import: ingested 160 files from C:\Users\howar\Clients

Howard's personal MSP client documentation folder imported into shared
ClaudeTools repo via /import command. Scope:

Clients (structured MSP docs under clients/<name>/docs/):
- anaise       (NEW)  - 13 files
- cascades-tucson     - 47 files merged (existing had only reports/)
- dataforth           - 18 files merged (alongside incident reports)
- instrumental-music-center - 14 files merged
- khalsa       (NEW)  - 22 files, multi-site (camden, river)
- kittle       (NEW)  - 16 files incl. fix-pdf-preview, gpo-intranet-zone
- lens-auto-brokerage (NEW) - 3 files (name matches SOPS vault)
- _client_template    - 13-file scaffold for new clients

MSP tooling (projects/msp-tools/):
- msp-audit-scripts/ - server_audit.ps1, workstation_audit.ps1, README
- utilities/         - clean_printer_ports, win11_upgrade,
                       screenconnect-toolbox-commands

Credential handling:
- Extracted 1 inline password (Anaise DESKTOP-O8GF4SD / david)
  to SOPS vault: clients/anaise/desktop-o8gf4sd.sops.yaml
- Redacted overview.md with vault reference pattern
- Scanned all 160 files for keys/tokens/connection strings -
  no other credentials found

Skipped:
- Cascades/.claude/settings.local.json (per-machine config)
- Source-root CLAUDE.md (personal, claudetools has its own)
- scripts/server_audit.ps1 and workstation_audit.ps1 at source root
  (identical duplicates of msp-audit-scripts versions)

Memory updates:
- reference_client_docs_structure.md (layout, conventions, active list)
- reference_msp_audit_scripts.md (locations, ScreenConnect 80-char rule)

Session log: session-logs/2026-04-16-howard-client-docs-import.md

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-04-16 19:43:58 -07:00
parent 251edef420
commit 121ba75fda
160 changed files with 16002 additions and 0 deletions

View File

@@ -0,0 +1,66 @@
# Endpoint Security / Antivirus
## Current State (In Transition)
- Current Product: Datto EDR (part of Datto RMM suite)
- Status: **Migrating away** — Datto RMM being replaced by SyncroRMM
- Datto EDR will need to be replaced when migration completes
- **HIPAA:** §164.308(a)(5) requires security awareness and §164.312(a) requires access control. EDR/AV is a critical control for protecting PHI on staff workstations that access ALIS and file shares.
## Available Options Through Syncro
- Bitdefender GravityZone — available, Howard does NOT prefer this
- Emsisoft — available through Syncro
## Recommended: Huntress + SentinelOne (via Syncro)
See notes section for full recommendation.
## Deployment Status (audit 2026-03-20)
- Total Endpoints: 19 (1 server + 18 workstations)
- **Datto AV:** 17 machines (enabled and up to date on most)
- **Bitdefender + Datto AV (conflict):** RECEPTIONIST-PC — dual AV running
- **COMODO AV (disabled):** MDIRECTOR-PC — Windows Defender active instead
- **McAfee LiveSafe (bloatware):** LAPTOP-E0STJJE8 — conflicts with Datto
- **Malwarebytes (alongside Datto):** CRYSTAL-PC, MAINTENANCE-PC
- **Windows Defender active:** MDIRECTOR-PC (only machine using Defender as primary)
### Issues
| Machine | Issue |
|---------|-------|
| RECEPTIONIST-PC | Bitdefender + Datto AV both running — pick one |
| LAPTOP-E0STJJE8 | McAfee LiveSafe + WebAdvisor installed — remove |
| MDIRECTOR-PC | COMODO AV disabled, stale — remove |
| LAPTOP-DRQ5L558 | Multiple Datto AV instances, mixed enabled/disabled |
| LAPTOP-E0STJJE8 | Multiple Datto AV instances, mixed enabled/disabled |
### Previous MSP Software (on ALL machines — remove)
- Splashtop Streamer — on every machine
- Datto RMM agent — on CS-SERVER (at minimum)
- N-able Take Control — on some machines (stopped/stuck services)
## Notes
### Antivirus Recommendation for Syncro Integration
**Best option: Huntress + SentinelOne**
**SentinelOne (Singularity)**
- Native Syncro integration (built-in, deploy from Syncro)
- Full autonomous EDR — detects AND responds without human intervention
- Rollback capability (ransomware recovery)
- Consistently top-rated in independent AV tests
- Per-agent MSP pricing available
- Much stronger detection engine than Bitdefender GZ or Emsisoft
**Huntress (Managed Threat Detection)**
- Native Syncro integration
- Managed by Huntress SOC team — they investigate alerts FOR you
- Catches what traditional AV misses (persistent footholds, LOLbins, lateral movement)
- Lightweight agent runs alongside any AV
- Built specifically for MSPs
- 24/7 human threat hunters review detections before alerting you
**Why both?**
- SentinelOne = prevention + automated response (replaces Datto EDR)
- Huntress = detection + managed investigation (adds a layer Datto EDR never had)
- Together they cover the full kill chain with minimal MSP effort
- Both have one-click deploy through Syncro
**If only one:** SentinelOne alone is a strong standalone choice and integrates directly with Syncro's policy management. It's a significant upgrade over Datto EDR, Bitdefender GZ, and Emsisoft in both detection quality and automation.
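Review bot: the Previous MSP Software list marks the Datto RMM agent on CS-SERVER for removal while Current State still names Datto EDR (part of the Datto RMM suite) as the active product that "will need to be replaced when migration completes"; removing the RMM agent before SentinelOne and Huntress are deployed through Syncro leaves the server with no EDR at all, so the removal should be explicitly sequenced after the replacement is confirmed running on each machine. Two smaller points in the same hunk: the heading "Previous MSP Software (on ALL machines" contradicts its own entries ("on CS-SERVER (at minimum)", "on some machines"), so it should read as a per-item list with a machine count per agent, and the Issues table has two LAPTOP-E0STJJE8 rows that belong in one row; the "Multiple Datto AV instances, mixed enabled/disabled" finding on that laptop and LAPTOP-DRQ5L558 should be cleaned up (one AV instance per machine) before the SentinelOne rollout, otherwise the RECEPTIONIST-PC dual-AV conflict gets repeated with a new product.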

View File

@@ -0,0 +1,85 @@
# Backup and Disaster Recovery
## Backup Solution
- Product: **NONE CURRENTLY** — implementation planned as Phase 0 of network migration (Session 3, 2026-03-07)
- Priority: **CRITICAL** — no backups means no recovery from ransomware, hardware failure, or accidental deletion
- **HIPAA:** §164.308(a)(7) requires contingency plan including backup. Synology NAS and CS-SERVER both store PHI. No backup = regulatory violation.
- See `migration/session3-2026-03-07.md` for detailed setup steps
## Migration Plan — Backup Implementation (Phase 0.1 + Phase 4.4)
See `migration/phase0-safety-net.md`.
### Phase 0.1: Synology Active Backup for Business
| Setting | Value |
|---------|-------|
| Product | Synology Active Backup for Business (free) |
| Target | Synology NAS (192.168.0.120), Volume 1 |
| Source | CS-SERVER C: and D: drives (entire machine) |
| Agent | ABB Windows agent on CS-SERVER |
| Schedule | Nightly at 2:00 AM |
| Retention | 7 daily + 4 weekly |
| Compression | Enabled |
| Transfer Encryption | Enabled |
#### Storage Capacity Analysis
| Item | Size |
|------|------|
| Synology Volume 1 free space | ~540 GB |
| CS-SERVER C: used | ~137 GB |
| CS-SERVER D: used | ~455 GB |
| Total data to back up | ~592 GB |
| Expected after ABB compression (40-60%) | ~240-355 GB |
| Estimated remaining after first backup | ~185-300 GB |
ABB automatically excludes pagefile, hibernation file, and temp files. With compression and dedup, first full backup should fit. Incrementals will be small (daily changes are minimal). Monitor after first backup.
### Phase 4.4: Offsite Backup
| Setting | Value |
|---------|-------|
| Product | Synology Hyper Backup |
| Target | Backblaze B2 or Wasabi (~$3/mo) |
| Schedule | Daily after ABB completes (e.g., 5:00 AM) |
| Retention | 30 daily + 12 monthly |
## Available Backup Targets
| Target Name | Type | Location | Details |
|----------------|--------------|-----------|----------------------|
| Synology NAS | Local NAS | On-site | cascadesds / synology.cascades.local, IP: 192.168.0.120 |
| CS-SERVER | Server RAID | On-site | 192.168.2.254, has RAID storage |
## Backup Jobs
- None configured (Phase 0 will establish first backup)
## M365 Backup
- M365 Backup Product: None
- Exchange Backed Up: No
- SharePoint Backed Up: No
- OneDrive Backed Up: No
- Teams Backed Up: No
## Disaster Recovery Plan
- RTO Target: Not defined
- RPO Target: Not defined
- DR Site: None
- Last DR Test Date: N/A
## Notes
### Backup Implementation Recommendations
**For servers/workstations (on-prem):**
- Synology Active Backup for Business — free with the Synology, backs up Windows PCs and servers to the NAS
- Or Datto BCDR / Axcient x360Recover for full BDR with cloud replication
**For M365:**
- Datto SaaS Protection, Veeam Backup for M365, or Acronis — protects Exchange, SharePoint, OneDrive, Teams
**Minimum viable backup plan (HIPAA required):**
1. Enable Synology Active Backup for Business (free, already have the hardware) ← Phase 0
2. Back up CS-SERVER and critical workstations to the Synology nightly ← Phase 0
3. Add an M365 backup solution for email/SharePoint (email may contain PHI)
4. Configure Synology Hyper Backup to replicate critical data to a cloud target ← Phase 4
5. After Phase 4: enable NTFS audit logging on PHI shares migrated from Synology
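Review bot: the Minimum viable backup plan (steps 1 through 5) has no restore-verification step, and the Disaster Recovery Plan leaves RTO and RPO "Not defined" even though the Phase 0.1 table already fixes a nightly 2:00 AM schedule and 7 daily + 4 weekly retention, which implies a 24-hour RPO; suggest adding a test restore (one file plus a full CS-SERVER image) after step 2 and deriving RTO/RPO from the chosen schedule, so the §164.308(a)(7) contingency plan cited at the top is testable rather than nominal. Two related gaps in the Phase 0.1 table: it records "Transfer Encryption | Enabled" but not which account the ABB agent uses on the NAS, and since the target at 192.168.0.120 is the same Synology that holds PHI today, a dedicated backup-only NAS account with no admin rights (not the CS-SERVER domain admin credential) should be listed there so that ransomware on CS-SERVER cannot also delete its own backups. The Storage Capacity Analysis figure "~185-300 GB" remaining also needs an owner and an alert threshold behind "Monitor after first backup", because the 4 weekly retention points will grow the repository past the first-full estimate.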

View File

@@ -0,0 +1,107 @@
# HIPAA Compliance — Cascades
## Why HIPAA Applies
Cascades is an assisted living facility with health services staff (nurses, medtechs, health services director). They handle Protected Health Information (PHI) through:
1. **ALIS** (https://www.go-alis.com/) — cloud-hosted clinical/medical records system, accessed via web browser on staff PCs
2. **Synology NAS (cascadesDS)** — stores resident/facility data locally that falls under HIPAA
3. **CS-SERVER file shares** — migration target for Synology data; will become the primary secured storage
4. **M365 email** — staff may send/receive resident-related information via cascadestucson.com email
## Project Mission
Cascades was taken over from a previous MSP that left the environment insecure and non-compliant. The core objective of the migration project is to **get Cascades secure and HIPAA compliant**. Every migration phase ties back to this goal.
## Current HIPAA Gaps
| # | Gap | Severity | HIPAA Rule | Migration Phase |
|---|-----|----------|------------|-----------------|
| 1 | **No backup exists** | Critical | §164.308(a)(7) — Contingency Plan | Phase 0 (WSB → Synology) + Phase 4 (offsite) |
| 2 | **Synology stores PHI with no access auditing** | Critical | §164.312(b) — Audit Controls | Phase 4 (move to CS-SERVER with NTFS audit) |
| 3 | **Shared accounts** (Receptionist, Culinary, saleshare, directoryshare) | High | §164.312(a)(2)(i) — Unique User ID | Phase 5 (replace with individual accounts) |
| 4 | **No MFA on M365** | High | §164.312(d) — Person Authentication | Can enable now (Security Defaults, free) |
| 5 | **No disk encryption (BitLocker)** | High | §164.312(a)(2)(iv) — Encryption | Phase 2.6 GPO (free with Windows Pro) |
| 6 | **Permissive floating firewall rule** | High | §164.312(e)(1) — Transmission Security | Phase 1.6 (post-migration lockdown) |
| 7 | **Non-IT staff in Domain Admins** | High | §164.312(a)(1) — Access Control | Phase 2.2 (remove Meredith.Kuhn, John.Trozzi) |
| 8 | **Most PCs not domain-joined** | Medium | §164.308(a)(3) — Workforce Security | Phase 3 (domain join all staff PCs) |
| 9 | **No GPOs enforced** (password policy, screen lock) | Medium | §164.308(a)(5) — Security Awareness | Phase 2.6 (Security Baseline GPO) |
| 10 | **Kitchen iPads on same VLAN as staff PCs** | Medium | §164.312(e)(1) — Transmission Security | Restrict iPads to kitchen printers only |
| 11 | **ALIS browser access on shared PCs** | Medium | §164.312(d) — Person Authentication | Phase 5 (individual logins, no shared accounts) |
| 12 | **No BAA verified with ALIS** | Medium | §164.308(b)(1) — Business Associates | Verify with management |
| 13 | **No BAA with Microsoft (M365)** | Medium | §164.308(b)(1) — Business Associates | Sign Microsoft BAA via M365 admin |
| 14 | **Sandra Fish still global admin** | Low | §164.308(a)(3) — Workforce Security | Create break-glass admin, remove Sandra |
| 15 | **No M365 backup** | Low | §164.308(a)(7) — Contingency Plan | Future — Veeam Backup for M365 |
## How Migration Phases Address HIPAA
| Phase | What It Does | HIPAA Controls Addressed |
|-------|-------------|------------------------|
| Phase 0 — Safety Net | Windows Server Backup → Synology SMB share | Backup, contingency plan |
| Phase 1 — Network | VLAN migration, firewall lockdown, guest isolation | Transmission security, access control |
| Phase 2 — Server Prep | AD cleanup, security groups, GPOs (BitLocker, passwords, screen lock) | Access control, audit, encryption, unique user ID |
| Phase 3 — Domain Join | All staff PCs under centralized management | Workforce security, device management |
| Phase 4 — Synology Retirement | Move data to CS-SERVER with NTFS permissions + audit logging | Audit controls, access control, integrity |
| Phase 5 — Hardening | Remove shared accounts, RDS cleanup, final lockdown | Unique user ID, person authentication |
## Systems and PHI Flow
```
Nurses/MedTechs (staff PCs)
├──► ALIS (cloud, go-alis.com) — clinical/medical records
│ └── ALIS responsible for their own HIPAA compliance + BAA
├──► Synology NAS (cascadesDS, 192.168.0.120) — resident/facility data (MOVING TO CS-SERVER)
├──► CS-SERVER (192.168.2.254) — file shares, AD, DNS (migration target)
└──► M365 (cascadestucson.com) — email, may contain PHI in messages/attachments
```
## Non-PHI Systems (out of HIPAA scope)
| System | Purpose | Notes |
|--------|---------|-------|
| Kitchen iPads (9 units) | Food order taking | No PHI — only need access to kitchen thermal receipt printers. **Managed via ManageEngine MDM** |
| Kitchen thermal printers | Receipt printing | Bistro (TM-T88VII, 192.168.2.207) + Kitchen (TM-U220IIB, 10.0.20.225) |
| Resident room VLANs | Resident personal devices (TVs, phones) | No PHI — isolated /28 per room |
| Ring cameras (8 units) | Security cameras | No PHI |
| GoDaddy | Website hosting (cascadestucson.com) | Public website, no PHI |
## New Findings from Audit (2026-03-20)
| # | Gap | Severity | HIPAA Rule | Notes |
|---|-----|----------|------------|-------|
| 16 | **3 shared accounts with no password** (Nurses, memfrtdesk, Front Desk) — these PCs access ALIS | Critical | §164.312(a)(2)(i) — Unique User ID | NURSESTATION-PC, MEMRECEPT-PC, RECEPTIONIST-PC |
| 17 | **No audit logging on CS-SERVER** (Object Access = No Auditing) | Critical | §164.312(b) — Audit Controls | Cannot track who accessed PHI files |
| 18 | **13 months without Windows updates** on DESKTOP-LPOPV30 | High | §164.308(a)(1) — Security Management | 6 machines 3+ months behind |
| 19 | **Expired SSL certificate** on CS-SERVER (2025-04-02) | High | §164.312(e)(1) — Transmission Security | Causes Schannel errors |
| 20 | **krbtgt password 569 days old** | High | §164.312(a)(1) — Access Control | Should rotate every 180 days |
| 21 | **RDP without NLA** on ASSISTMAN-PC, DESKTOP-U2DHAP0 | High | §164.312(e)(1) — Transmission Security | Credential exposure risk |
| 22 | **TightVNC on MEMRECEPT-PC** | High | §164.312(a)(1) — Access Control | Unauthorized remote access tool |
| 23 | **No LAPS** — same local admin password on all machines | Medium | §164.312(a)(1) — Access Control | Lateral movement risk |
| 24 | **RestrictAnonymous = 0** on CS-SERVER | Medium | §164.312(a)(1) — Access Control | Null sessions allowed |
| 25 | **Protected Users group empty** | Medium | §164.312(a)(1) — Access Control | Admin accounts not protected |
| 26 | **Share permissions: Everyone=FullControl** on multiple shares | Medium | §164.312(a)(1) — Access Control | Culinary, directoryshare, Roaming |
## Quick Wins (Free, Can Do Now)
1. **Enable MFA on M365** — Security Defaults in Entra ID (free, takes 5 minutes)
2. **Sign Microsoft BAA** — M365 Admin Center → Settings → Org Settings → Security & Privacy → HIPAA BAA
3. **Verify ALIS BAA** — Ask management if they have a signed BAA with go-alis.com
4. **BitLocker GPO** — Enable via Security Baseline GPO once PCs are domain-joined (Phase 2.6)
## Recommendations (Paid)
| Service | Why | Cost | Priority |
|---------|-----|------|----------|
| Veeam Backup for M365 | Protect email/OneDrive containing PHI | ~$2-4/user/mo | Medium |
| Business Premium upgrade | DLP (prevent PHI in outbound email), Defender, Conditional Access | +$10/user/mo (~$340/mo net after shared mailbox savings) | Low — most gaps covered by free controls |
## Notes
- Cascades is assisted living, not a hospital — but nurses and medtechs handle PHI, making HIPAA applicable
- Previous MSP left the environment non-compliant — this project is a remediation effort
- ALIS handles the heavy clinical data in the cloud — local HIPAA focus is on access control, backup, encryption, and audit trails
- Kitchen area (iPads, thermal printers) is out of HIPAA scope — food service only
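Review bot: gap #1 ("Phase 0 (WSB → Synology)") and the phase table row "Windows Server Backup → Synology SMB share" describe Phase 0 as Windows Server Backup, whereas the backup document in this same commit specifies Synology Active Backup for Business with the ABB Windows agent on CS-SERVER for Phase 0.1; the two files should name one product so the contingency-plan evidence matches what actually gets deployed. Also, findings 16 through 26 in the New Findings table have a Notes column but no Migration Phase column, unlike findings 1 through 15, so it is unclear which phase owns the Critical items (the no-password shared accounts on the three ALIS PCs, Object Access auditing on CS-SERVER); suggest adding the column, for example mapping #17 to Phase 4 alongside gap #2 (NTFS audit logging on CS-SERVER), #16 to Phase 5 alongside gap #3 (shared account removal), and #23 (no LAPS) to Phase 2 with the Domain Admins cleanup, rather than leaving them unassigned.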

View File

@@ -0,0 +1,193 @@
# Mobile Device Management — Cascades
## Product
- **Platform:** ManageEngine Mobile Device Manager Plus
- **URL:** https://mdm.manageengine.com/
- **Account:** Created (setup pending)
- **Future consideration:** Microsoft Intune Shared Device Mode (requires Business Premium upgrade, ~+$10/user/mo). Enables per-user sign-in/sign-out with automatic data wipe. Better HIPAA audit trail at device level. Revisit when budget allows.
## Device Inventory
- **25 Android phones** — shared among employees (rotation model)
- **9 Kitchen iPads** — food service only, no PHI
- **Mode:** Device Owner (fully managed), shared device, no OS-level users
- **Kiosk:** Multi-app kiosk mode
## Phase 0 — Baseline Decision
| Setting | Value |
|---------|-------|
| Devices | Android (Zero-touch supported) |
| Mode | Device Owner (fully managed) |
| Usage | Shared device (no OS-level users) |
| Control | Kiosk mode (multi-app) |
| HIPAA audit trail | Application layer (ALIS login, browser sign-in) — not device level |
## Phase 1 — Prep MDM Environment
### 1.1 Configure MDM Tenant
- [ ] Set organization name (Cascades)
- [ ] Create admin accounts
- [ ] Configure email/SMS notification settings
### 1.2 Create Device Groups
| Group | Purpose |
|-------|---------|
| Cascades-Shared-Phones | 25 employee phones |
| Cascades-Kitchen-iPads | 9 kitchen iPads |
| Cascades-Test-Devices | 1-2 test devices |
### 1.3 Upload Apps to App Repository
- [ ] ALIS (EHR / medical records — go-alis.com, browser-based)
- [ ] Secure browser (if needed beyond Chrome)
- [ ] Microsoft Authenticator (if MFA required)
- [ ] Outlook (for shared mailbox access via SSO — future)
### 1.4 Build Baseline Policies
#### Security Policy
- Passcode required (6+ digits)
- Auto-lock: 2-5 minutes
- Encryption: ON
- Disable:
- USB file transfer
- Unknown app installs
- Developer options
#### Restrictions Policy
- Disable:
- Camera (if required by compliance)
- Bluetooth (optional)
- Screen capture
- Block personal Google accounts
#### App Policy
- Silent install required apps
- Force updates
- Prevent uninstall
#### Data Protection Policy
- Clear app data on logout (if supported)
- Disable copy/paste between apps
- Block cloud backups
#### Kiosk Profile (CRITICAL)
Multi-app kiosk mode — allow ONLY:
- Medical app (ALIS via browser)
- Browser (limited)
- Settings (optional, limited)
This turns the phone into a work terminal.
## Phase 2 — Zero-Touch Enrollment
### 2.1 Register with Android Zero-Touch
- URL: https://enterprise.google.com/android/zero-touch/
- [ ] Link reseller (Verizon, AT&T, etc.)
- [ ] Add ManageEngine as EMM provider
- [ ] Use ManageEngine's EMM config
### 2.2 Create Zero-Touch Configuration
In Zero-touch portal:
- EMM: ManageEngine
- Enrollment profile: Fully managed device, Device Owner mode
- Auto-assign to all 25 devices
### 2.3 Link Zero-Touch to ManageEngine
- [ ] Go to Enrollment > Android > Zero-touch in MDM
- [ ] Paste configuration details
**Result:** Phone powers on > connects to WiFi > auto-enrolls into ManageEngine > gets policies + apps + kiosk mode. No manual setup per device.
## Phase 3 — Device Staging
When phones arrive:
1. Unbox
2. Power on
3. Connect to WiFi
**Automatic:**
- Device contacts Google
- Pulls Zero-touch config
- Enrolls into ManageEngine
- Receives: policies, apps, kiosk mode
No manual setup needed per device.
## Phase 4 — Testing (DO NOT SKIP)
Test with 1-2 devices first:
- [ ] Auto enrollment works
- [ ] Apps install correctly
- [ ] Kiosk locks properly
- [ ] Cannot exit kiosk
- [ ] No personal account access
- [ ] Device wipes correctly from MDM
- [ ] ALIS login/logout works per user
- [ ] Browser doesn't save passwords or cookies
## Phase 5 — HIPAA Workflow
### 5.1 App Login Behavior
- Require unique user login to ALIS
- MFA if possible
- Auto logout after 5-10 min idle
### 5.2 Session Control
- Browser: disable saved passwords, clear cookies on exit
- Apps: disable offline storage if possible
### 5.3 Physical Device Labels
Label each phone: "Cascades Device 01" through "Cascades Device 25"
- Helps auditing + troubleshooting
## Phase 6 — Monitoring & Control
In ManageEngine MDM:
- Track: device compliance, app usage, last check-in, security status
- Enable: remote lock, remote wipe, lost mode
## Phase 7 — Ongoing Maintenance
| Frequency | Task |
|-----------|------|
| Weekly | Check compliance dashboard, review failed devices |
| Monthly | Update apps, review security policies |
| As needed | Remote wipe lost/stolen, add/remove apps |
## Kitchen iPads (9 units)
Separate from phones — food service only, no PHI.
### Policies
- Kiosk/lockdown mode (food ordering app only)
- Restrict to kitchen thermal printers only (Bistro 192.168.2.207, Kitchen 10.0.20.225)
- No browser/email/app store access
- WiFi profile: CSCNet (INTERNAL VLAN 20) only
### Enrollment
- [ ] Create iOS/iPadOS enrollment profile
- [ ] Apple DEP or manual enrollment (iPads may not support zero-touch without Apple Business Manager)
## Future Upgrades
| Upgrade | Benefit | Requires |
|---------|---------|----------|
| SSO Integration (Entra ID) | Faster logins, better audit trails | Entra Connect (planned) |
| Microsoft Intune Shared Device Mode | Per-user sign-in/sign-out with auto data wipe | Business Premium (~+$10/user/mo) |
| Per-app VPN | Encrypt only medical app traffic | VPN gateway |
| Audit logging | Track who logged in from which device | App-level or Intune |
## Common Mistakes to Avoid
- Skipping kiosk mode
- Allowing Google accounts
- Not enforcing auto logout
- Testing on all 25 at once
- Letting users store data locally
## Setup Status
- [ ] Phase 1 — MDM tenant setup
- [ ] Phase 2 — Zero-touch enrollment
- [ ] Phase 3 — Device staging
- [ ] Phase 4 — Testing (1-2 devices)
- [ ] Phase 5 — HIPAA workflow
- [ ] Phase 6 — Monitoring enabled
- [ ] Phase 7 — Ongoing maintenance schedule
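Review bot: the Kitchen iPads policy "WiFi profile: CSCNet (INTERNAL VLAN 20) only" conflicts with the HIPAA document in this commit, which lists "Kitchen iPads on same VLAN as staff PCs" as gap #10 with the remediation "Restrict iPads to kitchen printers only"; pinning the iPads to the internal VLAN keeps them next to the PCs that access ALIS, so the WiFi profile should point at a dedicated kitchen SSID/VLAN with a firewall rule allowing only the two printers (192.168.2.207 and 10.0.20.225), or the gap entry should be updated to say why VLAN 20 is acceptable. Two further points in the phone section: the Kiosk Profile allows "Settings (optional, limited)", and on a shared Device Owner phone any Settings access that reaches WiFi, accounts or developer options is an exit path from the kiosk, so the Phase 4 item "Cannot exit kiosk" should explicitly test the Settings allowlist; and the Phase 0 baseline states the HIPAA audit trail is application layer only, so the "Cascades Device 01" through "Cascades Device 25" labels only support an audit if something records which employee held which device and when, which the Phase 5 workflow does not yet include (a device sign-out log, or matching ALIS login timestamps to the device label, would close that).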