• Status: Solved

SCCM - workstation experts view

Hey - I am not overly familiar with System Center Configuration Manager and how it can be used to identify control issues with Windows workstations/servers.

Historically our security/audit use MBSA / Nessus to scan such devices - can SCCM be used to run similar reports? Or perhaps put another way - what can MBSA / Nessus find that SCCM can't find? If anything?

Does SCCM replace the need for vulnerability scanners?
Asked by: pma111
 
pcfreaker Commented:
Hi,

As far as I have used SCCM on our network, the MBSA scan as it was used before is not integrated; you simply download the pending updates via WSUS, and from that you can view which machines are missing such updates.

Follow this great tutorial on setting up the windows updating service via SCCM:

http://www.windows-noob.com/forums/index.php?/topic/624-configuring-software-update-point-within-sccm/

Rgds.

pma111 Author Commented:
So there still is a need to use MBSA for control issues?

And SCCM doesn't replace MBSA's worth so to speak?

And SCCM is more a patch verification tool?

pcfreaker Commented:
Well basically, SCCM replaces the need for MBSA, and it can deploy your patch management on your network. I use it for more than 500 servers 3 times a year and works great. Of course I still use MBSA in random cases in which I want to double check a server in particular.
 
pma111 Author Commented:
>>Of course I still use MBSA in random cases in which I want to double check a server in particular.

Is that because you aren't sure SCCM will have done what it should?

Can SCCM do reports similar to MBSA that would suffice for the auditors?

I don't think they'll accept that the company now use SCCM so they don't need to do their MBSA reports - they'll need some evidence to prove systems are secure.

If SCCM can provide that then great.

pma111 Author Commented:
Can you clarify what you mean when you say:

"I use it for more than 500 servers 3 times a year and works great."

Thanks

pcfreaker Commented:
>>Of course I still use MBSA in random cases in which I want to double check a server in particular.

>>Is that because you aren't sure SCCM will have done what it should?

A>> For me it is faster to run MBSA before the deployment, because this way I know how outdated my servers are and can look for the KB in cases in which applications could be affected; just for peace of mind.
And I use MBSA a couple of weeks before the audit scan; this way I can make sure that we are OK.

As for the reports, this I don't use, because our auditors use a third-party tool, but it is kind of the same as MBSA.

I update 3 times a year because it takes about 3 to 4 weeks to prepare the change management plan, notify the users and owners of the services/applications on the servers (basically because there might be a patch that they know will harm their apps and stuff), and to update a group of services at a time (this takes about 2 months), and it takes about a month for the certifications from the users and owners.

Anything else, let me know.

Rgds.

pma111 Author Commented:
So is the basic process:

Company A wants all its servers configured this way in terms of security. And all workstations configured this way in terms of security.

Company A defines a baseline that matches this security baseline.

Company A then uses SCCM to scan all its workstations to produce exception reports where workstations/servers are out there that don't comply with the baseline.

The company A manually has to change the non-compliant settings - or does SCCM do it manually?

Have you any default reports or an example screenshot of the "Non compliant" findings (clients)?

pcfreaker Commented:
You summarize it well; in fact, it is simpler: you create the Search Criteria of the year, then another one for the last month's updates.
Once you create the deployment task you are set to activate it at your need.

About the non-compliant, I have an Excel file, but what I can do is attach it so you get the idea.
Patch-Management-AA-NT-sample.xlsx

pma111 Author Commented:
Thanks.

Wondered where WSUS fits in with SCCM? Is SCCM just like the management tool which can call other specific tools like WSUS, security config manager etc?

pma111 Author Commented:
And does SCCM automatically rectify "non compliance"? Say for example you set a baseline of all shares must not have the Everyone group on the ACL - if SCCM finds any - does it just whack them off the ACL - or does it have to be done manually? I.e. SCCM is just the information gathering, and the actual rectification must be done manually?

pma111 Author Commented:
And does/can it check 3rd party client side software updates, i.e. Adobe Reader, Flash, Java etc.? They always seem to be woefully out of date in our environment.

merowinger Commented:
For this you can use SCCM and the System Center Updates Publisher
http://technet.microsoft.com/en-us/library/bb531022.aspx

pma111 Author Commented:
>>And does SCCM automatically rectify "non compliance"? Say for example you set a baseline of all shares must not have the Everyone group on the ACL - if SCCM finds any - does it just whack them off the ACL - or does it have to be done manually? I.e. SCCM is just the information gathering, and the actual rectification must be done manually?
