| type | name | display_name | last_compiled | compiled_by | sources | backlinks |
|---|---|---|---|---|---|---|
| client | glaztech | Glaz-Tech Industries | 2026-05-24 | DESKTOP-0O8A1RL/claude-main | | |
Glaz-Tech Industries
Profile
- Contract type: Managed (long-term — ~15 years per session logs)
- Key contacts: Steve Eastman — seastman@glaztech.com — internal IT, ~200 users, 9 locations. Desktop-level tech; guides technical direction, ACG implements.
- Billing rate: [unverified — not recorded in session logs]
- Syncro customer ID: 143932
- Active tickets: #32176 (DMARC override, Invoiced), #32186 (M365 Security Review / MFA, In Progress as of 2026-04-21)
- GuruRMM client ID: d857708c-5713-4ee5-a314-679f86d2f9f9
- GuruRMM site: SLC - Salt Lake City (Site ID: 290bd2ea-4af5-49c6-8863-c6d58c5a55de)
Infrastructure
Servers & Services
No dedicated on-premises server infrastructure documented. Multi-site Windows environment (~200 users, 9 locations). Active Directory confirmed (OUs referenced in deployment scripts). IP range: 192.168.0.0/24 through 192.168.9.0/24 (10 site subnets, one per site).
| Service | Details | Notes |
|---|---|---|
| M365 tenant | glaztechindustries.onmicrosoft.com | ~200 users, basic licensing (no Entra P1) |
| Exchange Online | glaztech.com | MailProtector inbound filter (MX 5 primary) |
| Active Directory | glaztech.com domain | [unverified — AD inferred from OU references in scripts] |
Email & Identity
- M365 tenant: glaztechindustries.onmicrosoft.com
- Tenant ID: 82931e3c-de7a-4f74-87f7-fe714be1f160
- Primary domain: glaztech.com
- Inbound mail filter: MailProtector — `glaztech-com.inbound.emailservice.io` (MX 5, sole MX as of 2026-04-17)
- DMARC: p=reject; sp=reject (hardened 2026-04-17, was p=none)
- DKIM: CNAME records exist for selector1/selector2 — active status unverified [WARNING: confirm DKIM is active in M365]
- MFA status: [WARNING] DISABLED as of 2026-04-21. Security Defaults off. No Conditional Access (requires Entra P1, not licensed). ~160 users with password-only sign-in. MFA rollout is open work item — do not enable Security Defaults until service account audit is complete (see Active Work).
- Licensing: Basic M365 (no Entra P1 / Business Premium). Per-user MFA or Security Defaults are the available free options.
- Mailbox forwarding (internal, low risk): Payroll@glaztech.com → carmen@glaztech.com; TUCCSR@glaztech.com → bryce@glaztech.com
- OAuth consent grants: 38 grants — not audited as of last session
Network
- Sites: 9 locations
- IP ranges: 192.168.0.x through 192.168.9.x (one subnet per site — up to 10 sites)
- Firewall/ISP: [unverified — not documented]
- DNS hosted on: IX server (172.16.3.10), PowerDNS. Zone file: `/var/named/glaztech.com.db`
Access
- Remediation tool: ComputerGuru apps consented in tenant (Exchange Operator, Security Investigator, Tenant Admin, Defender Add-on)
- Exchange Operator App ID: b43e7342-5b4b-492f-890f-bb5a4f7f40e9
- Remediation tool app (AI): fabb3421-8b34-484b-bc17-e46de9703418
- Exchange Admin role: Assigned to ACG service principal in Entra
- Global Admin account: admin@glaztechindustries.onmicrosoft.com (ACG admin only — external GA from tomakkglass.com removed 2026-04-21)
- Vault path: `clients/glaztech/` [no SOPS credential file documented — remediation tool uses MSP-wide app credentials]
- Exchange Operator vault: `msp-tools/computerguru-exchange-operator.sops.yaml`
- DNS access: `root@172.16.3.10` (IX server)
- Deploy (endpoints): ScreenConnect or GuruRMM
Patterns & Known Issues
- Phishing via direct-to-M365 MX bypass: Two phishing campaigns in April 2026 succeeded because DNS had a secondary MX record (`glaztech-com.mail.protection.outlook.com` at priority 10) that bypassed MailProtector. Hardened: MX 10 removed, DMARC to p=reject, Enhanced Filtering for Connectors enabled. Do not re-add a secondary MX record.
- Inbound connector IP restriction: Do NOT restrict `SenderIPAddresses` on the "Inbound Spam Filter" connector — it blocks legitimate calendar invites from external M365 tenants (learned from Dataforth incident). EFSkipIPs are set to MailProtector IPs instead.
- Service accounts need audit before MFA rollout: Shoretel, mitel, Gti-FaxFinder, GTIMail, GTIQUOTE, CAS1944, clerk — all need SMTP/auth method confirmation before Security Defaults can be enabled.
- PDF preview broken (MOTW): Windows KB5066791/KB5066835 broke PDF preview on network shares via Mark of the Web. Fix scripts are ready in `clients/glaztech/`; deployment is pending (as of 2026-03-30).
- clearcutglass.com DMARC history: Corena Spottsville (clearcutglass.com) emails to seastman and zulema were rejected. Temporary transport rule (SCL=-1) was set and removed on 2026-04-21. SPF ~all weakness noted to Team Logic IT (Jordan Fox, jfox@tlit60302.com); recommend they harden to -all and confirm DKIM.
- Client tone: ACG has managed GlazTech ~15 years. Steve Eastman is a trusted internal IT partner. Comments and communication should lead with what we know, state findings and actions taken, ask only one targeted question if needed — not open-ended discovery.
- Unlicensed accounts (pending Steve confirmation): Chauntelle@glaztech.com, Denouser1@glaztech.com, Gti-FaxFinder@glaztech.com.
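A posture check for the MX-bypass, DMARC and DKIM items above, added here as an example; it is not part of the ACG wiki or any ACG script. It evaluates a record set you supply (for example pasted from `dig` output) against the hardened state recorded on this page; the sample inputs and the DKIM CNAME targets are constructed.

```python
# Added example (not ACG code): check a domain's inbound-mail posture against the
# GlazTech hardening state: a single MX host (the filter), DMARC p=reject/sp=reject,
# and DKIM selector CNAMEs present. Records are passed in; nothing is resolved here.

FILTER_MX = "glaztech-com.inbound.emailservice.io"  # MailProtector host from the page

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag -> value dict (tags lower-cased)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_mail_posture(mx_records, dmarc_txt, dkim_cnames, filter_host=FILTER_MX):
    """Return a list of findings. mx_records: list of (priority, host);
    dkim_cnames: dict selector -> CNAME target ('' or missing if absent)."""
    findings = []
    hosts = {h.rstrip(".").lower() for _, h in mx_records}
    # Any MX besides the filter lets a sender deliver straight to M365,
    # skipping MailProtector: this is exactly the April 2026 bypass.
    for extra in sorted(hosts - {filter_host}):
        findings.append(f"MX bypass: {extra} accepts mail without the inbound filter")
    if filter_host not in hosts:
        findings.append(f"filter MX missing: {filter_host} not in MX set")
    d = parse_dmarc(dmarc_txt)
    if d.get("v", "").upper() != "DMARC1":
        findings.append("DMARC record missing or malformed")
    else:
        if d.get("p") != "reject":
            findings.append(f"DMARC policy is p={d.get('p', 'none')}, expected reject")
        if d.get("sp", d.get("p")) != "reject":  # sp defaults to p when absent
            findings.append("DMARC subdomain policy is not reject")
        if "rua" not in d:
            findings.append("DMARC has no rua= aggregate-report address")
    # CNAME presence is necessary but not sufficient: signing must also be
    # enabled in the M365 admin center (the page's open DKIM item).
    for selector in ("selector1", "selector2"):
        if not dkim_cnames.get(selector):
            findings.append(f"DKIM CNAME for {selector}._domainkey missing")
    return findings

# Constructed sample: the pre-hardening state seen in April 2026 (CNAME targets made up).
BEFORE = dict(
    mx_records=[(5, FILTER_MX), (10, "glaztech-com.mail.protection.outlook.com.")],
    dmarc_txt="v=DMARC1; p=none; rua=mailto:noreply@glaztech.com",
    dkim_cnames={"selector1": "constructed-target-1", "selector2": "constructed-target-2"},
)
# Constructed sample: the hardened state as of 2026-04-17.
AFTER = dict(BEFORE, mx_records=[(5, FILTER_MX)],
             dmarc_txt="v=DMARC1; p=reject; sp=reject; rua=mailto:noreply@glaztech.com")

if __name__ == "__main__":
    for label, state in (("before", BEFORE), ("after", AFTER)):
        print(label, assess_mail_posture(**state) or ["no findings"])
```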
Active Work
PDF Preview Fix (DEPLOYMENT-READY — pending execution)
Scripts in `clients/glaztech/`:
- `Fix-PDFPreview-Glaztech-UPDATED.ps1` — updated remediation (recommended)
- `Fix-PDFPreview-Glaztech.ps1` — original
- `Deploy-PDFFix-BulkRemote.ps1` — bulk remote deployment
- `GPO-Configuration-Guide.md` — GPO method
- `QUICK-REFERENCE.md` — summary of all three methods
Deploy via Option A (ScreenConnect, individual), Option B (bulk remote via PS remoting), or Option C (GPO). Waiting on file server hostnames/IPs from Steve before bulk deploy.
MFA Rollout (Ticket #32186 — In Progress)
Waiting on Steve's reply to:
- Service account auth methods (which use SMTP basic auth or password-only flows?)
- Disposition of unlicensed accounts (Chauntelle, Denouser1, Gti-FaxFinder)
- Licensing preference: Security Defaults (free, no exclusions) vs. per-user MFA (free, can exclude service accounts) vs. Conditional Access (requires Entra P1/Business Premium, ~$22/user/mo)
Do not enable Security Defaults until service accounts are confirmed safe.
MFA rollout plan: Phase 1 — user communication (install Authenticator); Phase 2 — enable enforcement; Phase 3 — follow-up stragglers; Phase 4 (future/P1) — Conditional Access with trusted IPs for office locations.
Pending follow-ups
- Audit 38 OAuth consent grants (not done as of 2026-04-21)
- Confirm DKIM signing active in M365 for glaztech.com
- Monitor DMARC aggregate reports (rua=noreply@glaztech.com — should be a monitored mailbox or reporting service)
- Security awareness training for staff (multiple employees forwarded and replied to obvious phishing in April 2026)
- Review whether any user clicked phishing links (check sign-in logs for suspicious auth attempts post-April 17)
- Confirm test email clean delivery from clearcutglass.com after DMARC fix
History Highlights
- [~15 years prior] Long-standing managed client.
- 2026-01-27 — PDF preview break caused by Windows MOTW update (KB5066791/KB5066835). Fix scripts created. Deployment pending.
- 2026-04-17 — Two phishing campaigns bypassed MailProtector via direct-to-M365 MX bypass. 32 messages purged across 8 users. Hardened: MX 10 removed, DMARC p=reject, Enhanced Filtering Connectors enabled. Remediation tool onboarded (admin consent, Exchange Admin role). Forensic evidence preserved in `clients/glaztech/reports/`.
- 2026-04-20 — Exchange transport rule created to allow clearcutglass.com mail (DMARC bypass, SCL=-1) while Team Logic IT fixed their DNS. Ticket #32176 created.
- 2026-04-21 — clearcutglass.com DNS fixed by Team Logic IT (Jordan Fox). Transport rule removed. External Global Admin (glaztechadmin from tomakkglass.com / Team Logic IT) removed from tenant. M365 security review surfaced: no MFA, 38 OAuth grants, unlicensed accounts, service account audit needed. Ticket #32186 opened for MFA implementation. Feedback: use expert-partner tone with Steve, not open-ended discovery questions.
Backlinks
`wiki/systems/ix-webhosting.md` [if exists] — DNS hosted on IX server