data(rednour): onboarding baseline for REDNOURCARRIEVI (3rd machine, RED)
Completes Rednour first-baseline set. Note: ScreenConnect/Splashtop/Syncro/Datto RMM+EDR flagged critical are ACG's own stack (false positives - detection tuning tracked separately). Real issues: Win10 22H2 EOL, RDP without NLA, no BitLocker, C: 12% free. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
File diff suppressed because it is too large
Load Diff
@@ -0,0 +1,286 @@
|
||||
# Onboarding Diagnostic Baseline - REDNOURCARRIEVI
|
||||
|
||||
- **Grade:** RED
|
||||
- **Host:** REDNOURCARRIEVI
|
||||
- **Client:** Rednour Law Offices (`rednour`)
|
||||
- **Collected (UTC):** 2026-05-29T20:21:21Z
|
||||
- **Agent ID:** 8e4e2221-7e2a-4a6f-9eda-864568539961
|
||||
- **Command ID:** e46f35e2-1809-46b4-b2ee-624e6b4fbd44
|
||||
- **Findings:** 8 critical / 9 warning / 7 info / 0 unknown
|
||||
|
||||
- **OS:** Microsoft Windows 10 Pro (build 19045)
|
||||
|
||||
---
|
||||
|
||||
## CRITICAL (8)
|
||||
|
||||
### Defender real-time protection is OFF
|
||||
- **Category:** security
|
||||
- **ID:** `sec.defender.rtp_off`
|
||||
- Real-time protection is disabled. The endpoint is unprotected against active threats. Re-enable immediately or confirm a managed 3rd-party AV is providing real-time protection.
|
||||
|
||||
```
|
||||
RealTimeProtectionEnabled=False; AMServiceEnabled=False; AntispywareSignatureAge=0 days; IsTamperProtected=False
|
||||
```
|
||||
|
||||
### Defender antimalware service is not running
|
||||
- **Category:** security
|
||||
- **ID:** `sec.defender.amservice_off`
|
||||
- The Defender antimalware service is not active. If no 3rd-party AV is present, this endpoint has no antivirus protection.
|
||||
|
||||
```
|
||||
RealTimeProtectionEnabled=False; AMServiceEnabled=False; AntispywareSignatureAge=0 days; IsTamperProtected=False
|
||||
```
|
||||
|
||||
### Foreign management/remote-access agent: ScreenConnect / ConnectWise Control
|
||||
- **Category:** security
|
||||
- **ID:** `sec.foreign_agents.screenconnect_connectwise_control`
|
||||
- A competitor RMM or unmanaged remote-access tool is present. At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). Verify it is authorized; if not, remove it.
|
||||
|
||||
```
|
||||
program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579
|
||||
service: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running
|
||||
```
|
||||
|
||||
### Foreign management/remote-access agent: Datto RMM
|
||||
- **Category:** security
|
||||
- **ID:** `sec.foreign_agents.datto_rmm`
|
||||
- A competitor RMM or unmanaged remote-access tool is present. At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). Verify it is authorized; if not, remove it.
|
||||
|
||||
```
|
||||
program: Datto RMM 4.4.11616.11616
|
||||
service: CagService (Datto RMM) Running
|
||||
```
|
||||
|
||||
### Foreign management/remote-access agent: Splashtop (SOS/Streamer)
|
||||
- **Category:** security
|
||||
- **ID:** `sec.foreign_agents.splashtop_sos_streamer_`
|
||||
- A competitor RMM or unmanaged remote-access tool is present. At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). Verify it is authorized; if not, remove it.
|
||||
|
||||
```
|
||||
program: Splashtop Streamer 3.8.2.0
|
||||
service: SplashtopRemoteService (Splashtop? Remote Service) Running
|
||||
```
|
||||
|
||||
### Foreign management/remote-access agent: Syncro / Kabuto
|
||||
- **Category:** security
|
||||
- **ID:** `sec.foreign_agents.syncro_kabuto`
|
||||
- A competitor RMM or unmanaged remote-access tool is present. At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). Verify it is authorized; if not, remove it.
|
||||
|
||||
```
|
||||
program: Syncro 1.0.201.18410
|
||||
service: Syncro (Syncro) Running
|
||||
```
|
||||
|
||||
### OS build is end-of-life: Win10 22H2
|
||||
- **Category:** security
|
||||
- **ID:** `sec.patch.os_eol`
|
||||
- This OS build (19045, Win10 22H2) passed end-of-servicing on 2025-10-14. It no longer receives security updates. Plan a feature update or OS upgrade.
|
||||
|
||||
```
|
||||
Microsoft Windows 10 Pro build 19045; EOL 2025-10-14
|
||||
```
|
||||
|
||||
### RDP enabled WITHOUT Network Level Authentication
|
||||
- **Category:** security
|
||||
- **ID:** `sec.exposure.rdp_no_nla`
|
||||
- RDP is on and NLA is not required. This exposes the logon screen pre-auth and is vulnerable to pre-auth exploits and brute force. Require NLA, restrict RDP to VPN/allow-listed IPs, or disable RDP.
|
||||
|
||||
```
|
||||
fDenyTSConnections=0; UserAuthentication=0
|
||||
```
|
||||
|
||||
|
||||
## WARNING (9)
|
||||
|
||||
### Defender tamper protection is OFF
|
||||
- **Category:** security
|
||||
- **ID:** `sec.defender.tamper_off`
|
||||
- Tamper protection is disabled, so malware or a local admin can silently disable Defender. Enable tamper protection (typically via Intune / Security Center).
|
||||
|
||||
```
|
||||
RealTimeProtectionEnabled=False; AMServiceEnabled=False; AntispywareSignatureAge=0 days; IsTamperProtected=False
|
||||
```
|
||||
|
||||
### Third-party AV present: Datto AV
|
||||
- **Category:** security
|
||||
- **ID:** `sec.av_products.third_party`
|
||||
- A non-Defender antivirus is registered. Running two real-time AV engines causes conflicts, performance loss, and detection gaps. Confirm the intended AV and ensure only one provides real-time protection.
|
||||
|
||||
```
|
||||
Registered AV: Windows Defender, Datto AV
|
||||
```
|
||||
|
||||
### OS volume is NOT encrypted with BitLocker
|
||||
- **Category:** security
|
||||
- **ID:** `sec.bitlocker.unencrypted`
|
||||
- The operating system volume is unencrypted. Data is exposed if the disk is removed or the device is lost. Enable BitLocker and escrow the recovery key.
|
||||
|
||||
```
|
||||
Volume=C:; ProtectionStatus=Off; EncryptionPercentage=0; KeyProtectors=
|
||||
```
|
||||
|
||||
### 1 pending Windows updates
|
||||
- **Category:** security
|
||||
- **ID:** `sec.patch.pending`
|
||||
- Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window.
|
||||
|
||||
```
|
||||
Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 1
|
||||
```
|
||||
|
||||
### Disk low: C: at 11.7% free
|
||||
- **Category:** health
|
||||
- **ID:** `health.disk_space.C`
|
||||
- Less than 15 percent free. Plan cleanup or expansion.
|
||||
|
||||
```
|
||||
C: free 54.4 GB of 465.1 GB (11.7%)
|
||||
```
|
||||
|
||||
### Stability events present in the last 14 days
|
||||
- **Category:** health
|
||||
- **ID:** `health.stability.some`
|
||||
- One or more unexpected shutdowns, BSODs, or disk errors occurred recently. Monitor and correlate with user reports.
|
||||
|
||||
```
|
||||
Unexpected shutdowns (id 41)=0; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=1
|
||||
```
|
||||
|
||||
### Reboot pending
|
||||
- **Category:** health
|
||||
- **ID:** `health.reboot_uptime.pending`
|
||||
- A reboot is pending. Pending reboots can block patches and leave the system in a half-updated state. Schedule a restart.
|
||||
|
||||
```
|
||||
PendingFileRenameOperations
|
||||
```
|
||||
|
||||
### 2 auto-start service(s) not running
|
||||
- **Category:** health
|
||||
- **ID:** `health.failed_services.stopped`
|
||||
- These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running.
|
||||
|
||||
```
|
||||
Intel(R) TPM Provisioning Service (Intel(R) TPM Provisioning Service) = Stopped
|
||||
NetMsmqActivator (Net.Msmq Listener Adapter) = Stopped
|
||||
```
|
||||
|
||||
### Time source is local CMOS clock (not NTP)
|
||||
- **Category:** health
|
||||
- **ID:** `health.time.local_cmos`
|
||||
- The system is not syncing time from an NTP source. Clock drift breaks Kerberos and certificate validation. Configure a reliable time source (domain hierarchy or pool.ntp.org).
|
||||
|
||||
```
|
||||
Source=Local CMOS Clock
|
||||
```
|
||||
|
||||
|
||||
## INFO (7)
|
||||
|
||||
### All firewall profiles enabled
|
||||
- **Category:** security
|
||||
- **ID:** `sec.firewall.ok`
|
||||
- Domain, Private, and Public firewall profiles are all enabled.
|
||||
|
||||
```
|
||||
Private=True; Domain=True; Public=True
|
||||
```
|
||||
|
||||
### Local administrators (4)
|
||||
- **Category:** security
|
||||
- **ID:** `sec.local_admins.list`
|
||||
- Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).
|
||||
|
||||
```
|
||||
REDNOURCARRIEVI\Administrator
|
||||
REDNOURCARRIEVI\Carrie
|
||||
REDNOURCARRIEVI\emma
|
||||
REDNOURCARRIEVI\localadmin
|
||||
```
|
||||
|
||||
### Last hotfix: KB5072653
|
||||
- **Category:** security
|
||||
- **ID:** `sec.patch.last_hotfix`
|
||||
- Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).
|
||||
|
||||
```
|
||||
KB5072653 installed 2025-12-20T07:00:00Z
|
||||
```
|
||||
|
||||
### SMBv1 disabled
|
||||
- **Category:** security
|
||||
- **ID:** `sec.exposure.smb1_off`
|
||||
- SMBv1 server protocol is disabled.
|
||||
|
||||
```
|
||||
EnableSMB1Protocol=False
|
||||
```
|
||||
|
||||
### LAPS detected
|
||||
- **Category:** security
|
||||
- **ID:** `sec.exposure.laps_present`
|
||||
- A LAPS mechanism is present.
|
||||
|
||||
```
|
||||
Windows LAPS reg key
|
||||
```
|
||||
|
||||
### Not domain-joined (workgroup)
|
||||
- **Category:** health
|
||||
- **ID:** `health.domain.workgroup`
|
||||
- This machine is in workgroup/Azure AD only mode (Domain=WORKGROUP). No on-prem AD secure channel applies.
|
||||
|
||||
```
|
||||
PartOfDomain=False; Domain=WORKGROUP
|
||||
```
|
||||
|
||||
### No backup agent detected
|
||||
- **Category:** health
|
||||
- **ID:** `health.backup.none`
|
||||
- No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it.
|
||||
|
||||
```
|
||||
No matching backup service in Win32_Service
|
||||
```
|
||||
|
||||
|
||||
---
|
||||
|
||||
## Inventory Baseline Summary
|
||||
|
||||
- **Manufacturer / Model:** To Be Filled By O.E.M. / To Be Filled By O.E.M.
|
||||
- **Serial:** To Be Filled By O.E.M.
|
||||
- **CPU:** Intel(R) Core(TM) i3-9100 CPU @ 3.60GHz (4 cores / 4 logical)
|
||||
- **RAM (GB):** 7.7
|
||||
- **BIOS:** P4.10 (2019-04-01)
|
||||
- **Chassis is laptop:** false
|
||||
- **TPM present / Secure Boot:** ? / ?
|
||||
- **Domain joined:** false (WORKGROUP)
|
||||
- **OS activation licensed:** ?
|
||||
- **Uptime (days):** 0.2
|
||||
- **Pending reboot:** true
|
||||
- **Installed software count:** 151
|
||||
- **Scheduled tasks (non-MS, enabled):** 19
|
||||
- **Local administrators:** REDNOURCARRIEVI\Administrator, REDNOURCARRIEVI\Carrie, REDNOURCARRIEVI\emma, REDNOURCARRIEVI\localadmin
|
||||
|
||||
### Fixed volumes
|
||||
|
||||
- [unlabeled] - 0.1 GB free of 0.1 GB (71.7%)
|
||||
- C: - 54.4 GB free of 465.1 GB (11.7%)
|
||||
- [unlabeled] - 0 GB free of 0.5 GB (8.5%)
|
||||
|
||||
### Network adapters
|
||||
|
||||
- ZeroTier Virtual Port - IP: 10.147.17.253, fe80::c624:d955:2579:a9e4, fcfb:1c63:8659:2d21:d189::1 - DNS: - DHCP: false
|
||||
- Intel(R) Ethernet Connection (7) I219-V - IP: 192.168.10.194, fe80::e42e:510a:5261:a8dd - DNS: 192.168.10.1 - DHCP: true
|
||||
|
||||
---
|
||||
|
||||
## Diff vs Prior Baseline
|
||||
|
||||
- No prior baseline found for this host. This is the first baseline.
|
||||
|
||||
---
|
||||
|
||||
_Generated by run-onboarding-diagnostic.sh (GuruRMM onboarding diagnostic, Phase 1). Raw snapshot: `REDNOURCARRIEVI-20260529T202250.json` (immutable)._
|
||||
Reference in New Issue
Block a user