---
type: client
name: cascades-tucson
display_name: Cascades of Tucson
last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main
sources:
  - session-logs/2026-03-24-session.md
  - session-logs/2026-03-31-session.md
  - session-logs/2026-04-01-session.md
  - session-logs/2026-04-16-session.md
  - session-logs/2026-04-16-howard-client-docs-import.md
  - session-logs/2026-04-17-session.md
  - session-logs/2026-04-17-howard-session.md
  - session-logs/2026-04-18-session.md
  - session-logs/2026-04-20-session.md
  - session-logs/2026-04-20-mac-session.md
  - session-logs/2026-04-21-mac-vault-setup.md
  - session-logs/2026-04-21-howard-remediation-vault-gap.md
  - session-logs/2026-04-28-session.md
  - session-logs/2026-04-29-session.md
  - session-logs/2026-04-30-session.md
  - session-logs/2026-05-01-session.md
  - session-logs/2026-05-01-howard-syncro-billing-batch-and-tmp-path-incident.md
  - session-logs/2026-05-10-session.md
  - session-logs/2026-05-18-session.md
  - session-logs/2026-05-18-howard-billing-review-and-ticket-updates.md
  - session-logs/2026-05-20-session.md
  - session-logs/2026-05-21-session.md
  - session-logs/2026-05-23-session.md
  - session-logs/2026-05-24-GURU-KALI-session.md
  - clients/cascades-tucson/session-logs/2026-05-22-session.md
  - clients/cascades-tucson/docs/overview.md
  - clients/cascades-tucson/docs/network/topology.md
  - clients/cascades-tucson/docs/network/vlans.md
  - clients/cascades-tucson/docs/servers/cs-server.md
  - clients/cascades-tucson/docs/billing-log.md
  - .claude/memory/project_cascades_admin_accounts.md
  - .claude/memory/project_cascades_ca_phased_rollout.md
  - .claude/memory/project_cascades_pilot_cleanup.md
  - .claude/memory/feedback_syncro_cascades_contact.md
  - .claude/memory/feedback_cascades_user_security_group.md
  - .claude/memory/project-cascades-migration-plan.md
  - .claude/memory/feedback_cascades_folder_redirect.md
backlinks:
  - projects/gururmm
---

# Cascades of Tucson

Senior living / assisted living facility in Tucson, AZ.
Single 6-floor building plus a MemCare (Memory Care) wing on floors 5-6. ACG took over from a previous MSP. Primary compliance driver is HIPAA. Active multi-phase migration project ongoing as of 2026-05-24.

---

## Profile

- **Contract type:** Prepaid hour block
- **Key contacts:**
  - Winter — front desk / billing; handles invoice processing and prepaid block purchases
  - Meredith Kuhn — Assistant Manager (ASSISTMAN-PC); internal billing contact. **NEVER set her as ticket contact in Syncro** — she is the wrong default that keeps being selected.
  - John Trozzi — Maintenance staff, Mac at 201cascades@gmail.com (shared facility account)
  - Lauren Hasselman — Accounting
  - Crystal Rodriguez — staff
  - Sharon Edwards — Life Enrichment Assistant (DESKTOP-DLTAGOI)
  - Ashley Jensen — Accountant (DESKTOP-U2DHAP0)
  - Shelby Trozzi — MemCare Director (MDIRECTOR-PC)
- **Billing rate:** $175/hr all labor (prepaid block customer)
- **Hours remaining:** ~37.5 hrs as of 2026-05-20. Always live-check via `GET /customers/20149445` before billing — balance is unreliable across sessions. [verify]
- **Syncro customer ID:** 20149445
- **Active tickets:**
  - #110680053 — Dept-by-dept domain migration (primary active project; plan: `C:\Users\Howard\.claude\plans\wise-discovering-panda.md`)
  - #109412123 — Entra setup project (may be invoiced as of 2026-05-18; verify status)
  - #109225085 — Yealink phone inventory
  - #109035475 — John Trozzi desktop WiFi upgrade (billed)

---

## Infrastructure

### Servers & Services

| Host | IP | Role | OS | Notes |
|---|---|---|---|---|
| CS-SERVER | 192.168.2.254 | DC, DNS, DHCP (no scopes), File Server, Hyper-V host, Print Server | Windows Server 2019 Standard | Dell PowerEdge R610 (~2009 hardware, 16+ years old). **Single DC — CRITICAL risk. No backup.** GuruRMM agent ID: `6766e973-e703-47c1-be56-76950290f87c` |
| CS-SERVER iDRAC | 192.168.2.65 | Out-of-band management | — | Dell OOB interface |
| CS-QB (Hyper-V VM on CS-SERVER) | 192.168.2.228 | VoIP server | — | Phones go down if R610 dies |
| cascadesDS (Synology NAS) | 192.168.0.120 | NAS / legacy file storage | DSM | Port 5000 HTTP. Workgroup name is "CASCADES" — same as AD short name, causing Kerberos auth failures from domain-joined machines. Slated to become backup-only. |
| pfSense Firewall | 192.168.0.1 | Perimeter firewall, inter-VLAN routing | pfSense 24.0 | Dual-WAN. All DHCP served here (CS-SERVER DHCP role has no scopes). MAC: 00:f1:f5:34:b3:4a |

**[WARNING] CS-SERVER hardware:** Dell R610 with mixed SATA laptop drives (OS array, no hot spare) and enterprise SAS drives from 2015-2016. No backup exists. No second DC. Hardware will fail — DC migration is urgent.

**[WARNING] HIPAA violation:** No backup for CS-SERVER (§164.308(a)(7)). Synology Active Backup for Business is blocked (ext4 filesystem, not Btrfs).

### Email & Identity

- **M365 tenant:** cascadestucson.com | Tenant ID: `207fa277-e9d8-4eb7-ada1-1064d2221498`
- **M365 license:** Business Standard (34 seats). Business Premium upgrade proposed (net -$56.50/mo savings after shared mailbox cleanup). 31 SPB seats reportedly free as of 2026-05-22 — relicensing is time-sensitive.
- **On-prem AD domain:** cascades.local | UPN suffix: cascadestucson.com (added 2026-04-13 for Entra Connect SSO readiness)
- **MX / mail flow:** Exchange Online (M365). SPF strict (`-all`). DKIM: both M365 selectors published. DMARC: `p=none` (monitoring only) — **action needed: upgrade to `p=quarantine`**. DMARC reports go to `info@cascadestucson.com` (unmonitored).
- **MFA:** CA policy "Require MFA for all users" is enabled. Caregiver bypass pilot in progress — caregivers cannot satisfy MFA (no personal device), so three scoped CA policies use BLOCK instead. See Patterns section.
- **Entra Connect:** Installed on CS-SERVER in staging mode as of 2026-04-25. **Not yet exited staging.** Exit from staging is a pending task.
- **Break-glass accounts:** Two planned (`breakglass1-csc@cascadestucson.com`, `breakglass2-csc@cascadestucson.com`). FIDO2 YubiKeys ordered. Vault entries not yet created. [unverified — check if YubiKeys arrived and accounts created]
- **Admin accounts:**
  - `admin@cascadestucson.com` — Mike's working admin (cloud-only, Connect-excluded by design)
  - `sysadmin@cascadestucson.com` — Howard's working admin (cloud-only, Connect-excluded by design)
- **ALIS (clinical SaaS):** https://www.go-alis.com/ — Entra SSO configured but **BLOCKED on Medtelligent enabling it** on the Cascades tenant. App registration values ready in vault: `clients/cascades-tucson/alis-sso-app-registration.sops.yaml`.
- **Yealink SDM:** 16 SIP-T54W phones via YMCS portal. SDM token success 2026-05-08. ~30 phones still to roll as of 2026-05-10. [unverified — check current count]
- **Audit retention:** Approved 2026-04-29. Azure Log Analytics (90d) + Storage Account (6yr) in ACG subscription `e507e953-2ce9-4887-ba96-9b654f7d3267`, RG `rg-audit-cascadestucson`. **Not yet built.** Runbook: `.claude/skills/remediation-tool/references/audit-retention-runbook.md`.

### Network

- **ISP / WAN:** Dual-WAN Cox Fiber (primary, static `184.191.143.62/30`, gateway `184.191.143.61`) + Cox Coax (secondary, DHCP `72.211.21.217`). Both WAN IPs added as the Cascades Named Location in Entra (ID: `061c6b06-b980-40de-bff9-6a50a4071f6f`).
- **Firewall:** pfSense 24.0 at 192.168.0.1. All DHCP. Inter-VLAN routing. 236 resident room VLANs (per-room /28, `10.[floor].[room].0/28`). Staff/infra VLAN 20 (`10.0.20.0/24`, gateway `10.0.20.1`). Guest VLAN 50 (`10.0.50.0/24`, RFC1918 blocked).
- **Switching:** Full UniFi. 82 APs + 5 managed switches (1st Floor USW-48 PoE core; floors 2-4 USW-Pro-24-PoE; MemCare USW-Pro-24-PoE; USW Lite 8 PoE; USW-16-PoE VoIP switch). Floors 2/3/4 switches pending hardware replacement.
- **WiFi SSIDs:**
  - CSCNet — staff, VLAN 20
  - CSC ENT — legacy SSID, main LAN (192.168.0.0/22), being deprecated as migration proceeds
  - Guest — isolated, VLAN 50
- **VoIP:** AudioCodes phones (8 units) on USW-16-PoE. CS-QB VM at 192.168.2.228. Not MSP-managed, but infra must stay static.

---

## Access

- **CS-SERVER:** Via ScreenConnect or GuruRMM (agent ID: `6766e973-e703-47c1-be56-76950290f87c`)
- **CS-SERVER iDRAC:** 192.168.2.65
- **pfSense admin:** https://192.168.0.1 — vault: `clients/cascades-tucson/pfsense-firewall.sops.yaml`
- **Synology DSM:** http://192.168.0.120:5000 — vault: `clients/cascades-tucson/` (existing entry)
- **M365 admin:** admin@cascadestucson.com — vault: `clients/cascades-tucson/m365-admin.sops.yaml`
- **M365 sysadmin:** sysadmin@cascadestucson.com — vault: `clients/cascades-tucson/m365-sysadmin.sops.yaml`
- **WiFi CSCNet:** vault: `clients/cascades-tucson/wifi-cscnet.sops.yaml`
- **MDM service account:** vault: `clients/cascades-tucson/mdm-service-account.sops.yaml`
- **ALIS SSO app registration:** vault: `clients/cascades-tucson/alis-sso-app-registration.sops.yaml`
- **GuruRMM — RECEPTIONIST-PC:** agent ID `9c91d324-1073-449c-8cc0-45c5bccfc218` (flaky WebSocket, may lag fleet updates)
- **Yealink YMCS portal:** https://us.ymcs.yealink.com/manager/login — vault: `infrastructure/voip-phones.sops.yaml`
- **Remediation tool:** Still on old app `fabb3421` (ComputerGuru - AI Remediation) as of 2026-04-20. New tiered app suite not yet consented. [unverified — check if consented since then]
- **Vault root:** `clients/cascades-tucson/` in vault repo

---

## Patterns & Known Issues

### Syncro / Billing

- **Never set a contact on any Syncro ticket unless explicitly requested.** This is a global rule, not Cascades-specific. At Cascades, Meredith Kuhn is the recurring wrong default that Syncro pre-selects — she is not the correct contact. Leave `contact_id` blank; Syncro routes to the correct distribution emails automatically. Source: `feedback_syncro_blank_contact.md`.
- **Billing product for prepaid block draw:** Use a real labor type (Remote, Onsite, etc.) — NOT "Prepaid project labor" (exempt, won't decrement the block).
- **Always live-check hours before billing:** `GET /customers/20149445` in Syncro. The 2026-05-01 invoice debit may not have fired correctly — treat all cached hour counts as approximate.

### Active Directory / User Management

- **Security group assignment is always explicit.** When creating or adding any Cascades user, always ask which security group(s). OU → group auto-mirror was explicitly declined 2026-05-14. OU placement controls Entra Connect sync scope; group membership controls CA policy — two separate deliberate decisions. Source: `feedback_cascades_user_security_group.md`.
- **New user mandatory order (folder redirection):**
  1. Create AD user
  2. Run `New-HomeFolder -Username ""` on CS-SERVER (creates root + Desktop/Documents/Downloads/Music/Pictures with correct ACL)
  3. Add to SG-FolderRedirect
  4. THEN first domain logon
  - Skipping step 2 causes fdeploy to cache a failure silently and never retry. Source: `feedback_cascades_folder_redirect.md`.
- **Folder redirect recovery:** If fdeploy cached a failure ("No changes detected"), run `clients/cascades-tucson/scripts/fix-shell-redirect.ps1` via GuruRMM while the user is logged in. Must set both GUID-based and legacy-name registry keys. Folders must already exist on the server.
- **fdeploy1.ini flags:** Changed from `Flags=1211` (included the `Grant Exclusive Rights` bit 0x400, causing WRITE_DAC failures on new subfolders) to `Flags=187`. File at `{512B43A4-F049-4CE5-BFAC-860AD13E92BE}\User\Documents & Settings\fdeploy1.ini` on CS-SERVER.
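The mandatory order above, as an added example script rather than the client's own `New-HomeFolder` function: it pre-stages the home folder and ACL (step 2), adds the user to the redirect group (step 3), and then checks the GPO's `fdeploy1.ini` for the 0x400 bit. It assumes the homes share root is `D:\Homes`, the NetBIOS domain is `CASCADES`, the DNS domain is `cascades.local`, the GPO lives under SYSVOL `Policies`, and it runs elevated on CS-SERVER with the ActiveDirectory module.

```powershell
# Added example, not the client's New-HomeFolder script: pre-stages a redirected
# home folder (root + the five subfolders) with an explicit ACL, then adds the
# user to SG-FolderRedirect so fdeploy finds a ready folder on first logon.
# Assumptions: homes share at D:\Homes, NetBIOS domain CASCADES, DNS domain
# cascades.local, ActiveDirectory module present, run elevated on CS-SERVER.
param(
    [Parameter(Mandatory)][string]$Username,
    [string]$HomesRoot = 'D:\Homes',
    [string]$Domain = 'CASCADES',
    [string]$DnsDomain = 'cascades.local',
    [string]$RedirectGroup = 'SG-FolderRedirect'
)
Import-Module ActiveDirectory

if (-not (Get-ADUser -Filter "SamAccountName -eq '$Username'")) {
    throw "AD user '$Username' does not exist; create it first (step 1)"
}

$root = Join-Path $HomesRoot $Username
New-Item -ItemType Directory -Path $root -Force | Out-Null

# Root ACL: drop inherited ACEs, then allow only the user (Modify), SYSTEM and
# Administrators (Full Control). Subfolders inherit this set.
$acl = Get-Acl -Path $root
$acl.SetAccessRuleProtection($true, $false)
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
foreach ($ace in @(
        @{ Id = "$Domain\$Username";     Rights = 'Modify' },
        @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
        @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' })) {
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $ace.Id, [System.Security.AccessControl.FileSystemRights]$ace.Rights, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow))
}
# Owner = user, so the client-side ownership check also passes if exclusive rights
# is ever re-enabled. Setting another owner needs an elevated session.
$acl.SetOwner([System.Security.Principal.NTAccount]"$Domain\$Username")
Set-Acl -Path $root -AclObject $acl

foreach ($sub in 'Desktop', 'Documents', 'Downloads', 'Music', 'Pictures') {
    New-Item -ItemType Directory -Path (Join-Path $root $sub) -Force | Out-Null
}

# Step 3: group membership is what scopes the redirection GPO to this user.
Add-ADGroupMember -Identity $RedirectGroup -Members $Username

# Guard on the GPO side: bit 0x400 (Grant Exclusive Rights) makes the client
# expect a folder only it may touch and fail with WRITE_DAC on new subfolders.
$ini = "\\$DnsDomain\SYSVOL\$DnsDomain\Policies\{512B43A4-F049-4CE5-BFAC-860AD13E92BE}\User\Documents & Settings\fdeploy1.ini"
Select-String -Path $ini -Pattern '^Flags=(\d+)' | ForEach-Object {
    $flags = [int]$_.Matches[0].Groups[1].Value
    if ($flags -band 0x400) { Write-Warning "$ini has Flags=$flags (0x400 set); expected 187" }
}
```

Run it before the user's first domain logon; if the warning fires, fix the GPO flags first, since the folder alone does not clear a cached fdeploy failure.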
### Conditional Access / Caregiver Pilot

- **Phased rollout — never tenant-wide.** CA policies for caregivers target `SG-Caregivers-Pilot` only (then `SG-Caregivers` after Entra Connect exits staging). The legacy "Require MFA for all users" policy stays in place. Expansion to other departments uses PATCH on `excludeGroups`, never replace. Source: `project_cascades_ca_phased_rollout.md`.
- **Caregiver CA policy set:**
  - PATCH legacy MFA-all-users: add `SG-Caregivers-Pilot` to excludeGroups
  - CREATE `CSC - Block caregivers off Cascades network` (BLOCK if location not Cascades)
  - CREATE `CSC - Block caregivers on non-compliant device` (BLOCK if device non-compliant)
  - CREATE `CSC - Caregiver sign-in frequency 8h`
- **GDAP exclusion:** CA policy 3 must exclude "Service provider users" (GDAP foreign principals) + `SG-External-Signin-Allowed` + `SG-Break-Glass`, otherwise ACG partner admins lose access at CA cutover.
- **Pilot cleanup required when done:** Delete `pilot.test@cascadestucson.com`, clean up `howard.enos@cascadestucson.com`, remove `SG-Caregivers-Pilot` from CA policy targets and delete the group. Source: `project_cascades_pilot_cleanup.md`.

### Security Incidents (historical)

- **Megan Hiatt (2026-04-16):** Active credential-stuffing — 126 failed sign-ins, bursts from Belfast GB, Hamburg DE. Password reset and SMTP AUTH disable were action items. Mailbox was clean (not breached).
- **John Trozzi (2026-04-16, 2026-04-20):** Investigated twice — both times NO BREACH. First: credential stuffing flag (clean). Second: inbound phishing email (clean). Reports in `clients/cascades-tucson/reports/`.
- **Crystal Rodriguez (2026-04-19):** Phishing investigation. Report: `clients/cascades-tucson/reports/2026-04-19-crystal-rodriguez-phish-investigation.md`.
- **Canva email delivery (2026-05-20):** Alma Montt not receiving Canva invites. Resolved by adding canva.com domains to AllowedSenderDomains in EOP policies.
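The "PATCH on `excludeGroups`, never replace" rule and the GDAP exclusion check from the Conditional Access section above, as an added example (not from the client's runbooks or memory files): it reads the policy, appends the group to the existing `excludeGroups`, sends the whole `conditions.users` block back, and then verifies the exclusions a caregiver block policy needs before it leaves report-only. Assumptions: the Microsoft Graph PowerShell SDK is installed, the session holds `Policy.ReadWrite.ConditionalAccess` and `Group.Read.All`, Graph replaces `conditions.users` as a block on PATCH, and the check is run conservatively over all three created policies rather than only "policy 3".

```powershell
# Added example, not from the client's runbooks: (1) add a group to a CA policy's
# excludeGroups without dropping entries already there, (2) confirm the
# exclusions a caregiver block policy needs before it leaves report-only.
# Assumes the Microsoft Graph PowerShell SDK and a session with
# Policy.ReadWrite.ConditionalAccess and Group.Read.All.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Groups
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Group.Read.All' -NoWelcome
$caBase = 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies'

function Get-GroupId([string]$Name) {
    $g = @(Get-MgGroup -Filter "displayName eq '$Name'" -Property Id)
    if ($g.Count -ne 1) { throw "Expected exactly one group named '$Name', found $($g.Count)" }
    return $g[0].Id
}

function Get-CaPolicyByName([string]$Name) {
    # Match client-side so the lookup does not depend on server-side filter support.
    $p = @((Invoke-MgGraphRequest -Method GET -Uri $caBase).value | Where-Object { $_.displayName -eq $Name })
    if ($p.Count -ne 1) { throw "Expected exactly one policy named '$Name', found $($p.Count)" }
    return $p[0]
}

function Add-CaExcludeGroup([string]$PolicyName, [string]$GroupName) {
    $policy = Get-CaPolicyByName $PolicyName
    $gid    = Get-GroupId $GroupName
    $users  = $policy.conditions.users
    $users.excludeGroups = @($users.excludeGroups | Where-Object { $_ -ne $gid }) + $gid
    # PATCH the full users block (include/exclude lists untouched here survive);
    # nothing outside conditions.users is sent, so the rest of the policy is kept.
    Invoke-MgGraphRequest -Method PATCH -Uri "$caBase/$($policy.id)" `
        -Body @{ conditions = @{ users = $users } } | Out-Null
    return $users.excludeGroups
}

function Test-CaPolicyExclusions([string]$PolicyName, [string[]]$RequiredGroups) {
    $users   = (Get-CaPolicyByName $PolicyName).conditions.users
    $missing = @($RequiredGroups | Where-Object { @($users.excludeGroups) -notcontains (Get-GroupId $_) })
    # "Service provider users" (GDAP partner principals) is an external-user type
    # on the policy, not a group, so it is checked separately.
    $types = [string]$users.excludeGuestsOrExternalUsers.guestOrExternalUserTypes
    if ($types -notmatch 'serviceProvider') { $missing += 'Service provider users (GDAP)' }
    return $missing   # empty means every required exclusion is present
}

Add-CaExcludeGroup -PolicyName 'Require MFA for all users' -GroupName 'SG-Caregivers-Pilot'
foreach ($name in 'CSC - Block caregivers off Cascades network',
                  'CSC - Block caregivers on non-compliant device',
                  'CSC - Caregiver sign-in frequency 8h') {
    $gaps = Test-CaPolicyExclusions -PolicyName $name -RequiredGroups 'SG-External-Signin-Allowed', 'SG-Break-Glass'
    if ($gaps) { Write-Warning "${name}: keep in report-only, missing exclusions: $($gaps -join ', ')" }
}
```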
- **dunedolly21@gmail.com:** External guest invited 2026-04-14 by Lauren Hasselman from mobile. Status unknown — confirm with Lauren. [unverified]

### HIPAA Compliance

- **Primary objective.** Cascades stores PHI on CS-SERVER and uses ALIS for clinical records.
- **Critical open gaps:** No backup (§164.308(a)(7)); no audit logging on D:\Homes (§164.312(b)); Object Access auditing disabled; no SMB encryption on the homes share; no file access auditing.
- **Restored 7 deleted mailboxes (2026-04-25)** for HIPAA §164.316(b)(2) 7-year retention.
- **Termination policy established:** Convert to shared mailbox, hide from GAL, retain 7 years.

---

## Active Work

Primary active project as of 2026-05-24: dept-by-dept domain migration (Syncro #110680053).

**Migration phase status (approx. as of 2026-05-22):**

| Machine / User | Status |
|---|---|
| Sharon Edwards (DESKTOP-DLTAGOI) | Domain-joined, folder redirect working via registry workaround |
| Ashley Jensen (DESKTOP-U2DHAP0) | Domain-joined, folder redirect incomplete (manually fixed) |
| RECEPTIONIST-PC (frontdesk) | Domain-joined 2026-05-22; loopback Replace mode, no folder redirect by design |
| NURSESTATION-PC | Domain-joined, folder redirect complete |
| Lauren Hasselman | Passwords didn't work 2026-05-21, machine not accessible — pending |
| DESKTOP-KQSL232, CHEF-PC, SALES4-PC, MDIRECTOR-PC | Not yet started |

**Blocking issues / pending:**

- Entra Connect: exit staging (requires OU=Administrative UPN changes + cascadestucson.com UPN suffix for that OU)
- M365 relicensing: 31 Business Standard → Business Premium (time-sensitive, 31 SPB seats reportedly free)
- ALIS SSO: blocked on Medtelligent
- Break-glass accounts: not created
- Audit retention infra: not built
- RECEPTIONIST-PC GuruRMM agent (9c91d324): flaky WebSocket, lagging fleet

---

## History Highlights

| Date | Event |
|---|---|
| 2026-03-06 | ACG onboarding begins. Initial audit (CS-SERVER Dell R610, pfSense, UniFi, Synology). 19 machines. No backup, no HIPAA compliance. |
| 2026-03-09 | AD security hardening: Monica Ramirez removed from Domain Admins, lockout policy fixed, AD Recycle Bin enabled, MachineAccountQuota set to 0. |
| 2026-03-31 | Cascades onboarded to remediation tool. Tenant ID documented. 50 users, Secure Score 34%. |
| 2026-04-13 | Major onsite: 13 stale AD accounts deleted, OU structure cleaned, UPNs migrated to cascadestucson.com, Homes share created, Folder Redirection GPO deployed (registry workaround), first domain joins. |
| 2026-04-14 | Sandra Fish global admin revoked. ALIS SSO confirmed. Business Premium proposal created. |
| 2026-04-16 | Breach checks: Megan Hiatt (credential stuffing, not breached; password reset). John Trozzi (clean). Crystal Rodriguez phish. /remediation-tool skill built. |
| 2026-04-17 | Howard onsite: folder redirect Sharon Edwards diagnosis. John Trozzi WiFi (TP-Link + UniFi roaming instability). |
| 2026-04-25 | Entra Connect installed on CS-SERVER (staging mode). 7 deleted mailboxes restored for HIPAA. Dual-WAN discovered. |
| 2026-04-28-29 | CA policy reconciliation. Audit retention architecture (ACG-billed, LAW 90d + Storage 6yr). Break-glass design (2 accounts, YubiKeys). Caregiver pilot scope corrected (phased only). |
| 2026-04-30 | CA rollout (Report-only mode): 3 caregiver policies created. SDM bootstrap. |
| 2026-05-01 | Howard billed 33.5 hrs against prepaid block on Entra project ticket #32214 ($0 invoice). |
| 2026-05-07-08 | SDM phone provisioning. SDM token success. ALIS SSO app registration values captured to vault. |
| 2026-05-14-16 | Caregiver AD accounts created. Security groups always deliberate (no OU→group automation). Wireless diagnostic. |
| 2026-05-18 | Billing review. 39.5 hrs remaining before session. 7 hrs billed separately. |
| 2026-05-20 | Canva email delivery resolved (canva.com domains added to EOP). |
| 2026-05-21 | Lauren Hasselman + Crystal Rodriguez domain join attempted — passwords didn't work. Comment posted to migration ticket. |
| 2026-05-22 | Ashley Jensen domain-joined. RECEPTIONIST-PC domain-joined. GPO ILT fixes (FrontDesk printer + R: drive). cascadesDS auth failure diagnosed (workgroup collision) and deferred. |
| 2026-05-24 | RECEPTIONIST-PC GuruRMM agent noted as 0.6.37 straggler while fleet at 0.6.38. Flaky WebSocket. |

---

## Compilation Notes

**Session logs read:** 25 root session logs + client-specific logs in `clients/cascades-tucson/session-logs/` + 7 memory files + 5 structured docs. Date range: 2026-03-06 through 2026-05-24.

**Client folder:** `clients/cascades-tucson/` (NOT `clients/cascades/` — that directory does not exist).

**Open items flagged as unverified:**

- Hour balance — always live-check; 2026-05-01 invoice debit may not have fired correctly
- New tiered remediation app suite — Cascades still on old `fabb3421` as of 2026-04-20; unknown if consented since
- DMARC p=none — action item from 2026-04-20, no evidence of resolution
- Break-glass accounts + YubiKeys — decision 2026-04-29, no evidence of execution
- Audit retention infra — approved 2026-04-29, not yet built
- dunedolly21@gmail.com guest invite — confirm with Lauren

## Backlinks

- [[projects/gururmm]] — RECEPTIONIST-PC enrolled (site CascadesTucson); CS-SERVER enrolled