azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
295126ee6c4abe2588f94de0e022eabdbb1c925d
claudetools/clients/rednour/onboarding-baselines/REDNOURCARRIEVI-20260529T202250.md
Mike Swanson c6c79d8f3e data(rednour): onboarding baseline for REDNOURCARRIEVI (3rd machine, RED) 
Completes Rednour first-baseline set. Note: ScreenConnect/Splashtop/Syncro/Datto
RMM+EDR flagged critical are ACG's own stack (false positives - detection tuning
tracked separately). Real issues: Win10 22H2 EOL, RDP without NLA, no BitLocker,
C: 12% free.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-29 13:24:10 -07:00

9.7 KiB
Raw Blame History

Onboarding Diagnostic Baseline - REDNOURCARRIEVI

  • Grade: RED

  • Host: REDNOURCARRIEVI

  • Client: Rednour Law Offices (rednour)

  • Collected (UTC): 2026-05-29T20:21:21Z

  • Agent ID: 8e4e2221-7e2a-4a6f-9eda-864568539961

  • Command ID: e46f35e2-1809-46b4-b2ee-624e6b4fbd44

  • Findings: 8 critical / 9 warning / 7 info / 0 unknown

  • OS: Microsoft Windows 10 Pro (build 19045)

CRITICAL (8)

Defender real-time protection is OFF

  • Category: security
  • ID: sec.defender.rtp_off
  • Real-time protection is disabled. The endpoint is unprotected against active threats. Re-enable immediately or confirm a managed 3rd-party AV is providing real-time protection.
RealTimeProtectionEnabled=False; AMServiceEnabled=False; AntispywareSignatureAge=0 days; IsTamperProtected=False

Defender antimalware service is not running

  • Category: security
  • ID: sec.defender.amservice_off
  • The Defender antimalware service is not active. If no 3rd-party AV is present, this endpoint has no antivirus protection.
RealTimeProtectionEnabled=False; AMServiceEnabled=False; AntispywareSignatureAge=0 days; IsTamperProtected=False

Foreign management/remote-access agent: ScreenConnect / ConnectWise Control

  • Category: security
  • ID: sec.foreign_agents.screenconnect_connectwise_control
  • A competitor RMM or unmanaged remote-access tool is present. At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). Verify it is authorized; if not, remove it.
program: ScreenConnect Client (1912bf3444b41a08) 26.1.24.9579
service: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running

Foreign management/remote-access agent: Datto RMM

  • Category: security
  • ID: sec.foreign_agents.datto_rmm
  • A competitor RMM or unmanaged remote-access tool is present. At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). Verify it is authorized; if not, remove it.
program: Datto RMM 4.4.11616.11616
service: CagService (Datto RMM) Running

Foreign management/remote-access agent: Splashtop (SOS/Streamer)

  • Category: security
  • ID: sec.foreign_agents.splashtop_sos_streamer_
  • A competitor RMM or unmanaged remote-access tool is present. At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). Verify it is authorized; if not, remove it.
program: Splashtop Streamer 3.8.2.0
service: SplashtopRemoteService (Splashtop? Remote Service) Running

Foreign management/remote-access agent: Syncro / Kabuto

  • Category: security
  • ID: sec.foreign_agents.syncro_kabuto
  • A competitor RMM or unmanaged remote-access tool is present. At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). Verify it is authorized; if not, remove it.
program: Syncro 1.0.201.18410
service: Syncro (Syncro) Running

OS build is end-of-life: Win10 22H2

  • Category: security
  • ID: sec.patch.os_eol
  • This OS build (19045, Win10 22H2) passed end-of-servicing on 2025-10-14. It no longer receives security updates. Plan a feature update or OS upgrade.
Microsoft Windows 10 Pro build 19045; EOL 2025-10-14

RDP enabled WITHOUT Network Level Authentication

  • Category: security
  • ID: sec.exposure.rdp_no_nla
  • RDP is on and NLA is not required. This exposes the logon screen pre-auth and is vulnerable to pre-auth exploits and brute force. Require NLA, restrict RDP to VPN/allow-listed IPs, or disable RDP.
fDenyTSConnections=0; UserAuthentication=0

WARNING (9)

Defender tamper protection is OFF

  • Category: security
  • ID: sec.defender.tamper_off
  • Tamper protection is disabled, so malware or a local admin can silently disable Defender. Enable tamper protection (typically via Intune / Security Center).
RealTimeProtectionEnabled=False; AMServiceEnabled=False; AntispywareSignatureAge=0 days; IsTamperProtected=False

Third-party AV present: Datto AV

  • Category: security
  • ID: sec.av_products.third_party
  • A non-Defender antivirus is registered. Running two real-time AV engines causes conflicts, performance loss, and detection gaps. Confirm the intended AV and ensure only one provides real-time protection.
Registered AV: Windows Defender, Datto AV

OS volume is NOT encrypted with BitLocker

  • Category: security
  • ID: sec.bitlocker.unencrypted
  • The operating system volume is unencrypted. Data is exposed if the disk is removed or the device is lost. Enable BitLocker and escrow the recovery key.
Volume=C:; ProtectionStatus=Off; EncryptionPercentage=0; KeyProtectors=

1 pending Windows updates

  • Category: security
  • ID: sec.patch.pending
  • Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window.
Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 1

Disk low: C: at 11.7% free

  • Category: health
  • ID: health.disk_space.C
  • Less than 15 percent free. Plan cleanup or expansion.
C: free 54.4 GB of 465.1 GB (11.7%)

Stability events present in the last 14 days

  • Category: health
  • ID: health.stability.some
  • One or more unexpected shutdowns, BSODs, or disk errors occurred recently. Monitor and correlate with user reports.
Unexpected shutdowns (id 41)=0; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=1

Reboot pending

  • Category: health
  • ID: health.reboot_uptime.pending
  • A reboot is pending. Pending reboots can block patches and leave the system in a half-updated state. Schedule a restart.
PendingFileRenameOperations

2 auto-start service(s) not running

  • Category: health
  • ID: health.failed_services.stopped
  • These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running.
Intel(R) TPM Provisioning Service (Intel(R) TPM Provisioning Service) = Stopped
NetMsmqActivator (Net.Msmq Listener Adapter) = Stopped

Time source is local CMOS clock (not NTP)

  • Category: health
  • ID: health.time.local_cmos
  • The system is not syncing time from an NTP source. Clock drift breaks Kerberos and certificate validation. Configure a reliable time source (domain hierarchy or pool.ntp.org).
Source=Local CMOS Clock

INFO (7)

All firewall profiles enabled

  • Category: security
  • ID: sec.firewall.ok
  • Domain, Private, and Public firewall profiles are all enabled.
Private=True; Domain=True; Public=True

Local administrators (4)

  • Category: security
  • ID: sec.local_admins.list
  • Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).
REDNOURCARRIEVI\Administrator
REDNOURCARRIEVI\Carrie
REDNOURCARRIEVI\emma
REDNOURCARRIEVI\localadmin

Last hotfix: KB5072653

  • Category: security
  • ID: sec.patch.last_hotfix
  • Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).
KB5072653 installed 2025-12-20T07:00:00Z

SMBv1 disabled

  • Category: security
  • ID: sec.exposure.smb1_off
  • SMBv1 server protocol is disabled.
EnableSMB1Protocol=False

LAPS detected

  • Category: security
  • ID: sec.exposure.laps_present
  • A LAPS mechanism is present.
Windows LAPS reg key

Not domain-joined (workgroup)

  • Category: health
  • ID: health.domain.workgroup
  • This machine is in workgroup/Azure AD only mode (Domain=WORKGROUP). No on-prem AD secure channel applies.
PartOfDomain=False; Domain=WORKGROUP

No backup agent detected

  • Category: health
  • ID: health.backup.none
  • No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it.
No matching backup service in Win32_Service

Inventory Baseline Summary

  • Manufacturer / Model: To Be Filled By O.E.M. / To Be Filled By O.E.M.
  • Serial: To Be Filled By O.E.M.
  • CPU: Intel(R) Core(TM) i3-9100 CPU @ 3.60GHz (4 cores / 4 logical)
  • RAM (GB): 7.7
  • BIOS: P4.10 (2019-04-01)
  • Chassis is laptop: false
  • TPM present / Secure Boot: ? / ?
  • Domain joined: false (WORKGROUP)
  • OS activation licensed: ?
  • Uptime (days): 0.2
  • Pending reboot: true
  • Installed software count: 151
  • Scheduled tasks (non-MS, enabled): 19
  • Local administrators: REDNOURCARRIEVI\Administrator, REDNOURCARRIEVI\Carrie, REDNOURCARRIEVI\emma, REDNOURCARRIEVI\localadmin

Fixed volumes

  • [unlabeled] - 0.1 GB free of 0.1 GB (71.7%)
  • C: - 54.4 GB free of 465.1 GB (11.7%)
  • [unlabeled] - 0 GB free of 0.5 GB (8.5%)

Network adapters

  • ZeroTier Virtual Port - IP: 10.147.17.253, fe80::c624:d955:2579:a9e4, fcfb:1c63:8659:2d21:d189::1 - DNS: - DHCP: false
  • Intel(R) Ethernet Connection (7) I219-V - IP: 192.168.10.194, fe80::e42e:510a:5261:a8dd - DNS: 192.168.10.1 - DHCP: true

Diff vs Prior Baseline

  • No prior baseline found for this host. This is the first baseline.

Generated by run-onboarding-diagnostic.sh (GuruRMM onboarding diagnostic, Phase 1). Raw snapshot: REDNOURCARRIEVI-20260529T202250.json (immutable).

Reference in New Issue View Git Blame Copy Permalink