sync: auto-sync from Mikes-MacBook-Air.local at 2026-07-08 06:49:28

Author: Mike Swanson
Machine: Mikes-MacBook-Air.local
Timestamp: 2026-07-08 06:49:28
This commit is contained in:
2026-07-08 06:49:37 -07:00
parent fc12c596f1
commit 2a1ea6c9f7
10 changed files with 22260 additions and 4 deletions

View File

@@ -2,8 +2,8 @@
type: client
name: glaztech
display_name: Glaz-Tech Industries
last_compiled: 2026-06-04
compiled_by: DESKTOP-0O8A1RL/claude-main
last_compiled: 2026-07-08
compiled_by: Mikes-MacBook-Air/claude-main
sources:
- clients/glaztech/session-logs/2026-04-20-session.md
- clients/glaztech/session-logs/2026-04-21-session.md
@@ -30,7 +30,9 @@ backlinks: []
- **Active tickets:** #32186 (M365 Security Review / MFA, In Progress as of 2026-04-21), #32376 (Apex 404 + redirect, Resolved, 2026-06-03), #32377 (CyberSource TLS payment outage, Resolved, 2026-06-03), #32378 (Security assessment / PCI remediation, **Waiting on Customer** as of 2026-06-03 — assessment + reports delivered, Tom replied, client to remediate)
- **Prepaid block remaining:** ~22.25 hrs (drew 26.5 → 22.25 on 2026-06-03)
- **GuruRMM client ID:** d857708c-5713-4ee5-a314-679f86d2f9f9
- **GuruRMM site:** SLC - Salt Lake City (Site ID: 290bd2ea-4af5-49c6-8863-c6d58c5a55de)
- **GuruRMM sites:** 11 sites created 2026-07-08 (TUC, SAN, PHX, DEN, BOI, SLC, BRL, INV, SHV, ABQ, REMOTE)
- Enrollment codes vaulted in `~/vault/clients/glaztech/gururmm-site-*.sops.yaml`
- 81+ agents enrolled as of 2026-07-08 (199 Windows machines total across 11 sites)
## Infrastructure
@@ -368,6 +370,7 @@ Message trace confirmed shannon@glaztech.com receives no MailProtector digests a
- **2026-06-03 (late — ~19:32 PT)** — **Tom (GTIware dev) replied to #32378** clarifying that the website's online payment system stores no card data — he is correct. Investigation of Tom's reply surfaced the **top critical finding (C0):** the website connects to the shared SQL server `GTI-INV-SQL` (192.168.8.62,3436) as SQL login `tom`, a **named SQL login that is a member of the `sysadmin` role** (created 2018; password in `Web.config`). The instance hosts 46 databases shared between GTIware and the website. Because SQLi executes as the connecting login, the website's `quo()` injection = sysadmin over the entire `GTI-INV-SQL` instance; cross-database card-table reads confirmed live. **Attribution corrected in both reports:** the website is the access path (C0); GTIware (staff-operated) writes the cards. Sage CC module confirmed disabled (0 stored cards, not a CHD location). Both reports updated. Plain-English reply posted to Tom on #32378 (public+emailed, comment 417070212) explaining the sysadmin+SQLi chain and the four required fixes. Ticket set to **Waiting on Customer**.
- **2026-06-04 (morning)** — **Read-only intrusion/brute-force log review** on `WWW` (GuruRMM agent 455a1bc7, v0.6.54). Reviewed 7 days of IIS W3SVC4 logs (~52,000 requests, May 29 Jun 4) and Windows Security event log (4625/4624 events, 7-day window, log retained back to 2026-03-31). **Finding: NO evidence of a brute-force or intrusion attempt** against the website logins or the Windows server. Customer login traffic is normal (2,547 successes/740 IPs). Employee login: initial "381 failures" corrected — the employee login returns HTTP 200 on BOTH success and failure (status code is not an auth-outcome signal); all flagged IPs proved to be legitimate employees. Windows Security log: 13 failed logons in 7 days, all SMB type 3 from internal LAN IPs, zero external, no RDP failures. **Key confirmation:** the H5 detection blind spot is real — 200-on-both + no failed-login logging + no lockout = a slow guessing attack would currently be completely invisible. HTTP 500 bursts on post-login pages flagged as an open app-side item. Findings folded into security report as Appendix A. Ticket #32378 remains Waiting on Customer.
- **2026-06-04 (09:38 PT) — Deep host + SQL-infrastructure recon (Grok gap-analysis loop).** Collaborative gap-analysis (Claude + Grok CLI, 4 turns, session `019e9351-ed1c-7bc3-b171-b4cf4b53745d`) plus 3 read-only GuruRMM pulls on `WWW` (recon1/recon2/recon3). New confirmed findings folded into assessment report as **C0-Extended**, findings **C5/H9/H10**, and **Emergency-containment roadmap bucket (E1E5)**. Key discoveries: GTIware card engine co-resident in public IIS worker on `tom` sysadmin connection; `xp_cmdshell=1` already enabled on `GTI-INV-SQL`; SQL Agent runs as domain-admin `Administrator@glaztech.com`; cleartext `glaztech\administrator` domain-admin password embedded in `msdb` job steps (redacted; must rotate); 7 linked servers spanning two subnets; `sa` enabled; all 47 DBs unencrypted; `Everyone:(R)` ACL on web root; firewall Private/Public Off; TLS 1.0 explicitly Enabled=1; new Samsara webhook endpoints. **Retraction:** earlier draft mis-flagged `kgc7jt` ScreenConnect Cloud as "foreign/unrecognized third-party access" (draft finding C6) — **fully retracted**; both ScreenConnect instances and all other management agents (Datto RMM/EDR, Syncro, Splashtop, GuruRMM) are ACG's sanctioned stack. RealVNC 4.x remains H2 (EoL, Steve's tool). Two coord todos filed: `6d15fc88` (domain-admin rotation + xp_cmdshell/sa) and `aebaf751` (least-priv `tom` migration).
- **2026-07-08 — GuruRMM fleet deployment.** Mass deployment of GuruRMM agents to all 199 Glaztech Windows machines across 11 sites via ScreenConnect. Created 9 new RMM sites (SAN, PHX, DEN, BOI, SLC, BRL, SHV, ABQ, REMOTE) + TUC/INV pre-existing. Mapped ScreenConnect site tags (CP2) to RMM enrollment codes based on subnet analysis (192.168.0-12.x MPLS topology). Initial deployment failed silently (199 commands sent, 0 installs) due to incorrect installer URL (`/install/{code}` returns HTML landing page). Corrected to `/install/{code}/download/msi` (actual MSI). Tested on DENJOHNNY successfully. Re-deployed with error checking and proper URL. Result: 81 agents enrolled within 11 minutes (59% of online machines, 76 new installations). Commands queued for 62 offline machines. Enrollment codes vaulted in `~/vault/clients/glaztech/gururmm-site-*.sops.yaml`. Deployment script: `.deploy-glaztech-rmm.py`. Key lesson logged to errorlog.md: GuruRMM installer landing page vs. direct download URL structure.
## Backlinks