Excellent points ☺

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Sherry Kissinger
Sent: Monday, April 18, 2016 12:51 PM
To: ms...@lists.myitforum.com
Subject: Re: [mssms] RE: Bulletins and manual patching

"Hundreds. All of the vulnerability scans coming in from security "...  If your 
security team is similar to the people running reports here, we had to do some 
push back to educate the report-creators and report-readers of those reports to 
apply some logic.

Here are some things which those people needed to understand.
1) Almost everything on their list which was "missing" (not everything, but a 
significant portion) was for superseded updates.  Quite often those updates 
may have been superseded by a Service Pack--and the "real fix" was to require 
Service Packs be deployed... not just "things that have a MSxx-xxx 
designation".  I.e., there are prerequisites beyond just the MSxx-xxx 
updates in order to actually be fully patched.
2) The next biggest hit was the report creators and readers were often creating 
and compiling their reports on say... January 11th.  So on January 12th, a ton 
of updates were released which superseded a bunch of articles and MSxx-xxx 
updates they just identified.  They had to understand that we deploy fast--and 
their reports are dated.  How to "fix" that is still not certain...
3) The next thing was we have multiple teams which "scan for vulnerabilities".  
Some of those teams simply look for "is this file called 'blah.dll' anywhere on 
the system, and is that blah.dll NOT this patched version?"  So a ton of boxes 
are flagged as vulnerable to the blah.dll update required... and then when you 
finally drill into where they find the blah.dll file... it's in the 
c:\BobsSavedWindowsFolderBecauseHeIsAWierdo folder.  I.e., not in use at all by 
the system.  Sure, it "exists", but it's not being used.  For those 
situations, we indicated that a local technician would need to reimage the 
system as the easiest fix.  <grin>
4) This might be just local to the security team here, but it took a LOT of 
meetings to get this concept through to the report-creators and report-readers. 
Those security teams were used to very simplistic rules: "MS11-999 is 
missing".  That's what *they* wanted to read.  And as you know, for us in 
ConfigMgr (or WSUS), MS11-999 could be multiple updates--it's not just 1 
thing.  So we always need to know: ok, EXACTLY which article in MS11-999 are you 
claiming is missing?  And once they "got" that concept, those missing updates 
were superseded, sometimes 20 times, and we're deploying MS16-001 for that 
vulnerability.
5) MAYBE it is your fault.  :)  Are all of the hundreds of updates for Office 
2010, and you never bothered to check the Office 2010 product in your Software 
Update settings in CM?  Remember you do NOT want to check everything... but 
nevertheless you do want to be sure you are pulling in the products that you 
need to support.

As for importing updates into the WSUS console, I've done that perhaps... 4 
times.  I think.  It's very rare that an update isn't automatically being 
sync'd.  How To: in your WSUS console (which, remember, as a CM admin you are 
told to never launch, lol) you go to Updates on the left.  Then pull down 
"Action" > "Import Updates", and you can search for a KB article there.  If you 
find it, then "add it to your Cart" and go through the download process.  
HOWEVER, that is not a panacea.  As mentioned, it's very, very rare.  If you 
(for example) try to import an update for say... Windows 8, but you don't have 
the Windows 8 product checked as something "to sync", it's still not going to 
show up in CM.  What I usually do is I research the KB article thoroughly.  I 
also have a home lab and look there.  I may ask here on this email list to see 
if it's a missing update that other people see, or if it's just personal to my 
environment.

Last but not least--3rd party.  Lots of ways to address that: from simply 
deploying an application, to roll-your-own rules right in SCUP, to evaluating 
and purchasing a 3rd party rule provider so that you can inject patch rules into 
your top-level SUP (WSUS).

On Mon, Apr 18, 2016 at 1:24 PM, Jason Sandys <ja...@sandys.us> wrote:
I’ve never seen a security bulletin hotfix not be in the WSUS catalog. Can you 
give an example of one?

J

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Brian McDonald
Sent: Monday, April 18, 2016 1:16 PM
To: ms...@lists.myitforum.com
Subject: [mssms] Bulletins and manual patching


How are folks handling security vulnerabilities that do not sync up with 
WSUS/SCCM? I'm trying to grasp how to best approach patches that require manual 
package creation in SCCM, such as MS Security Bulletins. This seems to be a 
never ending battle and we have a very lean team.



Thanks,

Brian





--
Thank you,

Sherry Kissinger

My Parameters:  Standardize. Simplify. Automate
Blogs: http://www.mofmaster.com, http://mnscug.org/blogs/sherry-kissinger, 
http://www.smguru.org
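The triage logic in points 1, 3, 4 and 5 above (is the article superseded or expired, which of the several KBs behind one bulletin is actually meant, is the flagged file even inside the OS or application trees, and is the product synced at all) can be scripted against the ConfigMgr catalog. The following is an added example written for this thread, not code from any of the posters: it assumes a site server named CM01 and a site code of PS1 (both placeholders), WinRM access to the site server, and the SMS_SoftwareUpdate class in the site's SMS provider namespace. The scanner findings it reads are constructed sample data using the bulletin and file names from the post.

```powershell
# Added example (not from the thread): reconcile a scanner's "missing bulletin" hits
# against the ConfigMgr software update catalog before anyone opens a ticket.
#  - superseded/expired articles            (points 1 and 4)
#  - one bulletin = several KB articles     (point 4)
#  - file hit outside the OS/app trees      (point 3)
#  - bulletin absent from the synced catalog (point 5: product not selected on the SUP)
# Assumptions (placeholders, not from the thread): site server CM01, site code PS1.

param(
    [string]$SiteServer = 'CM01',   # placeholder
    [string]$SiteCode   = 'PS1'     # placeholder
)

$ns = "root\SMS\site_$SiteCode"

# Constructed sample scanner output: bulletin, matched file, and where the scanner found it.
$scanFindings = @(
    [pscustomobject]@{ Bulletin = 'MS11-999'; File = 'blah.dll'; Path = 'C:\Windows\System32\blah.dll' },
    [pscustomobject]@{ Bulletin = 'MS11-999'; File = 'blah.dll'; Path = 'C:\BobsSavedWindowsFolder\blah.dll' }
)

# Directories whose contents the OS and installed applications actually load from.
$systemRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function Get-BulletinArticles {
    param([string]$Bulletin)
    # One bulletin usually maps to several updates in the catalog; list each with its state.
    Get-CimInstance -Namespace $ns -ComputerName $SiteServer -ClassName SMS_SoftwareUpdate `
        -Filter "BulletinID='$Bulletin'" |
        Select-Object ArticleID, BulletinID, LocalizedDisplayName, IsSuperseded, IsExpired, DatePosted
}

function Test-PathInUseByOS {
    param([string]$Path)
    # A copy sitting in a user's saved folder is not a loaded component.
    foreach ($root in $systemRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

foreach ($finding in $scanFindings | Sort-Object Bulletin, Path -Unique) {
    $articles = Get-BulletinArticles -Bulletin $finding.Bulletin
    if (-not $articles) {
        "$($finding.Bulletin): not in the synced catalog; check the Products selected on the Software Update Point (point 5)"
        continue
    }
    foreach ($a in $articles) {
        $state = if ($a.IsExpired) { 'expired' } elseif ($a.IsSuperseded) { 'superseded' } else { 'current' }
        "$($finding.Bulletin) KB$($a.ArticleID) [$state] $($a.LocalizedDisplayName) (posted $($a.DatePosted))"
    }
    if (-not (Test-PathInUseByOS -Path $finding.Path)) {
        "  $($finding.Path): found outside the OS/application trees; a stray copy, not a loaded component (point 3)"
    }
}
```

Run it from a console that has rights on the site server; the output groups every KB the catalog files under the bulletin with its superseded/expired state, so the "which article exactly?" conversation from point 4 can start from data rather than from the scanner's one-line claim. The path check only says where the file sits, not whether it is loaded; for that, the reimage-or-delete decision from point 3 still belongs to the local technician.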