scc: Session save and push from GURU-5070 at 2026-06-05 10:35
glaztech: :3436 backup-job recon + Tom's architectural reply; session log update. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
40
clients/glaztech/reports/2026-06-05-tom-reply-draft.md
Normal file
40
clients/glaztech/reports/2026-06-05-tom-reply-draft.md
Normal file
@@ -0,0 +1,40 @@
|
||||
# Draft reply to Tom (calm/partnership tone, 2026-06-05)
|
||||
|
||||
**Channel:** reply to Tom's email/message (the one where he listed what he's already done).
|
||||
**Tone:** affirm his direction strongly; ask rather than assert; remind rather than demand.
|
||||
**Context:** Tom independently encrypted PAN/CVV/passwords, is building separate web-only DBs on
|
||||
0.55 with a dedicated low-priv `web` login, and converting inline SQL to stored procs. This is the
|
||||
architectural fix we scoped — ACG's role shifts to validate/align + own the backend infra.
|
||||
|
||||
---
|
||||
|
||||
**Subject:** Re: Glaztech site — we're in this with you
|
||||
|
||||
Hi Tom,
|
||||
|
||||
This is great to read — honestly, it's exactly the direction we were hoping for, and you're already further down it than I expected. Splitting the website onto its own databases, getting cc_file off that surface entirely, and giving the site its own limited "web" login instead of your personal one — that's the heart of the whole thing. The stored-proc cleanup and the longer-term move to everything going through the *.dll library layer is the right endgame too. You're solving the hard part at the source, which is better than anything we could bolt on from outside.
|
||||
|
||||
A few things I wanted to ask about rather than assume, just so we stay aligned:
|
||||
|
||||
- On the card data — the encrypted PAN column is a solid step. Out of curiosity, where does the decryption key live relative to that database? The thing that makes column encryption really pay off is the key sitting somewhere the web login can't reach, so a compromise of the site doesn't hand over both.
|
||||
- One heads-up worth flagging on the CVV (cc_code) — this is the one spot where encryption alone doesn't quite get there. The card brands' rules (PCI) treat the CVV as something that can't be retained at all once a payment's authorized, even encrypted. So rather than encrypt it, the usual move is to stop storing it and drop the column once nothing in-flight still needs it. Is that something the new web-DB design could just leave behind?
|
||||
- On the website passwords — when you say encrypted, are those one-way hashed (salted), or two-way encrypted? Either is a big improvement over before; just want to make sure I've got it right in my notes. (And if anything in the app ever emails a password back out in plain text, that's a good one to retire while you're in there.)
|
||||
- The new web databases landing on 0.55 — since that box also has the accounting data on it, is the new web login scoped so it only sees its own web databases and nothing on the finance side? If it'd help, I'm glad to sit down and work out the exact minimal permission set for that login with you so it's tight from day one.
|
||||
- Last one, just to be safe: does the back-office billing engine still point at the main server (8.62) for cc_file? I want to make sure none of the auto-billing gets caught up in the website cutover.
|
||||
|
||||
On our side, we'll take the stuff you shouldn't have to think about — locking down the server itself, cleaning up some old backend job credentials, putting a web application firewall in front of the site, and tightening the network around the database servers. That all runs in parallel with what you're doing and doesn't need anything from you.
|
||||
|
||||
One thing that might save you some hunting: when we looked through the site we mapped every spot still building SQL the old inline way — I can send you that list as a checklist so the stored-proc conversion doesn't miss a page. Just say the word.
|
||||
|
||||
Really glad we're rowing the same direction on this. Let me know a good time to connect if it's easier to talk any of it through.
|
||||
|
||||
Thanks,
|
||||
Mike / Arizona Computer Guru
|
||||
|
||||
---
|
||||
|
||||
### Notes for Mike
|
||||
- CVV is framed as a "heads-up / usual move" with an ask, not a directive — the one must-fix, softened.
|
||||
- Every other technical point is a question, not an assertion (key location, hash-vs-encrypt, web-login isolation on 0.55, billing-engine path).
|
||||
- The `quo()` fix-list is offered as a convenience checklist, not a handed-down to-do.
|
||||
- Held back for the live conversation: key-management depth, the co-location-on-finance-server risk specifics.
|
||||
@@ -90,3 +90,61 @@ SELECT name,data_source FROM sys.servers WHERE is_linked=1 # the mesh (0.54/0.
|
||||
- Ticket: #32378 (id 112111185), Waiting on Customer. Comments 417493519 + 417494988.
|
||||
- Coord todos: `aebaf751` (least-priv `tom` migration), `6d15fc88` (E2-E4 containment).
|
||||
- GuruRMM: WWW agent `455a1bc7-1c29-42bc-b597-fa1e64f08eec`; GTI-INV-SQL agent `869e56b4-e8ed-4808-8c88-782d1577c152`.
|
||||
|
||||
## Update: 10:35 PT — :3436 backup-job recon + Tom's architectural reply
|
||||
|
||||
### Summary
|
||||
Completed the `:3436` SQL Agent job-definition recon (via tom credential, read-only) and
|
||||
reconciled two reachability checks. Then Tom replied to the partnership message with a
|
||||
substantial list of work he's already doing — which materially shifts ACG's role.
|
||||
|
||||
### Recon findings
|
||||
- **`192.168.0.55,55181` (mas_gti linked server) is LIVE** = `GTI-FINANCESVR`, SQL Server 2019
|
||||
(15.0.4322.2). The website's accounting connection is current, NOT vestigial. "Old MAS90 dead"
|
||||
refers to the retired app/box, not this data path.
|
||||
- **`SAGE2025` enrolled in RMM** (Glaztech / TUS-Tucson) — new payroll server. Distinct from
|
||||
GTI-FINANCESVR. (This is why we asked Tom how qqest/payroll is used rather than assuming.)
|
||||
- **Cleartext domain-admin password (`glaztech\administrator`) sits in ~10-12 backup-job copy
|
||||
steps** across 6 jobs on `:3436`. Pattern (redacted): `exec xp_cmdshell 'net use
|
||||
\192.168.8.52\sql_backup\... /user:glaztech\administrator <PW> /persistent:yes'` then
|
||||
`xp_cmdshell 'copy d:\sql_backup\...\*.* \192.168.8.52\... /y'`. Jobs: Glaz PDF Differential
|
||||
(Daily) to 8.62; Glaz PDF Full (weekly) to 8.52 + to 8.62; Glaz Prod Archive Full Monthly;
|
||||
Glaz Prod Differential (Hourly) to 8.62; Glaz Prod Full (Daily) to 8.62. Most also have a
|
||||
`.212` copy step. `Copy EndofWeek Backups` uses xp_cmdshell for a LOCAL copy only (no creds).
|
||||
- The `BACKUP DATABASE` steps themselves are clean TSQL → local disk. Only the push-to-share step
|
||||
carries the cleartext credential. Fix = replace each copy step with a CmdExec robocopy under the
|
||||
service account's own share access (no net use), OR BACKUP TO DISK=UNC directly. That removes the
|
||||
cleartext password AND the last xp_cmdshell dependency → unblocks disabling xp_cmdshell.
|
||||
- The bulk of `:3436` jobs are GTIware automation (`gt_console_apps.exe` modes + d:\sql_jobs\*.bat)
|
||||
plus `del \192.168.0.147\web\glaztech_4\pdf_output\*.pdf` (confirms 192.168.0.147 = 2nd web host).
|
||||
Any dedicated Agent service account (E4) must retain DB + d:\sql_jobs + \192.168.0.147 +
|
||||
8.52/8.212 backup-share access.
|
||||
|
||||
### Tom's reply (strategy shift)
|
||||
Tom independently: encrypted cc_number (cc_number_encrypted) + CVV (cc_code_encrypted) + website
|
||||
login passwords; is building separate web-only databases on 0.55 (no cc_file), with a new low-priv
|
||||
`web` login replacing his personal login; converting inline SQL to stored procs; long-term moving
|
||||
all DB access into *.dll library layer. This is the architectural fix we scoped — ACG's role shifts
|
||||
from "carry the app work" to validate/align + own backend infra (the :3436 cleartext/xp_cmdshell/sa/
|
||||
domain-admin rotation, WAF, network segmentation).
|
||||
|
||||
### Caveats raised to Tom (drafted reply, ask/remind tone)
|
||||
1. CVV must not be retained at all even encrypted (PCI 3.2) — drop the column. (The one must-fix.)
|
||||
2. Confirm PAN decryption key isolation (key out of web login's reach).
|
||||
3. Confirm passwords are salted one-way hash vs reversible encrypt; retire any plaintext-password email.
|
||||
4. Confirm new `web` login on 0.55 is scoped off the co-resident accounting (mas_gti) data.
|
||||
5. Confirm back-office billing engine still points at 8.62 cc_file (cutover safety).
|
||||
Offered: the quo() fix-list as a stored-proc conversion checklist; help defining the web login grants.
|
||||
|
||||
### Files
|
||||
- Committed (fdcf014): clients/glaztech/reports/2026-06-05-tom-message-draft.md (final),
|
||||
2026-06-05-quo-sql-fix-list.md (80 quo() sites / 15 files).
|
||||
- New: clients/glaztech/reports/2026-06-05-tom-reply-draft.md + Outlook draft opened.
|
||||
|
||||
### Pending
|
||||
- Await Tom's answers (CVV drop, key location, hash vs encrypt, web-login isolation, billing path).
|
||||
- ACG-owned Tier A still ours: recreate :3436 backup copy steps clean (CmdExec robocopy / dedicated
|
||||
service account on 8.52/8.212) -> disable xp_cmdshell -> disable sa -> rotate glaztech\administrator;
|
||||
WAF + SQL network segmentation. Sequence: E4 service acct -> clean copy steps -> xp_cmdshell off ->
|
||||
domain-admin rotation.
|
||||
- Reference 58KB job dump: tool-results/b30gcchnr.txt (this session's transcript dir).
|
||||
|
||||
Submodule projects/msp-tools/guru-rmm updated: fe551e4b86...226ba9f77c
Reference in New Issue
Block a user