Secunia Corporate Software Inspector (CSI)
Best Practice Guide
Secunia.com
Contents
Secunia Corporate Software Inspector (CSI) ................................................. 1
Contents ........................................................................................................ 2
About Secunia ................................................................................................ 5
About This Document ..................................................................................... 5
About the Secunia CSI 6.0 ............................................................................. 6
Console Hardware and Software Recommendations ...................................... 7
Prerequisites .............................................................................................................. 7
Scanning ................................................................................................................ 7
Patching ................................................................................................................. 7
The Dashboard ........................................................................................................... 8
The Patch and Vulnerability Management Lifecycle ....................................... 9
Scan ......................................................................................................................... 9
Assess ....................................................................................................................... 9
Remediate ................................................................................................................. 9
Verify ........................................................................................................................ 9
Deployment Scenarios ................................................................................. 10
Introduction ............................................................................................................. 10
Centralized .............................................................................................................. 11
Deployment Architecture ........................................................................................ 11
Secunia CSI Architecture ........................................................................................ 11
Summary .............................................................................................................. 11
Decentralized ........................................................................................................... 12
Deployment Architecture ........................................................................................ 12
Secunia CSI Architecture ........................................................................................ 12
Summary .............................................................................................................. 12
Hybrid ..................................................................................................................... 13
Deployment Architecture ........................................................................................ 13
Secunia CSI Architecture ........................................................................................ 13
Summary .............................................................................................................. 13
Service Provider ....................................................................................................... 14
Classified Networks ..................................................................................... 15
Example 1 ............................................................................................................... 15
Network Architecture .............................................................................................. 15
Secunia CSI Architecture ........................................................................................ 15
Example 2 ............................................................................................................... 15
Network Architecture .............................................................................................. 15
Secunia CSI Architecture ........................................................................................ 16
Secunia CSI Windows Update Settings Configuration ..................................................... 16
Definition of Patch and Vulnerability Management ...................................... 17
The Patch and Vulnerability Equation ........................................................................... 17
Vulnerability Intelligence............................................................................. 18
Vulnerability Scanning ................................................................................. 19
Scan Types .............................................................................................................. 19
Scanning Technologies .............................................................................................. 19
Single Host Agents ................................................................................................. 19
Secunia CSI Single Host Agent Rollout Options .......................................................... 20
How to Configure Additional Silent Parameters in an Agent Deployment Package ........... 20
Proxy Configuration Scenarios ................................................................................. 21
Network Appliance Agents ....................................................................................... 21
Network Appliance Groups.................................................................................... 21
Download Network Agent ..................................................................................... 21
System Center Configuration Manager Inventory Import ............................................. 22
Remote Scanning Services Requirements ..................................................................... 22
Remote Scanning Firewall Requirements ................................................................... 22
RPC Dynamic Port Configuration .............................................................................. 22
Reporting ..................................................................................................... 23
Executive Report ...................................................................................................... 23
Security Manager Report ........................................................................................... 24
Administrator Report ................................................................................................. 25
Example Scenario .................................................................................................. 25
Reporting on Sub-Users ............................................................................................. 26
Security Considerations ............................................................................................. 26
Alerting via Smart Groups .......................................................................................... 26
PCI Compliance ........................................................................................................ 27
Seven Day Insecure Java Alert ................................................................................... 27
The Patching Process ................................................................................... 28
Why is it Important? ................................................................................................. 28
Patch and Scan Frequency ......................................................................................... 29
Number of Hosts .................................................................................................... 29
Configuration Management ..................................................................................... 29
Value of Assets ...................................................................................................... 29
Exposure Level ...................................................................................................... 29
Compliancy ........................................................................................................... 29
Putting Patch Management into Practice ..................................................... 30
Patching Technologies ................................................................................. 30
The Secunia Package System (SPS) - Overview ........................................... 31
Introduction ............................................................................................................. 31
The SPS .................................................................................................................. 31
SPS Integration Capabilities ....................................................................................... 31
Secunia Patching Policy ............................................................................................. 31
Product Classification in the SPS ................................................................................. 32
Update Package Applicability Rules ............................................................................. 33
Digital Certificate Signing ........................................................................................ 34
Scan Detection Time Relevancy ............................................................................... 35
SPS Update Package Design .................................................................................... 36
Product Language Support ...................................................................................... 37
SPS Activity and Error Logging ................................................................................ 37
Secunia Update Package Custom Installation Logging ................................................. 38
Package Applicability Rules Logging ......................................................................... 38
Patch Deployment ........................................................................................ 39
Agent Deployment ................................................................................................. 39
Deploying the Update Package Using WSUS .............................................................. 39
Deploying the Update Package Using System Center Configuration Manager ................. 39
The Secunia PSI for Corporations ................................................................ 40
Secunia CSI - PSI Integration Usage Scenarios ............................................................. 41
Local Database Console ............................................................................... 42
Asset Management and Software Licensing Verification ................................................. 42
Acceptable Use Compliance ........................................................................................ 42
WSUS Integration ........................................................................................ 43
Patching Menu Deployment Actions and Reporting ..................................................... 44
WSUS and System Center Approvals ........................................................................... 44
Patch Targeting in WSUS ........................................................................................ 45
WSUS Upstream-Downstream Integration Flow ............................................................ 46
Secunia CSI Requirements for Upstream-Downstream Integration ............................... 46
System Center 2012 Configuration Manager Integration ............................. 47
Other Patch Deployment Systems ................................................................ 49
Third-Party Integration .............................................................................................. 49
Create and Publish the Package .................................................................................. 49
Terms and Abbreviations ............................................................................. 50
Appendix A .................................................................................................. 52
Patching Java JRE/JDK 1.7.x ...................................................................................... 52
What You Need to Know About Oracle Java Patching with the Secunia CSI ....................... 52
SPS Oracle Java JRE/JDK Facts and FAQs .................................................................. 52
SPS How to Create Packages for Java 1.7.x (EOL 1.6.x) ........................................... 53
Package #1 - 32-bit package to install on 32-bit system .......................................... 53
Package #2 - 32-bit package to install on 32-bit system .......................................... 53
Package #3 - 64-bit package to install on 64-bit system .......................................... 53
WSUS Package Delivery What do Java Special Rules do? ........................................... 54
Oracle Java JRE/JDK Installation Requirements ............................................................ 54
Conditions for Successful Deployment of Oracle Java Patch ......................................... 54
Oracle Java 1.7.x Oracle Java Package Failure Conditions ......................................... 55
Java Package Execution Flow and Troubleshooting ..................................................... 55
Scenario #1: Traditional Installation in Windows Update .......................................... 56
Scenario #2: Scheduled Installation During Shutdown ............................................. 57
Appendix B................................................................................................... 58
Centrally Manage the Secunia CSI Remote Scan Requirements via GPO Configuration ....... 58
Overview .............................................................................................................. 58
Group Policy Creation ............................................................................................. 58
Services Configuration ............................................................................................ 58
Firewall Configuration ............................................................................................. 59
Disclaimer .................................................................................................... 61
About Secunia
Secunia is the leading provider of IT security solutions that help businesses and private
individuals globally manage and control vulnerability threats and risks across their networks
and endpoints. This is enabled by Secunia's award-winning Vulnerability Intelligence,
Vulnerability Assessment, and Patch Management solutions that ensure optimal and cost-
effective protection of critical information assets.
Secunia's proven, complementary portfolio, renowned for its reliability, usability, and
comprehensiveness, aids businesses in their handling of complex IT security risks and
compliance requirements across industries and sectors, a key component in corporate risk
management assessment, strategy, and implementation.
As a global player within IT security and Vulnerability Management, Secunia is recognized for
its market-driven product development; having revolutionized the industry with verified and
actionable Vulnerability Intelligence, simplified Patch Management, and automatic updating of
both Microsoft and third party programs.
Secunia plays an important role in the IT security ecosystem, and is the preferred supplier for
enterprises and government agencies worldwide, counting Fortune 500 and Global 2000
businesses among its customer base. Secunia has operations in North America, the UK, and
the Middle East, and is headquartered in Copenhagen, Denmark.
For more information, visit secunia.com
Follow Secunia:
Twitter: http://twitter.com/Secunia
Facebook: http://www.facebook.com/Secunia
Blog: http://secunia.com/blog/
LinkedIn: http://www.linkedin.com/company/secunia
About the Secunia CSI 6.0
The Secunia CSI is an authenticated internal vulnerability scanner capable of assessing the
security state of practically all legitimate programs running on Microsoft Windows, and it also
supports scanning of Apple Mac OS X and Red Hat Enterprise Linux (RHEL) hosts.
The Secunia CSI also integrates with Microsoft WSUS, System Center Configuration Manager
and third-party patch deployment solutions for easy deployment of third-party updates,
making patching a simple and straightforward process for IT departments.
The Secunia CSI utilizes the Secunia Advisory & Vulnerability Database to assess the security
state of detected programs, making the vulnerability intelligence foundation for the Secunia
CSI superior in every aspect to competitive solutions that rely on ad-hoc/random vulnerability
information gathered from various sources.
The Secunia CSI's unique and unparalleled scan engine technology is capable of detecting
programs based on actual data on the file system, which is extremely reliable compared to
making assumptions based on inaccurate/out-of-date information from, for example, the
Windows Registry, as many other available solutions do.
Because the Secunia CSI runs as a trusted application on behalf of the system administrator,
it can take a lightweight but much more in-depth approach than an unauthenticated scanner,
which suits internal vulnerability scanning.
The Secunia CSI runs with administrative privileges on the network and logs in to the systems
being scanned. It reads data from files on the hard drives of the scanned systems and assesses
whether the installed programs are vulnerable by cross-referencing them with Secunia
Vulnerability Intelligence. The account used for this has administrator rights on every scanned
host, so it should be a dedicated account with a strong password that is used only for
scanning, and its logons should be monitored like those of any other privileged account.
Console Hardware and Software Recommendations
Prerequisites
Scanning
Type of Scan: CSI Local Agent
  Outbound Port: 443, 80
  Permission: https://*.secunia.com, http://crl.thawte.com, http://crl.verisign.net
Type of Scan: Network Appliance Agent
  Outbound Port: 443, 80
  Permission: https://*.secunia.com, http://crl.thawte.com, http://crl.verisign.net
Type of Scan: Agentless Host
  Outbound Port: none
  Permission: RPC dynamic ports, and on the scanned hosts:
    Ports 139/TCP and 445/TCP open inbound
    File sharing enabled
    Easy/simple file sharing disabled
    Windows Update Agent 2.0 or later
    Required Windows services started:
      Workstation service
      Server service
      Remote Registry service (disabled by default on Windows 7/Vista)
      COM+ services (COM+ System Application set to Automatic)
Type of Scan: System Center Configuration Manager Inventory Scan
  Outbound Port: 1433 (or the configured SQL port)
  Permission: The user running the Secunia CSI Console must have access to the database
    containing the System Center Configuration Manager data, with Connect and Select rights.
Patching
Deployment Tool: WSUS
  Role: Publish
  Required Group Membership: Administrators, WSUS Administrators
Deployment Tool: WSUS
  Role: Approve
  Required Group Membership: Administrators
Deployment Tool: System Center Configuration Manager
  Role: Publish
  Required Group Membership: Administrators, WSUS Administrators
Deployment Tool: WSUS/System Center Configuration Manager
  Role: Generate Code Signing Certificate
  Required Group Membership: Administrators
Deployment Tool: Domain Service
  Role: Create Group Policy Object
  Required Group Membership: Domain Administrator
Deployment Tool: Domain Service
  Role: Link GPO
  Required Group Membership: Domain Administrator
System Center Configuration Manager deployment roles are not defined by, or associated to,
Secunia CSI users. After publishing a package through the Secunia CSI, you should continue to
use the same operations, practices and work flow for deploying Microsoft updates.
The Dashboard
The Secunia CSI Dashboard provides the user with an overview of their hosts with the help of
various portlets. Portlets are a collection of components that graphically display key data and
allow the user to create unique profiles which can display a unique combination of portlets. For
convenience, a user can create and alternate between several dashboard profiles.
For each dashboard profile created, a static URL is generated automatically. It can be found
in the lower right corner of the Secunia CSI Console.
The static URL can be used to view the dashboard in any web browser or to make the
information accessible outside the console. Access to the static dashboard URL is over
HTTPS, and each URL is unique and dynamically generated. Because anyone who holds the
URL can open it in a browser, treat it as a secret: share it only with people who are entitled
to see the host and vulnerability data it exposes, and do not embed it in pages or e-mails
that a wider audience can read.
A custom profile is only published through a URL after it has been saved.
The Patch and Vulnerability Management Lifecycle
Scan
Scan your systems to determine what vulnerabilities exist in your organization.
Assess
Determine how the vulnerabilities affect your organization based on vulnerability intelligence.
You can then prioritize updates based on the criticality level. The criticality ratings used in
Secunia Advisories are defined at http://secunia.com/community/advisories/terminology/
Remediate
Create and deploy patches.
Verify
Perform another scan to determine if your remediation efforts were successful.
Deployment Scenarios
Introduction
Patch and vulnerability management can be performed in a variety of administrative and
operational structures. Integrating the Secunia CSI into your organization can be accomplished
seamlessly through the Secunia CSI's flexible account management features. Deployment can
follow a variety of models, and four examples are explained in this document.
Most organizations already perform patch management in some form when they decide to use
the Secunia CSI. Four common deployment scenarios are Centralized, Decentralized, a Hybrid
of the two, and Service Provider.
Centralized deployment consists of one central team that performs vulnerability and patch
management for your entire organization - even if your organization is worldwide.
Decentralized deployment consists of having multiple teams that perform vulnerability and
patch management for a limited part of your organization. This could either be logical or
geographical, depending on your organization.
Hybrid deployment consists of a combination of Centralized and Decentralized deployment based
on the structure of your organization. This can be a permanent arrangement, or it can be used
while your organization changes from Centralized to Decentralized deployment or vice versa.
Service Provider deployment consists of the service provider allocating host licenses to their
customers as required.
Centralized
Deployment Architecture
Centralized deployment consists of one central team that performs vulnerability and patch
management for your entire organization - even if your organization is worldwide. You would
have one (or many) resources administering the top server and then those settings will be
distributed down in the hierarchy of that specific solution. This setup is possible for both
System Center Configuration Manager and WSUS in replica mode.
Summary
Centralized deployment is the most resource efficient way of delivering vulnerability
management with the Secunia CSI to your organization.
Decentralized
Deployment Architecture
Decentralized deployment is when you have multiple administrators/teams that perform
vulnerability and patch management for only a part of your entire organization. You would
have an administrator/team on each of your update points handling those specific hosts. The
deployment technology could be different in each of these update points and the
administrator/team is only able to see the hosts that they have configured for their
environment.
Summary
Decentralized deployment allows you to use multiple deployment technologies, with local
administrators that manage their own environment.
Hybrid
Deployment Architecture
Hybrid deployment combines both the Centralized and Decentralized deployment methods in
one environment. This could be both a static setup but also used when you are migrating from
one type of architecture to another.
Summary
This deployment allows you to have multiple deployment technologies, with separate
administrators that manage their own environment.
Service Provider
In this example, the service provider can allocate host licenses to your customers as needed.
The service provider has allocated 10000 host licenses to three separate customers. Each
customer then has their own database so that their host scan results are kept private from the
service providers other customers.
Customer C also has the additional flexibility to further sub-divide account and operational
management in a case where they are required to segregate divisional entities. Customer C
can also create a company report at the top level or site reports for each division.
As a service provider you can manage and create reports for each customer. The reports can
be customized for each customer depending on the metrics they wish to receive.
Classified Networks
This section describes the best practices for implementing the Secunia CSI with verification of
Microsoft security updates in environments with strict security policies that do not allow
Internet access for production WSUS/System Center Configuration Manager servers and hosts.
This section includes some manual processes that must be verified for compliance issues.
Example 1
Both the WSUS/System Center Configuration Manager server and the CSI Console will be
installed on the same computer, which will be moved to the network to be patched. Once the
clients report back to this WSUS/System Center Configuration Manager server, the clients
should receive the applicable updates for both Microsoft and third-party updates.
Network Architecture
This example demonstrates a completely standalone environment in which the Secunia CSI
Console is installed on the same server as WSUS/System Center Configuration Manager. The
WSUS/System Center Configuration Manager server has no Internet access, so it cannot
synchronize with the official Windows Update server. A manual process must be in place to
replicate the official Windows Update server to the local WSUS/System Center Configuration
Manager server offline, by CD, DVD or USB media. The Secunia CSI also uses this local
WSUS/System Center Configuration Manager server to deploy third-party updates throughout
the internal network, so obtaining the third-party update files for package creation likewise
depends on a manual process.
Example 2
The WSUS/System Center Configuration Manager server is stationed in the network intended
to be patched and the Secunia CSI Console will be installed on another computer that will be
moved to the same network. The Secunia CSI Console must be integrated with the existing
WSUS/System Center Configuration Manager server to create third-party updates.
Network Architecture
This example demonstrates a completely standalone environment with a WSUS/System Center
Configuration Manager server stationed in the network and the Secunia CSI Console installed
on another computer that will be moved to the same network. As in Example 1, the
WSUS/System Center Configuration Manager server has no Internet access, so it cannot
synchronize with the official Windows Update server; offline replication by CD, DVD or USB
media is required, and obtaining the third-party update files that the Secunia CSI deploys
through this local server likewise depends on a manual process.
Secunia CSI Architecture
When you move the Secunia CSI Server between different networks, the most reliable setup
within the Secunia CSI Console is to create a sub-account for each network that has a
WSUS/System Center Configuration Manager server. Each of these accounts is integrated with
the correct WSUS/System Center Configuration Manager server and holds the scan data for
that network. For easy access to the different accounts, a shadow account with read/write
access to all accounts can be used to simplify switching configurations between WSUS/System
Center Configuration Manager servers.
Definition of Patch and Vulnerability Management
The Patch and Vulnerability Equation
The Patch and Vulnerability Equation expresses the elements required to deliver Patch
Management; four elements are essential:
Vulnerability Intelligence (VI)
Vulnerability Scanning (VS)
Patch Creation (PC)
Patch Deployment (PD)
Vulnerability Intelligence and Scanning tells you which known threats are out there and which
programs these affect. Vulnerability Intelligence maps the entire vulnerability management
lifecycle so that vulnerabilities can be rapidly identified and tracked, and therefore pre-emptive
action can be taken to remediate threats. Having a transparent overview of all vulnerability
threats aids security audits and compliance audits as part of overall risk management.
When you have this information, you are able to prioritize your remediation efforts and get the
highest ROSI (Return on Security Investment).
You then need to create the actual security update, or patch.
Finally, when you have done all this, you will be able to deploy the patches. This might be
performed first in a test environment and, if successful, later in pre-production and then into
production.
The time from when you first received the Vulnerability Intelligence until you successfully
deployed the patch is called exposure time - and it is crucial that you try to minimize this.
If you are missing any of these four elements, you will not have an efficient patch
management program.
Vulnerability Intelligence
The Risk Assessment Process is an approach to evaluating the criticality of a vulnerability
advisory. The Secunia CSI provides organizations with Secunia Advisories for all discovered
vulnerabilities. Secunia Advisories explain in detail the criticality, impact, attack vector as well
as the solution status and a description of how the vulnerability works. This knowledge, along
with the unique insight of the organization, allows IT staff to accurately evaluate the risks
faced by their organization.
Vulnerability Scanning
The unprecedented accuracy of the Secunia CSI scanning technology allows you to be
constantly aware of the security state of your environment. The scanning process can be
configured to be fully automated or it can be manually launched on demand.
Scan Types
The Secunia CSI allows scanning of target hosts by using different approaches:
Single Host Agent-based scans are conducted by the Secunia CSI Agent that can be
installed in different modes: Single Host mode, Network Appliance mode, or Command
Line mode.
Alternatively, you can scan the target hosts by launching a scan from the system where
the Secunia CSI Console is installed. By using this approach, no software is installed in
the target hosts. The scanning is performed using standard operating system services.
This scan is also referred to as a remote scan.
You can also benefit from the integration between the Secunia CSI and the Secunia PSI. The
Secunia PSI is designed for environments where IT managers want visibility and patching
control even though their users have local Administrative rights on their own systems. The
Secunia PSI also provides visibility and patching control of corporate workstations that are
not connected to the corporate domain. Refer to The Secunia PSI for Corporations for
further information.
Scanning Technologies
Single Host Agents
You can manage configurations and schedule scans for the hosts where the Secunia Agent
(csia.exe) is installed as a service in Single Host mode.
Download the csia.exe file and install the Secunia Agent in Single Host mode. Once the Agent
is installed, every time the host (for example, a laptop) goes online it will check whether a
new scan should be conducted.
When the Secunia CSI Agent is installed a unique identifier is generated so that each
Agent has its own unique ID. For this reason, the Agent should not be included in OS images.
Doing so will result in having several instances of the same Agent and in the inability to
correlate the scan results with the scanned hosts.
Hosts scanned with the Secunia Agent in Single Host mode will be displayed in Scanning >
Completed Scans and Results > Hosts in the Secunia CSI Console.
When and how the hosts are scanned can be controlled from the Secunia CSI Console under
Single Host Agents. You can double-click a host to manage the configuration of the selected
Agent and change its settings (Inspection type, Check-in frequency, Days between scans) or
right-click a host name and select Edit Configuration to change the Secunia Agent settings.
Secunia CSI Single Host Agent Rollout Options
A Secunia CSI Agent Package represents a Secunia Custom Package deployment, which means
that the package is installable on every host on the network that was approved by the
administrator. In other words, if you approve the Agent package for All Computers, WSUS
will push the package to each system in the domain. This is best-practice in a New Customer
scenario, as the deployment will be fully automated. It is recommended that you test your
Agent Deployment Package against test hosts prior to deployment.
Proxy Configuration Scenarios
You should be very careful when configuring your Agent Deployment package to include Proxy
settings. Depending on the required Local Agent setup scenario, for example Proxy with
Authentication vs. Proxy with No Authentication, you may be required to insert information
about your proxy setup. To configure your package correctly:
1. Proxy with Authentication - requires you to enter seven variables with the
corresponding information that reflects your setup. You may skip configuring the var
siteName variable if you do not wish to configure additional settings for your Agent
(logging, CRL ignore switches, and so on).
2. Proxy with No Authentication - leaves you room to experiment with different
configurations depending on which of those will work well for your Local Agent setup.
a) Test a Local Agent installation with no proxy parameters added to the package,
using the default configuration. You may need to add logging to your package if
your setup tests fail.
b) If your first test failed with HTTP=499 connection error, you will need to build a
second Agent Deployment package that reflects the correct proxy information. If
your proxy does not require authentication, you only have to insert the Proxy IP and
Port address information inside the JScript template.
You can also click Create SPS File to export the package directly onto your file system being
ready for installation. Executing this file with administrator privileges is identical to executing it
through the Windows Update service.
Ensure that the Agent file csia.exe is available in the system that will host the Agent in
Network Appliance mode.
Example: If you want to scan three different networks (for example Germany, United States,
and United Kingdom) without having to install the Agent in Single Host mode, then you can
install three instances of csia.exe in Network Appliance mode, one on each network.
Afterwards you will be able to scan all the hosts on the three locations at scheduled intervals
by creating the appropriate scan groups in Network Appliance Groups and assigning each
group to its respective and previously installed Network Appliance Agent.
Result: 15 minutes after installing a csia.exe in Network Appliance mode, the Network
Appliance Agent will appear in Scanning > Remote Scanning Via Agents > Network
Appliance Agents.
To specify the target host to be scanned by the Network Appliance Agent, you should configure
the scan group in Scanning > Remote Scanning Via Agents > Network Appliance
Groups.
Reporting
The Secunia CSI offers different levels of reporting that are appropriate to different roles and
requirements:
Site level
Host level
Program level
The Secunia CSI supports reports for Executives, Security Managers, System Administrators
and Site System Administrators.
Executive Report
An Executive report should include a monthly recurring report. In Site Level Statistics, select
All Sites for all selected users and Overall Summary Statistics. In Host Level Statistics,
select All hosts and Overall Summary Statistics and for Product Level Statistics, select All
products and Overall Summary Statistics.
Security Manager Report
A Security Manager requires an overall threat picture regarding vulnerabilities in the whole
network. The report should be generated with the following parameters:
Administrator Report
An Administrator would require deep reporting on individual machines and products. Host Level
Statistics and Product Level Statistics would provide good indicators.
There may be certain machines that cannot afford to have any insecure programs. Host level
reporting gives you the capability to generate a host-specific report. For example, Company A
hosts important data on its server machines. In Host Level Statistics, you can choose all
server machines in your environment.
Program Level Statistics can be most relevant to administrators to discover insecure programs
on different machines. In this way, administrators can prioritize specific programs that need to
be patched.
Example Scenario
If you have certain hosts which may not have any insecure programs, Host level reporting
gives you the capability to generate a host-specific report. For example, Company A hosts
important data on their server machines. In the Host Level Statistics, you can choose all server
machines and include Insecure and End of Life installation details.
Reporting on Sub-Users
Example: Company A has three locations, LOC X, LOC Y and LOC Z. Site X, being the
headquarters, has the main administrator account. Site Y and Site Z each have their own
Secunia CSI account. The main administrator requires a monthly report on the level of insecure
programs and hosts at the other locations. The Secunia CSI gives you the capability of pulling
the report from sub-users:
Select a group of sub-users from which you want to create a report.
Choose Overall summary statistics and Criticality statistics, which would include
site specific data per user.
You can also compare site by site statistics. You can choose either a one time report or a
recurring report.
Security Considerations
The Secunia CSI will send the reports via plain text email messages. If an attacker intercepts
your email, they can access sensitive data, including the vulnerabilities present on your
machines and their attack vectors.
The Secunia CSI can send alerts via email or SMS. The Secunia CSI also gives you the option
not to send an email but to create a link in the Secunia CSI where you can securely download
reports.
PCI Compliance
Example: Company B handles customers' credit card data and regulatory compliance requires
Payment Card Industry (PCI) compliance. One of the PCI requirements states that you should
not have an insecure program for which an advisory was issued more than 30 days ago.
Company B's System Administrator can create a Smart Group whose criteria select programs
whose status is insecure and whose advisory was issued more than 30 days ago. The
Smart Group will then show the insecure programs affected by this rule.
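The Smart Group rule described above, expressed as a filter over scan entries. This is an added example written for this guide, not Secunia CSI code; the entries, product names and advisory dates are constructed sample data, and the field names (program, status, advisory_issued) are assumptions rather than the CSI's own column names.

```python
from datetime import date, timedelta

# Constructed sample scan entries (not Secunia CSI data): program name,
# scan status, and the date the Secunia Advisory for it was issued.
SAMPLE_PROGRAMS = [
    {"program": "Mozilla Firefox 9.x", "status": "Insecure", "advisory_issued": date(2013, 3, 1)},
    {"program": "Adobe Reader 10.x", "status": "Insecure", "advisory_issued": date(2013, 4, 10)},
    {"program": "Example Archiver 3.x", "status": "Secure", "advisory_issued": None},
    {"program": "Example Runtime 1.6.x", "status": "End-of-Life", "advisory_issued": date(2013, 1, 15)},
]

# Reference date for the sample run (constructed).
REPORT_DATE = date(2013, 4, 15)


def pci_smart_group(programs, today, max_days=30):
    """Return the programs that violate the rule 'status is insecure and the
    advisory was issued more than max_days ago', together with the number of
    days the exposure has been open. Secure and End-of-Life entries are
    skipped because the rule only concerns insecure programs with an advisory."""
    hits = []
    for entry in programs:
        issued = entry["advisory_issued"]
        if entry["status"] != "Insecure" or issued is None:
            continue
        days_open = (today - issued).days
        if days_open > max_days:  # "more than 30 days ago" is a strict comparison
            hits.append({"program": entry["program"], "days_open": days_open})
    # Longest-overdue patch first, so it is at the top of the group.
    hits.sort(key=lambda hit: hit["days_open"], reverse=True)
    return hits


if __name__ == "__main__":
    for hit in pci_smart_group(SAMPLE_PROGRAMS, REPORT_DATE):
        print(f'{hit["program"]}: advisory open for {hit["days_open"]} days')
```

With the sample data and a report date of 2013-04-15, only Mozilla Firefox 9.x (advisory open for 45 days) falls into the group; the Adobe Reader entry is insecure but its advisory is only 5 days old. Lowering max_days would pull it in as well.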
The Patching Process
Why is it Important?
Patching of vulnerable software, in particular third-party software which is not supported by
Microsoft WSUS, has been a cumbersome and resource intensive process causing many
enterprises to either neglect patching or only patch very few non-Microsoft applications.
Through the seamless Microsoft WSUS and System Center Configuration Manager integration
with the Secunia CSI, the patching process has been simplified and can be conducted with a
few simple clicks.
Organizations should create a patch and vulnerability group (PVG) to facilitate the
identification and distribution of patches within the organization.
The PVG should be specially tasked to implement the patch and vulnerability management
program throughout the organization. The PVG is the central point for vulnerability remediation
efforts, such as OS and application patching and configuration changes. Since the PVG needs
to work actively with local administrators, large organizations may need to have several PVGs;
they could work together or be structured hierarchically with an authoritative top-level PVG.
The duties of a PVG should include the following:
Patch and Scan Frequency
The frequency to scan involves a number of factors, including:
Number of hosts
Configuration management
Value of assets
Exposure level
Compliancy
It is important to consider these factors when deciding on the frequency of scanning hosts.
The Secunia CSI also allows the frequency setting to differ based on site, organizational unit or
individual hosts.
The scan results on a single host will change if:
A program is added, removed or updated.
New vulnerability information is discovered for software that is installed on the host.
Keeping these two aspects in mind is important in determining the scanning frequency.
Number of Hosts
For enterprises that have thousands of hosts, with largely similar applications, scanning less
frequently won't necessarily give out-of-date information. For example, scanning once a week
would mean that at least 10% of your hosts would be scanned daily, which is a large enough
sample size to know if a new vulnerability exists in your organization on any given day.
Configuration Management
Organizations that have strict controls over the configuration of hosts, that is, control over
who can install applications on computers and when, have a reason for less frequent
scanning. Dynamic environments where users are free to install applications as needed would
have a bias for more frequent scanning.
Value of Assets
The assets that have value above all others should be scanned more frequently. It is also
recommended to frequently scan systems that can access high value systems, or contain
information to access high value systems.
Exposure Level
Hosts can be exposed to a number of other hosts. Exposure to the unrestricted public internet is
the highest exposure level. Stand-alone, air-gapped systems would have the lowest exposure
level. The frequency of scanning should be biased the same way - by scanning more exposed
systems more frequently.
Compliancy
There may be compliance regulations that require your organization to perform vulnerability
scanning at minimum intervals. The Secunia CSI can be set to comply with those
requirements.
Putting Patch Management into Practice
The diagram below illustrates the work flow that can be adopted as an approach to planning
the deployment of a patch. At the very minimum, it is recommended that some form of patch
testing be completed prior to delivering a patch to systems. In addition to the tasks illustrated
below, many organizations also include rollback plans and testing. There are many variables
that can have an effect on a successful patch deployment. It is very difficult to test all possible
configurations that exist in a production environment. Depending on the criticality of the
systems, and number of systems about to receive an update, rollback planning can be a
worthwhile effort.
Patching Technologies
The Secunia CSI uses the WSUS Administration Console to integrate with WSUS and the
System Center 2012 SP1. The WSUS Console supplies root access to WSUS SDK
(http://msdn.microsoft.com/en-us/library/bb905331.aspx) for the SPS.
WSUS SDK provides the SPS with full control over all third-party updates published to the
package repository of the Upstream WSUS server. Integration with System Center
Configuration Manager is achieved via the WSUS SDK.
The Secunia Package System (SPS) - Overview
Introduction
This section is intended to provide a high-level overview of the Secunia Package System (SPS).
For further information on creating Uninstall and Custom packages, refer to the Secunia CSI
Technical User Guide, which is available for download free of charge from:
https://secunia.com/resources/product_sheets/
The SPS
The SPS provides you with the ability to integrate package deployment with a supported
software deployment server of your choice to create:
Update Packages (Automatic Updates)
Secunia Custom Packages (New Deployments)
Uninstall Packages for common third-party software (support for automated Uninstall
Packages is limited)
The SPS is independent from the deployment server it is being integrated with. It allows you to
work with package configurations and patch creation - even in cases where the deployment
server is not available. You can export XML configuration templates for each of the packages
you create and build executable files that contain patches that would otherwise be published
and installed through a traditional deployment scenario with a deployment server in place.
Any type of deployment server or third-party software that includes Open SDK, scripting
integration via XML formatting or patch deployment process automation may be able to
integrate with SPS in automated or semi-automated mode to deploy patches to the domain.
The SPS can export the XML template of any package via a File System Export function.
Product Classification in the SPS
Each Product entry listed in the SPS can be seen as a data container that holds specific
package applicability and software detection data. The data collected from each independent
scan is appended to either an existing Product entry or to a new Product entry that, in some
cases, would be identical to the old one.
Appended scan data collected from the hosts enables your patch to maximize coverage.
This best-practice ensures a clean, ordered, reliable and accurate method of creating patches
to ensure that you have the latest, secure, versions of your third-party software.
The Secunia CSI downloads the latest intelligence update from the Secunia Cloud when a new
scan is completed and uses it to define which secure product version you should create an
Update Package for.
The SPS Interface lists a full software inventory of the products detected in your environment.
The SPS however, displays only the products which are Insecure and supported as Automatic
Updates. The secure installations are hidden for convenience.
The Product column under SPS displays two types of program entries, blue and grey:
Blue Patch = pre-configured automatically
Grey Patch = requires custom configuration
Grey patches require further modification of the package content, for example the product
installer and the corresponding silent parameter, to make the package complete enough to
install. The remaining part of the SPS patch configuration will be supplied by default by the
Secunia CSI. Once the package is modified it can be published.
Secunia may not always be able to provide Automatic Update configuration for some programs,
for legal or technical reasons. In most cases this is because the vendor of the given program
did not supply, or publicly share, the silent installation parameters for the given product.
If you are uncertain whether the program has silent parameters, you can contact the vendor's
customer support team and request this information.
Update Package Applicability Rules
SPS Update Packages are prioritized in the deployment process through the use of Package
Custom Applicability Rules. The Secunia CSI relies on Applicability Rules to perform Client-Side
Targeting towards the hosts detected that need security patches.
There are three types of Applicability Rules for the successful deployment and installation of a
Secunia CSI Update Package created in the SPS:
1. Secunia Custom Version Applicability Rules:
a) Minimum Patched Version defines minimum program version that can be
patched by your package.
b) Maximum Patched Version defines maximum program version that can be
patched by your package.
Example SQLite Query:
Mozilla Firefox 9.x (9.0.1.0) Update Package Applicability Rules: IsInstallableApplicabilityRule:
Minimum Version: EqualOrHigherThan=9.0.1.0
Maximum Version: LessThan=20.0.0.0 <C:\Program Files\Mozilla\mozilla.exe>
Lower Secure Version for Mozilla Firefox Update Package: 9.0.0.0
Higher Secure version for Mozilla Firefox Update Package: 20.0.0.0
As you can see, the Version Applicability Rules are used to control the distribution of a package
to a boundary in-between two secure version releases. This ensures that the third-party patch
you create does not leave room for remaining insecure software installations.
2. Program Detection Path Applicability Rule ensures that WSUS will only deliver a
particular secure patch version to the same hosts detected by the Secunia CSI scan
that require this particular secure version of the update package.
Example: <C:\Program Files\Mozilla\mozilla.exe>
If any of the package applicability rules is not met by a host during update request
evaluation by WSUS, the deployment server labels your patch as Not Needed and will not
deliver your patch to that host. The SPS stamps your update package with the necessary
pre-configured Package Applicability Rules when publishing your patch to WSUS or System
Center Configuration Manager.
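The three rule types above, evaluated the way the text describes WSUS doing it: a host that fails any rule gets the patch marked Not Needed. This is an added example written for this guide, not SPS or WSUS code; it reuses the Mozilla Firefox 9.x rule values quoted above (EqualOrHigherThan=9.0.1.0, LessThan=20.0.0.0 and the detection path), while the host names and installed versions are constructed sample data and the class and function names are my own.

```python
from dataclasses import dataclass


def parse_version(text):
    """Convert a dotted version string ('9.0.1.0', '19.0.2') into a tuple of
    four integers so comparisons are numeric: '10.0.0.0' sorts above '9.0.1.0'."""
    parts = [int(p) for p in text.split(".")]
    if len(parts) > 4:
        raise ValueError(f"unexpected version format: {text}")
    return tuple(parts + [0] * (4 - len(parts)))


@dataclass(frozen=True)
class ApplicabilityRule:
    """The rules stamped on one SPS Update Package (names are this example's)."""
    minimum_version: str   # Minimum Patched Version: EqualOrHigherThan (inclusive)
    maximum_version: str   # Maximum Patched Version: LessThan (exclusive)
    detection_path: str    # Program Detection Path reported by the scan


@dataclass(frozen=True)
class DetectedProgram:
    """One program installation as a scan would report it (constructed)."""
    host: str
    path: str
    version: str


def evaluate(rule, program):
    """Return 'Installable' when every rule is met, otherwise 'Not Needed'."""
    # Program Detection Path rule: the patch only goes to hosts where the scan
    # found the executable at this path (Windows paths are case-insensitive).
    if program.path.lower() != rule.detection_path.lower():
        return "Not Needed"
    installed = parse_version(program.version)
    lower = parse_version(rule.minimum_version)
    upper = parse_version(rule.maximum_version)
    # Version rules: EqualOrHigherThan the minimum and LessThan the maximum, so
    # the package covers every release between two secure versions and nothing else.
    if not (lower <= installed < upper):
        return "Not Needed"
    return "Installable"


def evaluate_all(rule, programs):
    """Map each host to the deployment decision for this package."""
    return {p.host: evaluate(rule, p) for p in programs}


# The Mozilla Firefox 9.x rule values quoted in the guide.
FIREFOX_9X_RULE = ApplicabilityRule(
    minimum_version="9.0.1.0",
    maximum_version="20.0.0.0",
    detection_path=r"C:\Program Files\Mozilla\mozilla.exe",
)

# Constructed sample hosts, not real scan results.
SAMPLE_HOSTS = [
    DetectedProgram("ws-01", r"C:\Program Files\Mozilla\mozilla.exe", "9.0.1.0"),   # exactly the minimum
    DetectedProgram("ws-02", r"C:\Program Files\Mozilla\mozilla.exe", "19.0.2.0"),  # insecure, inside the range
    DetectedProgram("ws-03", r"C:\Program Files\Mozilla\mozilla.exe", "20.0.0.0"),  # already secure; upper bound is exclusive
    DetectedProgram("ws-04", r"C:\Program Files\Mozilla\mozilla.exe", "9.0.0.0"),   # below the minimum patched version
    DetectedProgram("ws-05", r"C:\Other\firefox.exe", "12.0"),                      # wrong detection path
]

if __name__ == "__main__":
    for host, decision in evaluate_all(FIREFOX_9X_RULE, SAMPLE_HOSTS).items():
        print(host, decision)
```

Two details matter in practice: versions must be compared numerically, not as strings (a lexical compare would put 10.x below 9.x and silently exclude hosts), and the upper bound is exclusive, which is what keeps the package from being offered to hosts that already run the secure 20.0.0.0 release.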
Scan Detection Time Relevancy
The detection time of an Insecure or EOL product is essentially the most important factor in
the SPS. Product detection data, vulnerability assessment status, patch recommendations,
package applicability rules, and so on are displayed according to the time of the product
detection.
You should not create patches based on entries older than 7-15 days: these may, and probably
will, recommend that you patch to a version that is no longer secure.
In the above example, you can see Mozilla Firefox 9.x and 19.x detected 18-21 days ago
recommend that you patch to version 19.0.2.0, so back then you would create a patch for
exactly this version.
However, systems scanned 5 days ago show that version 19.x is no longer secure, so the
newest recommendation by Secunia is to patch to the currently known secure version 20.x.
It's always a best-practice to pick the most recently detected product entry to create
the latest secure patch versions for your installations.
It's also a good practice to keep the SPS interface clean of old product detections. You can
use automated Database Cleanup Rules to delete scan data older than the acceptable level
defined by the patch management policies of your organization. Cleaning scan data from the
database will not be a problem if you maintain frequent scanning of your hosts.
SPS Update Package Design
An Update Package in the Secunia CSI matches the definition of a security and/or critical
update patch that is built based upon a Secunia CSI vulnerability scan result for a product that
was identified as vulnerable by the Secunia CSI version 4.x and above.
The Secunia Update Package may be comprised of a minimum of two files: a dynamically
downloaded software installer and a default JScript Execution Flow template, provided by
Secunia with each package. Installers downloaded from Secunia will, by default, include the
original vendor installer, but these may have been repackaged to include additional package
support for a successful patch installation.
The independence of the SPS allows it not only to build almost any type of package
successfully, but also to export the package configuration as an XML template. Exported XML
templates can be used to preserve a successful package configuration and to re-use the patch
in a future deployment, or to enable SPS integration with other third-party software
deployment tools that are able to build software packages based on XML package templates.
Product Language Support
By default, SPS downloads English-based software installers. You can change the installation
language of your patches in two ways:
1. The SPS automatically enables the additional Add Localization (Language) File
option for products that support language selection.
Example #1: The full software installer for Mozilla Firefox, version 20.0.0.0, would include the
Add Localization option.
Example #2: Adobe Reader patch, version 10.1.6, does not include language selection
options because this is an incremental release of the Adobe Reader. Adobe Reader does not
include language support for incremental version software installers.
2. Click Add Local File to import your own software installer that supports language
settings via additional installation parameters. The only requirement to do this
successfully is to import the same secure version recommended in the central SPS
interface for this particular package entry.
Secunia Update Package Custom Installation Logging
Sometimes the information available in SecuniaPackage.log and the WindowsUpdate.log is not
enough to debug a failing patch. This problem may cause confusion and unreliability of the
support inquiry. As the Secunia CSC Team, and other internal divisions, need to investigate
technical scenarios thoroughly, Secunia included custom update package logging, which
enables each SPS package to create a special log file upon execution in a Client system.
To enable custom update package logging, modify line 3 of the default JScript Execution Flow
template, var silentParams = "";, to include custom logging parameters. When the patch
executes, the custom SPS package log file will be created under the %temp% folder or the
location specified in the script. This file usually contains the exact installation flow of a
package until the point of failure.
Patch Deployment
Agent Deployment
If you choose to scan the target host by using the Secunia CSI Agent in Single Host mode
(recommended), you can easily distribute and install the Agent by deploying it through
WSUS/System Center Configuration Manager.
Click Create CSI Agent Package under Agent Deployment to start the CSI Agent Package
wizard.
The CSI Agent Package can be created and managed just like any other SPS package.
The Secunia PSI for Corporations
Secunia Personal Software Inspector (PSI) was developed as an all-in-one vulnerability and
patch management solution for all types of users, from experienced corporate administrators
to basic users that have no knowledge about vulnerability and patch management processes.
The Secunia PSI delivers the same level of vulnerability assessment accuracy as the Secunia
CSI and includes fully-automated patch management capabilities. The Secunia PSI is domain-
independent and integrates completely with the Secunia CSI. This enables the Secunia PSI to
fit into almost all possible patch and vulnerability management scenarios.
The Secunia CSI integrates with the Secunia PSI via a Secunia Custom LinkID identifier that
can only be configured within the Secunia CSI interface under the Scanning > Configure
LinkID menu. Creating a strong and unique LinkID string is a best-practice, equal in
importance to creating a private password. After saving your LinkID in the Secunia CSI,
click Download to download the PSI installation file which has your LinkID embedded.
The Secunia PSI requires Local Administrator privileges to execute scheduled scanning and
auto-updating on the local system. For security reasons, organizations rarely provide regular
users with Local Administrator privileges. In such cases, the best-practice scenario will
be to install the Secunia PSI with a Local Administrator privileged account and to
configure the Secunia PSI to start on boot. The Secunia PSI will cache the privileges that
were used to install it, and will re-use them each time the system starts. Thus, you can have
the Secunia PSI running, scanning and auto-updating the actual systems, while the users of
the system will not require escalation of their privileges.
Secunia CSI - PSI Integration Usage Scenarios
The diagram below illustrates the Secunia CSI-PSI setup and the ease of control a single
administrator could apply over remote hosts around the world. The Secunia PSI's capability to
execute an all-in-one, unattended, patch management process adds extra flexibility to the
overall centralized management.
Examples where the Secunia PSI can be very helpful to you and your organization:
1. SMB organizations that do not have the resources, or the policy, to maintain a
centralized deployment server can outsource the update delivery and installation role to
the Secunia PSI. As the Secunia PSI handles patching automatically, a deployment
server is not required. All actions could be scheduled and managed centrally from the
CSI interface.
2. SMBs and Enterprises that require centralized management of traveling laptops can
use the Secunia PSI as a personal assistant to ensure timely auto-patching of hosts
outside the corporate network that cannot be patched with a traditional local
distribution scenario.
3. Educational institutions may use CSI-PSI integration to manage the vulnerabilities on
students' laptops, which can create vulnerabilities inside an educational network. The
Secunia PSI patches student laptops before, or immediately after, they join the
network, increasing the overall security of the university network.
Local Database Console
Asset Management and Software Licensing Verification
A benefit from scanning your entire organization is the complete overview of all the software
installed on all your computer systems. The Secunia CSI has a comprehensive inventory of all
the software in the local SQLite database and you can run queries against this database to
extract a complete software inventory that you can import into a CMDB or other asset
management database. The local replicated copy of the database resides in the
%LocalAppData%\Secunia CSI\ directory.
The Export Schedule Setup is found in:
Reporting > Exporting > Scheduled Exports
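The two database tasks this guide describes, exporting the software inventory for a CMDB (this section) and basing patches only on the most recent product detection while cleaning out old scan data (Scan Detection Time Relevancy), shown against a local SQLite database. This is an added example written for this guide, not Secunia CSI code: the table layout, column names and sample rows are constructed for illustration and do not reproduce the real CSI database schema, so a practitioner would first inspect the actual database in %LocalAppData%\Secunia CSI\ and adapt the queries to its tables.

```python
import csv
import io
import sqlite3
from datetime import date, timedelta

# Constructed schema for illustration only; NOT the real Secunia CSI table layout.
SCHEMA = """
CREATE TABLE detections (
    host        TEXT NOT NULL,
    product     TEXT NOT NULL,
    version     TEXT NOT NULL,
    path        TEXT NOT NULL,
    status      TEXT NOT NULL,   -- Secure / Insecure / End-of-Life
    recommended TEXT,            -- secure version recommended at detection time
    detected    TEXT NOT NULL    -- ISO date of the scan that produced the row
)
"""

# Constructed sample rows, not real scan data. ws-01 was scanned before
# Firefox 19.x itself became insecure, so its recommendation is stale.
SAMPLE_ROWS = [
    ("ws-01", "Mozilla Firefox", "9.0.1.0", r"C:\Program Files\Mozilla\mozilla.exe", "Insecure", "19.0.2.0", "2013-03-25"),
    ("ws-02", "Mozilla Firefox", "19.0.2.0", r"C:\Program Files\Mozilla\mozilla.exe", "Insecure", "20.0.0.0", "2013-04-10"),
    ("ws-03", "Mozilla Firefox", "20.0.0.0", r"C:\Program Files\Mozilla\mozilla.exe", "Secure", None, "2013-04-12"),
    ("srv-01", "Adobe Reader", "10.1.6", r"C:\Program Files\Adobe\Reader.exe", "Secure", None, "2013-04-12"),
]

TODAY = date(2013, 4, 15)  # reference date for the sample run (constructed)


def build_sample_db():
    """Return an in-memory SQLite database filled with the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    con.executemany("INSERT INTO detections VALUES (?, ?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    return con


def export_inventory(con):
    """Software inventory (host, product, version, status) for import into a CMDB."""
    cur = con.execute(
        "SELECT host, product, version, status FROM detections ORDER BY host, product")
    return cur.fetchall()


def inventory_csv(con):
    """The same inventory as CSV text, the usual interchange format for a CMDB import."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["host", "product", "version", "status"])
    writer.writerows(export_inventory(con))
    return buf.getvalue()


def latest_recommendation(con, product):
    """Secure version recommended by the MOST RECENT insecure detection of a
    product, i.e. the entry an Update Package should be based on. Older
    entries may recommend a version that has since become insecure itself."""
    row = con.execute(
        "SELECT recommended FROM detections "
        "WHERE product = ? AND status = 'Insecure' "
        "ORDER BY detected DESC LIMIT 1", (product,)).fetchone()
    return row[0] if row else None


def cleanup_old_detections(con, today, max_age_days):
    """Database Cleanup Rule: delete scan data older than max_age_days.
    ISO dates compare correctly as text. Returns the number of rows removed."""
    cutoff = (today - timedelta(days=max_age_days)).isoformat()
    cur = con.execute("DELETE FROM detections WHERE detected < ?", (cutoff,))
    con.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_sample_db()
    print(inventory_csv(db))
    print("Firefox: patch to", latest_recommendation(db, "Mozilla Firefox"))
    print("removed", cleanup_old_detections(db, TODAY, 15), "stale rows")
```

Ordering by detection date is what makes the difference: the 25 March row would have you build a 19.0.2.0 package, while the 10 April row already points at 20.0.0.0. A 15-day cleanup rule removes the stale row and, as the guide says, costs nothing when hosts are scanned frequently.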
WSUS Integration
The vulnerability remediation process starts with vulnerability scanning, which is done in two
sub-processes: creating a Software Inventory and performing a Vulnerability Assessment (VS + VI).
Secunia first collects a software metadata list of all executable files inspected during a
vulnerability scan and then correlates the product versions list against the Secunia
Vulnerability Advisory Database.
The vulnerability assessments are synchronized in the Secunia CSI SQLite database that
supports the local installation of the Secunia CSI Console, and then synchronized further in the
Secunia Package System. The SPS was designed to immediately allow you to create (PC) and
publish (PD) critical security patches for each unique insecure product and version. The full
integration process between the Secunia CSI and WSUS can be summarized as follows:
1. SPS patches are digitally signed with the default 2048-bit WSUS security certificate.
2. The use of your own CA certificate is optional; a PKCS#12 file and private key are required.
3. The Secunia CSI may be set up to publish patches to WSUS through SSL; an IIS SSL setup is
required.
4. You can Approve published SPS Packages under Patching > Available.
5. You can Edit published SPS Packages under Patching > Available.
6. Patch deployment is targeted based on the WSUS Computer Group Approval method.
7. Client Update Requests are evaluated against the package custom applicability rules.
8. WSUS does not deliver packages to hosts that do not match the package applicability rules.
Patching Menu Deployment Actions and Reporting
The list of hosts displayed under Deployment represents the WSUS report on the hosts that
recently checked in with WSUS with requests to download and install SPS Update Packages.
Agent Deployment is where you create Agent Deployment Packages to automate CSI Agent
installation in your environment. Unless you need to insert proxy details within the JScript
Template, you are not required to alter the configuration of the Agent Package.
Patch Targeting in WSUS
The Secunia CSI relies on the existing WSUS Computer Groups to approve the installation of a
patch for the correct recipients. This somewhat limits the possibilities to deploy third-party
SPS patches to single host targets, or to remove hosts from the list. An example of a
workaround for this problem is given below.
WSUS Upstream-Downstream Integration Flow
A WSUS Upstream-Downstream configuration is more scalable than a configuration with a single
WSUS server. All practices explained in this guide that are applicable to a single WSUS
installation also apply to Upstream-Downstream WSUS configurations.
System Center 2012 Configuration Manager Integration
The Secunia CSI integration with System Center Configuration Manager is the same as WSUS
integration. Each package is dynamically downloaded upon publishing, digitally signed with a
code-signing certificate, and then registered in the WSUS database.
There is one important difference between the WSUS and System Center Configuration
Manager package deployment processes. While WSUS is a web-based server that expects
update requests from the hosts, System Center Configuration Manager initiates the
deployment of each package based on custom configuration schedules.
The Secunia CSI integration with System Center Configuration Manager goes through the
WSUS SDK. All locally published update packages are sent to the central WSUS package
repository C:\WSUS\UpdateServicePackages during a publishing operation in the Secunia
Package Wizard.
After synchronization, you occasionally may not see the exact packages you published recently
under the Software Library > Software Updates menu. You may be required to add the
missing software product to the list of supported updates at the Software Update Point. This is
done under Administration > Site Configuration > Servers and Site Settings > Sites >
<your Site> > right-click > Configure Site Components > Software Update Point >
Products in System Center 2012.
System Center 2012 Configuration Manager has a vendor support limitation: only 12 vendor
lines can be supported. Usually, System Center 2012 Configuration Manager classifies
third-party locally-published packages by the vendor attribute, for example Microsoft or
Mozilla, or alternatively as published by Local Publisher. This leads to exhaustion of the
available supported product lines in System Center 2012 Configuration Manager. You should
use the Secunia Custom Naming option available at the bottom of Step 1 in the
Secunia Package Wizard to avoid unnecessary usage of the limited vendor support in
System Center 2012 Configuration Manager. This setting makes all third-party Update
Packages published by the Secunia CSI to System Center 2012 Configuration Manager appear
as published by Secunia.
Other Patch Deployment Systems
With the Secunia CSI, you can build executable files and export your packages through an XML
package content export on the file system. Any type of software deployment tool that can deploy
packages via XML formatting can, theoretically, be integrated with the Secunia CSI.
Third-Party Integration
The Secunia CSI 6.0 introduces a new feature for publishing packages using third-party patch
deployment solutions, for example Altiris. In order to support this new feature Secunia has
enhanced the package export feature. The exported XML file now contains additional
information that can be helpful in creating packages in other tools, including:
The version numbers
The executable itself
The vulnerability/criticality
Secunia has retained the simplicity of the XML file by giving you the option to exclude large
binary files and applicability paths from the file, in the form of check boxes in the package
creation wizard. To perform a complete export, deselect the Do not include package files
check box during Step 4 of the package creation wizard.
In order for the Secunia CSI to integrate with other patch deployment solutions, you need to
create a configuration file, a script file and an applicability check script file:
Configuration file. The configuration file represents the tool and provides the visual
integration between the Secunia CSI and that tool. The file is an XML file that
should contain the tool name, script name and the input/setting fields required to
configure the settings for the tool (text fields, radio buttons and check boxes are
supported). When the Secunia CSI is launched it checks for the presence of any
configuration file and, if there is a valid configuration file in the Extensions folder in the
CSI path, it dynamically loads a GUI under the Patching menu of the Secunia CSI. The
configuration file also acts as an input file for the script.
Script file. This script file corresponds to the SDK code that you have written to create
and dispatch the package in the respective tool. The script file can be an executable,
Java, VB, Python, or Perl script. Click Publish to execute the script file.
Applicability Check script file. This script file runs sps.exe on the computer if the
applicability checks pass. This file is published together with the package to
establish whether the package is applicable to the system or not.
Terms and Abbreviations
CA
Certification Authority. An entity that issues digital certificates. The digital certificate certifies
the ownership of a public key by the named subject of the certificate. This allows others
(relying parties) to rely upon signatures or assertions made by the private key that
corresponds to the public key that is certified. In this model of trust relationships, a CA is a
trusted third party that is trusted by both the subject (owner) of the certificate and the party
relying upon the certificate.
CSI
EOL
End of Life. A term used with respect to a product supplied to customers, indicating that the
product is at the end of its useful lifetime and the vendor will no longer be marketing, selling, or
sustaining that product.
JDK
Java Development Kit. An implementation of either one of the Java SE, Java EE or Java ME
platforms released by Oracle Corporation in the form of a binary product aimed at Java
developers on Solaris, Linux, Mac OS X or Windows. Since the introduction of the Java platform, it
has been by far the most widely used Software Development Kit (SDK). On 17 November
2006, Sun announced that it would be released under the GNU General Public License (GPL),
thus making it free software.
JRE
Java Runtime Environment (JRE). Provides the libraries, the Java Virtual Machine, and other
components to run applets and applications written in the Java programming language. In
addition, two key deployment technologies are part of the JRE: Java Plug-in, which enables
applets to run in popular browsers; and Java Web Start, which deploys standalone applications
over a network.
PKI
Public-key infrastructure. A set of hardware, software, people, policies, and procedures needed
to create, manage, distribute, use, store, and revoke digital certificates.
PSI
Personal Software Inspector. The Secunia PSI offers integration with the Secunia CSI 6.0,
making it possible to view PSI scan results and approve patches from the Secunia CSI Console.
This enables an administrator to track all the unmanaged PCs connecting to the network and
take any remediation actions necessary.
PVG
Patch and Vulnerability Group. Facilitates the identification and distribution of patches within
an organization.
ROSI
RPC
Remote Procedure Call. An inter-process communication that allows a computer program to
cause a subroutine or procedure to execute in another address space (commonly on another
computer on a shared network) without the programmer explicitly coding the details for this
remote interaction. That is, the programmer writes essentially the same code whether the
subroutine is local to the executing program, or remote. When the software in question uses
object-oriented principles, RPC is called remote invocation or remote method invocation.
SMB
Small and Medium-sized Business. A business with 100 or fewer employees is generally
considered small, while one with 100-999 employees is considered to be medium-sized.
SPS
Secunia Package System. Created to give administrators the ability to create packages that are
capable of doing a wide range of actions; everything from updating and uninstalling third-party
applications to handling complex execution flows with multiple files.
WSUS
Windows Server Update Services. Previously known as Software Update Services (SUS),
WSUS is a computer program developed by Microsoft Corporation that enables administrators
to manage the distribution of updates and hotfixes released for Microsoft products to
computers in a corporate environment. WSUS downloads these updates from the Microsoft
Update website and then distributes them to computers on a network. WSUS runs on Windows
Server and is free to licensed Microsoft customers.
Appendix A
Patching Java JRE/JDK 1.7.x
This appendix provides information on how to successfully deploy Oracle Java updates built
into the Secunia Package System (SPS).
2. The default configuration of an Update Package for Oracle Java JRE/JDK will not
download the Java installer from Oracle's website. The file downloaded from Secunia
consists of the original vendor installer, but it also applies important package control to
help ensure correct installation via the Windows Update service.
3. The SPS window displays, and creates new program entries for, Oracle Java JRE/JDK
packages in accordance with:
4. The SPS creates three separate program entries for a single version of Java. Each
program entry reflects the correct architecture of the Java instance detected as
Insecure, as follows:
5. The SPS Package Wizard includes Special Rules specifically designed for Oracle Java
JRE/JDK packages. The special rule Only make package available if Java or IE is not
running is enabled by default. For further information, refer to WSUS Package Delivery
What do Java Special Rules do?.
SPS How to Create Packages for Java 1.7.x (EOL 1.6.x)
It is recommended that you create three different packages for the deployment of a single
version of Java JRE/JDK. This prevents installation compatibility issues with Java in Windows
Update. Each Java package must have a specific configuration that reflects the architecture of
the package and the path where it should be installed. The correct configuration for each
package is listed below:
a) Ensure that the 32-bit download URL link is added at step 2 of the SPS.
b) Include only C:\Program Files\Java\jre7\bin\... paths at step 3 of the SPS.
c) Select 32-bit systems only under System Applicability at step 4 of the SPS.
a) Ensure that the 32-bit download URL link is added at step 2 of the SPS.
b) Include only C:\Program Files (x86)\Java\jre7\bin\... paths at step 3 of the SPS.
c) Select 32-bit systems only under System Applicability at step 4 of the SPS.
d) Ensure that the 64-bit download URL link is added at step 2 of the SPS.
e) Include only C:\Program Files\Java\jre7\bin\... paths at step 3 of the SPS.
f) Select 64-bit systems only under System Applicability at step 4 of the SPS.
WSUS Package Delivery What do Java Special Rules do?
A minimum of 90% of failed Oracle Java JRE/JDK installations are caused by Windows lockouts
because an older copy of Java is running simultaneously with a Java patch being applied to the
local system.
To help customers deploy Oracle Java patches successfully, Secunia has implemented
conditional Special Rules which are used by WSUS to evaluate whether it is safe to deliver
Oracle Java JRE/JDK patches to a system that needs to update its Java copy.
From the two Special Rules available at Step 4 of the Secunia Package Wizard, Only make
package available for installation if Java and IExplore are not running is the most
important. This particular special rule enables WSUS to evaluate each system for running Java-
related processes.
The decision whether a given system is applicable to download and install your Oracle Java
patch will be based on whether Java/Internet Explorer processes are running on the host or
not (java.exe/iexplore.exe).
If Java-related processes are not running on the local system, the package will be available for
download by any local system that is approved for it.
If Java-related processes or Internet Explorer are running on the system, the local
system will not be able to see the update and WSUS will mark it with a Not Needed status.
The Not Needed status is not permanent: it remains only until the Java-related processes
are terminated on the local system that was refused the download earlier.
Terminating the java.exe process on the local system will immediately make the Oracle Java
JRE/JDK package available in Windows Update again, and WSUS will no longer report the
Not Needed status.
Oracle Java 1.7.x: Oracle Java Package Failure Conditions
While a Java-related process is running, its files are locked by Windows and cannot be
updated. The following processes will cause Java patch installations to fail:
java.exe
ssv.dll
javaw.dll
jp2launcher.exe
javaw.exe
The Secunia Package Wizard displays a warning message about the Java installer which asks you
to confirm that you want to proceed at your own risk. Please read the warning carefully before
you proceed. By accepting it, you agree to ensure that the conditions for successful deployment
of Java are met on your systems.
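The following is an added example, not part of the Secunia guide: a PowerShell check that reproduces on one host what the "Only make package available if Java and IExplore are not running" special rule evaluates, so an administrator can see why WSUS reports a Java package as Not Needed. It assumes the DLLs in the failure-conditions list (ssv.dll, javaw.dll) are to be looked for as modules loaded into other processes, since they are not processes themselves.

```powershell
# Added example (not Secunia's code): local equivalent of the Java special rule check.
# Run in an elevated session so module lists of other users' processes can be read.
$BlockingProcessNames = @('java', 'javaw', 'jp2launcher', 'iexplore')   # .exe names, no extension
$BlockingModuleNames  = @('ssv.dll', 'javaw.dll')   # assumption: checked as loaded modules

function Get-JavaPatchBlockers {
    # Property getters that throw (protected or cross-bitness processes) must be caught
    $ErrorActionPreference = 'Stop'
    $blockers = [System.Collections.Generic.List[object]]::new()

    # 1. Processes that match the list by name
    Get-Process -Name $BlockingProcessNames -ErrorAction SilentlyContinue | ForEach-Object {
        $blockers.Add([pscustomobject]@{ Id = $_.Id; Process = $_.ProcessName; Reason = 'process running' })
    }

    # 2. Any process that has one of the Java DLLs loaded (typically a browser)
    foreach ($p in Get-Process) {
        try {
            $loaded = @($p.Modules | ForEach-Object { $_.ModuleName.ToLower() })
        } catch {
            continue   # cannot enumerate modules: not treated as a blocker
        }
        foreach ($m in $BlockingModuleNames) {
            if ($loaded -contains $m) {
                $blockers.Add([pscustomobject]@{ Id = $p.Id; Process = $p.ProcessName; Reason = "$m loaded" })
            }
        }
    }
    $blockers
}

function Test-JavaPatchApplicable {
    # $true means the special rule would let the package through on this host
    $blockers = @(Get-JavaPatchBlockers)
    if ($blockers.Count -eq 0) {
        Write-Host 'No Java-related processes running: the package would be offered.'
        return $true
    }
    Write-Host 'The package would be marked Not Needed until these are closed:'
    $blockers | Format-Table -AutoSize | Out-String | Write-Host
    return $false
}

Test-JavaPatchApplicable
```

The list printed by Get-JavaPatchBlockers is what a user or administrator must close before retrying the installation described in Scenario #1.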
Scenario #1: Traditional Installation in Windows Update
1. WSUS delivers the Oracle Java JRE/JDK patch to Windows Update.
Secunia customized SPS Oracle Java packages will fail with fixed error codes 20 and 32 in
situations where it is expected that the Java installation would not only fail, but would also
bring unexpected negative consequences to the system or the local user. You must kill all
Java-related processes on the local system to proceed with the installation. After the Java
processes have been terminated, your package will install seamlessly when you simply retry
the installation.
Even though your package may have failed to install for the above reason, you are not
required to perform any troubleshooting. Your package failed upon execution of the executable
file, which means that Windows Update already downloaded the patch locally and scheduled it
for installation. When the local system is shut down, the Windows Update service will install all
patches that were downloaded and scheduled for installation, including the previously failed
Oracle Java JRE/JDK patch.
Scenario #2: Scheduled Installation During Shutdown
Many times, it is impossible for an administrator to simply stop running all old instances of
Java, especially if they are dealing with thousands of systems that need patch maintenance on
a daily basis.
Administrators may want to install Java patches during System Shutdown, which ensures that
although users may be actively using Java on their systems, Java will still install upon
shutdown, after users are logged off forcefully by Windows.
1. The Windows Update service only installs updates that have been downloaded and are
pending installation. The best way to arrange this centrally is to create a Group Policy
configuration that enables all systems to perform scheduled patch downloads.
a) Edit your WSUS GPO in AD (WSUS-CSI GPO or any other by your choice).
b) Navigate to Computer Configuration\Policies\Administrative
Templates\Windows Components\Windows Update.
c) Find the setting Configure Automatic Updates and double-click on it.
d) Enable this setting first. Under Configure Automatic Updating you can schedule your
updates to be downloaded on your systems (#3 and #4).
2. On the date and time configured in your GPO, Windows clients will download all
available updates from the local WSUS server. Only clients that were approved for the
Java patches will proceed to download them. Once the package has been downloaded, it
is considered pending installation.
During system shutdown, the Windows Update service will not shut down before it has
installed all pending updates. Thus, the Windows Update service installs the pending Java
patch before the system halts.
Appendix B
Centrally Manage the Secunia CSI Remote Scan
Requirements via GPO Configuration
Overview
The Secunia CSI provides different methods of scanning, and each scan method has its own
setup requirements that must be met for it to succeed. This appendix describes the Remote Scanning
(Quick Scan; Network Appliance Agents) requirements and their setup via Group Policy configuration.
All requirements for Remote Scanning to be successful can be addressed in a single Group
Policy Object (GPO) configuration, which enables CSI admins to manage the requirements for
remote scans in a centralized fashion and avoid scan issues with misconfigured local host-
based firewalls.
Services Configuration
Within the new GPO template, navigate to Computer Configuration > Policies > Windows
Settings > System Services. Enable startup type Automatic for the following services:
COM+ System Application
Remote Registry
Workstation
Server
Firewall Configuration
1. From the left-side pane, scroll down and expand Windows Firewall with Advanced
Security/Windows Firewall with Advanced Security-LDAP/Inbound Rules. Configure File
and Print Sharing, ports 139/445 Outbound, as well as RPC Dynamic port configuration
requirements, by creating separate rules for each of those.
2. Create a New Firewall Rule for RPC Dynamic Port Configuration. Right-click Inbound
Rules and select New Rule.
2.1 At step 1 Rule Type, select Custom Rule and click Next.
2.2 At the next step, enable This program path option, then enter the correct path.
a) %ProgramFiles(x86)%\Secunia\CSI\csi.exe (CSI installed on 64-bit system)
b) %ProgramFiles%\Secunia\CSI\csi.exe (CSI installed on 32-bit system)
3. Next step is to enable the File and Print Sharing feature within the Firewall
configuration. Right-click Inbound Rules in the left-hand side panel, then select New
Rule.
3.2 Under Predefined Rules, enable all check boxes and click Next.
3.3 Under Action leave the default Allow the connection setting and click Next.
4. Create a new, third Inbound Firewall rule that will enable ports 139/445 on the Client
systems. Right-click Inbound rules and select New Rule.
4.3 Under Action, leave the default selection Allow the connection and click Next.
4.4 Under Profile, select Domain and deselect all others.
4.5 At the last step, give your rule an appropriate name and click Finish.
At this point, the only requirement which hasn't been configured in your new GPO is Local
Administrator privileges. You may not want to configure this in this particular GPO; instead
you can start the Secunia CSI with a right-click and select Run as Administrator
while logged into the Secunia CSI host with a Local Admin account. Starting the Secunia CSI
in this manner ensures that you meet this requirement when you run your scans.
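As an added example (not part of the Secunia guide), the PowerShell check below verifies on a domain-joined client that the GPO described in this appendix has actually taken effect: the four services start automatically and are running, inbound TCP 139/445 is allowed for the Domain profile, the predefined File and Printer Sharing group is enabled, and a program rule for csi.exe exists. It assumes an elevated session, the NetSecurity module (Windows 8 / Server 2012 or later), an English Windows where the predefined group is named "File and Printer Sharing", and that the page's rules were created as described; rule names are not checked, only the effective settings.

```powershell
# Added example (not Secunia's code): verify the Remote Scan GPO prerequisites on a client.
$RequiredServices = [ordered]@{
    COMSysApp         = 'COM+ System Application'
    RemoteRegistry    = 'Remote Registry'
    LanmanWorkstation = 'Workstation'
    LanmanServer      = 'Server'
}

function Test-RemoteScanServices {
    foreach ($name in $RequiredServices.Keys) {
        # Win32_Service exposes the start mode ('Auto') and current state ('Running')
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        [pscustomobject]@{
            Check  = "Service: $($RequiredServices[$name])"
            Result = $(if ($svc -and $svc.StartMode -eq 'Auto' -and $svc.State -eq 'Running') { 'OK' }
                       else { "startup=$($svc.StartMode) state=$($svc.State)" })
        }
    }
}

function Test-RemoteScanFirewall {
    # Enabled inbound allow rules that apply to the Domain profile (or all profiles)
    $rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { $_.Profile -match 'Domain|Any' }

    foreach ($port in 139, 445) {
        # LocalPort is a string array; port ranges such as '135-139' are not expanded here
        $hit = $rules | Get-NetFirewallPortFilter | Where-Object {
            $_.Protocol -eq 'TCP' -and ($_.LocalPort -contains "$port" -or $_.LocalPort -contains 'Any')
        }
        [pscustomobject]@{ Check = "Inbound TCP $port allowed (Domain)"
                           Result = $(if ($hit) { 'OK' } else { 'MISSING' }) }
    }

    $fps = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Enabled True -ErrorAction SilentlyContinue
    [pscustomobject]@{ Check = 'File and Printer Sharing group enabled'
                       Result = $(if ($fps) { 'OK' } else { 'MISSING' }) }

    $csi = $rules | Get-NetFirewallApplicationFilter | Where-Object { $_.Program -like '*\Secunia\CSI\csi.exe' }
    [pscustomobject]@{ Check = 'Program rule for csi.exe'
                       Result = $(if ($csi) { 'OK' } else { 'MISSING' }) }
}

Test-RemoteScanServices
Test-RemoteScanFirewall
```

Any row reporting MISSING or a non-Auto/Running service points at the GPO setting that has not reached the client; run gpupdate /force and rerun before troubleshooting the scan itself.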
Disclaimer
The contents of the Secunia website and all materials, information, links, documents and
quotes ("Material") are provided "as is". Secunia does not, unless expressly provided
otherwise in an agreement between you and Secunia or except as required by mandatory
applicable law, warrant, either expressly or impliedly, the accuracy, reliability or
the contents of the Material.
Secunia and any of its licensors or partners are, to the extent permitted by applicable law, under
no circumstances responsible for any loss of data or income or any special, incidental,
consequential or indirect damages howsoever caused.
Secunia assumes no responsibility for errors or omissions in the Material or software or other
documents which are referenced by or linked to the Secunia website.
In no event shall Secunia be liable for any special, incidental, indirect or consequential
damages of any kind, or any damages whatsoever. This includes, without limitation, those
resulting from (i) reliance on the material presented, (ii) the cost of replacement goods, (iii) loss of
use, data or profits, (iv) delays or business interruptions, and (v) any theory of liability arising
out of or in connection with the use or performance of information. This applies irrespective of
whether Secunia has been advised of the possibility of such damages.
Secunia reserves the right to change any part of the Material without any notice.
For further information please visit our website: secunia.com
Secunia
Mikado House
Rued Langgaards Vej 8
DK-2300 Copenhagen S
Denmark
Email: info@secunia.com
Phone: +45 7020 5144
Fax: +45 7020 5145