CCS v10.0 Reporting and Analytics: Windows Patch Assessments - Best way to run?

Created: 02 Feb 2011 | 11 comments

(I'm coming from SecurityExpressions to Control Compliance Suite...FYI)

Within Reporting & Analytics (v10.0), I need to check all Windows servers Microsoft OS patches and service packs (any version of Win Server from 2000, 2003 Standard & Enterprise, 2008 Standard and Enterprise both 32 & 64-bit) and report on what is missing.  I need to:

  • Collect (Data Collection) the patch assessment information.
  • Run an Evaluation based on a Standard.
  • Run a report to show each server's % compliance.
  • Run a report to show only the missing patches grouped by server name simply showing a missing patch(es) in row(s) under each server.
  • Track ongoing progress of remediation from the initial findings - either through periodic reports or through dashboarding.

I successfully ran a Patch Assessment query in RMS to initially find all missing patches on each server.  Great!  Now, I need to get this into Reporting & Analytics. I have created numerous Data Collections based on various Patch Assessment standard checks trying to find the most efficient way to obtain and report on the missing patches but nothing is as fast or as simple as the RMS query (I'm finding this is the case on just about anything in R&A). 

I'm betting that someone else has a great process they are using and would like to share?  A while back, I thought I came across some How-To articles on the best way(s) to run Windows Patch Assessments but can't find anything now.

Questions:

  • First, is there a simple process in R&A to import the results of the RMS query for reporting?  Or, do I really have to run a Data Collection, Evaluation, and Reporting (either all in one or separately)?
  • Otherwise, how does anyone else run their Microsoft Windows Patch Assessment? 
  • Which Patch Assessment checks do you run? 
  • Did you create a separate custom standard for each version of Windows Server?  Or did you create one standard for all versions?
  • Do you run the patch assessment checks for all servers at once (let's say based on having 250 Windows servers in a single domain - I'll worry about other domains/DMZ/etc. later)?  Or run checks by OS type/version?
  • What report would be best just grouped by server name with its missing patch info by MS bulletin and/or Q/KB name?  Seems like I have run all reports available and can't seem to find just a basic report. 

I found the Standard that basically says it's the same as running the RMS Patch Assessment query.  But, it doesn't report very well as everything all rolls up to pass or fail on "are all patches installed?" or "are all service packs and security patches installed?" rather than by the individual check. 

I've spent the better part of the last two weeks just trying to do all of this in R&A and just takes so much time in getting everything set just right but still don't have a fairly automated way to run a Windows Patch Assessment. 

Hope this finds you well and that you might have a few minutes to spare and share to help a fellow CCS Admin.  :-)

Thanks,

Aaron

Comments

Kevin_K's picture

I did try using this stuff once, though currently we use Symantec Altiris for all of the patching and Patch Assessment. This works real well since the machine has to be on and connected to the network for SCCS to scan it ..and the scan has to be running at that time as well. With Altiris we have it scheduled that the machine 'checks in' and reports back to the central server (DMZ or internal) with the information needed.

Our Microsoft team also runs some additional data scans for Patch Assessments as part of their policy. Also since we have an MSDN and other contracts with Microsoft the software to do that was included.

The majority of what we do though is through Altiris. I had looked at the options in SCCS R&A and Data Collection in the past and it seems that while both are okay you're always hit or miss depending on if the machine is online at the time of the scan.

ahumphries's picture

Thanks for the quick reply.

You have some good points in that the SCCS scans will depend on the machines being up at the time of the scans.  But, I'm Ok with that on the server side and will work around backup schedules and maintenance windows. 

Our server team uses Shavlik primarily to do the actual MS Windows server patching.  What I'm primarily tasked to do from a risk and security perspective is ensure that the patches are getting done.  I'm hoping that using SCCS and some of its workflow capabilities (Entitlements, etc.). 

What other types of activities do you primarily use SCCS for?

Aaron

VSK's picture

I think CCS R and A also gives you very good tool, to evaluate against missing patches....just make sure you have the latest patch assessment library downloaded.

There are various report templates that give you information, as you need...even for which check failed etc...

Just a matter of using the correct report template

-VSK

ahumphries's picture

I agree that CCS R & A is great tool but which is the "correct report template" to use for Patch Assessments on Windows Servers?  So far, I have found at least 5 different ways to run a Windows Server patch assessment:

  • By all "products" (non-product specific)
  • By all "products" (Microsoft only)
  • By Windows server version
  • By Microsoft patch severity
  • By Bulletin

In RMS, basically I just selected the Patch Assessment query, scoped to all servers, and away it went.  If I did this within R & A, the job runs at least 2 or 3 times as long (probably much longer but aborted the job).

Thanks for the reply but hoping to hear some examples of how CCS can be used to get this job done effectively, efficiently, and correctly.

Thanks again,

Aaron

Kevin_K's picture

vasu123 has a good point with his post.

Also something to consider is if Shavlik is primarily used to do the actual MS Windows server patching you may be able to run a report with the specific patches they're updating to show the progress of what they're doing.

For our environment since we have Altiris we currently do not use SCCS to re-scan what Microsoft and the Altiris data already collects. We would be doing it a third time at that point. We get sent a list of patches that are going out when the Microsoft team plans to do them...so if you know those and they include you in the planning / change process you may be able to create a small standard for that run of patches then tie the results to a dashboard that shows their progress over the course of the patch update process. I do think that part would be easier in SCCS R&A than in the data collection portion....so long as the R&A patch data is up to date

We have been using SCCS since it was BindView back in the pre version 8 days. Right now we're using it quite a bit to perform variance reports on application access, group memberships and other reports on our network / users. SCCS doesn't do all of this on its own though we have extended our Active Directory and Novell schemas so that user accounts hold other attributes such as employee ID, and department, job code and process level which helps us do what we want. It's not an out of the box solution from SCCS though we bent it and put a few other steps in the process to make it fill a need. It also helps us look at applications / databases and Unix logins to make sure we've removed accounts for terminations

We are in the process of looking at workflow and creating server templates / checks / gold standards so that we can run evaluations against a group of similar servers to ensure they are set up the same way...something that I hope leads back to securing the host more.

I'll be looking at workflow more this year and going to vision so I hope to get some other good ideas for expansion of use of the system where I work. I'm one person running all of it for the company so it's tough at times to get additional features installed and running.

ahumphries's picture

Is it possible to import BindView query results into Reporting and Analytics as a Data Collection and/or Evaluation?  Or, somehow be able to report on these results instead of forcing R&A to do the Data Collection/Evaluation?

Thanks,

Aaron

VSK's picture

No, we cannot report from CCS against data collected in data collection. You have options to prepare report in data collection itself...

-VSK

Kevin_K's picture

If I understand what you're asking

You could make a custom report inside the data collection area...then export that to an xml file to use with a tiered dashboard. Any report you run in Data Collection can be exported to an xml file and used with a tiered dashboard. It's not an evaluation in the term that perhaps R&A has for an option to run an evaluation against an asset...though you are running the evaluation yourself then just making your own dashboards.

I've done that with custom reports I've made for application access and user terminations though there are some reasons that might not be so hot for looking at patched systems.

The first I can think of is in the form of a deliverable. You cannot publish tiered dashboards to the web like you can with dynamic dashboards. That might be of use for the powers that be in your organization to see a deliverable that is easy to access whenever they need to see it.

The second is that if you create the check or copy / paste into a new one for the patches you are looking to monitor for the patching period they are working on you'll have the ability to publish it (I believe) as a tiered dashboard. The check in the R&A will then tell the data collection what to check for so that you're not having to create a check for common patches.

If you don't mind me asking a few questions about what you'll be doing I may be able to offer some suggestions. Are you looking to just check Microsoft Patches on the servers only or are there different patches that you'll be including (Adobe or stuff like that)?

ahumphries's picture

For now, I'm only concerned with Microsoft security patches/updates on servers. 

Dashboards may work.  Although, I need to provide to our server admins a report/list of all servers and their missing patches - as we (Security team) see it in a point in time/snapshot.  This is part of our checks and balances where they use Shavlik to do the patch management.  Then, I'll use SCCS to validate and report that patches have been installed.  I'd much rather automate this reporting, if at all possible, as opposed to exporting a spreadsheet from an RMS query then creating an Email to attach the file and send. 

I haven't worked with dashboards yet (besides just an overall look at where to create them) as I just don't quite understand what they can do, benefits from their use, difference between tiered and dynamic, and how to configure them correctly.  However, from your message here, this could be a very good possibility.

Then, from a trend reporting perspective, I want to show the number/percentage of servers with missing patches (or % of servers that are fully patched) over time - which hopefully will show a downward trend (for missing patches) and upward trend (for fully patched). 

Does this help?

Thanks,
Aaron
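
The point-in-time report and the trend described in the post above, as an added example that is not part of the original thread and is not Symantec code. It assumes the RMS query results have been exported to CSV with hypothetical `snapshot`, `server`, `bulletin` and `kb` columns (the real export layout may differ); the sample rows, server names and bulletin/KB values are constructed placeholders.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: one row per (snapshot, server, missing patch); assumed columns.
SAMPLE_EXPORT = """snapshot,server,bulletin,kb
2011-01-15,SRV-APP01,MS-EXAMPLE-01,KB0000001
2011-01-15,SRV-APP01,MS-EXAMPLE-02,KB0000002
2011-01-15,srv-db01,MS-EXAMPLE-02,KB0000002
2011-01-15,SRV-WEB01,MS-EXAMPLE-01,KB0000001
2011-02-15,SRV-APP01,MS-EXAMPLE-02,KB0000002
2011-02-15,SRV-APP01,MS-EXAMPLE-02,KB0000002
"""
# A fully patched server has no rows in the export, so the scope list is required.
SCOPE = ["SRV-APP01", "SRV-DB01", "SRV-WEB01", "SRV-FILE01"]


def load_missing(text):
    """Return {snapshot: {server: set((bulletin, kb))}} from the CSV text."""
    data = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(text)):
        server = row["server"].strip().upper()  # host names are case-insensitive
        data[row["snapshot"].strip()][server].add(
            (row["bulletin"].strip(), row["kb"].strip()))  # set drops duplicate rows
    return data


def missing_report(data, snapshot, scope):
    """Text report: each in-scope server with its missing patches underneath."""
    lines = []
    for server in sorted(s.upper() for s in scope):
        patches = sorted(data[snapshot].get(server, ()))
        lines.append(f"{server}: {len(patches)} missing")
        lines.extend(f"    {bulletin}  {kb}" for bulletin, kb in patches)
    return "\n".join(lines)


def fully_patched_trend(data, scope):
    """Return [(snapshot, percent of in-scope servers with nothing missing)]."""
    servers = {s.upper() for s in scope}
    trend = []
    for snapshot in sorted(data):  # ISO dates sort chronologically
        unpatched = servers & {s for s, p in data[snapshot].items() if p}
        pct = round(100 * (len(servers) - len(unpatched)) / len(servers), 1)
        trend.append((snapshot, pct))
    return trend


PARSED = load_missing(SAMPLE_EXPORT)
print(missing_report(PARSED, "2011-02-15", SCOPE), fully_patched_trend(PARSED, SCOPE), sep="\n")
```

Servers that appear in the export but not in the scope list are ignored by the trend, so a stale or out-of-scope host does not skew the percentage.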

Kevin_K's picture

I saw you were on the webinar today.....did what he covered help you with the checks you're looking to create?

So are you going through to look at the patches or is there a patch management process where they ID which patches they need and are going to apply?  RMS can generate a report and email it out through a task list so that it saves you a step though I understand what you're getting there.

It seems that you would be able to create the check in a standard for the patches you want to verify...then group the assets into an asset group and run that standard against that asset group. That way each time it's run you'll have a listing of the percentage passed which you can compare to the previous report run(s).

I heard you on the webinar asking the question so I hope that you got some good info

ahumphries's picture

Kevin,

Hey!  Yes, I was on the webinar today.  Wasn't sure if I should have asked the question since I knew this could possibly lead into its own webinar.

Today's webinar didn't exactly answer this particular question but was definitely beneficial for creating custom checks.  What I took away from Kevin's answer was that engineering may be looking at the whole Microsoft Patch Assessment check process within R&A.

One of the ways that I found works is exactly what you described.  However....since R&A isn't exactly the speediest application to use it really takes a long time just to get through selecting a portion of the Patch Assessment library to paste into a custom standard.  The problem I am having with this process is that I'll have to manually copy the updated patch assessment checks after each monthly update. 

I did find that under the Non-Product Specific checks, the description for All Product Checks says it's basically the same checks as the Patch Assessment in RMS.  While it seems like it's the same checks, it doesn't report very well.  Instead of seeing the individual check failures in a report, I only see the "roll ups" that fail which are checks like "is all service packs installed" or "is all service packs and security updates installed". 

You bring up a great point about using a task list after the query runs in RMS.  For the time being, I'm just going to run the query in RMS and Email it out.  At least for now, I'll meet the requirement and will worry about automating it with dashboards, etc. in the future. 

Still open for suggestions from others on what they are doing with this. 

Thanks!
Aaron