claudetools/clients/cascades-tucson/docs/issues/audit-findings-2026-03-20.md
Howard Enos 8d975c1b44 import: ingested 160 files from C:\Users\howar\Clients
Howard's personal MSP client documentation folder imported into shared
ClaudeTools repo via /import command. Scope:

Clients (structured MSP docs under clients/<name>/docs/):
- anaise       (NEW)  - 13 files
- cascades-tucson     - 47 files merged (existing had only reports/)
- dataforth           - 18 files merged (alongside incident reports)
- instrumental-music-center - 14 files merged
- khalsa       (NEW)  - 22 files, multi-site (camden, river)
- kittle       (NEW)  - 16 files incl. fix-pdf-preview, gpo-intranet-zone
- lens-auto-brokerage (NEW) - 3 files (name matches SOPS vault)
- _client_template    - 13-file scaffold for new clients

MSP tooling (projects/msp-tools/):
- msp-audit-scripts/ - server_audit.ps1, workstation_audit.ps1, README
- utilities/         - clean_printer_ports, win11_upgrade,
                       screenconnect-toolbox-commands

Credential handling:
- Extracted 1 inline password (Anaise DESKTOP-O8GF4SD / david)
  to SOPS vault: clients/anaise/desktop-o8gf4sd.sops.yaml
- Redacted overview.md with vault reference pattern
- Scanned all 160 files for keys/tokens/connection strings -
  no other credentials found

Skipped:
- Cascades/.claude/settings.local.json (per-machine config)
- Source-root CLAUDE.md (personal, claudetools has its own)
- scripts/server_audit.ps1 and workstation_audit.ps1 at source root
  (identical duplicates of msp-audit-scripts versions)

Memory updates:
- reference_client_docs_structure.md (layout, conventions, active list)
- reference_msp_audit_scripts.md (locations, ScreenConnect 80-char rule)

Session log: session-logs/2026-04-16-howard-client-docs-import.md

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-16 19:43:58 -07:00

Cascades Master Issue Tracker

Combined from fleet audit (2026-03-20) and all prior issue log entries.

Work Log

2026-03-26

  • MAINTENANCE-PC: Uninstalled OneDrive (corrupt Telemetry.dll causing entry point error on boot, user doesn't use it)

2026-03-25

  • MAINTENANCE-PC: Disabled Wi-Fi power saving + Fast Startup (was dropping Wi-Fi after idle)

2026-03-21

  • Enabled AD Recycle Bin
  • Set MachineAccountQuota = 0
  • Set RestrictAnonymous = 1 on CS-SERVER
  • Ran stale printer port cleanup on all machines

2026-03-20 (evening)

  • Ran audits on all 19 machines, built full documentation
  • Pro key applied: ANN-PC, DESKTOP-DLTAGOI, MAINTENANCE-PC, MDIRECTOR-PC
  • RDP disabled: ASSISTMAN-PC, DESKTOP-U2DHAP0
  • AutoPatch + Win 11 upgrade tasks pushed to 15 machines (overnight, stops 5AM)
    • Skipped: CS-SERVER (server), RECEPTIONIST-PC (front desk), MEMRECEPT-PC (front desk + ancient hw)
    • After Win 11 upgrade completes on LAPTOP-DRQ5L558 and LAPTOP-E0STJJE8, push Pro key

CRITICAL

  • 1. No backup — anywhere

    • CS-SERVER has no backup. It is the ONLY DC. If it dies, everything is gone.
    • Synology ABB blocked (ext4, needs Btrfs) — use Windows Server Backup to Synology SMB share instead
    • No M365 backup either
    • HIPAA §164.308(a)(7)
  • 2. CS-SERVER hardware — 2009 Dell R610, extreme failure risk

    • 16+ years old. Single server runs: DC, DNS, DHCP, File Server, Hyper-V (VoIP), RDS, IIS, NPS
    • No second DC — if hardware fails, AD, DNS, shares, phones ALL go down
    • Plan: migrate to new hardware, add second DC
  • 3. Windows Updates — 6 machines critically behind

    • [~] DESKTOP-LPOPV30 — 13 months behind — AutoPatch running overnight
    • [~] LAPTOP2 — 8 months — AutoPatch running overnight
    • [~] CRYSTAL-PC — 5 months — AutoPatch running overnight
    • MEMRECEPT-PC — 4 months — skipped (front desk, ancient hw)
    • [~] ASSISTMAN-PC — 3 months — AutoPatch running overnight
    • [~] DESKTOP-KQSL232 — 3 months — AutoPatch running overnight
    • RECEPTIONIST-PC also skipped — needs update run scheduled
  • 4. Windows Home → Pro upgrades (2026-03-20)

    • ANN-PC, DESKTOP-DLTAGOI, MAINTENANCE-PC, MDIRECTOR-PC — done via changepk
    • LAPTOP-DRQ5L558, LAPTOP-E0STJJE8 — pending Win 11 upgrade first
    • MEMRECEPT-PC — replace machine instead
  • 5. Shared accounts with NO PASSWORD accessing PHI

    • NURSESTATION-PC: "Nurses" — accesses ALIS (medical records)
    • MEMRECEPT-PC: "memfrtdesk" — MemCare front desk
    • RECEPTIONIST-PC: "Front Desk" — mapped drives to CS-SERVER
    • DESKTOP-KQSL232: Lois Lane — PasswordRequired=False
    • Also: AD shared accounts (Culinary, Receptionist, saleshare, directoryshare) need replacement — Phase 5
    • HIPAA §164.312(a)(2)(i)
  • 6. No audit logging

    • CS-SERVER: Object Access auditing completely disabled — cannot track PHI access
    • Synology NAS: stores PHI with no access auditing (ext4 can't support it) — migrate to CS-SERVER NTFS
    • HIPAA §164.312(b)
  • 7. Expired SSL certificate on CS-SERVER (2025-04-02)

    • Self-signed cert expired ~1 year ago, causing Schannel TLS errors
  • 8. Floating firewall rule #4 passes ALL IPv4 traffic

    • Breaks room-to-room VLAN isolation — residents can reach staff VLAN, servers, other rooms
    • Planned: Phase 1.3 — replace with scoped rules
    • HIPAA §164.312(e)(1)
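Finding 6 has two halves: the audit subcategory has to be on, and the PHI folder needs a SACL or nothing is logged. The following is an added example (not part of the tracker) of doing both on CS-SERVER from an elevated PowerShell session; `$SharePath` is a placeholder for the real share root once the Synology data has been migrated to NTFS.

```powershell
# Added example, not from the tracker: enable file-system object-access auditing on
# CS-SERVER and put a SACL on a PHI share so reads, writes and deletes by any account
# are written to the Security log (event 4663). Run elevated on the server.
# $SharePath is a placeholder; substitute the real share root after the Synology migration.
$SharePath = 'D:\Shares\PHI'

# 1. Turn on the advanced audit subcategory (the tracker says this is completely disabled)
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add an inheritable audit rule to the share root; -Audit is required to read/write the SACL
$acl  = Get-Acl -Path $SharePath -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, ChangePermissions, TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# 3. Verify both halves: the policy is on, and the SACL is present on the folder
auditpol /get /subcategory:"File System"
(Get-Acl -Path $SharePath -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags
```

Success auditing of reads on a busy share is noisy, so raise the Security log maximum size or forward events to a collector before enabling it, otherwise the 4663 trail rolls over in hours.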

HIGH

  • 9. Remove non-IT staff from Domain Admins

    • Meredith.Kuhn — never logged in, never set password
    • John.Trozzi — never logged in, never set password
  • 10. AD password issues

    • 23 accounts never set a password (null PasswordLastSet)
    • 10 accounts with PasswordNeverExpires (Lois.Lane, strozzi, Culinary, Receptionist, howard, directoryshare, etc.)
    • Password min length only 7 — increase to 12 in Default Domain Policy
    • krbtgt password 569 days old (last set 2024-08-28) — rotate
  • 11. No screen lock on ANY machine

    • Zero machines have inactivity timeout or screensaver lock
    • Staff walk away from ALIS sessions, shared drives, email — all open
    • Push via GPO (domain) or registry (non-domain)
  • 12. BitLocker broken/missing fleet-wide

    • Fix protection OFF (encrypted but no protectors): ACCT2-PC, LAPTOP2, RECEPTIONIST-PC
    • Enable on remaining 13 machines (requires Pro — do after upgrades)
    • Only 2 of 18 working correctly (DESKTOP-LPOPV30, DESKTOP-U2DHAP0)
  • 13. No LAPS — same local admin password on every machine

    • Compromise one = compromise all. Deploy Windows LAPS.
  • 14. Share permissions wide open on CS-SERVER

    • Culinary: Everyone=FullControl → SG-Culinary-RW
    • directoryshare: Everyone=FullControl → SG-Directory-RW
    • Roaming: Domain Users=FullControl → restrict
    • Shares (parent): Everyone=FullControl NTFS → restrict
    • Security groups already designed — apply during Phase 2
  • 15. M365 — no MFA, no BAA signed

    • Enable Security Defaults (MFA) in Entra ID — free, 5 minutes
    • Sign Microsoft HIPAA BAA in M365 Admin Center
    • Verify BAA with ALIS (go-alis.com) — ask management
    • HIPAA §164.312(d) and §164.308(b)(1)
  • 16. M365 licenses full (34/34) — 12 role accounts wasting licenses

    • Convert role-based accounts to shared mailboxes (~$150/mo savings)
    • Frees licenses for actual employees
    • Delete: Kristiana Dowse (HR confirmed), "howaed" typo guest account
    • Delete shared mailboxes: Anna Pitzlin, Nela Durut-Azizi (HR confirmed OK)
    • Sandra Fish still global admin — create break-glass admin, remove her access
  • 17. QuickBooks installed on Domain Controller

    • QB Pro 2024 running on CS-SERVER with DB listener on port 6600
    • Should be on dedicated workstation or VM — increases DC attack surface
  • 18. Account lockout was disabled (fixed threshold, but GPO not fully deployed)

    • Default Domain Policy: 5 attempts / 30 min (fixed 2026-03-09)
    • But most PCs aren't domain-joined so policy doesn't apply to them yet
  • 19. RDP without NLA (2026-03-20)

    • ASSISTMAN-PC — disabled
    • DESKTOP-U2DHAP0 — disabled
  • 20. TightVNC on MEMRECEPT-PC + old MSP remote access tools everywhere

    • TightVNC on MEMRECEPT-PC — unauthorized remote access, no-password machine
    • Splashtop Streamer — ALL 19 machines
    • Datto RMM — CS-SERVER at minimum
    • N-able Take Control — some machines
    • RemotePC — ASSISTMAN-PC, CHEF-PC, DESKTOP-U2DHAP0
    • TeamViewer — ANN-PC
    • GoTo Opener — ANN-PC, MDIRECTOR-PC, DESKTOP-H6QHRR7
  • 21. AV conflicts on multiple machines

    • RECEPTIONIST-PC: Bitdefender + Datto AV both running
    • LAPTOP-E0STJJE8: McAfee LiveSafe + Datto AV
    • MDIRECTOR-PC: COMODO AV disabled (stale, remove)
    • CHEF-PC: Norton Security Scan (bloatware)
  • 22. RDS licensing expired ~17 months ago

    • RDS roles installed (Connection Broker, Session Host, Web Access) but no CALs
    • Decide: purchase CALs or remove RDS roles
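The counts in findings 9 and 10 (never-set passwords, PasswordNeverExpires, Domain Admins that never logged on, krbtgt age, minimum length) can be re-run after each cleanup pass. This is an added example, not a script from the repo; it assumes a domain-joined admin session with the RSAT ActiveDirectory module.

```powershell
# Added example, not from the tracker: re-run the checks behind findings 9 and 10
# from a domain-joined admin session with the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$props = 'PasswordLastSet','PasswordNeverExpires','PasswordNotRequired','Enabled','LastLogonDate'
$users = Get-ADUser -Filter * -Properties $props

# Accounts that have never set a password (null PasswordLastSet)
$neverSet     = @($users | Where-Object { -not $_.PasswordLastSet })
# Accounts exempt from the expiry policy
$neverExpires = @($users | Where-Object { $_.PasswordNeverExpires })
# Accounts flagged as not requiring a password at all
$noPwdNeeded  = @($users | Where-Object { $_.PasswordNotRequired })

# Domain Admins (including nested groups) who have never logged on
$daNoLogon = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties LastLogonDate |
    Where-Object { -not $_.LastLogonDate })

# krbtgt age: the tracker flags 569 days. Rotate it twice, at least 10 hours apart,
# so tickets issued under the old key expire before the second reset.
$krbtgt    = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
$krbtgtAge = (New-TimeSpan -Start $krbtgt.PasswordLastSet -End (Get-Date)).Days

$policy = Get-ADDefaultDomainPasswordPolicy

[pscustomobject]@{
    NeverSetPassword     = $neverSet.Count
    PasswordNeverExpires = $neverExpires.Count
    PasswordNotRequired  = $noPwdNeeded.Count
    DomainAdminsNoLogon  = ($daNoLogon.SamAccountName -join ', ')
    KrbtgtAgeDays        = $krbtgtAge
    MinPasswordLength    = $policy.MinPasswordLength
}

# Remediation for the min-length finding (raises Default Domain Policy from 7 to 12):
# Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot -MinPasswordLength 12
```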
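Finding 11 notes that non-domain machines cannot take the screen-lock GPO, so the registry route is needed until Phase 3. The block below is an added example (not from the repo's utilities) of what an RMM push running as SYSTEM would write: the machine-wide inactivity limit plus the same screen-saver policy values a GPO sets, for every user hive currently loaded. The 600-second timeout is an assumed value.

```powershell
# Added example, not from the tracker: enforce an inactivity lock on a workstation that
# is not domain-joined, so finding 11 is covered before the Phase 3 domain join.
# Run elevated (e.g. pushed through the RMM as SYSTEM). 600 seconds is an assumed value.
$TimeoutSeconds = 600

# Machine-wide: "Interactive logon: Machine inactivity limit". Locks every session on
# the PC after the idle period, regardless of which user profile is signed in.
$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
New-ItemProperty -Path $sys -Name InactivityTimeoutSecs -PropertyType DWord -Value $TimeoutSeconds -Force | Out-Null

# Per-user: the screen-saver policy values a GPO would write, applied to every user hive
# currently loaded under HKEY_USERS (account SIDs start with S-1-5-21; _Classes keys are skipped).
if (-not (Test-Path 'HKU:\')) { New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null }
$desktop = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop'
Get-ChildItem 'HKU:\' | Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } | ForEach-Object {
    $key = "HKU:\$($_.PSChildName)\$desktop"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name ScreenSaveActive    -PropertyType String -Value '1' -Force | Out-Null
    New-ItemProperty -Path $key -Name ScreenSaverIsSecure -PropertyType String -Value '1' -Force | Out-Null
    New-ItemProperty -Path $key -Name ScreenSaveTimeOut   -PropertyType String -Value "$TimeoutSeconds" -Force | Out-Null
    New-ItemProperty -Path $key -Name 'SCRNSAVE.EXE'      -PropertyType String -Value 'C:\Windows\System32\scrnsave.scr' -Force | Out-Null
}

# Verify the machine-wide value took effect
$applied = (Get-ItemProperty -Path $sys -Name InactivityTimeoutSecs).InactivityTimeoutSecs
if ($applied -ne $TimeoutSeconds) { throw "InactivityTimeoutSecs is $applied on $env:COMPUTERNAME, expected $TimeoutSeconds" }
"Inactivity lock set to $applied seconds on $env:COMPUTERNAME"
```

Only hives loaded at run time receive the per-user values; the machine-wide InactivityTimeoutSecs covers signed-out profiles and the shared no-password accounts from finding 5.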

MEDIUM

  • 23. Most PCs not domain-joined (15 of 18)

    • Only 3 joined: ACCT2-PC, CRYSTAL-PC, DESKTOP-H6QHRR7
    • No GPOs apply to the other 15 (password policy, screen lock, BitLocker, drive maps)
    • Domain join planned Phase 3, needs Pro on all machines first
  • 24. Network — machines on wrong subnets

    • LAPTOP-DRQ5L558 on Guest WiFi (10.0.50.x) — no internal access at all
    • Many machines on old LAN (192.168.2-3.x) instead of INTERNAL (10.0.20.x)
    • Most non-domain machines have DNS pointed at pfSense (192.168.0.1) instead of CS-SERVER — adds latency for AD lookups
  • 25. AD OU cleanup — 13 junk root-level OUs

    • 10 duplicate department OUs + Managment (misspelled) + MemCare + Sales
    • 20 accounts in CN=Users need placement
    • Scripts ready: phase2-ou-cleanup.ps1, phase2-ad-setup.ps1
  • 26. Delete confirmed former employee AD accounts

    • Disabled: Anna.Pitzlin, Nela.Durut-Azizi, Jodi.Ramstack, Monica.Ramirez, Jeff.Bristol
    • Enabled but gone: Haris.Durut, Nuria.Diaz, Cathy.Reece, Kelly.Wallace, Isabella.Islas, ann.dery, alyssa.brooks (duplicate)
    • Lupe.Sanchez — possible duplicate of Guadalupe.Sanchez (verify onsite)
  • 27. AD ↔ M365 identity issues

    • Tamra.Johnson AD account needs rename to Tamra.Matthews (M365 already correct)
    • nick pavloff has M365 but no AD account
    • AD and M365 fully separate (no Entra Connect) — evaluate after Phase 3
    • 13 AD users have no M365 account (hourly staff — determine if they need email)
  • 28. Hardware problems

    • MEMRECEPT-PC: Pentium E5500, 6GB RAM, 100Mbps NIC — replace entirely
    • MDIRECTOR-PC: only 3.9 GB RAM — upgrade or replace
    • MAINTENANCE-PC: disk 85% full (34.6 GB free) — clean up
    • ASSISTMAN-PC: 7 local admin accounts — clean up to 3
  • 29. Kitchen iPads not isolated

    • 9 iPads on INTERNAL VLAN with full access to staff resources
    • Food service only, NOT medical — restrict to kitchen thermal printers only
    • Needs firewall rules restricting iPad MACs to printer IPs + internet
  • 30. 9 offline UniFi APs — coverage gaps

    • APs on floors 1-4 offline, some on wrong IP ranges (192.168.6-7.x)
    • Need physical visit to check power, cables, re-adopt
  • 31. Printer issues

    • 206 Health Services Brother printer drops WiFi (192.168.1.138) — wire it or fix signal
    • Brother printer 192.168.2.53 dual-connected (WiFi + ethernet, ARP flapping) — disable one
    • Bizhub C368 location and status unknown — find it onsite
    • Room 405 long print lag — investigate onsite
  • 32. LDAP Channel Binding not configured on CS-SERVER

  • 33. Stale DNS records

    • 192.168.2.59 and 192.168.0.5 in GC (old DCs?)
    • DESKTOP-1ISF081 has AAAA but no A record
  • 34. UniFi VLAN 10 "CSC Internal Network" mismatch

    • UniFi has VLAN 10 but pfSense uses VLAN 20 for INTERNAL — VLAN 10 may be orphaned
  • 35. Room 339 pfSense interface possibly disabled

    • Missing <enable> tag — verify if room is occupied
  • 36. SSH on pfSense — verify hardening

    • Confirm key-based auth only, restricted to management VLAN
  • 37. Synology shares still mapped directly from MDIRECTOR-PC

    • H: \\cascadesds\homes, M: \\cascadesds\Management, P: \\cascadesds\Public
    • Should point to CS-SERVER after migration
  • 38. Lauren Hasselman needs Sales share access

    • Replaced Jeff Bristol as Business Office Director, permissions not granted

LOW

  • 39. Remove stale user profiles from workstations

    • DESKTOP-LPOPV30: Haris Durut, Jodi Ramstack, Nela
    • NURSESTATION-PC: Adella Clark (2021), April Hughes (2020)
    • MAINTENANCE-PC: nick (2024-08), John Trozzi (disabled)
    • ASSISTMAN-PC: Cecil Rinker, "DO NOT USE"
  • 40. CS-SERVER cleanup

    • Remove AutomationManagerAgent orphan service (file not found)
    • Delete "Synology Sync machine" VM (off, not needed)
    • Remove unused DHCP role
    • Decide on Power Options GPO (unlinked) — keep or delete
    • Remove 3 empty GPOs (CopyRoomPrinter, Nurses-Kiosk, MemCareMedTechPrinter) — if not already deleted
  • 41. GPOs not deployed yet (Phase 2.5-2.6)

    • CSC - Drive Mappings, CSC - Printer Deployment, CSC - Security Baseline, CSC - Windows Update, CSC - Folder Redirection, CSC - Shared Workstation
    • Blocked on: domain join (Phase 3)
  • 42. RMM documentation missing

    • rmm/rmm.md is blank — document agent counts, monitoring, patch policies

COMPLETED

  • RDP disabled on ASSISTMAN-PC + DESKTOP-U2DHAP0 (2026-03-20)
  • Pro key applied: ANN-PC, DESKTOP-DLTAGOI, MAINTENANCE-PC, MDIRECTOR-PC (2026-03-20)
  • Orphan printer ports cleaned on all machines (2026-03-21)
  • AD Recycle Bin enabled (2026-03-21)
  • MachineAccountQuota set to 0 (2026-03-21)
  • RestrictAnonymous set to 1 (2026-03-21)
  • Guest WiFi isolated to VLAN 50 (2026-03-06)
  • DNS scavenging enabled, stale records cleaned (2026-03-06)
  • Reverse DNS zones created (2026-03-06)
  • Room 218 DHCP scope fixed (2026-03-07)
  • Room 130 disabled firewall rule deleted (2026-03-07)
  • CS-SERVER timezone fixed to Arizona (2026-03-07)
  • LG TV ARP flapping fixed (ethernet disabled) (2026-03-07)
  • Account lockout set to 5/30 (2026-03-09)
  • Monica.Ramirez removed from Domain Admins (2026-03-09)
  • 3 empty GPOs reviewed (CopyRoomPrinter, Nurses-Kiosk, MemCareMedTechPrinter) (2026-03-07)

Known Issues / Workarounds

  • Older DirecTV boxes cannot connect to VLAN networks (CSCNet)

    • Must first join CSC ENT (non-VLAN), receive a software update, then they can join CSCNet
    • Affects resident room DirecTV boxes — discovered 2026-03-22
  • Synology NAS is ext4 — cannot use Active Backup for Business

    • Use Windows Server Backup to Synology SMB share instead
    • Cannot convert without wiping volume
  • changepk.exe fails on Win 10 Home with Pro for Workstations key (error 0x80070490)

    • Must upgrade to Win 11 first, then apply key — or use key during ISO setup