276 lines
8.4 KiB
Markdown
276 lines
8.4 KiB
Markdown
# Onboarding Diagnostic Baseline - BLASTER2
|
|
|
|
- **Grade:** RED
|
|
- **Host:** BLASTER2
|
|
- **Client:** Jimmy Company (`jimmy`)
|
|
- **Collected (UTC):** 2026-06-19T19:17:04Z
|
|
- **Agent ID:** abddc0ce-a226-48f1-b913-263a81013389
|
|
- **Command ID:** 3c5d39d3-b653-4c6f-b8e4-1146c1a59be9
|
|
- **Findings:** 3 critical / 4 warning / 12 info / 3 unknown
|
|
|
|
- **OS:** Microsoft Windows 10 Pro (build 19045)
|
|
|
|
---
|
|
|
|
## CRITICAL (3)
|
|
|
|
### Foreign management/remote-access agent: Kaseya
|
|
- **Category:** security
|
|
- **ID:** `sec.foreign_agents.kaseya`
|
|
- A competitor RMM or unmanaged remote-access tool is present. At onboarding this is a security and control risk (a prior MSP or attacker may retain remote access). Verify it is authorized; if not, remove it.
|
|
|
|
```
|
|
service: KaseyaConnectAPIService (Kaseya Connect API Service) Stopped
|
|
```
|
|
|
|
### OS build is end-of-life: Win10 22H2
|
|
- **Category:** security
|
|
- **ID:** `sec.patch.os_eol`
|
|
- This OS build (19045, Win10 22H2) passed end-of-servicing on 2025-10-14. It no longer receives security updates. Plan a feature update or OS upgrade.
|
|
|
|
```
|
|
Microsoft Windows 10 Pro build 19045; EOL 2025-10-14
|
|
```
|
|
|
|
### RDP enabled WITHOUT Network Level Authentication
|
|
- **Category:** security
|
|
- **ID:** `sec.exposure.rdp_no_nla`
|
|
- RDP is on and NLA is not required. This exposes the logon screen pre-auth and is vulnerable to pre-auth exploits and brute force. Require NLA, restrict RDP to VPN/allow-listed IPs, or disable RDP.
|
|
|
|
```
|
|
fDenyTSConnections=0; UserAuthentication=0
|
|
```
|
|
|
|
|
|
## WARNING (4)
|
|
|
|
### 5 pending Windows updates
|
|
- **Category:** security
|
|
- **ID:** `sec.patch.pending`
|
|
- Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window.
|
|
|
|
```
|
|
Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 5
|
|
```
|
|
|
|
### Stability events present in the last 14 days
|
|
- **Category:** health
|
|
- **ID:** `health.stability.some`
|
|
- One or more unexpected shutdowns, BSODs, or disk errors occurred recently. Monitor and correlate with user reports.
|
|
|
|
```
|
|
Unexpected shutdowns (id 41)=2; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=0
|
|
```
|
|
|
|
### Reboot pending
|
|
- **Category:** health
|
|
- **ID:** `health.reboot_uptime.pending`
|
|
- A reboot is pending. Pending reboots can block patches and leave the system in a half-updated state. Schedule a restart.
|
|
|
|
```
|
|
PendingFileRenameOperations
|
|
```
|
|
|
|
### 7 auto-start service(s) not running
|
|
- **Category:** health
|
|
- **ID:** `health.failed_services.stopped`
|
|
- These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running.
|
|
|
|
```
|
|
GoogleUpdaterInternalService150.0.7863.0 (Google Updater Internal Service (GoogleUpdaterInternalService150.0.7863.0)) = Stopped
|
|
GoogleUpdaterService150.0.7863.0 (Google Updater Service (GoogleUpdaterService150.0.7863.0)) = Stopped
|
|
gpsvc (Group Policy Client) = Stopped
|
|
KaseyaConnectAPIService (Kaseya Connect API Service) = Stopped
|
|
RasMan (Remote Access Connection Manager) = Stopped
|
|
stisvc (Windows Image Acquisition (WIA)) = Stopped
|
|
WMPNetworkSvc (Windows Media Player Network Sharing Service) = Stopped
|
|
```
|
|
|
|
|
|
## INFO (12)
|
|
|
|
### Defender active and current
|
|
- **Category:** security
|
|
- **ID:** `sec.defender.ok`
|
|
- Real-time protection on, service running, signatures current.
|
|
|
|
```
|
|
RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=0 days; IsTamperProtected=True
|
|
```
|
|
|
|
### Defender is the only registered AV
|
|
- **Category:** security
|
|
- **ID:** `sec.av_products.defender_only`
|
|
- Only Microsoft/Windows Defender is registered in Security Center.
|
|
|
|
```
|
|
Windows Defender
|
|
```
|
|
|
|
### Expected ACG management tooling present: ScreenConnect / ConnectWise Control
|
|
- **Category:** security
|
|
- **ID:** `sec.foreign_agents.acg.screenconnect_connectwise_control`
|
|
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
|
|
|
|
```
|
|
program: ScreenConnect Client (1912bf3444b41a08) 26.3.11.9650
|
|
service: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running
|
|
```
|
|
|
|
### Expected ACG management tooling present: Splashtop (SOS/Streamer)
|
|
- **Category:** security
|
|
- **ID:** `sec.foreign_agents.acg.splashtop_sos_streamer_`
|
|
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
|
|
|
|
```
|
|
program: Splashtop Streamer 3.8.4.0
|
|
service: SplashtopRemoteService (Splashtop? Remote Service) Running
|
|
```
|
|
|
|
### Expected ACG management tooling present: Syncro / Kabuto
|
|
- **Category:** security
|
|
- **ID:** `sec.foreign_agents.acg.syncro_kabuto`
|
|
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
|
|
|
|
```
|
|
program: Syncro 1.0.201.18410
|
|
service: Syncro (Syncro) Running
|
|
```
|
|
|
|
### Local administrators (3)
|
|
- **Category:** security
|
|
- **ID:** `sec.local_admins.list`
|
|
- Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).
|
|
|
|
```
|
|
Blaster2\Administrator
|
|
Blaster2\Jimmy
|
|
Blaster2\localadmin
|
|
```
|
|
|
|
### Last hotfix: KB5037768
|
|
- **Category:** security
|
|
- **ID:** `sec.patch.last_hotfix`
|
|
- Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).
|
|
|
|
```
|
|
KB5037768 installed 2024-05-16T07:00:00Z
|
|
```
|
|
|
|
### SMBv1 disabled
|
|
- **Category:** security
|
|
- **ID:** `sec.exposure.smb1_off`
|
|
- SMBv1 server protocol is disabled.
|
|
|
|
```
|
|
EnableSMB1Protocol=False
|
|
```
|
|
|
|
### LAPS detected
|
|
- **Category:** security
|
|
- **ID:** `sec.exposure.laps_present`
|
|
- A LAPS mechanism is present.
|
|
|
|
```
|
|
Windows LAPS reg key
|
|
```
|
|
|
|
### Not domain-joined (workgroup)
|
|
- **Category:** health
|
|
- **ID:** `health.domain.workgroup`
|
|
- This machine is in workgroup/Azure AD only mode (Domain=WORKGROUP). No on-prem AD secure channel applies.
|
|
|
|
```
|
|
PartOfDomain=False; Domain=WORKGROUP
|
|
```
|
|
|
|
### Time service source
|
|
- **Category:** health
|
|
- **ID:** `health.time.source`
|
|
- Current Windows Time service source.
|
|
|
|
```
|
|
Source=time.windows.com,0x9
|
|
```
|
|
|
|
### Backup agent installed and running
|
|
- **Category:** health
|
|
- **ID:** `health.backup.present`
|
|
- A backup agent service is present and running. Confirm the backup is actually configured and reporting successful jobs (presence != working backup).
|
|
|
|
```
|
|
Acronis: AcrSch2Svc = Running
|
|
Acronis: afcdpsrv = Running
|
|
Acronis: syncagentsrv = Running
|
|
```
|
|
|
|
|
|
## UNKNOWN (3)
|
|
|
|
### Check failed: Windows Firewall profiles
|
|
- **Category:** security
|
|
- **ID:** `sec.firewall.error`
|
|
- The probe could not complete this check. Manual review recommended.
|
|
|
|
```
|
|
Invalid class
|
|
```
|
|
|
|
### BitLocker status unavailable
|
|
- **Category:** security
|
|
- **ID:** `sec.bitlocker.unavailable`
|
|
- Get-BitLockerVolume failed for the OS volume. BitLocker may not be installed (Home edition) or the cmdlet is unavailable. Verify encryption manually (manage-bde -status).
|
|
|
|
```
|
|
MountPoint=C:, Get-BitLockerVolume returned null
|
|
```
|
|
|
|
### Physical disk health unavailable
|
|
- **Category:** health
|
|
- **ID:** `health.disk_smart.unavailable`
|
|
- Get-PhysicalDisk is unavailable (older OS / RAID controller hiding disks). Verify drive health via vendor tools.
|
|
|
|
```
|
|
Get-PhysicalDisk returned null
|
|
```
|
|
|
|
|
|
---
|
|
|
|
## Inventory Baseline Summary
|
|
|
|
- **Manufacturer / Model:** LENOVO / 0967B5U
|
|
- **Serial:** MGN1197
|
|
- **CPU:** Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz (4 cores / 4 logical)
|
|
- **RAM (GB):** 3.8
|
|
- **BIOS:** F1KT54AUS (2013-07-15)
|
|
- **Chassis is laptop:** false
|
|
- **TPM present / Secure Boot:** ? / ?
|
|
- **Domain joined:** false (WORKGROUP)
|
|
- **OS activation licensed:** true
|
|
- **Uptime (days):** 0.1
|
|
- **Pending reboot:** true
|
|
- **Installed software count:** 86
|
|
- **Scheduled tasks (non-MS, enabled):** 10
|
|
- **Local administrators:** Blaster2\Administrator, Blaster2\Jimmy, Blaster2\localadmin
|
|
|
|
### Fixed volumes
|
|
|
|
- C: - 71.9 GB free of 230 GB (31.2%)
|
|
- E: - 0.7 GB free of 7451.9 GB (0%)
|
|
- Q: - 2.2 GB free of 2.3 GB (96%)
|
|
|
|
### Network adapters
|
|
|
|
- Realtek PCIe GbE Family Controller - IP: 192.168.0.95, fe80::c6a9:daea:630b:2011 - DNS: 8.8.8.8, 8.8.4.4 - DHCP: true
|
|
|
|
---
|
|
|
|
## Diff vs Prior Baseline
|
|
|
|
- No prior baseline found for this host. This is the first baseline.
|
|
|
|
---
|
|
|
|
_Generated by run-onboarding-diagnostic.sh (GuruRMM onboarding diagnostic, Phase 1). Raw snapshot: `BLASTER2-20260619T191759.json` (immutable)._
|