claudetools/clients/cascades-tucson/docs/issues/audit-findings-2026-03-20.md
Howard Enos 8d975c1b44 import: ingested 160 files from C:\Users\howar\Clients
Howard's personal MSP client documentation folder imported into shared
ClaudeTools repo via /import command. Scope:

Clients (structured MSP docs under clients/<name>/docs/):
- anaise       (NEW)  - 13 files
- cascades-tucson     - 47 files merged (existing had only reports/)
- dataforth           - 18 files merged (alongside incident reports)
- instrumental-music-center - 14 files merged
- khalsa       (NEW)  - 22 files, multi-site (camden, river)
- kittle       (NEW)  - 16 files incl. fix-pdf-preview, gpo-intranet-zone
- lens-auto-brokerage (NEW) - 3 files (name matches SOPS vault)
- _client_template    - 13-file scaffold for new clients

MSP tooling (projects/msp-tools/):
- msp-audit-scripts/ - server_audit.ps1, workstation_audit.ps1, README
- utilities/         - clean_printer_ports, win11_upgrade,
                       screenconnect-toolbox-commands

Credential handling:
- Extracted 1 inline password (Anaise DESKTOP-O8GF4SD / david)
  to SOPS vault: clients/anaise/desktop-o8gf4sd.sops.yaml
- Redacted overview.md with vault reference pattern
- Scanned all 160 files for keys/tokens/connection strings -
  no other credentials found

Skipped:
- Cascades/.claude/settings.local.json (per-machine config)
- Source-root CLAUDE.md (personal, claudetools has its own)
- scripts/server_audit.ps1 and workstation_audit.ps1 at source root
  (identical duplicates of msp-audit-scripts versions)

Memory updates:
- reference_client_docs_structure.md (layout, conventions, active list)
- reference_msp_audit_scripts.md (locations, ScreenConnect 80-char rule)

Session log: session-logs/2026-04-16-howard-client-docs-import.md

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-16 19:43:58 -07:00


# Cascades Master Issue Tracker

Combined from fleet audit (2026-03-20) and all prior issue log entries.

## Work Log

### 2026-03-26
- [x] MAINTENANCE-PC: Uninstalled OneDrive (corrupt Telemetry.dll causing entry point error on boot, user doesn't use it)

### 2026-03-25
- [x] MAINTENANCE-PC: Disabled Wi-Fi power saving + Fast Startup (was dropping Wi-Fi after idle)

### 2026-03-21
- [x] Enabled AD Recycle Bin
- [x] Set MachineAccountQuota = 0
- [x] Set RestrictAnonymous = 1 on CS-SERVER
- [x] Ran stale printer port cleanup on all machines

### 2026-03-20 (evening)
- [x] Ran audits on all 19 machines, built full documentation
- [x] Pro key applied: ANN-PC, DESKTOP-DLTAGOI, MAINTENANCE-PC, MDIRECTOR-PC
- [x] RDP disabled: ASSISTMAN-PC, DESKTOP-U2DHAP0
- [x] AutoPatch + Win 11 upgrade tasks pushed to 15 machines (overnight, stops 5AM)
  - **Skipped:** CS-SERVER (server), RECEPTIONIST-PC (front desk), MEMRECEPT-PC (front desk + ancient hw)
  - After Win 11 upgrade completes on LAPTOP-DRQ5L558 and LAPTOP-E0STJJE8, push Pro key

---

## CRITICAL

- [ ] **1. No backup — anywhere**
  - CS-SERVER has no backup. It is the ONLY DC. If it dies, everything is gone.
  - Synology ABB blocked (ext4, needs Btrfs) — use Windows Server Backup to Synology SMB share instead
  - No M365 backup either
  - HIPAA §164.308(a)(7)
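
An added example of the Windows Server Backup approach named in item 1 (this is not a script from the Cascades repo or its msp-audit-scripts). It assumes the `\\cascadesds` NAS name from item 37; the share name `CSServerBackup`, the data volume letter and the NAS credential are placeholders to adjust on site.

```powershell
# Added example: nightly Windows Server Backup of CS-SERVER to an SMB share on the Synology.
# Bare-metal set + system state covers the AD database (NTDS), SYSVOL and the registry.
# Run elevated on CS-SERVER. Install-WindowsFeature Windows-Server-Backup first if missing.
Import-Module WindowsServerBackup

$target = '\\cascadesds\CSServerBackup'      # placeholder share; SMB works regardless of ext4/Btrfs
$cred   = Get-Credential -Message 'NAS account with write access to the backup share'

$policy = New-WBPolicy
Add-WBBareMetalRecovery -Policy $policy      # OS volume plus everything needed to restore the box
Add-WBSystemState       -Policy $policy      # AD DS, SYSVOL, registry, certificate store
Add-WBVolume -Policy $policy -Volume (Get-WBVolume -VolumePath 'D:')   # data/share volume, adjust letter
Add-WBBackupTarget -Policy $policy -Target (New-WBBackupTarget -NetworkPath $target -Credential $cred)
Set-WBSchedule -Policy $policy -Schedule 23:00
Set-WBVssBackupOptions -Policy $policy -VssFullBackup

# Register the policy (replaces any scheduled policy already on this server)
Set-WBPolicy -Policy $policy -Force

# A network target keeps only the latest backup version, so rotate copies on the NAS side
# (or use a dedicated iSCSI/VHDX target) before treating this as a real retention scheme.

# Verification to feed into monitoring: last result, age in hours, next run
function Get-BackupHealth {
    $s = Get-WBSummary
    [pscustomobject]@{
        LastBackup = $s.LastSuccessfulBackupTime
        AgeHours   = [int]((Get-Date) - $s.LastSuccessfulBackupTime).TotalHours
        LastResult = $s.LastBackupResultHR     # 0 = success
        NextBackup = $s.NextBackupTime
    }
}
Get-BackupHealth
```

Test a restore of a single file and of system state onto a lab VM before counting the job as done; a backup that has never been restored is not a backup.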
- [ ] **2. CS-SERVER hardware — 2009 Dell R610, extreme failure risk**
  - 16+ years old. Single server runs: DC, DNS, DHCP, File Server, Hyper-V (VoIP), RDS, IIS, NPS
  - No second DC — if hardware fails, AD, DNS, shares, phones ALL go down
  - Plan: migrate to new hardware, add second DC
- [ ] **3. Windows Updates — 6 machines critically behind**
  - [~] DESKTOP-LPOPV30 — 13 months behind — AutoPatch running overnight
  - [~] LAPTOP2 — 8 months — AutoPatch running overnight
  - [~] CRYSTAL-PC — 5 months — AutoPatch running overnight
  - [ ] MEMRECEPT-PC — 4 months — skipped (front desk, ancient hw)
  - [~] ASSISTMAN-PC — 3 months — AutoPatch running overnight
  - [~] DESKTOP-KQSL232 — 3 months — AutoPatch running overnight
  - RECEPTIONIST-PC also skipped — needs update run scheduled
- [x] **4. Windows Home → Pro upgrades** *(2026-03-20)*
  - [x] ANN-PC, DESKTOP-DLTAGOI, MAINTENANCE-PC, MDIRECTOR-PC — done via changepk
  - [ ] LAPTOP-DRQ5L558, LAPTOP-E0STJJE8 — pending Win 11 upgrade first
  - [ ] MEMRECEPT-PC — replace machine instead
- [ ] **5. Shared accounts with NO PASSWORD accessing PHI**
  - [ ] NURSESTATION-PC: "Nurses" — accesses ALIS (medical records)
  - [ ] MEMRECEPT-PC: "memfrtdesk" — MemCare front desk
  - [ ] RECEPTIONIST-PC: "Front Desk" — mapped drives to CS-SERVER
  - [ ] DESKTOP-KQSL232: Lois Lane — PasswordRequired=False
  - Also: AD shared accounts (Culinary, Receptionist, saleshare, directoryshare) need replacement — Phase 5
  - HIPAA §164.312(a)(2)(i)
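
An added example (not from the tracker or the workstation_audit.ps1 script) of the local-account check behind item 5 and the interim fix for the non-domain machines it lists. It assumes only built-in cmdlets and `net user`; the interim passwords are prompted for so nothing secret lands in the script or shell history.

```powershell
# Added example: find local accounts that Windows lets log on without a password
# (PasswordRequired=False, the condition the audit flagged) and require one.
# Run elevated on NURSESTATION-PC, MEMRECEPT-PC, RECEPTIONIST-PC, DESKTOP-KQSL232.

function Get-NoPasswordAccounts {
    Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired } |
        Select-Object Name, PasswordRequired, PasswordLastSet, LastLogon
}

# Report first
$noPassword = Get-NoPasswordAccounts
$noPassword | Format-Table -AutoSize

# Accounts that nominally require a password but have never had one set
Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordLastSet } |
    Select-Object Name, PasswordRequired, PasswordLastSet

# Remediation: clear the "password not required" flag and set an interim password.
# Set-LocalUser has no -PasswordRequired parameter, so net user handles that flag.
foreach ($u in $noPassword) {
    $cred = Get-Credential -UserName $u.Name -Message "Interim password for $($u.Name)"
    net user $u.Name /passwordreq:yes | Out-Null
    Set-LocalUser -Name $u.Name -Password $cred.Password -PasswordNeverExpires $false -UserMayChangePassword $true
}

# Confirm the LSA option that blocks blank-password accounts over the network is still on
# (LimitBlankPasswordUse = 1 is the default; a 0 here means console-only protection was removed)
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LimitBlankPasswordUse
```

This only buys time: the shared accounts still cannot be attributed to a person, which is why item 5 ends with replacing them in Phase 5.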
- [ ] **6. No audit logging**
  - CS-SERVER: Object Access auditing completely disabled — cannot track PHI access
  - Synology NAS: stores PHI with no access auditing (ext4 can't support it) — migrate to CS-SERVER NTFS
  - HIPAA §164.312(b)
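
An added example (not part of the tracker) of what "turn on Object Access auditing" means in practice on CS-SERVER once the PHI shares are on NTFS: enable the audit subcategory, attach a SACL to the share root, and read the resulting events. The folder path `D:\Shares\HealthServices` is a placeholder.

```powershell
# Added example: file-access auditing for a PHI share on CS-SERVER. Run elevated.

# 1. Enable the Object Access > File System subcategory. A SACL on a folder produces
#    no events at all until this is on.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /get /subcategory:"File System"

# 2. Attach an audit rule (SACL) to the share root, inherited by every file and subfolder.
$phiRoot = 'D:\Shares\HealthServices'   # placeholder, point at the real share path
$rights  = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

$acl = Get-Acl -Path $phiRoot -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $phiRoot -AclObject $acl

# 3. Verify the SACL is in place
(Get-Acl -Path $phiRoot -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags

# 4. Read recent accesses. Event 4663 = "an attempt was made to access an object";
#    property indices follow the 4663 template (1 = SubjectUserName, 6 = ObjectName).
function Get-RecentPhiAccess([int]$Count = 20) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents $Count |
        Select-Object TimeCreated,
            @{ n = 'User';   e = { $_.Properties[1].Value } },
            @{ n = 'Object'; e = { $_.Properties[6].Value } }
}
Get-RecentPhiAccess
```

Two caveats a reviewer would raise: ReadData auditing on a busy share is noisy, so raise the Security log size (wevtutil sl Security /ms:…) or ship events off-box, and the SACL does nothing for data that stays on the ext4 NAS, which is why the migration in item 6 comes first.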
- [ ] **7. Expired SSL certificate on CS-SERVER (2025-04-02)**
  - Self-signed cert expired ~1 year ago, causing Schannel TLS errors
- [ ] **8. Floating firewall rule #4 passes ALL IPv4 traffic**
  - Breaks room-to-room VLAN isolation — residents can reach staff VLAN, servers, other rooms
  - Planned: Phase 1.3 — replace with scoped rules
  - HIPAA §164.312(e)(1)

## HIGH

- [ ] **9. Remove non-IT staff from Domain Admins**
  - [ ] Meredith.Kuhn — never logged in, never set password
  - [ ] John.Trozzi — never logged in, never set password
- [ ] **10. AD password issues**
  - [ ] 23 accounts never set a password (null PasswordLastSet)
  - [ ] 10 accounts with PasswordNeverExpires (Lois.Lane, strozzi, Culinary, Receptionist, howard, directoryshare, etc.)
  - [ ] Password min length only 7 — increase to 12 in Default Domain Policy
  - [ ] krbtgt password 569 days old (last set 2024-08-28) — rotate
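
An added example (not the repo's server_audit.ps1) reproducing the checks behind items 9 and 10 and the remediation commands for them, in the order a second pass would run them. It assumes the ActiveDirectory RSAT module on CS-SERVER or an admin workstation; account names are the ones the tracker already lists.

```powershell
# Added example: AD password and privileged-account audit for items 9 and 10.
Import-Module ActiveDirectory

function Get-AdPasswordFindings {
    $users = Get-ADUser -Filter * -Properties PasswordLastSet, PasswordNeverExpires, Enabled, LastLogonDate
    [pscustomobject]@{
        # Never set a password: PasswordLastSet is null
        NeverSet     = @($users | Where-Object { $_.Enabled -and -not $_.PasswordLastSet })
        # Exempt from expiry
        NeverExpires = @($users | Where-Object { $_.Enabled -and $_.PasswordNeverExpires })
        # Domain Admins who have never logged on (item 9 candidates)
        IdleAdmins   = @(Get-ADGroupMember 'Domain Admins' -Recursive |
                         Where-Object objectClass -eq 'user' |
                         Get-ADUser -Properties LastLogonDate, PasswordLastSet |
                         Where-Object { -not $_.LastLogonDate })
        KrbtgtAgeDays = ((Get-Date) - (Get-ADUser krbtgt -Properties PasswordLastSet).PasswordLastSet).Days
        Policy        = Get-ADDefaultDomainPasswordPolicy |
                        Select-Object MinPasswordLength, MaxPasswordAge, ComplexityEnabled, LockoutThreshold, LockoutDuration
    }
}

$f = Get-AdPasswordFindings
"{0} enabled accounts with null PasswordLastSet" -f $f.NeverSet.Count
$f.NeverSet | Select-Object SamAccountName, LastLogonDate | Format-Table -AutoSize
"{0} enabled accounts with PasswordNeverExpires" -f $f.NeverExpires.Count
$f.NeverExpires | Select-Object SamAccountName, PasswordLastSet | Format-Table -AutoSize
"Domain Admins never logged on: {0}" -f ($f.IdleAdmins.SamAccountName -join ', ')
"krbtgt password age: {0} days" -f $f.KrbtgtAgeDays
$f.Policy

# --- Remediation, one step at a time after the report is reviewed ---

# Minimum length 7 -> 12 in the Default Domain Policy
Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot -MinPasswordLength 12

# Pull the non-IT accounts out of Domain Admins
Remove-ADGroupMember -Identity 'Domain Admins' -Members 'Meredith.Kuhn', 'John.Trozzi' -Confirm:$false

# Accounts that never set a password must change it at next logon
# (clear PasswordNeverExpires first where set; the two flags are mutually exclusive)
$f.NeverSet | Set-ADUser -PasswordNeverExpires $false -ChangePasswordAtLogon $true

# krbtgt rotation: reset, wait at least 10 hours (the default TGT lifetime) so issued
# tickets age out, then reset a second time. The KDC generates the actual secret itself;
# the value supplied here is only a throwaway to satisfy the cmdlet.
Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (ConvertTo-SecureString (New-Guid).Guid -AsPlainText -Force)
```

Re-run `Get-AdPasswordFindings` after the second krbtgt reset; the age should read 0 and the NeverSet list should shrink as people log on and are forced through the change.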
- [ ] **11. No screen lock on ANY machine**
  - Zero machines have inactivity timeout or screensaver lock
  - Staff walk away from ALIS sessions, shared drives, email — all open
  - Push via GPO (domain) or registry (non-domain)
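
An added example (not from the tracker) of both delivery paths in item 11: the machine-wide inactivity limit set directly in the registry on non-domain machines, and the same setting plus a secure screensaver pushed through the `CSC - Security Baseline` GPO named in item 41 for the domain-joined ones. The 10-minute value and the audit function are assumptions.

```powershell
# Added example: 10-minute inactivity lock, registry path for non-domain PCs and GPO path for domain PCs.
$timeout = 600   # seconds

# --- Non-domain machines (run elevated on each) ---
# "Interactive logon: Machine inactivity limit" is machine-wide, so it does not depend on
# each user's own screensaver settings on a shared front-desk PC.
$sysPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
New-ItemProperty -Path $sysPol -Name InactivityTimeoutSecs -PropertyType DWord -Value $timeout -Force | Out-Null

# --- Domain-joined machines (run where the GroupPolicy module is installed) ---
Import-Module GroupPolicy
$gpo = 'CSC - Security Baseline'
Set-GPRegistryValue -Name $gpo -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName InactivityTimeoutSecs -Type DWord -Value $timeout | Out-Null
# User-side belt and braces: password-protected screensaver with the same timeout
$userDesk = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
Set-GPRegistryValue -Name $gpo -Key $userDesk -ValueName ScreenSaveActive    -Type String -Value '1'            | Out-Null
Set-GPRegistryValue -Name $gpo -Key $userDesk -ValueName ScreenSaverIsSecure -Type String -Value '1'            | Out-Null
Set-GPRegistryValue -Name $gpo -Key $userDesk -ValueName ScreenSaveTimeOut   -Type String -Value "$timeout"     | Out-Null
Set-GPRegistryValue -Name $gpo -Key $userDesk -ValueName SCRNSAVE.EXE        -Type String -Value 'scrnsave.scr' | Out-Null

# --- Audit check for a workstation_audit.ps1-style run: is either control in effect? ---
function Test-ScreenLock {
    $machine = (Get-ItemProperty -Path $sysPol -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    $user    = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
    $userOk  = ($user.ScreenSaverIsSecure -eq '1') -and ([int]$user.ScreenSaveTimeOut -gt 0) -and ([int]$user.ScreenSaveTimeOut -le 900)
    [pscustomobject]@{
        Computer              = $env:COMPUTERNAME
        InactivityTimeoutSecs = $machine
        ScreenSaverSecure     = $userOk
        Compliant             = (($machine -gt 0) -and ($machine -le 900)) -or $userOk
    }
}
Test-ScreenLock
```

`InactivityTimeoutSecs` takes effect at the next logon; `gpupdate /force` on a joined machine followed by `Test-ScreenLock` confirms the GPO half landed.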
- [ ] **12. BitLocker broken/missing fleet-wide**
  - [ ] Fix protection OFF (encrypted but no protectors): ACCT2-PC, LAPTOP2, RECEPTIONIST-PC
  - [ ] Enable on remaining 13 machines (requires Pro — do after upgrades)
  - Only 2 of 18 working correctly (DESKTOP-LPOPV30, DESKTOP-U2DHAP0)
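
An added example (not from the tracker) of the "encrypted but no protectors" state in item 12 and how to re-arm it. A volume in that state is unlocked by a clear key stored on the disk itself, so the encryption protects nothing. The script assumes the built-in BitLocker and TrustedPlatformModule modules on the three machines named.

```powershell
# Added example: detect volumes that are FullyEncrypted with ProtectionStatus=Off and re-arm them.
# Run elevated on ACCT2-PC, LAPTOP2, RECEPTIONIST-PC.

function Get-UnprotectedVolumes {
    Get-BitLockerVolume | Where-Object {
        $_.VolumeStatus -eq 'FullyEncrypted' -and $_.ProtectionStatus -eq 'Off'
    }
}

# Fleet-style report line
Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
    @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ',' } } | Format-Table -AutoSize

foreach ($v in Get-UnprotectedVolumes) {
    $mp = $v.MountPoint
    if (-not ($v.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')) {
        if ((Get-Tpm).TpmReady) {
            Add-BitLockerKeyProtector -MountPoint $mp -TpmProtector | Out-Null
        } else {
            Write-Warning "$mp: TPM not ready, TPM protector skipped (check BIOS before enabling)"
        }
    }
    if (-not ($v.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector | Out-Null
    }
    # Turning protection back on discards the clear key
    Resume-BitLocker -MountPoint $mp | Out-Null

    # Escrow the recovery password: AD when domain-joined, otherwise the client's SOPS vault
    $rp = (Get-BitLockerVolume -MountPoint $mp).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
        Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $rp.KeyProtectorId | Out-Null
    } else {
        "$mp recovery key id $($rp.KeyProtectorId): store $($rp.RecoveryPassword) in the SOPS vault, not in this tracker"
    }
}

Get-BitLockerVolume | Select-Object MountPoint, ProtectionStatus
```

Until the machines are domain-joined (item 23) the AD escrow branch never runs, so the vault is the only place the recovery password lives; record it before rebooting.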
- [ ] **13. No LAPS — same local admin password on every machine**
  - Compromise one = compromise all. Deploy Windows LAPS.
- [ ] **14. Share permissions wide open on CS-SERVER**
  - [ ] Culinary: Everyone=FullControl → SG-Culinary-RW
  - [ ] directoryshare: Everyone=FullControl → SG-Directory-RW
  - [ ] Roaming: Domain Users=FullControl → restrict
  - [ ] Shares (parent): Everyone=FullControl NTFS → restrict
  - Security groups already designed — apply during Phase 2
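
An added example (not from the tracker or phase2-ad-setup.ps1) of the share-permission review and the Everyone-to-group swap in item 14. Group names are the ones the tracker lists; the NetBIOS domain name `CSC` is a placeholder. Because the parent `Shares` folder grants Everyone Full Control at the NTFS layer, inheritance is broken on each share before the Everyone entry is removed.

```powershell
# Added example: report wide-open shares on CS-SERVER and move one share onto a security group.
$dom = 'CSC'   # placeholder NetBIOS domain name

# 1. Report: non-admin shares where a catch-all principal has Full control
function Get-OpenShares {
    $catchAll = 'Everyone', 'NT AUTHORITY\Authenticated Users', "$dom\Domain Users"
    Get-SmbShare | Where-Object { $_.Name -notmatch '\$$' } |
        ForEach-Object { Get-SmbShareAccess -Name $_.Name } |
        Where-Object { $_.AccountName -in $catchAll -and $_.AccessRight -eq 'Full' } |
        Select-Object Name, AccountName, AccessControlType, AccessRight
}
Get-OpenShares | Format-Table -AutoSize

# 2. Fix: group gets Change at the share layer; NTFS carries the real permissions
function Set-ShareToGroup {
    param([Parameter(Mandatory)][string]$Share, [Parameter(Mandatory)][string]$Group)
    $path = (Get-SmbShare -Name $Share).Path

    Revoke-SmbShareAccess -Name $Share -AccountName 'Everyone' -Force | Out-Null
    Grant-SmbShareAccess  -Name $Share -AccountName "$dom\$Group" -AccessRight Change -Force | Out-Null

    # NTFS: stop inheriting the parent's Everyone=Full ACE, drop it, grant the group Modify,
    # keep SYSTEM and Administrators at Full
    icacls $path /inheritance:d | Out-Null
    icacls $path /remove:g 'Everyone' | Out-Null
    icacls $path /grant:r "${dom}\${Group}:(OI)(CI)M" | Out-Null
    icacls $path /grant:r 'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null

    Get-SmbShareAccess -Name $Share
}

Set-ShareToGroup -Share 'Culinary'       -Group 'SG-Culinary-RW'
Set-ShareToGroup -Share 'directoryshare' -Group 'SG-Directory-RW'
```

Run `Get-OpenShares` again afterwards; `Roaming` and the parent `Shares` folder will still show up until their own groups are decided, which is the Phase 2 work item 14 refers to.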
- [ ] **15. M365 — no MFA, no BAA signed**
  - [ ] Enable Security Defaults (MFA) in Entra ID — free, 5 minutes
  - [ ] Sign Microsoft HIPAA BAA in M365 Admin Center
  - [ ] Verify BAA with ALIS (go-alis.com) — ask management
  - HIPAA §164.312(d) and §164.308(b)(1)
- [ ] **16. M365 licenses full (34/34) — 12 role accounts wasting licenses**
  - Convert role-based accounts to shared mailboxes (~$150/mo savings)
  - Frees licenses for actual employees
  - Delete: Kristiana Dowse (HR confirmed), "howaed" typo guest account
  - Delete shared mailboxes: Anna Pitzlin, Nela Durut-Azizi (HR confirmed OK)
  - Sandra Fish still global admin — create break-glass admin, remove her access
- [ ] **17. QuickBooks installed on Domain Controller**
  - QB Pro 2024 running on CS-SERVER with DB listener on port 6600
  - Should be on dedicated workstation or VM — increases DC attack surface
- [ ] **18. Account lockout was disabled (fixed threshold, but GPO not fully deployed)**
  - Default Domain Policy: 5 attempts / 30 min (fixed 2026-03-09)
  - But most PCs aren't domain-joined so policy doesn't apply to them yet
- [x] **19. RDP without NLA** *(2026-03-20)*
  - [x] ASSISTMAN-PC — disabled
  - [x] DESKTOP-U2DHAP0 — disabled
- [ ] **20. TightVNC on MEMRECEPT-PC + old MSP remote access tools everywhere**
  - [ ] TightVNC on MEMRECEPT-PC — unauthorized remote access, no-password machine
  - [ ] Splashtop Streamer — ALL 19 machines
  - [ ] Datto RMM — CS-SERVER at minimum
  - [ ] N-able Take Control — some machines
  - [ ] RemotePC — ASSISTMAN-PC, CHEF-PC, DESKTOP-U2DHAP0
  - [ ] TeamViewer — ANN-PC
  - [ ] GoTo Opener — ANN-PC, MDIRECTOR-PC, DESKTOP-H6QHRR7
- [ ] **21. AV conflicts on multiple machines**
  - [ ] RECEPTIONIST-PC: Bitdefender + Datto AV both running
  - [ ] LAPTOP-E0STJJE8: McAfee LiveSafe + Datto AV
  - [ ] MDIRECTOR-PC: COMODO AV disabled (stale, remove)
  - [ ] CHEF-PC: Norton Security Scan (bloatware)
- [ ] **22. RDS licensing expired ~17 months ago**
  - RDS roles installed (Connection Broker, Session Host, Web Access) but no CALs
  - Decide: purchase CALs or remove RDS roles

## MEDIUM

- [ ] **23. Most PCs not domain-joined (15 of 18)**
  - Only 3 joined: ACCT2-PC, CRYSTAL-PC, DESKTOP-H6QHRR7
  - No GPOs apply to the other 15 (password policy, screen lock, BitLocker, drive maps)
  - Domain join planned Phase 3, needs Pro on all machines first
- [ ] **24. Network — machines on wrong subnets**
  - LAPTOP-DRQ5L558 on Guest WiFi (10.0.50.x) — no internal access at all
  - Many machines on old LAN (192.168.2-3.x) instead of INTERNAL (10.0.20.x)
  - Most non-domain machines have DNS pointed at pfSense (192.168.0.1) rather than CS-SERVER — adds latency for AD lookups
- [ ] **25. AD OU cleanup — 13 junk root-level OUs**
  - 10 duplicate department OUs + Managment (misspelled) + MemCare + Sales
  - 20 accounts in CN=Users need placement
  - Scripts ready: phase2-ou-cleanup.ps1, phase2-ad-setup.ps1
- [ ] **26. Delete confirmed former employee AD accounts**
  - Disabled: Anna.Pitzlin, Nela.Durut-Azizi, Jodi.Ramstack, Monica.Ramirez, Jeff.Bristol
  - Enabled but gone: Haris.Durut, Nuria.Diaz, Cathy.Reece, Kelly.Wallace, Isabella.Islas, ann.dery, alyssa.brooks (duplicate)
  - Lupe.Sanchez — possible duplicate of Guadalupe.Sanchez (verify onsite)
- [ ] **27. AD ↔ M365 identity issues**
  - Tamra.Johnson AD account needs rename to Tamra.Matthews (M365 already correct)
  - nick pavloff has M365 but no AD account
  - AD and M365 fully separate (no Entra Connect) — evaluate after Phase 3
  - 13 AD users have no M365 account (hourly staff — determine if they need email)
- [ ] **28. Hardware problems**
  - [ ] MEMRECEPT-PC: Pentium E5500, 6GB RAM, 100Mbps NIC — replace entirely
  - [ ] MDIRECTOR-PC: only 3.9 GB RAM — upgrade or replace
  - [ ] MAINTENANCE-PC: disk 85% full (34.6 GB free) — clean up
  - [ ] ASSISTMAN-PC: 7 local admin accounts — clean up to 3
- [ ] **29. Kitchen iPads not isolated**
  - 9 iPads on INTERNAL VLAN with full access to staff resources
  - Food service only, NOT medical — restrict to kitchen thermal printers only
  - Needs firewall rules restricting iPad MACs to printer IPs + internet
- [ ] **30. 9 offline UniFi APs — coverage gaps**
  - APs on floors 1-4 offline, some on wrong IP ranges (192.168.6-7.x)
  - Need physical visit to check power, cables, re-adopt
- [ ] **31. Printer issues**
  - [ ] 206 Health Services Brother printer drops WiFi (192.168.1.138) — wire it or fix signal
  - [ ] Brother printer 192.168.2.53 dual-connected (WiFi + ethernet, ARP flapping) — disable one
  - [ ] Bizhub C368 location and status unknown — find it onsite
  - [ ] Room 405 long print lag — investigate onsite
- [ ] **32. LDAP Channel Binding not configured on CS-SERVER**
- [ ] **33. Stale DNS records**
  - 192.168.2.59 and 192.168.0.5 in GC (old DCs?)
  - DESKTOP-1ISF081 has AAAA but no A record
- [ ] **34. UniFi VLAN 10 "CSC Internal Network" mismatch**
  - UniFi has VLAN 10 but pfSense uses VLAN 20 for INTERNAL — VLAN 10 may be orphaned
- [ ] **35. Room 339 pfSense interface possibly disabled**
  - Missing `<enable>` tag — verify if room is occupied
- [ ] **36. SSH on pfSense — verify hardening**
  - Confirm key-based auth only, restricted to management VLAN
- [ ] **37. Synology shares still mapped directly from MDIRECTOR-PC**
  - H: `\\cascadesds\homes`, M: `\\cascadesds\Management`, P: `\\cascadesds\Public`
  - Should point to CS-SERVER after migration
- [ ] **38. Lauren Hasselman needs Sales share access**
  - Replaced Jeff Bristol as Business Office Director, permissions not granted

## LOW

- [ ] **39. Remove stale user profiles from workstations**
  - DESKTOP-LPOPV30: Haris Durut, Jodi Ramstack, Nela
  - NURSESTATION-PC: Adella Clark (2021), April Hughes (2020)
  - MAINTENANCE-PC: nick (2024-08), John Trozzi (disabled)
  - ASSISTMAN-PC: Cecil Rinker, "DO NOT USE"
- [ ] **40. CS-SERVER cleanup**
  - [ ] Remove AutomationManagerAgent orphan service (file not found)
  - [ ] Delete "Synology Sync machine" VM (off, not needed)
  - [ ] Remove unused DHCP role
  - [ ] Decide on Power Options GPO (unlinked) — keep or delete
  - [ ] Remove 3 empty GPOs (CopyRoomPrinter, Nurses-Kiosk, MemCareMedTechPrinter) — if not already deleted
- [ ] **41. GPOs not deployed yet (Phase 2.5-2.6)**
  - CSC - Drive Mappings, CSC - Printer Deployment, CSC - Security Baseline, CSC - Windows Update, CSC - Folder Redirection, CSC - Shared Workstation
  - Blocked on: domain join (Phase 3)
- [ ] **42. RMM documentation missing**
  - rmm/rmm.md is blank — document agent counts, monitoring, patch policies

## COMPLETED

- [x] RDP disabled on ASSISTMAN-PC + DESKTOP-U2DHAP0 *(2026-03-20)*
- [x] Pro key applied: ANN-PC, DESKTOP-DLTAGOI, MAINTENANCE-PC, MDIRECTOR-PC *(2026-03-20)*
- [x] Orphan printer ports cleaned on all machines *(2026-03-21)*
- [x] AD Recycle Bin enabled *(2026-03-21)*
- [x] MachineAccountQuota set to 0 *(2026-03-21)*
- [x] RestrictAnonymous set to 1 *(2026-03-21)*
- [x] Guest WiFi isolated to VLAN 50 *(2026-03-06)*
- [x] DNS scavenging enabled, stale records cleaned *(2026-03-06)*
- [x] Reverse DNS zones created *(2026-03-06)*
- [x] Room 218 DHCP scope fixed *(2026-03-07)*
- [x] Room 130 disabled firewall rule deleted *(2026-03-07)*
- [x] CS-SERVER timezone fixed to Arizona *(2026-03-07)*
- [x] LG TV ARP flapping fixed (ethernet disabled) *(2026-03-07)*
- [x] Account lockout set to 5/30 *(2026-03-09)*
- [x] Monica.Ramirez removed from Domain Admins *(2026-03-09)*
- [x] 3 empty GPOs reviewed (CopyRoomPrinter, Nurses-Kiosk, MemCareMedTechPrinter) *(2026-03-07)*

## Known Issues / Workarounds

- **Older DirecTV boxes cannot connect to VLAN networks (CSCNet)**
  - Must first join CSC ENT (non-VLAN), receive a software update, then they can join CSCNet
  - Affects resident room DirecTV boxes — discovered 2026-03-22
- **Synology NAS is ext4 — cannot use Active Backup for Business**
  - Use Windows Server Backup to Synology SMB share instead
  - Cannot convert without wiping volume
- **changepk.exe fails on Win 10 Home with Pro for Workstations key (error 0x80070490)**
  - Must upgrade to Win 11 first, then apply key — or use key during ISO setup