claudetools/wiki/clients/glaztech.md

type, name, display_name, last_compiled, compiled_by, sources, backlinks

type	name	display_name	last_compiled	compiled_by	sources	backlinks
client	glaztech	Glaz-Tech Industries	2026-06-03	DESKTOP-0O8A1RL/claude-main	clients/glaztech/session-logs/2026-04-20-session.md clients/glaztech/session-logs/2026-04-21-session.md clients/glaztech/session-logs/2026-05-28-session.md clients/glaztech/session-logs/2026-06-02-session.md clients/glaztech/session-logs/2026-06-03-session.md clients/glaztech/reports/2026-04-17-phishing-incident-report.md clients/glaztech/reports/2026-06-03-pci-cardholder-data-finding.md clients/glaztech/reports/2026-06-03-website-security-assessment.md clients/glaztech/PROJECT_STATE.md clients/glaztech/README.md

Glaz-Tech Industries

Profile

• Contract type: Managed (long-term — ~15 years per session logs)
• Key contacts: Steve Eastman — seastman@glaztech.com — internal IT, ~200 users, 9 locations. Desktop-level tech; guides technical direction, ACG implements.
• Billing rate: [unverified — not recorded in session logs]
• Syncro customer ID: 143932
• Active tickets: #32186 (M365 Security Review / MFA, In Progress as of 2026-04-21), #32376 (Apex 404 + redirect, Resolved, 2026-06-03), #32377 (CyberSource TLS payment outage, Resolved, 2026-06-03), #32378 (Security assessment / PCI remediation, In Progress as of 2026-06-03)
• Prepaid block remaining: ~22.25 hrs (drew 26.5 → 22.25 on 2026-06-03)
• GuruRMM client ID: d857708c-5713-4ee5-a314-679f86d2f9f9
• GuruRMM site: SLC - Salt Lake City (Site ID: 290bd2ea-4af5-49c6-8863-c6d58c5a55de)

Infrastructure

Servers & Services

Multi-site Windows environment (~200 users, 9 locations). Active Directory confirmed (OUs referenced in deployment scripts). IP range: 192.168.0.0/24 through 192.168.9.0/24 (10 site subnets, one per site).

Server	Role	OS / Build	Local IP	Public IP	Notes
WWW	IIS web server — customer/e-commerce site	Windows Server 2019 Standard, build 10.0.17763.8755 (patched ~May 2026)	192.168.8.72	65.113.52.88	IIS 10.0, .NET 4.8; site glaztech_new at D:\web\glaztech_4; full VB.NET source on disk (not precompiled); LE cert CN=www.glaztech.com, SAN apex+www, exp 2026-08-19 via Certify The Web (HTTP-01); GuruRMM agent 455a1bc7-1c29-42bc-b597-fa1e64f08eec; doubles as dev workstation (VS 2015+2022 installed — see Security Posture)
SQL backend	SQL Server — 15 per-office databases + Sage 100 + TimeForce	[unverified — Server 2019 assumed, co-located with Glaztech infra]	192.168.8.62,3436	—	Login tom (creds in site Web.config, NOT vaulted); DBs: glaz_prod (tuc), glaz_prod_phx, glaz_prod_slc, glaz_prod_elp, glaz_prod_den, glaz_prod_alb, glaz_prod_boi, glaz_prod_brl, glaz_prod_shp, glaz_prod_corp + mas_gti (Sage 100) + qqest (TimeForce)

Service	Details	Notes
M365 tenant	glaztechindustries.onmicrosoft.com	~200 users, basic licensing (no Entra P1)
Exchange Online	glaztech.com	MailProtector inbound filter (MX 5 primary)
Active Directory	glaztech.com domain	[unverified — AD inferred from OU references in scripts]
Payment processing	CyberSource REST (api.cybersource.com/pts/v2/payments) — PNC merchant processor for card payments; CyberSource SOAP toolkit for eCheck/ACH (cybs.log)	Card path: online-payment-pnc.aspx; eCheck path: ach.aspx; card-on-file auto-pay via gt_auto_process_2020.dll

Email & Identity

• M365 tenant: glaztechindustries.onmicrosoft.com
• Tenant ID: 82931e3c-de7a-4f74-87f7-fe714be1f160
• Primary domain: glaztech.com
• Inbound mail filter: MailProtector — glaztech-com.inbound.emailservice.io (MX 5, sole MX as of 2026-04-17)
• MailProtector IPs (EFSkipIPs on inbound connector): 162.248.93.233, 162.248.93.81, 65.113.52.82
• DMARC: p=reject; sp=reject (hardened 2026-04-17, was p=none)
• DKIM: CNAME records exist for selector1/selector2 — active status unverified [WARNING: confirm DKIM is active in M365]
• MFA status: [WARNING] DISABLED as of 2026-04-21. Security Defaults off. No Conditional Access (requires Entra P1, not licensed). ~160 users with password-only sign-in. MFA rollout is open work item — do not enable Security Defaults until service account audit is complete (see Active Work).
• Licensing: Basic M365 (no Entra P1 / Business Premium). Per-user MFA or Security Defaults are the available free options.
• Mailbox forwarding (internal, low risk): Payroll@glaztech.com → carmen@glaztech.com; TUCCSR@glaztech.com → bryce@glaztech.com
• OAuth consent grants: 38 grants — not audited as of last session
• EXO PowerShell: ExchangeOnlineManagement 3.9.2. Get-MessageTrace deprecated Sept 2025 — use Get-MessageTraceV2 (no -PageSize parameter).

Exchange Online Transport Rules

Full transport rule list as of 2026-06-02:

Priority	Name	Condition	Action	State
0	Pensky Allow	[unknown]	[unknown]	Enabled
1	GTIMail No-Reply - Reject Inbound	SentTo: gtimail@glaztech.com	RejectMessageAction	Enabled
2	SCL Bypass - hartsglass + olemons (SHVSALES)	From: hartsglass@centurytel.net, olemons@eastexglass.com, SSales@arkglass.com, bossier@glassservices.com	SetSCL -1	Enabled
3	SCL Bypass - aaaglassinc.com (SHVSALES)	SenderDomainIs: aaaglassinc.com	SetSCL -1	Enabled
4	SCL Bypass - noreply@azcomputerguru.com (MailProtector digests)	From: noreply@azcomputerguru.com	SetSCL -1	Enabled

Rule GUIDs: Priority 2 = 482c714a-8780-4c62-ae0a-0b6da9ca9d52; Priority 3 = 7e0c01a8-ec22-43fe-b600-796c0f295aa5. GUIDs for Priority 0, 1, 4 not recorded.

Note on Priority 1: The "GTIMail No-Reply - Reject Inbound" rule rejects ALL inbound mail to gtimail@glaztech.com, which causes the daily MailProtector digest for that address to fail. This is a pre-existing rule — review with Steve is pending (see Active Work).

Inbound Connector

• Name: "Inbound Spam Filter"
• Type: Partner
• RequireTls: True
• EFSkipIPs: 162.248.93.233, 162.248.93.81, 65.113.52.82 (MailProtector IPs)
• SCLMinusOne: null (EOP re-evaluates all mail; do NOT change to true — too broad)
• SenderIPAddresses restriction: None (intentional — avoids blocking calendar invites from external M365 tenants)

Network

• Sites: 9 locations
• IP ranges: 192.168.0.x through 192.168.9.x (one subnet per site — up to 10 sites)
• Firewall/ISP: [unverified — not documented]
• DNS hosted on: IX server (172.16.3.10), PowerDNS. Zone file: /var/named/glaztech.com.db

Access

• Remediation tool: ComputerGuru apps consented in tenant (Exchange Operator, Security Investigator, Tenant Admin, Defender Add-on)
• Exchange Operator App ID: b43e7342-5b4b-492f-890f-bb5a4f7f40e9
• Exchange Operator cert thumbprint: A615823DE1CAF15229027DEC075AFE32B900D82C (not in Windows cert store on BEAST — use get-token.sh bearer token flow)
• Remediation tool app (AI): fabb3421-8b34-484b-bc17-e46de9703418
• Exchange Admin role: Assigned to ACG service principal in Entra
• Global Admin account: admin@glaztechindustries.onmicrosoft.com (ACG admin only — external GA from tomakkglass.com removed 2026-04-21)
• Vault path: clients/glaztech/ [no SOPS credential file documented — remediation tool uses MSP-wide app credentials]
• Exchange Operator vault: msp-tools/computerguru-exchange-operator.sops.yaml
• Token acquisition: bash .claude/skills/remediation-tool/scripts/get-token.sh <tenant-id> exchange-op → Connect-ExchangeOnline -AccessToken $token -Organization 'glaztechindustries.onmicrosoft.com'
• DNS access: root@172.16.3.10 (IX server)
• Deploy (endpoints): GuruRMM (preferred) or ScreenConnect
• MailProtector / CloudFilter partner portal: NO credentials in vault — manual partner-portal login required for any MailProtector changes (provisioning, spam summary enable). Consider vaulting.
• Glaztech SQL login (tom): present in D:\web\glaztech_4\Web.config connectionStrings — NOT in vault. Read-only access for assessment only; do NOT use outside of authorized sessions.

Security Posture — CRITICAL (Active Issue — Ticket #32378)

Classification: CONFIDENTIAL/Security. Full detail in:

• clients/glaztech/reports/2026-06-03-pci-cardholder-data-finding.md
• clients/glaztech/reports/2026-06-03-website-security-assessment.md

A full read-only security assessment of the Glaztech e-commerce web application and SQL backend was performed 2026-06-03. Overall risk: CRITICAL. Key findings (no card numbers or passwords are reproduced here):

Cardholder Data — PCI-DSS Violations (Req 3.2 + 3.4)

• cc_file (~780 saved cards): Full PAN stored in plaintext in every per-office database (glaz_prod, glaz_prod_phx, glaz_prod_slc, glaz_prod_elp, glaz_prod_den, glaz_prod_alb, glaz_prod_boi, glaz_prod_brl, glaz_prod_shp, glaz_prod_corp). Zero encrypted rows. cc_file.cc_code retains CVV/CID (50/54 rows in tuc; mirrors expected in all offices). CVV retention is a PCI Req 3.2 violation — indefensible; no exception even if encrypted.
• cof_payments_header (historical payments): Phoenix alone: 14,496 rows, 11,794 plaintext PANs. Tuc: 2,245 rows, ~367 plaintext + ~597 formatted. Years of transaction history with recoverable card numbers.
• Why cards are stored: Card-on-file invoice auto-pay. i_get_cc_on_file_invoices joins invoice × cc_file; gt_auto_process_2020.dll reads stored PANs and bills them via CyberSource. get_cc_data is SELECT * FROM cc_file (returns full PAN+CVV; IDOR-shaped on @acctno). Stale copies in Old_bin/Old_code\Bin. Feature can be preserved by migrating to the chosen processor's token vault — store a token reference instead of the raw PAN.
• Containment: Exposure is limited to the 15 custom web-app databases on 192.168.8.62. The Sage 100 ERP DB (mas_gti) stores no cardholder data — its native CC module is disabled (SY_Company.CreditCardEnable=N, AR_CustomerCreditCard=0 rows; tokenization columns exist in the schema but are unused). Database backups also contain plaintext PANs — cleanup must address backups, not just live data.
• Processor reality (verified 2026-06-03): despite a belief that processing moved to "Payrilla/Paya," the website is still on CyberSource/PNC (no Payrilla anywhere in site code/config) and still writing plaintext cards daily (cc_file last write tuc 2026-06-03 14:15, phx 10:19; live CC-WebPayment-PNC txns today). Sage's CC module is off. Payrilla, if used, is a separate channel not visible in either system and not connected to the website — the website exposure is unchanged. Anomaly: cc_file absent in the corp DB though present earlier 2026-06-03 — needs a look.

Authentication — Plaintext Passwords

• web_security table: ~9,000+ plaintext customer passwords (corp 6,017 + tuc 3,012 confirmed, other offices expected); 0 hash-like values; lengths 3–19 chars; no complexity enforcement.
• Auth stored proc get_web_accesslevel: WHERE acct_no=@username AND web_password=@passwd — direct plaintext comparison.
• Employee "forgot password" flow emails the user their existing plaintext password — possible only with reversible/plaintext storage.
• No account lockout, no rate-limiting; username = customer account number (guessable).

SQL Injection — quo() Helper

Function quo(stext) As String
    Return "'" + stext + "'"  ' wraps in quotes, does NOT escape embedded quotes
End Function

Used to build concatenated dynamic SQL in payment pages (ach.aspx.vb, quick-pay-ach.aspx.vb, quick-pay-pnc.aspx.vb, quick-pay.aspx.vb, order-detail*). 59 concatenated SQL statements identified (~10 joining user input). The login path itself is parameterized (sproc) and not injectable; 948 parameterized calls elsewhere. Any input containing ' breaks out and allows injection; a logged-in attacker can UNION-inject full PANs + CVV.

Other Critical/High Findings

Finding	Severity
Reflected XSS: gt_errorpage.aspx — errmsg query param → lblerr.Text unencoded	High
debug="true" + customErrors=Off + exceptions echoed to users in URLs	High
Production server is also a dev workstation: VS Community 2015 + 2022, .NET 8 SDKs, MSBuild, IIS Express, full VB.NET source on disk	High
Remote-access sprawl: RealVNC Enterprise E4.2.8 (~2009, EoL), stale ScreenConnect v6.0.11622 (2018), Splashtop, Datto RMM+EDR, Syncro, GuruRMM (6+ agents)	High
Server listener accepts TLS 1.0 + 1.1 (SChannel Enabled=1)	High
Single shared SQL login (tom) with full read on card + password columns; creds in Web.config in cleartext	High
No Secure/HttpOnly cookies; no session regeneration on login; session-fixation risk	High

Attack Chain Summary

Obtain a customer login (LOW difficulty — no lockout, guessable username = account number, plaintext passwords as short as 3 chars) → access payment pages → SQL inject with quo() to UNION-dump cc_file → full PAN + CVV for all saved cards in the office, plaintext. Every compensating control (lockout, password hashing, PAN encryption, parameterized queries) is absent; first failure is last failure.

Remediation Roadmap (Ticket #32378 — In Progress)

Now (days):

1. Purge stored CVV (cc_file.cc_code, backup-first — needs Tom/Steve explicit sign-off)
2. debug="false" + customErrors="On"; HTML-encode gt_errorpage.aspx; stop echoing exception text to users
3. Remove RealVNC 4.2.8 and stale ScreenConnect v6
4. Disable TLS 1.0/1.1 on the IIS/SChannel listener

Short term (weeks): 5. Hash all passwords (PBKDF2/bcrypt/Argon2); replace email-the-password flow with reset-token flow; force global reset 6. Parameterize all concatenated SQL in payment pages; delete quo() 7. Add Secure+HttpOnly cookies, session regeneration on login, login throttling/lockout 8. Migrate card-on-file to the chosen processor's token vault (CyberSource or the new provider — confirm which flows actually route through "Payrilla"); purge/encrypt historical cc_number columns; address backups

Structural: 9. Separate dev from production; deploy precompiled; remove SDKs/IDE/source from prod host 10. Least-privilege SQL accounts; secret management for Web.config connection strings; TDE at rest; re-scope merchant PCI SAQ after remediation

Patterns & Known Issues

• Phishing via direct-to-M365 MX bypass: Two phishing campaigns in April 2026 succeeded because DNS had a secondary MX record (glaztech-com.mail.protection.outlook.com at priority 10) that bypassed MailProtector. Hardened: MX 10 removed, DMARC to p=reject, Enhanced Filtering for Connectors enabled. Do not re-add a secondary MX record.
• Inbound connector IP restriction: Do NOT restrict SenderIPAddresses on the "Inbound Spam Filter" connector — blocks legitimate calendar invites from external M365 tenants (learned from Dataforth incident). EFSkipIPs are set to MailProtector IPs instead.
• Do NOT set SCLMinusOne=true on connector: This would trust MailProtector's verdict for all inbound mail — too broad. Use targeted transport rules for specific senders instead.
• DMARC-rejecting vendor senders: With Enhanced Filtering enabled, EOP looks past MailProtector to the original sender's SPF/DKIM/DMARC. Vendors with p=reject domains (e.g., centurytel.net, eastexglass.com) get hard 550 5.7.509 NDR rejections. Fix: SCL=-1 transport rule scoped to the specific sender address or domain. Transport rules evaluate before DMARC enforcement in EOP.
• EXO transport rule name limit: 64-character maximum. Plan names accordingly.
• EXO REST API: Direct /TransportRule REST endpoints 404 in this tenant. Use InvokeCommand pattern: POST /adminapi/beta/{tenant}/InvokeCommand with {"CmdletInput": {"CmdletName": "New-TransportRule", "Parameters": {...}}}.
• Service accounts need audit before MFA rollout: Shoretel, mitel, Gti-FaxFinder, GTIMail, GTIQUOTE, CAS1944, clerk — all need SMTP/auth method confirmation before Security Defaults can be enabled.
• PDF preview broken (MOTW): Windows KB5066791/KB5066835 broke PDF preview on network shares via Mark of the Web. Fix scripts are ready in clients/glaztech/ — deployment is pending (as of 2026-03-30).
• clearcutglass.com DMARC history: Corena Spottsville (clearcutglass.com) emails to seastman and zulema were rejected. Temporary transport rule (SCL=-1) was set and removed on 2026-04-21. SPF ~all weakness noted to Team Logic IT (Jordan Fox, jfox@tlit60302.com); recommend they harden to -all and confirm DKIM.
• glassservices.com SPF broken: bossier@glassservices.com publishes v=spf1 -all — rejected by all mail providers. SCL=-1 rule covers this as a workaround. Steve should notify vendor to fix SPF.
• Client tone: ACG has managed GlazTech ~15 years. Steve Eastman is a trusted internal IT partner. Comments and communication should lead with what we know, state findings and actions taken, ask only one targeted question if needed — not open-ended discovery.
• Unlicensed accounts (pending Steve confirmation): Chauntelle@glaztech.com, Denouser1@glaztech.com, Gti-FaxFinder@glaztech.com.
• IIS apex binding — always add both http:80 and https:443 for the bare domain: The glaztech_new IIS site originally had only a www host-header binding. Apex (glaztech.com) returned 404 from HTTP.sys (not a 301 redirect, a real 404) because no binding matched. Fix: add http/IP:80:glaztech.com + https/IP:443:glaztech.com bindings reusing the existing SAN cert. When adding HTTP→HTTPS redirect via URL Rewrite, always include a negate condition on /.well-known/acme-challenge/ so Certify The Web (HTTP-01) LE renewals are not blocked.
• Legacy .NET + modern payment gateway TLS: .NET Framework 4.x apps on Windows Server 2019 do NOT automatically use TLS 1.2 unless the registry keys SchUseStrongCrypto=1 + SystemDefaultTlsVersions=1 are set under BOTH HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 AND HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319. Payment gateways (CyberSource, etc.) that drop TLS 1.0/1.1 will silently fail with "Could not create SSL/TLS secure channel" without this fix. App pool recycle required after registry change. Verify via the payments DB (look for fresh approvals), not just a TLS probe.
• MailProtector digest provisioning is per-mailbox on the MailProtector side: The SCL=-1 transport rule (Priority 4) ensures digest emails from noreply@azcomputerguru.com are not spam-filtered by EOP — but a mailbox that was never provisioned in MailProtector will never receive a digest regardless of EOP rules. Confirmed via message trace (shannon@glaztech.com: 629 digests sent to ~60 recipients over 10 days, 0 to Shannon). Fix is on the MailProtector partner portal — no Exchange change needed.
• Glaztech custom web app — stored card feature requires tokenization to remediate safely: Cards in cc_file are there for auto-pay via gt_auto_process_2020.dll. Deleting the PANs without a replacement breaks the auto-billing feature. The safe path is CyberSource token vault migration (tokenize on write, replace stored PAN with token, update gt_auto_process to bill by token). Quick win: purge CVV (cc_code) immediately — this has no functional impact and is the fastest PCI Req 3.2 remediation.
• Glaztech SQL login (tom) + Web.config creds are NOT in the SOPS vault. Do not commit these credentials. If future automation needs SQL access, vault them first.

Active Work

PDF Preview Fix (DEPLOYMENT-READY — pending execution)

Scripts in clients/glaztech/:

• Fix-PDFPreview-Glaztech-UPDATED.ps1 — updated remediation (recommended)
• Fix-PDFPreview-Glaztech.ps1 — original
• Deploy-PDFFix-BulkRemote.ps1 — bulk remote deployment
• GPO-Configuration-Guide.md — GPO method
• QUICK-REFERENCE.md — summary of all three methods

Deploy via Option A (ScreenConnect, individual), Option B (bulk remote via PS remoting), or Option C (GPO). Waiting on file server hostnames/IPs from Steve before bulk deploy.

MFA Rollout (Ticket #32186 — In Progress)

Waiting on Steve's reply to:

1. Service account auth methods (which use SMTP basic auth or password-only flows?)
2. Disposition of unlicensed accounts (Chauntelle, Denouser1, Gti-FaxFinder)
3. Licensing preference: Security Defaults (free, no exclusions) vs. per-user MFA (free, can exclude service accounts) vs. Conditional Access (requires Entra P1/Business Premium, ~$22/user/mo)

Do not enable Security Defaults until service accounts are confirmed safe.

MFA rollout plan: Phase 1 — user communication (install Authenticator); Phase 2 — enable enforcement; Phase 3 — follow-up stragglers; Phase 4 (future/P1) — Conditional Access with trusted IPs for office locations.

Website Security Remediation (Ticket #32378 — In Progress)

Security assessment complete 2026-06-03. Awaiting Mike/Steve direction to begin remediation. See Security Posture section and reports in clients/glaztech/reports/ for full detail. Key actions queued but not yet executed (require client sign-off):

• Purge CVV from cc_file.cc_code (backup-first; needs explicit go-ahead from Tom)
• debug="false" + customErrors="On" — can apply quickly with low risk
• Remove RealVNC 4.2.8 and stale ScreenConnect v6
• Disable TLS 1.0/1.1 on IIS/SChannel listener

gtimail@glaztech.com Daily Digest Failure (Pending — review with Steve)

The "GTIMail No-Reply - Reject Inbound" transport rule (Priority 1) rejects all inbound mail to gtimail@glaztech.com, causing the daily MailProtector digest for that address to fail every day. This is a pre-existing rule and was not modified. Confirm with Steve Eastman whether gtimail@glaztech.com should receive MailProtector digests — if so, the rule needs an exception or the recipient needs to be removed from the MailProtector digest list.

shannon@glaztech.com — MailProtector Digest Not Received (Pending — MailProtector portal)

Message trace confirmed shannon@glaztech.com receives no MailProtector digests at all (0 of 629 digests over 10 days). This is a MailProtector-side provisioning issue — she is not provisioned/enabled in the MailProtector spam summary settings. No Exchange change needed. Fix: log into the MailProtector partner portal and enable the Spam Summary for shannon@glaztech.com. No vault credentials exist for MailProtector — manual portal access only.

Pending follow-ups

• Audit 38 OAuth consent grants (not done as of 2026-04-21)
• Confirm DKIM signing active in M365 for glaztech.com
• Monitor DMARC aggregate reports (rua=noreply@glaztech.com — should be a monitored mailbox or reporting service)
• Security awareness training for staff (multiple employees forwarded and replied to obvious phishing in April 2026)
• Review whether any user clicked phishing links (check sign-in logs for suspicious auth attempts post-April 17)
• Notify Steve: glassservices.com vendor needs to fix their SPF record (v=spf1 -all)
• Harts Glass original rejected emails need to be resent by sender — our SCL bypass is live but NDR'd messages do not auto-retry
• Consider creating retroactive Syncro ticket for 2026-05-28 SHVSALES email delivery work
• Monitor continued card payment success on WWW after 2026-06-03 TLS fix (verify web_payment_header for ongoing approvals)
• Tom code fallback (ServicePointManager.SecurityProtocol = Tls12 in app code) staged but not deployed — can apply if registry fix ever regresses

History Highlights

• [~15 years prior] Long-standing managed client.
• 2026-01-27 — PDF preview break caused by Windows MOTW update (KB5066791/KB5066835). Fix scripts created. Deployment pending.
• 2026-04-17 — Two phishing campaigns bypassed MailProtector via direct-to-M365 MX bypass. 32 messages purged across 8 users. Hardened: MX 10 removed, DMARC p=reject, Enhanced Filtering Connectors enabled. Remediation tool onboarded (admin consent, Exchange Admin role). Forensic evidence preserved in clients/glaztech/reports/.
• 2026-04-20 — Exchange transport rule created to allow clearcutglass.com mail (DMARC bypass, SCL=-1) while Team Logic IT fixed their DNS. Ticket #32176 created.
• 2026-04-21 — clearcutglass.com DNS fixed by Team Logic IT (Jordan Fox). Transport rule removed. External Global Admin (glaztechadmin from tomakkglass.com / Team Logic IT) removed from tenant. M365 security review surfaced: no MFA, 38 OAuth grants, unlicensed accounts, service account audit needed. Ticket #32186 opened for MFA implementation. Feedback: use expert-partner tone with Steve, not open-ended discovery questions.
• 2026-05-28 — SHVSALES@glaztech.com vendor email delivery failure. Root cause: vendors (centurytel.net, eastexglass.com) publish DMARC p=reject; Enhanced Filtering re-evaluates past MailProtector relay, producing 550 5.7.509 NDR. Fix: two SCL=-1 transport rules created (Priority 2: specific addresses for hartsglass, olemons, SSales, bossier; Priority 3: aaaglassinc.com domain). glassservices.com SPF broken (-all) — workaround only, vendor must fix.
• 2026-06-02 — MailProtector quarantine digest messages from noreply@azcomputerguru.com confirmed hitting FilteredAsSpam for some recipients (e.g., tshaw@glaztech.com). Transport rule created: "SCL Bypass - noreply@azcomputerguru.com (MailProtector digests)" at Priority 4 (From=noreply@azcomputerguru.com, SetSCL=-1). Message trace via Get-MessageTraceV2 also revealed gtimail@glaztech.com failing daily due to pre-existing Priority-1 reject rule — flagged for Steve review.
• 2026-06-03 — Three tickets on web server WWW (192.168.8.72 / 65.113.52.88), all via GuruRMM. (1) Apex 404 emergency: glaztech.com returned 404 (IIS site glaztech_new had www-only binding); added apex http:80+https:443 bindings (cert SAN already covered apex), then added HTTP→HTTPS 301 URL Rewrite redirect with /.well-known/acme-challenge/ exclusion (Certify/LE HTTP-01 renewal safe). web.config.bak-20260603-090701 created. Ticket #32376 — Resolved, 1h remote. (2) CyberSource payment outage ("Could not create SSL/TLS secure channel"): CyberSource (PNC merchant processor) disabled TLS 1.0/1.1; .NET 4.x on Server 2019 defaulted to old TLS. Fix: SchUseStrongCrypto=1 + SystemDefaultTlsVersions=1 in both .NETFramework\v4.0.30319 hives + app pool glaztech_new recycle. Verified via payments DB (credit-card approval at 09:36 post-fix). Ticket #32377 — Resolved, 1.5h emergency remote. (3) Security assessment: read-only deep inspection of IIS config, VB.NET source, and SQL backend revealed CRITICAL posture: full PANs + CVV plaintext, ~9,000+ plaintext passwords, SQL injection via quo() helper in payment pages, reflected XSS, debug mode on, dev workstation on prod, RealVNC 4.2.8, TLS 1.0/1.1 listener, single shared SQL login. Exposure contained to custom web-app DBs (not Sage 100 which tokenizes). Two reports created. Ticket #32378 opened and left In Progress for remediation. Billed 1h remote. Prepaid block: 26.5 → 22.25 hrs. Also: shannon@glaztech.com digest-not-received confirmed as MailProtector provisioning issue (not Exchange) — requires MailProtector partner-portal fix.

Backlinks

• wiki/systems/ix-webhosting.md [if exists] — DNS hosted on IX server