Managing Third Party Updates with Microsoft’s System Center Configuration Manager Secunia Integration, MMS 2015

Kent Agerlund Sherry Kissinger

#MMSMOA

Owner, Coretech http://blog.coretech.

dk/author/kea/

Microsoft MVP

Copenhagen, Denmark

Kent Agerlund

#MMSMOA

Systems Engineer

http://www.mnscug.org/blogs/sherry-kissinger

14 years experience with SMS / ConfigMgr

Microsoft MVP 2009-2015

Jackson, Wisconsin

Sherry Kissinger

3rd party Security Updates using SCCM and Secunia CSI integration

Secunia CSI

What is it?• Secunia CSI is a scanning tool with an intranet backend server. The scanning tool is deployed to randomly selected ConfigMgr Clients and is purely for getting a statistical random sample.

What is it NOT?• It does NOT deploy patches on it’s own.• It does NOT make any decisions for you.

Secunia CSI: how does it work?

After scanning the statistical random sample (this is a rotating sample—newly random machines will be targeted continuously), the Secunia server will compile the data to be presented to decision makers. Because of Secunia’s threat level logistics, the “most vulnerable” applications will be ranked highest. The group who will look at these reports will identify and inform Application owners that their application is a high security risk based on the Secunia server compiled results.

Decision Maker Reports (example)

Decision Maker Reports click-through (sample)

Secunia CSI: Decision Making

The Application Owner will evaluate the data, and depending upon their own Service Level Agreements or other factors, will decide whether an Uninstall, Upgrade using traditional package, or if offering an update via ConfigMgr as a “Software Update” is possible and preferred to a traditional deployment

Sample (lab) ConfigMgr Console

What a Deployment Admin would see in the Configmgr ConsoleNote it looks just like any other patch in the console; the only thing making it appear different is the Vendor will be “Secunia”

Secunia to CM Integration

Only if the Application Owner has confirmed that patching their application via something that looks like a Software Updates deployment would the application owner engage the ConfigMgr team to test leveraging a Secunia-synchronized package in the lab; and once confirmed that the patch performs as expected, then moved to production. The Application Owner will need to follow all defined processes for a deployment.

Vulnerability Reporting

For those applications synchronized according to the Application Owner, reports will be available via standard ConfigMgr SRS reporting.

ConfigMgr Report Demo

Summary

Secunia scanning of random sample workstations is to find the most insecure applications which may not already be known and addressed.Deployments to address those insecurities may or may not be utilizing Software Updates mechanism (Secunia)—only the application owners can make that decision.

<End of Manager Demo>

…Now for the technical geeky stuff

Random Sampling

Why are we just sampling?How is that being done?

Randomizing scriptOn Error Resume Next

'------------------

'Purpose: Run a Secunia CSIA Vulnerability Scan, and log

activity

'Author: Sherry Kissinger

'Created: 2015-03-10

'------------------

'Steps:

'Pick a random number between 1 and 365, if = 1 then continue,

else quit.

'Delete any existing SecuniaScan.log in %temp%

'1- run csia.exe with parameters from same folder as this

vbscript lives (usually a cm cache location)

' -cc using only command line options as given

' -d means to create a log file where indicated

' --ignore-crl is because we are intrAnet, not inTERnet

' --no-win-update means don't run a wua scan (no need, we

have that already w/cm)

' --type 1 means look in the common areas of where software

lives, not the entire hard drive (takes less time)

' NOTE: all available cmd line options are visible by running

csia.exe -h

'==================

set sho = WScript.CreateObject("Wscript.Shell")

set fso = CreateObject("Scripting.FileSystemObject")

strCurrentDir = Left(Wscript.ScriptFullName,

(InstrRev(Wscript.ScriptFullName, "\") -1)) & "\"

'=================

'Pick a random number from 1 to 365. If 1 or less, then continue. else,

exit.

intMaxNumber = 365

intMinNumber = 1

Randomize

intNumber = Int((intMaxNumber - intMinNumber + 1) * Rnd + intLowNumber)

if intNumber > 1 then

wscript.echo 0

wscript.quit

end if

'=================

strTemp = sho.ExpandEnvironmentStrings("%Temp%")

if fso.fileexists(strTemp & "\SecuniaScan.log") then

fso.DeleteFile(strTemp & "\SecuniaScan.log")

end if

If fso.fileexists(strCurrentDir & "csia.exe") then

sho.run strCurrentDir & "csia.exe -cc -d " & strTemp & "\SecuniaScan.log

--ignore-crl --no-win-update --type 1 ",0,vbtrue

Else

wscript.echo 1612

'1612 is the msi code for 'Installation source not available’

End If

end if

if fso.fileexists(strTemp & "\SecuniaScan.log") then

wscript.echo 0

end if

wscript.quit

Internal Server

Why did we choose to have an internal server?Technical challenges, and advantages.

Secunia vs. Other

Observed benefits of Secunia vs. other (used in the past) 3rd party integration tools.• Vendor Name• Pre-packages-for-us content to deploy.•Wizards

Evaluations: Please provide session feedback by clicking the EVAL button in the scheduler app (also download slides). One lucky winner will receive a free ticket to the next MMS!Session Title: Managing Third Party Updates with Microsoft’s System Center Configuration Manager

Discuss…

Ask your questions-real world answers!

SPO

NSO

RS