rmm: Blaster2 (Jimmy Company) onboarding diagnostic baseline — RED (3 crit: Kaseya, Win10 EOL, RDP no-NLA)

2026-06-19 12:18:23 -07:00
parent 768f543d70
commit 4b7f3c40e4
2 changed files with 1220 additions and 0 deletions


@@ -0,0 +1,945 @@
{
"host": "BLASTER2",
"collected_at_utc": "2026-06-19T19:17:04Z",
"os": {
"caption": "Microsoft Windows 10 Pro",
"version": "10.0.19045",
"build": "19045",
"install_date": "2023-07-20T18:05:54Z",
"last_boot_utc": "2026-06-19T15:48:34Z",
"architecture": "64-bit"
},
"facts": {
"builtin_admin_enabled": false,
"os_eol": {
"eol_date": "2025-10-14",
"release": "Win10 22H2"
},
"pending_updates": 5,
"pending_reboot": true,
"uptime_days": 0.1,
"acg_managed_tools": [
"ScreenConnect / ConnectWise Control",
"Splashtop (SOS/Streamer)",
"Syncro / Kabuto"
],
"hardware": {
"model": "0967B5U",
"manufacturer": "LENOVO",
"bios_date": "2013-07-15",
"cpu_logical": 4,
"bios_version": "F1KT54AUS",
"cpu_cores": 4,
"ram_gb": 3.8,
"serial": "MGN1197",
"cpu": "Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz"
},
"third_party_av_active": false,
"os_build": "19045",
"secure_boot": null,
"backup_agents": [
{
"label": "Acronis",
"service": "AcrSch2Svc",
"state": "Running"
},
{
"label": "Acronis",
"service": "afcdpsrv",
"state": "Running"
},
{
"label": "Acronis",
"service": "syncagentsrv",
"state": "Running"
}
],
"autoruns_run_keys": [
{
"key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"name": "SecurityHealth",
"value": "C:\\WINDOWS\\system32\\SecurityHealthSystray.exe"
},
{
"key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"name": "RTHDVCPL",
"value": "C:\\Program Files\\Realtek\\Audio\\HDA\\RAVCpl64.exe -s"
},
{
"key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
"name": "Fastboot",
"value": "C:\\Program Files (x86)\\Lenovo\\RapidBoot HDD Accelerator\\FBConsole.exe"
}
],
"local_users": [
{
"last_logon": "2013-10-17",
"name": "Administrator",
"password_never_expires": false,
"enabled": false
},
{
"last_logon": "",
"name": "DefaultAccount",
"password_never_expires": false,
"enabled": false
},
{
"last_logon": "",
"name": "Guest",
"password_never_expires": false,
"enabled": false
},
{
"last_logon": "",
"name": "HomeGroupUser$",
"password_never_expires": false,
"enabled": true
},
{
"last_logon": "2026-06-19",
"name": "Jimmy",
"password_never_expires": false,
"enabled": true
},
{
"last_logon": "2026-06-18",
"name": "localadmin",
"password_never_expires": false,
"enabled": true
},
{
"last_logon": "2026-05-27",
"name": "scans",
"password_never_expires": false,
"enabled": true
},
{
"last_logon": "",
"name": "WDAGUtilityAccount",
"password_never_expires": false,
"enabled": false
}
],
"scheduled_tasks_count": 10,
"volumes": [
{
"drive": "C:",
"size_gb": 230,
"free_pct": 31.2,
"free_gb": 71.9
},
{
"drive": "E:",
"size_gb": 7451.9,
"free_pct": 0,
"free_gb": 0.7
},
{
"drive": "Q:",
"size_gb": 2.3,
"free_pct": 96,
"free_gb": 2.2
}
],
"network_adapters": [
{
"dhcp": true,
"description": "Realtek PCIe GbE Family Controller",
"gateway": [
"192.168.0.1"
],
"mac": "D4:3D:7E:CE:57:29",
"ip": [
"192.168.0.95",
"fe80::c6a9:daea:630b:2011"
],
"dns": [
"8.8.8.8",
"8.8.4.4"
]
}
],
"failed_autostart_services": [
{
"name": "GoogleUpdaterInternalService150.0.7863.0",
"display": "Google Updater Internal Service (GoogleUpdaterInternalService150.0.7863.0)",
"state": "Stopped"
},
{
"name": "GoogleUpdaterService150.0.7863.0",
"display": "Google Updater Service (GoogleUpdaterService150.0.7863.0)",
"state": "Stopped"
},
{
"name": "gpsvc",
"display": "Group Policy Client",
"state": "Stopped"
},
{
"name": "KaseyaConnectAPIService",
"display": "Kaseya Connect API Service",
"state": "Stopped"
},
{
"name": "RasMan",
"display": "Remote Access Connection Manager",
"state": "Stopped"
},
{
"name": "stisvc",
"display": "Windows Image Acquisition (WIA)",
"state": "Stopped"
},
{
"name": "WMPNetworkSvc",
"display": "Windows Media Player Network Sharing Service",
"state": "Stopped"
}
],
"stability_14d": {
"unexpected_shutdowns": 2,
"disk_errors": 0,
"bugchecks": 0
},
"exposure": {
"smb1_enabled": false,
"laps_present": true,
"rdp_enabled": true,
"uac_enabled": true,
"rdp_nla": false
},
"accounts_password_never_expires": [],
"installed_software": [
{
"publisher": "Adobe",
"name": "Adobe Acrobat (64-bit)",
"version": "24.002.20895"
},
{
"publisher": "HARMAN International",
"name": "Adobe AIR",
"version": "33.1.1.821"
},
{
"publisher": "Adobe Systems Incorporated",
"name": "Adobe Refresh Manager",
"version": "1.8.0"
},
{
"publisher": "Adobe Systems, Inc.",
"name": "Adobe Shockwave Player 12.1",
"version": "12.1.3.153"
},
{
"publisher": "Research In Motion Ltd.",
"name": "BlackBerry Desktop Software 7.1",
"version": "7.1.0.41"
},
{
"publisher": "Research In Motion Ltd.",
"name": "BlackBerry Device Software v6.0.0 for the BlackBerry 9650 smartphone",
"version": "6.0.0.719 (Platform 4.4.0.560)"
},
{
"publisher": "FranklinCovey",
"name": "FormsWizard",
"version": "4.0.50"
},
{
"publisher": "Google LLC",
"name": "Google Chrome",
"version": "149.0.7827.115"
},
{
"publisher": "Google Inc.",
"name": "Google Toolbar for Internet Explorer",
"version": "1.0.0"
},
{
"publisher": "Google Inc.",
"name": "Google Update Helper",
"version": "1.3.25.11"
},
{
"publisher": "Intel",
"name": "Intel AppUp(R) center",
"version": "3.8.0.41900.72"
},
{
"publisher": "Intel Corporation",
"name": "Intel(R) Control Center",
"version": "1.2.1.1007"
},
{
"publisher": "Intel Corporation",
"name": "Intel(R) Management Engine Components",
"version": "8.0.0.1351"
},
{
"publisher": "Intel Corporation",
"name": "Intel(R) OpenCL CPU Runtime",
"version": ""
},
{
"publisher": "Intel Corporation",
"name": "Intel(R) Processor Graphics",
"version": "9.17.10.2932"
},
{
"publisher": "Intel Corporation",
"name": "Intel? Trusted Connect Service Client",
"version": "1.23.216.0"
},
{
"publisher": "Oracle",
"name": "Java 7 Update 65 (64-bit)",
"version": "7.0.650"
},
{
"publisher": "Oracle",
"name": "Java 7 Update 67",
"version": "7.0.670"
},
{
"publisher": "Oracle, Inc.",
"name": "Java Auto Updater",
"version": "2.1.67.1"
},
{
"publisher": "KYOCERA Document Solutions Inc.",
"name": "Kyocera Product Library",
"version": "5.0.2608"
},
{
"publisher": "KYOCERA Document Solutions Inc.",
"name": "KYOCERA Status Monitor 5",
"version": "5.0.52.4"
},
{
"publisher": "KYOCERA Document Solutions Inc.",
"name": "Kyocera TWAIN Driver",
"version": "2.0.6513"
},
{
"publisher": "Lenovo Group Limited",
"name": "Lenovo Patch Utility 64 bit",
"version": "1.3.0.9"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft .NET Framework 4.8",
"version": "4.8.03761"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Edge",
"version": "149.0.4022.69"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Edge WebView2 Runtime",
"version": "149.0.4022.69"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Office Home and Business 2013 - en-us",
"version": "15.0.5603.1000"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Silverlight",
"version": "5.1.50918.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft SQL Server 2012 Express LocalDB ",
"version": "11.3.6020.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft SQL Server 2012 Management Objects (x64)",
"version": "11.1.3000.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft System CLR Types for SQL Server 2012 (x64)",
"version": "11.1.3000.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Update Health Tools",
"version": "3.74.0.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2005 Redistributable",
"version": "8.0.56336"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2005 Redistributable",
"version": "8.0.59193"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2005 Redistributable",
"version": "8.0.61001"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2005 Redistributable (x64)",
"version": "8.0.56336"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2005 Redistributable (x64)",
"version": "8.0.59192"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2005 Redistributable (x64)",
"version": "8.0.61000"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148",
"version": "9.0.30729.4148"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161",
"version": "9.0.30729.6161"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17",
"version": "9.0.30729"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148",
"version": "9.0.30729.4148"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161",
"version": "9.0.30729.6161"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219",
"version": "10.0.40219"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219",
"version": "10.0.40219"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501",
"version": "12.0.30501.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005",
"version": "12.0.21005"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005",
"version": "12.0.21005"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.44.35112",
"version": "14.44.35112.1"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.44.35112",
"version": "14.44.35112"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.44.35112",
"version": "14.44.35112"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual Studio 2010 Tools for Office Runtime (x64)",
"version": "10.0.50903"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual Studio 2010 Tools for Office Runtime (x64)",
"version": "10.0.50908"
},
{
"publisher": "Microsoft Corporation",
"name": "MSXML 4.0 SP2 (KB954430)",
"version": "4.20.9870.0"
},
{
"publisher": "Microsoft Corporation",
"name": "MSXML 4.0 SP2 (KB973688)",
"version": "4.20.9876.0"
},
{
"publisher": "Microsoft Corporation",
"name": "MSXML 4.0 SP2 Parser and SDK",
"version": "4.20.9818.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Office 15 Click-to-Run Extensibility Component",
"version": "15.0.5603.1000"
},
{
"publisher": "Microsoft Corporation",
"name": "Office 15 Click-to-Run Licensing Component",
"version": "15.0.5603.1000"
},
{
"publisher": "Microsoft Corporation",
"name": "Office 15 Click-to-Run Localization Component",
"version": "15.0.5603.1000"
},
{
"publisher": "Arizona Computer Guru",
"name": "Online Backup 8.6",
"version": "8.6"
},
{
"publisher": "Oracle Corporation",
"name": "Oracle VM VirtualBox 6.1.34",
"version": "6.1.34"
},
{
"publisher": "Newsoft Technology Corporation",
"name": "Presto! PageManager 9.06 Standard",
"version": "9.06.00"
},
{
"publisher": "Intuit Inc.",
"name": "QuickBooks",
"version": "22.0.4016.2206"
},
{
"publisher": "Intuit Inc.",
"name": "QuickBooks Premier: Accountant Edition 2012",
"version": "22.0.4016.2206"
},
{
"publisher": "Lenovo",
"name": "RapidBoot HDD Accelerator",
"version": "1.00.0802"
},
{
"publisher": "Realtek",
"name": "Realtek Ethernet Controller All-In-One Windows Driver",
"version": "1.12.0016"
},
{
"publisher": "Realtek Semiconductor Corp.",
"name": "Realtek High Definition Audio Driver",
"version": "6.0.1.6602"
},
{
"publisher": "ScreenConnect Software",
"name": "ScreenConnect Client (1912bf3444b41a08)",
"version": "26.3.11.9650"
},
{
"publisher": "Splashtop Inc.",
"name": "Splashtop Streamer",
"version": "3.8.4.0"
},
{
"publisher": "Adobe Systems, Inc",
"name": "swMSM",
"version": "12.0.0.1"
},
{
"publisher": "Servably, Inc.",
"name": "Syncro",
"version": "1.0.201.18410"
},
{
"publisher": "Acronis",
"name": "True Image 2013",
"version": "16.0.6514"
},
{
"publisher": "Acronis",
"name": "True Image 2013 Plus Pack",
"version": "16.0.6514"
},
{
"publisher": "Tweaking.com",
"name": "Tweaking.com - Windows Repair",
"version": "4.14.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Update for Windows 10 for x64-based Systems (KB5001716)",
"version": "8.94.0.0"
},
{
"publisher": "VideoLAN",
"name": "VLC media player",
"version": "3.0.18"
},
{
"publisher": "VideoLAN",
"name": "VLC media player",
"version": "3.0.23"
},
{
"publisher": "Intel Corporation",
"name": "Windows Driver Package - Intel Corporation (igfx) Display (03/19/2012 8.15.10.2696)",
"version": "03/19/2012 8.15.10.2696"
},
{
"publisher": "Intel",
"name": "Windows Driver Package - Intel hdc (09/10/2010 9.2.0.1011)",
"version": "09/10/2010 9.2.0.1011"
},
{
"publisher": "Intel",
"name": "Windows Driver Package - Intel System (08/26/2011 9.3.0.1011)",
"version": "08/26/2011 9.3.0.1011"
},
{
"publisher": "Intel",
"name": "Windows Driver Package - Intel System (09/10/2010 9.2.0.1011)",
"version": "09/10/2010 9.2.0.1011"
},
{
"publisher": "Intel",
"name": "Windows Driver Package - Intel System (11/20/2010 9.2.0.1016)",
"version": "11/20/2010 9.2.0.1016"
},
{
"publisher": "Intel",
"name": "Windows Driver Package - Intel USB (12/21/2010 9.2.0.1021)",
"version": "12/21/2010 9.2.0.1021"
},
{
"publisher": "Realtek",
"name": "Windows Driver Package - Realtek (RTL8167) Net (11/23/2011 7.050.1123.2011)",
"version": "11/23/2011 7.050.1123.2011"
},
{
"publisher": "Realtek Semiconductor Corp.",
"name": "Windows Driver Package - Realtek Semiconductor Corp. HD Audio Driver (03/27/2012 6.0.1.6602)",
"version": "03/27/2012 6.0.1.6602"
},
{
"publisher": "Microsoft Corporation",
"name": "Windows XP Mode",
"version": "1.3.7600.16423"
}
],
"tpm": {
"enabled": false,
"ready": false,
"present": false
},
"local_groups": [
"HomeUsers",
"Access Control Assistance Operators",
"Administrators",
"Backup Operators",
"Cryptographic Operators",
"Distributed COM Users",
"Event Log Readers",
"Guests",
"Hyper-V Administrators",
"IIS_IUSRS",
"Network Configuration Operators",
"Performance Log Users",
"Performance Monitor Users",
"Power Users",
"Remote Desktop Users",
"Remote Management Users",
"Replicator",
"System Managed Accounts Group",
"Users"
],
"battery": {
"present": false
},
"activation": {
"edition": "Microsoft Windows 10 Pro",
"description": "Windows(R) Operating System, RETAIL channel",
"licensed": true,
"license_status_code": 1
},
"time_source": "time.windows.com,0x9",
"chassis_types": [
3
],
"last_hotfix": {
"hotfix_id": "KB5037768",
"installed_on": "2024-05-16T07:00:00Z"
},
"scheduled_tasks": [
{
"path": "\\",
"name": "CreateExplorerShellUnelevatedTask",
"state": "Ready"
},
{
"path": "\\",
"name": "MicrosoftEdgeUpdateTaskMachineCore",
"state": "Ready"
},
{
"path": "\\",
"name": "MicrosoftEdgeUpdateTaskMachineUA",
"state": "Ready"
},
{
"path": "\\",
"name": "OneDrive Standalone Update Task-S-1-5-21-2324952135-2376640506-3994532062-1007",
"state": "Ready"
},
{
"path": "\\",
"name": "Shutdown",
"state": "Ready"
},
{
"path": "\\GoogleSystem\\GoogleUpdater\\",
"name": "GoogleUpdaterTaskSystem150.0.7863.0{3D96EE47-16CF-4988-B177-30FBA8EE384C}",
"state": "Ready"
},
{
"path": "\\GoogleUserPEH\\",
"name": "RunPlatformExperienceHelper_Daily",
"state": "Ready"
},
{
"path": "\\GoogleUserPEH\\",
"name": "RunPlatformExperienceHelper_Metrics",
"state": "Ready"
},
{
"path": "\\Intel\\",
"name": "Intel Service Manager",
"state": "Ready"
},
{
"path": "\\WPD\\",
"name": "SqmUpload_S-1-5-21-2324952135-2376640506-3994532062-1000",
"state": "Ready"
}
],
"antivirus_products": [
"Windows Defender"
],
"domain_joined": false,
"defender": {
"antispyware_signature_age": 0,
"tamper_protected": true,
"real_time_protection": true,
"nis_enabled": true,
"available": true,
"antivirus_enabled": true,
"am_service_enabled": true
},
"bitlocker": {
"available": false,
"os_volume": "C:"
},
"is_laptop": false,
"installed_software_count": 86,
"local_administrators": [
"Blaster2\\Administrator",
"Blaster2\\Jimmy",
"Blaster2\\localadmin"
],
"domain": "WORKGROUP",
"foreign_agents": "Kaseya"
},
"findings": [
{
"id": "sec.defender.ok",
"category": "security",
"severity": "info",
"title": "Defender active and current",
"detail": "Real-time protection on, service running, signatures current.",
"evidence": "RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=0 days; IsTamperProtected=True"
},
{
"id": "sec.av_products.defender_only",
"category": "security",
"severity": "info",
"title": "Defender is the only registered AV",
"detail": "Only Microsoft/Windows Defender is registered in Security Center.",
"evidence": "Windows Defender"
},
{
"id": "sec.foreign_agents.kaseya",
"category": "security",
"severity": "critical",
"title": "Foreign management/remote-access agent: Kaseya",
"detail": "A competitor RMM or unmanaged remote-access tool is present. At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). Verify it is authorized; if not, remove it.",
"evidence": "service: KaseyaConnectAPIService (Kaseya Connect API Service) Stopped"
},
{
"id": "sec.foreign_agents.acg.screenconnect_connectwise_control",
"category": "security",
"severity": "info",
"title": "Expected ACG management tooling present: ScreenConnect / ConnectWise Control",
"detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.",
"evidence": "program: ScreenConnect Client (1912bf3444b41a08) 26.3.11.9650\nservice: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running"
},
{
"id": "sec.foreign_agents.acg.splashtop_sos_streamer_",
"category": "security",
"severity": "info",
"title": "Expected ACG management tooling present: Splashtop (SOS/Streamer)",
"detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.",
"evidence": "program: Splashtop Streamer 3.8.4.0\nservice: SplashtopRemoteService (Splashtop? Remote Service) Running"
},
{
"id": "sec.foreign_agents.acg.syncro_kabuto",
"category": "security",
"severity": "info",
"title": "Expected ACG management tooling present: Syncro / Kabuto",
"detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.",
"evidence": "program: Syncro 1.0.201.18410\nservice: Syncro (Syncro) Running"
},
{
"id": "sec.firewall.error",
"category": "security",
"severity": "unknown",
"title": "Check failed: Windows Firewall profiles",
"detail": "The probe could not complete this check. Manual review recommended.",
"evidence": "Invalid class "
},
{
"id": "sec.bitlocker.unavailable",
"category": "security",
"severity": "unknown",
"title": "BitLocker status unavailable",
"detail": "Get-BitLockerVolume failed for the OS volume. BitLocker may not be installed (Home edition) or the cmdlet is unavailable. Verify encryption manually (manage-bde -status).",
"evidence": "MountPoint=C:, Get-BitLockerVolume returned null"
},
{
"id": "sec.local_admins.list",
"category": "security",
"severity": "info",
"title": "Local administrators (3)",
"detail": "Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).",
"evidence": "Blaster2\\Administrator\nBlaster2\\Jimmy\nBlaster2\\localadmin"
},
{
"id": "sec.patch.os_eol",
"category": "security",
"severity": "critical",
"title": "OS build is end-of-life: Win10 22H2",
"detail": "This OS build (19045, Win10 22H2) passed end-of-servicing on 2025-10-14. It no longer receives security updates. Plan a feature update or OS upgrade.",
"evidence": "Microsoft Windows 10 Pro build 19045; EOL 2025-10-14"
},
{
"id": "sec.patch.pending",
"category": "security",
"severity": "warning",
"title": "5 pending Windows updates",
"detail": "Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window.",
"evidence": "Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 5"
},
{
"id": "sec.patch.last_hotfix",
"category": "security",
"severity": "info",
"title": "Last hotfix: KB5037768",
"detail": "Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).",
"evidence": "KB5037768 installed 2024-05-16T07:00:00Z"
},
{
"id": "sec.exposure.rdp_no_nla",
"category": "security",
"severity": "critical",
"title": "RDP enabled WITHOUT Network Level Authentication",
"detail": "RDP is on and NLA is not required. This exposes the logon screen pre-auth and is vulnerable to pre-auth exploits and brute force. Require NLA, restrict RDP to VPN/allow-listed IPs, or disable RDP.",
"evidence": "fDenyTSConnections=0; UserAuthentication=0"
},
{
"id": "sec.exposure.smb1_off",
"category": "security",
"severity": "info",
"title": "SMBv1 disabled",
"detail": "SMBv1 server protocol is disabled.",
"evidence": "EnableSMB1Protocol=False"
},
{
"id": "sec.exposure.laps_present",
"category": "security",
"severity": "info",
"title": "LAPS detected",
"detail": "A LAPS mechanism is present.",
"evidence": "Windows LAPS reg key"
},
{
"id": "health.disk_smart.unavailable",
"category": "health",
"severity": "unknown",
"title": "Physical disk health unavailable",
"detail": "Get-PhysicalDisk is unavailable (older OS / RAID controller hiding disks). Verify drive health via vendor tools.",
"evidence": "Get-PhysicalDisk returned null"
},
{
"id": "health.stability.some",
"category": "health",
"severity": "warning",
"title": "Stability events present in the last 14 days",
"detail": "One or more unexpected shutdowns, BSODs, or disk errors occurred recently. Monitor and correlate with user reports.",
"evidence": "Unexpected shutdowns (id 41)=2; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=0"
},
{
"id": "health.reboot_uptime.pending",
"category": "health",
"severity": "warning",
"title": "Reboot pending",
"detail": "A reboot is pending. Pending reboots can block patches and leave the system in a half-updated state. Schedule a restart.",
"evidence": "PendingFileRenameOperations"
},
{
"id": "health.failed_services.stopped",
"category": "health",
"severity": "warning",
"title": "7 auto-start service(s) not running",
"detail": "These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running.",
"evidence": "GoogleUpdaterInternalService150.0.7863.0 (Google Updater Internal Service (GoogleUpdaterInternalService150.0.7863.0)) = Stopped\nGoogleUpdaterService150.0.7863.0 (Google Updater Service (GoogleUpdaterService150.0.7863.0)) = Stopped\ngpsvc (Group Policy Client) = Stopped\nKaseyaConnectAPIService (Kaseya Connect API Service) = Stopped\nRasMan (Remote Access Connection Manager) = Stopped\nstisvc (Windows Image Acquisition (WIA)) = Stopped\nWMPNetworkSvc (Windows Media Player Network Sharing Service) = Stopped"
},
{
"id": "health.domain.workgroup",
"category": "health",
"severity": "info",
"title": "Not domain-joined (workgroup)",
"detail": "This machine is in workgroup/Azure AD only mode (Domain=WORKGROUP). No on-prem AD secure channel applies.",
"evidence": "PartOfDomain=False; Domain=WORKGROUP"
},
{
"id": "health.time.source",
"category": "health",
"severity": "info",
"title": "Time service source",
"detail": "Current Windows Time service source.",
"evidence": "Source=time.windows.com,0x9"
},
{
"id": "health.backup.present",
"category": "health",
"severity": "info",
"title": "Backup agent installed and running",
"detail": "A backup agent service is present and running. Confirm the backup is actually configured and reporting successful jobs (presence != working backup).",
"evidence": "Acronis: AcrSch2Svc = Running\nAcronis: afcdpsrv = Running\nAcronis: syncagentsrv = Running"
}
]
}
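Review bot: `sec.exposure.laps_present` is rated `info` on the strength of "Windows LAPS reg key" alone, yet the same snapshot records `domain_joined: false` and `domain: "WORKGROUP"`; Windows LAPS only escrows passwords to AD or Entra, so unless this host is Entra-joined (not captured here) the key's presence is no evidence that `localadmin` or `Administrator` is ever rotated, and the finding reads as false assurance. That matters because the file also shows three Administrators members including the daily-use account `Jimmy` and RDP reachable without NLA, so a static shared admin password is exactly the credential an RDP brute force would target. I would have the probe read the LAPS policy (`BackupDirectory`) and the last-rotation timestamp, and when neither shows active management emit `"severity": "warning"` with a detail like `"LAPS registry key present but no backup directory configured; workgroup host - local admin passwords are not being rotated"`. Separately, the `sec.bitlocker.unavailable` detail hypothesizes a Home edition while `os.caption` is Windows 10 Pro and `tpm.present` is `false`; the missing TPM is the likelier cause and belongs in that finding's evidence.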


@@ -0,0 +1,275 @@
# Onboarding Diagnostic Baseline - BLASTER2
- **Grade:** RED
- **Host:** BLASTER2
- **Client:** Jimmy Company (`jimmy`)
- **Collected (UTC):** 2026-06-19T19:17:04Z
- **Agent ID:** abddc0ce-a226-48f1-b913-263a81013389
- **Command ID:** 3c5d39d3-b653-4c6f-b8e4-1146c1a59be9
- **Findings:** 3 critical / 4 warning / 12 info / 3 unknown
- **OS:** Microsoft Windows 10 Pro (build 19045)
---
## CRITICAL (3)
### Foreign management/remote-access agent: Kaseya
- **Category:** security
- **ID:** `sec.foreign_agents.kaseya`
- A competitor RMM or unmanaged remote-access tool is present. At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). Verify it is authorized; if not, remove it.
```
service: KaseyaConnectAPIService (Kaseya Connect API Service) Stopped
```
### OS build is end-of-life: Win10 22H2
- **Category:** security
- **ID:** `sec.patch.os_eol`
- This OS build (19045, Win10 22H2) passed end-of-servicing on 2025-10-14. It no longer receives security updates. Plan a feature update or OS upgrade.
```
Microsoft Windows 10 Pro build 19045; EOL 2025-10-14
```
### RDP enabled WITHOUT Network Level Authentication
- **Category:** security
- **ID:** `sec.exposure.rdp_no_nla`
- RDP is on and NLA is not required. This exposes the logon screen pre-auth and is vulnerable to pre-auth exploits and brute force. Require NLA, restrict RDP to VPN/allow-listed IPs, or disable RDP.
```
fDenyTSConnections=0; UserAuthentication=0
```
## WARNING (4)
### 5 pending Windows updates
- **Category:** security
- **ID:** `sec.patch.pending`
- Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window.
```
Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 5
```
### Stability events present in the last 14 days
- **Category:** health
- **ID:** `health.stability.some`
- One or more unexpected shutdowns, BSODs, or disk errors occurred recently. Monitor and correlate with user reports.
```
Unexpected shutdowns (id 41)=2; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=0
```
### Reboot pending
- **Category:** health
- **ID:** `health.reboot_uptime.pending`
- A reboot is pending. Pending reboots can block patches and leave the system in a half-updated state. Schedule a restart.
```
PendingFileRenameOperations
```
### 7 auto-start service(s) not running
- **Category:** health
- **ID:** `health.failed_services.stopped`
- These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running.
```
GoogleUpdaterInternalService150.0.7863.0 (Google Updater Internal Service (GoogleUpdaterInternalService150.0.7863.0)) = Stopped
GoogleUpdaterService150.0.7863.0 (Google Updater Service (GoogleUpdaterService150.0.7863.0)) = Stopped
gpsvc (Group Policy Client) = Stopped
KaseyaConnectAPIService (Kaseya Connect API Service) = Stopped
RasMan (Remote Access Connection Manager) = Stopped
stisvc (Windows Image Acquisition (WIA)) = Stopped
WMPNetworkSvc (Windows Media Player Network Sharing Service) = Stopped
```
## INFO (12)
### Defender active and current
- **Category:** security
- **ID:** `sec.defender.ok`
- Real-time protection on, service running, signatures current.
```
RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=0 days; IsTamperProtected=True
```
### Defender is the only registered AV
- **Category:** security
- **ID:** `sec.av_products.defender_only`
- Only Microsoft/Windows Defender is registered in Security Center.
```
Windows Defender
```
### Expected ACG management tooling present: ScreenConnect / ConnectWise Control
- **Category:** security
- **ID:** `sec.foreign_agents.acg.screenconnect_connectwise_control`
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
```
program: ScreenConnect Client (1912bf3444b41a08) 26.3.11.9650
service: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running
```
### Expected ACG management tooling present: Splashtop (SOS/Streamer)
- **Category:** security
- **ID:** `sec.foreign_agents.acg.splashtop_sos_streamer_`
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
```
program: Splashtop Streamer 3.8.4.0
service: SplashtopRemoteService (Splashtop? Remote Service) Running
```
### Expected ACG management tooling present: Syncro / Kabuto
- **Category:** security
- **ID:** `sec.foreign_agents.acg.syncro_kabuto`
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
```
program: Syncro 1.0.201.18410
service: Syncro (Syncro) Running
```
### Local administrators (3)
- **Category:** security
- **ID:** `sec.local_admins.list`
- Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).
```
Blaster2\Administrator
Blaster2\Jimmy
Blaster2\localadmin
```
### Last hotfix: KB5037768
- **Category:** security
- **ID:** `sec.patch.last_hotfix`
- Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).
```
KB5037768 installed 2024-05-16T07:00:00Z
```
### SMBv1 disabled
- **Category:** security
- **ID:** `sec.exposure.smb1_off`
- SMBv1 server protocol is disabled.
```
EnableSMB1Protocol=False
```
### LAPS detected
- **Category:** security
- **ID:** `sec.exposure.laps_present`
- A LAPS mechanism is present.
```
Windows LAPS reg key
```
### Not domain-joined (workgroup)
- **Category:** health
- **ID:** `health.domain.workgroup`
- This machine is in workgroup/Azure AD only mode (Domain=WORKGROUP). No on-prem AD secure channel applies.
```
PartOfDomain=False; Domain=WORKGROUP
```
### Time service source
- **Category:** health
- **ID:** `health.time.source`
- Current Windows Time service source.
```
Source=time.windows.com,0x9
```
### Backup agent installed and running
- **Category:** health
- **ID:** `health.backup.present`
- A backup agent service is present and running. Confirm the backup is actually configured and reporting successful jobs (presence != working backup).
```
Acronis: AcrSch2Svc = Running
Acronis: afcdpsrv = Running
Acronis: syncagentsrv = Running
```
## UNKNOWN (3)
### Check failed: Windows Firewall profiles
- **Category:** security
- **ID:** `sec.firewall.error`
- The probe could not complete this check. Manual review recommended.
```
Invalid class
```
### BitLocker status unavailable
- **Category:** security
- **ID:** `sec.bitlocker.unavailable`
- Get-BitLockerVolume failed for the OS volume. BitLocker may not be installed (Home edition) or the cmdlet is unavailable. Verify encryption manually (manage-bde -status).
```
MountPoint=C:, Get-BitLockerVolume returned null
```
### Physical disk health unavailable
- **Category:** health
- **ID:** `health.disk_smart.unavailable`
- Get-PhysicalDisk is unavailable (older OS / RAID controller hiding disks). Verify drive health via vendor tools.
```
Get-PhysicalDisk returned null
```
---
## Inventory Baseline Summary
- **Manufacturer / Model:** LENOVO / 0967B5U
- **Serial:** MGN1197
- **CPU:** Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz (4 cores / 4 logical)
- **RAM (GB):** 3.8
- **BIOS:** F1KT54AUS (2013-07-15)
- **Chassis is laptop:** false
- **TPM present / Secure Boot:** ? / ?
- **Domain joined:** false (WORKGROUP)
- **OS activation licensed:** true
- **Uptime (days):** 0.1
- **Pending reboot:** true
- **Installed software count:** 86
- **Scheduled tasks (non-MS, enabled):** 10
- **Local administrators:** Blaster2\Administrator, Blaster2\Jimmy, Blaster2\localadmin
### Fixed volumes
- C: - 71.9 GB free of 230 GB (31.2%)
- E: - 0.7 GB free of 7451.9 GB (0%)
- Q: - 2.2 GB free of 2.3 GB (96%)
### Network adapters
- Realtek PCIe GbE Family Controller - IP: 192.168.0.95, fe80::c6a9:daea:630b:2011 - DNS: 8.8.8.8, 8.8.4.4 - DHCP: true
---
## Diff vs Prior Baseline
- No prior baseline found for this host. This is the first baseline.
---
_Generated by run-onboarding-diagnostic.sh (GuruRMM onboarding diagnostic, Phase 1). Raw snapshot: `BLASTER2-20260619T191759.json` (immutable)._
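Review bot: The summary line `- **TPM present / Secure Boot:** ? / ?` prints "?" for both values although the raw snapshot has `tpm.present: false` and `secure_boot: null`, so the renderer is collapsing a definite `false` into "unknown"; it should read `- **TPM present / Secure Boot:** false / unknown`. That distinction is not cosmetic here: with no TPM, a 2013-dated BIOS and a 3rd-generation Core i5, the host presumably fails the Windows 11 hardware requirements, so the critical `sec.patch.os_eol` advice to "plan a feature update or OS upgrade" is probably not actionable on this machine and the report should say hardware replacement (or paid ESU) is the realistic path. The label `Scheduled tasks (non-MS, enabled): 10` is also inconsistent with the JSON, whose `scheduled_tasks` list counts `MicrosoftEdgeUpdateTaskMachineCore` and the OneDrive updater; either filter Microsoft tasks or rename the line to `Scheduled tasks (enabled)`.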