Patch Deployment Patch Creation Vulnerability Scanning Vulnerability Intelligence.

Managing Third Party Updates with System Center 2012 Configuration Manager SP1 Kent Agerlund & Lawrence Garvin• @Agerlund• @LawrenceGarvin

UD-B326

Who are weKent AgerlundChief System Management ArchitectCoretech A/S, Denmark Microsoft MVP: Configuration Manager Microsoft Certified Trainer, MCITP Enterprise Administrator

Lawrence GarvinHead GeekSolarwindsMicrosoft MVP: WSUSMicrosoft Certified IT Professional (MCITP)

Agenda• Why worry about 3rd party updates• What are your options

• SCUP 2011 (System Center Updates Publisher)• Install and configure, • Publish, import catalogs • Author, create custom updates

• Solarwinds• Integration with Configuration Manager 2012

• Secunia• Integration with Configuration Manager 2012

What is patch management

PDPatch Deployment

PC

Patch Creation

+

Vulnerability Scanning

VS +VI

Vulnerability Intelligence

+ PM=

Microsoft Programs

14%Third Party Programs

86%

Why worry about 3rd party

Business

View

Criminals

ViewWhat

criminals attack

Business criticalprograms

Programs you know about

Programs you don’t know about

What do you patch

today

Vendors

The numbers speaks for themselves – TOP 50 apps

Cybercriminals know:

patch available≠

patch installed

Vulnerabilitiesin 2012 TOP 50 Apps

1137

421 in 2009229 in 2007

0 10 20 30 40 50 600%

20%

40%

60%

80%

100%

Percentage of risk remediated by patching N programs

Number of programs patched

Perc

enta

ge o

f ri

sk r

em

edia

ted

Patching N of 200 programs

80% risk reduction achieved by either patching the 12 most critical programs, or by patching the 37 most prevalent programs

12 37

Strategy 2: By CriticalityRisk remediated by patching the N most critical programs

Strategy 1: StaticRisk remediated by patching the N most prevalent programs

Where to begin

Are we doomed?

SCUP 2011

SCUP 2011

• What is SCUP• Authoring tool• Publishing tool

• 3rd Party Updates with SCUP• Same experience for all updates in ConfigMgr• Enables authoring of third party / line of business updates• Enables importing catalogs from outside sources (ISVs and OEMs)• Supports EXE, MSI and MSP based updates

SCUP Requirements

• Supported Operating Systems: Windows Vista and later, Windows Server 2008 and later

• Windows Server Update Services (WSUS) 3.0 SP2• Trusted Signing Certificate

• Trusted root and trusted publisher store on all computers

• Support Configuration Manager 2007 SP2 & 2012• Single user application

SCUP Process Flow

Author customSCUP catalog WSUS Server

Catalogs downloaded from web

ConfigMgr ServerSCUP Console

Publish Updates Sync Updates

ConfigMgr Clients

Scan Updates Deploy Updates

Author Updates

Import Updates

The signing certificate

• Used by SCUP to sign updates • Trusted Publishers• Trusted Root

• Configure WSUS GPO• Allow self signed certificates

• Create the self-signed certificate with SCUP• External certificate - http://

blogs.msdn.com/b/steverac/archive/2011/09/18/using-system-center-update-publisher-2007-with-verisign-certificates.aspx

• KB2720211 & KB2661254

Available Catalogs• Free catalogs

• Adobe• Reader and Flash

• Dell• Client and Server updates

• Hewlett-Packard• Client and Server updates

• Fujitsu• ConfigMgr Cumulative updates

• $$ catalogs• Vcenter Protect from VMWARE• PatchMyPC

Installing SCUP

DEMO

Author updates

• Applicable rules• Supersedence• Templates• Installable rules

Author updates

DEMO

Secunia

Secunia

• Products• CSI – Corporate edition• SSB – Small Business edition• PSI – Consumer and free

• Cloud Based solution• Database contains vulnerabilities in software products

since 2003• 40k+ programs, applications and plug-ins from

thousands of software vendors• Automated patch repackaging• Fully integrated with 2012

Secunia Infrastructure

• Installation• Database Cloud VS Standalone• Administrator Console• Integration with Configuration Manager

• Requirements• https://*.secunia.com added to trusted zone in IE• Internet connection SSL 443/TCP to https://*.secunia.com/• WSUS Signing Certificate• WSUS GPO

Vulnerability Scanning• Process

• Collect metadata from *.exe, *.dll and *.ocx• Match against raw metadata against Secunia File Signatures• Compare software against Advisory & Vulnerability Database

• Metadata gathering• Locally installed agent• Agent running from a ConfigMgr package• ConfigMgr Software Inventory• Network scan

• How Often• Configurable

• Support for “Road Warriors”

Reporting

• Integrated with Configuration Manager• Custom Dashboard• Custom reports• E-Mail subscriptions

Deploying patches

• Custom created Secunia packages• Silent installations• Can detect running applications like JAVA

• Script support• PowerShell• VB• Java

• Updates are injected into WSUS

Secunia

DEMO

Solarwinds

• Product: Patch Manager• Database/Catalog info

• Created & tested by SolarWinds• Published to a web-based catalog• Automatically synchronized daily to Patch Manager server

• Packages • Contains all major desktop applications and browsers in use (e.g. Reader, Flash, Java, Firefox,

Chrome, iTunes, Quicktime, Skype, and others)• Provides toolset for customizing provided packages or building packages from scratch

• Fully integrated with ConfigMgr 2007 and 2012• Co-exists as snap-in with ConfigMgr 2007 when ConfigMgr2007 is run in a CLRv4 MMC• Fully integrated with the ConfigMgr 2012 console on the Software Library page

Solarwinds Infrastructure

• Install• Installs as a separate server.• Can be installed on Site Server or Software Update Point.

• Scanning Clients• All compliance scanning is performed by the Configuration Manager agent.

• Deployment• Deployment is handled through standard Configuration Manager deployment techniques• Patch Manager also provides optional deployment tools that can be used on-demand or as

scheduled events to deploy Third Party updates directly from the SUP

Vulnerability and Compliance Reporting

• Dashboard*

• Web-based read-only status

• Custom reports*

• Dozens of pre-defined compliance reports• All customizable

• E-Mail subscriptions*

* Requires WUAgent reporting of events to SUP.

Patching

• How• Configuration Manager Deployment Packages• Update Management Wizard (can deploy Third-Party updates from the SUP)

Solarwinds

DEMO

The annoyance of….. Automatic Upgrade notifications

Adobe Flash

JAVA

Adobe Reader Apple Itunes

Firefox

Google Chrome

Annoyance of…..

DEMO

Links and Questions• Connect with Kent Agerlund & Lawrence Garvin

• Mail: [email protected] / [email protected]• Blog: http://blog.coretech.dk/author/kea / http://www.patchzone.org and http://www.thwack.com

• SCUP• Complete SCUP 2012 guide – http://blog.coretech.dk/kea/the-complete-scup-2011-installation-and-

configuration-guide/• SCUP videos - http://technet.microsoft.com/en-us/video/ff832960.aspx?category=Jason%20Lewis • PatchMyPC - http://patchmypc.net/• Vcenter Protect -

http://www.vmware.com/products/datacenter-virtualization/vcenter-protect-update-catalog/faqs.html• Adobe catalog - http://www.adobe.com/devnet-docs/acrobatetk/tools/AdminGuide/sccm.html

• Secunia• CSI - http://secunia.com/vulnerability_scanning/

• Solarwinds• Patch Manager - http://www.solarwinds.com/patch-manager.aspx

Evaluation

Complete your session evaluations today and enter to win prizes daily. Provide your feedback at a CommNet kiosk or log on at www.2013mms.com.Upon submission you will receive instant notification if you have won a prize. Prize pickup is at the Information Desk located in Attendee Services in the Mandalay Bay Foyer. Entry details can be found on the MMS website.

We want to hear from you!

Resources

http://channel9.msdn.com/Events

Access MMS Online to view session recordings after the event.

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.