15:30 CET, 29th August 2014 By Kent Agerlund, Senior consultant and Configuration Manager MVP at Coretech.
A question I often get when visiting customers is: "Is there really a need for managing our 3rd party applications when we already patch Adobe Reader and Java?" The short answer is yes, and the longer answer is: look at the numbers.
The absolute number of vulnerabilities detected in 2013 was 13,073, discovered in 2,289 products from 539 vendors. That is a 45% increase in vulnerabilities over the five-year trend, and a 32% increase from 2012 to 2013. Knowing these numbers, I get the feeling that only patching Adobe Reader and Java is not enough to keep my environment secure. So what do we need in order to increase overall compliance in our environment? Most important, in my opinion, is trustworthy compliance data; without it, it is almost like fighting in the dark: we think we know what to do, where and when, but in reality we do not know whether our effort brings us any steps closer to the overall goal of 100% compliance.
This blog post is part 1, where I will describe how you can configure a complete 3rd party patch management solution with System Center 2012 Configuration Manager and Secunia CSI. This first part focuses on why you need a 3rd party patch solution and also guides you through the installation and basic configuration. Part 2 will focus on tracking compliance and deploying custom updates.
Vulnerability information: Are you able to get a quick overview of what’s missing in your environment and where you should start to increase security the most with the least amount of effort?
Vulnerability Scan: Are you able to scan for more than just Microsoft Updates?
Patch Creation: Knowing what you have to deploy, are you able to create the packages in an easy and customizable way?
Patch deployment: Are you able to deploy the patches with an existing process, or do you need to invent new processes?
System Center Updates Publisher, aka SCUP, is a free tool from Microsoft that allows you to author and publish your custom updates. The tool will take you part of the way, but it is not really a complete software update solution, as it falls short in at least two of the four elements that make up a complete patch management solution.
[Comparison table, only partially recovered. Surviving entries: "Yes (have to create packages manually)"; Supported Platforms: Microsoft operating system.]
Installing Secunia CSI is a three-step process.
The server side consists of three different components, all installed separately. Notice that it is not a requirement to install all three components, and none of them has to be installed on the Configuration Manager primary site server.
There are a couple of requirements that must be in place before starting the installation.
The ConfigMgr plugin can be installed on any ConfigMgr administrator console where you want the Secunia components to be visible; you do not have to install it on the primary site server or the CAS. Installing the plugin is as simple as running SC2012_CSI7PluginSetupx64.exe. Below is an example of the Secunia plugin installed on a local ConfigMgr administrator console.
Updates not coming from Microsoft Update must be signed with a certificate. The requirement is exactly the same for Secunia as for a standalone SCUP installation. If you already have a certificate in place, there is no reason to create a new one. The certificate can be self-signed (created by Secunia CSI or SCUP) or it can be a real PKI certificate. If you are running WSUS on Windows Server 2012 R2, please read this first, as self-signed certificates have been deprecated in that version.
Besides having a certificate, the local computer policy must also trust updates coming from an intranet source. This is configured in your WSUS domain group policy by enabling "Allow signed updates from an intranet Microsoft update service location" (Computer Configuration > Administrative Templates > Windows Components > Windows Update), as illustrated below.
The certificate is by default created in the WSUS certificate store. The certificate must be copied to the Trusted Publishers and Trusted Root Certification Authorities stores on all client computers. You can do that in any way you like: create a group policy, or create a package in ConfigMgr using certutil.exe. Keep in mind that a self-signed certificate placed in the Trusted Root store is trusted as a root by every client, so the private key must stay on the WSUS server and be protected like any other code-signing key; only the public certificate (.cer) is distributed.
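As an added example (not part of the original post), the following PowerShell shows the three pieces of this step end to end: exporting the public certificate on the WSUS server, importing it on a client with certutil.exe as the post suggests, and a compliance check that verifies both stores and the "Allow signed updates from an intranet Microsoft update service location" policy (registry value AcceptTrustedPublisherCerts). It assumes administrator rights, that the signing certificate is the only one in the LocalMachine\WSUS store, that the certificate is self-signed (with a PKI certificate the Root store would hold the issuing CA instead), and the file name WSUSPublisher.cer is chosen for this example.

```powershell
# Added example, not code from the original post or from Secunia/Microsoft.
# Assumptions: run elevated; the publishing certificate is the only certificate
# in Cert:\LocalMachine\WSUS on the WSUS server and is self-signed; the file
# name WSUSPublisher.cer is hypothetical.

# --- On the WSUS server: export the public certificate (no private key) ---
function Export-WsusPublishingCert {
    param([string]$Path = "$env:TEMP\WSUSPublisher.cer")
    $cert = Get-ChildItem -Path 'Cert:\LocalMachine\WSUS' | Select-Object -First 1
    if (-not $cert) { throw 'No certificate found in the LocalMachine\WSUS store.' }
    # DER export of the public certificate only; the private key stays on the server.
    Export-Certificate -Cert $cert -FilePath $Path -Type CERT | Out-Null
    return $cert.Thumbprint
}

# --- On each client (ConfigMgr package/program or GPO startup script) ---
function Install-WsusPublishingCert {
    param([Parameter(Mandatory)][string]$Path)
    # certutil.exe is available on every supported client OS, including ones
    # without the PKI PowerShell module, which is why the post suggests it.
    foreach ($store in 'TrustedPublisher', 'Root') {
        & certutil.exe -addstore -f $store $Path | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "certutil failed adding $Path to $store" }
    }
}

# --- Client-side check: certificate present in both stores and policy set ---
function Test-ThirdPartyUpdatePrereqs {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $result = [ordered]@{}
    foreach ($store in 'TrustedPublisher', 'Root') {
        $result[$store] = [bool](Get-ChildItem "Cert:\LocalMachine\$store" |
            Where-Object { $_.Thumbprint -eq $Thumbprint })
    }
    # Registry value behind "Allow signed updates from an intranet Microsoft
    # update service location"; without it the WUA rejects non-Microsoft updates.
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $value = (Get-ItemProperty -Path $policy -Name AcceptTrustedPublisherCerts `
        -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts
    $result['AcceptTrustedPublisherCerts'] = ($value -eq 1)
    $result['Compliant'] = -not ($result.Values -contains $false)
    return [pscustomobject]$result
}

# Usage (server): $thumb = Export-WsusPublishingCert -Path C:\Temp\WSUSPublisher.cer
# Usage (client): Install-WsusPublishingCert -Path .\WSUSPublisher.cer
#                 Test-ThirdPartyUpdatePrereqs -Thumbprint $thumb
```

Test-ThirdPartyUpdatePrereqs is the kind of script you can drop into a ConfigMgr configuration item as a discovery script, so that clients missing the certificate or the policy show up as non-compliant before the first third-party update is deployed rather than as a failed installation afterwards.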
The last part is to scan the clients and collect data. In order to do that you have four options:
All options come with various requirements; in my example I am using option 4, which makes use of the ConfigMgr infrastructure.
Within an hour of the first scan you will start seeing compliance data in the CSI portal and in the ConfigMgr console where the CSI plugin is installed. You can
Part II will take a deeper dive into monitoring compliance, creating e-mail notifications and custom reports, and deploying updates.