# Dataforth — Work Log / Billing Record

## Session 1 — 2026-04-02 (Remote — Documentation Audit)

**Focus:** Full client documentation buildout from Mike Swanson handoff + post-incident audit

| Time | Task | Details |
|------|------|---------|
| | Client intake & overview | Created overview.md — company info, Dan Center contact (replacing retired Joel Lohr), Mike Swanson as outgoing IT, M365 tenant 7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584, ~21 human users, 6 servers, 2 ESXi + 1 Hyper-V, ~38 workstations, 64 DOS test stations |
| | Network documentation | Built topology.md, dns.md, dhcp.md, firewall.md, vlans.md for flat network (no VLANs, all Windows Firewall profiles disabled on AD2) |
| | Cloud documentation | Built m365.md + azure.md — tenant info, Entra ID Sync from OU=SyncedUsers, MFA enforcement deadline April 4, 19 users still need to register |
| | Security documentation | Built antivirus.md + backup.md |
| | RMM documentation | Documented Datto RMM + GuruRMM (azcomputerguru.com) |
| | Active Directory doc | Built active-directory.md — intranet.dataforth.com forest, Windows Server 2016 functional level |
| | Per-server docs (6 servers) | AD1, AD2, FILES-D1, SAGE-SQL, 3CX, DF-HYPERV-B, D2TESTNAS |
| | Workstation inventory | Built workstations.md — Engineering (~12), Manufacturing/Assembly (~14), Office/Admin (~12), 3 EOL Windows 7 (LABELPC, LABELPC2, D2-RCVG-003) |
| | Manufacturing doc | Built manufacturing.md — 64 DOS stations running QuickBASIC 4.5 ATE on MS-DOS 6.22, SMB1 via D2TESTNAS Samba proxy, TestDataDB (Node.js + SQLite on AD2:3000, 2.28M test records) |
| | Issue log buildout | Documented 2025 ransomware incident (AD2 wiped/rebuilt) and 2026-03-27 DF-JOEL2 phishing compromise (Angel Raya/ScreenConnect social engineering, C2 blocked, IC3 complaint, jlohr reset) |
| | Risk inventory | Critical/High/Medium/Low risk catalog: firewall disabled on AD2, Win7 machines, AD1 at 90% disk, jlohr account overdue for disable, 28 machines not scanned, etc. |

### Billing Summary — Session 1

| Category | Items |
|----------|-------|
| Client onboarding / intake | Full Mike Swanson handoff documented |
| Documentation buildout | 22 files created across overview, network, cloud, security, rmm, servers, workstations, manufacturing, issues |
| Post-incident risk audit | 2025 ransomware + 2026-03-27 phishing compromise fully documented with follow-ups |

**Time:** File timestamps span ~10:04 AM → 12:45 PM (~2.5–3 hrs)

---

## Outstanding Work — Prioritized

### Critical

- All Windows Firewall profiles disabled on AD2 — re-enable
- 3 Windows 7 machines still on network — retire or isolate
- AD1 C: drive at 90% capacity (C:\Engineering = 787 GB) — expand or clean
- AD1/AD2 on Windows Server 2016 (end of mainstream support) — plan upgrade

### High

- Joel Lohr (jlohr) account — disable post-retirement (**OVERDUE since 2026-03-31**)
- C2 IP blocks on UDM are iptables rules only — make permanent in UniFi UI
- 28 machines offline during incident — rescan when available
- MFA enforcement (April 4) — 19 users still need to register
- No reverse DNS zone for 192.168.0.x
- Website upload mechanism broken (ASP.NET 404s)

### Medium

- D2TESTNAS uses root SSH with password auth
- Stale/conflicting computer account IPs
- ~845K test records pending ForWeb export

### Low

- DVD ISO mounted on AD2 D:
- ClaudeTools-ReadOnly AD account — purpose unclear
- DESKTOP-* BYOD-looking hostnames