sync: auto-sync from HOWARD-HOME at 2026-04-22 17:39:56

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-04-22 17:39:56
This commit is contained in:
2026-04-22 17:39:57 -07:00
parent 90d4f386aa
commit 6bd416657c
18 changed files with 1409 additions and 36 deletions

View File

@@ -109,6 +109,13 @@ Run `scripts/phase2-file-shares.ps1` on CS-SERVER (AFTER sync completes).
Creates SMB shares for synced folders and sets NTFS permissions matching Synology access. **HIPAA §164.312(b):** After shares are created, enable Advanced Audit Logging on all PHI-containing shares (Management, Server, homes) to track read/write/delete operations.
**Prerequisite (added 2026-04-22 per `docs/security/hipaa-review-2026-04-22.md` + user-rollout dependency):** Before this script runs, the Synology permission inventory must be captured and translated to AD security group memberships. See `docs/migration/phase4-synology.md` §6.0.16.0.2 for the discovery commands and `docs/migration/synology-permission-inventory.md` (to be created) for the mapping output.
**HIPAA-review additions (must be applied as part of this phase, not deferred):**
- `Set-SmbShare -EncryptData $true` on every share in the table — satisfies Addressable specs §164.312(a)(2)(iv) at-rest and §164.312(e)(2)(ii) in-transit encryption
- NTFS SACL (audit rule) set to audit Success + Failure for ReadData / WriteData / Delete / ChangePermissions on all PHI shares — satisfies Required spec §164.312(b) Audit Controls
- See `phase4-synology.md` §6.0.3 for the exact PowerShell
| Share | NTFS Access | SMB Share |
|---|---|---|
| Management | SG-Management-RW = Modify | `\\CS-SERVER\Management` |