import: ingested 160 files from C:\Users\howar\Clients

Howard's personal MSP client documentation folder imported into shared ClaudeTools repo via /import command. Scope: Clients (structured MSP docs under clients/<name>/docs/): - anaise (NEW) - 13 files - cascades-tucson - 47 files merged (existing had only reports/) - dataforth - 18 files merged (alongside incident reports) - instrumental-music-center - 14 files merged - khalsa (NEW) - 22 files, multi-site (camden, river) - kittle (NEW) - 16 files incl. fix-pdf-preview, gpo-intranet-zone - lens-auto-brokerage (NEW) - 3 files (name matches SOPS vault) - _client_template - 13-file scaffold for new clients MSP tooling (projects/msp-tools/): - msp-audit-scripts/ - server_audit.ps1, workstation_audit.ps1, README - utilities/ - clean_printer_ports, win11_upgrade, screenconnect-toolbox-commands Credential handling: - Extracted 1 inline password (Anaise DESKTOP-O8GF4SD / david) to SOPS vault: clients/anaise/desktop-o8gf4sd.sops.yaml - Redacted overview.md with vault reference pattern - Scanned all 160 files for keys/tokens/connection strings - no other credentials found Skipped: - Cascades/.claude/settings.local.json (per-machine config) - Source-root CLAUDE.md (personal, claudetools has its own) - scripts/server_audit.ps1 and workstation_audit.ps1 at source root (identical duplicates of msp-audit-scripts versions) Memory updates: - reference_client_docs_structure.md (layout, conventions, active list) - reference_msp_audit_scripts.md (locations, ScreenConnect 80-char rule) Session log: session-logs/2026-04-16-howard-client-docs-import.md Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-16 19:43:58 -07:00
parent 6eaba02b71
commit 8d975c1b44
160 changed files with 16002 additions and 0 deletions
--- a/clients/dataforth/docs/security/antivirus.md
+++ b/clients/dataforth/docs/security/antivirus.md
@@ -0,0 +1,19 @@
+# Endpoint Security / Antivirus
+
+## Solution
+- Product: Not specified in audit
+- Managed By: Mike Swanson / azcomputerguru.com
+
+## Deployment Status
+- During 2026-03-27 incident: 32 machines scanned clean
+- 28 machines were unreachable (offline at time of scan)
+
+## Remote Access Tools
+- ScreenConnect (ConnectWise) — deployed across fleet
+- Datto RMM agent (CagService)
+- GuruRMM Agent (azcomputerguru.com)
+
+## Notes
+- AV/EDR product details not captured in audit — need to identify
+- Post-incident scan was incomplete (28 machines missed)
+- No lateral movement detected from DF-JOEL2 compromise
--- a/clients/dataforth/docs/security/backup.md
+++ b/clients/dataforth/docs/security/backup.md
@@ -0,0 +1,32 @@
+# Backup and Disaster Recovery
+
+## Pre-Crypto Attack Backup
+- Location: HGHAUBNER (192.168.0.148) D: drive
+- Contents: Full backup of all visible network shares before 2025 crypto/ransomware attack
+- Folders: DF C-Drive, DF E-Drive, DF Sage, DF Server Archive, DF Server Engineering, DF Server Sales, DF Staff, DF WebShare
+- Access: Admin share (D$), firewall opened 2026-03-27
+
+## TestDataDB Backup
+- Task: TestDataDB-Backup (scheduled on AD2)
+- Script: C:\Shares\testdatadb\backup-db.ps1
+- Output: C:\Shares\testdatadb\backups\
+
+## VSS Shadow Copy
+- Task: VSS Shadow Copy (scheduled daily at 2:00 AM on AD2)
+- Target: E: drive
+
+## Online Backup
+- Service: "Online Backup Service" running on AD2
+- Details: Unknown — needs investigation
+
+## M365 Backup
+- Not identified
+
+## Disaster Recovery
+- No formal DR plan documented
+- RTO/RPO targets not defined
+
+## Notes
+- Backup posture is weak — the only full backup is a pre-attack copy on a workstation's D: drive
+- No verified backup of current server state, AD, or Sage ERP
+- TestDataDB has its own scheduled SQLite backup