diff --git a/clients/quantumwms/reports/2026-05-26-email-infrastructure-assessment.html b/clients/quantumwms/reports/2026-05-26-email-infrastructure-assessment.html new file mode 100644 index 0000000..be7305d --- /dev/null +++ b/clients/quantumwms/reports/2026-05-26-email-infrastructure-assessment.html @@ -0,0 +1,759 @@ + + + + + +Email Infrastructure Assessment — Quantum WMS + + + +
+ +
+ +
+
Arizona Computer Guru LLC
+

Email Infrastructure Assessment
and Migration Recommendation

+
Confidential — Prepared for Quantum WMS
+
+
+
Prepared for
+
John & Sheila Velez, Quantum WMS
+
+
+
Date
+
May 26, 2026
+
+
+
Prepared by
+
Mike Swanson
+
+
+
+ +
+ +
+

Following our review of Quantum WMS's current email infrastructure, we have identified significant security deficiencies in your existing Intermedia hosted Exchange setup.

+

We are recommending a migration to Microsoft 365 Business Premium with Mailprotector as a managed email security frontend. This solution is technically superior, more cost-effective, and fully satisfies your regulatory compliance requirements under FINRA Rule 4511 and SEC Rule 17a-4.

+

Before we finalize the migration plan, we need one item from Sheila (detailed at the end of this document).

+
+ +

Current State: Intermedia Hosted Exchange

+ +

Your email is currently hosted by Intermedia on their Exchange Server cluster. This is an important distinction: Intermedia is not running Microsoft's cloud. They run Exchange Server software in their own data center, the same software that runs on an on-premises server. This has major security implications.

+ +

Your Domain Has No Email Security Records

+

Our DNS assessment revealed the following active security risks:

+ +
+
+
DMARC
+
Missing
+
Anyone can send email appearing to come from @quantumwms.com with zero enforcement. This is the primary mechanism used in CEO fraud and vendor impersonation attacks.
+
+
+
SPF
+
Misconfigured (2 records)
+
Internet standards allow only one SPF record per domain. Having two causes unpredictable authentication failures and can result in your legitimate email being rejected as spam.
+
+
+
DKIM
+
Not Configured
+
DKIM cryptographically signs outbound email, proving it originated from your server and was not tampered with in transit. Without it, recipients cannot fully authenticate your email.
+
+
+
DNSSEC
+
Not Signed
+
Your domain has no cryptographic protection against DNS hijacking or spoofing attacks at the infrastructure layer.
+
+
+ +
+ +
+ These issues exist today, regardless of which email platform you use. + Correcting them is a required step and one we will handle as part of the migration. +
+
+ +

Exchange Server CVE Exposure

+

Because Intermedia runs Exchange Server — not Exchange Online — your infrastructure is subject to the same critical vulnerabilities that have affected on-premises Exchange servers globally:

+ + + + + + + + + + + + + + + +
VulnerabilityDisclosedImpact
ProxyLogon (CVE-2021-26855)March 2021Full server compromise, mass-exploited worldwide
ProxyShell (CVE-2021-34473)August 2021Remote code execution without authentication
ProxyNotShell (CVE-2022-41040)October 2022Actively exploited before patch availability
OWASSRF (CVE-2022-41080)December 2022Used in the Rackspace hosted Exchange breach
+ +

Microsoft patches Exchange Online the same day vulnerabilities are disclosed. Intermedia patches their hosted clusters on their own schedule. The gap between disclosure and deployment is precisely when attacks occur.

+ +
+ +

Recommended Solution: M365 Business Premium + Mailprotector

+ +

Microsoft 365 Business Premium — $22/user/month

+

A complete cloud-native productivity and security platform that replaces Intermedia entirely:

+ + + + + + + + + + + + + + + +
ServiceWhat It Provides
Exchange OnlineCloud email, Microsoft-managed, same-day security patching
Office Apps (Desktop)Word, Excel, Outlook, PowerPoint on up to 5 devices per user
Microsoft TeamsChat, video conferencing, file collaboration
OneDrive / SharePoint1 TB cloud file storage per user
Microsoft PurviewFINRA/SEC 17a-4 compliant email archiving (WORM storage) — included
Defender for Office 365Safe Links, Safe Attachments, advanced anti-phishing
Microsoft Entra ID P1Conditional Access, MFA enforcement, sign-in risk detection
Microsoft IntuneMobile device and PC management
+ +

Mailprotector — ACG-Managed Email Security Frontend

+

Mailprotector sits in front of Exchange Online as an additional filtering layer: inbound spam and malware are blocked before mail reaches your inbox. ACG configures and monitors it; you do not need to manage it.

+ +
+ Sender + + Mailprotector + + Exchange Online + + Your Inbox +
Inbound: filtered for spam and malware before delivery  ·  Outbound: DKIM-signed, SPF-aligned, DMARC-enforced
+
+ +

Security Posture Comparison

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
CapabilityIntermedia (Current)M365 + Mailprotector
Exchange CVE ExposureYes — Server CVEsNo — Exchange Online
Same-Day Security PatchingNoYes
Inbound Threat FilteringBasicMailprotector + Defender
Safe Links / Safe AttachmentsNoYes
MFA Enforcement PolicyManual, per-userConditional Access (Entra P1)
DMARC / DKIM / SPFNot managedACG-configured
FINRA/SEC 17a-4 ArchivingExtra-cost add-onIncluded (Purview)
Desktop Office AppsNoYes
Mobile Device ManagementNoYes (Intune)
Sign-In Risk DetectionNoYes (Entra P1)
+ +
+ +

Regarding Your Broker/Dealer Compliance Requirement

+ +

You have indicated that your Broker/Dealer may require Intermedia for compliance purposes. We want to address this directly.

+ +
+
What FINRA Rule 4511 & SEC Rule 17a-4 Actually Require
+
    +
  • Electronic communication retention in non-rewritable, non-erasable (WORM) storage
  • +
  • Minimum retention: 3 years readily accessible, 6 years total
  • +
  • Records indexed and available for regulatory inspection on demand
  • +
  • Supervisory review capability
  • +
+
+ +
+ +
+ Microsoft 365 is fully FINRA/SEC 17a-4 compliant. + Microsoft Purview has received a formal compliance assessment from Cohasset Associates confirming that Exchange Online meets the requirements of SEC Rule 17a-4(f) and CFTC Rule 1.31. The majority of FINRA-registered broker/dealers run on Exchange Online today. +
+
+ +
+ +
+ The regulations specify outcomes, not vendors. + FINRA Rule 4511 and SEC Rule 17a-4 do not name Intermedia or any specific platform as a required provider. If your Broker/Dealer's written policy names Intermedia explicitly, we would consider that extraordinary and recommend reviewing it with your compliance attorney. +
+
+ +
+
Action Required — Sheila
+

Please Provide the Written Policy Before Our Meeting

+

Please locate and provide the written policy from your Broker/Dealer that specifies your email and security compliance requirements.

+

We are looking for any document that defines which platforms are approved or required, specifies archiving or retention standards, or names Intermedia as a required provider.

+

Please have this document — or confirmation that no such document exists — ready for our meeting on Tuesday, May 27 at 2:00 PM.

+
+ +

Proposed Timeline

+ +
+
+
Now → May 27
+
+
Sheila obtains B/D compliance policy; confirm Intermedia is not mandated
+
+
+
May 27, 2:00 PM
+
+
Review policy; confirm migration go/no-go; finalize license counts
+
+
+
May 28 – 29
+
+
Purchase Business Premium licenses; configure tenant and mailboxes
+
+
+
May 30 – 31
+
+
Set up Mailprotector; configure DMARC, DKIM, SPF; test mail flow
+
+
+
June 1 – 2
+
+
Mail migration from Intermedia; DNS cutover to Exchange Online
+
+
+
June 3
+
+
Current GoDaddy O365 Essentials lapses. New Business Premium is live before this date.
+
+
+ +
+ + + +
+ + diff --git a/clients/quantumwms/reports/2026-05-26-email-infrastructure-assessment.txt b/clients/quantumwms/reports/2026-05-26-email-infrastructure-assessment.txt new file mode 100644 index 0000000..037e1c3 --- /dev/null +++ b/clients/quantumwms/reports/2026-05-26-email-infrastructure-assessment.txt 
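Review bot: In the HTML report, the cover page names the second recipient as "John & Sheila Velez" while the .txt report and the wiki page in this same commit call her Sheila Peress; fix the cover before this goes to the client. Two internal consistency problems as well: the findings table lists four DNS gaps (DMARC, SPF, DKIM, DNSSEC) but the Proposed Timeline only schedules "configure DMARC, DKIM, SPF" and nothing signs the zone, so either add a DNSSEC step or drop it from the findings; and the June 1-2 row says "DNS cutover to Exchange Online" while the mail-flow diagram puts Mailprotector in front of Exchange Online, which means the MX target should be Mailprotector's inbound hosts, not Exchange Online, or inbound mail will bypass the frontend entirely. I would also soften "Microsoft patches Exchange Online the same day vulnerabilities are disclosed" to something defensible such as "Exchange Online is patched by Microsoft with no customer action or patch window"; the argument that matters is the absence of a customer-side patch gap, not a same-day guarantee.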
@@ -0,0 +1,237 @@ +EMAIL INFRASTRUCTURE ASSESSMENT & MIGRATION RECOMMENDATION +Arizona Computer Guru LLC +Prepared for: John Velez & Sheila Peress, Quantum WMS +Date: May 26, 2026 +Prepared by: Mike Swanson + +================================================================================ +EXECUTIVE SUMMARY +================================================================================ + +Following our review of Quantum WMS's current email infrastructure, we have +identified significant security deficiencies in the current Intermedia hosted +Exchange setup and have confirmed that a migration to Microsoft 365 Business +Premium is technically superior, more cost-effective, and fully satisfies your +regulatory compliance requirements under FINRA Rule 4511 and SEC Rule 17a-4. + +We are recommending: Microsoft 365 Business Premium (exchange and full Office +suite) with Mailprotector as a managed email security frontend. + +Before we proceed, we need one item from Sheila: the written policy from your +Broker/Dealer specifying email and security compliance requirements. Details +at the end of this document. + +================================================================================ +CURRENT STATE: INTERMEDIA HOSTED EXCHANGE +================================================================================ + +Your current email is hosted by Intermedia on their "exch090" Exchange Server +cluster. This is important to understand: Intermedia is not running Microsoft's +cloud. They are running Exchange Server software in their own data center — +the same software that runs on an on-premises server. This distinction has +major security implications. 
+ +CRITICAL: YOUR DOMAIN HAS NO EMAIL SECURITY RECORDS +---------------------------------------------------- + +During our assessment we found the following DNS configuration issues that +represent active security risks today: + + DMARC Record: MISSING + ----------------------------------------------------------------------- + DMARC is what tells the internet what to do with email that claims to + be from @quantumwms.com but wasn't sent by your mail server. Without + it, anyone in the world can send email that appears to come from your + domain with no enforcement. This is the primary mechanism used in + CEO fraud and vendor impersonation attacks. + + SPF Records: TWO RECORDS (misconfiguration) + ----------------------------------------------------------------------- + Your domain has two conflicting SPF records: + + Record 1: v=spf1 include:spf.intermedia.net -all + Record 2: v=spf1 include:_spf-usg1.ppe-hosted.com + include:secureserver.net ~all + + Internet standards (RFC 7208) permit only ONE SPF record per domain. + Having two causes receiving mail servers to evaluate them unpredictably, + which can result in your legitimate email being marked as spam or + rejected outright. + + DKIM: NOT CONFIGURED + ----------------------------------------------------------------------- + DKIM cryptographically signs outbound email, proving it originated + from your mail server and has not been tampered with in transit. + Without it, your email cannot be fully authenticated by recipients. + +These three issues exist independently of which email platform you use and +need to be corrected as part of any migration. 
+ +SECURITY RISKS: EXCHANGE SERVER CVE EXPOSURE +-------------------------------------------- + +Because Intermedia runs Exchange Server (not Exchange Online), your email +infrastructure is subject to the same vulnerabilities that have affected +on-premises Exchange servers worldwide over the past several years: + + - ProxyLogon (CVE-2021-26855) — mass-exploited March 2021 + - ProxyShell (CVE-2021-34473) — mass-exploited August 2021 + - ProxyNotShell (CVE-2022-41040) — actively exploited October 2022 + - OWASSRF (CVE-2022-41080) — Rackspace breach, December 2022 + +Microsoft patches Exchange Online the same day vulnerabilities are +disclosed. Intermedia patches their hosted Exchange clusters on their +own schedule. The gap between disclosure and patch deployment is when +attacks occur. + +WHAT INTERMEDIA DOES NOT PROVIDE +--------------------------------- + + - Advanced threat protection (no Safe Links, Safe Attachments) + - Conditional Access / MFA enforcement policies + - Modern email archiving with FINRA compliance certification + - Desktop Office applications (Word, Excel, Outlook, etc.) 
+ - Mobile device management + - Identity protection or sign-in risk detection + +================================================================================ +RECOMMENDED SOLUTION: M365 BUSINESS PREMIUM + MAILPROTECTOR +================================================================================ + +MICROSOFT 365 BUSINESS PREMIUM +------------------------------- + +$22/user/month (direct) — includes: + + Exchange Online Full cloud email, Microsoft-managed, same-day patching + Desktop Office Apps Word, Excel, Outlook, PowerPoint, OneNote (5 devices) + Microsoft Teams Chat, video, file collaboration + SharePoint / OneDrive 1 TB cloud file storage per user + Microsoft Purview FINRA/SEC 17a-4 compliant email archiving (WORM) + Defender for Office 365 Safe Links, Safe Attachments, anti-phishing (Plan 1) + Microsoft Entra ID P1 Conditional Access, MFA enforcement, sign-in risk + Microsoft Intune Mobile device and PC management + +MAILPROTECTOR (ACG-MANAGED FRONTEND) +------------------------------------- + +Mailprotector sits in front of Exchange Online as an additional email +security layer, providing: + + - Inbound spam and malware filtering before mail reaches Exchange + - Outbound filtering and DLP + - Quarantine management + - ACG-managed — we handle configuration, updates, and tuning + +WHAT THIS LOOKS LIKE DAY-TO-DAY +-------------------------------- + + Inbound mail path: + Sender -> Mailprotector (spam/malware filter) -> Exchange Online -> Outlook + + Outbound mail path: + Outlook -> Exchange Online -> Internet (DKIM-signed, SPF-aligned, DMARC-enforced) + + Result: your outbound email is cryptographically authenticated, and your + inbound email is filtered twice before reaching your inbox. 
+ +SECURITY POSTURE COMPARISON +---------------------------- + + Intermedia M365 Business Premium + + Mailprotector + ----------------------------------------------------------------------- + Exchange CVE exposure Yes (Exchange Server) No (Exchange Online) + Same-day security patching No (Intermedia pace) Yes (Microsoft) + Inbound threat filtering Basic Mailprotector + Defender + Safe Links (URL scanning) No Yes + Safe Attachments No Yes + MFA enforcement policy Manual, per-user Conditional Access (P1) + DMARC/DKIM/SPF Not managed ACG-configured + Email archiving (FINRA) Extra cost add-on Included (Purview) + Desktop Office apps No Yes + Mobile device management No Yes (Intune) + Sign-in risk detection No Yes (Entra P1) + ----------------------------------------------------------------------- + +================================================================================ +REGARDING YOUR BROKER/DEALER COMPLIANCE REQUIREMENT +================================================================================ + +You have indicated that your Broker/Dealer may require Intermedia for +compliance purposes. We want to address this directly. + +WHAT FINRA RULE 4511 AND SEC RULE 17a-4 ACTUALLY REQUIRE: + + The regulations require that broker/dealers retain electronic + communications (including email) in a format that is: + + 1. Non-rewritable and non-erasable (WORM storage) + 2. Retained for a minimum period (3 years accessible, 6 total) + 3. Indexed and available for regulatory inspection on demand + 4. Subject to supervisory review + + The regulations do NOT name any specific vendor or platform. + They specify outcomes, not products. + +MICROSOFT 365 IS FINRA/SEC 17a-4 COMPLIANT: + + Microsoft Purview Compliance (included in Business Premium) has received + a formal compliance assessment from Cohasset Associates confirming that + Exchange Online and SharePoint Online meet the requirements of SEC Rule + 17a-4(f) and CFTC Rule 1.31. This assessment is publicly available. 
+ + The majority of FINRA-registered broker/dealers — including large + institutions — run on Exchange Online today. FINRA has published + guidance explicitly endorsing cloud-based recordkeeping solutions. + +OUR EXPECTATION: + + If your Broker/Dealer has a written policy specifying Intermedia by + name as the required platform, we would consider that extraordinary and + would want to review it alongside your compliance attorney. In our + experience, B/D policies specify archiving standards, not vendors. + +================================================================================ +ACTION REQUIRED FROM SHEILA — BEFORE OUR MEETING TOMORROW AT 2 PM +================================================================================ + +Please locate and provide the written policy from your Broker/Dealer that +specifies your email and security compliance requirements. + +Specifically, we are looking for any document that: + + - Defines which email platforms are approved or required + - Specifies archiving or retention requirements for electronic communications + - Names Intermedia (or any vendor) as a required provider + +If no such document exists, or if the policy specifies standards rather +than a named vendor, we can proceed with the Microsoft 365 migration on +the timeline we discussed. + +Please have this document (or confirmation that it does not exist) ready +for our meeting on Tuesday, May 27 at 2:00 PM. + +If you have questions before then, call or text Mike at Arizona Computer +Guru. 
+ +================================================================================ +PROPOSED TIMELINE +================================================================================ + + Now through May 27: Sheila obtains B/D compliance policy + May 27 (2 PM): Review policy; confirm migration go/no-go + May 28-29: Purchase licenses; configure tenant + May 30-31: Stand up mailboxes; configure Mailprotector + June 1-2: Mail migration from Intermedia; DNS cutover + June 3: Current GoDaddy O365 Essentials lapses — new + Business Premium is live before this date + +================================================================================ + +Arizona Computer Guru LLC +Mike Swanson +mike@azcomputerguru.com +(520) 226-3987 + +================================================================================ diff --git a/session-logs/2026-05-26-session.md b/session-logs/2026-05-26-session.md index 58a7561..0b5d77c 100644 --- a/session-logs/2026-05-26-session.md +++ b/session-logs/2026-05-26-session.md 
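Review bot: In the .txt report, the SPF section quotes both records but the remediation ("corrected as part of any migration") never says which sending paths survive: record 1 hard-fails (-all) anything outside Intermedia, record 2 soft-fails (~all) and includes secureserver.net (GoDaddy) plus a ppe-hosted.com include, so something other than Intermedia has been sending as @quantumwms.com. Before collapsing to a single record, enumerate the legitimate post-migration senders (Exchange Online, Mailprotector if it relays outbound, any GoDaddy-hosted mailbox still in use) and publish DMARC at p=none with rua= reporting first, moving to quarantine/reject only once the reports show nothing but authorized sources; as written the report implies enforcement on day one. Likewise "inbound email is filtered twice before reaching your inbox" only holds if Exchange Online is configured to accept inbound mail solely from Mailprotector's IP ranges; that restriction should appear as an explicit configuration step, since MX-only routing leaves direct delivery to the Exchange Online endpoint open. Minor: this version says "These three issues" while the HTML version lists four (it adds DNSSEC), so the two reports disagree on the finding count.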
@@ -548,3 +548,75 @@ GET http://172.16.3.30:3001/api/commands/{command_id} - quantumwms.com consent URL: https://login.microsoftonline.com/ddf3d2c9-b76c-40d9-a216-9f11a1a26f97/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent - GuruRMM: http://172.16.3.30:3001 | admin@azcomputerguru.com / GuruRMM2025 - Vault commit: 86a5586 | guru-rmm: 1a00912 | claudetools: 464d28a + +--- + +## Update: 15:56 PT — wiki-compile skill, Syncro billing/comment, GuruScan packaging, GND-SERVER Datto investigation + +### Session Summary + +Switched to Opus 4.7 (model selection happens at conversation start; cannot change mid-session — user started fresh selection). Answered a Microsoft CSP-direct question: ACG currently resells via PAX8 (indirect); Direct Bill requires $300K trailing-12-month Microsoft revenue + a support contract, so it is not accessible yet — the realistic path is to grow CSP revenue through PAX8 and apply when approaching the threshold. + +Designed and built a new `/wiki-compile` skill (it was referenced in CLAUDE.md but never implemented). It seeds or refreshes client wiki articles from session logs plus live Syncro data. Three modes: seed (new article, full Ollama synthesis), refresh (existing article, surgical update of dynamic fields only), and `--full` (force recompile preserving Patterns/History). Syncro is authoritative for all billing fields (hours remaining, rate, contract type, customer ID, asset count). Customer-not-found fails gracefully (continue with logs only); ambiguous search pauses and asks; asset count only (no detail tables). Also added Step 6 to `/wiki-lint`: pull live `prepay_hours` for every client article with a Syncro customer ID and auto-fix stale hours in place, committing fixes in one batch. Committed as d9ab515. 
+ +Created Cascades Syncro ticket #32324 (onsite meeting with access control vendor) and billed 0.5 hr onsite against the prepaid block — invoice $0.00, block decremented 29.0 -> 28.5 (verified). Added a public, customer-emailed comment to Grabb & Durando ticket #32279 (Richard Glabman) apologizing for the wifi equipment-quote delay and promising an update tomorrow; created a coord todo (due 2026-05-27) to follow up. + +Reviewed GuruScan (Howard's new standalone multi-scanner malware suite, pulled in this session's sync at 3a0c83d/64374e3). Sent Howard four coord messages: (1) repo gaps + suggestion to package as an RMM-callable PowerShell module, (2) dual-mode design so it stays stand-alone (one module core + two entry points + pluggable output/AI sink, explicit `-OutputSink` defaulting to stand-alone), (3) signing note pointing at the existing Azure Trusted Signing infra. Saved a feedback memory: point vault-access teammates at the SOPS path rather than transcribing entry fields into messages. + +Investigated a Datto Workplace "Deletion request denied by OS" alert on Grabb & Durando's GND-SERVER for `opp.msj.docx` in the BRILLON, BARBARA litigation drafts. Root cause: the BRILLON matter was closed and moved to `F:\Shares\Closed Files`; the move = copy + delete-at-source, and Workplace's delete of opp.msj.docx was momentarily denied because the file was open/locked. The file is intact in Closed Files. Per user direction, deleted the now-empty source matter folder (guarded delete — verified 0 files recursively first) to let Datto reconcile the pending delete and clear the alert. + +### Key Decisions + +- **/wiki-compile: Syncro is the source of truth for billing fields, not session logs.** Session logs go stale; the live customer record does not. Refresh mode updates only hours + active tickets + frontmatter, never Patterns/History (those need human review or `--full`). 
+- **wiki-lint auto-fixes stale hours but only flags ticket-status drift.** Hours are a single deterministic field safe to overwrite; ticket/narrative changes are not, so they are surfaced for review. +- **GuruScan stand-alone vs RMM is not a mode of the scanner** — it is the caller + a pluggable output sink. One module core returning structured objects; stand-alone is just the default disk sink, RMM is an additive entry point. Avoids forking scan logic. +- **GND-SERVER: guarded delete only.** Embedded a guard in the PowerShell so the source folder is deleted ONLY if zero files exist recursively — refused to risk deleting un-moved litigation data. Confirmed content preserved in Closed Files + twice-daily VSS before acting. +- **Did not restore the "deleted" file** — investigation showed it was an intentional matter-close/move, not data loss, so no recovery was warranted. + +### Problems Encountered + +- **Coord todos POST schema:** first attempt used `title`/`detail`; the API requires `text`, `created_by_user`, `created_by_machine`. Inspected an existing todo to get the shape, then retried successfully (Glabman todo 1bf0cfef). +- **`/tmp` path mismatch (again):** handing a Git Bash `/tmp/*.ps1` path to Windows `py` failed (FileNotFoundError) — Windows Python can't resolve the POSIX path. Fixed by using `jq -Rs` (fed by bash redirection) for all JSON payload building/parsing instead of `py`. This is the documented Windows /tmp gotcha. +- **RMM command poll timeouts:** the recursive Closed Files search on a 3.7 TB law-firm archive ran longer than the foreground poll window; switched to a background long-poll and fetched the command result by ID once complete. 
+ +### Configuration Changes + +- CREATED `.claude/commands/wiki-compile.md` — new skill (committed d9ab515) +- MODIFIED `.claude/commands/wiki-lint.md` — added Step 6 (Syncro live-check auto-fix) + report section (committed d9ab515) +- CREATED `.claude/memory/feedback_vault_pointer_for_teammates.md` + index entry in `.claude/memory/MEMORY.md` +- DELETED on GND-SERVER: `F:\Shares\Company Data\CLIENTS\BRILLON, BARBARA` (empty source matter folder, post-move cleanup) + +### Credentials & Secrets + +- No new secrets created. GuruRMM API auth: `infrastructure/gururmm-server.sops.yaml` -> `credentials.gururmm-api.admin-email` / `admin-password` (login returns ~24h JWT). +- Azure Trusted Signing details in `services/azure-trusted-signing.sops.yaml` (public-trust, CN=Arizona Computer Guru LLC; sign.ps1 wrapper on Pluto; build SP on 172.16.3.30:/etc/gururmm-signing.env). + +### Infrastructure & Servers + +- **GND-SERVER (Grabb & Durando):** GuruRMM agent ID `cd086074-6766-46b5-93ad-382df97b1f54` (v0.6.39, online), site `d526d700-7210-48b1-94a9-40c87a29dc25`. Windows Server 2019, domain `gd.local`. + - `F:` = local volume `DATA_VOL`, 3.7 TB (NOT a network mapping — it is the server's data drive; users' mappings point at its shares). + - SMB shares: `Company Data` -> `F:\Shares\Company Data`; `Closed Files` -> `F:\Shares\Closed Files`; `Business` -> `F:\Shares\Business`; plus C:\ServerFolders\* (Folder Redirection, Users, Company). + - VSS previous-versions enabled on F: — twice-daily (7 AM + 12 PM) snapshots back to 2026-04-13. + - Datto Workplace Server service `datto_workplace_server.default` (LocalSystem) + `Datto_FSA.VssHelper`; team ID `517722` (HKLM:\SOFTWARE\WOW6432Node\Datto\Workplace Server\services\default\client.workplace.datto.com\517722). +- **Cascades:** Syncro customer 20149445, prepaid block, onsite labor product 26118 @ $175/hr, taxable false. Block 28.5 hrs after this session. 
+- **Grabb & Durando:** Syncro customer 7088463 (Deere Park Development, LLC / Richard Glabman, rglabman@dpa-inc.com). + +### Commands & Outputs + +- GuruRMM run-on-agent pattern: login -> JWT; `POST /api/agents/{id}/command` with `{command_type:"powershell", command:...}` (build payload with `jq -Rs`); poll `GET /api/commands/{id}` for status/stdout. +- BRILLON file located: `F:\Shares\Closed Files\BRILLON, BARBARA\LITIGATION\DRAFTS\opp.msj.docx` (39183 bytes) + a doubled-nested copy + `opp.msj (2).docx` (move/merge artifacts). +- Guarded delete result: `RESULT: DELETED empty source folder: F:\Shares\Company Data\CLIENTS\BRILLON, BARBARA` (0 files recursive). + +### Pending / Incomplete Tasks + +- **GND-SERVER Datto alert:** deletion synced; confirm the alert clears via Workplace Online (server status green) or absence of a new alert email. Offered to tail Datto Workplace Server logs server-side for confirmation — not yet done. +- **Optional:** fold GND-SERVER drive/share/VSS/Datto details into `wiki/clients/grabb-durando.md` (Infrastructure section currently blank for drives/backup). +- (Carried) quantumwms.com John Velez consent; 2x Business Premium before 2026-06-03; Autotask skill build; Western Tire #32199 billing; Kittle HIGH; GuruRMM fix/audit-2-remediation merge. + +### Reference Information + +- Commit: d9ab515 (wiki-compile + wiki-lint Syncro step). Pulled this session: 64374e3, 3a0c83d (Howard — GuruScan). +- Cascades: ticket #32324 (id 111060920), invoice 1650416726, comment id 413109831 — https://computerguru.syncromsp.com/tickets/111060920 +- Grabb & Durando: ticket #32279 (id 110305905), comment id 413112462, todo 1bf0cfef (due 2026-05-27) — https://computerguru.syncromsp.com/tickets/110305905 +- Coord messages to Howard (HOWARD-HOME/claude-main): ac6b35e2 (gaps+packaging), 43f8795b (dual-mode), 1e5c92a9 (signing) +- GuruScan: projects/msp-tools/guru-scan/ (6 PowerShell scripts; scanner chain RKill->AdwCleaner->Emsisoft->HitmanPro->ESET) 
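Review bot: The unchanged context at the top of this hunk carries a GuruRMM admin password in clear text ("admin@azcomputerguru.com / GuruRMM2025") next to the tenant consent URL, in a markdown file that is committed and synced to teammates; that contradicts the feedback memory recorded a few lines later ("point vault-access teammates at the SOPS path rather than transcribing entry fields") and the "No new secrets created" line under Credentials & Secrets. Since it is existing content, fix it in a follow-up edit: replace that line with the SOPS reference this hunk already uses (`infrastructure/gururmm-server.sops.yaml` -> `credentials.gururmm-api.admin-password`) and rotate the password, because it is already in git history. Smaller documentation point: the guarded-delete entry records the guard as "zero files exist recursively" at the source, but the Commands & Outputs section also lists a doubled-nested copy and `opp.msj (2).docx` in Closed Files as move/merge artifacts without saying whether they were left in place; state that explicitly, since `/wiki-compile` will treat this log as the record of what was done.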
diff --git a/wiki/clients/quantumwms.md b/wiki/clients/quantumwms.md new file mode 100644 index 0000000..765d18c --- /dev/null +++ b/wiki/clients/quantumwms.md 
@@ -0,0 +1,159 @@ +--- +title: Quantum WMS +slug: quantumwms +type: client +project_key: clients/quantumwms +last_updated: 2026-05-26 +--- + +# Quantum WMS + +## Overview + +| Field | Value | +|---|---| +| Company | Quantum WMS | +| Primary domain | quantumwms.com | +| Personal domain | sheilaperess.com | +| M365 tenant | `NETORGFT2570783.onmicrosoft.com` / `8f7eaff4-f913-4d3f-b8b9-92e695d987c6` | +| GoDaddy admin | `plan@johnvelez.com` (John Velez) — ACG has delegate access | +| Project key | `clients/quantumwms` | + +## Contacts + +| Name | Role | Notes | +|---|---|---| +| John Velez | Primary / M365 global admin | plan@johnvelez.com; GoDaddy account owner for both domains | +| Sheila Peress | Owner/principal | sheilaperess.com personal domain; compliance decision-maker; final say on license tier | + +## Current Email Infrastructure + +- **Registrar:** GoDaddy (quantumwms.com + sheilaperess.com) — ACG has delegate access +- **DNS:** GoDaddy DomainControl (NS03/NS04.DOMAINCONTROL.COM) — no DNSSEC +- **Mail routing:** Intermedia hosted Exchange — `exch090.serverdata.net` cluster (east/west) + - IP: `64.78.25.106` (Intermedia data center) + - Autodiscover: `ar-east.exch090.serverdata.net` + - This is Exchange Server software hosted by Intermedia, NOT Exchange Online +- **Intermedia setup:** Appears hybrid on-premises Exchange — carries full Exchange Server CVE exposure + +### DNS / Email Security Gaps (CRITICAL) + +| Record | Status | Impact | +|---|---|---| +| DMARC | **MISSING** | Anyone can spoof @quantumwms.com with no enforcement | +| SPF | **TWO RECORDS** (misconfiguration) | RFC 7208 allows only one; causes unpredictable SPF evaluation and deliverability failures | +| DKIM | Not found on standard selectors | Outbound mail not cryptographically signed | +| DNSSEC | Not signed | Domain hijack risk | + +SPF records found (conflict): +1. `v=spf1 include:spf.intermedia.net -all` +2. 
`v=spf1 include:_spf-usg1.ppe-hosted.com include:secureserver.net ~all` + +## M365 Tenant (GoDaddy/johnvelez.com) + +- **Tenant created:** 2016-12-05 (GoDaddy-provisioned) +- **onmicrosoft domain:** `NETORGFT2570783.onmicrosoft.com` +- **quantumwms.com** is NOT a verified domain in this tenant — email runs entirely through Intermedia +- **Remediation app consent:** Tenant Admin tier consented by John (plan@johnvelez.com) 2026-05-26 + +### Users + +| UPN | Display | Licenses | Notes | +|---|---|---|---| +| `plan@johnvelez.com` | John Velez | O365 Business Essentials + Flow Free | Active — no desktop Office apps | +| `admin@NETORGFT2570783.onmicrosoft.com` | johnvelez.com | None | GoDaddy admin account | +| `john__quantumwms.com@NETORGFT2570783.onmicrosoft.com` | john@quantumwms.com | None | Shell account, no mailbox, created 2026-03-16 | +| `migrationapp@NETORGFT2570783.onmicrosoft.com` | SkyKick Inc. | None | Old 2016 migration app account | + +### Consent URL (Tenant Admin tier) + +``` +https://login.microsoftonline.com/8f7eaff4-f913-4d3f-b8b9-92e695d987c6/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent +``` + +Post-consent onboard command: +```bash +bash onboard-tenant.sh 8f7eaff4-f913-4d3f-b8b9-92e695d987c6 +``` + +## Compliance Context: Broker/Dealer Requirements + +John and Sheila believe Intermedia is mandated by their Broker/Dealer. 
**This is almost certainly incorrect.** + +### What SEC Rule 17a-4 / FINRA Rule 4511 actually require + +- Electronic communication retention (3 years accessible, 6 years total for most records) +- Non-rewritable, non-erasable (WORM-compliant) archiving +- Supervisory review capability +- Ability to produce records on regulatory demand + +### What they do NOT require + +- Intermedia specifically +- Any named third-party vendor +- Exchange Server or hosted Exchange + +### Microsoft 365 satisfies all FINRA/17a-4 requirements + +Microsoft Purview (included in Business Premium) provides WORM-compliant archiving with a CFTC/SEC 17a-4 compliance attestation from Cohasset Associates. The majority of FINRA-registered broker/dealers run on Exchange Online. FINRA has published guidance explicitly endorsing cloud-based recordkeeping. + +### Action item (BLOCKER) + +Sheila has been asked to produce **written policy from the Broker/Dealer that explicitly names Intermedia** as the required platform. This policy is expected not to exist — the B/D policy will require compliant archiving, not a specific vendor. Resolution expected before meeting 2026-05-27 14:00. 
+ +## Recommended Architecture: M365 Business Premium + Mailprotector + +### License Plan + +| Account | License | Domain | +|---|---|---| +| John (firm) | M365 Business Premium | quantumwms.com | +| Sheila (firm) | M365 Business Premium | quantumwms.com | +| Sheila (personal) | Exchange Online Plan 1 | sheilaperess.com | +| Others TBD | Exchange Online Plan 1 | TBD | + +### What Business Premium provides over Intermedia + +| Capability | Intermedia Hosted Exchange | M365 Business Premium | +|---|---|---| +| Email | Exchange Server (hosted) | Exchange Online (Microsoft cloud) | +| Exchange CVE exposure | YES — full Server CVE surface | No — Microsoft patches same-day | +| Spam/malware filtering | Basic | Defender for Office 365 Plan 1 (Safe Links, Safe Attachments) | +| Frontend filtering | None | Mailprotector (ACG-managed) | +| MFA enforcement | Manual | Entra ID P1 — Conditional Access | +| FINRA archiving | Intermedia archiver (extra cost) | Microsoft Purview — included | +| Desktop Office apps | No | Yes (Word, Excel, Outlook, etc.) | +| Mobile device management | No | Intune — included | +| DMARC/DKIM setup | Not managed | ACG-managed during migration | + +### Migration Steps + +1. [DONE] Get consent from John (2026-05-26) +2. Obtain written B/D compliance policy from Sheila — confirm no Intermedia mandate +3. Add quantumwms.com as verified domain to johnvelez.com tenant +4. Purchase 2x Business Premium (direct or ACG CSP) +5. Create firm mailboxes (john@quantumwms.com, sheila@quantumwms.com) +6. Assign Business Premium licenses +7. Set up Mailprotector frontend for quantumwms.com +8. Configure DMARC, fix SPF (single record), configure DKIM +9. Cut MX from Intermedia → Exchange Online +10. Migrate existing mail from Intermedia → Exchange Online +11. Activate Office apps on their machines +12. Cancel Intermedia after cutover confirmed +13. Move DNS (quantumwms.com + sheilaperess.com) to Cloudflare +14. 
Purchase Exchange Online Plan 1 for personal domain accounts +15. Cancel GoDaddy email hosting per account as each migrates + +### GoDaddy Decoupling Plan + +- DNS: move both domains to Cloudflare (transfer locks must be removed in GoDaddy first) +- M365 licensing: swap GoDaddy-resold O365 Business Essentials → Business Premium +- Intermedia: cancel after mail cutover confirmed + +## Open Items + +- [ ] **BLOCKER:** Sheila to produce B/D written policy on email compliance requirements (due 2026-05-27 14:00) +- [ ] Sheila to confirm: sheilaperess.com Exchange Online Plan 1 only vs. Business Basic upgrade +- [ ] Determine additional personal domain accounts beyond sheilaperess.com +- [ ] DNS cutover timing for both domains +- [ ] Confirm whether SkyKick migration app account (2016) can be deleted diff --git a/wiki/index.md b/wiki/index.md index 2149c03..38b9d40 100644 --- a/wiki/index.md +++ b/wiki/index.md 
@@ -42,6 +42,7 @@ Run `/wiki-lint` to check for stale entries and broken backlinks. | [Khalsa (two-site)](clients/khalsa.md) | Two-site client (Camden + River); onboarding not completed; domain khalsa.local, DC TROUT at 10.11.12.254; Mac domain-join runbook documented; template docs otherwise empty | 2026-05-24 | | [Anaise](clients/anaise.md) | Single workstation client; contact David (anaisedavid.office@gmail.com); DESKTOP-O8GF4SD; creds in vault at clients/anaise/desktop-o8gf4sd.sops.yaml; onboarding incomplete; M365 enrollment unconfirmed | 2026-05-24 | | [ACG Website (azcomputerguru.com)](clients/azcomputerguru.com.md) | Public website redesign (Astro); score 33/40; placeholder testimonials + no-backend form are pre-launch blockers; OKLCH token design system; see internal-infrastructure.md for ACG servers | 2026-05-24 | +| [Quantum WMS](clients/quantumwms.md) | WMS company; quantumwms.com tenant (ddf3d2c9); GoDaddy decoupling + M365 migration; 2x Business Premium + Exchange Online Plan 1; deadline 2026-06-03; Tenant Admin consented 2026-05-26 | 2026-05-26 | ## Projects
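Review bot: Migration steps 7 and 9 contradict each other on where inbound mail lands. Step 7 stands up Mailprotector as the frontend for quantumwms.com, but step 9 reads `Cut MX from Intermedia → Exchange Online`, which routes mail straight into Exchange Online and bypasses the filter; if Mailprotector is the frontend, the MX must point at Mailprotector and Exchange Online should accept inbound SMTP only from Mailprotector's relay addresses (an inbound connector restricted to those IPs), otherwise anyone who resolves the tenant's predictable direct-delivery endpoint can skip the frontend entirely. Related: step 8 says `fix SPF (single record)` but never states the target record; the only SPF shown (`include:_spf-usg1.ppe-hosted.com include:secureserver.net ~all`) names neither Exchange Online nor Mailprotector, and during coexistence (steps 8 through 10) that single record has to cover both Intermedia and the new outbound path or legitimate mail will fail authentication. Spell out the DMARC rollout as well: publish `p=none` with `rua=` reporting first and tighten only after the MX cut, since the same step is also changing SPF and turning on DKIM. Two smaller items: the license plan puts sheilaperess.com on Exchange Online Plan 1, but the capability table credits Defender for Office 365 Plan 1, Conditional Access (Entra ID P1) and Purview archiving to Business Premium, so those mailboxes get neither the same protection nor the same retention; confirm that address is never used for firm business before it lives in a FINRA-scoped tenant. And the Users table lists a GoDaddy admin account and a 2016 SkyKick migration account with no mailbox or license but says nothing about their directory roles or MFA state; audit and disable stale privileged accounts before the tenant takes on the firm domain rather than leaving the SkyKick deletion as an open item.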
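Review bot: The new index row describes the client as `quantumwms.com tenant (ddf3d2c9)`, but the assessment added earlier in this patch says the consented tenant is `8f7eaff4-f913-4d3f-b8b9-92e695d987c6` (the GoDaddy-provisioned johnvelez.com tenant, `NETORGFT2570783.onmicrosoft.com`) and states explicitly that quantumwms.com is NOT a verified domain in it. Either `ddf3d2c9` is a second tenant the assessment never mentions or the summary is wrong; since `onboard-tenant.sh` keys off the tenant ID, the index should carry the same GUID prefix the assessment does (`8f7eaff4`) and call it the johnvelez.com tenant until quantumwms.com is actually added (migration step 3). The `deadline 2026-06-03` in the row also appears nowhere in the assessment, which only dates the blocker to 2026-05-27 14:00; add the source of that date or drop it, then re-run `/wiki-lint` as the page header asks.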