Corporate Software Inspector

Transcription

1 Corporate Software Inspector - Integrated with Microsoft WSUS & SCCM for 3rd Party Patch Management - CSI Setup and Usage guide Server Edition -Rev

2 Table of Contents 1. About Secunia About Secunia Research The Secunia CSI Integrated with Microsoft WSUS & SCCM for 3rd Party Patch Management The Scan Process how does it work Patch Management how does it work Installation and System Requirements CSI Operational Requirements CSI GUI/Console Prerequisites CSI with Patching Capability Agent-based Scan - Requirements Scan Groups/Agent-less Scan - Requirements Setting Up Clients to Access WSUS Installing the Secunia CSI GUI How Can I Scan Target Hosts? Agent installation Single Host mode Agent Installation Network Appliance Mode Troubleshooting Scanning Remote Scanning via CSI Quick Scan Scan Groups Scan Progress Remote Scanning via Agents Network Appliance Agents Network Appliance Groups Agent Download & Setup Scanning via Local Agents Single Host Agents Agent Download & Setup Filter Scan Results Scan Paths Ignore Rules Completed Scans Results Sites Hosts Programs and Operating Systems All Insecure Patched Categories Reports Dashboard Change Summary Generate Reports View Scheduled Reports Patch Create Available Deployment Configuration Step 1 Connection Status Step 2 Certificate Status Step 3 Group policy Agent Deployment /45

3 10. Configuration Settings Suggest Software Reset Password Support Manual & FAQ Microsoft WSUS Changelog Contact Information Secunia Advisories About Secunia advisories From (attack vector) Criticality Impact Other Frequently Used Terms Technical Support...31 Appendix A: FAQ...32 Appendix B: Proxy Settings...33 Appendix C: Deploying Agents on a Network via GPO...34 Appendix D: Setup Examples...38 Appendix E: Install the WSUS Administration Console...39 Appendix F: User Management...40 Appendix G: Accessing the CSI Local Database...41 Appendix H: CSI Agent Single Host Mode & Appliance Mode /45

4 1. About Secunia Secunia is an independent, world-leading provider of Vulnerability Intelligence. Our aim is to give you exactly the intelligence you need, which enables you to address vulnerabilities quickly and effectively before intruders cause serious harm to your organisation. We have no ties to specific vendors, nor any strings or bias that go with such ties. We provide objective and verified analyses in the manner and format of your choice. Whether you control security from a central security department or have distributed security responsibilities, our services assure that you receive the security alerts relevant to your IT infrastructure instead of having to spend vast amounts of time browsing through information with questionable relevance. The vulnerability issue cannot be denied. very corporation faces the certain knowledge that vulnerabilities in the IT infrastructure can be used to compromise security. This represents an extra challenge for the person responsible for IT: How can you protect your IT infrastructure more effectively? How can you make sure that you have all the Vulnerability Intelligence you need? How can you do this without spending too much time and effort investigating and evaluating loads of unstructured information compiled from various sources? And how do you achieve the best possible fit with your other security tasks, like compliance, ACL, user management, etc? policy Save both time and money with our solutions, you can rely on being alerted pre-emptively with a full verification and analysis of any vulnerability that could compromise your network security. Furthermore, our solutions give you the tools to both manage your network security and keep it updated at all times. Imagine a solution that ensures you are alerted when someone discovers a major vulnerability in one of your key applications. Imagine that this solution alerts you, even if the vendor does not. Imagine that this solution presents the alert in a comprehensive manner, verifies the exact issue, and tells you how to deal with it in the best possible way and provides you with the tools necessary to eliminate the threat effectively. No more unnecessary worries. No more wasted time trying to keep track of Vulnerability Intelligence. No more guilty conscience about not being able to cover so much ground. 4/45

5 2. About Secunia Research Our experts monitor all available intelligence on vulnerability issues, subscribe to all securityrelated sites, newsgroups and newsletters, and are in ongoing dialogue with vendors regarding vulnerability issues. In addition, our vast network with the industry ensures that we have access to all vulnerability alerts available. Once a vulnerability has been identified, an advisory is issued based on the expertise of the Secunia Research team. The advisory includes thorough analysis, allowing you to evaluate and eliminate the vulnerability immediately. With the Secunia Enterprise Vulnerability Manager solution, you can be at the forefront in eliminating vulnerabilities. With the Corporate Software Inspector you will be pre-emptive in eliminating vulnerabilities and in protecting your network against outside threats. The cutting-edge technology combined with the expertise of the Secunia Research team will enable you to track and eliminate any vulnerability that poses a threat to your network. Professionals rely on Secunia. As a customer, you will have the most comprehensive Vulnerability Intelligence in the palm of your hand and filtered to your specific needs, thus ensuring that you have access to accurate and relevant information. The Vulnerability Intelligence is available in your own customised area, which is updated and accessible 24/7. The Secunia blog is used to communicate our opinions about vulnerabilities, security, ethics, and our responses to articles, research papers, and other blog entries regarding Secunia and vulnerabilities. Please find our blog on this link: Besides the Secunia Corporate Software Inspector, other Secunia solutions include: Intuitive, fast, and easy to use SSL-encrypted web-based interface accessible 24/7. Filtering and management of Secunia Advisories. Overview, documentation, and detailed reports. Vulnerability Scanning of your IP addresses and software. Customised alerting via and SMS. 5/45

6 3. The Secunia CSI Integrated with Microsoft WSUS & SCCM for 3rd Party Patch Management The Secunia CSI is an authenticated internal vulnerability scanner, capable of assessing the security state of practically all legitimate programs running on Microsoft Windows platform. The Secunia CSI also integrates with Microsoft WSUS & SCCM for easy deployment of 3 rd party updates, making patching a simple and straight-forward process for all IT departments. The Secunia CSI utilises the Secunia Advisory & Vulnerability Database to assess the security state of detected programs, thus making the vulnerability intelligence foundation for the Secunia CSI superior in every aspect, especially compared to competitive solutions that rely on ad-hoc/random vulnerability information gathering from various sources. Furthermore, the Secunia CSI's unique and unparalleled scan engine technology is capable of detecting programs based on actual data on the file system, which is extremely reliable compared to making assumptions based on inaccurate/out-of-date information from, e.g., the Windows Registry, which is what many of the competitive solutions do. Since the Secunia CSI is running as a trusted application with the purpose of assisting the system administrator, it can take a light-weight, but much more in-depth approach, suited for internal vulnerability scanning. Furthermore, the Secunia CSI is already running with administrative privileges on the network and thus is capable of logging into the systems being scanned. It can read data from files on the hard-drive of the scanned system and assess whether the installed programs are vulnerable or not, cross-referencing with Secunia Vulnerability Intelligence. 3.1 The Scan Process how does it work The first process of scanning a system is to collect specific META data from primarily.exe,.dll, and.ocx files on the system being scanned. META data is generic non-sensitive text strings embedded in the binary files from the vendor of the program. This data is collected and then sent to Secunia's Secure Data Processing Cloud (DPRC) where it is processed and parsed. After being processed, the data is matched against the Secunia File Signatures, which are the rules that match the raw META data to an actual program installation. Part of this matching process also results in an exact version being extracted from the META data. This means that after the initial parsing the Secunia CSI knows exactly which programs are on the system and their exact version a precise inventory of software on the system. The inventory of software is then compared against the unique Secunia Advisory & Vulnerability Database, which contains the most accurate and current Vulnerability Intelligence available. The result is a precise inventory of programs, their versions, and the exact security state of each, along with a direct reference to the corresponding Secunia Advisory detailing the exact vulnerabilities and their Secunia assessed criticality and impact. Since the scan process works by looking at the actual files on the system being scanned, the result is extremely reliable as a program cannot be installed on a system without the actual files required being present. This in turn means that the Secunia CSI rarely identifies falsepositives and thus the customer can use the result from the Secunia CSI immediately without doing additional data mining! 3.2 Patch Management how does it work Patching of vulnerable software, in particular 3rd party software which is not supported by Microsoft WSUS, has been a cumbersome and resource demanding process causing many enterprises to either neglect patching or only patch very few non-microsoft applications. Through the seamless Microsoft WSUS & SCCM integration with the Secunia CSI the patching process has been simplified and can literally be conducted with a few simple clicks. Patch Management has never been easier and more straightforward than with the Microsoft WSUS & SCCM and the Secunia CSI integration. 6/45

7 4. Installation and System Requirements 4.1 CSI Operational Requirements The following section describes the operational requirements needed by the Secunia CSI 4.1 taking into consideration the different components/features CSI GUI/Console Prerequisites In order to install and run the Secunia CSI 4.1 Console (Graphical User Interface), the following requirements should be met: The CSI Console must be launched by a user with Domain Admin1 privileges http(s)://your-server-domain or http(s)://your-server-ip must be added to the Trusted sites in the Internet Options of IE Connection - Port 80 or 443 (see Appendix C in Server installation Guide) open inbound to the Secunia CSI server Minimum 1024 * 768 screen resolution CSI with Patching Capability To successfully create updates the following requirements should also be present: WSUS installer (Administration console only, please refer to Appendix E) Visual C runtime Microsoft.NET runtime V2.0 SP2 When running the Secunia CSI 4.1 for the first time in Windows Vista, 7 or 2008, rightclick the CSI icon and select 'Run as administrator' Remote Registry must be enabled to successful install the certificates (In Vista and Win7 this service is by default disabled) Agent-based Scan - Requirements The Secunia CSI provides enough flexibility that it can be easily adapted to your environment. If you choose to scan using the installable Agent2 (Agent-based scans), please consider the following requirements that should be present in the target hosts: Administrative privileges (to install the CSI Agent csia.exe) Microsoft Windows 2000, XP, 2003, 2008, Vista and 7 Connection - Port 80 or 443 (see Appendix C in Server installation Guide) open inbound to the Secunia CSI server Windows Update Agent 2.0 or later Scan Groups/Agent-less Scan - Requirements If you prefer to scan without installing the CSI agent (Agent-less scans), please consider the following requirements that should be present in the target hosts: Ports 139/TCP and 445/TCP open inbound (on hosts) File sharing enabled on hosts Easy/simple file sharing disabled Windows Update Agent 2.0 or later Required Windows services started on hosts (should be by default): Workstation service Server service Remote Registry service COM+ services (COM+ System Application: Set to Automatic) 1 The user running the Secunia CSI must have the necessary privileges so it can perform tasks such as: configure/connect to Microsoft WSUS, perform remote scans to hosts in the network, install the necessary certificates so client machines can accept the packages created by the Secunia CSI. 2 Section 4.4 Agent installation - Single Host mode 7/45

8 4.1.5 Setting Up Clients to Access WSUS The Secunia CSI 4.1 uses the WSUS update mechanism so that updates/patches become available to clients in your network. In this way, it is important to configure your clients to access the WSUS server. When connecting the Secunia CSI to a WSUS server for the first time, you will get prompted by the CSI Group Policy wizard1, through this wizard you can easily create a Group Policy that will enable your clients to get updates from the WSUS server. If you choose not to create a new Group Policy using the 'CSI WSUS Group Policy' wizard, please edit your existing WSUS Group Policy in the following manner: 1) In the Group Policy Management Console (GPMC), browse to the Group Policy Object (GPO) on which you want to configure WSUS, and then click Edit. 2) In the GPMC, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update. Enable: Configure Automatic Updates (choose your settings) Enable: Specify intranet Microsoft update service location. (Add the hostname/ip of your WSUS server). Enable: Allow signed updates from an intranet Microsoft update service location. (Important enables WSUS to distribute patches through the Secunia CSI) Please refer to section 9.4 Configuration to read about the 'WSUS Publishers Self-Signed' certificate installation. For installing the WSUS server we recommend reading the Step by Step Installation Guide provided by Microsoft: Installing the Secunia CSI GUI Please follow the below steps in order to install the latest version of the Secunia CSI 4.1: Download the Secunia CSI installer from your server. http(s)://your-server-domain/csisetup.exe or http(s)://your-server-ip/csisetup.exe Double click the installer icon and follow the wizard instructions. Launch the Secunia CSI as Domain Administrator, i.e. right-click and 'Run as administrator' (if running on Windows Vista, 7 or 2008) Login with your CSI Account credentials (User name/password) You will be prompted to reset your password. We strongly recommend the user proceeds with the password reset since the first Secunia password will expire after the first login. Upgrading from a previous version of the Secunia CSI, i.e. CSI2.x, to Secunia 4.1 is not possible! Supported Microsoft Operating Systems: Windows 2000 SP4 Windows XP SP3 Windows Vista (x86/x64) Windows 7 (x86/x64) Windows Server 2003 Windows Server 2008 (x86/x64) 1 Section Step 3 Group policy 8/45

9 4.3 How Can I Scan Target Hosts? The Secunia CSI allows scanning of target hosts by using different approaches, namely: Scan the target hosts by launching a scan from the system where the Secunia CSI Console is installed. By using this approach, no software is installed in the target hosts. The scanning is made by using standard operating system services. Please check sections: Scan Groups/Agent-less Scan - Requirements and Scan Groups. Alternatively, you can perform Agent-based scans. This type of scan is conducted by the Secunia CSI agent that can be installed in different modes: Single Host Mode, Network Appliance Mode, or Command Line Mode. Please refer to section Agent Download & Setup for more details. The following sections describe in greater detail the agent installation in Single Host Mode and in Network Appliance Mode. 4.4 Agent installation Single Host mode The Secunia CSI provides different scan approaches, enabling you to select the one that best suits your environment, the Agent-based deployment is more robust and flexible for segmented networks or networks with mobile clients (e.g., laptops). Once installed, the agent will silently run in the background, even behind a firewall. Example: Install the CSIA.exe (Agent) in Single Host mode, download the agent from the CSI console in 'Scan-> Scheduled Scan-> Download Agent'. Please refer to section Agent Download & Setup for further details. NOTE! Make sure that the agent is locally present in a local folder on the target PC before installing. Once the agent is installed, every time the laptop goes online (Internet connection) it will verify if a new scan should be conducted. After scanning, the result will show up in 'Scan-> Completed Scans' in the Secunia CSI Console, allowing full control to scan and view results of hosts that are not always connected to your network. Result: Hosts scanned with the Agent in Single Host mode will show in 'Results-> Hosts'. When and how the hosts are scanned can be controlled from the Secunia CSI console under 'Single Host Agents'. Right-click a host name and select Edit Configuration to change the agent settings. Install the Agent from the command prompt with local Admin account using: >csia.exe -i -L By using the -L parameter, the agent will be installed as a service running under the LocalService user account. If you are a member of a domain and you don't use the -L switch, the service will be installed under the user account performing this action, thus granting the 'logon as a service' privilege. However this privilege is usually removed in the next GPO background refresh, since domain policies will not allow it. As a consequence, the Agent will stop working after the privilege has been removed. 9/45

10 Example of an installation: 4.5 Agent Installation Network Appliance Mode Network Appliance Agents are one solution for scanning one or more networks at scheduled intervals without having to install the Agent in every single target host. With the CSIA.exe installed in Appliance mode, you will have the ability to schedule remote scans. The hosts to be scanned can be identified by an IP-range, IP-network or Host-name. The CSI console allows you to easily manage the scans being done by the Appliance agent. NOTE! Make sure that the agent is locally present in a local folder on the PC before installing. Example: If you want to scan three different networks (i.e. Germany, United States, and United Kingdom) without having to install the agent in single host mode, then you can install three instances of CSIA.exe in Network Appliance mode, one on each network. Afterwards you will be able to scan all the hosts on the three locations at scheduled intervals. This is done by creating the appropriate scan groups in 'Scan-> Scheduled Scanning-> Network Appliance Groups' and assigning each group to its respective and previously installed Network Appliance Agent. Result: After installing a CSIA.exe in Network Appliance mode, the Appliance agent will appear in 'Scan-> Scheduled Scanning-> Network Appliance Agents'. To specify the target host to be scanned by the Appliance mode agent, please configure the scan group in 'Scan-> Scheduled Scanning-> Network Appliance Groups' Installing the Network Appliance Agent from the command prompt: >csia.exe -A -i It is very important that the CSIA.exe is installed with the correct credentials. The user installing the Appliance Agent must have admin rights to all the target hosts that will be scanned by the Appliance Agent. Example of an installation: 4.6 Troubleshooting If the Secunia CSI 4.1 fails to launch properly, please consider the following support resources: Appendix A: FAQ Online FAQ available in Also, examples of different Agent setups are provided in Appendix D: Setup Examples. 10/45

11 5. Scanning 5.1 Remote Scanning via CSI The following options are listed under 'Scanning' : Quick Scan Scan Groups Scan Progress Through these you can perform and monitor the progress of scans conducted on your PC and/or remote hosts on your network. These scans are performed in an Agent-less manner and is important to mention that the credentials used by the Secunia CSI to authenticate on the target hosts will be the same as those of the user that launched the Secunia CSI Console. Please consider the system requirements for the Scan Groups / Agent-less scans, described in section Scan Groups/Agentless Scan - Requirements Quick Scan Simply enter the Computer name and/or IP-address range for the hosts you wish to scan in the 'Enter hosts to scan' area and press the 'Scan Hosts' button. The scan progress will be available 'Scan Progress' Scan Groups Through this option you can create 'Scan Groups' by choosing which hosts you would like to scan for vulnerabilities. After pressing the 'New Scan Group' button, a new window will appear. In this new window you can create and configure a group of hosts to be scanned. After navigating through the different tabs: 'Name & Scan Type', 'IP Ranges', 'IP Networks and Hosts & IPs', press the 'Save' button to save and create the scan group. To start a scan on a previously created group, right-click the group name and select 'Scan Now'. 11/45

12 Please consider the system requirements for the Scan Groups / Agent-less scans mentioned in section Scan Groups/Agent-less Scan - Requirements Scan Progress Through this view you can track the scans being conducted. If you wish to configure the number of simultaneous scans threads, please see section 10. Configuration of this document, the default value is set to Remote Scanning via Agents Network Appliance Agents In this screen you can manage configurations and schedule scans for the hosts where the Agent is installed as a service in Single Host Mode. Double click a row to manage the configuration of the selected agent and change its settings (Inspection type, Check-in frequency, Days between scans). If you right-click on a host name and select 'Edit site configuration' you will be able to manage the configuration for all the hosts in that Site. 12/45

13 5.2.2 Network Appliance Groups In this screen you can create a target group that will be scanned by a Network Appliance Agent. Press the 'New Group' button to start creating a new target group that will be remotely scanned by one of the Network Appliance Agents previously installed Agent Download & Setup The Secunia CSI Agent (CSIA.exe) is a small, simple, customisable and extremely powerful Secunia CSI scan engine that offers a fully featured command line interface (CLI) to the Secunia CSI scanning functionality. In this screen it is possible to download the csia.exe file as well as read an explanation of the Network Appliance and Command Line Agent modes. NOTE! Make sure that the agent is locally present in a local folder on the PC before installing. 5.3 Scanning via Local Agents Single Host Agents In this screen you can manage configurations and schedule scans for the hosts where the Agent is installed as a service in Single Host Mode. Double click a row to manage the configuration of the selected agent and change its settings (Inspection type, Check-in frequency, Days between scans). If you right-click on a host name and select 'Edit site configuration' you will be able to manage the configuration for all the hosts in that Site. The hosts scanned with the CSIA.exe will be grouped by Site. By default the domain name will be used as a Site name. To change a Site name, please refer to section 7.1 Sites. You can also specify a Site name when installing the agent, by using the -g parameter or by specifying a site name in the special parameters when creating the agent deployment package, 9.5 Agent Deployment Agent Download & Setup The Secunia CSI Agent (CSIA.exe) is a small, simple, customisable and extremely powerful Secunia CSI scan engine that offers a fully featured command line interface (CLI) to the Secunia CSI scanning functionality. This allows you to run CSI scans directly from the command line, to embed the Agent in a command script or to distribute it through WSUS/SCCM. Please refer to section 9.5 Agent Deployment to deploy the csia.exe through WSUS/SCCM, or check Appendix C: Deploying Agents on a Network via GPO, to get a better understanding of how to deploy the CSIA.exe via Group Policy. 13/45

14 The 'csia.exe' file is a customised executable, unique and private for your Secunia CSI account. This means that the CSIA.exe automatically links all scan results to your Secunia CSI account. Make sure that the agent is locally present in a local folder on the PC before installing. 5.4 Filter Scan Results This feature will allow you to filter your scan results, either by restricting/allowing the scanning to specific paths or by creating ignore rules that are applied to a scan after its completion Scan Paths This feature allows a user to specify Whitelist or Backlist paths. If using the Whitelist, the paths specified will be the only paths that will be investigated by the scanner. All other paths will be ignored. If using the Blacklist, the specified paths will be ignored and all other paths will be investigated by the scanner. Use this feature with caution. By using the Scan Path Rules some of your paths will be excluded from the scan. Thus, the Secunia CSI will not alert you towards excluded insecure programs, even if they potentially expose your hosts to security threats. It is not possible to simultaneous use both Blacklist and Whitelist Ignore Rules Through this feature the user can create and maintain 'Ignore Rules' for excluding specific content from results and reports. These ignore rules can be applied to backup directories or inactive programs. Once you have configured an 'Ignore Rule', press 'Save' to make the rule effective. The rule will be applied to all new scan results generated by the Secunia CSI. 6. Completed Scans This option gives you a complete list of all performed scans, including the result of those scans. The sorting of both lines and columns can be defined by the user, thus allowing the user to create the layout that best suits their needs. The column's position can be modified by dragging and dropping the selected column to the desired position. To see the details of a scan result, double click or right-click on an entry of the presented table. A new window similar to the one shown below will be displayed. 14/45

15 Programs matching the conditions defined in 'Filter Scan Results' will be excluded from scan results, meaning that the Secunia CSI will not provide information about insecure programs that are potentially exposing your IT environment to security threats. 7. Results 7.1 Sites This view will display all the Sites maintained within your account. You can easily double click a Site name to see its hosts. By rightclicking a Site you can change or view its hosts. Scanned hosts will be grouped in a Site with the same name as the domain they log on to. You can easily right-click a Site to change its name if you prefer to use a different naming standard. In this view you can also compare the performance of the different Sites over a specific time frame, by selecting which Sites you would like to see displayed in the Trend Reporting section. 7.2 Hosts This view will show all the hosts maintained within your account. Double click a host in the presented table to view additional details about the programs installed on that particular host, as well as the current security state of those programs. From this view you can easily move hosts to a new or existing Site by right-click the host name and choosing 'Edit Site'. A graph showing the evolution of the selected host will also be displayed. To generate a graph for more than one host, do a multiple selection of the hosts that you would like to view in the chart area (up to 15 hosts simultaneously). 15/45

16 7.3 Programs and Operating Systems By selecting 'Programs' or 'Operating Systems', you can easily see all the Programs or Operating Systems found through the CSI scans. For a matter of convenience the found software is sorted in accordance with its security status: Insecure, End-of-Life or Patched All In this screen you are presented with a list containing all the unique Programs / Operating Systems installed on the scanned hosts. Double click in any row to view a full report with extensive details about the actual hosts, versions, and security states Insecure This view lists all unique Insecure programs installed on the scanned hosts, including their criticality rating. Double click in any row to view a full report with extensive details about hosts, versions, and security states End-of-Life This view lists all unique End-of-Life programs installed on the scanned hosts, including their criticality rating. Double click in any row to view a full report with extensive details about the actual hosts, versions, and security states Patched This view lists all unique Patched programs installed on the scanned hosts. Double click in row to view a full report with extensive details about the actual hosts, versions and security states. 7.4 Categories This feature allows the user to create and manage software categories. By having different categories you can easily identify specific software that was found during the scans. To add a software product to a previously created category, simply drag and drop the product into the desired category. The categories created can be used to easily find specific products from the the scan results. To do so, go to 'Results-> Programs-> All' and select the category to filter the programs being listed. Based on the result of the filter you can now right-click and select 'View installations'. 16/45

17 8. Reports This section groups the Secunia CSI reporting features, namely the 'Dashboard', the 'Change Summary', the 'Generate Reports' and 'View Scheduled Reports'. In the next sections a more detailed explanation for each of these features will be given. 8.1 Dashboard The Dashboard is the main window of the CSI GUI that summarizes information collected by the Secunia CSI. The information presented in the dashboard can be customised in order to better suit the user's needs. This customisation is done by adding or deleting the available 'portlets'. Each 'portlet' provides specific information. To better manage the information presented in the Dashboard, a user can create several profiles. Each profile stores information about the 'portlets' being displayed - for convenience, a user can create and alternate between several dashboard profiles. For each dashboard profile created, a static URL is available. The user can use the static URL to publish the dashboard into another system simply by copying the Static Dashboard URL. 8.2 Change Summary This feature allows you to receive s containing a Change Summary that covers changes related to added/removed programs, updated programs, and insecure programs. 17/45

18 18/45

19 8.3 Generate Reports This feature contains a three step wizard to schedule report generation based on the state of all hosts and programs associated with your account at the time of generation Step 1 Choose the type of report. Step 2 Select which hosts or programs you would like to include in the report. If in the previous step you have selected the Executive Summary Report, step 2 is not applicable. Step 3 Select the report options (if any) that are specific to the type of report selected in step 1. Optionally you can also choose a file name that will be used to name the.pdf file containing the report. Select if you want to schedule the report and its recurrence and/or if you want the report to be ed as soon as possible. Specify the recipients for the report or select the address entered in 'Configuration-> Settings'. Once this is done, press the 'Schedule Report Generation' button. At any time you can go directly back to step 1 and start over by pressing the 'Return to step 1' button. Data entered without scheduling a report will not be saved or persist. All the reports available through this feature are provided in.pdf format and will be ed to the defined addresses in accordance with the schedule and recurrence specified. The s containing the.pdf reports will be sent from no-reply@secunia.com 19/45

20 8.4 View Scheduled Reports In this feature you can see all the report generation schedules that were set up. Right click on a given schedule to delete it from the database. The 'Reporting On' and ' Recipient List' fields may be long - in this event, you can mouse over the value to see the entire field. You can also remove any fields from the view if desired by click in a column name and selecting which fields should be added/removed. 9. Patch The following sections are dedicated to the Patch Management functionality available in the Secunia CSI. The features related to Patch Management are accessible from the tree Menu located on the left hand side by expanding the Patch section. 9.1 Create This feature shows programs that have Insecure or End-of-Life installations. To see the complete list of programs that should be patched, please clear the check box: 'Show only Insecure/End-of-Life programs for which update packages can be automatically created'. To create an update package, double click or right-click on the program you wish to update. The Create Update option will be displayed. If you choose to patch one of the greyed out products, a warning message will be displayed. These programs are greyed out because the vendor doesn't provide silent installation parameters. If you choose to proceed, you must provide the.msi/.msp/.exe file that will be used by the Secunia CSI to create and publish the update. This file should be a custom package that you have created. 20/45

21 In the Create Update window, select the installations you wish to update (use CTRL + mouse click for multiple selection). When finished, press the 'Next' button. In the next window you will be presented with the link to download the patch directly from the vendor's site. If you choose to patch a product for which the vendor has not provide the silent installation parameters, these will not be available. After downloading the patch, browse to the file that you have just downloaded. If you did not download the patch from the vendor, you should select the custom made package (.exe/.msi/.msp) that the Secunia CSI will repackage and publish to WSUS. After selecting the correct file, you can edit the silent installation parameters if you wish to. Press the 'Next' button to continue. In the next dialogue message you will have the opportunity to change the package name. If you wish to proceed, press 'Finish'. The created package will now be published to your WSUS server. Go to 'Available' from the menu on the left to view all published updates. 21/45

22 If using Microsoft System Center Configuration Manager (SCCM), the package created with the Secunia CSI will be available in your SCCM. In the example below the package created with the Secunia CSI is available in SCCM after running a synchronization at the 'Update Repository' level. The title of the update will include the criticality of the vulnerability addressed by that specific update. 9.2 Available In this screen you are presented with all the locally created packages that are available for your clients. Double click a package from the list below to view additional details about its status. Or right-click for more options, such as Approve, Decline or Delete. 22/45

23 9.3 Deployment In this screen you are presented with a host's information collected from the WSUS Server. By double clicking a host in the list you can view additional details about its 'Scan Result', 'Patch Information', 'Patches Available' and 'Overview'. Also, by right-clicking in a host listed in this view, you can perform actions such as: verifying the additional information stated above or 'Verify and Install Certificate', thus installing the required Certificate on the selected hosts. In order to successfully install certificates, make sure you have started the Secunia CSI with Domain Administrator privileges. In Vista, Windows7 or Windows 2008, this should be done by right-clicking on the CSI icon and selecting 'Run as administrator'. Also, note that the Remote Registry must be enabled on the hosts for which you intend to install the certificate using the CSI GUI. The WSUS Self-Signed certificate can also be installed through a Group Policy. Please check our online FAQ for detailed instructions. 23/45

24 9.4 Configuration In this section you can configure the integration of the Secunia CSI with your WSUS server(s). If you have a single WSUS server, which is connected to Microsoft Update, running the 'Configure Upstream Server' wizard will be sufficient for setting up the Secunia CSI with WSUS. If you have a WSUS server hierarchy with one or more Downstream WSUS server(s) connected to an Upstream WSUS server, please run the 'Configure Downstream Servers' after running the 'Configure Upstream Server' wizard. After pressing the 'Configure Upstream Server' button, a configuration wizard will be initiated. Follow the wizard steps to successfully configure the Secunia CSI with Microsoft WSUS Step 1 Connection Status In this section you should provide the relevant information (IP-address / DNS-name) regarding the WSUS server you wish to use. After inserting the necessary information, press 'Connect'. To check the status of the connection expand 'Step 1.Connection Status'. Please note that the port number used to connect to your WSUS depends on your settings. Ports 80 or 8530 are commonly used when SSL is not configured Step 2 Certificate Status Here you can create and install a WSUS Self-Signed Certificate in all appropriate certificate stores. A WSUS signing certificate is required to create and install local packages. Without it, only packages from Microsoft Update will be installed. 24/45

25 Click 'Automatically create and install certificate' to install the certificate in the appropriate certificate stores. The certificate will be installed on this system and on your WSUS server in the following stores: 1) "Trusted Root Certification Authorities" 2) "Trusted Publishers" Expand the 'Certificate Options' to have access to the import and export certificate features. If you would like to use your own certificate you can do so by using the Import Signing Certificate button. Please be aware that in order to import a certificate through the Secunia CSI, the WSUS connection must be configured to accept SSL connections Step 3 Group policy A Group Policy is required to distribute certificates and locally created packages, the Secunia CSI can easily create this GPO so the WSUS Signing Certificate is distributed to all clients. Please choose if either you use WSUS or SCCM, once this is done expand the Group Policy Options. If creating the CSI WSUS Group Policy for the first time, proceed by selecting all the options and then press the button 'Create Group Policy'. 25/45

26 It is also worth mentioning that the WSUS Self Signing Certificate must be installed in the following systems: WSUS Server (9.4.2 Step 2 Certificate Status) The system running CSI2 (9.4.2 Step 2 Certificate Status) Clients receiving the Updates (9.4.3 Step 3 Group policy) Besides distributing the certificates through the CSI WSUS GPO, it is also possible to install the certificate in the target computers by going to 'Patch-> Deployment', selecting the target computers where the certificate is to be installed (CRTL+ mouse click for multiple selection) and then right-click and select 'Verify and Install Certificate'. If you prefer to create your own Group Policy to distribute the WSUS Signing Certificate, please refer to our online FAQ. In case the user chooses to not create the CSI WSUS Group Policy the existing Windows Updates GPOs must be edited in accordance with section Setting Up Clients to Access WSUS of this document. Also make sure that the required certificates are properly installed in accordance with section Step 3 Group policy. If you use Microsoft SCCM please make sure you do not check the first option 'Use the WSUS Server specified in the CSI'. If you already have the Windows Updates being configured through a Group Policy, we suggest you check the first 3 options in the 'Create a new CSI WSUS Group Policy' window. Then the CSI WSUS Group Policy will be created but not linked to your domain. This way you can easily check the details of the newly created GPO and verify that the existing WSUS GPO's are correctly configured. 9.5 Agent Deployment If you choose to scan the target host by using the Secunia CSI Agent in Single Host Mode (recommended), you can easily distribute and install the agent by deploying it through WSUS. To start the CSI Agent Package wizard click 'Create CSI Agent Package'. In the wizard window, download the Secunia CSI Agent setup file by clicking in the link 'CSIASetup.exe'. Once the 'CSIASetup.exe' has been downloaded, locate the file using the 'Browse' button. The silent install parameters will be automatically included by the wizard. Additional parameters can be included by filling the correspondent fields. Click the 'Finish' button to create an installer package. 2 Note that the certificate must also be installed on the system running the CSI console. 26/45

27 After the package has been created, it will appear in the list of packages in 'Patch-> Available'. Right-click on the package name in order to manage it just like any other package created by the Secunia CSI. 10. Configuration This section is dedicated to the CSI Settings, the Suggest Software and Reset Password features Settings In this screen you are able to configure the Secunia CSI to fit your preferences, namely: The option to start the Secunia CSI automatically with the system start-up. Define the number of simultaneous scan threads. Please note that the number of simultaneous scan threads will not affect the scans being performed by the CSIA (Agent), since these scans are made locally by the agents. Specify the default address for the recipients receiving the reports. See section 8.3 Generate Reports. Manage the behaviour of the Windows Update Agent (WUA). The Secunia CSI will make use of the information gathered by the WUA when checking for missing Microsoft updates. 27/45

28 Be aware that this setting may affect your scan results, i.e. setting the WUA to use a WSUS that is not completely up to date may result in missing important updates information. If you wish to enable the CSI logging feature, which is useful when troubleshooting any issue that you may experience, please check the option 'Enable Logging'. In the event of a support request you send the log file together any other relevant information to CSC@secunia.com 10.2 Suggest Software Using the provided form you are able to send details about software that you would like to be added to the Secunia File Signature database, the same database used by the Secunia Corporate Software Inspector. Please note that it is important to enter as much information as possible, thus facilitating the processing and acceptance of your request. 28/45

29 10.3 Reset Password The form presented allows you to change your password with Secunia. Please note that passwords must be at least 8 characters in length. 11. Support 11.1 Manual & FAQ This feature provides information about available manuals and FAQs Microsoft WSUS This feature provides links where you can obtain more information about setup, installation, and general usage of Microsoft WSUS Changelog The Changelog feature provides information about the changes made to the Secunia CSI since the previous release. In this screen the user also has access to a link to the online forum. The forum can be used to post user's feedback. All feedback is most welcome! 11.4 Contact Information This feature provides the contact information if you need to contact Secunia. 29/45

30 12. Secunia Advisories 12.1 About Secunia advisories Explanation of terms used within Secunia advisories From (attack vector) From Local System Local system describes vulnerabilities where the attack vector requires that the attacker is a local user on the system. From Local Network From local network describes vulnerabilities where the attack vector requires that an attacker is situated on the same network as a vulnerable system (not necessarily a LAN). This category covers vulnerabilities in certain services (e. g. DHCP, RPC, administrative services etc. ), which should not be accessible from the Internet, but only from a local network and optionally a restricted set of external systems. From Remote From remote describes vulnerabilities where the attack vector does not require access to the system nor a local network. This category covers services which are acceptable to expose to the Internet (e. g., HTTP, HTTPS, SMTP) as well as client applications used on the Internet and certain vulnerabilities, where it is reasonable to assume that a security conscious user can be tricked into performing certain actions Criticality Extremely Critical (5 of 5): Typically used for remotely exploitable vulnerabilities that can lead to system compromise. Successful exploitation does not normally require any interaction and exploits are in the wild. These vulnerabilities can exist in services like FTP, HTTP, and SMTP or in certain client systems like programs or browsers. Highly Critical (4 of 5): Typically used for remotely exploitable vulnerabilities that can lead to system compromise. Successful exploitation does not normally require any interaction but there are no known exploits available at the time of disclosure. Such vulnerabilities can exist in services like FTP, HTTP, and SMTP or in client systems like programs or browsers. Moderately Critical (3 of 5): Typically used for remotely exploitable Denial of Service vulnerabilities against services like FTP, HTTP, and SMTP, and for vulnerabilities that allow system compromises but require user interaction. This rating is also used for vulnerabilities allowing system compromise on LANs in services like SMB, RPC, NFS, LPD and similar services that are not intended for use over the Internet. Less Critical (2 of 5): Typically used for cross-site scripting vulnerabilities and privilege escalation vulnerabilities. This rating is also used for vulnerabilities allowing exposure of sensitive data to local users. Not Critical (1 of 5): Typically used for very limited privilege escalation vulnerabilities and locally exploitable Denial of Service vulnerabilities. This rating is also used for non-sensitive system information disclosure vulnerabilities (e.g., remote disclosure of installation path of applications). 30/45

31 12.4 Impact Brute force Used in cases where an application or algorithm allows an attacker to guess passwords in an easy manner. Cross-Site Scripting Cross-Site Scripting vulnerabilities allow a third party to manipulate the content or behaviour of a web application in a user's browser, without compromising the underlying system. Different Cross-Site Scripting related vulnerabilities are also classified under this category, including 'script insertion' and 'cross-site request forgery'. Cross-Site Scripting vulnerabilities are often used against specific users of a website to steal their credentials or to conduct spoofing attacks. DoS (Denial of Service) This includes vulnerabilities ranging from excessive resource consumption (e.g., causing a system to use a lot of memory) to crashing an application or an entire system. Exposure of sensitive information Vulnerabilities where documents or credentials are leaked or can be revealed either locally or from remote. Exposure of System Information Vulnerabilities where excessive information about the system (e.g., version numbers, running services, installation paths, and similar) are exposed and can be revealed from remote and in some cases locally. Hijacking This covers vulnerabilities where a user session or a communication channel can be taken over by other users or remote attackers. Manipulation of Data This includes vulnerabilities where a user or a remote attacker can manipulate local data on a system, but not necessarily be able to gain escalated privileges or system access. The most frequent type of vulnerabilities with this impact are SQL-injection vulnerabilities, where a malicious user or person can manipulate SQL queries. Privilege Escalation This covers vulnerabilities where a user is able to conduct certain tasks with the privileges of other users or administrative users. This typically includes cases where a local user on a client or server system can gain access to the administrator or root account, thus taking full control of the system. Security Bypass This covers vulnerabilities or security issues where malicious users or people can bypass certain security mechanisms of the application. The actual impact varies significantly depending on the design and purpose of the affected application. Spoofing This covers various vulnerabilities where it is possible for malicious users or people to impersonate other users or systems. 31/45

32 System Access This covers vulnerabilities where malicious people are able to gain system access and execute arbitrary code with the privileges of a local user. Unknown Covers various weaknesses, security issues, and vulnerabilities not covered by the other impact types, or where the impact isn't known due to insufficient information from vendors and researchers Other Frequently Used Terms The term users generally refers to authenticated users to the operating system or the application affected. This includes anonymous users when talking about FTP and similar. The term people generally refers to people who are able to make network connections but who are not authenticated. 13. Technical Support Contact Secunia's security experts with any questions regarding advisories or vulnerabilities affecting your systems by opening a new support case. To do so, please send an to Secunia Customer Support Center: csc@secunia.com In order to have your questions answered as soon as possible, please first check our online FAQ located at 32/45

33 Appendix A: FAQ Q: The Secunia CSI seems to hang during start-up? A: You may need to add this entry to Internet Explorer Trusted Sites: or http(s)://your-server-ip If connecting through a proxy, please see Appendix B: Proxy Settings. Q: How do I deploy agents to all my hosts? A: Please refer to section 9.5 Agent Deployment or to Appendix C: Deploying Agents on a Network via GPO. Q: How do I get technical support? A: Support is available by , please send your questions/feedback/comments to csc@secunia.com. Q: How do I delete a Site? A: in order to delete a Site, the user can rename the existing or he can move the host into another site. When all hosts have been moved, the original Site will be automatically deleted. Q: How do I delete an IP address from a scan group? A: From the 'Scan Now' menu, click the relevant scan group, go to the Hosts & IPs tab and after selecting the IP to be deleted, press 'Delete Selected'. Q: Suggest Software does not work in IE8 A: This is most likely because or http(s)://your-server-ip needs to be in the trusted sites in IE. Q: The agents that I have installed are no longer checking in what happened? A: Make sure that you have installed the Agent with L switch, i.e., csia.exe -i -L If you are a member of a domain and you don't use the -L switch, the service will be installed with the user performing this action, thus granting the 'logon as a service' privilege. However, this privilege will usually get removed after the next GPO background refresh since domain policies will not allow it. This will cause the agent to stop working afterwards. Make sure that the agent is locally present in a local folder on the PC before installing. Q: I cannot download the CSI Agent 'csia.exe' even though I have added or http(s)://your-server-ip to my trusted sites. What to do? A: Verify that the following Internet Setting is not enabled: Internet Options-> Advanced (Scroll down to Security)-> (Uncheck 'Do not save encrypted pages to disk'). Q: I am not able to find my answer in this FAQ? A: Please check our online FAQ in porate/csi/faq40 which is more comprehensive and up-to-date. If still having problems, please contact us at CSC@Secunia.com Check our online FAQ at and find the most up to date and comprehensive information that will help you in getting answers to your questions. 33/45

34 Appendix B: Proxy Settings CSI GUI/console through proxy The Secunia CSI uses Internet Explorer proxy settings only. Set these by opening Internet Explorer and select 'Tools-> Internet Options-> Connections-> LAN Settings-> Proxy Server'. Agents Through Proxy Generally the agent will inherit proxy settings from Internet Explorer. However, depending on the proxy server and authentication mechanism used, you may have to perform one of the following actions: To produce a help screen showing proxy settings: csia.exe -h To specify only proxy setting from the command line: csia.exe -i -R account@company.com -x proxy:port To specify proxy settings with user authentication from the command line: csia.exe -i -R account@company.com -x proxy:port -U username:password 34/45

35 Appendix C: Deploying Agents on a Network via GPO The CSI agent can be easily deployed via an AD Group Policy Object definition, controlling a common logon script. Shown below are examples of a GPO and logon/start-up script, which must both be adapted to your specific needs. Example of a Logon Script csiadeploy.bat Generally you can create a file for deploying the CSI Agent (csia.exe) through a common logon script that will install the csia.exe on the PCs at logon, unless the agent is already installed. Save the below content in a file named off if EXIST c:\program Files\Secunia\CSI\csia.exe GOTO end if not EXIST c:\program Files\Secunia\CSI\ md c:\program Files\Secunia\CSI\ copy %LOGONSERVER%\NETLOGON\csia.exe c:\program Files\Secunia\CSI\csia.exe c:\program Files\Secunia\CSI\csia.exe -i -L :end In the above example the file csia.exe is placed on a network-mount with the only purpose of being copied and locally present in a local folder of the target PC where is supposed to be installed. To install csia.exe as a service make sure the file is locally present on the target computer. If changing the csia.exe install path, never install it where users have write access as this may result in privilege escalation. Often used options/switches Producing a help page: csia.exe -h For installing the agent: csia.exe -i -L For use with proxy, no credentials: csia.exe -i -R account@company.com -x proxyip:port For use with proxy, using credentials: csia.exe -i -R account@company.com -x proxyip:port -U username:password For adhoc scan: csia.exe -c -L 35/45

36 Creating a controlling AD GPO Step 1: Open the GPO Policy Management Editor to create a GPO in your domain: Step 2: Create a group policy (GPO) in your domain named CSIagent-deploy. 36/45

37 Step 3: Right click the created GPO and select Edit-> CSIagent-deploy (the GPO that was created in the previous step) to add the script. Expand User Configuration-> Windows Settings-> right-click Logon ->Properties Step 4: In Logon Properties click Show Files and drag and drop the csiadeploy.bat file. Note: In this example the file used is the same file that was mentioned in the beginning of this Appendix. A different file may be used in accordance with the user preferences. In Logon Properties select 'Add' and click 'Browse' to add the csiadeploy.bat file. 37/45

38 Step 5 : Apply for adding the file. Step 6 : Verify the created GPO by clicking in CSIagent-deploy-> Settings-> Expand Logon Test the created GPO by doing a Logoff/Logon with a computer that connects to your ADdomain, after the Logon the CSIA.exe should be installed on the computer being used. A service named Secunia CSI Agent should now be running on the computer. 38/45

39 Appendix D: Setup Examples CSI - Your CSI graphical user interface. CSI-Agent - The csia.exe installed in Agent mode. CSI-Appliance mode - The csia.exe installed in Network Appliance mode. 39/45

40 Appendix E: Install the WSUS Administration Console Depending on the previous installation on the machine installing 'Visual C runtime' and/or 'Microsoft.NET runtime V2.0 SP2 for x86 CPUs' might be necessary. Start installation of WSUS 3.0 SP2. When prompted select 'Administration Console only' Approve all default settings and finish the installation. 40/45

41 Appendix F: User Management The User Management feature is not part of the default Secunia CSI configuration. Through this feature the CSI main account is able to create other CSI accounts. For illustration purposes consider the following diagram representing a decentralized team responsible for identifying, assessing and patching vulnerabilities. Your Account EMEA ASIA PAC Read/Write USA Read Shadow Account Read LATAM This organization can be mapped into the Secunia CSI by creating several user accounts, as in the picture below: To create a new user account, press the button 'New account' and filling the form, providing all the necessary details about the user. To delegate the administration of one account to another account, in this case USA->LATAM, the USA account must be created with the setting 'User Type: Administrator with 1 account' and the LATAM account must be created with 'Administrator: USA'. When done, press the 'Submit Form'. An will be sent to the user address containing a welcome message and the login credentials to the Secunia CSI. A shadow account can be created in same way a normal account is created. This type of account is able to logon and access the information of a normal account (i.e., for audit purposes or to avoid sharing credentials). When creating a shadow account you can specify the type of access (R/RW). The Administrator account is able to access information from any specific account for which it is responsible. To do so, press the button 'Imitate user' and select the account you would like to access. The data being displayed will be the data of the account that you have chosen to imitate. To return to your account, press 'Imitate User' and select 'Your Account'. If you would like to have the User Management feature enabled in your Secunia CSI, please contact your Secunia Sales Representative. 41/45