TRANSCRIPT
Managing Third Party Updates with Microsoft’s System Center Configuration Manager Secunia Integration, MMS 2015
Speakers: Kent Agerlund and Sherry Kissinger
#MMSMOA

Kent Agerlund
Owner, Coretech, http://blog.coretech.dk/author/kea/
Microsoft MVP
Copenhagen, Denmark

Sherry Kissinger
Systems Engineer, http://www.mnscug.org/blogs/sherry-kissinger
14 years experience with SMS / ConfigMgr
Microsoft MVP 2009-2015
Jackson, Wisconsin
3rd party Security Updates using SCCM and Secunia CSI integration
Secunia CSI
What is it?
• Secunia CSI is a scanning tool with an intranet backend server. The scanning tool is deployed to randomly selected ConfigMgr clients and is purely for getting a statistical random sample.
What is it NOT?
• It does NOT deploy patches on its own.
• It does NOT make any decisions for you.
Secunia CSI: how does it work?
After scanning the statistical random sample (this is a rotating sample: newly selected random machines are targeted continuously), the Secunia server compiles the data to be presented to decision makers. Because Secunia ranks findings by threat level, the "most vulnerable" applications are ranked highest. The group that reviews these reports identifies and informs application owners that their application is a high security risk, based on the results compiled by the Secunia server.
Decision Maker Reports (example)
Decision Maker Reports click-through (sample)
Secunia CSI: Decision Making
The Application Owner will evaluate the data and, depending upon their own Service Level Agreements or other factors, will decide whether to uninstall, to upgrade using a traditional package, or whether offering an update via ConfigMgr as a "Software Update" is possible and preferred over a traditional deployment.
Sample (lab) ConfigMgr Console
What a Deployment Admin would see in the ConfigMgr Console
Note that it looks just like any other patch in the console; the only thing that makes it appear different is that the Vendor will be "Secunia".
Secunia to CM Integration
Only if the Application Owner has confirmed that patching their application via something that looks like a Software Updates deployment is acceptable would they engage the ConfigMgr team to test a Secunia-synchronized package in the lab; once the patch is confirmed to perform as expected, it is moved to production. The Application Owner still needs to follow all defined processes for a deployment.
Vulnerability Reporting
For those applications synchronized according to the Application Owner, reports will be available via standard ConfigMgr SRS reporting.
ConfigMgr Report Demo
Summary
Secunia scanning of random sample workstations is meant to find the most insecure applications, which may not already be known and addressed. Deployments to address those insecurities may or may not use the Software Updates mechanism (Secunia); only the application owners can make that decision.
<End of Manager Demo>
…Now for the technical geeky stuff
Random Sampling
Why are we just sampling? How is that being done?
Randomizing script

On Error Resume Next
'------------------
'Purpose: Run a Secunia CSIA Vulnerability Scan, and log activity
'Author: Sherry Kissinger
'Created: 2015-03-10
'------------------
'Steps:
'Pick a random number between 1 and 365, if = 1 then continue, else quit.
'Delete any existing SecuniaScan.log in %temp%
'1- run csia.exe with parameters from same folder as this vbscript lives (usually a cm cache location)
' -cc using only command line options as given
' -d means to create a log file where indicated
' --ignore-crl is because we are intrAnet, not inTERnet
' --no-win-update means don't run a wua scan (no need, we have that already w/cm)
' --type 1 means look in the common areas of where software lives, not the entire hard drive (takes less time)
' NOTE: all available cmd line options are visible by running csia.exe -h
'==================
set sho = WScript.CreateObject("Wscript.Shell")
set fso = CreateObject("Scripting.FileSystemObject")
'Folder this script runs from; csia.exe is expected alongside it
strCurrentDir = Left(Wscript.ScriptFullName, (InstrRev(Wscript.ScriptFullName, "\") - 1)) & "\"
'=================
'Pick a random number from 1 to 365. If 1 or less, then continue. else, exit.
intMaxNumber = 365
intMinNumber = 1
Randomize
'Use intMinNumber as the offset so the result is 1..365 (the original line
'referenced an unassigned intLowNumber, which evaluates to 0 and shifts the range to 0..364)
intNumber = Int((intMaxNumber - intMinNumber + 1) * Rnd + intMinNumber)
if intNumber > 1 then
    'Not selected today: report success to ConfigMgr and leave without scanning
    wscript.echo 0
    wscript.quit
end if
'=================
strTemp = sho.ExpandEnvironmentStrings("%Temp%")
if fso.fileexists(strTemp & "\SecuniaScan.log") then
    fso.DeleteFile(strTemp & "\SecuniaScan.log")
end if
If fso.fileexists(strCurrentDir & "csia.exe") then
    'Hidden window (0), wait for the scan to finish (vbtrue) before continuing
    sho.run strCurrentDir & "csia.exe -cc -d " & strTemp & "\SecuniaScan.log --ignore-crl --no-win-update --type 1 ", 0, vbtrue
Else
    wscript.echo 1612
    '1612 is the msi code for 'Installation source not available'
End If
'A log file present after the run means the scan actually executed
if fso.fileexists(strTemp & "\SecuniaScan.log") then
    wscript.echo 0
end if
wscript.quit
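The 1-in-365 daily lottery in the script above decides both how many clients run the scan on a given day and how quickly the whole fleet is covered, which is what the "statistical random sample" on the decision-maker reports rests on. The following Python is an added example, not part of the session material or of Secunia's tooling: it mirrors the script's Int(... * Rnd + ...) arithmetic, including the variant in the session's original script that referenced an unassigned intLowNumber, and works out the per-run scan probability, the expected daily sample for a fleet size that is a constructed figure, and the chance that a given client is scanned at least once in a year. It does not run csia.exe.

```python
# Added example (not from the MMS 2015 session or Secunia): models the
# 1-in-365 daily lottery in the VBScript wrapper so an admin can see what
# sample size and client coverage the scheme actually yields.
# It reproduces the script's arithmetic only; it does not run csia.exe.
import random

DAYS_PER_YEAR = 365


def vbscript_pick(rnd, min_number=1, max_number=365, low_number=None):
    """Mirror of the VBScript line
        Int((intMaxNumber - intMinNumber + 1) * Rnd + <offset>)
    `rnd` plays the role of VBScript's Rnd (a float in [0, 1)).
    low_number=None models the line as originally posted, where the offset
    was an unassigned intLowNumber and so evaluated to 0; low_number=1 is
    the corrected line that uses intMinNumber as the offset."""
    low = 0 if low_number is None else low_number
    return int((max_number - min_number + 1) * rnd + low)


def scan_launched(pick):
    """The wrapper quits when the pick is greater than 1, otherwise it scans."""
    return pick <= 1


def exact_scan_probability(low_number):
    """Exact per-run probability that the scan is launched: Int() yields 365
    equally likely integers, so count those that pass the '> 1' gate."""
    low = 0 if low_number is None else low_number
    outcomes = range(low, low + DAYS_PER_YEAR)
    return sum(1 for n in outcomes if scan_launched(n)) / DAYS_PER_YEAR


def simulated_scan_probability(low_number, trials=200_000, seed=7):
    """Same quantity by simulation, as a cross-check of the closed form."""
    rng = random.Random(seed)
    hits = sum(scan_launched(vbscript_pick(rng.random(), low_number=low_number))
               for _ in range(trials))
    return hits / trials


def coverage_after(days, p_per_run):
    """Probability that one client has been scanned at least once after
    `days` independent daily runs: 1 - (1 - p)^days."""
    return 1 - (1 - p_per_run) ** days


def expected_daily_sample(fleet_size, p_per_run):
    """Expected number of clients that run the scan on a given day."""
    return fleet_size * p_per_run


if __name__ == "__main__":
    fleet = 10_000  # constructed fleet size, purely for illustration
    for label, low in (("offset unassigned (0)", None), ("offset intMinNumber (1)", 1)):
        p = exact_scan_probability(low)
        print(f"{label}: p={p:.5f} per run (simulated {simulated_scan_probability(low):.5f}), "
              f"~{expected_daily_sample(fleet, p):.1f} of {fleet} clients per day, "
              f"{coverage_after(DAYS_PER_YEAR, p):.1%} of clients scanned at least once a year")
```

Run it directly to print both variants. With the offset at 0 the generated range is 0..364 and the "> 1" gate lets two values through, so the scan runs about twice as often as the comment intends; at the intended 1/365 per day, a client has only about a 63% chance of being scanned at all within a year, which is the caveat to keep in mind when an application owner reads the sample-based reports as if they covered the whole estate.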
Internal Server
Why did we choose to have an internal server? Technical challenges, and advantages.
Secunia vs. Other
Observed benefits of Secunia vs. other (previously used) 3rd party integration tools:
• Vendor Name
• Pre-packaged-for-us content to deploy
• Wizards
Evaluations: Please provide session feedback by clicking the EVAL button in the scheduler app (also download slides). One lucky winner will receive a free ticket to the next MMS!
Session Title: Managing Third Party Updates with Microsoft’s System Center Configuration Manager
Discuss…
Ask your questions-real world answers!
SPONSORS