import: ingested 160 files from C:\Users\howar\Clients

Howard's personal MSP client documentation folder imported into shared
ClaudeTools repo via /import command. Scope:

Clients (structured MSP docs under clients/<name>/docs/):
- anaise       (NEW)  - 13 files
- cascades-tucson     - 47 files merged (existing had only reports/)
- dataforth           - 18 files merged (alongside incident reports)
- instrumental-music-center - 14 files merged
- khalsa       (NEW)  - 22 files, multi-site (camden, river)
- kittle       (NEW)  - 16 files incl. fix-pdf-preview, gpo-intranet-zone
- lens-auto-brokerage (NEW) - 3 files (name matches SOPS vault)
- _client_template    - 13-file scaffold for new clients

MSP tooling (projects/msp-tools/):
- msp-audit-scripts/ - server_audit.ps1, workstation_audit.ps1, README
- utilities/         - clean_printer_ports, win11_upgrade,
                       screenconnect-toolbox-commands

Credential handling:
- Extracted 1 inline password (Anaise DESKTOP-O8GF4SD / david)
  to SOPS vault: clients/anaise/desktop-o8gf4sd.sops.yaml
- Redacted overview.md with vault reference pattern
- Scanned all 160 files for keys/tokens/connection strings -
  no other credentials found

Skipped:
- Cascades/.claude/settings.local.json (per-machine config)
- Source-root CLAUDE.md (personal, claudetools has its own)
- scripts/server_audit.ps1 and workstation_audit.ps1 at source root
  (identical duplicates of msp-audit-scripts versions)

Memory updates:
- reference_client_docs_structure.md (layout, conventions, active list)
- reference_msp_audit_scripts.md (locations, ScreenConnect 80-char rule)

Session log: session-logs/2026-04-16-howard-client-docs-import.md

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-16 19:43:58 -07:00
parent 6eaba02b71
commit 8d975c1b44
160 changed files with 16002 additions and 0 deletions

@@ -0,0 +1,109 @@
# Active Directory
## Domain Info
- Domain: intranet.dataforth.com
- Forest Level: Windows Server 2016
- Domain Level: Windows Server 2016
- Domain Controllers: AD1 (192.168.0.27, primary), AD2 (192.168.0.6, secondary)
- FSMO Roles: All on AD1 (assumed)
## Organizational Units
| OU | Purpose | Entra Sync |
|----|---------|------------|
| Domain Controllers | DCs | — |
| CompanyUsers | Main user OU | — |
| Azure_Users | Azure-related users | — |
| SyncedUsers | Users synced to Entra ID | Yes |
| ServiceAccounts | Service accounts | No |
| Servers | Server computer accounts | — |
| Workstations | Workstation computer accounts | — |
| DistoGroups | Distribution groups | — |
## Active Human Users (as of 2026-04-02)
| Name | Username | Last Logon | Notes |
|------|----------|------------|-------|
| Ben Wadzinski | bwadzinski | 2026-04-01 | |
| Jacque Antar | jantar | 2026-04-01 | |
| Martin Florez | mflorez | 2026-04-02 | |
| Kevin Wackerly | kwackerly | 2026-03-30 | |
| Otto Fest | ofest | 2026-03-30 | |
| Lee Payne | lpayne | 2026-03-29 | |
| John Lehman | jlehman | 2026-03-29 | Engineering |
| Georg Haubner | ghaubner | 2026-03-27 | Engineering, has D: backup |
| Kellyn Wackerly | Kellynwackerly | 2026-03-26 | |
| Jaime Becerra | JBecerra | 2026-03-26 | |
| Angel Lopez | alopez | 2026-03-25 | |
| Dan Center | dcenter | 2026-03-23 | Operations |
| Logan Tobey | ltobey | 2026-03-23 | |
| Patricia | patricia | 2026-03-23 | |
| Peter Iliya | pIliya | 2026-03-23 | Applications Engineer |
| Sandra Schock | sSchock | 2026-03-23 | |
| Theresa Dean | tdean | 2026-03-23 | |
| Bobbi Whitson | bwhitson | 2026-03-23 | |
| Ayleen Montijo | aMontijo | 2026-03-23 | |
| Ken Hoffman | khoffman | 2026-03-10 | Also has "oemdata" account |
| Ken Hoffman | oemdata | N/A | TestDataSheetUploader author |
| Joel Lohr | jlohr | 2026-03-31 | **RETIRING — disable after 03/31** |
## Service / System Accounts
| Username | Purpose | Notes |
|----------|---------|-------|
| sysadmin | Domain Admin | — |
| Administrator (Admin_3652) | Built-in admin | — |
| svc_testdatadb | TestDataDB service | OU=ServiceAccounts, created 2026-03-28 |
| sqluser | SQL Server service | OU=ServiceAccounts |
| MSOL_664594195fe2 | Entra ID Sync (Azure AD Connect) | — |
| ClaudeTools-ReadOnly | Read-only automation access | Purpose unclear |
## Machine / Functional Accounts
- Assembly Stations: AS24, AS26, AS30, AS31, AS34
- Test Stations: TS1, TS1L, TS1R, TS2L, TS2R, etc. (30+ stations)
- Manufacturing: hipot, encap, Endcap, my9
- Label/Scanning: labelpc, scan, scand2
- Mobile: tablet0107, hh0104
- Shared: confroom, Training
## Disabled Accounts
Alex Mitev, Annie Chin, Bill Oldham, Brian Faires, Brian Scaramella, calibration, Jerry Lopez, John Barrios, Linda D, Maria Cota, Michele Hvidsten, Mizan Rahman, Moe Naseem, Stephen Poanessa, Steve Lehman, Support Pool, William Oldham, wcarr
## Groups
| Group | Scope | Notes |
|-------|-------|-------|
| Domain Admins | Global | Standard |
| Enterprise Admins | Universal | Forest-wide |
| Schema Admins | Universal | Schema modification |
| Administrators | DomainLocal | Local admin |
| ADSyncAdmins | DomainLocal | Azure AD Connect |
| DnsAdmins | DomainLocal | DNS management |
| Hyper-V Administrators | DomainLocal | Hyper-V |
| Key Admins | Global | Key management |
| Enterprise Key Admins | Universal | Enterprise keys |
| Storage Replica Admins | DomainLocal | Storage replication |
**No custom security groups found** — only default/built-in groups.
## Group Policy Objects
| GPO | Status | Last Modified |
|-----|--------|---------------|
| Default Domain Policy | AllSettingsEnabled | 2026-03-02 |
| Default Domain Controllers Policy | AllSettingsEnabled | 2025-09-30 |
| TrustedZones | AllSettingsEnabled | 2025-10-01 |
| Screenconnect | AllSettingsEnabled | 2025-10-01 |
| Profwiz | AllSettingsEnabled | 2025-10-08 |
| Mapped Drives | AllSettingsEnabled | 2025-10-09 |
## Drive Mappings (GPO: Mapped Drives)
| Letter | Path | Purpose |
|--------|------|---------|
| B: | \\\\ad1\itsvc | IT service files |
| Q: | \\\\ad2\c-drive | AD2 C-drive share |
| S: | \\\\SAGE-SQL\sage | Sage ERP |
| T: | \\\\ad2\e-drive | AD2 E-drive share |
| W: | \\\\files-d1\sales | Sales docs |
| X: | \\\\ad2\webshare | Datasheets (For_Web) |
| Y: | \\\\files-d1\archive | Archive |
## Action Items
- **[HIGH]** Disable jlohr account — retirement was 2026-03-31, **OVERDUE**
- Investigate ClaudeTools-ReadOnly account purpose
- Ken Hoffman has two accounts (khoffman + oemdata) — consolidate?
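Review bot: the Groups table (Domain Admins through Storage Replica Admins) records scope but not membership, so the doc cannot answer who actually holds Domain Admin, Enterprise Admin or Schema Admin rights; add a Members column (or a short list under the table) and state whether `sysadmin` and `Administrator (Admin_3652)` are the only members. The `FSMO Roles: All on AD1 (assumed)` line should be replaced with a verified value (`netdom query fsmo` on either DC) before this is relied on for DR planning.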

@@ -0,0 +1,56 @@
# Dataforth — Work Log / Billing Record
## Session 1 — 2026-04-02 (Remote — Documentation Audit)
**Focus:** Full client documentation buildout from Mike Swanson handoff + post-incident audit
| Time | Task | Details |
|------|------|---------|
| | Client intake & overview | Created overview.md — company info, Dan Center contact (replacing retired Joel Lohr), Mike Swanson as outgoing IT, M365 tenant 7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584, ~21 human users, 6 servers, 2 ESXi + 1 Hyper-V, ~38 workstations, 64 DOS test stations |
| | Network documentation | Built topology.md, dns.md, dhcp.md, firewall.md, vlans.md for flat network (no VLANs, all Windows Firewall profiles disabled on AD2) |
| | Cloud documentation | Built m365.md + azure.md — tenant info, Entra ID Sync from OU=SyncedUsers, MFA enforcement deadline April 4, 19 users still need to register |
| | Security documentation | Built antivirus.md + backup.md |
| | RMM documentation | Documented Datto RMM + GuruRMM (azcomputerguru.com) |
| | Active Directory doc | Built active-directory.md — intranet.dataforth.com forest, Windows Server 2016 level |
| | Per-server docs (6 servers) | AD1, AD2, FILES-D1, SAGE-SQL, 3CX, DF-HYPERV-B, D2TESTNAS |
| | Workstation inventory | Built workstations.md — Engineering (~12), Manufacturing/Assembly (~14), Office/Admin (~12), 3 EOL Windows 7 (LABELPC, LABELPC2, D2-RCVG-003) |
| | Manufacturing doc | Built manufacturing.md — 64 DOS stations running QuickBASIC 4.5 ATE on MS-DOS 6.22, SMB1 via D2TESTNAS Samba proxy, TestDataDB (Node.js + SQLite on AD2:3000, 2.28M test records) |
| | Issue log buildout | Documented 2025 ransomware incident (AD2 wiped/rebuilt), 2026-03-27 DF-JOEL2 phishing compromise (Angel Raya/ScreenConnect social engineering, C2 blocked, IC3 complaint, jlohr reset) |
| | Risk inventory | Critical/High/Medium/Low risk catalog: firewall disabled on AD2, Win7 machines, AD1 at 90% disk, jlohr account overdue for disable, 28 machines not scanned, etc. |
### Billing Summary — Session 1
| Category | Items |
|----------|-------|
| Client onboarding / intake | Full Mike Swanson handoff documented |
| Documentation buildout | 22 files created across overview, network, cloud, security, rmm, servers, workstations, manufacturing, issues |
| Post-incident risk audit | 2025 ransomware + 2026-03-27 phishing compromise fully documented with follow-ups |
**Time:** File timestamps span ~10:04 AM → 12:45 PM (~2.53 hrs)
---
## Outstanding Work — Prioritized
### Critical
- All Windows Firewall profiles disabled on AD2 — re-enable
- 3 Windows 7 machines still on network — retire or isolate
- AD1 C: drive at 90% capacity (C:\Engineering = 787 GB) — expand or clean
- AD1/AD2 on Windows Server 2016 (end of mainstream support) — plan upgrade
### High
- Joel Lohr (jlohr) account — disable post-retirement (**OVERDUE since 2026-03-31**)
- C2 IP blocks on UDM are iptables rules only — make permanent in UniFi UI
- 28 machines offline during incident — rescan when available
- MFA enforcement (April 4) — 19 users still need to register
- No reverse DNS zone for 192.168.0.x
- Website upload mechanism broken (ASP.NET 404s)
### Medium
- D2TESTNAS uses root SSH with password auth
- Stale/conflicting computer account IPs
- ~845K test records pending ForWeb export
### Low
- DVD ISO mounted on AD2 D:
- ClaudeTools-ReadOnly AD account — purpose unclear
- DESKTOP-* BYOD-looking hostnames
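Review bot: the figure in the Billing Summary does not match its own span: 10:04 AM to 12:45 PM is 2 h 41 min (~2.68 hrs), not ~2.53 hrs; correct one or the other, since this is the billing record. The Time column of the Session 1 table is empty on every row, so either fill it in or drop the column.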

@@ -0,0 +1,14 @@
# Azure / Cloud Services
## Azure
No Azure IaaS services identified. Entra ID is used for M365 sync only.
## Other Cloud/Web Services
| Service | Purpose | Notes |
|---------|---------|-------|
| dataforth.com | Company website + test datasheet portal | Upload endpoints currently return 404 |
| legacy.dataforth.com | Legacy test data reports | /TestDataReport_Print.aspx still works, no auth required |
## Notes
- Website upload mechanism is broken post-crypto attack — old ASP.NET endpoints return 404
- Legacy datasheet viewer still functional but unauthenticated
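Review bot: the unauthenticated legacy viewer (legacy.dataforth.com `/TestDataReport_Print.aspx`, `no auth required`) is recorded here under Notes but does not appear in the issue log's Known Issues & Risks or the work log's Outstanding Work, which only track the broken upload endpoints; give it a severity and a line there so it is triaged rather than lost. It would also help to state whether the datasheets it exposes are considered public (they are published at dataforth.com/TestDataReport) or customer-confidential, since that decides whether this is a finding or just a note.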

@@ -0,0 +1,31 @@
# Microsoft 365 / Entra ID
## Tenant Info
- Tenant ID: 7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584
- Primary Domain: dataforth.com
- Admin Portal: https://admin.microsoft.com
## Entra ID (Azure AD)
- Hybrid Joined: Yes — Azure AD Connect
- Sync Account: MSOL_664594195fe2
- Syncs From: OU=SyncedUsers
- Does NOT Sync: OU=ServiceAccounts
- Password Hash Sync: Unknown
## Conditional Access Policies
Deployed 2026-03-27, **report-only until April 4, 2026**:
| Policy | Details |
|--------|---------|
| Require MFA | Skip from office IP 67.206.163.122 |
| Block foreign sign-ins | US only, MFA-Travel-Bypass group for exceptions |
| Block legacy authentication | Blocks all legacy auth protocols |
## MFA Status
- MFA-Ready: 19/38 users
- Need to Register: 19 users
- **Enforcement Date: April 4, 2026**
## Notes
- MFA-Travel-Bypass is likely an Entra ID group (not on-prem AD)
- No custom security groups found in on-prem AD
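Review bot: the `Require MFA | Skip from office IP 67.206.163.122` row documents a trusted-location exclusion without flagging its consequence: any sign-in sourced from the office egress IP is exempt from MFA, including one made by whoever has remote control of an office workstation, which is the situation the 2026-03-27 DF-JOEL2 incident created. Record that as a known gap under Notes or in the risk list, and resolve `Password Hash Sync: Unknown` (visible in the Azure AD Connect sync options), since whether leaked on-prem hashes matter to the tenant depends on it.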

@@ -0,0 +1,61 @@
# Issue Log
### 2025 — Crypto/Ransomware Attack
- **Severity:** Critical
- **Symptoms:** Ransomware encryption across network
- **Impact:** AD2 wiped and rebuilt. Many files lost including C:\DFWDS\, scheduled tasks, service configs. Test datasheet pipeline (DFWDS.exe, VB6) destroyed.
- **Resolution:** AD2 rebuilt. Pre-attack backup exists on HGHAUBNER D: drive. TestDataDB pipeline rebuilt 2026-03-2729.
- **Lessons Learned:** No adequate backup existed. Flat network allowed lateral movement.
---
### 2026-03-27 — DF-JOEL2 Workstation Compromise
- **Reported By:** Mike Swanson
- **Severity:** Critical
- **Target:** Joel Lohr's workstation (DF-JOEL2, 192.168.0.174)
- **Vector:** Phishing email to personal Yahoo account
- **Attacker:** "Angel Raya" via ScreenConnect social engineering
- **C2 IPs:** 80.76.49.18, 45.88.91.99 (AS399486, Virtuo, Montreal QC)
- **C2 Cloud:** instance-wlb9ga-relay.screenconnect.com
- **M365 Impact:** jlohr account compromised from Turkey/UK/Germany
- **Resolution:**
- C2 IPs blocked at UDM firewall (iptables rules — need permanent UniFi UI rules)
- 3 rogue ScreenConnect clients uninstalled
- jlohr AD password reset, M365 sessions revoked
- 32 machines scanned clean, 28 unreachable (offline)
- No lateral movement detected
- IC3 Complaint: 1c32ade367084be9acd548f23705736f
- ConnectWise Case: 03464184
- C2 hosting SUSPENDED by provider
- **Follow-up:** Joel Lohr retired 2026-03-31. Auto-reply set to Dan Center.
- **Lessons Learned:** Personal email on work machines is a phishing vector. ScreenConnect brand used for social engineering.
---
## Known Issues & Risks (from 2026-04-02 audit)
### Critical
- All Windows Firewall profiles **DISABLED** on AD2
- Windows 7 machines still on network (LABELPC, LABELPC2, D2-RCVG-003)
- AD1 and AD2 are Windows Server 2016 (end of mainstream support)
- AD1 C: drive at **90% capacity** (C:\Engineering = 787 GB)
### High
- Joel Lohr account (jlohr) needs to be disabled post-retirement (March 31) — **OVERDUE**
- 28 machines not scanned during security incident (were offline)
- C2 IP blocks are iptables rules on UDM — need permanent UniFi UI rules
- No reverse DNS zone for 192.168.0.x
- MFA enforcement deadline April 4, 2026 — 19 users still need to register
- Website upload mechanism broken (old ASP.NET endpoints return 404)
### Medium
- D2TESTNAS uses root SSH with password authentication
- Multiple DESKTOP-* computer names suggest unmanaged/BYOD devices
- ~845K test records pending ForWeb export
- Some computer accounts have stale/conflicting IP addresses
- TestDataDB Server scheduled task still exists (disabled, replaced by service)
### Low
- DVD ISO still mounted on AD2 D: drive
- ClaudeTools-ReadOnly AD account — purpose unclear
- Multiple duplicate/old computer accounts in AD
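Review bot: the 2025 ransomware entry lacks the fields the 2026-03-27 entry has (Reported By, Vector, a date beyond the year), and its Resolution does not say whether the initial access vector was ever identified; even `Vector: unknown` is more useful to the next responder than silence. Also `2026-03-2729` (here and in the overview, manufacturing and AD2 docs) reads as a date range whose separator was lost; write it as `2026-03-27 to 2026-03-29`.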

@@ -0,0 +1,95 @@
# Manufacturing Test Infrastructure
## DOS Test Stations (64 total)
- Stations: TS-1 through TS-30 (plus L/R variants for dual-station setups)
- Dev/Test: TS-GURU, TS-TOM
- OS: MS-DOS 6.22
- Software: QuickBASIC 4.5 ATE programs
- Network: SMB1 via D2TESTNAS Samba proxy
- Not domain-joined
### Boot Sequence
AUTOEXEC.BAT v4.1 (deployed 2026-03-12):
1. `STARTNET.BAT` → Map T: (\\\\D2TESTNAS\test) and X: (\\\\D2TESTNAS\datasheets)
2. `NWTOC.BAT` → Download software updates from T:\COMMON\ProdSW
3. `CTONW.BAT` → Upload DAT files to T:\TS-XX\LOGS\
4. `CTONWTXT.BAT` → Upload TXT datasheets to T:\STAGE\TS-XX\
5. `menux` → Launch test menu system
### Test Programs by Product Family
| Family | Programs | Description |
|--------|----------|-------------|
| SCM5B | TEST5B1E/2E | Voltage/current/TC/RTD modules |
| SCM5B | TST5B45B | Frequency/counter |
| SCM5B | TST5B481 | Multi-bandwidth |
| SCM5B | TST5B49B | Sample & hold |
| 8B | TEST8B1D/2D | 8B series modules |
| DSCA | KDSCOUT1/2 | Output modules |
| DSCA | TSTDIN1B/2B | Input modules |
| DSCT | TST5SCT1/2 | Transmitters |
| SCM7B | 7BMAIN4, TEST7B1C/2C/3C | 7B series modules |
## Test Datasheet Pipeline
### Original Pipeline (pre-crypto attack, broken)
1. QuickBASIC writes DAT (binary) + TXT (formatted) on DOS machines
2. CTONW.BAT uploads DAT to NAS, CTONWTXT.BAT uploads TXT
3. DFWDS.exe (VB6) validates/renames files, moves to X:\For_Web
4. TestDataSheetUploader (VB.NET) syncs to dataforth.com via HTTP
5. Website serves at dataforth.com/TestDataReport
Status: Steps 34 broken after crypto wipe. Step 2 (CTONWTXT) was not being called.
### New Pipeline (rebuilt 2026-03-2729)
1. DOS machines write DAT files → NAS (via CTONW.BAT) ✓
2. Sync-FromNAS pulls DAT to AD2 every 15 min ✓
3. import.js parses DAT into SQLite database ✓
4. export-datasheets.js generates exact-match TXT → X:\For_Web ✓
5. Website upload mechanism **TBD** (old endpoints return 404)
**Key improvement:** Datasheets generated server-side from DAT data. Eliminates need for CTONWTXT.BAT, DFWDS.exe, and DOS-side TXT transfer.
## Model Specifications (Spec Files)
| File | Models | Family |
|------|--------|--------|
| 5BMAIN.DAT | 481 | SCM5B |
| 5B45DATA.DAT | 56 | SCM5B frequency/counter |
| DB5B48.DAT | 3 | SCM5B multi-bandwidth |
| 5B49_2.DAT | 15 | SCM5B sample & hold |
| 8BMAIN.DAT | 148 | 8B |
| DSCOUT.DAT | 23 | DSCA output |
| DSCMAIN4.DAT | 391 | DSCA input |
| SCTMAIN.DAT | 103 | DSCT transmitters |
| 7BMAIN.DAT | 276 | SCM7B |
| **Total** | **1,470+** | |
Location: C:\Shares\testdatadb\specdata\
Source: \\\\AD1\Engineering\ENGR\ATE\<family>\<DATA>\
## Webshare Layout (X: / C:\Shares\webshare on AD2)
| Path | Contents | Count |
|------|----------|-------|
| X:\For_Web\ | Validated test datasheets | ~1,058 current year |
| X:\For_Web\2011\2025\ | Archived by year | 500K+ files total |
| X:\For_Web_PDF\ | PDF versions | ~4,773 |
| X:\Test_Datasheets\ | Incoming/staging from DFWDS | — |
| X:\Bad_Datasheets\ | Invalid files | ~18,801 |
| X:\Datasheets_Log\ | DFWDS processing logs | ~3,336 |
## TestDataDB Statistics
| Metric | Value |
|--------|-------|
| Test Records | 2,281,524 |
| Work Orders | 33,745 (63,263 test lines) |
| Records with WO | 2,277,183 |
| ForWeb Exported | 1,435,989 |
| Pending Export | ~845K |
| Model Specs | 1,470+ |
## Future Product Lines (not yet integrated)
| Product | Format | Location | Notes |
|---------|--------|----------|-------|
| MAQ20 | XLS (multi-sheet) | T:\ENGR\DESIGN\MAQ20 Design\Test Data | Needs K: drive move, path update |
| PWRM10 | XLS | U:\DESIGN\PWRM10...\Test Data\Final Pass Test | — |
| 10D | JSON | K:\10D\first_pass and second_pass | ~May 2026 |
| DSCMHV | — | — | New line, uses MAQ20/PWRM naming standard |
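Review bot: the Boot Sequence shows every station pulling `T:\COMMON\ProdSW` through `NWTOC.BAT` at each boot, and the D2TESTNAS doc says that share is SMB1 guest access with no password, so the write permissions on that folder are the only integrity control for code that runs on all 64 stations; the doc does not record who can write there or how ProdSW changes are made. Add a line on ownership/permissions of `COMMON\ProdSW` and the change process, and carry it into the risk list. Two dropped range separators: `Steps 34 broken` (3 and 4) and `X:\For_Web\2011\2025\` (2011 through 2025).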

@@ -0,0 +1,11 @@
# DHCP Configuration
## DHCP Server
- Details not captured in audit
- Likely running on UDM (192.168.0.254) or AD1 (192.168.0.27)
## Known Static IPs
See `network/topology.md` for server IPs. All servers appear to be statically assigned on 192.168.0.0/24.
## Notes
- DHCP scope details need to be captured from UDM or AD1
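Review bot: `Likely running on UDM (192.168.0.254) or AD1 (192.168.0.27)` can be settled rather than left as a guess: `Get-DhcpServerInDC` on AD1 lists the DHCP servers authorised in AD, and the UDM Networks page shows whether its DHCP server is enabled for the LAN. With 64 DOS stations and statically addressed servers on one /24, the scope range and reservations are worth capturing so the static list in topology.md can be checked against them.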

@@ -0,0 +1,26 @@
# DNS Configuration
## Internal DNS Servers
| Server Name | IP Address | Role |
|-------------|-----------|------|
| AD1 | 192.168.0.27 | Primary DNS |
| AD2 | 192.168.0.6 | Secondary DNS |
## DNS Zones
| Zone | Type | Notes |
|------|------|-------|
| intranet.dataforth.com | Primary | Main forward lookup zone |
| _msdcs.intranet.dataforth.com | Primary | DC locator records |
| 0.in-addr.arpa | Primary | Auto-created |
| 127.in-addr.arpa | Primary | Auto-created |
| 255.in-addr.arpa | Primary | Auto-created |
| TrustAnchors | Primary | DNSSEC anchors |
## Known Issues
- **[HIGH] No reverse lookup zone for 192.168.0.x** — PTR lookups will fail
## External DNS
- Primary Domain: dataforth.com
## Notes
- DNS is AD-integrated on both domain controllers
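Review bot: the Known Issues item covers 192.168.0.x only, but topology.md also lists 192.168.1.x and 192.168.6.x, so reverse zones are missing for all three ranges; say so here. The `TrustAnchors | Primary | DNSSEC anchors` row should not be read as DNSSEC being in use: Windows DNS creates that zone by default, and nothing here says whether validation is enabled, so note that explicitly.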

@@ -0,0 +1,23 @@
# Firewall Configuration
## Gateway Device
- Device: UniFi Dream Machine (UDM)
- IP: 192.168.0.254
- Public IP: 67.206.163.122
## Firewall Rules (UDM)
- C2 IPs blocked (iptables): 80.76.49.18, 45.88.91.99 (from 2026-03-27 incident)
- **[HIGH]** These blocks are iptables rules — need permanent UniFi UI rules
## Windows Firewall (AD2)
| Profile | Status |
|---------|--------|
| Domain | **DISABLED** |
| Private | **DISABLED** |
| Public | **DISABLED** |
**[CRITICAL]** All Windows Firewall profiles are disabled on AD2.
## Notes
- No dedicated firewall appliance — UDM handles all perimeter firewall duties
- AD2 firewall was opened to HGHAUBNER D$ share on 2026-03-27 for backup access
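Review bot: the last Notes line is ambiguous and partly contradicts the table above it: if it means AD2's own firewall was changed, there was nothing to open since all three profiles are disabled; if it means HGHAUBNER's firewall was opened so AD2 could reach `D$`, say so and record the rule (scope, ports, who added it) with a planned removal date, because that exposes the only pre-attack backup to the whole flat LAN. The exact iptables lines for the two C2 blocks are also worth capturing here so they can be re-applied if the UDM reboots before the UI rules exist.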

@@ -0,0 +1,36 @@
# Network Topology
## Internet Connection
- Public IP: 67.206.163.122
- Gateway/Router: UniFi Dream Machine (UDM) at 192.168.0.254
## Network Segments
| Segment | Subnet | Purpose |
|---------|--------|---------|
| Main LAN | 192.168.0.0/24 | Servers, workstations, DOS test stations |
| Secondary | 192.168.1.x | Some workstations |
| VPN/Remote | 192.168.6.x | VPN / remote access |
## Key Infrastructure IPs
| Device | IP | OS / Type | Role |
|--------|-----|-----------|------|
| AD1 | 192.168.0.27 | Win Server 2016 | Primary DC, DNS, WINS/NPS |
| AD2 | 192.168.0.6 | Win Server 2016 | Secondary DC, DNS, DFS, TestDataDB |
| FILES-D1 | 192.168.0.189 | Win Server 2016 | File Server |
| SAGE-SQL | 192.168.0.153 | Win Server 2016 | Sage ERP Database |
| 3CX | 192.168.0.125 | Win Server 2016 | Phone System |
| D2TESTNAS | 192.168.0.9 | Debian 13 / Samba | SMB1 proxy for DOS machines |
| ESXi-122 | 192.168.0.122 | VMware ESXi | Hypervisor |
| ESXi-124 | 192.168.0.124 | VMware ESXi | Hypervisor |
| DF-HYPERV-B | 192.168.0.123 | Win Server 2025 | Hyper-V Host |
| UDM | 192.168.0.254 | UniFi Dream Machine | Gateway/Router |
| ENG-DEV-SERVER | 192.168.0.126 | Win 11 Pro | Engineering Dev Server |
## WINS / NPS
- Server: AD1 (192.168.0.27)
- NPS Ports: 1812/1813
## Notes
- Flat network — no VLANs, everything on 192.168.0.0/24
- DOS test stations (64) use SMB1 via D2TESTNAS Samba proxy
- No dedicated firewall appliance — UDM handles routing and firewall
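Review bot: the Network Segments table lists 192.168.1.x and 192.168.6.x, but the Notes say `everything on 192.168.0.0/24`; both cannot hold. Clarify whether the two extra ranges are routed networks on the UDM (then the network is not entirely flat and its route config belongs here) or stale addresses on computer accounts (then say so and cross-reference the stale-IP issue). ESXi-122/124 and ENG-DEV-SERVER appear here but not in the server docs or the overview's server count; once the VM inventory is captured, note which servers run on which hypervisor.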

@@ -0,0 +1,15 @@
# VLANs
## Current State
**No VLANs configured.** Dataforth runs a flat network — all devices on 192.168.0.0/24.
## Network Segments (non-VLAN)
| Segment | Subnet | Purpose |
|---------|--------|---------|
| Main LAN | 192.168.0.0/24 | Servers, workstations, DOS test stations |
| Secondary | 192.168.1.x | Some workstations |
| VPN | 192.168.6.x | VPN / remote access |
## Notes
- Flat network is a risk — no segmentation between servers, workstations, and DOS stations
- DOS stations require SMB1 (via D2TESTNAS), which is a lateral movement risk on a flat network

@@ -0,0 +1,72 @@
# Client Overview
## Company Name
Dataforth Corporation
## Primary Contact
- Name: Dan Center (Operations, replacing retired Joel Lohr)
- Email: dcenter@dataforth.com
## IT Contact
- Name: Mike Swanson (azcomputerguru.com)
- Email: mike@azcomputerguru.com
## Address
3331 E. Hemisphere Loop, Tucson, AZ 85706 USA
Phone: (520) 741-1404 | Fax: (520) 741-0762
Website: www.dataforth.com
## Industry
Signal Conditioning / Data Acquisition — Manufacturing
## Environment Summary
- Domain: intranet.dataforth.com
- Forest/Domain Level: Windows Server 2016
- Total Active Users: ~21 human + ~5 service + 50+ machine/functional accounts
- Servers: 6 (AD1, AD2, FILES-D1, SAGE-SQL, 3CX, DF-HYPERV-B)
- Hypervisors: 2x ESXi (122, 124) + 1x Hyper-V (DF-HYPERV-B)
- Engineering Workstations: ~12
- Manufacturing/Assembly: ~14
- Office/Admin: ~12
- DOS Test Stations: 64 (MS-DOS 6.22, not domain-joined)
- End-of-Life Machines: 3 (Windows 7: LABELPC, LABELPC2, D2-RCVG-003)
- M365 Tenant ID: 7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584
- Entra ID Sync: Yes (Azure AD Connect from OU=SyncedUsers)
- RMM: Datto RMM + GuruRMM (azcomputerguru.com)
## Key Applications
- **TestDataDB**: Node.js + SQLite web app on AD2:3000 — 2.28M test records, 1,470+ model specs
- **Sage ERP**: On SAGE-SQL (192.168.0.153), mapped as S:
- **3CX Phone**: On 3CX server (192.168.0.125) — possibly inactive (last logon Oct 2025)
- **GageTrak**: Calibration tracking on DF-GAGETRAK (192.168.0.102)
- **QuickBASIC 4.5 ATE**: Automated test equipment on 64 DOS stations
## Key Contacts
### Dataforth Staff
| Name | Username | Role | Email |
|------|----------|------|-------|
| John Lehman | jlehman | Engineering, QB code, test specs | jlehman@dataforth.com |
| Peter Iliya | pIliya | Applications Engineer | pIliya@dataforth.com |
| Dan Center | dcenter | Operations | dcenter@dataforth.com |
| Georg Haubner | ghaubner | Engineering, has D: backup | ghaubner@dataforth.com |
| Ken Hoffman | khoffman / oemdata | TestDataSheetUploader author | — |
| Logan Tobey | ltobey | Support/Sales | ltobey@dataforth.com |
| Ben Wadzinski | bwadzinski | Engineering | — |
| Lee Payne | lpayne | Engineering | — |
| Theresa Dean | tdean | Admin | tdean@dataforth.com |
| Joel Lohr | jlohr | **RETIRED 2026-03-31** | jlohr@dataforth.com |
### External
| Name | Role | Contact |
|------|------|---------|
| Mike Swanson | IT Consultant (azcomputerguru.com) | mike@azcomputerguru.com |
| Ginger (Quatronix) | China distributor | gy@quatronix-cn.com |
| Support Pool | Customer support | support@dataforth.com / (520) 741-1404 |
## Notes
- Suffered a **crypto/ransomware attack in 2025** — AD2 was wiped and rebuilt, many files lost
- **DF-JOEL2 compromised 2026-03-27** via phishing — remediated, Joel retired 3/31
- Test datasheet pipeline rebuilt 2026-03-2729 after crypto wipe broke original VB6 tooling
- MFA enforcement deadline: **April 4, 2026** — 19/38 users still need to register
- Previous MSP/IT: Mike Swanson (azcomputerguru.com) — prepared this audit for handoff
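Review bot: the last Notes line says Mike Swanson `prepared this audit for handoff`, while the work log's Session 1 says the documentation was built from his handoff on 2026-04-02; state which parts are his and which are ours, because the `(assumed)` and `Unknown` values elsewhere need an owner. `DF-GAGETRAK (192.168.0.102)` hosts a key application but is missing from the server count (6), topology.md and the server docs; add it or note it as a workstation-class host.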

@@ -0,0 +1,19 @@
# RMM / Monitoring
## RMM Solutions
| Product | Vendor | Notes |
|---------|--------|-------|
| Datto RMM | Datto | CagService on AD2 |
| GuruRMM | azcomputerguru.com | Agent + scheduled update/restart/rollback tasks |
| ScreenConnect | ConnectWise | Remote access client deployed on servers |
## Scheduled RMM Tasks (AD2)
| Task | Status | Purpose |
|------|--------|---------|
| AgentBinaryUpdate | Ready | Updates RMM agent binary |
| AgentRestart | Ready | Restarts GuruRMM agent service |
| GuruRMM-Rollback | Ready | RMM rollback script |
## Notes
- RMM is managed by previous IT consultant (Mike Swanson, azcomputerguru.com)
- Transition status TBD — may need to replace with our own RMM
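Review bot: the ScreenConnect row records only `deployed on servers`, yet the issue log says three rogue ScreenConnect clients were removed on 2026-03-27 and the attacker's relay was `instance-wlb9ga-relay.screenconnect.com`; add the legitimate instance's relay hostname and service name here so a future scan can tell the sanctioned client from an unsanctioned one. With three remote-access agents (Datto, GuruRMM, ScreenConnect) all controlled by the outgoing consultant, the transition line should also say when his access is to be revoked.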

@@ -0,0 +1,19 @@
# Endpoint Security / Antivirus
## Solution
- Product: Not specified in audit
- Managed By: Mike Swanson / azcomputerguru.com
## Deployment Status
- During 2026-03-27 incident: 32 machines scanned clean
- 28 machines were unreachable (offline at time of scan)
## Remote Access Tools
- ScreenConnect (ConnectWise) — deployed across fleet
- Datto RMM agent (CagService)
- GuruRMM Agent (azcomputerguru.com)
## Notes
- AV/EDR product details not captured in audit — need to identify
- Post-incident scan was incomplete (28 machines missed)
- No lateral movement detected from DF-JOEL2 compromise
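Review bot: `32 machines scanned clean` and `No lateral movement detected` cannot be weighed while `Product: Not specified in audit`; record which tool performed the scan and whether it is an EDR with historical telemetry or an on-demand AV scan. The 28 unreachable hosts should be listed by hostname (or linked to the workstation inventory) so the rescan item in the work log has a checklist.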

@@ -0,0 +1,32 @@
# Backup and Disaster Recovery
## Pre-Crypto Attack Backup
- Location: HGHAUBNER (192.168.0.148) D: drive
- Contents: Full backup of all visible network shares before 2025 crypto/ransomware attack
- Folders: DF C-Drive, DF E-Drive, DF Sage, DF Server Archive, DF Server Engineering, DF Server Sales, DF Staff, DF WebShare
- Access: Admin share (D$), firewall opened 2026-03-27
## TestDataDB Backup
- Task: TestDataDB-Backup (scheduled on AD2)
- Script: C:\Shares\testdatadb\backup-db.ps1
- Output: C:\Shares\testdatadb\backups\
## VSS Shadow Copy
- Task: VSS Shadow Copy (scheduled daily at 2:00 AM on AD2)
- Target: E: drive
## Online Backup
- Service: "Online Backup Service" running on AD2
- Details: Unknown — needs investigation
## M365 Backup
- Not identified
## Disaster Recovery
- No formal DR plan documented
- RTO/RPO targets not defined
## Notes
- Backup posture is weak — the only full backup is a pre-attack copy on a workstation's D: drive
- No verified backup of current server state, AD, or Sage ERP
- TestDataDB has its own scheduled SQLite backup
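Review bot: the TestDataDB backup writes to `C:\Shares\testdatadb\backups\`, the same volume and host as the database it protects, so a repeat of the AD2 wipe takes the backups with it; note this under Known Issues and call for an off-host copy. The pre-attack backup on HGHAUBNER is the only full copy that exists and is reachable as a writable admin share on the flat LAN; the Disaster Recovery section should lead with making a read-only or offline copy of it.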

@@ -0,0 +1,11 @@
# Server: 3CX
## General Info
- Hostname: 3CX
- IP Address: 192.168.0.125
- OS: Windows Server 2016
- Role: Phone System (3CX PBX)
## Notes
- Last logon: 2025-10-01 — **may be inactive/decommissioned**
- Needs investigation to determine if still in use
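Review bot: the last-logon date shows when someone last signed in interactively, not whether the PBX is serving calls; check for running 3CX services and registered extensions before marking it decommissioned, and if it is retired, add it to the disable/decommission list since it remains a domain-joined Server 2016 host.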

@@ -0,0 +1,29 @@
# Server: AD1
## General Info
- Hostname: AD1
- IP Address: 192.168.0.27
- OS: Windows Server 2016 Standard
- Physical / Virtual: Unknown (likely VM on ESXi)
## Roles and Services
- [x] Primary Domain Controller (all FSMO roles assumed)
- [x] DNS Server
- [x] WINS / NPS Server (ports 1812/1813)
- [ ] File Server (Engineering share)
## Storage
- **C: drive at 90% full** — C:\Engineering consuming 787 GB
## Shares
| Share Name | Path | Notes |
|-----------|------|-------|
| Engineering | C:\Engineering | 787 GB — ENGR/ATE source code and specs |
| ITSvc | C:\Shares\ITSvc | IT service files, mapped as B: |
## Drive Mappings (from AD1)
- B: = \\ad1\itsvc
## Known Issues
- **[CRITICAL]** C: drive at 90% capacity — Engineering folder needs to move off this DC
- Running AD DS on a server with 787 GB of engineering data is a risk
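Review bot: Roles and Services leaves `[ ] File Server (Engineering share)` unchecked while the Shares table and Known Issues describe the 787 GB Engineering share on this host; tick it or explain the box. The mapping `\\ad1\itsvc` is written with two backslashes here but `\\\\ad1\itsvc` in active-directory.md; the unescaped form renders as `\ad1\itsvc` in Markdown, so pick one convention across the client docs.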

@@ -0,0 +1,84 @@
# Server: AD2
## General Info
- Hostname: AD2
- IP Address: 192.168.0.6
- OS: Windows Server 2016 Standard
- Physical / Virtual: VM (VMware Tools + VGAuthService running, on ESXi)
## Roles and Services
- [x] Secondary Domain Controller
- [x] DNS Server
- [x] DFS Replication / Namespace
- [x] File Server (multiple shares)
- [x] TestDataDB host (Node.js + SQLite on port 3000)
- [x] NAS sync (rsync every 15 min)
## Storage
- C: drive 1 TB, 405 GB free
- E: drive (VSS shadow copy target)
## Shares
| Share Name | Path | Mapped As | Notes |
|-----------|------|-----------|-------|
| c-drive | C:\Shares\c-drive | Q: | — |
| e-drive | C:\Shares\e-drive | T: | — |
| test | C:\Shares\test | — | NAS sync staging, DOS station data |
| webshare | C:\Shares\webshare | X: | Contains For_Web datasheets |
## Key Applications
### TestDataDB
- Type: Node.js + SQLite web app
- URL: http://192.168.0.6:3000
- Location: C:\Shares\testdatadb\
- Database: C:\Shares\testdatadb\database\testdata.db (~3 GB)
- Service: `testdatadb` (Windows service, runs as INTRANET\svc_testdatadb)
- Stats: 2,281,524 test records, 33,745 work orders, 1,470+ model specs
## Scheduled Tasks
| Task | Status | Schedule | Notes |
|------|--------|----------|-------|
| Sync-FromNAS | Ready | Every 15 min | Bidirectional rsync with D2TESTNAS |
| TestDataDB-Backup | Ready | Scheduled | SQLite DB backup |
| VSS Shadow Copy | Ready | Daily 2:00 AM | E: drive |
| ClaudeTools Log Rotation | Ready | — | Log rotation |
| AgentBinaryUpdate | Ready | — | RMM agent update |
| AgentRestart | Ready | — | GuruRMM restart |
| GuruRMM-Rollback | Ready | — | RMM rollback |
| TestDataDB Server | Disabled | — | Replaced by Windows service |
| TestDataDB_NodeServer | Disabled | — | Alternate startup (disabled) |
| BulkSync-Catchup | Disabled | — | One-time bulk sync (done) |
## Running Services (Non-Default)
| Service | Purpose | Run As |
|---------|---------|--------|
| testdatadb | TestDataDB web app (Node.js port 3000) | INTRANET\svc_testdatadb |
| CagService | Datto RMM agent | — |
| GuruRMMAgent | GuruRMM monitoring | — |
| ScreenConnect Client | Remote access | — |
| Online Backup Service | Backup agent | — |
| VGAuthService | VMware guest auth | — |
| VMTools | VMware Tools | — |
| NTDS | AD DS | — |
| Kdc | Kerberos KDC | — |
| ADWS | AD Web Services | — |
| DFSR | DFS Replication | — |
| Dfs | DFS Namespace | — |
| ssh-agent | OpenSSH auth agent | — |
## Windows Firewall
| Profile | Status |
|---------|--------|
| Domain | **DISABLED** |
| Private | **DISABLED** |
| Public | **DISABLED** |
## History
- **Wiped and rebuilt after 2025 crypto/ransomware attack**
- Many files lost (C:\DFWDS\, scheduled tasks, service configs)
- TestDataDB pipeline rebuilt 2026-03-2729
## Known Issues
- **[CRITICAL]** All firewall profiles disabled
- **[LOW]** DVD ISO still mounted on D: drive
- **[MEDIUM]** TestDataDB Server scheduled task still exists but disabled
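Review bot: the Scheduled Tasks table has no Run As column, so `Sync-FromNAS` (every 15 min, bidirectional with D2TESTNAS) does not say which account runs it or how it authenticates to the NAS; given D2TESTNAS accepts root SSH with password auth and an `ssh-agent` service is running here, state whether the sync uses the rsync daemon module or SSH as root and where that credential is stored, because a root password kept on a domain controller is a finding on its own. `ssh-agent` also implies OpenSSH is installed, which belongs in the roles list as a non-default feature.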

@@ -0,0 +1,27 @@
# Server: D2TESTNAS
## General Info
- Hostname: D2TESTNAS
- IP Address: 192.168.0.9
- OS: Debian 13 Linux
- Role: SMB1 proxy for DOS test stations, rsync endpoint
## Services
| Service | Port | Notes |
|---------|------|-------|
| Samba (SMB1) | 445 | Guest access (no password) for DOS machines |
| SSH | 22 | Root access with password auth |
| rsync daemon | 873 | Module "test" → /data/test |
## Storage
- /data/test — Test station data
- /data/test/STAGE — TXT datasheet staging area
## Sync
- rsync module "test" maps to /data/test
- AD2 pulls from NAS every 15 min (Sync-FromNAS scheduled task)
- Bidirectional: DAT/reports pulled to AD2, software updates pushed to NAS
## Known Issues
- **[MEDIUM]** Root SSH with password authentication — should use key-based auth
- **[MEDIUM]** Guest Samba access (no password) — required for DOS SMB1 compatibility
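Review bot: the rsync daemon row (port 873, module "test" → /data/test) records no authentication or host restriction, yet Known Issues only covers SSH and Samba; since AD2 both pulls from and pushes software updates to this module every 15 min, document whether the module is limited by `hosts allow` / `auth users` in rsyncd.conf and, if it is not, add that as a Known Issue. For the root SSH item the remediation is already named (key-based auth); note the target setting, `PermitRootLogin prohibit-password` in sshd_config, so the entry can be closed cleanly once applied.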

View File

@@ -0,0 +1,11 @@
# Server: DF-HYPERV-B
## General Info
- Hostname: DF-HYPERV-B
- IP Address: 192.168.0.123
- OS: Windows Server 2025
- Role: Hyper-V Host
## Notes
- Newest server in the environment (Server 2025)
- VM inventory not captured in audit
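Review bot: this file omits the Services, Windows Firewall and Known Issues sections that the other server docs in this commit carry, and "VM inventory not captured in audit" is left as a bare note; record it as a Known Issues entry with a severity tag (e.g. [MEDIUM] VM inventory and backup coverage unknown) so the gap is tracked instead of buried under Notes.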

View File

@@ -0,0 +1,16 @@
# Server: FILES-D1
## General Info
- Hostname: FILES-D1
- IP Address: 192.168.0.189
- OS: Windows Server 2016
- Role: File Server
## Shares
| Share Name | Mapped As | Notes |
|-----------|-----------|-------|
| sales | W: | Sales documents |
| archive | Y: | Archive storage |
## Notes
- Primary file server for sales and archive data
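Review bot: the Shares table captures only share name and drive letter; for the primary file server the audit should also record share and NTFS permissions (at minimum who has write access to sales and archive) and a backup status line, as the SAGE-SQL doc does. There is no Known Issues section either, which makes the file look reviewed when it has not been; add one even if it is empty for now.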

View File

@@ -0,0 +1,16 @@
# Server: SAGE-SQL
## General Info
- Hostname: SAGE-SQL
- IP Address: 192.168.0.153
- OS: Windows Server 2016
- Role: Sage ERP Database Server
## Shares
| Share Name | Mapped As | Notes |
|-----------|-----------|-------|
| sage | S: | Sage ERP data |
## Notes
- Hosts Sage ERP database
- Backup status unknown — not included in any identified backup job
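Review bot: "Backup status unknown — not included in any identified backup job" is the most important line in this file but sits under Notes with no severity; move it into a Known Issues section as [CRITICAL], matching the convention used in the other server docs, so it surfaces in the client's issue list, and name the backup job the sage share should be added to if one exists.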

View File

@@ -0,0 +1,81 @@
# Workstation Inventory
## Engineering Workstations
| Hostname | IP | OS | User/Purpose | Last Logon |
|----------|-----|-----|-------------|------------|
| D1-ENGI-005 | 192.168.0.91 | Win 11 Pro | Engineering | — |
| D1-ENGI-006 | 192.168.0.104 | Win 11 Pro | Engineering | 2026-04-02 |
| D1-ENGI-008 | 192.168.0.116 | Win 10 Pro | Engineering | 2026-04-02 |
| D1-ENGI-010 | 192.168.0.197 | Win 11 Pro | Engineering | — |
| D1-ENGI-012 | 192.168.0.135 | Win 11 Pro | Engineering | 2026-04-02 |
| D1-ENGI-DEV2 | 192.168.0.71 | Win 11 Pro | Engineering | — |
| D1-ENGI-EMCLAB1 | 192.168.0.50 | Win 11 Pro | EMC Lab | — |
| D1-ENGI-LAB1 | 192.168.0.193 | Win 10 Pro | Engineering Lab | — |
| D1-PWRM | 192.168.0.166 | Win 11 Pro | PWRM10 test station | — |
| ENG-DEV-SERVER | 192.168.0.126 | Win 11 Pro | Engineering Dev Server | — |
| DF-LEE-I9 | 192.168.0.103 | Win 11 Pro | Lee Payne | — |
| HGHAUBNER | 192.168.0.148 | Win 11 Pro | Georg Haubner (D: has pre-attack backup) | — |
## Manufacturing / Assembly
| Hostname | IP | OS | Purpose | Last Logon |
|----------|-----|-----|---------|------------|
| D2-AS-24 | 192.168.0.115 | Win 11 Pro | Assembly | — |
| D2-AS-26 | 192.168.0.79 | Win 11 Pro | Assembly | — |
| D2-ASSY-001 | 192.168.0.71 | Win 10 Pro | Assembly | — |
| D2-HIPOT-SURFAC | 192.168.0.121 | Win 11 Pro | Hi-pot / surface test | — |
| D2-LEETEST | 192.168.0.40 | Win 11 Pro | Lee's test station | — |
| D2-MFG-001 | 192.168.0.81 | Win 11 Pro | Manufacturing | — |
| D2-MFGR-004 | 192.168.0.90 | Win 11 Pro | Manufacturing | — |
| D2-MFGR-200 | 192.168.0.151 | Win 11 Pro | Manufacturing | — |
| QCINSPECTION | 192.168.0.84 | Win 11 Pro | QC Inspection | — |
| STATION_41 | 192.168.0.42 | Win 11 Pro | Test station | — |
| STATION20-PC | 192.168.0.129 | Win 10 Pro | Test station | — |
| STATION21 | 192.168.0.79 | Win 10 Pro | Test station | — |
| STATION43 | 192.168.0.43 | Win 10 Pro | Test station | — |
| D2-BOBBI | 192.168.0.154 | Win 11 Pro | Bobbi Whitson | — |
## Office / Admin
| Hostname | IP | OS | Purpose |
|----------|-----|-----|---------|
| D1-CONF-002 | 192.168.0.120 | Win 11 Pro | Conference room |
| D1-CUST-003 | 192.168.0.119 | Win 11 Pro | Customer service |
| DANC0619 | 192.168.0.51 | Win 11 Pro | Dan Center |
| DFORTH-SHIP | 192.168.0.146 | Win 11 Pro | Shipping |
| DFORTH-SHIPP | 192.168.0.70 | Win 11 Pro | Shipping |
| DFASLB0519 | 192.168.0.172 | Win 10 Pro | — |
| DF-GAGETRAK | 192.168.0.102 | Win 11 Pro | Gage tracking |
| DF-D2-TRAINING- | 192.168.0.199 | Win 11 Pro | Training room |
| MY9-PC | 192.168.0.57 | Win 10 Pro | — |
## End-of-Life (Windows 7)
| Hostname | IP | OS | Notes |
|----------|-----|-----|-------|
| LABELPC | 192.168.0.100 | **Win 7 Pro** | Label printing — EOL |
| LABELPC2 | 192.168.0.98 | **Win 7 Pro** | Label printing — EOL |
| D2-RCVG-003 | 192.168.0.47 | **Win 7 Pro** | Receiving — EOL |
## Security Incident Machine
| Hostname | IP | OS | Notes |
|----------|-----|-----|-------|
| DF-JOEL2 | 192.168.0.174 | Win 11 Pro | Compromised 2026-03-27, remediated |
## RMA
| Hostname | IP | OS | Notes |
|----------|-----|-----|-------|
| DATAFORTH-PC | — | — | RMA processing. Users remote in via RDP + ScreenConnect. Not in Mike's audit. |
## Test / Special
| Hostname | IP | OS | Notes |
|----------|-----|-----|-------|
| D2-10D-TS1 | — | Win 11 Pro | 10D product test station (new) |
| TEST01 | 192.168.0.167 | Win 11 Business | — |
| TS-41 | 192.168.0.169 | Win 10 Pro | — |
## DOS Test Stations (64 total, not domain-joined)
- Stations: TS-1 through TS-30 (plus L/R variants: TS-1L, TS-1R, TS-2L, TS-2R, etc.)
- Dev stations: TS-GURU, TS-TOM
- OS: MS-DOS 6.22
- Software: QuickBASIC 4.5 ATE (Automated Test Equipment)
- Network: SMB1 via D2TESTNAS Samba proxy
- Drive Maps: T: = \\\\D2TESTNAS\test, X: = \\\\D2TESTNAS\datasheets
- See `manufacturing.md` for full test infrastructure details
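Review bot: two IP addresses appear twice in the inventory: 192.168.0.71 (D1-ENGI-DEV2 and D2-ASSY-001) and 192.168.0.79 (D2-AS-26 and STATION21); either the entries are stale or the hosts are on DHCP, and the table should say which, since duplicated addresses make it unusable for tracing a host from a log entry. The DOS drive map X: = \\D2TESTNAS\datasheets also references a share the D2TESTNAS doc above does not list (it documents only the "test" module and /data/test/STAGE), and the hostnames "DF-D2-TRAINING-" and "D2-HIPOT-SURFAC" look truncated at the 15-character NetBIOS limit; confirm the full names and the datasheets share path. Finally, the Office / Admin table drops the Last Logon column the other tables use; keep it so stale machines can be spotted consistently.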