From d8613371913b0d704919829d976e17815baee826 Mon Sep 17 00:00:00 2001 From: Mike Swanson Date: Fri, 19 Jun 2026 14:21:35 -0700 Subject: [PATCH] =?UTF-8?q?clients/jimmy:=20BLASTER2=20onboarding=20remedi?= =?UTF-8?q?ation=20note=20(2026-06-19)=20=E2=80=94=20NLA,=20Kaseya=20remov?= =?UTF-8?q?al,=20MSP360=20backup=20retention=20+=20console=20handoff?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../2026-06-19-blaster2-remediation.md | 60 +++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 clients/jimmy/reports/2026-06-19-blaster2-remediation.md diff --git a/clients/jimmy/reports/2026-06-19-blaster2-remediation.md b/clients/jimmy/reports/2026-06-19-blaster2-remediation.md new file mode 100644 index 00000000..3dbce270 --- /dev/null +++ b/clients/jimmy/reports/2026-06-19-blaster2-remediation.md 
@@ -0,0 +1,60 @@ +# Blaster2 — Onboarding Remediation (2026-06-19) + +**Client:** Jimmy Company (`jimmy`) · **Site:** Main (SILVER-LION-5647) +**Machine:** BLASTER2 — Windows 10 Pro 22H2 (build 19045), Lenovo, i5-3470 / 3.8 GB RAM +**RMM agent:** `abddc0ce-a226-48f1-b913-263a81013389` (v0.6.66) +**Tech:** Mike Swanson · **Onboarding grade:** RED (baseline: `onboarding-baselines/BLASTER2-20260619T191759.md`) + +## Actions completed + +### Security +- **RDP NLA enabled** — set `UserAuthentication=1` on `RDP-Tcp`. RDP was on with NLA off + (pre-auth exposure, critical). RDP left enabled, now requires Network Level Authentication. +- **Kaseya leftover removed** — deleted service `KaseyaConnectAPIService` (kav2srv.exe), + install dir `C:\Program Files (x86)\Kaseya\ECGRP939762241516006`, and registry hives + `HKLM\SOFTWARE\Kaseya` + `HKLM\SOFTWARE\WOW6432Node\Kaseya\Agent`. Post-removal sweep + clean: no services, no dir, no scheduled tasks, no other references. (Leftover foreign-RMM + agent from a prior provider — control/security risk.) + +### Cleanup / health scan +- **Machine is clean.** C: = 159 GB used / 70.8 GB free. Temp/junk negligible (Windows Temp + 0.05 GB, user temps 0.12 GB, SoftwareDistribution/Recycle Bin ~0; no Windows.old / hiberfil + / MEMORY.dmp). No real bloatware among 80 installed programs — only a dead "Google Toolbar + for Internet Explorer" (left in place; removable on request). + +### Backup (MSP360 / mspbackups) +- **Root problem:** external backup drive **E: full** — 7.45 TB, 0.74 GB free. Two **local** + MSP360 plans failing with `NotEnoughSpaceOnLocalDestination` (image-based + file). The + **cloud (Backblaze B2)** plan is healthy. +- **90-day retention applied** to both local plans (`cbb editBackupPlan` / `editBackupIBBPlan + -purge "3m"`; plans are new-backup-format). Confirmed "Retention time is set to 90 days." 
+- **Space NOT yet reclaimed — blocked by provider policy.** Agent-side deletion (`cbb delete`) + is refused: *"File deletion on backup storage is restricted due to your service provider + policy."* The MBS REST API is monitoring-only. The full disk also deadlocks the automatic + retention purge (no successful pass can run). **Reclamation must be done provider-side in the + MSP360 management console.** + +## E: storage breakdown (6.7 TB MSP360 + 0.7 TB legacy + 0.7 TB non-MSP360) +- Active NBF generations: image `aae0be51` 3.24 TB, file `5277ed3c` 2.48 TB (history back to 2024). +- Orphaned legacy bunches (pre-2024, no plan, dead weight): "Image Based" 793 GB (last 2022-07-24), + "C:" folder 216 GB. +- Non-MSP360 squatters on E:: VeeamBackup 543 GB, "My backups" 98 GB, FileHistory 81 GB. + +## Console purge worklist (handed to Mike, cutoff 2026-03-21 = 90 days) +1. Lift the MSP360 "restrict backup deletion" provider policy (or delete from the console Storage view). +2. Image plan: keep restore points 2026-06-07 / 05-04 / 04-06; delete 2026-03-01 and older (~20). +3. File plan: keep 2026-03-23 onward; delete 2026-03-17 and older (~65). +4. Delete the 2 orphaned legacy bunches ("Image Based" 793 GB, "C:" 216 GB). +5. Optional (Explorer, not MSP360, only if abandoned): E:\VeeamBackup, E:\My backups, E:\FileHistory (722 GB). +6. After space frees, the 90-day retention keeps both plans bounded — re-run both Local plans to confirm Success. + +## Still open (not addressed today) +- **Win10 22H2 is EOL** (end-of-servicing 2025-10-14) on weak 2012-era hardware (i5-3470, 3.8 GB RAM, + 2013 BIOS) — realistically a **machine replacement**, not in-place upgrade. +- 5 pending Windows updates + pending reboot; 2 unexpected shutdowns (event 41) in 14 days. +- BitLocker status unavailable (likely unencrypted — verify), firewall-profile + SMART checks + returned "unknown" in the diagnostic (manual follow-up). + +## References +- RMM write ops alerted to #dev-alerts. 
Provider-policy delete blocker logged to `errorlog.md`. +- Vault: `clients/jimmy/gururmm-site-main.sops.yaml` (enrollment key); MSP360 API `msp-tools/msp360-api.sops.yaml`.
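Review bot: Step 1 of the console purge worklist lifts the MSP360 "restrict backup deletion" provider policy, but no later step restores it. That policy is the control that stops a compromised agent or operator from deleting backup storage (the same refusal quoted under "Space NOT yet reclaimed"), so either add a step after 6 ("re-enable the deletion-restriction policy and confirm `cbb delete` is refused again") or prefer the alternative already offered in step 1 (delete from the console Storage view) so the policy never has to be lifted. Secondary point under "RDP NLA enabled": the entry records RDP as left enabled while the still-open list says the firewall-profile check returned "unknown"; adding one line stating whether the inbound RDP rule is scoped (LAN/VPN only vs. any address) would let the "pre-auth exposure, critical" finding be marked verifiably closed rather than only mitigated by NLA.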