From a33bc423f6866cc8c454b52a1ea8d1e44175b0d6 Mon Sep 17 00:00:00 2001 From: Mike Swanson Date: Tue, 16 Jun 2026 08:11:34 -0700 Subject: [PATCH] grabb-durando: GND-SERVER full health/security baseline (RED) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit First onboarding-diagnostic baseline for GND-SERVER (Grabb & Durando DC/file/RRAS box, gd.local, 192.168.242.200). Grade RED: 2 critical (host firewall OFF on all profiles; OS-EOL flag — false positive, build 17763 is Server 2019, supported to 2029), 6 warning (Defender/AV unconfirmed, built-in Administrator enabled, 1 pending update, 2 disk errors /14d, pending reboot, 2 stopped auto services), plus tempadmin local admin + no confirmed BitLocker. Immutable JSON + report under onboarding-baselines/. Co-Authored-By: Claude Opus 4.8 (1M context) --- .../GND-SERVER-20260616T151038.json | 1457 +++++++++++++++++ .../GND-SERVER-20260616T151038.md | 256 +++ 2 files changed, 1713 insertions(+) create mode 100644 clients/grabb-durando/onboarding-baselines/GND-SERVER-20260616T151038.json create mode 100644 clients/grabb-durando/onboarding-baselines/GND-SERVER-20260616T151038.md diff --git a/clients/grabb-durando/onboarding-baselines/GND-SERVER-20260616T151038.json b/clients/grabb-durando/onboarding-baselines/GND-SERVER-20260616T151038.json new file mode 100644 index 0000000..d44b2e9 --- /dev/null +++ b/clients/grabb-durando/onboarding-baselines/GND-SERVER-20260616T151038.json 
@@ -0,0 +1,1457 @@ +{ + "host": "GND-SERVER", + "collected_at_utc": "2026-06-16T15:10:09Z", + "os": { + "caption": "Microsoft Windows Server 2019 Standard", + "version": "10.0.17763", + "build": "17763", + "install_date": "2022-05-04T23:53:21Z", + "last_boot_utc": "2026-06-10T00:28:03Z", + "architecture": "64-bit" + }, + "facts": { + "builtin_admin_enabled": true, + "os_eol": { + "eol_date": "2020-11-10", + "release": "Win10 1809" + }, + "pending_updates": 1, + "pending_reboot": true, + "uptime_days": 6.6, + "acg_managed_tools": [ + "ScreenConnect / ConnectWise Control", + "Splashtop (SOS/Streamer)", + "Syncro / Kabuto" + ], + "hardware": { + "model": "MS-7B87", + "manufacturer": "Micro-Star International Co., Ltd.", + "bios_date": "2018-07-13", + "cpu_logical": 12, + "bios_version": "1.00", + "cpu_cores": 6, + "ram_gb": 16, + "serial": "To be filled by O.E.M.", + "cpu": "AMD Ryzen 5 2600 Six-Core Processor " + }, + "local_administrators": [ + "Administrator", + "Domain Admins", + "Domain Users", + "Enterprise Admins", + "localadmin", + "sysadmin", + "tempadmin" + ], + "os_build": "17763", + "secure_boot": null, + "backup_agents": [ + { + "label": "Datto Workplace", + "service": "Datto_FSA.VssHelper", + "state": "Running" + }, + { + "label": "Datto Workplace", + "service": "datto_workplace_server.default", + "state": "Running" + } + ], + "autoruns_run_keys": [ + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "SecurityHealth", + "value": "C:\\WINDOWS\\system32\\SecurityHealthSystray.exe" + }, + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "AdobeGCInvoker-1.0", + "value": "\"C:\\Program Files (x86)\\Common Files\\Adobe\\AdobeGCClient\\AGCInvokerUtility.exe\"" + }, + { + "key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "AdobeAAMUpdater-1.0", + "value": "\"C:\\Program Files (x86)\\Common Files\\Adobe\\OOBE\\PDApp\\UWA\\UpdaterStartupUtility.exe\"" + }, + { + "key": 
"HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "Datto Workplace Server", + "value": "\"C:\\Program Files\\Datto\\Workplace Server\\WorkplaceServer.exe\" -boot" + }, + { + "key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "Adobe Creative Cloud", + "value": "\"C:\\Program Files\\Adobe\\Adobe Creative Cloud\\ACC\\Creative Cloud.exe\" --showwindow=false --onOSstartup=true" + }, + { + "key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run", + "name": "Adobe CCXProcess", + "value": "C:\\Program Files (x86)\\Adobe\\Adobe Creative Cloud Experience\\CCXProcess.exe" + } + ], + "physical_disks": [ + { + "health": "Healthy", + "model": "WDC WD40EZRZ-00GXCB0", + "media_type": "HDD" + }, + { + "health": "Healthy", + "model": "WDC WD40EZRZ-00GXCB0", + "media_type": "HDD" + }, + { + "health": "Healthy", + "model": "TEAML5Lite3D240G", + "media_type": "SSD" + } + ], + "local_users": [ + { + "last_logon": "2021-12-27", + "name": "Administrator", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "", + "name": "Guest", + "password_never_expires": false, + "enabled": false + }, + { + "last_logon": "", + "name": "krbtgt", + "password_never_expires": false, + "enabled": false + }, + { + "last_logon": "", + "name": "DefaultAccount", + "password_never_expires": false, + "enabled": false + }, + { + "last_logon": "2026-06-16", + "name": "sysadmin", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2026-06-16", + "name": "jwilliams", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2026-06-16", + "name": "jsosa", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2022-03-03", + "name": "gstoltz", + "password_never_expires": false, + "enabled": false + }, + { + "last_logon": "2026-03-05", + "name": "rgrabb", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": 
"2026-06-08", + "name": "rpesqueira", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2022-05-16", + "name": "localadmin", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2026-06-15", + "name": "avazquez", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2026-06-09", + "name": "depo", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2022-05-31", + "name": "rnedlin", + "password_never_expires": false, + "enabled": false + }, + { + "last_logon": "2026-06-16", + "name": "MSOL_fe31cecd815d", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2022-05-06", + "name": "tempadmin", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2024-05-13", + "name": "yheredia", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2026-04-09", + "name": "pgrabb", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2026-06-15", + "name": "slarionova", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2026-06-16", + "name": "GND-SERVER$", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2023-05-15", + "name": "GND-JEFF$", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2021-02-17", + "name": "GND-MICHELLE$", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2022-03-09", + "name": "GND-GREG$", + "password_never_expires": false, + "enabled": false + }, + { + "last_logon": "2024-01-09", + "name": "GND-MELODY$", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2020-09-09", + "name": "GND-AMBER$", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2025-08-16", + "name": "GND-JEANNETTE$", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2020-11-09", + "name": 
"GND-BOB$", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2019-05-16", + "name": "GND-FRONT$", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2021-02-10", + "name": "GND-MARTHA$", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2019-08-02", + "name": "GND-LIZ$", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2020-04-05", + "name": "GND-JEFF-LT$", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2026-06-15", + "name": "DESKTOP-FSN454Q$", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2023-01-24", + "name": "GND-RECEPTION$", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2022-06-08", + "name": "GND-L-1$", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2026-06-08", + "name": "GND-L-3$", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2024-07-20", + "name": "GND-L-2$", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2022-10-28", + "name": "GND-L-4$", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2024-07-08", + "name": "GND-BOB-PC$", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2022-03-04", + "name": "DESKTOP-74RNQG6$", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2026-06-16", + "name": "DESKTOP-KUL6BI7$", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2026-06-16", + "name": "GND-PARALEGAL$", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2026-06-09", + "name": "GND-JWILL$", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2026-06-09", + "name": "ADSyncMSAfe31c$", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2026-06-16", + "name": 
"GND-JEFF-2$", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2026-06-16", + "name": "GRABBDURANDO$", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2026-06-16", + "name": "GND-REYNA$", + "password_never_expires": false, + "enabled": true + }, + { + "last_logon": "2026-06-16", + "name": "GND-TDIAZ$", + "password_never_expires": false, + "enabled": true + } + ], + "scheduled_tasks_count": 13, + "volumes": [ + { + "drive": "[System Reserved]", + "size_gb": 0.5, + "free_pct": 93.4, + "free_gb": 0.5 + }, + { + "drive": "C:", + "size_gb": 222.3, + "free_pct": 44.8, + "free_gb": 99.7 + }, + { + "drive": "[unlabeled]", + "size_gb": 0.8, + "free_pct": 42.7, + "free_gb": 0.3 + }, + { + "drive": "F:", + "size_gb": 3725.9, + "free_pct": 20.7, + "free_gb": 770 + } + ], + "network_adapters": [ + { + "dhcp": false, + "description": "Realtek PCIe GbE Family Controller", + "gateway": [ + "192.168.242.1" + ], + "mac": "30:9C:23:E2:1F:20", + "ip": [ + "192.168.242.200", + "fe80::dcaf:5645:6e99:a410" + ], + "dns": [ + "127.0.0.1", + "8.8.8.8" + ] + } + ], + "failed_autostart_services": [ + { + "name": "GoogleUpdaterInternalService150.0.7863.0", + "display": "Google Updater Internal Service (GoogleUpdaterInternalService150.0.7863.0)", + "state": "Stopped" + }, + { + "name": "GoogleUpdaterService150.0.7863.0", + "display": "Google Updater Service (GoogleUpdaterService150.0.7863.0)", + "state": "Stopped" + } + ], + "stability_14d": { + "unexpected_shutdowns": 0, + "disk_errors": 2, + "bugchecks": 0 + }, + "exposure": { + "smb1_enabled": false, + "laps_present": true, + "rdp_enabled": false, + "uac_enabled": true, + "rdp_nla": true + }, + "accounts_password_never_expires": [], + "installed_software": [ + { + "publisher": "Microsoft Corporation", + "name": " Tools for .Net 3.5", + "version": "3.11.50727" + }, + { + "publisher": "Adobe", + "name": "Adobe Acrobat (64-bit)", + "version": "26.001.21563" + }, + { + "publisher": 
"Adobe Inc.", + "name": "Adobe Creative Cloud", + "version": "5.5.0.617" + }, + { + "publisher": "Adobe Inc.", + "name": "Adobe Genuine Service", + "version": "9.1.0.52" + }, + { + "publisher": "Adobe Systems Incorporated", + "name": "Adobe Refresh Manager", + "version": "1.8.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Browser for SQL Server 2017", + "version": "14.0.1000.169" + }, + { + "publisher": "Webprofusion Pty Ltd", + "name": "Certify The Web version 5.6.8", + "version": "5.6.8" + }, + { + "publisher": "Cisco WebEx LLC", + "name": "Cisco WebEx Meetings", + "version": "" + }, + { + "publisher": "Datto, Inc.", + "name": "Datto Workplace Server", + "version": "8.50.13" + }, + { + "publisher": "Nsasoft LLC.", + "name": "DhcpExplorer 1.4.9", + "version": "" + }, + { + "publisher": "Eclipse Adoptium", + "name": "Eclipse Temurin JRE with Hotspot 8u482-b08 (x64)", + "version": "8.0.482.8" + }, + { + "publisher": "Google LLC", + "name": "Google Chrome", + "version": "149.0.7827.114" + }, + { + "publisher": "Arizona Computer Guru LLC", + "name": "GuruRMM Agent", + "version": "0.6.2" + }, + { + "publisher": "Microsoft Corporation", + "name": "Integration Services", + "version": "15.0.2000.92" + }, + { + "publisher": "LexisNexis", + "name": "LexisNexis Common API", + "version": "1.90.0.0" + }, + { + "publisher": "LexisNexis", + "name": "LexisNexis? 
Time Matters?", + "version": "16.4.0.253" + }, + { + "publisher": "Crystal Rich Ltd", + "name": "LockHunter 3.3, 32/64 bit", + "version": "" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft .NET Framework 4 Multi-Targeting Pack", + "version": "4.0.30319" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft .NET Framework 4.5 Multi-Targeting Pack", + "version": "4.5.50710" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft .NET Framework 4.5.1 Multi-Targeting Pack", + "version": "4.5.50932" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft .NET Framework 4.5.1 Multi-Targeting Pack (ENU)", + "version": "4.5.50932" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft .NET Framework 4.5.1 SDK", + "version": "4.5.51641" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft .NET Framework 4.5.2 Multi-Targeting Pack", + "version": "4.5.51209" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft .NET Framework 4.5.2 Multi-Targeting Pack (ENU)", + "version": "4.5.51209" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Analysis Services OLE DB Provider", + "version": "15.0.2000.20" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Azure AD Connect", + "version": "2.1.16.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Azure AD Connect Health agent for sync", + "version": "3.2.1823.12" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Azure AD Connect synchronization services", + "version": "2.1.16.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Build Tools 14.0 (amd64)", + "version": "14.0.23107" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Build Tools 14.0 (x86)", + "version": "14.0.23107" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Build Tools Language Resources 14.0 (amd64)", + "version": 
"14.0.23107" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Build Tools Language Resources 14.0 (x86)", + "version": "14.0.23107" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Command Line Utilities 11 for SQL Server", + "version": "11.0.2270.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Command Line Utilities 15 for SQL Server", + "version": "15.0.2000.5" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Edge WebView2 Runtime", + "version": "149.0.4022.69" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Help Viewer 2.2", + "version": "2.2.23107" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Help Viewer 2.3", + "version": "2.3.28107" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft ODBC Driver 11 for SQL Server", + "version": "11.0.2270.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft ODBC Driver 13 for SQL Server", + "version": "14.0.1000.169" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft ODBC Driver 17 for SQL Server", + "version": "17.7.2.1" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft OLE DB Driver for SQL Server", + "version": "18.5.0.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft SQL Server 2012 Native Client ", + "version": "11.4.7462.6" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft SQL Server 2014 Management Objects ", + "version": "12.0.2000.8" + }, + { + "publisher": "", + "name": "Microsoft SQL Server 2017", + "version": "" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft SQL Server 2017 (64-bit)", + "version": "" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft SQL Server 2017 Policies ", + "version": "14.0.1000.169" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft SQL Server 2017 RsFx Driver", + "version": 
"14.0.1000.169" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft SQL Server 2017 Setup (English)", + "version": "14.0.1000.169" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft SQL Server 2017 T-SQL Language Service ", + "version": "14.0.1000.169" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft SQL Server 2017 T-SQL Language Service ", + "version": "14.0.17289.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft SQL Server 2019 LocalDB ", + "version": "15.0.4138.2" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft SQL Server Data-Tier Application Framework (x86)", + "version": "14.0.4127.1" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft SQL Server Management Studio - 17.9.1", + "version": "14.0.17289.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft SQL Server Management Studio - 18.5", + "version": "15.0.18330.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft System CLR Types for SQL Server 2014", + "version": "12.0.2402.11" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft System CLR Types for SQL Server 2017", + "version": "14.0.1000.169" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2005 Redistributable", + "version": "8.0.56336" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2005 Redistributable (x64)", + "version": "8.0.56336" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219", + "version": "10.0.40219" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219", + "version": "10.0.40219" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030", + "version": "11.0.61030.0" + }, + { + "publisher": "Microsoft 
Corporation", + "name": "Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030", + "version": "11.0.61030.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030", + "version": "11.0.61030" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030", + "version": "11.0.61030" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030", + "version": "11.0.61030" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030", + "version": "11.0.61030" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005", + "version": "12.0.21005.1" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40664", + "version": "12.0.40664.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005", + "version": "12.0.21005.1" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40664", + "version": "12.0.40664.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.40664", + "version": "12.0.40664" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 x64 Debug Runtime - 12.0.21005", + "version": "12.0.21005" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.40664", + "version": "12.0.40664" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.40664", + "version": "12.0.40664" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 x86 
Debug Runtime - 12.0.21005", + "version": "12.0.21005" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.40664", + "version": "12.0.40664" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2015 x64 Debug Runtime - 14.0.23026", + "version": "14.0.23026" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2015 x86 Debug Runtime - 14.0.23026", + "version": "14.0.23026" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.23.27820", + "version": "14.23.27820.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.44.35112", + "version": "14.44.35112.1" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2019 X86 Additional Runtime - 14.23.27820", + "version": "14.23.27820" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.23.27820", + "version": "14.23.27820" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.44.35112", + "version": "14.44.35112" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.44.35112", + "version": "14.44.35112" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio 2015 Shell (Isolated)", + "version": "14.0.23107" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio 2015 Shell (Isolated)", + "version": "14.0.23107.10" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio 2015 Shell (Isolated) Resources", + "version": "14.0.23107" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio 2015 Shell (Minimum)", + "version": "14.0.23107" + }, + { + "publisher": "Microsoft 
Corporation", + "name": "Microsoft Visual Studio 2015 Shell (Minimum) Interop Assemblies", + "version": "14.0.23107" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio 2015 Shell (Minimum) Resources", + "version": "14.0.23107" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio 2015 XAML Designer", + "version": "14.0.23107" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio 2015 XAML Designer - ENU", + "version": "14.0.23107" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio Services Hub", + "version": "1.0.23107.00" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio Tools for Applications 2015", + "version": "14.0.23829" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio Tools for Applications 2015 Finalizer", + "version": "14.0.23829" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio Tools for Applications 2015 Language Support", + "version": "14.0.23107.20" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio Tools for Applications 2015 Language Support - ENU Language Pack", + "version": "14.0.23107.20" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio Tools for Applications 2015 Language Support Finalizer", + "version": "14.0.23107.20" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio Tools for Applications 2015 x64 Hosting Support", + "version": "14.0.23829" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio Tools for Applications 2015 x86 Hosting Support", + "version": "14.0.23829" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio Tools for Applications 2017", + "version": "15.0.27520" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio 
Tools for Applications 2017 x64 Hosting Support", + "version": "15.0.27520" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft Visual Studio Tools for Applications 2017 x86 Hosting Support", + "version": "15.0.27520" + }, + { + "publisher": "Microsoft Corporation", + "name": "Microsoft VSS Writer for SQL Server 2017", + "version": "14.0.1000.169" + }, + { + "publisher": "Notepad++ Team", + "name": "Notepad++ (64-bit x64)", + "version": "8.8.7" + }, + { + "publisher": "Arizona Computer Guru", + "name": "Online Backup 8.6", + "version": "8.6" + }, + { + "publisher": "Simon Tatham", + "name": "PuTTY release 0.70 (64-bit)", + "version": "0.70.0.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "Roslyn Language Services - x86", + "version": "14.0.23107" + }, + { + "publisher": "ScreenConnect Software", + "name": "ScreenConnect Client (1912bf3444b41a08)", + "version": "26.1.24.9579" + }, + { + "publisher": "Splashtop Inc.", + "name": "Splashtop Streamer", + "version": "3.8.4.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "SQL Server 2017 Batch Parser", + "version": "14.0.1000.169" + }, + { + "publisher": "Microsoft Corporation", + "name": "SQL Server 2017 Client Tools Extensions", + "version": "14.0.1000.169" + }, + { + "publisher": "Microsoft Corporation", + "name": "SQL Server 2017 Common Files", + "version": "14.0.1000.169" + }, + { + "publisher": "Microsoft Corporation", + "name": "SQL Server 2017 Connection Info", + "version": "14.0.1000.169" + }, + { + "publisher": "Microsoft Corporation", + "name": "SQL Server 2017 Database Engine Services", + "version": "14.0.1000.169" + }, + { + "publisher": "Microsoft Corporation", + "name": "SQL Server 2017 Database Engine Shared", + "version": "14.0.1000.169" + }, + { + "publisher": "Microsoft Corporation", + "name": "SQL Server 2017 DMF", + "version": "14.0.1000.169" + }, + { + "publisher": "Microsoft Corporation", + "name": "SQL Server 2017 Integration Services Scale Out 
Management Portal", + "version": "14.0.1000.169" + }, + { + "publisher": "Microsoft Corporation", + "name": "SQL Server 2017 Management Studio Extensions", + "version": "14.0.3026.27" + }, + { + "publisher": "Microsoft Corporation", + "name": "SQL Server 2017 Shared Management Objects", + "version": "14.0.1000.169" + }, + { + "publisher": "Microsoft Corporation", + "name": "SQL Server 2017 Shared Management Objects Extensions", + "version": "14.0.1000.169" + }, + { + "publisher": "Microsoft Corporation", + "name": "SQL Server 2017 SQL Diagnostics", + "version": "14.0.1000.169" + }, + { + "publisher": "Microsoft Corporation", + "name": "SQL Server 2017 XEvent", + "version": "14.0.1000.169" + }, + { + "publisher": "Microsoft Corporation", + "name": "SQL Server Management Studio", + "version": "14.0.17289.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "SQL Server Management Studio", + "version": "15.0.18330.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "SQL Server Management Studio for Analysis Services", + "version": "14.0.17289.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "SQL Server Management Studio for Analysis Services", + "version": "15.0.18330.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "SQL Server Management Studio for Reporting Services", + "version": "14.0.17289.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "SQL Server Management Studio for Reporting Services", + "version": "15.0.18330.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "SSMS Post Install Tasks", + "version": "14.0.17289.0" + }, + { + "publisher": "Microsoft Corporation", + "name": "SSMS Post Install Tasks", + "version": "15.0.18330.0" + }, + { + "publisher": "Servably, Inc.", + "name": "Syncro", + "version": "1.0.201.18410" + }, + { + "publisher": "", + "name": "Ubiquiti UniFi (remove only)", + "version": "" + }, + { + "publisher": "Microsoft Corporation", + "name": "Update for (KB2504637)", + 
"version": "1" + }, + { + "publisher": "Microsoft Corporation", + "name": "Update for Microsoft Visual Studio 2015 (KB3095681)", + "version": "14.0.23317" + }, + { + "publisher": "Microsoft Corporation", + "name": "Visual Studio 2015 Prerequisites", + "version": "14.0.23107" + }, + { + "publisher": "Microsoft Corporation", + "name": "Visual Studio 2015 Prerequisites - ENU Language Pack", + "version": "14.0.23107" + }, + { + "publisher": "Microsoft Corporation", + "name": "Visual Studio 2017 Isolated Shell for SSMS", + "version": "15.0.28307.421" + }, + { + "publisher": "Thingamahoochie Software", + "name": "WinMerge 2.16.0.0 x64", + "version": "2.16.0.0" + }, + { + "publisher": "win.rar GmbH", + "name": "WinRAR 7.22 (64-bit)", + "version": "7.22.0" + }, + { + "publisher": "Martin Prikryl", + "name": "WinSCP 5.13.7", + "version": "5.13.7" + }, + { + "publisher": "Antibody Software", + "name": "WizTree v4.31", + "version": "4.31" + } + ], + "tpm": { + "enabled": false, + "ready": false, + "present": false + }, + "local_groups": [ + "Cert Publishers", + "RAS and IAS Servers", + "Allowed RODC Password Replication Group", + "Denied RODC Password Replication Group", + "DnsAdmins", + "SQLServer2005SQLBrowserUser$GND-SERVER", + "ADSyncAdmins", + "ADSyncOperators", + "ADSyncBrowse" + ], + "battery": { + "present": false + }, + "activation": { + "edition": "Microsoft Windows Server 2019 Standard", + "description": "Windows(R) Operating System, VOLUME_KMSCLIENT channel", + "licensed": false, + "license_status_code": 5 + }, + "time_source": "time.windows.com,0x1", + "chassis_types": [ + 3 + ], + "last_hotfix": { + "hotfix_id": "KB5094123", + "installed_on": "2026-06-10T07:00:00Z" + }, + "scheduled_tasks": [ + { + "path": "\\", + "name": "Adobe Acrobat Update Task", + "state": "Ready" + }, + { + "path": "\\", + "name": "Adobe-Genuine-Software-Integrity-Scheduler-1.0", + "state": "Ready" + }, + { + "path": "\\", + "name": "AdobeGCInvoker-1.0", + "state": "Ready" + }, + { + 
"path": "\\", + "name": "AutoKMS", + "state": "Ready" + }, + { + "path": "\\", + "name": "CreateExplorerShellUnelevatedTask", + "state": "Ready" + }, + { + "path": "\\", + "name": "GuruRMM-VSS-Snapshot", + "state": "Ready" + }, + { + "path": "\\", + "name": "Launch Adobe CCXProcess", + "state": "Ready" + }, + { + "path": "\\", + "name": "MicrosoftEdgeUpdateTaskMachineCore", + "state": "Running" + }, + { + "path": "\\", + "name": "MicrosoftEdgeUpdateTaskMachineUA", + "state": "Ready" + }, + { + "path": "\\", + "name": "ShadowCopyVolume{04f8e549-0000-0000-0000-501f00000000}", + "state": "Ready" + }, + { + "path": "\\", + "name": "ShadowCopyVolume{c8294e1c-274b-11e9-ab97-309c23e21f20}", + "state": "Ready" + }, + { + "path": "\\", + "name": "TM_Scheduled_Backup_Task", + "state": "Ready" + }, + { + "path": "\\GoogleSystem\\GoogleUpdater\\", + "name": "GoogleUpdaterTaskSystem150.0.7863.0{2ED90400-4283-41D7-AC77-282001ACFAC0}", + "state": "Ready" + } + ], + "antivirus_products": [], + "domain_joined": true, + "defender": { + "available": false + }, + "bitlocker": { + "available": false, + "os_volume": "C:" + }, + "is_laptop": false, + "installed_software_count": 142, + "secure_channel_ok": null, + "firewall_profiles": { + "Private": false, + "Domain": false, + "Public": false + }, + "domain": "gd.local", + "foreign_agents": null + }, + "findings": [ + { + "id": "sec.defender.unavailable", + "category": "security", + "severity": "warning", + "title": "Defender status unavailable", + "detail": "Get-MpComputerStatus returned nothing. Defender may be disabled, replaced by a 3rd-party AV, or the cmdlet is unavailable. Confirm an active AV exists (see security-center check).", + "evidence": "Get-MpComputerStatus returned null" + }, + { + "id": "sec.av_products.none_registered", + "category": "security", + "severity": "info", + "title": "No AV products registered in Security Center", + "detail": "SecurityCenter2 returned no AntiVirusProduct entries. 
This is normal on Windows Server SKUs (Security Center is a client feature). On a workstation, confirm Defender or a managed AV is active.", + "evidence": "root\\SecurityCenter2 AntiVirusProduct: none" + }, + { + "id": "sec.foreign_agents.none", + "category": "security", + "severity": "info", + "title": "No competitor/leftover management agents detected", + "detail": "No known competitor RMM or unmanaged remote-access agents found in installed programs or services.", + "evidence": "Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service" + }, + { + "id": "sec.foreign_agents.acg.screenconnect_connectwise_control", + "category": "security", + "severity": "info", + "title": "Expected ACG management tooling present: ScreenConnect / ConnectWise Control", + "detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.", + "evidence": "program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579\nservice: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running" + }, + { + "id": "sec.foreign_agents.acg.splashtop_sos_streamer_", + "category": "security", + "severity": "info", + "title": "Expected ACG management tooling present: Splashtop (SOS/Streamer)", + "detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.", + "evidence": "program: Splashtop Streamer 3.8.4.0\nservice: SplashtopRemoteService (Splashtop? Remote Service) Running" + }, + { + "id": "sec.foreign_agents.acg.syncro_kabuto", + "category": "security", + "severity": "info", + "title": "Expected ACG management tooling present: Syncro / Kabuto", + "detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. 
Its presence is expected and not a foreign-agent risk.", + "evidence": "program: Syncro 1.0.201.18410\nservice: Syncro (Syncro) Running" + }, + { + "id": "sec.firewall.disabled", + "category": "security", + "severity": "critical", + "title": "Firewall disabled on profile(s): Domain, Private, Public", + "detail": "One or more firewall profiles are OFF. The endpoint is exposed to lateral movement and inbound attacks on those networks. Re-enable all profiles.", + "evidence": "Profile states: Private=False; Domain=False; Public=False" + }, + { + "id": "sec.bitlocker.unavailable", + "category": "security", + "severity": "unknown", + "title": "BitLocker status unavailable", + "detail": "Get-BitLockerVolume failed for the OS volume. BitLocker may not be installed (Home edition) or the cmdlet is unavailable. Verify encryption manually (manage-bde -status).", + "evidence": "MountPoint=C:, Get-BitLockerVolume returned null" + }, + { + "id": "sec.local_admins.list", + "category": "security", + "severity": "info", + "title": "Local administrators (7)", + "detail": "Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).", + "evidence": "Administrator\nDomain Admins\nDomain Users\nEnterprise Admins\nlocaladmin\nsysadmin\ntempadmin" + }, + { + "id": "sec.local_admins.builtin_enabled", + "category": "security", + "severity": "warning", + "title": "Built-in Administrator account is enabled", + "detail": "The built-in Administrator (RID 500) is enabled. It is a well-known target for brute force and lateral movement. Disable it or ensure it is managed by LAPS with a strong unique password.", + "evidence": "Get-LocalUser SID ...-500 Enabled=True" + }, + { + "id": "sec.patch.os_eol", + "category": "security", + "severity": "critical", + "title": "OS build is end-of-life: Win10 1809", + "detail": "This OS build (17763, Win10 1809) passed end-of-servicing on 2020-11-10. 
It no longer receives security updates. Plan a feature update or OS upgrade.", + "evidence": "Microsoft Windows Server 2019 Standard build 17763; EOL 2020-11-10" + }, + { + "id": "sec.patch.pending", + "category": "security", + "severity": "warning", + "title": "1 pending Windows updates", + "detail": "Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window.", + "evidence": "Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 1" + }, + { + "id": "sec.patch.last_hotfix", + "category": "security", + "severity": "info", + "title": "Last hotfix: KB5094123", + "detail": "Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).", + "evidence": "KB5094123 installed 2026-06-10T07:00:00Z" + }, + { + "id": "sec.exposure.smb1_off", + "category": "security", + "severity": "info", + "title": "SMBv1 disabled", + "detail": "SMBv1 server protocol is disabled.", + "evidence": "EnableSMB1Protocol=False" + }, + { + "id": "sec.exposure.laps_present", + "category": "security", + "severity": "info", + "title": "LAPS detected", + "detail": "A LAPS mechanism is present.", + "evidence": "Windows LAPS reg key" + }, + { + "id": "health.stability.some", + "category": "health", + "severity": "warning", + "title": "Stability events present in the last 14 days", + "detail": "One or more unexpected shutdowns, BSODs, or disk errors occurred recently. Monitor and correlate with user reports.", + "evidence": "Unexpected shutdowns (id 41)=0; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=2" + }, + { + "id": "health.reboot_uptime.pending", + "category": "health", + "severity": "warning", + "title": "Reboot pending", + "detail": "A reboot is pending. Pending reboots can block patches and leave the system in a half-updated state. 
Schedule a restart.", + "evidence": "PendingFileRenameOperations" + }, + { + "id": "health.failed_services.stopped", + "category": "health", + "severity": "warning", + "title": "2 auto-start service(s) not running", + "detail": "These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running.", + "evidence": "GoogleUpdaterInternalService150.0.7863.0 (Google Updater Internal Service (GoogleUpdaterInternalService150.0.7863.0)) = Stopped\nGoogleUpdaterService150.0.7863.0 (Google Updater Service (GoogleUpdaterService150.0.7863.0)) = Stopped" + }, + { + "id": "health.time.source", + "category": "health", + "severity": "info", + "title": "Time service source", + "detail": "Current Windows Time service source.", + "evidence": "Source=time.windows.com,0x1" + }, + { + "id": "health.backup.present", + "category": "health", + "severity": "info", + "title": "Backup agent installed and running", + "detail": "A backup agent service is present and running. Confirm the backup is actually configured and reporting successful jobs (presence != working backup).", + "evidence": "Datto Workplace: Datto_FSA.VssHelper = Running\nDatto Workplace: datto_workplace_server.default = Running" + } + ] +} diff --git a/clients/grabb-durando/onboarding-baselines/GND-SERVER-20260616T151038.md b/clients/grabb-durando/onboarding-baselines/GND-SERVER-20260616T151038.md new file mode 100644 index 0000000..b42c78a --- /dev/null +++ b/clients/grabb-durando/onboarding-baselines/GND-SERVER-20260616T151038.md 
@@ -0,0 +1,256 @@ +# Onboarding Diagnostic Baseline - GND-SERVER + +- **Grade:** RED +- **Host:** GND-SERVER +- **Client:** Grabb & Durando Law Office (`grabb-durando`) +- **Collected (UTC):** 2026-06-16T15:10:09Z +- **Agent ID:** cd086074-6766-46b5-93ad-382df97b1f54 +- **Command ID:** 63ae4f19-9498-4ecf-a646-a73c01f67845 +- **Findings:** 2 critical / 6 warning / 11 info / 1 unknown + +- **OS:** Microsoft Windows Server 2019 Standard (build 17763) + +--- + +## CRITICAL (2) + +### Firewall disabled on profile(s): Domain, Private, Public +- **Category:** security +- **ID:** `sec.firewall.disabled` +- One or more firewall profiles are OFF. The endpoint is exposed to lateral movement and inbound attacks on those networks. Re-enable all profiles. + +``` +Profile states: Private=False; Domain=False; Public=False +``` + +### OS build is end-of-life: Win10 1809 +- **Category:** security +- **ID:** `sec.patch.os_eol` +- This OS build (17763, Win10 1809) passed end-of-servicing on 2020-11-10. It no longer receives security updates. Plan a feature update or OS upgrade. + +``` +Microsoft Windows Server 2019 Standard build 17763; EOL 2020-11-10 +``` + + +## WARNING (6) + +### Defender status unavailable +- **Category:** security +- **ID:** `sec.defender.unavailable` +- Get-MpComputerStatus returned nothing. Defender may be disabled, replaced by a 3rd-party AV, or the cmdlet is unavailable. Confirm an active AV exists (see security-center check). + +``` +Get-MpComputerStatus returned null +``` + +### Built-in Administrator account is enabled +- **Category:** security +- **ID:** `sec.local_admins.builtin_enabled` +- The built-in Administrator (RID 500) is enabled. It is a well-known target for brute force and lateral movement. Disable it or ensure it is managed by LAPS with a strong unique password. 
+ +``` +Get-LocalUser SID ...-500 Enabled=True +``` + +### 1 pending Windows updates +- **Category:** security +- **ID:** `sec.patch.pending` +- Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window. + +``` +Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 1 +``` + +### Stability events present in the last 14 days +- **Category:** health +- **ID:** `health.stability.some` +- One or more unexpected shutdowns, BSODs, or disk errors occurred recently. Monitor and correlate with user reports. + +``` +Unexpected shutdowns (id 41)=0; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=2 +``` + +### Reboot pending +- **Category:** health +- **ID:** `health.reboot_uptime.pending` +- A reboot is pending. Pending reboots can block patches and leave the system in a half-updated state. Schedule a restart. + +``` +PendingFileRenameOperations +``` + +### 2 auto-start service(s) not running +- **Category:** health +- **ID:** `health.failed_services.stopped` +- These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running. + +``` +GoogleUpdaterInternalService150.0.7863.0 (Google Updater Internal Service (GoogleUpdaterInternalService150.0.7863.0)) = Stopped +GoogleUpdaterService150.0.7863.0 (Google Updater Service (GoogleUpdaterService150.0.7863.0)) = Stopped +``` + + +## INFO (11) + +### No AV products registered in Security Center +- **Category:** security +- **ID:** `sec.av_products.none_registered` +- SecurityCenter2 returned no AntiVirusProduct entries. This is normal on Windows Server SKUs (Security Center is a client feature). On a workstation, confirm Defender or a managed AV is active. 
+ +``` +root\SecurityCenter2 AntiVirusProduct: none +``` + +### No competitor/leftover management agents detected +- **Category:** security +- **ID:** `sec.foreign_agents.none` +- No known competitor RMM or unmanaged remote-access agents found in installed programs or services. + +``` +Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service +``` + +### Expected ACG management tooling present: ScreenConnect / ConnectWise Control +- **Category:** security +- **ID:** `sec.foreign_agents.acg.screenconnect_connectwise_control` +- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk. + +``` +program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579 +service: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running +``` + +### Expected ACG management tooling present: Splashtop (SOS/Streamer) +- **Category:** security +- **ID:** `sec.foreign_agents.acg.splashtop_sos_streamer_` +- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk. + +``` +program: Splashtop Streamer 3.8.4.0 +service: SplashtopRemoteService (Splashtop? Remote Service) Running +``` + +### Expected ACG management tooling present: Syncro / Kabuto +- **Category:** security +- **ID:** `sec.foreign_agents.acg.syncro_kabuto` +- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk. + +``` +program: Syncro 1.0.201.18410 +service: Syncro (Syncro) Running +``` + +### Local administrators (7) +- **Category:** security +- **ID:** `sec.local_admins.list` +- Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider). 
+ +``` +Administrator +Domain Admins +Domain Users +Enterprise Admins +localadmin +sysadmin +tempadmin +``` + +### Last hotfix: KB5094123 +- **Category:** security +- **ID:** `sec.patch.last_hotfix` +- Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata). + +``` +KB5094123 installed 2026-06-10T07:00:00Z +``` + +### SMBv1 disabled +- **Category:** security +- **ID:** `sec.exposure.smb1_off` +- SMBv1 server protocol is disabled. + +``` +EnableSMB1Protocol=False +``` + +### LAPS detected +- **Category:** security +- **ID:** `sec.exposure.laps_present` +- A LAPS mechanism is present. + +``` +Windows LAPS reg key +``` + +### Time service source +- **Category:** health +- **ID:** `health.time.source` +- Current Windows Time service source. + +``` +Source=time.windows.com,0x1 +``` + +### Backup agent installed and running +- **Category:** health +- **ID:** `health.backup.present` +- A backup agent service is present and running. Confirm the backup is actually configured and reporting successful jobs (presence != working backup). + +``` +Datto Workplace: Datto_FSA.VssHelper = Running +Datto Workplace: datto_workplace_server.default = Running +``` + + +## UNKNOWN (1) + +### BitLocker status unavailable +- **Category:** security +- **ID:** `sec.bitlocker.unavailable` +- Get-BitLockerVolume failed for the OS volume. BitLocker may not be installed (Home edition) or the cmdlet is unavailable. Verify encryption manually (manage-bde -status). + +``` +MountPoint=C:, Get-BitLockerVolume returned null +``` + + +--- + +## Inventory Baseline Summary + +- **Manufacturer / Model:** Micro-Star International Co., Ltd. / MS-7B87 +- **Serial:** To be filled by O.E.M. +- **CPU:** AMD Ryzen 5 2600 Six-Core Processor (6 cores / 12 logical) +- **RAM (GB):** 16 +- **BIOS:** 1.00 (2018-07-13) +- **Chassis is laptop:** false +- **TPM present / Secure Boot:** ? / ? +- **Domain joined:** true (gd.local) +- **OS activation licensed:** ? 
+- **Uptime (days):** 6.6 +- **Pending reboot:** true +- **Installed software count:** 142 +- **Scheduled tasks (non-MS, enabled):** 13 +- **Local administrators:** Administrator, Domain Admins, Domain Users, Enterprise Admins, localadmin, sysadmin, tempadmin + +### Fixed volumes + +- [System Reserved] - 0.5 GB free of 0.5 GB (93.4%) +- C: - 99.7 GB free of 222.3 GB (44.8%) +- [unlabeled] - 0.3 GB free of 0.8 GB (42.7%) +- F: - 770 GB free of 3725.9 GB (20.7%) + +### Network adapters + +- Realtek PCIe GbE Family Controller - IP: 192.168.242.200, fe80::dcaf:5645:6e99:a410 - DNS: 127.0.0.1, 8.8.8.8 - DHCP: false + +--- + +## Diff vs Prior Baseline + +- No prior baseline found for this host. This is the first baseline. + +--- + +_Generated by run-onboarding-diagnostic.sh (GuruRMM onboarding diagnostic, Phase 1). Raw snapshot: `GND-SERVER-20260616T151038.json` (immutable)._
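Review bot: The "Local administrators (7)" finding is graded info, yet its evidence block lists `Domain Users` as a member of Administrators, and on a domain controller (the `local_groups` list with `DnsAdmins`, `Cert Publishers` and the RODC replication groups in the JSON is consistent with this host being one) that makes every domain account an administrator of the DC — a larger exposure than either critical finding, and one the commit description does not mention. The generator should promote this to critical whenever a broad principal (`Domain Users`, `Authenticated Users`, `Everyone`) appears in the members list, e.g. a title like `Local administrators include broad domain principal: Domain Users`; until then the Grade line and the "Findings: 2 critical" count understate the risk. Two further items in the snapshot deserve a manual look rather than an info grade: the `AutoKMS` scheduled task next to `licensed: false` / status code 5 on a `VOLUME_KMSCLIENT` channel (that task name is commonly associated with unofficial activation tooling, though this is inferred from the name alone), and `8.8.8.8` as the second DNS server on a DC, which sends any lookup that fails against 127.0.0.1 to a public resolver that cannot answer AD SRV queries. A one-line caveat under "Local administrators" such as `Domain Users here grants every domain account admin rights on this DC — review immediately` would make the report self-explanatory to whoever reads it next.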