scc: Session save and push from GURU-5070 at 2026-06-05 10:35
glaztech: :3436 backup-job recon + Tom's architectural reply; session log update. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@@ -90,3 +90,61 @@ SELECT name,data_source FROM sys.servers WHERE is_linked=1 # the mesh (0.54/0.
- Ticket: #32378 (id 112111185), Waiting on Customer. Comments 417493519 + 417494988.
- Coord todos: `aebaf751` (least-priv `tom` migration), `6d15fc88` (E2-E4 containment).
- GuruRMM: WWW agent `455a1bc7-1c29-42bc-b597-fa1e64f08eec`; GTI-INV-SQL agent `869e56b4-e8ed-4808-8c88-782d1577c152`.

## Update: 10:35 PT — :3436 backup-job recon + Tom's architectural reply

### Summary
Completed the `:3436` SQL Agent job-definition recon (via tom credential, read-only) and
reconciled two reachability checks. Then Tom replied to the partnership message with a
substantial list of work he's already doing — which materially shifts ACG's role.

### Recon findings
- **`192.168.0.55,55181` (mas_gti linked server) is LIVE** = `GTI-FINANCESVR`, SQL Server 2019
(15.0.4322.2). The website's accounting connection is current, NOT vestigial. "Old MAS90 dead"
refers to the retired app/box, not this data path.
- **`SAGE2025` enrolled in RMM** (Glaztech / TUS-Tucson) — new payroll server. Distinct from
GTI-FINANCESVR. (This is why we asked Tom how qqest/payroll is used rather than assuming.)
- **Cleartext domain-admin password (`glaztech\administrator`) sits in ~10-12 backup-job copy
steps** across 6 jobs on `:3436`. Pattern (redacted): `exec xp_cmdshell 'net use
\192.168.8.52\sql_backup\... /user:glaztech\administrator <PW> /persistent:yes'` then
`xp_cmdshell 'copy d:\sql_backup\...\*.* \192.168.8.52\... /y'`. Jobs: Glaz PDF Differential
(Daily) to 8.62; Glaz PDF Full (weekly) to 8.52 + to 8.62; Glaz Prod Archive Full Monthly;
Glaz Prod Differential (Hourly) to 8.62; Glaz Prod Full (Daily) to 8.62. Most also have a
`.212` copy step. `Copy EndofWeek Backups` uses xp_cmdshell for a LOCAL copy only (no creds).
- The `BACKUP DATABASE` steps themselves are clean TSQL → local disk. Only the push-to-share step
carries the cleartext credential. Fix = replace each copy step with a CmdExec robocopy under the
service account's own share access (no net use), OR BACKUP TO DISK=UNC directly. That removes the
cleartext password AND the last xp_cmdshell dependency → unblocks disabling xp_cmdshell.
- The bulk of `:3436` jobs are GTIware automation (`gt_console_apps.exe` modes + d:\sql_jobs\*.bat)
plus `del \192.168.0.147\web\glaztech_4\pdf_output\*.pdf` (confirms 192.168.0.147 = 2nd web host).
Any dedicated Agent service account (E4) must retain DB + d:\sql_jobs + \192.168.0.147 +
8.52/8.212 backup-share access.

### Tom's reply (strategy shift)
Tom independently: encrypted cc_number (cc_number_encrypted) + CVV (cc_code_encrypted) + website
login passwords; is building separate web-only databases on 0.55 (no cc_file), with a new low-priv
`web` login replacing his personal login; converting inline SQL to stored procs; long-term moving
all DB access into *.dll library layer. This is the architectural fix we scoped — ACG's role shifts
from "carry the app work" to validate/align + own backend infra (the :3436 cleartext/xp_cmdshell/sa/
domain-admin rotation, WAF, network segmentation).

### Caveats raised to Tom (drafted reply, ask/remind tone)
1. CVV must not be retained at all even encrypted (PCI 3.2) — drop the column. (The one must-fix.)
2. Confirm PAN decryption key isolation (key out of web login's reach).
3. Confirm passwords are salted one-way hash vs reversible encrypt; retire any plaintext-password email.
4. Confirm new `web` login on 0.55 is scoped off the co-resident accounting (mas_gti) data.
5. Confirm back-office billing engine still points at 8.62 cc_file (cutover safety).
Offered: the quo() fix-list as a stored-proc conversion checklist; help defining the web login grants.

### Files
- Committed (fdcf014): clients/glaztech/reports/2026-06-05-tom-message-draft.md (final),
2026-06-05-quo-sql-fix-list.md (80 quo() sites / 15 files).
- New: clients/glaztech/reports/2026-06-05-tom-reply-draft.md + Outlook draft opened.

### Pending
- Await Tom's answers (CVV drop, key location, hash vs encrypt, web-login isolation, billing path).
- ACG-owned Tier A still ours: recreate :3436 backup copy steps clean (CmdExec robocopy / dedicated
service account on 8.52/8.212) -> disable xp_cmdshell -> disable sa -> rotate glaztech\administrator;
WAF + SQL network segmentation. Sequence: E4 service acct -> clean copy steps -> xp_cmdshell off ->
domain-admin rotation.
- Reference 58KB job dump: tool-results/b30gcchnr.txt (this session's transcript dir).
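Review bot: the last Pending bullet links the raw 58KB job dump (`tool-results/b30gcchnr.txt`) as a durable reference, but the Recon findings say that job-definition output is exactly where the cleartext `glaztech\administrator` password sits in ~10-12 copy steps across 6 jobs, so the log should state that the dump is scrubbed (the way the quoted `net use` pattern was reduced to `<PW>`) or is excluded from anything committed, rather than cited as-is; a file that carries a domain-admin credential should not outlive the rotation the same bullet plans. Two smaller points in the same section: the "Sequence:" line (`E4 service acct -> clean copy steps -> xp_cmdshell off -> domain-admin rotation`) drops the `disable sa` step that the preceding sentence lists between xp_cmdshell and the rotation, so the two orderings should be reconciled before the Tier A work is scheduled; and the UNC paths in the Recon findings are written with a single leading backslash (`\192.168.8.52\sql_backup\...`, `\192.168.0.147\web\...`), which will be copied wrong into the replacement robocopy / BACKUP TO DISK=UNC steps unless corrected to `\\host\share` form.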