scc: Session save and push from GURU-5070 at 2026-06-05 10:35

glaztech: :3436 backup-job recon + Tom's architectural reply; session log update.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-06-05 11:34:56 -07:00
parent 1ecdc903c3
commit 2ac6c568fb
3 changed files with 99 additions and 1 deletions


@@ -90,3 +90,61 @@ SELECT name,data_source FROM sys.servers WHERE is_linked=1 # the mesh (0.54/0.
- Ticket: #32378 (id 112111185), Waiting on Customer. Comments 417493519 + 417494988.
- Coord todos: `aebaf751` (least-priv `tom` migration), `6d15fc88` (E2-E4 containment).
- GuruRMM: WWW agent `455a1bc7-1c29-42bc-b597-fa1e64f08eec`; GTI-INV-SQL agent `869e56b4-e8ed-4808-8c88-782d1577c152`.
## Update: 10:35 PT — :3436 backup-job recon + Tom's architectural reply
### Summary
Completed the `:3436` SQL Agent job-definition recon (via tom credential, read-only) and
reconciled two reachability checks. Then Tom replied to the partnership message with a
substantial list of work he's already doing — which materially shifts ACG's role.
### Recon findings
- **`192.168.0.55,55181` (mas_gti linked server) is LIVE** = `GTI-FINANCESVR`, SQL Server 2019
(15.0.4322.2). The website's accounting connection is current, NOT vestigial. "Old MAS90 dead"
refers to the retired app/box, not this data path.
- **`SAGE2025` enrolled in RMM** (Glaztech / TUS-Tucson) — new payroll server. Distinct from
GTI-FINANCESVR. (This is why we asked Tom how qqest/payroll is used rather than assuming.)
- **Cleartext domain-admin password (`glaztech\administrator`) sits in ~10-12 backup-job copy
steps** across 6 jobs on `:3436`. Pattern (redacted): `exec xp_cmdshell 'net use
\192.168.8.52\sql_backup\... /user:glaztech\administrator <PW> /persistent:yes'` then
`xp_cmdshell 'copy d:\sql_backup\...\*.* \192.168.8.52\... /y'`. Jobs: Glaz PDF Differential
(Daily) to 8.62; Glaz PDF Full (weekly) to 8.52 + to 8.62; Glaz Prod Archive Full Monthly;
Glaz Prod Differential (Hourly) to 8.62; Glaz Prod Full (Daily) to 8.62. Most also have a
`.212` copy step. `Copy EndofWeek Backups` uses xp_cmdshell for a LOCAL copy only (no creds).
- The `BACKUP DATABASE` steps themselves are clean TSQL → local disk. Only the push-to-share step
carries the cleartext credential. Fix = replace each copy step with a CmdExec robocopy under the
service account's own share access (no net use), OR BACKUP TO DISK=UNC directly. That removes the
cleartext password AND the last xp_cmdshell dependency → unblocks disabling xp_cmdshell.
- The bulk of `:3436` jobs are GTIware automation (`gt_console_apps.exe` modes + d:\sql_jobs\*.bat)
plus `del \192.168.0.147\web\glaztech_4\pdf_output\*.pdf` (confirms 192.168.0.147 = 2nd web host).
Any dedicated Agent service account (E4) must retain DB + d:\sql_jobs + \192.168.0.147 +
8.52/8.212 backup-share access.
### Tom's reply (strategy shift)
Tom independently: encrypted cc_number (cc_number_encrypted) + CVV (cc_code_encrypted) + website
login passwords; is building separate web-only databases on 0.55 (no cc_file), with a new low-priv
`web` login replacing his personal login; converting inline SQL to stored procs; long-term moving
all DB access into *.dll library layer. This is the architectural fix we scoped — ACG's role shifts
from "carry the app work" to validate/align + own backend infra (the :3436 cleartext/xp_cmdshell/sa/
domain-admin rotation, WAF, network segmentation).
### Caveats raised to Tom (drafted reply, ask/remind tone)
1. CVV must not be retained at all even encrypted (PCI 3.2) — drop the column. (The one must-fix.)
2. Confirm PAN decryption key isolation (key out of web login's reach).
3. Confirm passwords are salted one-way hash vs reversible encrypt; retire any plaintext-password email.
4. Confirm new `web` login on 0.55 is scoped off the co-resident accounting (mas_gti) data.
5. Confirm back-office billing engine still points at 8.62 cc_file (cutover safety).
Offered: the quo() fix-list as a stored-proc conversion checklist; help defining the web login grants.
### Files
- Committed (fdcf014): clients/glaztech/reports/2026-06-05-tom-message-draft.md (final),
2026-06-05-quo-sql-fix-list.md (80 quo() sites / 15 files).
- New: clients/glaztech/reports/2026-06-05-tom-reply-draft.md + Outlook draft opened.
### Pending
- Await Tom's answers (CVV drop, key location, hash vs encrypt, web-login isolation, billing path).
- ACG-owned Tier A still ours: recreate :3436 backup copy steps clean (CmdExec robocopy / dedicated
service account on 8.52/8.212) -> disable xp_cmdshell -> disable sa -> rotate glaztech\administrator;
WAF + SQL network segmentation. Sequence: E4 service acct -> clean copy steps -> xp_cmdshell off ->
domain-admin rotation.
- Reference 58KB job dump: tool-results/b30gcchnr.txt (this session's transcript dir).
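Review bot: the E4 service-account access list ("must retain DB + d:\sql_jobs + \192.168.0.147 + 8.52/8.212 backup-share access") omits 8.62, yet the job list in the same hunk names 8.62 as the destination for Glaz PDF Differential (Daily), Glaz PDF Full (weekly), Glaz Prod Differential (Hourly) and Glaz Prod Full (Daily); add 8.62 there and in the Pending item ("dedicated service account on 8.52/8.212"), otherwise the first rebuilt copy step to 8.62 fails at cutover. Two smaller points on the proposed fix: the two alternatives grant share rights to different accounts, since a CmdExec robocopy runs under the Agent service account or its proxy while "BACKUP TO DISK=UNC directly" has the Database Engine service account write the file itself, so the log should say which account gets the share ACL in each case; and because the cleartext glaztech\administrator password is readable by anyone who can view the job definitions (this hunk records recovering it under a read-only credential), the sequence that puts domain-admin rotation last should note why it is deferred, or schedule an interim rotation once the clean copy steps are in place and a final one after the old steps and recon credentials are retired.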