azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

data(rednour): onboarding baseline for REDNOURCARRIEVI (3rd machine, RED)

Browse Source 
Completes Rednour first-baseline set. Note: ScreenConnect/Splashtop/Syncro/Datto
RMM+EDR flagged critical are ACG's own stack (false positives - detection tuning
tracked separately). Real issues: Win10 22H2 EOL, RDP without NLA, no BitLocker,
C: 12% free.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Mike Swanson
2026-05-29 13:24:10 -07:00
parent df9be01065
commit c6c79d8f3e
2 changed files with 1651 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1365
clients/rednour/onboarding-baselines/REDNOURCARRIEVI-20260529T202250.json Normal file
View File

File diff suppressed because it is too large Load Diff

286
clients/rednour/onboarding-baselines/REDNOURCARRIEVI-20260529T202250.md Normal file
View File

@@ -0,0 +1,286 @@
# Onboarding Diagnostic Baseline - REDNOURCARRIEVI
- **Grade:** RED
- **Host:** REDNOURCARRIEVI
- **Client:** Rednour Law Offices (`rednour`)
- **Collected (UTC):** 2026-05-29T20:21:21Z
- **Agent ID:** 8e4e2221-7e2a-4a6f-9eda-864568539961
- **Command ID:** e46f35e2-1809-46b4-b2ee-624e6b4fbd44
- **Findings:** 8 critical / 9 warning / 7 info / 0 unknown
- **OS:** Microsoft Windows 10 Pro (build 19045)
---
## CRITICAL (8)
### Defender real-time protection is OFF
- **Category:** security
- **ID:** `sec.defender.rtp_off`
- Real-time protection is disabled. The endpoint is unprotected against active threats. Re-enable immediately or confirm a managed 3rd-party AV is providing real-time protection.
```
RealTimeProtectionEnabled=False; AMServiceEnabled=False; AntispywareSignatureAge=0 days; IsTamperProtected=False
```
### Defender antimalware service is not running
- **Category:** security
- **ID:** `sec.defender.amservice_off`
- The Defender antimalware service is not active. If no 3rd-party AV is present, this endpoint has no antivirus protection.
```
RealTimeProtectionEnabled=False; AMServiceEnabled=False; AntispywareSignatureAge=0 days; IsTamperProtected=False
```
### Foreign management/remote-access agent: ScreenConnect / ConnectWise Control
- **Category:** security
- **ID:** `sec.foreign_agents.screenconnect_connectwise_control`
- A competitor RMM or unmanaged remote-access tool is present. At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). Verify it is authorized; if not, remove it.
```
program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579
service: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running
```
### Foreign management/remote-access agent: Datto RMM
- **Category:** security
- **ID:** `sec.foreign_agents.datto_rmm`
- A competitor RMM or unmanaged remote-access tool is present. At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). Verify it is authorized; if not, remove it.
```
program: Datto RMM 4.4.11616.11616
service: CagService (Datto RMM) Running
```
### Foreign management/remote-access agent: Splashtop (SOS/Streamer)
- **Category:** security
- **ID:** `sec.foreign_agents.splashtop_sos_streamer_`
- A competitor RMM or unmanaged remote-access tool is present. At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). Verify it is authorized; if not, remove it.
```
program: Splashtop Streamer 3.8.2.0
service: SplashtopRemoteService (Splashtop? Remote Service) Running
```
### Foreign management/remote-access agent: Syncro / Kabuto
- **Category:** security
- **ID:** `sec.foreign_agents.syncro_kabuto`
- A competitor RMM or unmanaged remote-access tool is present. At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). Verify it is authorized; if not, remove it.
```
program: Syncro 1.0.201.18410
service: Syncro (Syncro) Running
```
### OS build is end-of-life: Win10 22H2
- **Category:** security
- **ID:** `sec.patch.os_eol`
- This OS build (19045, Win10 22H2) passed end-of-servicing on 2025-10-14. It no longer receives security updates. Plan a feature update or OS upgrade.
```
Microsoft Windows 10 Pro build 19045; EOL 2025-10-14
```
### RDP enabled WITHOUT Network Level Authentication
- **Category:** security
- **ID:** `sec.exposure.rdp_no_nla`
- RDP is on and NLA is not required. This exposes the logon screen pre-auth and is vulnerable to pre-auth exploits and brute force. Require NLA, restrict RDP to VPN/allow-listed IPs, or disable RDP.
```
fDenyTSConnections=0; UserAuthentication=0
```
## WARNING (9)
### Defender tamper protection is OFF
- **Category:** security
- **ID:** `sec.defender.tamper_off`
- Tamper protection is disabled, so malware or a local admin can silently disable Defender. Enable tamper protection (typically via Intune / Security Center).
```
RealTimeProtectionEnabled=False; AMServiceEnabled=False; AntispywareSignatureAge=0 days; IsTamperProtected=False
```
### Third-party AV present: Datto AV
- **Category:** security
- **ID:** `sec.av_products.third_party`
- A non-Defender antivirus is registered. Running two real-time AV engines causes conflicts, performance loss, and detection gaps. Confirm the intended AV and ensure only one provides real-time protection.
```
Registered AV: Windows Defender, Datto AV
```
### OS volume is NOT encrypted with BitLocker
- **Category:** security
- **ID:** `sec.bitlocker.unencrypted`
- The operating system volume is unencrypted. Data is exposed if the disk is removed or the device is lost. Enable BitLocker and escrow the recovery key.
```
Volume=C:; ProtectionStatus=Off; EncryptionPercentage=0; KeyProtectors=
```
### 1 pending Windows updates
- **Category:** security
- **ID:** `sec.patch.pending`
- Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window.
```
Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 1
```
### Disk low: C: at 11.7% free
- **Category:** health
- **ID:** `health.disk_space.C`
- Less than 15 percent free. Plan cleanup or expansion.
```
C: free 54.4 GB of 465.1 GB (11.7%)
```
### Stability events present in the last 14 days
- **Category:** health
- **ID:** `health.stability.some`
- One or more unexpected shutdowns, BSODs, or disk errors occurred recently. Monitor and correlate with user reports.
```
Unexpected shutdowns (id 41)=0; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=1
```
### Reboot pending
- **Category:** health
- **ID:** `health.reboot_uptime.pending`
- A reboot is pending. Pending reboots can block patches and leave the system in a half-updated state. Schedule a restart.
```
PendingFileRenameOperations
```
### 2 auto-start service(s) not running
- **Category:** health
- **ID:** `health.failed_services.stopped`
- These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running.
```
Intel(R) TPM Provisioning Service (Intel(R) TPM Provisioning Service) = Stopped
NetMsmqActivator (Net.Msmq Listener Adapter) = Stopped
```
### Time source is local CMOS clock (not NTP)
- **Category:** health
- **ID:** `health.time.local_cmos`
- The system is not syncing time from an NTP source. Clock drift breaks Kerberos and certificate validation. Configure a reliable time source (domain hierarchy or pool.ntp.org).
```
Source=Local CMOS Clock
```
## INFO (7)
### All firewall profiles enabled
- **Category:** security
- **ID:** `sec.firewall.ok`
- Domain, Private, and Public firewall profiles are all enabled.
```
Private=True; Domain=True; Public=True
```
### Local administrators (4)
- **Category:** security
- **ID:** `sec.local_admins.list`
- Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).
```
REDNOURCARRIEVI\Administrator
REDNOURCARRIEVI\Carrie
REDNOURCARRIEVI\emma
REDNOURCARRIEVI\localadmin
```
### Last hotfix: KB5072653
- **Category:** security
- **ID:** `sec.patch.last_hotfix`
- Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).
```
KB5072653 installed 2025-12-20T07:00:00Z
```
### SMBv1 disabled
- **Category:** security
- **ID:** `sec.exposure.smb1_off`
- SMBv1 server protocol is disabled.
```
EnableSMB1Protocol=False
```
### LAPS detected
- **Category:** security
- **ID:** `sec.exposure.laps_present`
- A LAPS mechanism is present.
```
Windows LAPS reg key
```
### Not domain-joined (workgroup)
- **Category:** health
- **ID:** `health.domain.workgroup`
- This machine is in workgroup/Azure AD only mode (Domain=WORKGROUP). No on-prem AD secure channel applies.
```
PartOfDomain=False; Domain=WORKGROUP
```
### No backup agent detected
- **Category:** health
- **ID:** `health.backup.none`
- No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it.
```
No matching backup service in Win32_Service
```
---
## Inventory Baseline Summary
- **Manufacturer / Model:** To Be Filled By O.E.M. / To Be Filled By O.E.M.
- **Serial:** To Be Filled By O.E.M.
- **CPU:** Intel(R) Core(TM) i3-9100 CPU @ 3.60GHz (4 cores / 4 logical)
- **RAM (GB):** 7.7
- **BIOS:** P4.10 (2019-04-01)
- **Chassis is laptop:** false
- **TPM present / Secure Boot:** ? / ?
- **Domain joined:** false (WORKGROUP)
- **OS activation licensed:** ?
- **Uptime (days):** 0.2
- **Pending reboot:** true
- **Installed software count:** 151
- **Scheduled tasks (non-MS, enabled):** 19
- **Local administrators:** REDNOURCARRIEVI\Administrator, REDNOURCARRIEVI\Carrie, REDNOURCARRIEVI\emma, REDNOURCARRIEVI\localadmin
### Fixed volumes
- [unlabeled] - 0.1 GB free of 0.1 GB (71.7%)
- C: - 54.4 GB free of 465.1 GB (11.7%)
- [unlabeled] - 0 GB free of 0.5 GB (8.5%)
### Network adapters
- ZeroTier Virtual Port - IP: 10.147.17.253, fe80::c624:d955:2579:a9e4, fcfb:1c63:8659:2d21:d189::1 - DNS: - DHCP: false
- Intel(R) Ethernet Connection (7) I219-V - IP: 192.168.10.194, fe80::e42e:510a:5261:a8dd - DNS: 192.168.10.1 - DHCP: true
---
## Diff vs Prior Baseline
- No prior baseline found for this host. This is the first baseline.
---
_Generated by run-onboarding-diagnostic.sh (GuruRMM onboarding diagnostic, Phase 1). Raw snapshot: `REDNOURCARRIEVI-20260529T202250.json` (immutable)._