azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f4fb1315297a01acfc95874d503871382c05a863
claudetools/wiki/clients/glaztech.md
Mike Swanson 32f64a9561 wiki: seed 9 client articles (internal-infra, peaceful-spirit, cryoweave, glaztech, pavon, grabb-durando, stamback-septic, sombra-residential, birth-biologic) 
Notable findings per article:
- internal-infrastructure: Neptune cert expires 2026-05-31, DkimSigner
  disabled (unsigned outbound mail), Cloudflare tunnel on Jupiter
- peaceful-spirit: L2TP/IPsec RRAS VPN; billing/Syncro ID undocumented
- cryoweave: website redesign pending client assets
- glaztech: phishing bypassed MailProtector via secondary MX (fixed);
  no MFA enforcement yet; do not enable Security Defaults yet
- pavon: OwnCloud cron stacking fixed; Nextcloud migration deferred
- grabb-durando: plaintext DB password in README needs vaulting; AI
  demand review app scoped
- stamback-septic: WS2012 EOL server on network
- sombra-residential: Server2013 is actually WS2012 EOL unpatched
- birth-biologic: Datto→SharePoint migration unconfirmed complete

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-24 19:38:50 -07:00

126 lines
8.6 KiB
Markdown
Raw Blame History

---
type: client
name: glaztech
display_name: Glaz-Tech Industries
last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main
sources:
- clients/glaztech/session-logs/2026-04-20-session.md
- clients/glaztech/session-logs/2026-04-21-session.md
- clients/glaztech/reports/2026-04-17-phishing-incident-report.md
- clients/glaztech/PROJECT_STATE.md
- clients/glaztech/README.md
backlinks: []
---
# Glaz-Tech Industries
## Profile
- **Contract type:** Managed (long-term — ~15 years per session logs)
- **Key contacts:** Steve Eastman — seastman@glaztech.com — internal IT, ~200 users, 9 locations. Desktop-level tech; guides technical direction, ACG implements.
- **Billing rate:** [unverified — not recorded in session logs]
- **Syncro customer ID:** 143932
- **Active tickets:** #32176 (DMARC override, Invoiced), #32186 (M365 Security Review / MFA, In Progress as of 2026-04-21)
- **GuruRMM client ID:** d857708c-5713-4ee5-a314-679f86d2f9f9
- **GuruRMM site:** SLC - Salt Lake City (Site ID: 290bd2ea-4af5-49c6-8863-c6d58c5a55de)
## Infrastructure
### Servers & Services
No dedicated on-premises server infrastructure documented. Multi-site Windows environment (~200 users, 9 locations). Active Directory confirmed (OUs referenced in deployment scripts). IP range: 192.168.0.0/24 through 192.168.9.0/24 (10 site subnets, one per site).
| Service | Details | Notes |
|---|---|---|
| M365 tenant | glaztechindustries.onmicrosoft.com | ~200 users, basic licensing (no Entra P1) |
| Exchange Online | glaztech.com | MailProtector inbound filter (MX 5 primary) |
| Active Directory | glaztech.com domain | [unverified — AD inferred from OU references in scripts] |
### Email & Identity
- **M365 tenant:** glaztechindustries.onmicrosoft.com
- **Tenant ID:** 82931e3c-de7a-4f74-87f7-fe714be1f160
- **Primary domain:** glaztech.com
- **Inbound mail filter:** MailProtector — `glaztech-com.inbound.emailservice.io` (MX 5, sole MX as of 2026-04-17)
- **DMARC:** p=reject; sp=reject (hardened 2026-04-17, was p=none)
- **DKIM:** CNAME records exist for selector1/selector2 — active status unverified [WARNING: confirm DKIM is active in M365]
- **MFA status:** [WARNING] DISABLED as of 2026-04-21. Security Defaults off. No Conditional Access (requires Entra P1, not licensed). ~160 users with password-only sign-in. MFA rollout is open work item — do not enable Security Defaults until service account audit is complete (see Active Work).
- **Licensing:** Basic M365 (no Entra P1 / Business Premium). Per-user MFA or Security Defaults are the available free options.
- **Mailbox forwarding (internal, low risk):** Payroll@glaztech.com → carmen@glaztech.com; TUCCSR@glaztech.com → bryce@glaztech.com
- **OAuth consent grants:** 38 grants — not audited as of last session
### Network
- **Sites:** 9 locations
- **IP ranges:** 192.168.0.x through 192.168.9.x (one subnet per site — up to 10 sites)
- **Firewall/ISP:** [unverified — not documented]
- **DNS hosted on:** IX server (172.16.3.10), PowerDNS. Zone file: `/var/named/glaztech.com.db`
## Access
- **Remediation tool:** ComputerGuru apps consented in tenant (Exchange Operator, Security Investigator, Tenant Admin, Defender Add-on)
- **Exchange Operator App ID:** b43e7342-5b4b-492f-890f-bb5a4f7f40e9
- **Remediation tool app (AI):** fabb3421-8b34-484b-bc17-e46de9703418
- **Exchange Admin role:** Assigned to ACG service principal in Entra
- **Global Admin account:** admin@glaztechindustries.onmicrosoft.com (ACG admin only — external GA from tomakkglass.com removed 2026-04-21)
- **Vault path:** `clients/glaztech/` [no SOPS credential file documented — remediation tool uses MSP-wide app credentials]
- **Exchange Operator vault:** `msp-tools/computerguru-exchange-operator.sops.yaml`
- **DNS access:** `root@172.16.3.10` (IX server)
- **Deploy (endpoints):** ScreenConnect or GuruRMM
## Patterns & Known Issues
- **Phishing via direct-to-M365 MX bypass:** Two phishing campaigns in April 2026 succeeded because DNS had a secondary MX record (`glaztech-com.mail.protection.outlook.com` at priority 10) that bypassed MailProtector. Hardened: MX 10 removed, DMARC to p=reject, Enhanced Filtering for Connectors enabled. Do not re-add a secondary MX record.
- **Inbound connector IP restriction:** Do NOT restrict `SenderIPAddresses` on the "Inbound Spam Filter" connector — blocks legitimate calendar invites from external M365 tenants (learned from Dataforth incident). EFSkipIPs are set to MailProtector IPs instead.
- **Service accounts need audit before MFA rollout:** Shoretel, mitel, Gti-FaxFinder, GTIMail, GTIQUOTE, CAS1944, clerk — all need SMTP/auth method confirmation before Security Defaults can be enabled.
- **PDF preview broken (MOTW):** Windows KB5066791/KB5066835 broke PDF preview on network shares via Mark of the Web. Fix scripts are ready in `clients/glaztech/` — deployment is pending (as of 2026-03-30).
- **clearcutglass.com DMARC history:** Corena Spottsville (clearcutglass.com) emails to seastman and zulema were rejected. Temporary transport rule (SCL=-1) was set and removed on 2026-04-21. SPF ~all weakness noted to Team Logic IT (Jordan Fox, jfox@tlit60302.com); recommend they harden to -all and confirm DKIM.
- **Client tone:** ACG has managed GlazTech ~15 years. Steve Eastman is a trusted internal IT partner. Comments and communication should lead with what we know, state findings and actions taken, ask only one targeted question if needed — not open-ended discovery.
- **Unlicensed accounts (pending Steve confirmation):** Chauntelle@glaztech.com, Denouser1@glaztech.com, Gti-FaxFinder@glaztech.com.
## Active Work
### PDF Preview Fix (DEPLOYMENT-READY — pending execution)
Scripts in `clients/glaztech/`:
- `Fix-PDFPreview-Glaztech-UPDATED.ps1` — updated remediation (recommended)
- `Fix-PDFPreview-Glaztech.ps1` — original
- `Deploy-PDFFix-BulkRemote.ps1` — bulk remote deployment
- `GPO-Configuration-Guide.md` — GPO method
- `QUICK-REFERENCE.md` — summary of all three methods
Deploy via Option A (ScreenConnect, individual), Option B (bulk remote via PS remoting), or Option C (GPO). Waiting on file server hostnames/IPs from Steve before bulk deploy.
### MFA Rollout (Ticket #32186 — In Progress)
Waiting on Steve's reply to:
1. Service account auth methods (which use SMTP basic auth or password-only flows?)
2. Disposition of unlicensed accounts (Chauntelle, Denouser1, Gti-FaxFinder)
3. Licensing preference: Security Defaults (free, no exclusions) vs. per-user MFA (free, can exclude service accounts) vs. Conditional Access (requires Entra P1/Business Premium, ~$22/user/mo)
**Do not enable Security Defaults until service accounts are confirmed safe.**
MFA rollout plan: Phase 1 — user communication (install Authenticator); Phase 2 — enable enforcement; Phase 3 — follow-up stragglers; Phase 4 (future/P1) — Conditional Access with trusted IPs for office locations.
### Pending follow-ups
- Audit 38 OAuth consent grants (not done as of 2026-04-21)
- Confirm DKIM signing active in M365 for glaztech.com
- Monitor DMARC aggregate reports (rua=noreply@glaztech.com — should be a monitored mailbox or reporting service)
- Security awareness training for staff (multiple employees forwarded and replied to obvious phishing in April 2026)
- Review whether any user clicked phishing links (check sign-in logs for suspicious auth attempts post-April 17)
- Confirm test email clean delivery from clearcutglass.com after DMARC fix
## History Highlights
- **[~15 years prior]** Long-standing managed client.
- **2026-01-27** — PDF preview break caused by Windows MOTW update (KB5066791/KB5066835). Fix scripts created. Deployment pending.
- **2026-04-17** — Two phishing campaigns bypassed MailProtector via direct-to-M365 MX bypass. 32 messages purged across 8 users. Hardened: MX 10 removed, DMARC p=reject, Enhanced Filtering Connectors enabled. Remediation tool onboarded (admin consent, Exchange Admin role). Forensic evidence preserved in `clients/glaztech/reports/`.
- **2026-04-20** — Exchange transport rule created to allow clearcutglass.com mail (DMARC bypass, SCL=-1) while Team Logic IT fixed their DNS. Ticket #32176 created.
- **2026-04-21** — clearcutglass.com DNS fixed by Team Logic IT (Jordan Fox). Transport rule removed. External Global Admin (glaztechadmin from tomakkglass.com / Team Logic IT) removed from tenant. M365 security review surfaced: no MFA, 38 OAuth grants, unlicensed accounts, service account audit needed. Ticket #32186 opened for MFA implementation. Feedback: use expert-partner tone with Steve, not open-ended discovery questions.
## Backlinks
- `wiki/systems/ix-webhosting.md` [if exists] — DNS hosted on IX server
Reference in New Issue View Git Blame Copy Permalink