grabb-durando: GND-SERVER full health/security baseline (RED)

First onboarding-diagnostic baseline for GND-SERVER (Grabb & Durando DC/file/RRAS box,
gd.local, 192.168.242.200). Grade RED: 2 critical (host firewall OFF on all profiles;
OS-EOL flag — false positive, build 17763 is Server 2019, supported to 2029), 6 warning
(Defender/AV unconfirmed, built-in Administrator enabled, 1 pending update, 2 disk errors
/14d, pending reboot, 2 stopped auto services), plus tempadmin local admin + no confirmed
BitLocker. Immutable JSON + report under onboarding-baselines/.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-16 08:11:34 -07:00
parent 76d006c08b
commit a33bc423f6
2 changed files with 1713 additions and 0 deletions

File diff suppressed because it is too large.

@@ -0,0 +1,256 @@
# Onboarding Diagnostic Baseline - GND-SERVER
- **Grade:** RED
- **Host:** GND-SERVER
- **Client:** Grabb & Durando Law Office (`grabb-durando`)
- **Collected (UTC):** 2026-06-16T15:10:09Z
- **Agent ID:** cd086074-6766-46b5-93ad-382df97b1f54
- **Command ID:** 63ae4f19-9498-4ecf-a646-a73c01f67845
- **Findings:** 2 critical / 6 warning / 11 info / 1 unknown
- **OS:** Microsoft Windows Server 2019 Standard (build 17763)
---
## CRITICAL (2)
### Firewall disabled on profile(s): Domain, Private, Public
- **Category:** security
- **ID:** `sec.firewall.disabled`
- One or more firewall profiles are OFF. The endpoint is exposed to lateral movement and inbound attacks on those networks. Re-enable all profiles.
```
Profile states: Private=False; Domain=False; Public=False
```
### OS build is end-of-life: Win10 1809
- **Category:** security
- **ID:** `sec.patch.os_eol`
- This OS build (17763, Win10 1809) passed end-of-servicing on 2020-11-10. It no longer receives security updates. Plan a feature update or OS upgrade.
```
Microsoft Windows Server 2019 Standard build 17763; EOL 2020-11-10
```
## WARNING (6)
### Defender status unavailable
- **Category:** security
- **ID:** `sec.defender.unavailable`
- Get-MpComputerStatus returned nothing. Defender may be disabled, replaced by a 3rd-party AV, or the cmdlet is unavailable. Confirm an active AV exists (see security-center check).
```
Get-MpComputerStatus returned null
```
### Built-in Administrator account is enabled
- **Category:** security
- **ID:** `sec.local_admins.builtin_enabled`
- The built-in Administrator (RID 500) is enabled. It is a well-known target for brute force and lateral movement. Disable it or ensure it is managed by LAPS with a strong unique password.
```
Get-LocalUser SID ...-500 Enabled=True
```
### 1 pending Windows updates
- **Category:** security
- **ID:** `sec.patch.pending`
- Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window.
```
Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 1
```
### Stability events present in the last 14 days
- **Category:** health
- **ID:** `health.stability.some`
- One or more unexpected shutdowns, BSODs, or disk errors occurred recently. Monitor and correlate with user reports.
```
Unexpected shutdowns (id 41)=0; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=2
```
### Reboot pending
- **Category:** health
- **ID:** `health.reboot_uptime.pending`
- A reboot is pending. Pending reboots can block patches and leave the system in a half-updated state. Schedule a restart.
```
PendingFileRenameOperations
```
### 2 auto-start service(s) not running
- **Category:** health
- **ID:** `health.failed_services.stopped`
- These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running.
```
GoogleUpdaterInternalService150.0.7863.0 (Google Updater Internal Service (GoogleUpdaterInternalService150.0.7863.0)) = Stopped
GoogleUpdaterService150.0.7863.0 (Google Updater Service (GoogleUpdaterService150.0.7863.0)) = Stopped
```
## INFO (11)
### No AV products registered in Security Center
- **Category:** security
- **ID:** `sec.av_products.none_registered`
- SecurityCenter2 returned no AntiVirusProduct entries. This is normal on Windows Server SKUs (Security Center is a client feature). On a workstation, confirm Defender or a managed AV is active.
```
root\SecurityCenter2 AntiVirusProduct: none
```
### No competitor/leftover management agents detected
- **Category:** security
- **ID:** `sec.foreign_agents.none`
- No known competitor RMM or unmanaged remote-access agents found in installed programs or services.
```
Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service
```
### Expected ACG management tooling present: ScreenConnect / ConnectWise Control
- **Category:** security
- **ID:** `sec.foreign_agents.acg.screenconnect_connectwise_control`
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
```
program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579
service: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running
```
### Expected ACG management tooling present: Splashtop (SOS/Streamer)
- **Category:** security
- **ID:** `sec.foreign_agents.acg.splashtop_sos_streamer_`
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
```
program: Splashtop Streamer 3.8.4.0
service: SplashtopRemoteService (Splashtop? Remote Service) Running
```
### Expected ACG management tooling present: Syncro / Kabuto
- **Category:** security
- **ID:** `sec.foreign_agents.acg.syncro_kabuto`
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
```
program: Syncro 1.0.201.18410
service: Syncro (Syncro) Running
```
### Local administrators (7)
- **Category:** security
- **ID:** `sec.local_admins.list`
- Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).
```
Administrator
Domain Admins
Domain Users
Enterprise Admins
localadmin
sysadmin
tempadmin
```
### Last hotfix: KB5094123
- **Category:** security
- **ID:** `sec.patch.last_hotfix`
- Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).
```
KB5094123 installed 2026-06-10T07:00:00Z
```
### SMBv1 disabled
- **Category:** security
- **ID:** `sec.exposure.smb1_off`
- SMBv1 server protocol is disabled.
```
EnableSMB1Protocol=False
```
### LAPS detected
- **Category:** security
- **ID:** `sec.exposure.laps_present`
- A LAPS mechanism is present.
```
Windows LAPS reg key
```
### Time service source
- **Category:** health
- **ID:** `health.time.source`
- Current Windows Time service source.
```
Source=time.windows.com,0x1
```
### Backup agent installed and running
- **Category:** health
- **ID:** `health.backup.present`
- A backup agent service is present and running. Confirm the backup is actually configured and reporting successful jobs (presence != working backup).
```
Datto Workplace: Datto_FSA.VssHelper = Running
Datto Workplace: datto_workplace_server.default = Running
```
## UNKNOWN (1)
### BitLocker status unavailable
- **Category:** security
- **ID:** `sec.bitlocker.unavailable`
- Get-BitLockerVolume failed for the OS volume. BitLocker may not be installed (Home edition) or the cmdlet is unavailable. Verify encryption manually (manage-bde -status).
```
MountPoint=C:, Get-BitLockerVolume returned null
```
---
## Inventory Baseline Summary
- **Manufacturer / Model:** Micro-Star International Co., Ltd. / MS-7B87
- **Serial:** To be filled by O.E.M.
- **CPU:** AMD Ryzen 5 2600 Six-Core Processor (6 cores / 12 logical)
- **RAM (GB):** 16
- **BIOS:** 1.00 (2018-07-13)
- **Chassis is laptop:** false
- **TPM present / Secure Boot:** ? / ?
- **Domain joined:** true (gd.local)
- **OS activation licensed:** ?
- **Uptime (days):** 6.6
- **Pending reboot:** true
- **Installed software count:** 142
- **Scheduled tasks (non-MS, enabled):** 13
- **Local administrators:** Administrator, Domain Admins, Domain Users, Enterprise Admins, localadmin, sysadmin, tempadmin
### Fixed volumes
- [System Reserved] - 0.5 GB free of 0.5 GB (93.4%)
- C: - 99.7 GB free of 222.3 GB (44.8%)
- [unlabeled] - 0.3 GB free of 0.8 GB (42.7%)
- F: - 770 GB free of 3725.9 GB (20.7%)
### Network adapters
- Realtek PCIe GbE Family Controller - IP: 192.168.242.200, fe80::dcaf:5645:6e99:a410 - DNS: 127.0.0.1, 8.8.8.8 - DHCP: false
---
## Diff vs Prior Baseline
- No prior baseline found for this host. This is the first baseline.
---
_Generated by run-onboarding-diagnostic.sh (GuruRMM onboarding diagnostic, Phase 1). Raw snapshot: `GND-SERVER-20260616T151038.json` (immutable)._
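Review bot: `Domain Users` appears in the local Administrators group (the `sec.local_admins.list` block and the "Local administrators" line of the inventory summary) but is filed under INFO with no comment; on a domain controller the "local" Administrators group is the domain's BUILTIN\Administrators, so that membership gives every domain account administrative rights on the DC and effectively on the domain, and it should be a CRITICAL finding that outranks the firewall item and be named in the commit message alongside tempadmin. Two further points on the same hunk: the `sec.patch.os_eol` entry keys on build 17763 alone and labels the host "Win10 1809" even though the OS line and the commit message both identify it as Server 2019 Standard (supported to 2029), so the check should branch on the product type from `Win32_OperatingSystem` (`ProductType`/`Caption`) before consulting the client-build EOL table, and a flag the author already calls a false positive should not be counted in the RED grade; and the network adapter line shows DNS `127.0.0.1, 8.8.8.8` on a DC, where a public resolver as secondary DNS cannot answer gd.local or AD SRV lookups and will break name resolution whenever the local DNS service is slow or stopped, so it belongs in the exposure checks at WARNING. Minor wording in the BitLocker UNKNOWN entry: "Home edition" cannot apply to a Server SKU; on Server the usual reason `Get-BitLockerVolume` returns nothing is that the BitLocker feature and its PowerShell module are not installed, and `manage-bde -status` is the right manual check, as the text already says.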