claudetools/clients/dataforth/docs/billing-log.md
Howard Enos 8d975c1b44 import: ingested 160 files from C:\Users\howar\Clients
Howard's personal MSP client documentation folder imported into shared
ClaudeTools repo via /import command. Scope:

Clients (structured MSP docs under clients/<name>/docs/):
- anaise       (NEW)  - 13 files
- cascades-tucson     - 47 files merged (existing had only reports/)
- dataforth           - 18 files merged (alongside incident reports)
- instrumental-music-center - 14 files merged
- khalsa       (NEW)  - 22 files, multi-site (camden, river)
- kittle       (NEW)  - 16 files incl. fix-pdf-preview, gpo-intranet-zone
- lens-auto-brokerage (NEW) - 3 files (name matches SOPS vault)
- _client_template    - 13-file scaffold for new clients

MSP tooling (projects/msp-tools/):
- msp-audit-scripts/ - server_audit.ps1, workstation_audit.ps1, README
- utilities/         - clean_printer_ports, win11_upgrade,
                       screenconnect-toolbox-commands

Credential handling:
- Extracted 1 inline password (Anaise DESKTOP-O8GF4SD / david)
  to SOPS vault: clients/anaise/desktop-o8gf4sd.sops.yaml
- Redacted overview.md with vault reference pattern
- Scanned all 160 files for keys/tokens/connection strings -
  no other credentials found

Skipped:
- Cascades/.claude/settings.local.json (per-machine config)
- Source-root CLAUDE.md (personal, claudetools has its own)
- scripts/server_audit.ps1 and workstation_audit.ps1 at source root
  (identical duplicates of msp-audit-scripts versions)

Memory updates:
- reference_client_docs_structure.md (layout, conventions, active list)
- reference_msp_audit_scripts.md (locations, ScreenConnect 80-char rule)

Session log: session-logs/2026-04-16-howard-client-docs-import.md

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-16 19:43:58 -07:00


Dataforth — Work Log / Billing Record

Session 1 — 2026-04-02 (Remote — Documentation Audit)

Focus: Full client documentation buildout from Mike Swanson handoff + post-incident audit

| Time | Task | Details |
|------|------|---------|
| | Client intake & overview | Created overview.md — company info, Dan Center contact (replacing retired Joel Lohr), Mike Swanson as outgoing IT, M365 tenant 7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584, ~21 human users, 6 servers, 2 ESXi + 1 Hyper-V, ~38 workstations, 64 DOS test stations |
| | Network documentation | Built topology.md, dns.md, dhcp.md, firewall.md, vlans.md for flat network (no VLANs, all Windows Firewall profiles disabled on AD2) |
| | Cloud documentation | Built m365.md + azure.md — tenant info, Entra ID Sync from OU=SyncedUsers, MFA enforcement deadline April 4, 19 users still need to register |
| | Security documentation | Built antivirus.md + backup.md |
| | RMM documentation | Documented Datto RMM + GuruRMM (azcomputerguru.com) |
| | Active Directory doc | Built active-directory.md — intranet.dataforth.com forest, Windows Server 2016 level |
| | Per-server docs (6 servers) | AD1, AD2, FILES-D1, SAGE-SQL, 3CX, DF-HYPERV-B, D2TESTNAS |
| | Workstation inventory | Built workstations.md — Engineering (~12), Manufacturing/Assembly (~14), Office/Admin (~12), 3 EOL Windows 7 (LABELPC, LABELPC2, D2-RCVG-003) |
| | Manufacturing doc | Built manufacturing.md — 64 DOS stations running QuickBASIC 4.5 ATE on MS-DOS 6.22, SMB1 via D2TESTNAS Samba proxy, TestDataDB (Node.js + SQLite on AD2:3000, 2.28M test records) |
| | Issue log buildout | Documented 2025 ransomware incident (AD2 wiped/rebuilt), 2026-03-27 DF-JOEL2 phishing compromise (Angel Raya/ScreenConnect social engineering, C2 blocked, IC3 complaint, jlohr reset) |
| | Risk inventory | Critical/High/Medium/Low risk catalog: firewall disabled on AD2, Win7 machines, AD1 at 90% disk, jlohr account overdue for disable, 28 machines not scanned, etc. |

Billing Summary — Session 1

| Category | Items |
|----------|-------|
| Client onboarding / intake | Full Mike Swanson handoff documented |
| Documentation buildout | 22 files created across overview, network, cloud, security, rmm, servers, workstations, manufacturing, issues |
| Post-incident risk audit | 2025 ransomware + 2026-03-27 phishing compromise fully documented with follow-ups |

Time: File timestamps span ~10:04 AM → 12:45 PM (~2.53 hrs)


Outstanding Work — Prioritized

Critical

  • All Windows Firewall profiles disabled on AD2 — re-enable
  • 3 Windows 7 machines still on network — retire or isolate
  • AD1 C: drive at 90% capacity (C:\Engineering = 787 GB) — expand or clean
  • AD1/AD2 on Windows Server 2016 (end of mainstream support) — plan upgrade

High

  • Joel Lohr (jlohr) account — disable post-retirement (OVERDUE since 2026-03-31)
  • C2 IP blocks on UDM are iptables rules only — make permanent in UniFi UI
  • 28 machines offline during incident — rescan when available
  • MFA enforcement (April 4) — 19 users still need to register
  • No reverse DNS zone for 192.168.0.x
  • Website upload mechanism broken (ASP.NET 404s)

Medium

  • D2TESTNAS uses root SSH with password auth
  • Stale/conflicting computer account IPs
  • ~845K test records pending ForWeb export

Low

  • DVD ISO mounted on AD2 D:
  • ClaudeTools-ReadOnly AD account — purpose unclear
  • DESKTOP-* BYOD-looking hostnames