the server. **To do** -| Action | Owner | Cost | Target | -|---|---|---|---| -| Remove remaining legacy agents: DESKTOP-TRCIEJA (retires with its replacement) and DESKTOP-F94M8UT (powered off; completes on power-on); finish console cleanup | ACG | labor | 30–60 days | +| Action | Owner | Cost | Target | Completed | +|---|---|---|---|---| +| Remove remaining legacy agents: DESKTOP-TRCIEJA (retires with its replacement); finish console cleanup | ACG | labor | 30–60 days | | Standing coverage audit: every device reporting into managed security | ACG | none | quarterly | --- diff --git a/clients/cascades-tucson/docs/proposals/cascades-technology-plan-2026-07-15.pdf b/clients/cascades-tucson/docs/proposals/cascades-technology-plan-2026-07-15.pdf index 8e14cb4b..803d9be7 100644 Binary files a/clients/cascades-tucson/docs/proposals/cascades-technology-plan-2026-07-15.pdf and b/clients/cascades-tucson/docs/proposals/cascades-technology-plan-2026-07-15.pdf differ diff --git a/clients/cascades-tucson/session-logs/2026-07/2026-07-15-howard-technology-plan-final.md b/clients/cascades-tucson/session-logs/2026-07/2026-07-15-howard-technology-plan-final.md index 9f211e8f..06a4553a 100644 --- a/clients/cascades-tucson/session-logs/2026-07/2026-07-15-howard-technology-plan-final.md +++ b/clients/cascades-tucson/session-logs/2026-07/2026-07-15-howard-technology-plan-final.md @@ -133,3 +133,32 @@ None touched this session. - Remaining-work plan: `clients/cascades-tucson/docs/REMAINING-WORK-PLAN.md` - Straggler pass log: `clients/cascades-tucson/session-logs/2026-06/2026-06-26-howard-edr-bd-straggler-9am-pass.md` - Prepaid balance shown in footer: 37.5 hrs as of 2026-07-10 + +## Update: 12:21 PT — Mike's verification edits applied + +Applied all 4 items from Mike's coord message (6c0abc15) per Howard's "fix the cost wording +and update the docs, and do as mike wants": + +1. **Area 2 cost correction** — Mike's live Graph check showed the relicensing claim was wrong + (office staff sit on a SUSPENDED Business Standard sub, no Premium seats). Reworded to + "new licensing, ~$375–575/mo depending on mix" (net-new spend, not savings). +2. **Area 8 wording** — "every device" -> "every managed, enrolled device (35), including the + main server (verified live July 2026)". Dropped DESKTOP-F94M8UT from the legacy-agent row + (already gone from the Datto console); DESKTOP-TRCIEJA remains. +3. **CARF conformance elements added** — standard reference row (CARF Technology and System + Plan, Aging Services manual Section 1, edition placeholder), "Basis of this plan" section + (needs of persons served / personnel / stakeholders + strategic alignment), Ashley Jensen + restored as named plan owner (governance table ONLY — masthead stays "Attn: Business + Office"; Howard approved via "do as mike wants" after the earlier name-removal request), + and a Completed column added to all 28 action rows across 8 to-do tables (living-action- + document format). +4. **Stale docs refreshed** — wiki CS-SERVER line superseded (Datto EDR agent reinstalled, + agent b41befcf-e418-4d0d-8552-bc7662364d07, verified live; 6/26 removal note no longer + current) and docs/cloud/m365.md licensing section rewritten to the live Graph numbers + (SPB 45/41/4, Standard SUSPENDED 30 consumed) + stale "MFA: Not enabled" line fixed. + +PDF re-rendered: 4 pages, 433,980 bytes, verified visually page-by-page. Coord reply sent to +Mike (GURU-5070) confirming: id 3c07fd3e-7f93-401d-8d46-339c968552f9. + +Files touched this update: proposals .md/.html/.pdf, docs/cloud/m365.md, +wiki/clients/cascades-tucson.md. diff --git a/wiki/clients/cascades-tucson.md b/wiki/clients/cascades-tucson.md index 74fd939c..a032b2ca 100644 --- a/wiki/clients/cascades-tucson.md +++ b/wiki/clients/cascades-tucson.md @@ -489,7 +489,7 @@ Cascades' line-of-business / reporting SaaS (the systems they pull data OUT of, ### CS-SERVER SMB & Endpoint AV (2026-06-26) - **The "CS-SERVER SMB error 67 outage" was a TEST-METHOD ARTIFACT, not a real outage.** RMM-dispatched SMB client commands (`net use`/`net view`/`Test-Path`/`Get-SmbConnection`, even in `user_session`) **false-negative** -- they return error 67 (BAD_NETWORK_NAME) / RPC 1702 / "none" even for KNOWN-GOOD targets. **CS-SERVER SMB is healthy** -- `Get-SmbSession` showed 7 live SMB 3.1.1 users / 30 open files / new sessions forming. **VALIDATE SMB server-side (`Get-SmbSession`/`Get-SmbOpenFile`) or with a REAL interactive test -- never from RMM client-side results.** A drive-map `verify` failure is NOT proof of a problem (skill caveat added; errorlog `rmm/smb-testing`). -- **CS-SERVER endpoint AV was DattoAV, not GravityZone Bitdefender.** It was the Datto EDR "Endpoint Protection SDK" (Bitdefender engine + Avira "Sentry" driver -> drivers `BdSentry`/`rtp1`/`rtp2`), managed by Datto RMM (CentraStage/`CagService`) + Datto EDR Agent (`HUNTAgent`/Infocyte HUNT, tenant azcomp4587). Removing the box from the GravityZone console did nothing because GravityZone never managed it. **ALL Datto software was fully removed from CS-SERVER 2026-06-26** (services deleted, `infocyte`/`CentraStage` dirs gone, registry + kernel drivers cleared). CS-SERVER was already de-enrolled from the EDR tenant, so no uninstall token could be issued -- forced removal once the tamper drivers were gone. +- **CS-SERVER endpoint AV was DattoAV, not GravityZone Bitdefender.** It was the Datto EDR "Endpoint Protection SDK" (Bitdefender engine + Avira "Sentry" driver -> drivers `BdSentry`/`rtp1`/`rtp2`), managed by Datto RMM (CentraStage/`CagService`) + Datto EDR Agent (`HUNTAgent`/Infocyte HUNT, tenant azcomp4587). Removing the box from the GravityZone console did nothing because GravityZone never managed it. The prior-MSP Datto stack was fully removed from CS-SERVER 2026-06-26 (services deleted, `infocyte`/`CentraStage` dirs gone, registry + kernel drivers cleared; the box was de-enrolled so removal was forced once the tamper drivers were gone). **[SUPERSEDED 2026-07-15]: the ACG-managed Datto EDR agent was subsequently REINSTALLED — CS-SERVER is protected** (agent `b41befcf-e418-4d0d-8552-bc7662364d07`, Datto EDR sensor + Datto AV, live heartbeat, defs current; verified live in the azcomp4587 console by Mike). Do not read the 6/26 removal as "server unprotected." - **Karen Rossini share access -- RESOLVED.** `CASCADES\karen.rossini` (reset + vaulted `clients/cascades-tucson/karen-rossini.sops.yaml`, member of `SG-IT-RW`) verified able to open `\CS-SERVER\Server` shares **interactively** from another PC. Her ALDocs desktop shortcut + Quick Access pin were set on DESKTOP-LPOPV30 (`\CS-SERVER\Server\ALDocs`) via the `drive-map` skill. Note: her earlier move to CSCNet (WPA3-SAE) broke NAS-by-name resolution (unrelated side effect). ### Datto EDR / Bitdefender Decommission