claudetools/wiki/clients/quantumwms.md
Commit 847d63426a, Howard Enos (HOWARD-HOME), 2026-06-01 09:11:39 -07:00: sync: auto-sync from HOWARD-HOME at 2026-06-01 09:11:26


---
title: Quantum WMS
slug: quantumwms
type: client
project_key: clients/quantumwms
last_updated: 2026-06-01
---

# Quantum WMS

## Overview

| Field | Value |
|---|---|
| Company | Quantum Wealth Management |
| Primary domain | quantumwms.com |
| Personal domain | sheilaperess.com |
| M365 tenant (CURRENT) | quantumwms.onmicrosoft.com / 2fd0092b-e9b7-474c-ad73-301f34dd6b64; Pax8-provisioned 2026-05-27 |
| Old tenants (bypassed) | 8f7eaff4-... (NETORGFT2570783, GoDaddy/johnvelez) and dormant ddf3d2c9-... (netorg18235235); NOT in use |
| GoDaddy admin | plan@johnvelez.com (John Velez); ACG has delegate access |
| Project key | clients/quantumwms |

## Current Status (2026-06-01)

- 6/03 license-lapse deadline: RESOLVED. Both firm users are M365 Business Premium licensed and have activated Office (John and Sheila both signed into Microsoft Office from the Tucson office 2026-05-27). They will not lose the Office apps when the M365 Personal subscription lapses 2026-06-03.
- Mail is still on Intermedia (HEX). The MX cutover to Exchange Online has not been done; the mailboxes in the new tenant exist but are still empty.
- Migration remainder pending: PST backups (pre-cutover), MX/mail cutover, Conditional Access enforcement, Defender for Business onboarding, DMARC/SPF/DKIM, DNS to Cloudflare, Exchange Online Plan 1 for the personal-domain accounts, GoDaddy/Intermedia cancellation.

## [WARNING] Security: active password-spray on john@quantumwms.com

Read-only review 2026-06-01 (see clients/quantumwms/reports/2026-06-01-m365-review.md):

- john@quantumwms.com is being hit by a distributed password-spray: 98 failed sign-ins from 98 unique IPs (datacenter/proxy IPv6 ranges, an Amsterdam NL IP flagged malicious, and a password guess from Praha CZ). One guess per IP is the low-and-slow pattern that stays under per-IP smart lockout. 0 successful malicious logins; the account is NOT breached (Entra blocked the IPs and the password guesses failed).
- Exposure: John is NOT MFA-registered, his initial password is weak and OSINT-guessable, and the protective CA policies (require-MFA, block-non-US) are report-only. Security Defaults is ON, but it only challenges users who have completed MFA registration, and neither John nor Sheila has; until they register (or the 14-day registration grace period runs out) it does nothing for their sign-ins.
- Recommended (not yet done): force-reset John's password and revoke his existing sessions and refresh tokens so the old credential cannot be replayed; walk both users through MFA registration; then enforce CA001 (MFA) and CA003 (block non-US). Break-glass is already excluded from all three policies. Security Defaults must be turned off before any CA policy can move from report-only to On, so sequence it as: register users, then disable Security Defaults and enable the policies in the same change window.
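The spray pattern above (many source IPs, one failure each, no success) is exactly what a triage script should key on. The block below is an added example for this page, not part of ACG's review tooling: it summarizes sign-in records in the shape Microsoft Graph's `/auditLogs/signIns` returns and distinguishes a spray that has failed from one that has found a working password. Every record, IP and timestamp in it is constructed; the AADSTS result codes it keys on (50126 bad password, 50053 lockout/blocked source, 50076 MFA interrupt) are Entra's.

```python
"""Password-spray triage over Entra ID sign-in records (added example).

Records follow the shape of Microsoft Graph /auditLogs/signIns:
userPrincipalName, ipAddress, createdDateTime and status.errorCode.
All records, IPs and times below are constructed for the example.
"""
from collections import defaultdict

# Entra (AADSTS) codes found in status.errorCode.
SUCCESS = 0
BAD_PASSWORD = 50126        # invalid username or password
LOCKED_OR_BLOCKED = 50053   # smart lockout / blocked source IP
MFA_REQUIRED = 50076        # interrupted for MFA: the password was correct

# A sprayer reaching 50076 has found a working password even though no
# session was issued, so it counts as a "hit" alongside a full success.
PASSWORD_HIT = {SUCCESS, MFA_REQUIRED}


def rec(upn, ip, code, when):
    """One sign-in record in Graph's shape (constructed data)."""
    return {"userPrincipalName": upn, "ipAddress": ip,
            "createdDateTime": when, "status": {"errorCode": code}}


def constructed_log():
    """A spray against john@ (one guess per IP) plus normal activity."""
    log = [rec("john@quantumwms.com", f"2001:db8:{i:x}::1", BAD_PASSWORD,
               f"2026-06-01T03:{i:02d}:00Z") for i in range(25)]
    log.append(rec("john@quantumwms.com", "203.0.113.7", LOCKED_OR_BLOCKED,
                   "2026-06-01T03:30:00Z"))
    log += [rec("sheila@quantumwms.com", "198.51.100.10", SUCCESS,
                f"2026-06-01T1{i}:00:00Z") for i in range(3)]
    # sysadmin: a legitimate MFA interrupt followed by success, same IP
    log.append(rec("sysadmin@quantumwms.com", "198.51.100.10", MFA_REQUIRED,
                   "2026-06-01T09:00:00Z"))
    log.append(rec("sysadmin@quantumwms.com", "198.51.100.10", SUCCESS,
                   "2026-06-01T09:00:30Z"))
    return log


def triage(records, spray_ip_threshold=10):
    """Per-UPN summary with a verdict.

    SPRAY_NO_SUCCESS      many distinct source IPs failing, no password hit
    COMPROMISE_SUSPECTED  a hit from an IP that also appears among the
                          failures, i.e. the sprayer got through
    NORMAL                everything else (incl. a user's own MFA interrupts)
    """
    acc = defaultdict(lambda: {"fail_ips": set(), "hit_ips": set(), "fails": 0})
    for r in records:
        e = acc[r["userPrincipalName"].lower()]
        if r["status"]["errorCode"] in PASSWORD_HIT:
            e["hit_ips"].add(r["ipAddress"])
        else:
            e["fail_ips"].add(r["ipAddress"])
            e["fails"] += 1
    report = {}
    for upn, e in acc.items():
        n_ips = len(e["fail_ips"])
        sprayed = n_ips >= spray_ip_threshold
        overlap = sorted(e["hit_ips"] & e["fail_ips"])
        verdict = ("COMPROMISE_SUSPECTED" if sprayed and overlap
                   else "SPRAY_NO_SUCCESS" if sprayed else "NORMAL")
        report[upn] = {
            "verdict": verdict,
            "unique_fail_ips": n_ips,
            "fail_count": e["fails"],
            # 1.0 = one guess per IP, the distributed pattern that sidesteps
            # per-IP smart lockout (98 failures / 98 IPs on the real account)
            "ip_spread": round(n_ips / e["fails"], 2) if e["fails"] else 0.0,
            "hit_ips_overlapping_failures": overlap,
        }
    return report


if __name__ == "__main__":
    for upn, row in triage(constructed_log()).items():
        print(f"{upn:28} {row['verdict']:22} ips={row['unique_fail_ips']}"
              f" spread={row['ip_spread']}")
```

A 50076 on a sprayed account is the signal to act on immediately: the password is right and only MFA, which John has not registered, would stand in the way.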

## Contacts

| Name | Role | Notes |
|---|---|---|
| John Velez | Primary contact / M365 global admin | plan@johnvelez.com; GoDaddy account owner for both domains |
| Sheila Peress | Owner/principal | sheilaperess.com personal domain; compliance decision-maker; final say on license tier |

## Current Email Infrastructure

- Registrar: GoDaddy (quantumwms.com + sheilaperess.com); ACG has delegate access
- DNS: GoDaddy DomainControl (NS03/NS04.DOMAINCONTROL.COM); no DNSSEC
- Mail routing: Intermedia hosted Exchange, exch090.serverdata.net cluster (east/west)
  - IP: 64.78.25.106 (Intermedia data center)
  - Autodiscover: ar-east.exch090.serverdata.net
  - This is Exchange Server software hosted by Intermedia, NOT Exchange Online
- Intermedia setup: hosted Exchange Server (HEX), not a hybrid deployment with Exchange Online. It carries the full Exchange Server CVE surface, and patch timing is Intermedia's, not Microsoft's.

## DNS / Email Security Gaps (CRITICAL)

| Record | Status | Impact |
|---|---|---|
| DMARC | MISSING | Anyone can spoof @quantumwms.com; receivers have no policy to enforce and the firm gets no aggregate reports showing who is sending as the domain |
| SPF | TWO RECORDS (misconfiguration) | RFC 7208 permits exactly one SPF record per name; with two, receivers return permerror, so neither record authorizes anything and SPF effectively fails for all mail. With no DKIM either, outbound mail has no passing authentication at all |
| DKIM | Not found on standard selectors | Outbound mail not cryptographically signed. A miss on common selectors is not proof (selector names are arbitrary), but Intermedia's selector, if any, would have to be located |
| DNSSEC | Not signed | DNS answers can be spoofed (cache poisoning). DNSSEC does not protect against registrar-account takeover; that risk lives in the GoDaddy account's own security |

SPF records found (conflict):

1. `v=spf1 include:spf.intermedia.net -all`
2. `v=spf1 include:_spf-usg1.ppe-hosted.com include:secureserver.net ~all`
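Two SPF records is not "the second one wins"; it is a permerror for the whole domain. The block below is an added example for this page, not ACG's tooling: a posture check that evaluates SPF (record count, DNS-lookup budget, `all` qualifier), DMARC and DKIM from TXT answers, and builds the single merged SPF record that replaces the two. The zone answers are constructed to mirror what the page reports for quantumwms.com, plus a constructed healthy domain (`good.example`) for contrast; `txt()` is a stand-in for a resolver, so swap it for dnspython's `dns.resolver.resolve(name, "TXT")` to run it live. The merged record keeps every include from both records; which of them should survive is a migration decision (after cutover the Intermedia include goes away and Exchange Online's `spf.protection.outlook.com` comes in), so treat the merge as a starting point, not the final record.

```python
"""SPF / DMARC / DKIM posture check over constructed TXT answers (added example).

`txt()` stands in for a resolver; ZONE mirrors what the page reports for
quantumwms.com and adds good.example as a constructed healthy contrast.
"""
import re

ZONE = {
    "quantumwms.com": [
        "v=spf1 include:spf.intermedia.net -all",
        "v=spf1 include:_spf-usg1.ppe-hosted.com include:secureserver.net ~all",
    ],
    "good.example": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "selector1._domainkey.good.example": ["v=DKIM1; k=rsa; p=MIIBconstructedKey"],
}
COMMON_SELECTORS = ("selector1", "selector2", "default", "google", "k1", "dkim")
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208 §4.6.4


def txt(name):
    """TXT lookup stand-in; replace with dns.resolver.resolve(name, "TXT") for live use."""
    return ZONE.get(name.lower(), [])


def _split_term(term):
    """('qualifier', 'name') for one SPF term, e.g. '-all' -> ('-', 'all')."""
    qual, body = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
    return qual, re.split(r"[:=/]", body, maxsplit=1)[0].lower()


def spf_lint(record):
    """Lint one SPF record: DNS-lookup budget and the 'all' qualifier."""
    issues, lookups, all_qual = [], 0, None
    for term in record.split()[1:]:
        qual, name = _split_term(term)
        lookups += name in LOOKUP_TERMS
        if name == "all":
            all_qual = qual
    if lookups > 10:
        issues.append(f"{lookups} DNS-querying terms, limit is 10 (permerror)")
    if all_qual is None:
        issues.append("no 'all' term: unlisted senders evaluate neutral")
    elif all_qual in "+?":
        issues.append(f"'{all_qual}all' authorizes any sender")
    elif all_qual == "~":
        issues.append("softfail only; move to -all once senders are confirmed")
    return {"lookups": lookups, "all": all_qual, "issues": issues}


def spf_check(domain):
    records = [r for r in txt(domain) if r.lower().startswith("v=spf1")]
    if not records:
        return {"result": "none", "records": [], "issues": ["no SPF record"]}
    if len(records) > 1:
        # RFC 7208 §3.2 and §4.5: more than one record MUST yield permerror,
        # so neither record authorizes anything; it is not "either one wins".
        return {"result": "permerror", "records": records,
                "issues": [f"{len(records)} SPF records published"]}
    lint = spf_lint(records[0])
    return {"result": "ok" if not lint["issues"] else "weak", "records": records,
            "issues": lint["issues"], "lookups": lint["lookups"]}


def merged_spf(records):
    """Collapse several v=spf1 records into one: mechanisms in order,
    duplicates dropped, strictest 'all' qualifier kept."""
    terms, seen, alls = [], set(), []
    for record in records:
        for term in record.split()[1:]:
            qual, name = _split_term(term)
            if name == "all":
                alls.append(qual)
            elif term not in seen:
                seen.add(term)
                terms.append(term)
    strictest = next((q for q in "-~?+" if q in alls), "-")
    return " ".join(["v=spf1", *terms, f"{strictest}all"])


def dmarc_check(domain):
    recs = [r for r in txt(f"_dmarc.{domain}") if r.upper().startswith("V=DMARC1")]
    if not recs:
        return {"result": "missing", "policy": None, "rua": None}
    tags = dict(kv.strip().split("=", 1) for kv in recs[0].split(";") if "=" in kv)
    policy = tags.get("p")
    result = "enforcing" if policy in ("quarantine", "reject") else "monitor-only"
    return {"result": result, "policy": policy, "rua": tags.get("rua")}


def dkim_check(domain, selectors=COMMON_SELECTORS):
    """Probe common selectors only; a miss is not proof that DKIM is absent."""
    found = [s for s in selectors
             if any("p=" in r for r in txt(f"{s}._domainkey.{domain}"))]
    return {"found": found}


def posture(domain):
    return {"spf": spf_check(domain), "dmarc": dmarc_check(domain),
            "dkim": dkim_check(domain)}


if __name__ == "__main__":
    for d in ("quantumwms.com", "good.example"):
        print(d, posture(d))
    print("merged:", merged_spf(posture("quantumwms.com")["spf"]["records"]))
```

Publish DMARC at `p=none` with an `rua=` address first; the aggregate reports are what tell you whether the merged SPF record and the new DKIM selector actually cover every sender before the policy moves to quarantine or reject.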

## M365 Tenant (CURRENT: 2fd0092b)

- Tenant: 2fd0092b-e9b7-474c-ad73-301f34dd6b64 ("Quantum Wealth Management"), Pax8-provisioned 2026-05-27
- Domains: quantumwms.onmicrosoft.com (initial), quantumwms.com (primary, verified)
- Management: Pax8 GDAP relationship "Default_Ariz_Quantum Weal_704149625747913" (180 days). All 5 ComputerGuru remediation apps consented with directory roles.
- Email: still on Intermedia HEX; MX not yet cut over to Exchange Online.

### Users (verified 2026-06-01)

| UPN | Display | License | MFA registered | Notes |
|---|---|---|---|---|
| john@quantumwms.com | John Velez | Business Premium (SPB) | No | Office activated 5/27; under password-spray (see Security) |
| sheila@quantumwms.com | Sheila Peress | Business Premium (SPB) | No | Office activated 5/27; 8 clean sign-ins |
| sysadmin@quantumwms.com | Mike Swanson | none | Yes (Authenticator + TOTP) | Global Admin (daily) |
| breakglass@quantumwms.onmicrosoft.com | Break Glass | none | No (by design) | Emergency GA, CA-excluded, vaulted at clients/quantumwms/m365-breakglass.sops.yaml. Any sign-in by this account should raise an alert, since it is exempt from every policy |

### Conditional Access (all report-only as of 2026-06-01; enforcing nothing)

- CA001 Require MFA (all users), CA002 Block legacy auth, CA003 Block sign-in outside US; each excludes break-glass. Security Defaults is ON as the interim MFA control. Security Defaults has to be switched off before any of these policies can be set to On, so the MFA registration drive comes first and the Security Defaults off / policies on switch is one change window, not two.
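Before any of these policies goes from report-only to On, the things that turn a security fix into a lockout get checked: Security Defaults still on, a policy missing the break-glass exclusion, a block policy with no location carve-out. The block below is an added example for this page, not ACG's tooling: it lints policy objects in the shape Microsoft Graph returns from `/identity/conditionalAccess/policies` and emits the PATCH bodies (`{"state": "enabled"}`) only when nothing blocks enforcement. The three policy objects, their IDs, the break-glass object ID and the US named-location ID are constructed to match CA001..CA003 as described above.

```python
"""Pre-enforcement lint for Conditional Access policies (added example).

Policy objects follow the shape of Microsoft Graph
/identity/conditionalAccess/policies. IDs and policy bodies are constructed.
"""
import copy

BREAKGLASS_ID = "11111111-2222-3333-4444-555555555555"   # constructed object id
US_LOCATION_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # constructed named location
REPORT_ONLY = "enabledForReportingButNotEnforced"       # Graph state value


def _users(exclude):
    return {"includeUsers": ["All"], "excludeUsers": list(exclude)}


POLICIES = [
    {"id": "p-ca001", "displayName": "CA001 Require MFA", "state": REPORT_ONLY,
     "conditions": {"users": _users([BREAKGLASS_ID]), "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"id": "p-ca002", "displayName": "CA002 Block legacy auth", "state": REPORT_ONLY,
     "conditions": {"users": _users([BREAKGLASS_ID]),
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"id": "p-ca003", "displayName": "CA003 Block sign-in outside US", "state": REPORT_ONLY,
     "conditions": {"users": _users([BREAKGLASS_ID]), "clientAppTypes": ["all"],
                    "locations": {"includeLocations": ["All"],
                                  "excludeLocations": [US_LOCATION_ID]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]


def with_change(policies, idx, key_path, value):
    """Deep-copied variant of `policies` with one nested field changed (what-if checks)."""
    out = copy.deepcopy(policies)
    node = out[idx]
    for key in key_path[:-1]:
        node = node[key]
    node[key_path[-1]] = value
    return out


def lint_before_enforce(policies, breakglass_id, security_defaults_on,
                        in_scope_users, mfa_registered):
    """Blockers stop the change; warnings are things to tell the users first."""
    blockers, warnings = [], []
    if security_defaults_on:
        blockers.append("Security Defaults is ON; it must be turned off before any "
                        "Conditional Access policy can be set to enabled")
    needs_mfa = False
    for p in policies:
        name = p["displayName"]
        cond = p.get("conditions", {})
        controls = p.get("grantControls", {}).get("builtInControls", [])
        needs_mfa |= "mfa" in controls
        if breakglass_id not in cond.get("users", {}).get("excludeUsers", []):
            blockers.append(f"{name}: break-glass account is not excluded")
        locs = cond.get("locations")
        if ("block" in controls and locs and locs.get("includeLocations") == ["All"]
                and not locs.get("excludeLocations")):
            blockers.append(f"{name}: blocks every location with no exclusion (tenant-wide lockout)")
        if p["state"] == "enabled":
            warnings.append(f"{name}: already enabled")
    unregistered = sorted(set(in_scope_users) - set(mfa_registered))
    if needs_mfa and unregistered:
        warnings.append("require-MFA will interrupt these unregistered users at next sign-in: "
                        + ", ".join(unregistered))
    return {"blockers": blockers, "warnings": warnings}


def enforcement_patches(policies, breakglass_id, security_defaults_on,
                        in_scope_users, mfa_registered):
    """PATCH bodies for /identity/conditionalAccess/policies/{id}, or [] if blocked."""
    lint = lint_before_enforce(policies, breakglass_id, security_defaults_on,
                               in_scope_users, mfa_registered)
    if lint["blockers"]:
        return []
    return [{"id": p["id"], "displayName": p["displayName"], "body": {"state": "enabled"}}
            for p in policies if p["state"] != "enabled"]


if __name__ == "__main__":
    users = ["john@quantumwms.com", "sheila@quantumwms.com", "sysadmin@quantumwms.com"]
    print(lint_before_enforce(POLICIES, BREAKGLASS_ID, True, users, {"sysadmin@quantumwms.com"}))
    broken = with_change(POLICIES, 0, ("conditions", "users", "excludeUsers"), [])
    print(lint_before_enforce(broken, BREAKGLASS_ID, False, users, set()))
    print(enforcement_patches(POLICIES, BREAKGLASS_ID, False, users, set()))
```

The warning about unregistered users is the point of doing registration first: with CA001 On, John and Sheila get the registration interrupt at their next sign-in, which is fine if they have been told to expect it and a support ticket if they have not.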
Legacy admin-consent link for the OLD tenant 8f7eaff4 (bypassed, not in use; kept for history only):

https://login.microsoftonline.com/8f7eaff4-f913-4d3f-b8b9-92e695d987c6/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent

Post-consent onboard command (old tenant ID; the current tenant is 2fd0092b):

```bash
bash onboard-tenant.sh 8f7eaff4-f913-4d3f-b8b9-92e695d987c6
```

## Compliance Context: Broker/Dealer Requirements

John and Sheila believed Intermedia was mandated by their Broker/Dealer. It is not: IFG (Jen Curry) confirmed on 2026-05-27 that Intermedia HEX is being phased out and recommended the move to M365 (see Open Items). The analysis below is kept because it is the argument that was made before that confirmation.

### What SEC Rule 17a-4 / FINRA Rule 4511 actually require

- Retention of business-related electronic communications (17a-4(b)(4)): at least 3 years, the first 2 in an easily accessible place; other record classes under 17a-4(a) run 6 years
- Electronic recordkeeping that is either non-rewritable, non-erasable (WORM) or, under the 2022 amendments to 17a-4(f), kept with a compliant audit-trail alternative
- Supervisory review capability
- Ability to produce records promptly on regulatory demand

### What they do NOT require

- Intermedia specifically
- Any named third-party vendor
- Exchange Server or hosted Exchange

### Microsoft 365 satisfies the FINRA/17a-4 requirements

Microsoft Purview (included in Business Premium) provides immutable archiving with a CFTC/SEC 17a-4 compliance assessment from Cohasset Associates. Exchange Online is widely used by FINRA-registered broker/dealers, and FINRA's published guidance on cloud computing and third-party vendors treats cloud-based recordkeeping as acceptable provided the firm's supervisory and retention obligations are met. The archiving still has to be configured (retention labels/policies and a litigation hold or immutable retention on the mailboxes); buying the license alone does not satisfy the rule.

### Action item (RESOLVED 2026-05-27)

Sheila was asked to produce the written policy from the Broker/Dealer that explicitly named Intermedia as the required platform, on the expectation that no such policy existed and that the B/D policy would require compliant archiving rather than a specific vendor. Resolved ahead of the 2026-05-27 14:00 meeting: IFG (Jen Curry) confirmed Intermedia HEX is being phased out and recommended the move to M365. There is no Intermedia mandate.

## License Plan

| Account | License | Domain |
|---|---|---|
| John (firm) | M365 Business Premium | quantumwms.com |
| Sheila (firm) | M365 Business Premium | quantumwms.com |
| Sheila (personal) | Exchange Online Plan 1 | sheilaperess.com |
| Others (TBD) | Exchange Online Plan 1 | TBD |

## What Business Premium provides over Intermedia

| Capability | Intermedia Hosted Exchange | M365 Business Premium |
|---|---|---|
| Email | Exchange Server (hosted) | Exchange Online (Microsoft cloud) |
| Exchange CVE exposure | YES: full Exchange Server CVE surface, patched on Intermedia's schedule | No server to patch; Microsoft operates and patches Exchange Online |
| Spam/malware filtering | Basic | Defender for Office 365 Plan 1 (Safe Links, Safe Attachments) |
| Frontend filtering | None | Mailprotector (ACG-managed) |
| MFA enforcement | Manual | Entra ID P1 Conditional Access (effective once the policies are switched from report-only to On) |
| FINRA archiving | Intermedia archiver (extra cost) | Microsoft Purview, included |
| Desktop Office apps | No | Yes (Word, Excel, Outlook, etc.) |
| Mobile device management | No | Intune, included |
| DMARC/DKIM setup | Not managed | ACG-managed during migration |

## Migration Steps

1. [DONE] Get consent from John (2026-05-26)
2. [DONE] Obtain written B/D compliance policy from Sheila: no Intermedia mandate (IFG confirmed 2026-05-27)
3. [DONE, superseded] Verified domain: quantumwms.com is verified in the new Pax8 tenant 2fd0092b, not in the johnvelez.com tenant as originally planned
4. [DONE] 2x Business Premium purchased (Pax8 tenant, 2026-05-27)
5. [DONE] Firm mailboxes created (john@quantumwms.com, sheila@quantumwms.com); empty until cutover
6. [DONE] Business Premium licenses assigned (2026-05-27)
7. Set up Mailprotector frontend for quantumwms.com
8. PST backups of John's and Sheila's Intermedia mailboxes (before any cutover)
9. Configure DMARC (publish at p=none with a reporting address first, tighten after the reports confirm coverage), collapse SPF to a single record, configure DKIM
10. Cut MX from Intermedia to Exchange Online (via the Mailprotector frontend from step 7, if it sits inline)
11. Migrate existing mail from Intermedia to Exchange Online
12. [DONE] Activate Office apps on their machines (2026-05-27)
13. Cancel Intermedia after cutover confirmed
14. Move DNS (quantumwms.com + sheilaperess.com) to Cloudflare
15. Purchase Exchange Online Plan 1 for the personal-domain accounts
16. Cancel GoDaddy email hosting per account as each migrates

## GoDaddy Decoupling Plan

- DNS: move both domains to Cloudflare. Pointing the nameservers at Cloudflare does not require unlocking the domains; only a registrar transfer needs the transfer lock removed (and an auth code issued) in GoDaddy first.
- M365 licensing: the GoDaddy-resold O365 Business Essentials is superseded by Business Premium in the Pax8 tenant (2026-05-27); cancel the GoDaddy-resold subscription once the old tenant is confirmed unused.
- Intermedia: cancel after mail cutover confirmed

## Open Items

- RESOLVED: B/D compliance "Intermedia mandate". IFG (Jen Curry) confirmed Intermedia HEX is being phased out and recommended the move to M365 (2026-05-27).
- DONE: 2x Business Premium licensed + Office activated for John & Sheila (2026-05-27); 6/03 lapse risk cleared.
- SECURITY (new, 2026-06-01): force-reset John's password and revoke his sessions; get John + Sheila MFA-registered; then disable Security Defaults and enforce CA001 + CA003 in one change (john@ is under an active password-spray that has so far failed).
- PST backups of John's and Sheila's mailboxes before the Intermedia cutover.
- Mail/MX cutover Intermedia HEX to Exchange Online; then migrate existing mail.
- Defender for Business onboarding; DMARC, single SPF record, DKIM.
- DNS for both domains to Cloudflare.
- Sheila to confirm: sheilaperess.com on Exchange Online Plan 1 only vs. a Business Basic upgrade; determine any additional personal-domain accounts.
- Cancel GoDaddy email hosting + Intermedia per account as each migrates.