---
type: client
name: glaztech
display_name: Glaz-Tech Industries
last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main
sources:
  - clients/glaztech/session-logs/2026-04-20-session.md
  - clients/glaztech/session-logs/2026-04-21-session.md
  - clients/glaztech/reports/2026-04-17-phishing-incident-report.md
  - clients/glaztech/PROJECT_STATE.md
  - clients/glaztech/README.md
backlinks: []
---

# Glaz-Tech Industries

## Profile

- **Contract type:** Managed (long-term — ~15 years per session logs)
- **Key contacts:** Steve Eastman — seastman@glaztech.com — internal IT, ~200 users, 9 locations. Desktop-level tech; guides technical direction, ACG implements.
- **Billing rate:** [unverified — not recorded in session logs]
- **Syncro customer ID:** 143932
- **Active tickets:** #32176 (DMARC override, Invoiced), #32186 (M365 Security Review / MFA, In Progress as of 2026-04-21)
- **GuruRMM client ID:** d857708c-5713-4ee5-a314-679f86d2f9f9
- **GuruRMM site:** SLC - Salt Lake City (Site ID: 290bd2ea-4af5-49c6-8863-c6d58c5a55de)

## Infrastructure

### Servers & Services

No dedicated on-premises server infrastructure documented. Multi-site Windows environment (~200 users, 9 locations). Active Directory confirmed (OUs referenced in deployment scripts). IP range: 192.168.0.0/24 through 192.168.9.0/24 (10 site subnets, one per site).

| Service | Details | Notes |
|---|---|---|
| M365 tenant | glaztechindustries.onmicrosoft.com | ~200 users, basic licensing (no Entra P1) |
| Exchange Online | glaztech.com | MailProtector inbound filter (MX 5 primary) |
| Active Directory | glaztech.com domain | [unverified — AD inferred from OU references in scripts] |

### Email & Identity

- **M365 tenant:** glaztechindustries.onmicrosoft.com
- **Tenant ID:** 82931e3c-de7a-4f74-87f7-fe714be1f160
- **Primary domain:** glaztech.com
- **Inbound mail filter:** MailProtector — `glaztech-com.inbound.emailservice.io` (MX 5, sole MX as of 2026-04-17)
- **DMARC:** p=reject; sp=reject (hardened 2026-04-17, was p=none)
- **DKIM:** CNAME records exist for selector1/selector2 — active status unverified [WARNING: confirm DKIM is active in M365]
- **MFA status:** [WARNING] DISABLED as of 2026-04-21. Security Defaults off. No Conditional Access (requires Entra P1, not licensed). ~160 users with password-only sign-in. MFA rollout is open work item — do not enable Security Defaults until service account audit is complete (see Active Work).
- **Licensing:** Basic M365 (no Entra P1 / Business Premium). Per-user MFA or Security Defaults are the available free options.
- **Mailbox forwarding (internal, low risk):** Payroll@glaztech.com → carmen@glaztech.com; TUCCSR@glaztech.com → bryce@glaztech.com
- **OAuth consent grants:** 38 grants — not audited as of last session

### Network

- **Sites:** 9 locations
- **IP ranges:** 192.168.0.x through 192.168.9.x (one subnet per site — up to 10 sites)
- **Firewall/ISP:** [unverified — not documented]
- **DNS hosted on:** IX server (172.16.3.10), PowerDNS. Zone file: `/var/named/glaztech.com.db`

## Access

- **Remediation tool:** ComputerGuru apps consented in tenant (Exchange Operator, Security Investigator, Tenant Admin, Defender Add-on)
- **Exchange Operator App ID:** b43e7342-5b4b-492f-890f-bb5a4f7f40e9
- **Remediation tool app (AI):** fabb3421-8b34-484b-bc17-e46de9703418
- **Exchange Admin role:** Assigned to ACG service principal in Entra
- **Global Admin account:** admin@glaztechindustries.onmicrosoft.com (ACG admin only — external GA from tomakkglass.com removed 2026-04-21)
- **Vault path:** `clients/glaztech/` [no SOPS credential file documented — remediation tool uses MSP-wide app credentials]
- **Exchange Operator vault:** `msp-tools/computerguru-exchange-operator.sops.yaml`
- **DNS access:** `root@172.16.3.10` (IX server)
- **Deploy (endpoints):** ScreenConnect or GuruRMM

## Patterns & Known Issues

- **Phishing via direct-to-M365 MX bypass:** Two phishing campaigns in April 2026 succeeded because DNS had a secondary MX record (`glaztech-com.mail.protection.outlook.com` at priority 10) that bypassed MailProtector. Hardened: MX 10 removed, DMARC to p=reject, Enhanced Filtering for Connectors enabled. Do not re-add a secondary MX record.
- **Inbound connector IP restriction:** Do NOT restrict `SenderIPAddresses` on the "Inbound Spam Filter" connector — blocks legitimate calendar invites from external M365 tenants (learned from Dataforth incident). EFSkipIPs are set to MailProtector IPs instead.
- **Service accounts need audit before MFA rollout:** Shoretel, mitel, Gti-FaxFinder, GTIMail, GTIQUOTE, CAS1944, clerk — all need SMTP/auth method confirmation before Security Defaults can be enabled.
- **PDF preview broken (MOTW):** Windows KB5066791/KB5066835 broke PDF preview on network shares via Mark of the Web. Fix scripts are ready in `clients/glaztech/` — deployment is pending (as of 2026-03-30).
- **clearcutglass.com DMARC history:** Corena Spottsville (clearcutglass.com) emails to seastman and zulema were rejected. Temporary transport rule (SCL=-1) was set and removed on 2026-04-21. SPF ~all weakness noted to Team Logic IT (Jordan Fox, jfox@tlit60302.com); recommend they harden to -all and confirm DKIM.
- **Client tone:** ACG has managed GlazTech ~15 years. Steve Eastman is a trusted internal IT partner. Comments and communication should lead with what we know, state findings and actions taken, ask only one targeted question if needed — not open-ended discovery.
- **Unlicensed accounts (pending Steve confirmation):** Chauntelle@glaztech.com, Denouser1@glaztech.com, Gti-FaxFinder@glaztech.com.

## Active Work

### PDF Preview Fix (DEPLOYMENT-READY — pending execution)

Scripts in `clients/glaztech/`:
- `Fix-PDFPreview-Glaztech-UPDATED.ps1` — updated remediation (recommended)
- `Fix-PDFPreview-Glaztech.ps1` — original
- `Deploy-PDFFix-BulkRemote.ps1` — bulk remote deployment
- `GPO-Configuration-Guide.md` — GPO method
- `QUICK-REFERENCE.md` — summary of all three methods

Deploy via Option A (ScreenConnect, individual), Option B (bulk remote via PS remoting), or Option C (GPO). Waiting on file server hostnames/IPs from Steve before bulk deploy.

### MFA Rollout (Ticket #32186 — In Progress)

Waiting on Steve's reply to:
1. Service account auth methods (which use SMTP basic auth or password-only flows?)
2. Disposition of unlicensed accounts (Chauntelle, Denouser1, Gti-FaxFinder)
3. Licensing preference: Security Defaults (free, no exclusions) vs. per-user MFA (free, can exclude service accounts) vs. Conditional Access (requires Entra P1/Business Premium, ~$22/user/mo)

**Do not enable Security Defaults until service accounts are confirmed safe.**

MFA rollout plan: Phase 1 — user communication (install Authenticator); Phase 2 — enable enforcement; Phase 3 — follow-up stragglers; Phase 4 (future/P1) — Conditional Access with trusted IPs for office locations.

### Pending follow-ups

- Audit 38 OAuth consent grants (not done as of 2026-04-21)
- Confirm DKIM signing active in M365 for glaztech.com
- Monitor DMARC aggregate reports (rua=noreply@glaztech.com — should be a monitored mailbox or reporting service)
- Security awareness training for staff (multiple employees forwarded and replied to obvious phishing in April 2026)
- Review whether any user clicked phishing links (check sign-in logs for suspicious auth attempts post-April 17)
- Confirm test email clean delivery from clearcutglass.com after DMARC fix

## History Highlights

- **[~15 years prior]** Long-standing managed client.
- **2026-01-27** — PDF preview break caused by Windows MOTW update (KB5066791/KB5066835). Fix scripts created. Deployment pending.
- **2026-04-17** — Two phishing campaigns bypassed MailProtector via direct-to-M365 MX bypass. 32 messages purged across 8 users. Hardened: MX 10 removed, DMARC p=reject, Enhanced Filtering Connectors enabled. Remediation tool onboarded (admin consent, Exchange Admin role). Forensic evidence preserved in `clients/glaztech/reports/`.
- **2026-04-20** — Exchange transport rule created to allow clearcutglass.com mail (DMARC bypass, SCL=-1) while Team Logic IT fixed their DNS. Ticket #32176 created.
- **2026-04-21** — clearcutglass.com DNS fixed by Team Logic IT (Jordan Fox). Transport rule removed. External Global Admin (glaztechadmin from tomakkglass.com / Team Logic IT) removed from tenant. M365 security review surfaced: no MFA, 38 OAuth grants, unlicensed accounts, service account audit needed. Ticket #32186 opened for MFA implementation. Feedback: use expert-partner tone with Steve, not open-ended discovery questions.

## Backlinks

- `wiki/systems/ix-webhosting.md` [if exists] — DNS hosted on IX server