Managing Third Party Updates with System Center 2012 Configuration Manager SP1
Kent Agerlund & Lawrence Garvin
• @Agerlund
• @LawrenceGarvin
UD-B326
Who are we
Kent Agerlund
• Chief System Management Architect, Coretech A/S, Denmark
• Microsoft MVP: Configuration Manager
• Microsoft Certified Trainer, MCITP Enterprise Administrator
Lawrence Garvin
• Head Geek, Solarwinds
• Microsoft MVP: WSUS
• Microsoft Certified IT Professional (MCITP)
Agenda
• Why worry about 3rd party updates
• What are your options
• SCUP 2011 (System Center Updates Publisher)
  • Install and configure
  • Publish, import catalogs
  • Author, create custom updates
• Solarwinds
  • Integration with Configuration Manager 2012
• Secunia
  • Integration with Configuration Manager 2012
What is patch management
[Diagram] Patch Deployment (PD) + Patch Creation (PC) + Vulnerability Scanning (VS) + Vulnerability Intelligence (VI) = Patch Management (PM)
[Pie chart] Microsoft Programs: 14%; Third Party Programs: 86%
Why worry about 3rd party
[Diagram contrasting the Business View with the Criminals' View: what criminals attack; business critical programs; programs you know about; programs you don't know about; what do you patch today; vendors]
The numbers speak for themselves – TOP 50 apps
Cybercriminals know: patch available ≠ patch installed
Vulnerabilities in the TOP 50 apps: 1137 in 2012, 421 in 2009, 229 in 2007
[Chart: Percentage of risk remediated by patching N programs. X-axis: number of programs patched (0 to 60); Y-axis: percentage of risk remediated (0% to 100%). Patching N of 200 programs.]
• Strategy 1: Static – risk remediated by patching the N most prevalent programs
• Strategy 2: By Criticality – risk remediated by patching the N most critical programs
• 80% risk reduction achieved by either patching the 12 most critical programs, or by patching the 37 most prevalent programs
Where to begin
SCUP 2011
• What is SCUP
  • Authoring tool
  • Publishing tool
• 3rd Party Updates with SCUP
  • Same experience for all updates in ConfigMgr
  • Enables authoring of third party / line of business updates
  • Enables importing catalogs from outside sources (ISVs and OEMs)
  • Supports EXE, MSI and MSP based updates
SCUP Requirements
• Supported Operating Systems: Windows Vista and later, Windows Server 2008 and later
• Windows Server Update Services (WSUS) 3.0 SP2
• Trusted Signing Certificate
  • Trusted root and trusted publisher store on all computers
• Supports Configuration Manager 2007 SP2 & 2012
• Single user application
SCUP Process Flow
[Diagram] SCUP Console (author custom SCUP catalog; import catalogs downloaded from web) → Publish Updates → WSUS Server → Sync Updates → ConfigMgr Server → ConfigMgr Clients (Scan Updates, Deploy Updates)
• Author Updates
• Import Updates
• Publish Updates
• Sync Updates
• Scan Updates
• Deploy Updates
The signing certificate
• Used by SCUP to sign updates
  • Trusted Publishers
  • Trusted Root
• Configure WSUS GPO
  • Allow self signed certificates
• Create the self-signed certificate with SCUP
• External certificate - http://blogs.msdn.com/b/steverac/archive/2011/09/18/using-system-center-update-publisher-2007-with-verisign-certificates.aspx
• KB2720211 & KB2661254
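A client-side check for the signing certificate prerequisites listed above, added here as an example and not part of the session material. It assumes you pass the thumbprint of your own WSUS/SCUP signing certificate (the default below is a placeholder) and that the WSUS GPO writes the AcceptTrustedPublisherCerts policy value, which is what the "Allow signed updates from an intranet Microsoft update service location" setting does.

```powershell
# Added example: verify that a ConfigMgr client trusts the SCUP signing certificate
# and that the WSUS GPO allows locally published (third-party) updates.
# Run in an elevated PowerShell session on the client.
param(
    # Placeholder: replace with the thumbprint of your WSUS signing certificate.
    [string]$Thumbprint = 'PLACEHOLDER_THUMBPRINT_OF_WSUS_SIGNING_CERT'
)

$result = [ordered]@{}

# 1. The certificate must be in the machine's Trusted Publishers store.
$pubCert = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
$result.InTrustedPublishers = [bool]$pubCert

# 2. A self-signed SCUP certificate must also be in the Trusted Root store.
$rootCert = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
$result.InTrustedRoot = [bool]$rootCert

# 3. The WSUS GPO setting for signed intranet updates is stored as
#    AcceptTrustedPublisherCerts = 1 under the WindowsUpdate policy key.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$policy = Get-ItemProperty -Path $policyKey -Name AcceptTrustedPublisherCerts `
    -ErrorAction SilentlyContinue
$result.AcceptTrustedPublisherCerts =
    ($null -ne $policy -and $policy.AcceptTrustedPublisherCerts -eq 1)

# 4. Worth checking as well: the Windows Update Agent rejects updates whose
#    signing certificate has expired, so report the validity period.
$result.NotExpired = ($pubCert -and $pubCert.NotAfter -gt (Get-Date))
$result.ExpiresOn  = if ($pubCert) { $pubCert.NotAfter } else { $null }

[pscustomobject]$result
```

All four booleans must be true before SCUP-published updates will scan and install on that client.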
Available Catalogs
• Free catalogs
  • Adobe: Reader and Flash
  • Dell: Client and Server updates
  • Hewlett-Packard: Client and Server updates
  • Fujitsu
  • ConfigMgr Cumulative updates
• $$ catalogs
  • Vcenter Protect from VMWARE
  • PatchMyPC
Secunia
• Products
  • CSI – Corporate edition
  • SSB – Small Business edition
  • PSI – Consumer and free
• Cloud Based solution
  • Database contains vulnerabilities in software products since 2003
  • 40k+ programs, applications and plug-ins from thousands of software vendors
  • Automated patch repackaging
  • Fully integrated with ConfigMgr 2012
Secunia Infrastructure
• Installation
  • Database Cloud VS Standalone
  • Administrator Console
  • Integration with Configuration Manager
• Requirements
  • https://*.secunia.com added to trusted zone in IE
  • Internet connection SSL 443/TCP to https://*.secunia.com/
  • WSUS Signing Certificate
  • WSUS GPO
Vulnerability Scanning
• Process
  • Collect metadata from *.exe, *.dll and *.ocx
  • Match the raw metadata against Secunia File Signatures
  • Compare software against the Advisory & Vulnerability Database
• Metadata gathering
  • Locally installed agent
  • Agent running from a ConfigMgr package
  • ConfigMgr Software Inventory
  • Network scan
• How Often
  • Configurable
• Support for “Road Warriors”
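The three-step scanning process above, illustrated in PowerShell as an added example (this is not Secunia's code): collect version metadata from *.exe, *.dll and *.ocx files under a path, match the product name against a signature table, and report files below the fixed version. The signature table, product names and versions are constructed placeholders, not real advisories.

```powershell
# Added example: file-metadata vulnerability scan in the style described above.
param([string]$ScanPath = "$env:ProgramFiles")

# Constructed signature table (placeholder values): product name as found in the
# file's version resource and the lowest version considered fixed.
$signatures = @(
    @{ Product = 'Example Reader'; FixedVersion = [version]'11.0.3' },
    @{ Product = 'Example Player'; FixedVersion = [version]'11.7.700.169' }
)

# Step 1: collect metadata from executables, libraries and ActiveX controls.
function Get-FileMetadata {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll, *.ocx -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi = $_.VersionInfo
            [pscustomobject]@{
                Path        = $_.FullName
                Product     = $vi.ProductName
                FileVersion = $vi.FileVersion
                Company     = $vi.CompanyName
            }
        }
}

# Steps 2 and 3: match the raw metadata against the signatures and compare versions.
function Compare-WithSignatures {
    param($Metadata, $Signatures)
    foreach ($m in $Metadata) {
        $sig = $Signatures | Where-Object { $_.Product -eq $m.Product } | Select-Object -First 1
        if (-not $sig) { continue }
        # FileVersion strings often carry suffixes ("11.0.3.1 built by: ..."); keep the numeric prefix.
        if ($m.FileVersion -match '^(\d+(\.\d+){1,3})') {
            $installed = [version]$Matches[1]
            [pscustomobject]@{
                Product   = $m.Product
                Installed = $installed
                Fixed     = $sig.FixedVersion
                Status    = if ($installed -lt $sig.FixedVersion) { 'Insecure' } else { 'Patched' }
                Path      = $m.Path
            }
        }
    }
}

Compare-WithSignatures -Metadata (Get-FileMetadata -Path $ScanPath) -Signatures $signatures |
    Sort-Object Status, Product | Format-Table -AutoSize
```

Products absent from the signature table are skipped, which is the same blind spot a real scanner has for software its signature database does not cover.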
Reporting
• Integrated with Configuration Manager
  • Custom Dashboard
  • Custom reports
  • E-Mail subscriptions
Deploying patches
• Custom created Secunia packages
  • Silent installations
  • Can detect running applications like JAVA
• Script support
  • PowerShell
  • VB
  • Java
• Updates are injected into WSUS
Solarwinds
• Product: Patch Manager
• Database/Catalog info
  • Created & tested by SolarWinds
  • Published to a web-based catalog
  • Automatically synchronized daily to Patch Manager server
• Packages
  • Contains all major desktop applications and browsers in use (e.g. Reader, Flash, Java, Firefox, Chrome, iTunes, Quicktime, Skype, and others)
  • Provides toolset for customizing provided packages or building packages from scratch
• Fully integrated with ConfigMgr 2007 and 2012
  • Co-exists as snap-in with ConfigMgr 2007 when ConfigMgr 2007 is run in a CLRv4 MMC
  • Fully integrated with the ConfigMgr 2012 console on the Software Library page
Solarwinds Infrastructure
• Install
  • Installs as a separate server.
  • Can be installed on Site Server or Software Update Point.
• Scanning Clients
  • All compliance scanning is performed by the Configuration Manager agent.
• Deployment
  • Deployment is handled through standard Configuration Manager deployment techniques
  • Patch Manager also provides optional deployment tools that can be used on-demand or as scheduled events to deploy Third Party updates directly from the SUP
Vulnerability and Compliance Reporting
• Dashboard*
  • Web-based read-only status
• Custom reports*
  • Dozens of pre-defined compliance reports
  • All customizable
• E-Mail subscriptions*
* Requires WUAgent reporting of events to SUP.
Patching
• How
  • Configuration Manager Deployment Packages
  • Update Management Wizard (can deploy Third-Party updates from the SUP)
The annoyance of… Automatic Upgrade notifications
• Adobe Flash
• JAVA
• Adobe Reader
• Apple iTunes
• Firefox
• Google Chrome
Links and Questions
• Connect with Kent Agerlund & Lawrence Garvin
  • Mail: [email protected] / [email protected]
  • Blog: http://blog.coretech.dk/author/kea / http://www.patchzone.org and http://www.thwack.com
• SCUP
  • Complete SCUP 2012 guide – http://blog.coretech.dk/kea/the-complete-scup-2011-installation-and-configuration-guide/
  • SCUP videos - http://technet.microsoft.com/en-us/video/ff832960.aspx?category=Jason%20Lewis
  • PatchMyPC - http://patchmypc.net/
  • Vcenter Protect - http://www.vmware.com/products/datacenter-virtualization/vcenter-protect-update-catalog/faqs.html
  • Adobe catalog - http://www.adobe.com/devnet-docs/acrobatetk/tools/AdminGuide/sccm.html
• Secunia
  • CSI - http://secunia.com/vulnerability_scanning/
• Solarwinds
  • Patch Manager - http://www.solarwinds.com/patch-manager.aspx
Resources
http://channel9.msdn.com/Events
Access MMS Online to view session recordings after the event.
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.