Dell KACE K1000 System Management Appliance Version 5.4. Patching and Security Guide

Transcription

1 Dell KACE K1000 System Management Appliance Version 5.4 Patching and Security Guide October 2012

2 Dell Inc. All rights reserved. Reproduction of these materials in any manner whatsoever without the written permission of Dell Inc. is strictly forbidden. Dell and the DELL logo are trademarks of Dell Inc. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Dell Inc. disclaims any proprietary interest in trademarks and trade names other than its own. 2 Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

3 Contents 1 Introduction to the Patch Management Component 7 About the Patch Management component Patching workflow About patch signature files About patch packages About patch testing and security About the patch testing environment About assessment testing About deployment testing Best practices for patching Review patches before deploying them Test patches before deploying them Use labels to organize machines and patches Use either Windows Update or the K1000 to patch Windows operating systems Minimize downtime during patching Notify users when machines are being patched Set time limits on patching jobs to reduce impact on users Use Replication Shares to optimize network resources Find information on the Dell KACE Knowledge Base Use ITNinja.com to connect with other IT professionals Subscribing to and Downloading Patches 15 About patch subscription and downloads Applications that the K1000 is contracted to support Overview of first-time patch-subscription workflow Gathering information about installed operating systems and applications Subscribing to patches Selecting patch download settings Viewing available patches Viewing patch download status Creating and Managing Patching Schedules 25 About scheduling critical OS patches for desktops and servers Workflow for critical OS patches for desktops and servers About scheduling critical patches for laptops Workflow for critical patches for laptops About scheduling non-critical patches About using Smart Labels for patching Creating Smart Labels for patches Creating a Smart Label for critical OS patches Creating a Smart Label for new patches Creating Smart Labels for machines Creating a Smart Label for desktops Creating a Smart Label for servers Creating a Smart Label for laptops Creating patch schedules Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 3

4 Contents Editing patch schedules Monitoring patching status Viewing patch status Viewing patch status by machine Searching for individual packages within patches Viewing patch reports Viewing unscheduled patches Managing patch rollbacks Determining whether a patch can be rolled back Undoing the last patching job Managing Patch Inventory 49 Prerequisites Viewing the Patch Listing page Information on the Patch Listing page Patch status Detection and deployment status Patch Cache Size Marking patches as inactive Hiding patches that do not meet subscription criteria Viewing patch information for computers in Inventory Viewing patching statistics Viewing the patch log Deploying and Managing the Dell KACE Secure Browser 55 About Dell KACE Secure Browser Available versions of Secure Browser System software requirements Manually downloading and installing Secure Browser Downloading and distributing Secure Browser from the appliance Adding Secure Browser to the Software Library Creating a Secure Browser Software Library item Managing Secure Browser Using the K Exporting the Isolation Configuration file Generating a custom Secure Browser MSI package Centrally managing Secure Browser settings Controlling when users can use Secure Browser Controlling which websites users can visit Restoring Secure Browser to its original configuration Shutting down Secure Browser on a managed machine Additional resources Using OVAL Security Features 69 Using OVAL security checks Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

5 Contents Understanding OVAL definitions Viewing OVAL definitions About OVAL test definitions Running OVAL tests Using labels to restrict OVAL tests Understanding OVAL updates Configuring OVAL Settings Specifying OVAL settings Using the Vulnerability Report Accessing OVAL vulnerability reports Applying a label to affected machines Viewing OVAL Computer Reports Accessing OVAL Computer Reports Creating security policies Creating Windows-based security policies Creating Enforce Internet Explorer Settings scripts Creating Enforce XP SP3 Firewall Settings scripts Creating Enforce Disallowed Programs Settings scripts Creating Enforce McAfee AntiVirus Settings scripts Configuring McAfeeSuperDAT Updater scripts Creating Enforce Symantec AntiVirus Settings scripts Creating Quarantine Policy scripts Creating the Lift Quarantine Action scripts Creating Mac OS-based security policies Creating Enforce Firewall Settings scripts Creating Enforce Parental Controls scripts Creating Enforce Security Settings scripts Using SCAP 89 Overview SCAP supported platforms Definitions More about SCAP (Secure Content Automation Protocol) About benchmarks How a SCAP scan works Overview of the SCAP Scan tab Viewing benchmarks Importing and loading a benchmark SCAP scan scheduling Editing a SCAP scan schedule Viewing the resolved XCCDF files Viewing the OVAL timestamp Viewing script tasks SCAP scan results Getting the Benchmark archive Accessing the benchmark archive Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 5

6 Contents Index Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

7 1 Introduction to the Patch Management Component This section provides an overview of the K1000 Management Appliance Patch Management component. Topics in this section: About the Patch Management component on page 7 Patching workflow on page 7 About patch signature files on page 8 About patch packages on page 9 About patch testing and security on page 9 Best practices for patching on page 10 About the Patch Management component The Patch Management component enables you to detect and deploy the latest important security patches and software updates to the Windows and Macintosh machines you manage. This increases security and protects your machines and network from vulnerabilities. The Patch Management component is supported on machines running Windows and Macintosh operating systems only. Patch Management is not available for machines running Linux operating systems. Patching workflow The patching workflow includes these tasks: 1. Subscribing to the patches that you want to download. If the Organization component is installed on your appliance, you set subscription settings for each organization separately. Additional workflow details are available for first-time patch subscription. See Subscribing to patches on page Selecting patch download settings on the K1000 Settings: Patching See Selecting patch download settings on page Creating Smart Labels to group machines for patching and patches for deployment. See Creating Smart Labels for patches on page 28. Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 7

8 1 Introduction to the Patch Management Component 4. Creating patching schedules to detect and deploy packages. If the Organization component is installed on your appliance, you create patch schedules for each organization separately. See Creating patch schedules on page 33. Figure 1-1 illustrates this workflow. Figure 1-1: Patching workflow Signature files for patches you subscribe to are downloaded to the appliance from Lumension. Patch packages are downloaded from Lumension and from software vendors. Smart Labels group the downloaded patches. Smart Labels select machines to patch. Machines that need the patch are detected according to a schedule.? Patches are deployed to machines according to a schedule. About patch signature files Patch signature files include the security bulletins and other files that define patches; they do not include the patch packages that are used to install patches. Patch signature files are downloaded from Lumension according to the subscription and download options you select. For more information on downloading patch signature files, see Selecting patch download settings on page Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

9 Introduction to the Patch Management Component 1 About patch packages Patch packages are the files required to install patches. Patch packages are downloaded from Lumension according to the subscription and download options you select. In some cases, patch packages are also downloaded directly from vendors, such as Microsoft and Adobe. There are two options for downloading patch packages: Downloading only those patches that you need: You can choose to download only those packages that have been detected as required by machines you manage. This reduces download time and disk space, because the appliance downloads only those packages that are detected as required. In addition, you can choose to automatically remove patches after a specified period of time if detect results show that they are not needed. Maintaining a full cache of patches: You can choose to maintain a full cache of packages regardless of whether they are required by the machines you manage or not. This keeps packages available for quick deployment, but it requires more download time and disk space than downloading only those packages that you need. For more information about package download options, see Selecting patch download settings on page 20. About patch testing and security Dell KACE partners with Lumension Security, Inc. to provide safe, timely, and high-quality patch signatures for all major operating systems and many popular applications. Before patch signatures are made available to the appliance, Lumension performs the following security checks: Verification of patch metadata produced by each content development team. Validation of patch installation and uninstallation processes. Confirmation that the patch does not disrupt the stability of the targeted operating systems and applications. In addition, Dell KACE performs sanity checks on patch feeds after Lumension security checks are complete. For more information, search for Lumension at About the patch testing environment Built-in Lumension security uses VMware ESX, vcenter Lab Manager, and custom hardware bench testing. Testing methods include: Verification that patch-naming conventions comply with Lumension policy. Verification that patch content supports the replication process. Each patch created by the content team is validated with the Symantec Ghost Solution Suite distribution and Update Server products. Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 9

10 1 Introduction to the Patch Management Component About assessment testing Assessment testing verifies that: An applicable non-patched machine shows as applicable and not patched. A patched machine shows as installed and not applicable. No false positives exist in the detection of the digital fingerprint. Patch content is compliant with mandatory baselines. Vulnerability is correctly displayed in the Update Server. All Smart Label, filtering, sorting, and other visual features are functioning properly. About deployment testing Deployment testing verifies that: The package is deployable. The suppress-reboot functionality works. The uninstallation functionality works. On-demand package caching works. Automatic deployment scheduling works. Agent package download works. CRC checksum ensures package integrity. The Agent automatically runs assessment after patch deployment. The Agent restarts automatically after reboot. Best practices for patching Dell KACE recommends the following best practices for patching. Review patches before deploying them Review new patches before you deploy them to machines. Create a filter to display new active patches that have been downloaded to the K1000 Management Appliance within a specific time period. For instructions, search for article 814 on the Dell KACE Knowledge Base Test patches before deploying them Test patches on selected machines before deploying them to all machines. This ensures that patches do not break anything before they are widely deployed. When choosing test machines, look for these characteristics: 10 Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

11 Introduction to the Patch Management Component 1 Machines whose users are technically sophisticated and can communicate problems effectively. Machines that have access to the systems and software that reflect the working environment. For a thorough test, machines should function normally for at least a week after being patched. If no problems are reported after a week, the patch can be deployed to the remaining machines on the network. Use labels to organize machines and patches You can use Smart Labels to automatically group machines by type, such as laptop, desktop, and server. In addition, you can use Smart Labels to automatically group patches by importance, such as critical operating system patches and lower priority patches for other applications. You can then create patching schedules to match each type of machine and patch. For more information, see: Creating Smart Labels for patches on page 28 Creating and Managing Patching Schedules on page 25. Use either Windows Update or the K1000 to patch Windows operating systems There are two options for patching Windows operating systems on managed machines: Use Windows Update: Windows Update is a Microsoft feature that downloads and installs updates to Windows operating systems. If you enable Windows Update on managed machines, use the K1000 Patch Management component only to detect Windows operating system patches, not to deploy them. Patches will be deployed by Windows Update. Use the K1000: You can download and deploy patches for Windows operating systems using the K1000 Patch Management component. If you do this, disable Windows Update on managed machines, because patches will be deployed by the K1000. The K1000 appliance enables you to create a policy that specifies whether or not managed machines use Windows Update. For more information, see the Scripting section of the K1000 Administrator Guide. Minimize downtime during patching Schedule patch deployment during periods when machine use is lower to minimize downtime. Keep in mind that machine use varies depending on the machine type: Servers: These require careful and well-publicized upgrades. When patching servers, you might need to plan ahead by several weeks. Desktops: These have more flexible options for patching because they are often left running when they are not in use. Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 11

12 1 Introduction to the Patch Management Component Laptops: These are the most difficult to patch because they are often only available to patch while being used. For more information about creating patch schedules for each type of machine, see: About scheduling critical OS patches for desktops and servers on page 25 About scheduling critical patches for laptops on page 26 Notify users when machines are being patched Be sure to notify users when the machines they use are being patched. This is especially important if machines need to be restarted as part of the patching process. There are several ways to inform users of patching schedules: Send or use other messaging systems: Notify users in advance through and other messaging systems outside the appliance Administrator Interface. This is especially useful when patching might prevent access to critical systems, such as servers, for a period of time. Send an alert message from the appliance: Use the appliance Administrator Interface to create an alert and broadcast it to all machines or to selected machines. These alerts can be used to remind users that patching is about to start. For more information on creating alerts, see the reporting section of the K1000 Administrator Guide. Provide alerts during patching: When you schedule patching, choose to alert users before patching, and prompt users before rebooting their machines. You can also enable users to snooze or postpone reboots if necessary. For more information, see Creating patch schedules on page 33. For more information about scheduling patching for various machines, see: About scheduling critical OS patches for desktops and servers on page 25 About scheduling critical patches for laptops on page 26 Set time limits on patching jobs to reduce impact on users Patching jobs can require extensive bandwidth and resources. To reduce the impact on users, you can set time limits on patching jobs. For example, you could configure patching jobs to start at 4:00 AM and stop at 7:00 AM. Any patching jobs that are in progress at 7:00 AM are suspended. Jobs resume where they left off when the next scheduled patching job begins. For more information, see Creating patch schedules on page 33. Use Replication Shares to optimize network resources Use Replication Shares to optimize network resource requirements and download time. Replication Shares are machines that keep copies of files for distribution, which can be useful for K1000 client machines that are deployed across multiple geographic locations. For example, using a Replication Share, a machine in New York could download patch files from another machine at the same office, rather than downloading those files from a K1000 in Los 12 Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

13 Introduction to the Patch Management Component 1 Angeles. For more information on setting up and using Replication Shares, see the K1000 Administrator Guide. Find information on the Dell KACE Knowledge Base Dell KACE has a Knowledge Base of articles about the K1000 Management Appliance, which you can access at The Knowledge Base is continually updated with solutions to real-world K1000 Management Appliance problems that administrators encounter. To view patching articles, go to the Knowledge Base and search for Security. Use ITNinja.com to connect with other IT professionals Sponsored by Dell KACE, ITNinja.com (formerly AppDeploy.com) is a product-agnostic ITfocused community website. It is the Internet s leading destination for IT professionals to share information and ask questions about system-management related topics. The website provides a question and answer section, a blogging platform, and integration with the K1000 Management Appliance through AppDeploy Live. Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 13

14 1 Introduction to the Patch Management Component 14 Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

15 2 Subscribing to and Downloading Patches This section explains how to subscribe to patches and schedule patch downloads to the appliance. About patch subscription and downloads on page 15 Overview of first-time patch-subscription workflow on page 16 Gathering information about installed operating systems and applications on page 17 Subscribing to patches on page 17 Selecting patch download settings on page 20 Viewing available patches on page 23 Viewing patch download status on page 24 About patch subscription and downloads Patch subscription is the process of selecting the operating systems and applications for which you want to receive patches. If the Organization component is enabled on your appliance, you select subscription settings for each organization separately. After you subscribe to patches, the K1000 Management Appliance downloads them according to the schedule you set for the appliance. When patches are downloaded, you can test and deploy them. You can choose to automatically deploy patches as well, but this is recommended for low-risk or timeimportant patches only. For more information, see: Selecting patch download settings on page 20. Creating Smart Labels for patches on page 28. Applications that the K1000 is contracted to support Dell KACE has contractual agreements with the following software vendors for downloading patches to the K1000 Management Appliance: Adobe Acrobat and Reader software The Symantec family of Norton antivirus software Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 15

16 2 Subscribing to and Downloading Patches The McAfee family of antivirus software Mozilla Firefox The Machine Associates etrust family of antivirus software Microsoft Office applications Apple applications, such as QuickTime, itunes, and ilife software Applications in Java environments TrendMicro applications Overview of first-time patch-subscription workflow Patch detection signatures and patch packages are not downloaded to the appliance by default; you must subscribe to the patches you want and then schedule a time to download them. To save network bandwidth and disk space, Dell KACE recommends that you download patch definition signatures first because they are much smaller in size than patch packages. Then you can detect the patches that you need, and select the download settings that work best for your network. This is the first-time patch-subscription workflow: 1. Gather information: Identify the operating systems, language packages, and applications installed on machines you manage so that you know what you need to subscribe to. You can find this information on the appliance Summary page as well as by running reports. See Gathering information about installed operating systems and applications on page Select initial patch subscription settings: Subscribe to the operating systems and languages required by the machines you manage. See Subscribing to patches on page Download patch detection signatures: Patch detection signatures are smaller files that can be downloaded quickly and do not require much disk space. Download the patch detection signatures of the patches you subscribe to. This enables you to view available patches and identify the patch packages you want to download later. See Selecting patch download settings on page Run a detect-only patching job: Schedule a Detect-only patching job to identify the patches required by machines you manage. This is a one-time operation that shows how large the first patching job is going to be and indicates how to allocate resources based on system availability for patch installations and reboots. To do this, create a patching schedule that detects patches on all machines. See Creating patch schedules on page Select patch package download settings: After you have identified the patch packages that you need, set a time for package downloads to occur. See Selecting patch download settings on page Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

17 Subscribing to and Downloading Patches 2 Gathering information about installed operating systems and applications Before you subscribe to patches, gather information about the operating systems, language packages, and software installed on machines you manage so that you know what you need to subscribe to. To gather information about installed operating systems and applications 2. Click Home. The K1000 Summary page appears. 3. Scroll to the bottom of the Summary page, then click View Details. The K1000 Summary Details page appears. The Computer Statistics table shows the operating systems of managed machines. 4. In the Software Statistics table, click Software Titles. The appliance runs a report that displays the software installed on managed machines. For more information on running reports, see the reporting section of the K1000 Administrator Guide. Subscribing to patches Subscribe to patches and configure download settings as described in this section. Before you subscribe to and download patches, identify the operating systems and applications installed on machines you manage, and verify patching requirements. For more information, see Overview of first-time patch-subscription workflow on page 16. To subscribe to patches 2. Click Security. The Patch Management page appears. 3. Click Subscription Settings. The K1000 Settings: Patch Subscription page appears. 4. Click Edit Mode. Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 17

18 2 Subscribing to and Downloading Patches 5. Select the operating systems of the machines you manage. The following example shows all the Windows Vista, Windows XP operating systems selected. Current Platforms updates after you save the settings. 6. Specify the following settings: Option Languages Download Application Patches Description The languages of the machines that you manage. To select multiple languages, press the Ctrl or Command key then click the languages you want to select. (Optional) Include software patches and OS patches in your subscription. Note: Some application patches have the ability to install applications on machines as well as update applications that are already installed on machines. To prevent the application from being installed on machines that do not already have it, you can create a Smart Label to identify machines that have the application. You can then use that label to schedule patch deployment and apply the patch only to machines that already have the application installed. 18 Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

19 Subscribing to and Downloading Patches 2 Option Include Software Installers Limit Patch Download to Selected Labels Hide Disabled Patches on Patch Listing Allow Detect of Disabled Patches Automatically Inactivate All New Patches Automatically Inactivate Superseded Patches Description (Optional) Subscribe to software installers in addition to application updates. Software installers are used to deploy applications to any machine regardless of whether an earlier version installed. If you want to deploy application updates only to machines that already have the application installed, do not select this option. If you subscribe to software installers, you might want to: Exclude these patches from other patching labels Create a separate set of labels and patch schedules to selectively deploy certain applications using the full installers. On the Patch Listing page, the word Software appears in the Impact column for software installers. For application updates that do not include installers, the word Critical or Recommended appears in the Impact column. (Optional) Download only those patches that match the selected labels. This is important if disk space is limited; if the total disk space required for selected patches exceeds the space available on the K1000, patches cannot be downloaded. Note: If the appliance runs out of disk space, the message, No space available appears when you click Update Patching in the Update Patches from KACE section. (Optional) Prevent disabled patches, which are patches that do not meet the platform, language, label and other subscription criteria, from being displayed on the Patch Listing (Optional) Enable the appliance to identify disabled patches when it runs a Detect job. If this option is selected, the signatures for disabled patches are downloaded for detection purposes only. Patches cannot be deployed unless they meet subscription criteria. (Optional) Mark new patches as Inactive. This prevents patches from being deployed automatically, and enables you to test patches before they are deployed. If this option is not selected, patches that match a Deploy schedule are automatically deployed. (Optional) Mark superseded patches with a red X on the Patch Listing Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 19

20 2 Subscribing to and Downloading Patches 7. Click Save. The selected operating systems and languages appear in bold below the selection fields. Selected patches are downloaded automatically at the next scheduled download time. After the next download, patches that were previously downloaded, but that were identified on the Patch Listing page with a gray X because they did not match subscription settings, appear with a red X if they now match subscription settings. Selecting patch download settings The patches you subscribe to are downloaded to the appliance according to the settings you choose. Be aware that the first patch download might use a large amount of network bandwidth. This section explains how to schedule patch downloads. To schedule patch detection and deployment for the machines you manage, see Creating and Managing Patching Schedules on page 25. To schedule patch downloads 1. If the Organization component is enabled on the appliance, select System in the dropdown list in the top-right corner of the page, then click K1000 Settings. Otherwise, click Settings. The K1000 Settings: Control Panel page appears. 2. Click Patch Settings. The K1000 Settings: Patching page appears. 3. Click Edit Mode. 4. Select Download New Patch Signatures options. Patch signatures include the security bulletins and other files that define patches downloaded from Lumension. Option Disable download of patch detection signatures Download every Description Prevent the downloading of patch signatures. Select day to download patch detection signatures every day, or select a day of the week to download once a week. Select the time to start the download. Time is displayed in 24-hour clock format, where 1 is 1:00 AM and 23 is 11:00 PM. Note: When setting up patch downloads, timing is important. The appliance activity log is created at 12:30 AM, and maintenance tasks occur between 1:00 and 1:30 AM. Dell KACE recommends that you schedule patch downloads to occur after the log and maintenance tasks are complete, which is about 3:00 AM. 20 Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

21 Subscribing to and Downloading Patches 2 Option Download on the nth of Every Month or on a Specific Month at HH:MM AM/PM Description Select the day of the month to download patch detection signatures on a monthly basis. 5. Select Package Download Options. Packages include the installers that are required to install the patches, and they are downloaded directly from vendors such as Microsoft and Adobe. Option Disable download of patch deployment packages Maintain full cache of subscribed packages on K1000 Determine packages to download using detect results Description Prevent the downloading of patch packages. Maintain a full cache of subscribed packages on your K1000 Management Appliance. This downloads all deployment packages to which you subscribe without verifying that your environment actually needs them. It is important for some environments to maintain a full cache. For example, if you select the Offline Target or Online Source option in step 8 below, full caching is required. For more information about subscription settings, see Subscribing to patches on page 17. Allow the appliance to determine which packages to download based on the results of Detect jobs. If a patch detection signature has been detected as Not Patched on any managed machine, the patch package is downloaded. If no managed machines are detected as Not Patched, no packages for this patch are downloaded. 6. In the Package Download Schedule section, select one of the following: Option Run after signature download Run every Description Download packages after the signatures have been downloaded. This option is not available if package download is disabled in the Package Download Options section. Specify the frequency with which signatures and packages are downloaded. This option is available only if Determine packages to download using detect results in the Package Download Options section is selected. Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 21

22 2 Subscribing to and Downloading Patches 7. In the Stop Download Of Patches section, select one of the following: Option Allow download of patches to complete Do not download patches between Description Allow downloads to complete no matter how long it takes. If you select this option, the appliance continues downloading patches until the download process is complete. In addition, the appliance performs validation checks and downloads required patch detection signatures and packages, as specified by detect results and package download settings. Specify a time period during which patch detection signatures cannot be downloaded. For example, use an early morning stop time to prevent the process from using a large amount of network bandwidth during working hours. If you select this option, the appliance stops patch downloads at the specified time. It does not start patch downloads again until the next specified patch download time. When the download resumes, it starts up where it left off. Downloads that are incomplete might not appear on the Patch Listing 8. Select Offline Update Options to specify what to do if your K1000 Management Appliance is offline when the update process is scheduled to start. Option Not Enabled Offline Target Online Source Description Whether Offline Update Options are enabled or disabled. Select this option if the appliance is connected to the Internet and can download patches directly. The Offline Target to use if the appliance is not connected to the Internet and you want to upload the patch files from a local directory. If you have a K1000 appliance that is connected to the Internet, you can configure that appliance as an Offline Source. Then you can manually copy the patch files from the Offline Source Patches file share to the following directory on the Offline Target: \\k1000_host\patches. Whether the appliance is used as a source for a different appliance. When this option is selected, patch files are downloaded to the appliance s Patches file share. 9. Specify the following settings: Option Update Patches from KACE Description Click Update Patching to immediately download the patches to which you have subscribed, regardless of the schedule. 22 Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

23 Subscribing to and Downloading Patches 2 Option Delete All Patch files Cache Cleanup Options Automatically purge unused patches from cache after: days Description Click Delete All Patch Files to immediately remove all patch files from the appliance. This can be useful if you no longer need any patches and you want to quickly reclaim the disk space they used. Purge Active patches that have been detected as not patched and that have not been deployed in the specified number of days. This helps to reduce the amount of disk space required for patches on the appliance. Note: Inactive and Disabled patches are automatically removed from the cache when the patch download runs. 10. Click Save Patch Settings. Viewing available patches After you have downloaded patch detection signatures, you can review the available patches and set appropriate patch download filters to download only the patches you need. For example, you might have only one antivirus application installed on your network, so you do not need patches from both McAfee and Symantec. In the subscription settings, you could exclude one or the other. To view available patches 2. Click Security. The Patch Management page appears. 3. Click Patch Listing. The Patch Listing page appears. 4. To search for patches, click the Advanced Search tab above the list on the right. The Advanced Search panel appears. 5. In the Patch Type menu, select Application. 6. Click Search. Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 23

24 2 Subscribing to and Downloading Patches Viewing patch download status After you have scheduled patch downloads you can view download status. To view patch download status 2. Click Security. The Patch Management page appears. 3. Click Patch Listing. The Patch Listing page appears. 4. Do one of the following: In the View by drop-down list in the top-right corner of the page, select Download Status > Downloaded or Download Status > Not Downloaded. Click the Advanced Search tab above the list on the right, then use the Download Status drop-down list to search. For more information, see Patch status on page Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

25 3 Creating and Managing Patching Schedules This section describes how to manage patching schedules that detect, deploy, and rollback patches to which you subscribe. For information on subscribing to patches, see Subscribing to and Downloading Patches on page 15. Topics in this section: About scheduling critical OS patches for desktops and servers on page 25 About scheduling critical patches for laptops on page 26 About scheduling non-critical patches on page 27 About using Smart Labels for patching on page 27 Creating Smart Labels for patches on page 28 Creating Smart Labels for machines on page 30 Creating patch schedules on page 33 Editing patch schedules on page 43 Monitoring patching status on page 44 Viewing patch reports on page 45 Viewing unscheduled patches on page 45 Managing patch rollbacks on page 46 About scheduling critical OS patches for desktops and servers This section explains how to automatically install critical OS patches on desktops and servers. Desktops are usually less crucial than servers and less mobile than laptops, so it is easier to schedule a time to patch them. Usually, you can schedule routine updates for the early morning hours before users arrive. Servers run critical services that your organization requires. Schedule patching for servers in advance and warn users of the temporary service outages that patching requires. Push server patches in the early morning hours or other times when the fewest number of users require the server resources. Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 25

26 3 Creating and Managing Patching Schedules Workflow for critical OS patches for desktops and servers Identify desktops: Create a Smart Label that identifies all machines that are desktops. This excludes servers and laptops. See Creating a Smart Label for desktops on page 30. Identify servers: Create a Smart Label that identifies all servers. Creating a Smart Label for desktops on page 30. Identify critical OS patches: Create a Smart Label that identifies all critical OS patches. See Creating a Smart Label for critical OS patches on page 28. Schedule detect and deploy actions: Schedule a detect and deploy job that identifies whether the machines in the Smart Label need to be updated, deploys critical patches to them, and forces a reboot if required. See Creating patch schedules on page 33. Deploy patches individually to servers: Schedule a job that deploys patches to servers as needed. See Creating patch schedules on page 33. Notify users: When you schedule patching, be sure to notify users of the schedule so that they know when the machines they use are being patched. This is especially important if machines need to be restarted and might be unavailable as part of the patching process. You can notify users by sending and other messaging services outside the appliance Administrator Interface. For more information, see Notify users when machines are being patched on page 12. About scheduling critical patches for laptops Because laptops are often powered off or disconnected from the network, it can be difficult to find a good time to patch them. The two most popular choices for patching laptops are at the start of the business day or during lunch time. Most Dell KACE customers patch laptops using two schedules, one for detecting and one for deploying. Workflow for critical patches for laptops To set up automatic detect and deploy actions: Identify critical patches: Create a patch Smart Label to automatically identify critical patches for laptops. See Creating Smart Labels for patches on page 28. Schedule Detect actions: Create and run a schedule to periodically detect critical patches on laptops. See Creating patch schedules on page 33. Schedule Deploy actions: Create and run a schedule to periodically deploy critical patches on laptops. See Creating patch schedules on page 33. Check patching status: Periodically check patching status using reports and the patch. See Viewing unscheduled patches on page 45. Notify users: Notify users of the patching schedule. 26 Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

27 Creating and Managing Patching Schedules 3 About scheduling non-critical patches To schedule non-critical patches: Detect patches: Create a patching schedule to detect patches on all machines to determine the size of the patching job. See Creating patch schedules on page 33. Inactivate patches: If there are patches you do not want to deploy, mark them as Inactive. Test patches: Create a schedule to detect and deploy patches to your test machines. See Creating patch schedules on page 33. Identify patches for desktops and servers: Create a patch Smart Label to automatically capture the patches to deploy on servers. See Creating Smart Labels for patches on page 28. Detect and deploy desktop and server patches (see Creating patch schedules on page 33): Create a schedule to periodically detect and deploy patches on your desktops. Create a schedule to periodically detect and deploy patches on your servers. Detect and deploy laptop patches (see Creating patch schedules on page 33): Create a schedule to periodically detect patches on your laptops. Create a schedule to periodically deploy patches on your laptops. Check patching status: Periodically check the patching status. See Monitoring patching status on page 44. About using Smart Labels for patching Smart Labels are a type of label that can be applied and removed automatically based on criteria you specify. For example, to track laptops in a specific office, you could create a label called San Francisco Office, and create a Smart Label based on the IP address range or subnet for machines located in the San Francisco office. Whenever a machine that falls within the IP address range checks in, the Smart Label San Francisco is automatically applied. When the machine leaves the IP address range, the label is automatically removed. You can use Smart Labels to automatically group patches and machines.you can also label patches and machines manually, but Smart Labels are usually better because they are applied automatically. For example, you can create a patch Smart Label that matches all Windows XP server patches. Each time a Windows XP server patch becomes available to the K1000 Management Appliance, it is added to the label. If you set up a patching schedule to automatically detect and deploy machines with this label, it is automatically applied to your Windows XP servers. Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 27

28 3 Creating and Managing Patching Schedules You can create a labeling scheme that organizes patches by operating system and importance, such as P (patch)_<operating_system>_<importance>. For example: P_Vista P_Vista_Critical P_Vista_Important P_MS_Office P_Leopard P_Mac10.4_Critical_Test Similarly, you create machine Smart Labels to specify the machines, on which you want to install patches: P_OS_Servers for the server label M_Servers to capture all servers The K1000 Management Appliance evaluates the information provided by the Agents when they check in, and it applies machine Smart Labels if the data matches the label criteria. Patch Smart Labels are immediately applied to existing patches that meet the criteria. The label is added to new patches that meet the criteria when they are downloaded. See the K1000 Administrator Guide for detailed information on labels, including Smart Labels and label groups, and how to use labels in other components of the appliance. Creating Smart Labels for patches Creating a Smart Label for critical OS patches To create a Smart Label for critical OS patches 2. Click Security. The Patch Management page appears. 3. Click Patch Listing. The Patch Listing page appears. If you do not have patches available on your K1000 Management Appliance, see Selecting patch download settings on page 20. If you have not subscribed to patches, see Subscribing to and Downloading Patches on page Click the Create Smart Label tab on the right side of the The Create Smart Label form appears. 5. Enter search criteria that capture active critical Windows OS patches: Status = Active 28 Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

29 Creating and Managing Patching Schedules 3 AND Impact = Critical AND Operating System = Windows AND Patch Type = OS 6. Click Test Smart Label. Items that match the search criteria are displayed. 7. Adjust the criteria as needed until the results are what you expect. 8. Enter a name for the patch, such as Critical_OS_Windows. 9. Click Create Smart Label. The Smart Label is applied to existing patches that meet the criteria. The label is added to new patches that meet the criteria when they are downloaded. 10. To view label groups, select Show Label Groups in the Choose Action menu. Label groups are displayed and [groups hidden] is removed from the column heading. 11. To hide label groups, select Hide Label Groups in the Choose Action menu. Label groups are not displayed, and [groups hidden] appears in the column heading. Creating a Smart Label for new patches Smart Labels can be used to quickly identify new patches that must be deployed. To create a Smart Label for new patches 2. Click Security. The Patch Management page appears. 3. Click Patch Listing. The Patch Listing page appears. 4. Click the Create Smart Label tab on the right side of the The Create Smart Label form appears. 5. Enter search criteria that identify non-critical patches that were added after a specified date: Release Date > (greater than) <date>. For date, use the format yyyy-mm-dd. AND Impact!= (is not equal to) Critical AND Status = (Active 6. Click Test Smart Label. All non-critical patches added after the specified date are displayed. Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 29

30 3 Creating and Managing Patching Schedules 7. In the Choose Label field, enter a name for the new patch, such as New Patches since Click Create Smart Label. The label is saved. It is automatically applied to existing patches and to new patches that match the criteria when they are downloaded. 9. To view label groups, select Show Label Groups in the Choose Action menu. Label groups are displayed and [groups hidden] is removed from the column heading. 10. To hide label groups, select Hide Label Groups in the Choose Action menu. Label groups are not displayed, and [groups hidden] appears in the column heading. Creating Smart Labels for machines You can create Smart Labels to organize machines by type, such as desktop, server, and laptop. Creating a Smart Label for desktops To create a Smart Label for desktops 2. Click Inventory. The Machine Inventory page appears. 3. Click the Create Smart Label tab on the right side of the The Create Smart Label form appears. 4. Set up search criteria to include all machines whose operating system name does not include the word server and whose chassis type is not laptop: OS Name does not contain Server AND Chassis Type does not contain Laptop Other useful criteria for identifying desktops include: System Names, if you give all of your desktops a similar name. System Models, such as all systems with XPS in the model name. IP addresses, or partial IP addresses using the contains criteria. BIOS Serial Numbers, or use the Includes partial serial number criteria. This is useful if you have purchased desktops with sequential numbers. For more information, contact your vendor. Software Title, if desktops have a title in common. 30 Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

31 Creating and Managing Patching Schedules 3 5. Click Test Smart Label. Items that match the search criteria are displayed. 6. In the Choose label drop-down list, select a label name or enter a name for the Smart Label, such as All_Desktops. 7. Click Create Smart Label. The Smart Label is created. 8. (Optional) To confirm that the new label appears on the Labels list, click Home > Label > Smart Labels or Label Management. The new label appears empty at first. As machines check in, the label is applied to them when they match the Smart Label criteria. 9. To test the Smart Label: a. Go to Inventory > Computers. b. Click the name of a machine that matches the criteria, but to which the label has not yet been applied. c. On the Computers: Detail page, click Force Update. If the Smart Label is working correctly, the machine checks in and the label is applied to it. Creating a Smart Label for servers To create a Smart Label for servers 2. Click Inventory. The Machine Inventory page appears. 3. Click the Create Smart Label tab on the right side of the The Create Smart Label tab appears above the Inventory table. 4. Set up search criteria to include all machines whose operating system name includes the word server and whose chassis type is not laptop: OS Name contains Server AND Chassis Type does not contain Laptop Other useful criteria for identifying servers include: System Names, if you give all of your servers a similar name. IP addresses, or partial IP addresses using the contains criteria. BIOS Serial Numbers, or use the Includes partial serial number criteria. This is useful if you have purchased servers with sequential numbers. For more information, contact your vendor. Software Title, if servers have a title in common. 5. Click Test Smart Label. Items that match the search criteria are displayed. Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 31

32 3 Creating and Managing Patching Schedules 6. In the Choose label drop-down list, select a label name or enter a name for the Smart Label, such as All_Servers. 7. Click Create Smart Label. The Smart Label is created. 8. (Optional) To confirm that the new label appears on the Labels list, click Home > Label > Smart Labels or Label Management. The new label appears empty at first. As machines check in, the label is applied to them when they match the Smart Label criteria. 9. To test the Smart Label: a. Go to Inventory > Computers. b. Click the name of a machine that matches the criteria, but to which the label has not yet been applied. c. On the Computers: Detail page, click Force Update. If the Smart Label is working correctly, the machine checks in and the label is applied to it. Creating a Smart Label for laptops To create a Smart Label for laptops 2. Click Inventory. The Machine Inventory page appears. 3. Click the Create Smart Label tab on the right side of the The Create Smart Label form appears. 4. Set up search criteria to include all machines whose operating system name does not include the word server. OS Name does not contain Server AND Chassis Type contains Laptop Other useful criteria for identifying laptops include: System Names, if you give all of your laptops a similar name. IP addresses, or partial IP addresses using the contains criteria. BIOS Serial Numbers, or use the Includes partial serial number criteria. This is useful if you have purchased laptops with sequential numbers. For more information, contact your vendor. Software Title, if laptops have a title in common. 5. Click Test Smart Label. Items that match the search criteria are displayed. 6. In the Choose label drop-down list, select a label name or enter a name for the Smart Label, such as All_Laptops. 32 Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

33 Creating and Managing Patching Schedules 3 7. Click Create Smart Label. The Smart Label is created. 8. (Optional) To confirm that the new label appears on the Labels list, click Home > Label > Smart Labels or Label Management. The new label appears empty at first. As machines check in, the label is applied to them when they match the Smart Label criteria. 9. To test the Smart Label: a. Go to Inventory > Computers. b. Click the name of a machine that matches the criteria, but to which the label has not yet been applied. c. On the Computers: Detail page, click Force Update. If the Smart Label is working correctly, the machine checks in and the label is applied to it. Creating patch schedules This section explains how to create patching schedules and set a time for them to run. To create patch schedules 2. Click Security. The Patch Management page appears. 3. Click Detect and Deploy Patches. The Patch Schedules page appears. 4. In the Choose Action menu, select Add New Item. The Patch Schedule: Edit Detail page appears. 5. In the Schedule Description field, enter a description for the schedule. This appears on the Patch Schedules 6. In the Patch Action drop-down list, select a patch action for the schedule. The patch action behavior is dependent on the combination of reboot, detect, deploy, and rollback selections you make. Whenever a patch action does both a Detect pass and something else, as is the case with Detect and Deploy and Detect and Rollback, the action is repeated cyclically until the Detect action finds no further patches to deploy or roll back. This might result in multiple Reboot actions for a single scheduled run. In addition, the type of machine you are patching affects the type of patch action to use. Detect and Deploy patching jobs require an AMP (Agent Messaging Protocol) connection between the machine and K1000 Management Appliance; they do not run offline. For more information about the Agent and AMP connections, see the K1000 Administrator Guide. Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 33

34 3 Creating and Managing Patching Schedules Option Detect Detect and Deploy Detect and Deploy with Force Reboot Description Perform Detect-only actions. This is useful when you want to detect patches that are installed on or missing from managed machines. Detect-only actions are most useful for laptops. Detect actions can be run anytime, but they should be run at least one day before Deploy actions, which might require a reboot. Perform Detect and Deploy actions. This is usually appropriate for desktops and servers. Note: If patch deployment is unsuccessful after the maximum number of attempts, the deployment fails and the machine is skipped. For more information about the maximum number of deploy attempts, see Select Deploy Patch Label Selection options or Rollback Patch Label Selection options: on page 39. For information on viewing patch status, including failures, see Viewing patch status by machine on page 44. When you select Detect and Deploy and choose Force Reboot in the Reboot Options section, the following occurs according to the patching schedule: A Detect job runs. All patches are deployed and the machine is rebooted as needed. After the last reboot, a final Detect job runs. Detect and Deploy with Force Reboot works well with servers because they usually have no dedicated users. However, it is important to warn users that services will not be available when servers are being patched and rebooted. For more information, see Notify users when machines are being patched on page Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

35 Creating and Managing Patching Schedules 3 Option Detect and Deploy with Prompt User Detect and Deploy with No Reboot Description When you select Detect and Deploy and choose Prompt User in the Reboot Options section, the following occurs according to the patching schedule: A Detect job runs. Patches are deployed until a reboot is required, then the user is prompted to reboot. If no user is logged in, the machine is rebooted immediately. If the user clicks OK, the machine reboots. The patching process continues until another reboot is required and the user is prompted again. The pattern continues until the patch list is exhausted. If the user snoozes or cancels the reboot, patching stops until a reboot occurs. When a reboot occurs, patching continues until the next reboot is needed, and the user is prompted again. The pattern continues until the patch list is exhausted. A final Detect job runs to verify patch status. Detect and Deploy with Prompt User is risky because deploying patches without rebooting when required can leave systems unstable. Further, patches that require reboots only shown as deployed after the reboot. When you select Detect and Deploy and choose No Reboot in the Reboot Options section, the following occurs according to the patching schedule: A Detect job runs. Patches are deployed. If no reboot is required, and the patch list is exhausted, a final Detect job runs to verify patch status. If a reboot is required, patching stops. When the machine is rebooted, patching continues until either the patch list is exhausted, or a reboot is needed and patching stops. When the patch list is exhausted, a final Detect job runs to verify patch status. Detect and Deploy with No Reboot is not recommended because deploying patches without rebooting when required can leave systems unstable. Further, patches that require reboots are only shown as deployed after the reboot. Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 35

36 3 Creating and Managing Patching Schedules Option Deploy Deploy with Force Reboot Deploy with No Reboot Detect and Rollback Description Perform Deploy-only actions. This is useful when you know that specific patches need to be deployed to managed machines. A final Detect job runs either after the patch is deployed or, if a reboot is required, after the machine reboots and the Agent reconnects to the appliance. Note: If patch deployment is unsuccessful after the maximum number of attempts, the deployment fails and the machine is skipped. For more information about the maximum number of deploy attempts, see step 9 on page 39. For information on viewing patch status, including failures, see Viewing patch status by machine on page 44. When you select Deploy and choose Force Reboot in the Reboot Options section, the following occurs according to the patching schedule: All patches are deployed and the machine is rebooted as needed. A Detect job runs. Patching continues at the next scheduled patch deployment time. A final Detect job runs either after the last patch is deployed or, if a reboot is required, after the machine reboots and the Agent reconnects to the appliance. When you select Deploy and choose No Reboot in the Reboot Options section, the following occurs according to the patching schedule: Patches are deployed until a reboot is required, then patching stops. A Detect job runs. Patching continues at the next scheduled patch deployment time. A final Detect job runs either after the last patch is deployed or, if a reboot is required, after the machine reboots and the Agent reconnects to the appliance. Find and remove unwanted patches. 36 Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

37 Creating and Managing Patching Schedules 3 Option Detect and Rollback with Prompt User Rollback Rollback with Prompt User Description When you select Detect and Rollback and choose Prompt User in the Reboot Options section, the following occurs according to the patching schedule: A Detect job runs to identify unwanted patches. If unwanted patches are found, the appliance attempts to remove them. If removal is unsuccessful after the maximum number of attempts, the rollback fails and the machine is skipped. For more information about the maximum number of attempts, see step 9 on page 39. If the rollback is successful, the user is prompted to reboot. If no user is logged in, the machine is rebooted immediately. If the user clicks OK, the machine reboots. The rollback process continues until another reboot is required and the user is prompted again. The pattern continues until the patch list is exhausted. If the user snoozes or cancels the reboot, patching stops until a reboot occurs. When a reboot occurs, rollback continues until the next reboot is needed, and the user is prompted again. The pattern continues until the patch list is exhausted. Roll back patches that have been applied. When you select Rollback and choose Prompt User in the Reboot Options section, the following occurs according to the patching schedule: The appliance attempts to remove the unwanted patches If removal is unsuccessful after the maximum number of attempts, the rollback fails and the machine is skipped. For more information about the maximum number of attempts, see step 9 on page 39. If rollback is successful, the user is prompted to reboot. If no user is logged in, the machine reboots immediately. If the user clicks OK, the machine reboots. The rollback process continues until another reboot is required and the user is prompted again. The pattern continues until the patch list is exhausted. If the user snoozes or cancels the reboot, the rollback process stops until a reboot occurs. When a reboot occurs, rollback continues until the next reboot is needed, and the user is prompted again. The pattern continues until the patch list is exhausted. Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 37

38 3 Creating and Managing Patching Schedules 7. Select Machine Selection options: Option Run On All Machines Limit Run To Selected Machine Labels Limit Run To Machines Limit Run To Machines With Selected Operating Systems Description Run the schedule on all machines in the selected organization. Use caution with this setting. It is usually better to test patch actions on a limited number of machines, and to limit patch actions to selected machines or machine labels. This ensures that patch actions are applied appropriately. Restrict the patch actions to the machines in the labels that you select. Limiting the run to labels, especially Smart Labels, helps to ensure that patches are applied appropriately. For example, some application patches have the ability to install applications as well as update applications that are already installed. To prevent the appliance from installing the application on machines that do not already have the application installed, you can create a Smart Label to identify machines that have the application. You can then limit the patch action to machines that have that label. The patch is then applied only to machines that already have the application installed. To use this option, you must already have labels or Smart Labels. For more information, see About using Smart Labels for patching on page 27. Run detect and deploy patching actions on a small set of machines that you select. You can use this option for a small set of users that do not require a label. Select Machines in the Select Machines to add drop-down list. After this option is selected, the machines appear in the Limit Run To Machines box. You can also create a filter to select machines and enter it in the Filter field. This is the most commonly used machine selection option. It limits the machines shown in the list to only those that contain the characters you type in the filter. Create an on the fly filter by selecting the operating systems of the machines on which you want to run the actions. The default is all operating systems. 38 Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

39 Creating and Managing Patching Schedules 3 8. Select Detect Patch Label Selection options: Option Detect All Patches Limit Detect To Selected Patch Labels Description Detect all available patches. This process can take a long time, and it might detect patches that are not required by managed machines. For example, if managed machines use antivirus applications from only one vendor, you might not need to detect patches for all antivirus vendors. Detect All, however, detects all missing patches regardless of whether they are required by managed machines. To refine patch detection, set up labels for the patches you want to detect, then use the Limit Detect to Selected Patch Labels option. Restrict the action to the patches in the labels that you select. This is the most commonly used patch detection option. To select labels, click Edit. To use this option, you must already have labels or Smart Labels for the patches you want to detect. For more information, see About using Smart Labels for patching on page Select Deploy Patch Label Selection options or Rollback Patch Label Selection options: Option Deploy All Patches Rollback All Patches Limit Deploy To Selected Patch Labels Limit Rollback To Selected Patch Labels Limit Patches To Matching Machine Labels Description Deploy or rollback all patches; this can take a long time. To refine patch deployment or rollback, set up labels for the patches you want to deploy or rollback, then use the Limit Deploy to Selected Patch Labels option. Restrict the action to the patches in the labels that you select. This is the most commonly used patch deployment or rollback option. To select labels, click Edit. To use this option, you must already have labels or Smart Labels for the patches you want to detect. For more information, see About using Smart Labels for patching on page 27 Dell KACE recommends that you do not select this option; it is provided for backward-compatibility in specific and rare cases. Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 39

40 3 Creating and Managing Patching Schedules Option Max Deploy Attempts Max Rollback Attempts Description The maximum number of attempts, between 0 and 99, to indicate the number of times the appliance tries to deploy or rollback the patch. If you specify 0, the appliance attempts to deploy or rollback the patch indefinitely. As a last step in patch deployment or rollback, the appliance verifies whether the patch was deployed or rolled back successfully. If a deployment or rollback fails, the appliance attempts to deploy or rollback the patch again until one of the following occurs: The deployment or rollback succeeds. The maximum number of attempts is reached. The scheduled deployment or rollback period ends and patching is suspended. 10. In the Alerts section, choose alert options: Option Alert User Before Run Alert Dialog Options Dialog Timeout (Minutes) Dialog Timeout Action Snooze Duration (Minutes) Alert Message Description Allow the user to run, cancel, or delay the action. This is especially important when reboots are required. If no user is logged in, the script runs immediately. Options presented to the user in the alert dialog: OK: Run immediately. Cancel: Cancel until the next scheduled run. Snooze: Prompt the user again after the Snooze Duration. The amount of time, in minutes, for the dialog to be displayed before an action is performed. If this time period elapses without the user pressing a button, the appliance performs the action specified in the Dialog Timeout Action drop-down list. The action to be performed when the Dialog Timeout period elapses without the user choosing an option. The amount of time, in minutes, for the period after the user clicks Snooze. When this period elapses, the dialog appears again. The message to be displayed to users before the action runs. To customize the logo that appears in the dialog, see the K1000 Administrator Guide. 40 Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

41 Creating and Managing Patching Schedules 3 Option Show Patch Progress Patch Progress Message Patch Completed Message Description The option to display the progress of the patch installation. If Show Patch Progress is selected, the message displayed to users during the installation. If Show Patch Progress is selected, the message displayed to users when the process is complete. 11. In the Reboot Options section, use the following settings for desktops: Option Reboot Mode Message Message Timeout Reprompt Interval Limit number of prompts Timeout Action Reboot Delay (countdown) Description Reboot options: Prompt User: Wait for the user to accept the reboot before restarting the machine. Used with the Message Timeout and Reboot Message fields. No Reboot. The machine does not reboot even though a reboot might be required for the patch to take effect. Force Reboot. Reboot as soon as a patch requiring it is deployed. Forced reboots cannot be canceled. Force Reboot works well for desktops. You might not want to force reboot on servers or laptops. The message to be displayed to the user before the machine reboots. For information about adding a custom logo to the message dialog, see the K1000 Administrator Guide. The amount of time (in minutes) that the appliance waits for the user to respond to the Reboot Message. If the time specified in the Message Timeout field elapses without the user pressing a button, the appliance performs the action specified in the Reboot Options - Timeout Action section. The time that elapses before the user is reprompted to reboot. The number of prompts the user receives before the machine reboots. For example, if you enter a value of 5, the fifth time the user receives the reboot prompt, the machine automatically reboots. The user can delay the reboot only four times. The action to take when the timeout period for Reboot Options elapses. Postpone the reboot using a countdown. The countdown is in minutes. Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 41

42 3 Creating and Managing Patching Schedules Option Reboot Now Reboot Later Automatically Reboot Description Perform the reboot immediately. Perform the reboot later. Automatically reboot when no one is logged in to the appliance. 12. In the Patch Schedule section, specify when the patch action should run: Option Don t Run on a Schedule Run every _ hours Run every day/specific day at HH:MM AM/PM Run on the n th of every month/specific month at HH:MM AM/PM Run custom Schedule according to Run on next connection if offline Delay Schedule by... Description Run in combination with an event rather than on a specific date or at a specific time. This is useful if you want to patch servers manually or perform patch deployments that you do not want to run on a scheduled cycle. Run at a specified interval. Run daily at a specified time, or run on a designated day of the week at a specified time. Run on the same day every month, or a specific month, at the specified time. Run according to a custom schedule. The timezone to use when scheduling the action. Select Server to use the timezone of the appliance. Select Agent to use the timezone of the client machine. Run the action the next time the client machine connects to the appliance, if the client machine is currently offline. If this option is not selected, and the client is offline, the action does not run again until the next scheduled time. This option is useful for laptops and other machines that are periodically offline. Delay the schedule by a specified amount of time. The time delay period begins when the patch action is scheduled to run. 42 Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

43 Creating and Managing Patching Schedules 3 Option Suspend pending tasks after... Description The time limit for patching actions. For example, if you schedule patches to run at 4:00 AM, you might want all patching actions to stop at 7:00 AM to prevent bandwidth issues when users start work. So, you could select the Suspend pending tasks after check box, and then specify 180 in the minutes box. When this time limit is reached, any patching tasks that are in progress are suspended, and their status on Security logs is Suspended. Suspended tasks resume where they left off when the next scheduled patching action begins. 13. Click Save. The schedule is created. If you add desktops that match the Smart Label criteria, they are automatically included in the patching schedule. For details on tracking the status of patching, see Viewing unscheduled patches on page 45. Editing patch schedules To edit patch schedules 2. Click Security. The Patch Management page appears. 3. Click Detect and Deploy Patches. 4. In the list of schedules, click the name of a schedule. The Patch Schedule: Edit Detail page appears. 5. Edit the schedule as needed. For information about patch schedule settings, see Creating patch schedules on page Click Save. Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 43

44 3 Creating and Managing Patching Schedules Monitoring patching status Viewing patch status You can view the status of patches, including a list of the machines on which patches have been deployed. To view patch status 2. Click Security. The Patch Management page appears. 3. Click Patch Listing. The Patch Listing page appears. 4. Click the title of a patch. The Patch: Detail page appears. 5. Scroll down to the Deployment Status table. The table shows details about the patch, including a list of the machines on which the patch has been deployed. Viewing patch status by machine You can view the status of patches for each managed machine. To view patch status by machine 2. Click Inventory. The Computer Inventory page appears. 3. Click a computer name. The Computers: Detail Item page appears. 4. Scroll down to the Security section, then click the Patching Detect/Deploy Status link. The list of the patches installed on the machine appears. Searching for individual packages within patches To search for individual packages within patches 1. Click Security. The Patch Management page appears. 44 Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

45 Creating and Managing Patching Schedules 3 2. Click Patch Listing. The Patch Listing page appears. 3. Click the title of a patch. The Patch: Detail page appears. 4. Scroll down to the Packages Contained in this Patch table. Viewing patch reports To view patch reports 2. Click Security. The Patch Management page appears. 3. Click Reporting. The K1000 Reports page appears, with Patching selected in the View by drop-down list. This page provides links to patch-related reports. To generate a report, click the format name in the Generate Report column: HTML, CSV or TXT. For more information about reports, see the K1000 Administrator Guide.The right-most column indicates whether the patch supports rollback. Viewing unscheduled patches To determine whether your subscribed patches are accounted for in a schedule, use the search feature to view unscheduled patches. To view unscheduled patches 2. Click Security. The Patch Management page appears. 3. Click Patch Listing. The Patch Listing page appears. 4. Click the Advanced Search tab above the list on the right. The Advanced Search panel appears. 5. Select the Not Scheduled check box to the right of the search criteria. 6. (Optional) Enter additional search criteria. Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 45

46 3 Creating and Managing Patching Schedules 7. Click Search. Unscheduled patches are displayed. Managing patch rollbacks In cases where you might need to roll back a deployed patch, you must determine if there is support for patch rollbacks. Not all vendors support rollbacks. For example, large software patches, such as Service Packs, cannot be rolled back. Determining whether a patch can be rolled back To determine whether a patch can be rolled back 2. Click Security. The Patch Management page appears. 3. Click Patch Listing. The Patch Listing page appears. 4. Click the Advanced Search tab above the list on the right. The Advanced Search panel appears. 5. Select the Support Rollback check box to the right of the search criteria. 6. (Optional) Enter additional search criteria. 7. Click Search. Patches that support rollback are displayed. Undoing the last patching job If the patch vendor supports a rollback, you can undo the last patch deployment by creating and running a Rollback or Detect and Rollback patching schedule. To undo the last patching job 2. Click Security. The Patch Management page appears. 3. Click Detect and Deploy Patches. The Patch Schedules page appears. 4. In the Description column, click a patch schedule. 46 Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

47 Creating and Managing Patching Schedules 3 The Patch Schedule: Edit Detail page appears for the selected patch. 5. In the Patch Action section, select Rollback or Detect and Rollback. 6. Select the patches to rollback, in the same way that you specified them in the original schedule, by creating a Smart Label. See Creating Smart Labels for patches on page 28. This option is supported only for removing the last installed patch on a software application. See Managing patch rollbacks on page 46. Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 47

48 3 Creating and Managing Patching Schedules 48 Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

49 4 Managing Patch Inventory This section explains how to manage patch inventory. Topics in this section: Prerequisites on page 49 Viewing the Patch Listing page on page 49 Information on the Patch Listing page on page 50 Marking patches as inactive on page 52 Hiding patches that do not meet subscription criteria on page 52 Viewing patch information for computers in Inventory on page 53 Viewing patching statistics on page 53 Viewing the patch log on page 54 Prerequisites Before managing patch inventory, you need to subscribe to and download patches. For more information, see: Subscribing to patches on page 17 Selecting patch download settings on page 20 Viewing the Patch Listing page The Patch Listing page displays patch detection signatures for the platforms to which you subscribe. To view the Patch Listing page 2. Click Security. The Patch Management page appears. Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 49

50 4 Managing Patch Inventory 3. Click Patch Listing. 4. The Patch Listing page appears. 5. To filter the patch list, select one of the following in the View by drop-down list above the patch list on the right: All Patches: View all patches. Label: View patches that are assigned to a selected label. Status: View Active or Inactive patches. Download Status: View patches that are Downloaded or Not Downloaded. Impact: Filter the patch list by Critical, Recommended, and so on. Year: Filter the patch list by the year the patch was released. Operating System: Filter the patch list by operating system. Information on the Patch Listing page The Patch Listing page provides information on: Patch status Detection and deployment status Cache size Patch status The Patch Listing page shows the status of each patch. To get to the Patch Listing page, see Viewing the Patch Listing page on page 49. Status Icon Definition Subscription? Setting Detected? Deployed? Active (none) Patches that you subscribe to, that are downloaded, and that are ready to detect or deploy. These patches have no icon next to them on the Patch Listing Yes Yes Yes Inactive Patches that you subscribe to, but that have been marked as inactive to prevent them from being detected or deployed automatically. Yes No No 50 Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

51 Managing Patch Inventory 4 Status Icon Definition Subscription? Setting Detected? Deployed? Disabled Patch detection signatures for patches that you have not subscribed to. The patch packages (installation files) have not been downloaded to the appliance. No, just the patch record Yes if Allow Detect of Disabled Patches is selected Yes Detection and deployment status The Patch Listing page shows the number of machines that have received a patch, are waiting for a patch, or have encountered errors during patching. To get to the Patch Listing page, see Viewing the Patch Listing page on page 49. Column Description The number of machines that have received the patch. The number of machines that have been detected as needing the patch and that are waiting for deployment. The number of machines that have failed the maximum number of deployment attempts. The maximum number of deployment attempts is configured in the patch schedule. See Creating patch schedules on page 33. Patch Cache Size The Cache Size column on the Patch Listing page indicates the amount of disk space patches are using in the appliance s local cache. To get to the Patch Listing page, Viewing the Patch Listing page on page 49. Indicator Black Red Zero (0) Actual size (other than zero) Description Inactive or Disabled patches. Patches to which you are subscribed; however, no associated packages for this patch have been downloaded at this time. To see which associated packages are missing, click the patch name to view the patch detail None of the patch packages are downloaded. At least one of the patch packages has been downloaded. Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 51

52 4 Managing Patch Inventory Marking patches as inactive To mark patches inactive 2. Click Security. The Patch Management page appears. 3. Click Patch Listing. The Patch Listing page appears. 4. Select the check box next to a patch. 5. In the Choose Action menu, select Change Status to > Inactive. Patches marked as Inactive are automatically purged from the cache during the next scheduled patch download. Hiding patches that do not meet subscription criteria You can prevent patches from appearing on the Patch Listing page when they do not meet the platform, language, label, and other subscription criteria you set. To hide patches that do not meet subscription criteria 2. Click Security. The Patch Management page appears. 3. Click Subscription Settings. The K1000 Settings: Patch Subscription page appears. 4. Click Edit Mode. 5. In the Disabled Patch Options section, do the following: a. Select the Hide Disabled Patches on Patch Listing check box. b. Clear the Allow Detect of Disabled Patches check box. 6. Scroll to the bottom of the page, then click Save. After the next download, patches that do not meet subscription criteria no longer appear on the Patch Listing 52 Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

53 Managing Patch Inventory 4 Viewing patch information for computers in Inventory The Inventory tab contains detailed patch information about the machines you manage. This includes: The list of patches deployed on the machine. Details of the patch schedules that apply to the machine. Information about successful and failed patching and roll-back attempts. To view patch information for a computer 2. Click Inventory. The Computer Inventory page appears. 3. Click a machine name. The Computers: Detail Item page appears. 4. Scroll down to the Security section. 5. Click Patching Detect/Deploy Status. The Patching Detect/Deploy Status details expand. 6. For more information, click the question mark icons next to Scheduled Task Status and Deployment Status. Viewing patching statistics To view patching statistics Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 53

54 4 Managing Patch Inventory 2. Click Security. The Patch Management page appears, showing patch statistics. Viewing the patch log To make sure there is not an error in the patch download process, access the patch log. To view the patch log 1. If the Organization component is enabled on the appliance, select System in the dropdown list in the top-right corner of the page, then click K1000 Settings. Otherwise, click Settings. The K1000 Settings: Control Panel page appears. 2. Click Logs. The K1000 Server Logs page appears. 3. In the Current log drop-down list, select Server > Patch Download Log. The patch log appears. 54 Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

55 5 Deploying and Managing the Dell KACE Secure Browser This section explains the tasks to set up, deploy, and manage the Dell KACE Secure Browser. Topics in this section: About Dell KACE Secure Browser on page 55 Manually downloading and installing Secure Browser on page 56 Downloading and distributing Secure Browser from the appliance on page 56 Adding Secure Browser to the Software Library on page 60 Managing Secure Browser Using the K1000 on page 62 Additional resources on page 67 About Dell KACE Secure Browser Dell KACE Secure Browser is a free tool that provides a secure version of Firefox web browser. This tool uses virtualization technology to provide a safer web experience. When you access websites using Secure Browser, any malicious files downloaded from the Internet are contained within Secure Browser, protecting the operating system of the computer. For more information about Dell KACE Secure Browser, go to freetools/secure-browser. Dell KACE Secure Browser enables you to: Contain all web downloads, both intended and unintended, in a single directory. This helps to prevent system corruption and conflicts. Use white lists and black lists to control the processes browsers can run and the websites they can access. View statistics related to the number of processes detected and blocked. Easily reset the browser to its installation state, clearing all downloads and installed plug-ins. Deploy and manage the browser remotely from the Dell KACE K1000 System Management Appliance. Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 55

56 5 Deploying and Managing the Dell KACE Secure Browser Available versions of Secure Browser Dell KACE currently provides the following Secure Browser: Mozilla Firefox 3.6 with Adobe Flash and Adobe Reader plug-ins System software requirements Dell KACE Secure Browser is supported on the following platforms: Windows 7 Windows Vista Windows XP SP3 Manually downloading and installing Secure Browser You can manually download Secure Browser from the Dell KACE website and install it onto machines as described in this section. To manually download and install Secure Browser onto machines 1. Log in to a machine that meets the System software requirements on page Download Secure Browser from index.php?action=artikel&cat=63&id=1014&artlang=en. 3. Double-click the Secure Browser installer file, then follow the instructions in the wizard to complete the installation. When the installation is complete, the Secure Browser icon appears on the desktop. Downloading and distributing Secure Browser from the appliance This section explains how to download and distribute Secure Browser from the K1000 System Management Appliance to managed machines that meet the System software requirements on page 56. To download and distribute Secure Browser through the Administrator Interface 2. Click Security > Secure Browsers > Updates. The Secure Browser Updates page appears. 3. Select the check box of the Secure Browser version you want to download. 4. In the Choose Action menu, select Download Secure Browser. 56 Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

57 Deploying and Managing the Dell KACE Secure Browser 5 The download is scheduled, and Download Pending or Downloading appears in the Status column. When the download is complete, Available in Managed Installations appears in the Status column. 5. Click Distribution > Managed Installations. The Managed Installations page appears. 6. Click that name of the Secure Browser version you want to distribute. The Managed Software Installation: Edit Detail page appears. The Secure Browser version you selected appears in the Software drop-down list. 7. Provide the following information: Option Also show software without an Associated File Upload & Associate New File Installation Command Run Parameters Delete Downloaded Files Use Alternate Download AppDeploy Live Notes Description Show software applications regardless of whether they have an associated executable. When you select this option, the Software drop-down list is updated to show the new number of software applications. Click Browse or Choose File, then navigate to the location of the executable you want to associate with the software. Select the Use Default option. No run parameters are needed. Delete the installation files when the installation is complete. Clear this option. Deployment tips from AppDeploy Live, available only if AppDeploy Live is enabled. For more information, about AppDeploy Live, see the K1000 Administrator Guide. (Optional) Any additional information you want to provide. Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 57

58 5 Deploying and Managing the Dell KACE Secure Browser Option Managed Action Description Select an appropriate time for the package to be deployed. Options include: Disabled: Do not deploy the package. Execute anytime (next available): Deploy the package at the next opportunity, such as the next time the K1000 Agent reports inventory information to the appliance. Execute before logon (at machine bootup): Deploy the package the next time the machine starts up. Note: If a machine has an Active Directory or Group Policy Object setting that displays a message that the user must acknowledge before logging on, packages are not deployed and scripts do not run until the message is acknowledged. Execute after logon (before desktop loads): Deploy the package after the user logs in but before the desktop loads. Execute while user logged on: Deploy the package while the user is logged on. Execute while user logged off: Deploy the package only when the machine is running and the user is logged off. 8. Specify the following settings: Option Deploy to All Machines Limit Deployment To Labels Limit Deployment To Listed Machines Description Deploy to all machines. Clear the check box to limit the deployment to specific labels or machines. Limit the deployment to items that are assigned to the selected labels. To select multiple labels, use Ctrl-click or Command-click. Limit deployment to specific machines. In the drop-down list, select the machine or machines you want to deploy to. If your list of machines is long, you can use the Filter field to filter the list by entering a few characters of the machine name. 58 Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

59 Deploying and Managing the Dell KACE Secure Browser 5 Option Deploy Order Max Attempts Deployment Window (24H clock) Description The order in which to install or uninstall software. The lowest value is deployed first. If an install action and an uninstall action both have the same order value, the uninstall action is performed first. The maximum number of attempts, between 0 and 99, to indicate the number of times the appliance tries to install the package. If you specify 0, the appliance attempts to install the package indefinitely. The time, in 24-hour clock format, for package deployment. The Deployment Window time affects all Managed Action options. Also, the run intervals defined in the Administrator Interface, under the K1000 Settings for this specific organization, interact with or override the deployment window of specific packages. 9. Specify user interaction settings. These options are displayed when you select the Deploy to All Machines option. Option Allow Snooze Description Enable snooze features. When you select this option, the following fields appear: Snooze Message: The message displayed on the managed machine during snooze. Snooze Timeout: The time period, in minutes, during which the message appears. Snooze Timeout Action: The action that occurs at the end of the timeout period. Select Install now to install the software immediately, or select Install later to postpone the installation until a user responds. Install later is useful when you want to notify users of an installation or reboot before it occurs. Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 59

60 5 Deploying and Managing the Dell KACE Secure Browser Option Custom Pre- Install Message Description Display a message on managed machines prior to installation. When you select this option, the following fields appear: Pre-Install User Message: The message that appears on managed machines before installation begins. Pre-Install Message Timeout: The length of time, in minutes, during which the message appears. Pre-Install Timeout Action: The action that takes place at the end of the Pre-Install Message Timeout period. Options include Install later or Install now. Select Install now to install the software immediately, or select Install later to postpone the installation until a user responds. Install later is useful when you want to notify users of an installation or reboot before it occurs. Custom Post- Install Message Display a message on managed machines after the installation is complete. When you select this option, the following fields appear: Post-Install User Message: The message that appears on managed machines when the installation is complete. Post-Install Message Timeout: The length of time, in minutes, during which the message appears. The summary information at the bottom of the page shows the installation status for Secure Browser. 10. Click Save. Secure Browser is deployed according to the selected settings. Adding Secure Browser to the Software Library You can add Secure Browser software to the Software Library in the K1000 User Portal. This enables users to download and install Secure Browser software to their machines from the User Portal. All software or scripts that you want to include in the Software Library must already exist in the Inventory > Software or Scripting sections; you cannot upload software or author scripts in the Software Library. For more information about the Software Library and the User Portal, see the Service Desk Administrator Guide. Creating a Secure Browser Software Library item To create a Secure Browser Software Library item 60 Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

61 Deploying and Managing the Dell KACE Secure Browser 5 2. Click Service Desk > Software Library. The Software Library page appears. 3. In the Choose Action menu, select Add New Item. The Software Library: Edit Detail page appears. 4. Select the Enabled check box to make the item visible on the User Portal. 5. In the Package Type section, select Install. 6. Select Dell Secure Browser in the drop-down list. 7. Enter the command line to run the installation in the Install Command Line field. 8. In the User Portal page Details section, specify the information to include with the Secure Browser: Option Installation Instructions Product Key Product Key to User Request Manager Notification Additional Notes Corporate License Text Vendor License Text Unit Cost Documentation File and Documentation File (size) Description Instructions, legal notes, or any other information you want to upload to the Software Library along with the software item. Not applicable to Secure Browser. Not applicable to Secure Browser. Require users to enter their manager s address before enabling them to download or install software. (Optional) Any additional information you want to provide. (Optional) Enter any corporate license text. (Optional) Enter any vendor license text. (Optional) Enter a cost per unit. (Optional) The file to be included as documentation. The file size appears after the item is saved. 9. Specify any distribution restrictions in the Access Control section. Option Limit Access To User Labels Also Restrict By Machine Label Description (Optional) Click Edit to select a label and limit software deployment to users who are included in the label. (Optional) Restrict access to specific machine labels. 10. Click Save. Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 61

62 5 Deploying and Managing the Dell KACE Secure Browser Secure Browser is available in the Software Library in the K1000 User Portal as specified. Managing Secure Browser Using the K1000 This section explains how to manage Secure Browser using the K1000 Management Appliance. Exporting the Isolation Configuration file The Isolation Configuration file allows the K1000 Management Appliance to centrally manage Secure Browser Network Access and Process Control settings. The configuration file can be pushed from the appliance to Secure Browser clients periodically. Dell KACE recommends that you set up the Secure Browser on a provisioned network node, with the proper access permissions, and then export the Isolation Configuration file for use in the K1000 Management Appliance Administrator Interface. To generate a configuration file: 1. Log in to a machine where Secure Browser is installed and start Secure Browser. 2. On the Secure Browser toolbar at the top of the browser window, click the configuration icon. 3. Click the Advanced tab. The advanced options appear. 4. Click Export. The Secure Browser network and process configuration settings display in XML format. 62 Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

63 Deploying and Managing the Dell KACE Secure Browser 5 5. Click Copy then click Close. 6. Log in to the K1000 Management Appliance Administrator Interface. 7. If applicable, select an organization in the drop-down list in the top-right corner of the 8. Click Security > Secure Browser > Manage. The Secure Browser Management page appears. 9. In the Choose Action menu, click Edit Default Settings. 10. Scroll to the Isolation Configuration XML field and paste the data that you exported from Secure Browser. 11. Click Save. All Secure Browsers managed by the K1000 Management Appliance now have the same Network Access and Process Control settings. Generating a custom Secure Browser MSI package You can make an exact copy of a Secure Browser instance and upload it to the K1000 Management Appliance for deployment or installation directly on another computer. This installation includes the history, favorites, and cookies available in the original instance of the Secure Browser. On a Windows 7 computers, you must use elevated privileges to generate the MSI. Use the Run as administrator option to open the Secure Browser. To generate a custom MSI package: 1. Open the Secure Browser instance that you want to copy. 2. Click the configuration icon then click the Advanced tab. The advanced options appear. 3. Click Generate. If the Permissions menu appears on a Windows 7 computer, close the browser and reopen it using the Run as administrator option. Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 63

64 5 Deploying and Managing the Dell KACE Secure Browser The Generate Custom Deployment Package dialog appears. 4. In the Original Secure Browser MSI file field, enter the path to the original Secure Browser MSI. If the Secure Browser was deployed from the K1000 Management Appliance, the installer is located in the K1000 Agent installation folder. 5. In the Deployed Secure Browser Directory field, enter the path to the installation location. By default, the field contains the path to the Secure Browser installation location. 6. In the New Secure Browser MSI file field, enter the path and name of the new customized Secure Browser package, including the file extension (MSI). 7. Specify the MSI file properties. 8. Click Create. The new Secure Browser installer is created and saved to the location you specified. Centrally managing Secure Browser settings To centrally manage the Secure Browser settings from the K1000, you must add machines to the managed machines list on the Secure Browser 64 Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

65 Deploying and Managing the Dell KACE Secure Browser 5 To centrally manage Secure Browser settings 2. Click Security > Secure Browsers > Manage. The Secure Browser Management page appears. 3. Select the check box next to the browser in the list. 4. In the Choose Action menu, select Edit Default Settings. The Secure Browsers: Edit Settings page appears. 5. Under Add Machines, select the machine(s) on which you want to manage Secure Browsers from the Select Machine to Add drop-down list. The machines appear in the Management Limited To Listed Machines list. 6. Click Save. For machines that are not managed by the K1000, Secure Browser settings cannot be managed centrally; they can be managed only on the local machine. Controlling when users can use Secure Browser To control when users can use Secure Browser 2. Click Security > Secure Browsers > Manage. The Secure Browser Management page appears. 3. Select the check box next to the browser in the list. 4. In the Choose Action menu, click Edit Default Settings. The Secure Browsers: Edit Settings page appears. 5. Use the settings in the Launch Restrictions section: Option Network Connection to K1000 Required Restrict to Days of Week Restrict to Time of Day Description Allow Secure Browser to launch only when the machine is connected to the appliance. Allow Secure Browser to launch only on the selected days. Allow Secure Browser to launch only during specified times. Controlling which websites users can visit This section describes how to control the websites that can be visited using Secure Browser. Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 65

66 5 Deploying and Managing the Dell KACE Secure Browser To control which websites users can visit 2. Click Security > Secure Browsers > Manage. The Secure Browser Management page appears. 3. Select the check box next to the browser in the list. 4. In the Choose Action menu, select Edit Default Settings. The Secure Browsers: Edit Settings page appears. 5. Copy and paste the isolation XML in the Isolation Configuration XML text field. 6. Click Save. Restoring Secure Browser to its original configuration If Secure Browser becomes corrupted or is configured incorrectly, you can return it to its original configuration. To restore Secure Browser to its original configuration 2. Click Security > Secure Browsers > Manage. The Secure Browser Management page appears. 3. Select a secure browser row by double-clicking the row. The details of the Secure Browser instance appear below the table. Scroll down to the bottom of the page to see the details. 4. Click Reset Secure Browser. Secure Browser is restored to its original configuration. Shutting down Secure Browser on a managed machine You can shut down instances of Secure Browser running on managed machines as described in this section. Alert users before shutting down Secure Browser. To shut down Secure Browser on a managed machine 2. Click Security > Secure Browsers > Manage. 66 Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

67 Deploying and Managing the Dell KACE Secure Browser 5 The Secure Browser Management page appears. 3. Select a secure browser row. The details of the instance appear below the table. 4. Click Terminate. Secure Browser instances that are running on managed machines are shut down. Additional resources For more information about Secure Browser, including videos and guided tours, a dedicated Secure Browser forum, FAQs (frequently asked questions), or to report issues and request new features, go to Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 67

68 5 Deploying and Managing the Dell KACE Secure Browser 68 Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

69 6 Using OVAL Security Features This section describes how to use Open Vulnerability and Assessment Language (OVAL) security features within the Dell KACE K1000 Management Appliance to run vulnerability tests on your network. Topics in this section: Using OVAL security checks on page 69 Understanding OVAL definitions on page 69 Configuring OVAL Settings on page 71 Using the Vulnerability Report on page 75 Viewing OVAL Computer Reports on page 75 Creating security policies on page 76 Using OVAL security checks OVAL is an internationally recognized standard for detecting security vulnerabilities and configuration issues on computers. OVAL security checks determine assets that are out of compliance and let you customize security policies to enforce rules, schedule tests to run automatically, and run reports based on the results. OVAL is compatible with the Common Vulnerabilities and Exposures (CVE) list. CVE content is determined by the CVE Editorial Board, which is composed of experts from the international information security community. New information about security vulnerabilities discussed on the Community Forum is sent to the CVE Initiative for possible addition to the list. For more information about CVE, MITRE Corporation, or the OVAL Board, go to The ability to describe vulnerabilities and exposures in a common language makes it easier to share security data with other CVE-compatible databases and tools. Understanding OVAL definitions The K1000 Management Appliance checks for updates to available OVAL definitions. Definitions are displayed on the OVAL Tests page, along with its associated OVAL ID and CVE Number. Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 69

70 6 Using OVAL Security Features Viewing OVAL definitions To view OVAL definitions 2. Click Security > OVAL Assessment. The OVAL Vulnerability Assessment page appears. 3. Click OVAL Tests. The OVAL Tests page appears. 4. (Optional) Limit which tests are displayed by using the View by drop-down list or Search field to find OVAL tests by OVAL ID, CVE Number, operating system, or text. 5. Click a Description link in the OVAL Tests list. The OVAL Tests: Definition page displays the following information: Field OVAL-ID Class Ref-ID Description Definition Description The status of the vulnerability following the OVAL-ID. Possible values are Draft, Interim, or Accepted. The nature of the vulnerability. Possible values are: Compliance, Deprecated, Patch, and Vulnerability. A link to additional details about the vulnerability. The common definition of the vulnerability as found on the CVE list. The steps used to test whether or not the vulnerability exists. The table at the bottom of the OVAL Tests: Definition page displays the list of machines in your network that contain the vulnerability. For convenience, a printer-friendly version of this data is available. About OVAL test definitions OVAL test definitions pass through a series of phases before being released. Depending on where a definition is in this process, it is assigned one of the following status values: Status Draft Interim Description Indicates the definition is assigned an OVAL ID number and is under discussion on the Community Forum and by the OVAL Board. Indicates the definition is under review by the OVAL Board and available for discussion on the Community Forum. Definitions are generally assigned this status for two weeks, unless additional changes or discussions are required. 70 Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

71 Using OVAL Security Features 6 Status Accepted Description Indicates the definition has passed the Interim stage and is posted on the OVAL Definition pages. All history of discussions pertaining to Accepted definitions are linked from the OVAL definition. Other possible status values include: Initial Submission Deprecated For more information about the stages of OVAL definitions, go to When OVAL tests are enabled, all available OVAL tests run on the target machines. OVAL test details do not indicate the severity of the vulnerability. Use your own judgment to determine whether to test your network for the presence of a particular vulnerability. Running OVAL tests The K1000 Management Appliance runs OVAL tests that are automatically based on the schedule specified in OVAL Settings. Because OVAL Tests consume a large amount of memory and CPU, they impact the performance of the target machines. OVAL Tests take between 5 and 20 minutes to run. To minimize the disruption to users, run OVAL Tests weekly or monthly and during hours when users are least likely to be inconvenienced. Using labels to restrict OVAL tests If you are running OVAL tests periodically or if you want to obtain the OVAL test results for only a few machines, you can assign a label to those machines. You can then use the Run Now function to run OVAL test on those machines only. See the K1000 Administrator Guide. Understanding OVAL updates The K1000 Management Appliance checks for new OVAL definitions every night, but you should expect new definitions every month. If OVAL tests are enabled, the appliance downloads new OVAL definitions to all client machines on the next scripting update whenever a new package becomes available, regardless of the OVAL schedule settings. The update ZIP file can be up to 2MB large enough to impact the performance of machines with slow connections. Only enable OVAL tests when you need to run them. Configuring OVAL Settings Use the following configurations to set the OVAL test checks. OVAL updates that are downloaded when OVAL tests are disabled are stored on the appliance and are only pushed out to the target machines when enabled again. Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 71

72 6 Using OVAL Security Features You can configure OVAL scan settings using this link. You should exercise caution when applying OVAL settings. Specifying OVAL settings To specify OVAL settings 2. Click Security > OVAL Assessment. The OVAL Vulnerability Assessment page appears. 3. Click OVAL Settings. The OVAL Settings & Schedule page appears. 4. Specify the Configuration settings: Setting Enabled Allow Run While Logged Off Description Run on the target machines. Only enabled configurations can run. Run even if no user is logged in. Clear this check box to run the item only when a user is logged in to the machine. 5. Specify the following settings: Setting Deploy to All Machines Limit Deployment To Selected Labels Limit Deployment To Listed Machines Description Deploy to all machines. Clear the check box to limit the deployment to specific labels or machines. Limit deployment to machines that belong to specified labels. To select labels, click Edit, select labels from the list, then click OK. If you select a label that has a Replication Share or an alternate download location, the appliance copies digital assets from that Replication Share or alternate download location instead of downloading them directly from the appliance. Note: The appliance always uses the KACE Alt Location before it uses a Replication Share. Limit deployment to specific machines. In the drop-down list, select the machine or machines you want to deploy to. If your list of machines is long, you can use the Filter field to filter the list by entering a few characters of the machine name. 72 Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

73 Using OVAL Security Features 6 Setting Supported Operating Systems Description Select the operating systems you want to deploy to. To select multiple items, use Ctrl-click or Command-click. Note: Leave all operating systems unselected to deploy to all supported operating systems. 6. In the Scheduling area, specify the time and frequency for running OVAL: Setting Don t Run on a schedule Run Every n minutes/hours Run Every day/specific day at... Run on the n th of every month/specific month at... Description Run in combination with an event rather than on a specific date or at a specific time. Run at a specified interval. Run daily at a specified time, or run on a designated day of the week at a specified time. Run on the same day every month, or a specific month, at the specified time. Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 73

74 6 Using OVAL Security Features Setting Custom Schedule Description Use standard 5-field cron format (extended cron format is not supported): * * * * * day of the week (0-6)(Sunday=0) month (1-12) day of the month (1-31) hour (0-23) minute (0-59) About standard cron format: Use a space to separate fields. For example, Use a comma to separate values within a field. For example, 1,3,7. Use a hyphen to indicate a range of values in a field. For example, 0-5. Use an asterisk (*) to include the entire range of values in a field. For example, * in the minute column specifies minutes Use a slash (/) to repeat an action at specified intervals. For example, if you specify the following value in the hour field, 0-23/2, the action is performed every two hours. This has the same effect as writing out the hour values as 0,2,4,6,8,10,12,14,16,18,20,22. Use an asterisk with a slash (*/) and a value to repeat an action at the specified interval. For example, */5 in the minute column repeats the action every 5 minutes. This has the same effect as 0/5 and 1-59/5. Examples: * * * * * Run every minute */30 * * * Run every 30 minutes * Run at 8:30 AM on Feb * 1 Run on the first Monday of each month at 9:00 AM 7. Click Run Now to run the script immediately. Tests run on the machines selected in the Deployment section. 74 Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

75 Using OVAL Security Features 6 Using the Vulnerability Report The Vulnerability Report shows all of the OVAL tests that were run. Accessing OVAL vulnerability reports To access OVAL vulnerability reports 2. Click Security > OVAL Assessment. The OVAL Vulnerability Assessment page appears. 3. Click Vulnerability Report. The OVAL Report page appears containing a list of vulnerability reports. Applying a label to affected machines From the Test detail view, you can view all the machines that failed the OVAL test, and you can assign a label to those machines so that you can patch them at a later time. To apply a label to affected machines 2. Click Security > OVAL Assessment. The OVAL Vulnerability Assessment page appears. 3. Click Vulnerability Report. The OVAL Report page appears. 4. Select the check box next to the test to which you want to apply a label. 5. In the Choose Action menu, select the appropriate label under Apply label to Affected Machines. You can also search tests by making the appropriate selection in the View by and View by class menus located in the top-right corner of the Viewing OVAL Computer Reports The Computer Reports link offers a list of machines with OVAL results. Here, you can view a summary of tests that were run on specific machines. The label under the Machine column in the OVAL Computer Report page is the K1000 Management Appliance inventory ID assigned by the Inventory component. For more information about any of the machines in the report, click the linked machine name to navigate to the machine s Inventory Detail Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 75

76 6 Using OVAL Security Features Accessing OVAL Computer Reports To access OVAL Computer Reports 2. Click Security > OVAL Assessment. The OVAL Vulnerability Assessment page appears. 3. Click Computer Report. The OVAL Computer Report page appears containing a list of OVAL computer reports. Creating security policies The Security component includes wizards that you can use to create security policies for deployment to Windows and Mac machines on your network. Creating Windows-based security policies The following sections provide details on the default Windows-based policies. Creating Enforce Internet Explorer Settings scripts on page 76. Creating Enforce XP SP3 Firewall Settings scripts on page 78. Creating Enforce Disallowed Programs Settings scripts on page 79. Creating Enforce McAfee AntiVirus Settings scripts on page 80. Configuring McAfeeSuperDAT Updater scripts on page 82. Creating Enforce Symantec AntiVirus Settings scripts on page 82. Creating Quarantine Policy scripts on page 84. Creating the Lift Quarantine Action scripts on page 85. Creating Enforce Internet Explorer Settings scripts The Enforce Internet Explorer settings policy allows you to control user Internet Explorer preferences. You can control specific preferences while keeping others as user-defined. Policy settings overwrite the corresponding user s Internet Explorer preferences. Because this script modifies user settings, schedule it to run when the user is logged in. To create Enforce Internet Explorer Settings scripts 2. Click Scripting > Security Policy. The Security Policy page appears. 76 Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

77 Using OVAL Security Features 6 3. Click Enforce Internet Explorer Settings. The Security Policy: Internet Explorer Policy page appears. 4. In the User Home Page section, select the Enforce user home page policy check box, then specify the URL to use as the home The User Home Page policy forces the user s home pages to the specified 5. In the Security section, select the Enforce Internet Zone settings policy check box, then choose the security level from the Security level drop-down list. The Security zone policies allow you to specify the security level for each zone. 6. Select the Enforce Local Intranet Zone settings policy check box, then choose the security level from the Security level drop-down list. 7. Specify the following settings: Include all local (intranet) sites not listed in other zones Include all sites that bypass the proxy server Include all network paths (UNCs) 8. Select the Enforce Trusted Zone settings policy check box, then choose the security level from the Security level drop-down list. 9. Select the Enforce Zone Map check box, then specify the IP addresses or ranges for the following zones: Restricted sites Local Intranet sites Trusted sites The Zone Map allows you to assign specific domains and IP ranges to zones. Domains that are not listed default to the Internet Zone. 10. In the Privacy section, select the Enforce Privacy settings policy check box, then set the Cookie policy. Privacy policies allow you to control the cookies that are accepted by Internet Explorer from the Internet Zone. 11. Select the Enforce pop-up settings policy check box. 12. Specify the following settings: Pop-up Filter Level Web sites to allow 13. Click Save. The Script: Edit Detail page appears. 14. Select Deployment and Scheduling options. For more information, see the Scripting section of the K1000 Administrator Guide. Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 77

78 6 Using OVAL Security Features 15. Click Save. Creating Enforce XP SP3 Firewall Settings scripts The Enforce XP SP3 firewall settings policy enables you to enforce firewall settings on target machines running Windows XP with Service Pack 3. You can enforce different policies based on whether the target machine is authenticated with a domain controller or is accessing the network remotely If your target machine has authenticated with a domain controller, it uses the Domain Policy; otherwise, it uses the Standard Policy. Therefore, you might want to configure it to impose tighter restrictions. To create Enforce XP SP3 Firewall Settings scripts 2. Click Scripting > Security Policy. The Security Policy page appears. 3. Click Enforce XP SP3 Firewall settings. The Security Policy: XP Firewall Config page appears. There are two types of policies described under the Windows XP SP3 Firewall Configurator section: Domain Policy: Used when the desktop machine has authenticated with a domain controller. If you do not have a domain controller, use the Standard Policy configuration. Standard Policy: Used when the desktop machine has not authenticated with a domain controller, for example, when a laptop user is at home or using a Wi-Fi hotspot. This configuration is more restrictive than the Domain Policy. 4. In either the Domain Policy or Standard Policy areas, indicate whether the firewall is Enabled, Disabled, or if No Policy is in effect. If the firewall is enabled, the policy settings override any settings the user might have set. If the firewall is disabled, the user cannot enable the firewall. If the firewall is set to No Policy, the user's configuration for the firewall are used. The following fields are available only if you select the Enabled option for the firewall. 5. Select or clear the Enable logging check box, then specify a location and name for the log file. By default, the log is stored in: C:\Program Files\KACE\firewall.log. Selecting the Enable Logging check box enables the firewall to log information about the unsolicited incoming messages that it receives. The firewall also records information about messages that it blocks and successful inbound and outbound messages. 78 Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

79 Using OVAL Security Features 6 6. Specify the following settings: Setting Allow WMI traffic Allow Remote Desktop Allow file and printer sharing Allow Universal Plugand-Play (UPnP) Description Enable inbound TCP traffic on ports 135 and 445 to traverse the firewall. These ports are necessary for using remote administration tools such as the Microsoft Management Console (MMC) and Windows Management Instrumentation (WMI). Enable inbound TCP traffic on port 3389 to traverse the firewall. This port is required for the machine to receive Remote Desktop requests. Enable inbound TCP traffic on ports 139 and 445, and inbound UDP traffic on ports 137 and 138. These ports are required for the machine to act as a file or printer sharing server. Enables inbound TCP traffic on port 2869 and inbound UDP traffic on port These ports are required for the machine to receive messages from Plug-and-Play network devices, such as routers with built-in firewalls. 7. To specify Inbound Port Exceptions, click Add Port Exception. 8. Inbound Port Exceptions enable additional ports to be opened in the firewall. These might be required for the machine to run other network services. An Inbound Port Exception is automatically added for port for the KACE Client Listener, which is required to use the Run Now function. Specify a Name, Port, Protocol, and Source for the exception. 9. Click Save. The Script: Edit Detail page appears. 10. Select Deployment and Scheduling options. For more information, see the Scripting section of the K1000 Administrator Guide. 11. Click Save. Creating Enforce Disallowed Programs Settings scripts The Enforce Disallowed Programs Settings policy allows you to quickly create a script that prevents specified programs from running on the target machines. This policy takes effect only when the resulting script is executed on a target machine and the machine is rebooted. On Windows XP or 2000, you can add a shutdown command as the last step of the script to force a reboot. The script created as a result of this wizard overwrites any disallowed program settings on the target machines. Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 79

80 6 Using OVAL Security Features To create Enforce Disallowed Programs Settings scripts 2. Click Scripting > Security Policy. The Security Policy page appears. 3. Click Enforce Disallowed Programs Settings. The Security Policy: Enforce Disallowed Programs page appears. 4. In the Policy Name field, enter a name for the policy. 5. Select or clear the Disallow programs check box. When selected, all disallowed programs cannot run. When cleared, all programs can run. 6. Add disallowed programs. For example, to prevent Notepad from running, enter notepad.exe. You can add more than one program. 7. Click Save. The Script: Edit Detail page appears. 8. Select Deployment and Scheduling options. For more information, see the Scripting section of the K1000 Administrator Guide. 9. Click Save. Creating Enforce McAfee AntiVirus Settings scripts The Enforce McAfee AntiVirus settings policy allows you to configure selective McAfee VirusScan features to be installed on all machines. This policy verifies that the software is installed with the configuration you specify. The policy also confirms that the On Access Scanner (McShield) is running. Zip the McAfee VirusScan installation directory and upload it to the appliance. A Software Inventory item is created automatically if it does not already exist. To create McAfee AntiVirus Settings scripts 2. Zip the McAfee VirusScan installation directory. 3. Click Scripting > Security Policy. The Security Policy page appears. 4. Click Enforce McAfee AntiVirus Setting. 80 Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

81 Using OVAL Security Features 6 The Security Policy: McAfee Policy Enforcement page appears. 5. Click Browse or Choose File to search for the McAfee zip file. 6. Use the User Interaction drop-down list to specify how the installation appears to your users. For a description of the available options, refer to the McAfee documentation. 7. Select the McAfee Features to install. Use Ctrl-click or Command-click to select multiple features. To install the Alert Manager, use the McAfee tools to include the Alert Manager installation files in the deployment package. See the McAfee documentation for specific information about the features available here. 8. Select or clear the following check boxes depending on your configuration: Enable On Access Scanner Lockdown VirusScan Shortcuts Preserve earlier version settings Remove other anti-virus software 9. Specify the location on the target machine where the following files will be installed: Install Directory (McAfee installation directory) Alert Manager Source Path SITELIST.XML Source Path Desktop Firewall Source Path EXTRA.DAT Source Path 10. In the Logging list, select the information you want to log. Use Ctrl-click or Command-click to select multiple items. 11. Enter a filename for the log in the Log File Name field. 12. Enter any additional arguments in the Additional Arguments field. 13. Select the appropriate reboot option from the Reboot drop-down list. 14. Enter the behavior following installation using the After Installation drop-down list. Options include Run AutoUpdate or Run AutoUpdate silently. You can also select to Scan all local drives or Scan all local drives silently. 15. Click Save. The Script: Edit Detail page appears. 16. Select Deployment and Scheduling options. For more information, see the Scripting section of the K1000 Administrator Guide. 17. Click Save. Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 81

82 6 Using OVAL Security Features Configuring McAfeeSuperDAT Updater scripts The McAfee SuperDAT update policy allows you to build a script for applying McAfee SuperDAT or XDAT updates. There are several steps involved in creating this script: Specify the update files and reboot behavior on the target machines. Select the software packages to push to target machines during update. Verify the network scan status. To create McAfeeSuperDAT Updater scripts 2. Click Scripting > Security Policy. The Security Policy page appears. 3. Click McAfee SuperDAT Updater. The Security Policy: McAfee SuperDAT Configurator page appears. 4. Enter a file name in the SDAT or XDAT file field. 5. Click Browse or Choose File to search for the SDAT or XDAT file. 6. Set update options: Setting Install Silently Prompt for Reboot Reboot if Needed Force Update Description Install the file without providing installation feedback or progress on the user s machine. If the installation requires the machine to be rebooted, prompt the user before rebooting. Reboot machine as needed. Without this option, a silent installation does not reboot the machine. Update all file versions, even if the machine already appears to have the latest versions. 7. Click Save. The Script: Edit Detail page appears. 8. Select Deployment and Scheduling options. For more information, see the Scripting section of the K1000 Administrator Guide. 9. Click Save. Creating Enforce Symantec AntiVirus Settings scripts The Enforce Symantec AntiVirus Settings script allows you to configure which Symantec AntiVirus features are installed. It verifies that the software is installed with the configuration you specify here. This policy is intended to run periodically to ensure that Symantec AntiVirus is configured and running properly. 82 Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

83 Using OVAL Security Features 6 To create Enforce Symantec AntiVirus Settings scripts 2. Click Scripting > Security Policy. The Security Policy page appears. 3. Click Enforce Symantec AntiVirus Settings. The Security Policy: Symantec AntiVirus page appears. 4. From the Action drop-down list, specify the action to perform: Install Uninstall Repair missing files Reinstall all files 5. From the Software drop-down list, select the software package to use for this script. 6. If the software package is zipped, enter the MSI file name in the MSI Filename field. 7. Use the User Interaction drop-down list to specify how the installation should appear to your users. 8. Specify the install directory in the Install Directory field. 9. Specify any additional switches in the Additional Switches field. 10. Specify any additional properties in the Additional Properties field. 11. Specify behavior after installation in the After Install field. 12. Select a restart option from the Restart options drop-down list. 13. Select the information you want to log in the Logging list. Use Ctrl-click or Command-click to select multiple items. 14. Enter a file name for the log in the Log File Name field. 15. Select a network type from the Network Management drop-down list. 16. Specify the server name, if required, in the Server Name field. This field is mandatory if you select Managed from the Network Management drop-down list. 17. Set the AutoProtect option using the Enable AutoProtect drop-down list. 18. Set the Disable SymProtect option using the Disable SymProtect drop-down list. 19. Set the Live Update behavior using the Run Live Update drop-down list. 20. Select the features you want to install from the Features to Install list. Use Ctrl-click or Command-click to select multiple features. See the Symantec documentation for specific information about the options available here. You must include the SAVMain feature for this script to work properly (although this wizard does not enforce this requirement). 21. Click Save. Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 83

84 6 Using OVAL Security Features The Script: Edit Detail page appears. 22. Select Deployment and Scheduling options. For more information, see the Scripting section of the K1000 Administrator Guide. 23. Click Save. Creating Quarantine Policy scripts Use the Quarantine Policy wizard to create a script that you can use to quarantine machines. The script that is created as a result of this wizard is merely a template. Use the script editor to modify the template script and add the appropriate verification steps to decide which machines to quarantine. When a machine is under quarantine, all communication from it is blocked except for communication to the K1000 Management Appliance. Use care when performing this action. If you were to deploy this accidentally to all machines on your network, you could take your network down very quickly. After a user s machine is in quarantine, it cannot be reversed without intervention by the K1000 Management Appliance administrator. The user cannot recover from this without you taking some action. Quarantined machines only have access to the K1000 Management Appliance to receive a Run Now event to lift the quarantine. To create Quarantine Policy scripts 2. Click Scripting > Security Policy. The Security Policy page appears. 3. Click Quarantine Policy. The Security Policy: Quarantine page appears. 4. (Optional) Enter a policy name in the Policy Name field. Enter a meaningful name that relates to the vulnerability, so that you can lift the quarantine later once that vulnerability is resolved. 5. Leave the K1000 Management Appliance Server IP unchanged in the K1000 Server IP field 6. Specify the DNS Server IP address in the DNS Server IP field. 7. Modify the Message dialog text as required in the Message Dialog field. Users see this message before the appliance places their machine in quarantine. 8. Modify the description text in the Description field as required. 9. Click Save. The Script: Edit Detail page appears. 10. Select Deployment and Scheduling options. For more information, see the Scripting section of the K1000 Administrator Guide. 84 Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

85 Using OVAL Security Features 6 Modify the Verify steps in the Script: Edit Detail page to determine the conditions under which you want the quarantine to take effect. Although it is not enabled automatically, it is configured to deploy to everyone. For more information on how to modify the Verify steps, see the K1000 Administrator Guide. For example, you can add a step under verify, to check whether the file K1000Client.exe exists on the target machine. You can define a log message, create a message window, or launch a file. The file kbq2.exe is launched for quarantine. 11. Click Save. Creating the Lift Quarantine Action scripts To create Lift Quarantine Action scripts 2. Click Scripting > Security Policy. The Security Policy page appears. 3. Click Lift Quarantine Action. The Security Policy: Lift Quarantine Action page appears. 4. From the Labels drop-down list, select the label (under the Labeled Machines section) for the quarantined machines, or select the specific machine from the Machines list in the Specific Machine(s) section to remove the quarantine. You can filter the machine list by entering any filter options. 5. Click Send Lift Quarantine Now. If there are many quarantined machines, it can take time for all of them to receive and process the request. Creating Mac OS-based security policies The Security component includes wizards that you can use to create the following security policies for deployment to Mac OS-based machines on your network: Creating Enforce Firewall Settings scripts on page 85 Creating Enforce Parental Controls scripts on page 86 Creating Enforce Security Settings scripts on page 86 Creating Enforce Firewall Settings scripts The Enforce Firewall Settings scripts is a security policy that allows you to protect your Mac OS systems. Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 85

86 6 Using OVAL Security Features To create Enforce Firewall Settings scripts 2. Click Scripting > Security Policy. The Security Policy page appears. 3. In the Macintosh section, click Enforce Firewall Settings. 4. The Security Policy: Mac Application Layer Firewall page appears. 5. Choose the firewall settings. 6. In the Trusted Applications section, enter the full path to the application binaries, for example: /Applications/Safari.app/Contents/MacOS/ 7. Click Save. The Script: Edit Detail page appears. 8. Select Deployment and Scheduling options. For more information, see the Scripting section of the K1000 Administrator Guide. 9. Click Save. Creating Enforce Parental Controls scripts To create Enforce Parental Controls scripts 2. Click Scripting > Security Policy. The Security Policy page appears. 3. In the Macintosh section, click Enforce Parental Controls. 4. Click Save. The Script: Edit Detail page appears. 5. Select Deployment and Scheduling options. For more information, see the Scripting section of the K1000 Administrator Guide. 6. Click Save. Creating Enforce Security Settings scripts To create Enforce Security Settings scripts 86 Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

87 Using OVAL Security Features 6 2. Click Scripting > Security Policy. The Security Policy page appears. 3. In the Macintosh section, click Enforce Security Settings. 4. Click Save. The Script: Edit Detail page appears. 5. Select Deployment and Scheduling options. For more information, see the Scripting section of the K1000 Administrator Guide. 6. Click Save. Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 87

88 6 Using OVAL Security Features 88 Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

89 7 Using SCAP This section provides information about using the SCAP/FDCC Configuration Scan component of the Dell KACE K1000 System Management Appliance to scan client machines using Secure Content Automation Protocol (SCAP). Topics in this section: Overview on page 89 More about SCAP (Secure Content Automation Protocol) on page 91 About benchmarks on page 91 How a SCAP scan works on page 92 Overview of the SCAP Scan tab on page 93 SCAP scan scheduling on page 95 Editing a SCAP scan schedule on page 96 SCAP scan results on page 100 Getting the Benchmark archive on page 102 Overview The SCAP/FDCC Configuration Scan component of the K1000 Management Appliance imports a security configuration checklist from the National Checklist Repository. After importing the K1000 Management Appliance verifies the checklist and performs compliance checking using the K1000 Agent on each client machine. The scan implements compliance checking of a SCAP 1.1 data stream written in the XML formats using the following SCAP standards: XCCDF, CCE, CPE, and OVAL (defined in the next section: Definitions on page 90). The agent performs the compliance check at a scheduled time and generates several files in OVAL format containing the CPE and CCE tests. These results files are then uploaded to the K1000 appliance s Organization database and collated into a single results file for reporting to a government agency (if required). Results are also displayed for each machine on the appliance s SCAP Configuration Scan Results SCAP supported platforms SCAP has been certified to run on these Windows platforms: Windows 7, Windows Vista, and Windows XP. Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 89

90 7 Using SCAP Definitions This section provides definitions of each SCAP protocol and briefly describes how it is implemented in the K1000 Management Appliance. Standard SCAP XCCDF CCE CPE OVAL Definition Secure Content Automation Protocol is a set of open standards that enumerate software flaws, monitor security-related configurations and product names, and examine machines to determine the presence of vulnerabilities and rank (score) the impact of the discovered security issues. SCAP is more fully described in More about SCAP (Secure Content Automation Protocol) on page 91. The extensible Configuration Checklist Description Format is a specification language for writing security checklists, benchmarks, and related documents. An XCCDF file contains a structured collection of security configuration rules for a set of target machines. The specification is designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and compliance scoring. Information about how XCCDF is implemented in the K1000 Management Appliance is described in How a SCAP scan works on page 92. Common Configuration Enumeration provides unique identifiers to system configuration issues for facilitating fast and accurate correlation of configuration data across multiple information sources and tools. The compliance checking results produced by the K1000 Management Appliance SCAP scan include the relevant CCE ID references for XCCDF and OVAL definitions for every rule checked as designated by the checklist definition. CCE information is available both in the XCCDF result file and the appliance s SCAP Configuration Scan Results Common Platform Enumeration is a structured naming scheme for information technology systems, platforms, and packages. Based on the generic syntax for Uniform Resource Identifiers (URI), CPE includes a formal name format, a language for describing complex platforms, a method for checking names against a system, and a description format for binding text and tests to a name. In essence, CPE ensures that the security checklist is applied to the correct platform. This information is available both in the XCCDF result file and the appliance s SCAP Configuration Scan Results Open Vulnerability and Assessment Language is an international, information security, community standard for promoting open and publicly available security content. It standardizes the transfer of this information across the entire spectrum of security tools and services. The results of each OVAL test are written to several files on the target machine and then compiled into a single result file on the appliance and displayed on the SCAP Configuration Scan Results 90 Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

91 Using SCAP 7 More about SCAP (Secure Content Automation Protocol) SCAP (Secure Content Automation Protocol), is a set of open standards that enumerate software flaws, monitor security-related configurations and product names, and examine systems to determine the presence of vulnerabilities and rank (score) the impact of the discovered security issues. SCAP provides: Security configuration monitoring of machines that have different operating systems and software applications. System security status at any given time. Compliance for various sets of security requirements. A standardized, automated way to perform security tasks. Interoperability across security tools. These features improve software security and help avoid delays in threat assessment, decision-making, and vulnerability correction. SCAP utilizes the National Vulnerability Database (NVD). NVD is the United States government standards-based vulnerability management data repository. NVD includes databases of security checklists, security-related software flaws, misconfigurations, product names, and impact metrics. For more information on SCAP and NVD, see the National Institute of Standards and Technology (NIST) web sites at and About benchmarks A benchmark is a security configuration checklist. (The terms benchmark and checklist are interchangeable.) A benchmark is a series of rules for evaluating the vulnerabilities of a machine in a particular operational environment. NIST maintains the National Checklist Repository ( that contains a variety of security configuration checklists for specific IT products and categories of IT products. You can browse and search the repository to locate a particular checklist using a variety of criteria. You can tailor these checklists to meet your particular security and operational requirements. The checklists are XML documents. Two standards currently exist: FDCC (Federal Desktop Core Configuration): Addresses Microsoft Windows Vista and XP operating systems. USGCB (United States Government Configuration Baseline): Evolved from the FDCC and currently addresses Windows 7 and Internet Explorer 8. A checklist consists of a ZIP file that contains several XML files called a SCAP Stream. The primary file in the Stream is the XCCDF file. The XCCDF file is a structured collection of security configuration rules for a set of target machines. Essentially, it is a list of OVAL tests that should be run. The other XML files contain the OVAL tests specified in the XCCDF file. For detailed information on the XCCDF Specification, see specifications/xccdf/. Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 91

92 7 Using SCAP A benchmark can contain one or more profiles. A profile specifies the rules that run on specific kinds of machines. For example, a benchmark might contain one set of rules for desktops and another set for servers. How a SCAP scan works The K1000 Management Appliance imports a benchmark into the K1000 server. During the import process the benchmark is verified. After importing, the benchmark is loaded into the server and the XCCDF file undergoes a process called resolution. During resolution, the oval-command.zip file is generated. This ZIP file contains the input files necessary to run a particular profile. You can view the files on the Script: Edit Detail See SCAP scan scheduling on page 95. The SCAP scan is controlled by a KScript. When the scan runs, the following files are downloaded to the client as script dependencies: benchmark.zip: contains the benchmark files, that is, the SCAP Stream that was uploaded to the K1000 Management Appliance. (The XCCDF file is not actually used by the client.) oval-command.zip: contains the input files generated by the XCCDF. oval.ref.zip: contains the OVAL scanning engine (ovaldi.exe). The KScript initiates the OVAL scans on the client machine and generates several results files. The OVAL scanning engine runs two or three times: The first run checks that the target machine is the correct platform for that benchmark profile using the CPE files contained in the Benchmark. The second run checks the vulnerability of the machine using the rules defined in the benchmark. It implements the CCE standard. The third run checks that the security patches are up-to-date. Each run generates a results file. These files are named according to the run. For example, the file from the first run is named scap-profile-10-result-1.xml and the second is named scap-profile-10-result-2.xml. These files are located in the following directories: Windows XP: C:\Documents and Settings\All Users\Dell\KACE\kbots_cache\packages\kbots\<working directory> Windows Vista and Windows 7: C:\ProgramData\Dell\KACE\kbots_cache\packages\kbots\<working directory> To find the Agent s working directory, click Scripting Logs in Inventory > Computers > Computers: Detail Item page > Logs. These results files are then uploaded to the K1000 server and collated into a single results file (xccdf-results.xml). You can use this file for reporting the results to a government agency such as the OMB (Office of Management and Budget). The K1000 server and client machine retain only the latest results files. 92 Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

93 Using SCAP 7 In the final step of a run, a subset of the results files are extracted and stored in the Organization database for reporting and displayed on the SCAP Configuration Scan Results page for each machine. The database Tables that contain this information are SCAP_RESULT, SCAP_RESULT_RULE, and SCAP_RESULT_SCORE. See SCAP scan results on page 100. Overview of the SCAP Scan tab The SCAP Scan tab is the primary page for accessing the K1000 Management Appliance SCAP functionality. To access the SCAP Scan tab 2. Click Security > SCAP Scan. The SCAP/FDCC Configuration Scan page has three links: Benchmarks: shows the status of SCAP benchmarks. Additionally from this page, you can import checklists, delete checklists, and export a checklist to CSV format. Scan Schedule: displays the name of the benchmarks and when they are scheduled to run. Additionally from this page, you can add and delete benchmarks, enable or disable benchmarks, and export a benchmark to CSV format. Scan Results: shows the general results of SCAP scans. The page also displays a dashboard that shows the results by benchmark. For a machine to pass a benchmark, it must score 100%. Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 93

94 7 Using SCAP Viewing benchmarks The following instructions provide information accessing the SCAP Benchmarks page, where you can manage XCCDF checklists, see the time and date of the scan, and view scan summaries. Additionally, with the Choose Action button, you can import checklists, delete checklists, and export a checklist to CSV format. To view benchmarks: 2. Click Security > SCAP Scan > Benchmarks. The SCAP Benchmark page appears. 3. (Optional) Specify which benchmarks are displayed using either the View by dropdown list or Search field. You can search by partial string in the title or identifier. 4. (Optional) To sort the Benchmarks, click a column heading. 5. Click a Benchmark - Profile to view more information about a particular Benchmark. The SCAP Benchmark page appears. The SCAP Benchmark page contains general information about the selected benchmark and the time and date that the SCAP data (XCCDF, CCE, CPE, and OVAL) was uploaded to the K1000 Management Appliance. See Getting the Benchmark archive on page 102. Importing and loading a benchmark You can download benchmarks from the National Checklist Repository at checklists.nist.gov/. You can modify the downloaded benchmarks or create your own benchmarks. After the benchmarks are downloaded and ready for use, import them into the K1000 Management Appliance. To import and load a benchmark: 2. Click Security > SCAP Scan > Benchmarks. The SCAP Benchmark page appears. 3. In the Choose Action menu, select Import New Checklists. The SCAP Configuration Scan Settings page appears and displays Step 1, Benchmark Selection of the import wizard. 4. Click Browse or Choose File to import the Benchmark ZIP file from your machine. 5. Click Next. 94 Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

95 Using SCAP 7 A dialog box appears indicating that the file is being uploaded. After the file is uploaded, a message appears on the SCAP Configuration Scan Settings page that the import was successful. The K1000 Management Appliance verifies that the ZIP file contains valid benchmarks. If no valid benchmarks are present, an error message appears and the file is not uploaded. 6. Select a benchmark in the Select a profile to scan drop-down list, then click Next. The wizard displays Step 2. Oval Scan Engine. 7. Select the OVAL Engine that you what to use in the Scan using existing engine dropdown list. The default engine is MITRE s OVAL Interpreter (ovaldi.exe). The K1000 automatically downloads updates to this engine when Dell KACE certifies and releases new versions of the engine and OVAL definitions. 8. (Optional) Click Browse or Choose File to find and upload a custom engine and its configuration files. A dialog box appears indicating that the file is being uploaded and a message appears on the SCAP Configuration Scan Settings page that the engine was successfully imported. Use a custom engine if you need local control of the OVAL engine or if you do not want automatic updates to change the engine. The custom engine must be a ZIP file of a folder containing the custom ovaldi.exe and any necessary configuration files required to run the engine. This ZIP file replaces the ovalref.zip dependency file in the SCAP scan script. See Viewing the resolved XCCDF files on page Click Next. A dialog box appears indicating that the benchmark file is being loaded, followed by the Script: Edit Detail See Editing a SCAP scan schedule on page 96. SCAP scan scheduling The SCAP Scan Schedules page provides information about the benchmarks files that have been loaded into the K1000 Management Appliance. From this page you can enable, disable, run, export to CVS format, and access the Script: Edit Detail The SCAP Scan Schedules page displays a list of KScripts for running the SCAP scans. After a checklist is imported and loaded into a KScript, use this page to access the Script: Edit Detail To use SCAP scan scheduling Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 95

96 7 Using SCAP 2. Click Security > SCAP Scan > Scan Schedules. The SCAP Scan Schedules page appears. 3. Use the Choose Action button to add and delete benchmarks, enable or disable benchmarks, and export a benchmark to CSV format. 4. Click a benchmark to edit its schedule. The Script: Edit Detail page appears. 5. Scroll down the page to the Scheduling section and make the necessary changes. Editing a SCAP scan schedule You can view or edit a benchmark schedule on the Script: Edit Detail This page allows you to manage and customize scripts for configuring, scheduling, and specifying which machines the SCAP scan runs on. The scripts for SCAP are regular KScripts. This section does not provide information about every feature available on the Script: Edit Detail page; it only contains information pertinent to using and understanding a SCAP scan. For more detailed information on editing a KScript, see the K1000 Administrator Guide. You can access the Script: Detail page from the Benchmark wizard, as described in Overview of the SCAP Scan tab on page 93 and from the SCAP Scan Schedules page, as described in SCAP scan results on page 100. Viewing the resolved XCCDF files As mentioned in How a SCAP scan works on page 92, a benchmark is loaded into the server and the XCCDF file undergoes a process called resolution, which generates the input files necessary to run a particular profile. This section describes how to view these files. To view the resolved XCCDF files 2. Click Scripting. The Scripts page appears. 3. Click the name of a script. 4. On the Script: Edit Detail page, scroll down to the Dependencies section. 96 Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

97 Using SCAP 7 5. (Optional) To add any supporting executable files necessary to run the script, click Add a new dependency, then click Browse or Choose File. 6. (Optional) To view the details of these files, click and download the selected ZIP file. 7. To see how these dependency files are executed, view the Task sections. Figure 7-1 on page 99 shows specific actions of how the script executes the scan. Viewing the OVAL timestamp This section provides information on how to view the OVAL timestamp (the time the OVAL document was compiled). To view the OVAL timestamp: 2. Click Scripting. The Scripts page appears. 3. Click the name of a script. On the Script: Edit Detail page, scroll down to the Dependencies section. 4. Click benchmark.zip. and extract the OVAL XML file. For example, fdcc-winxp-oval.xml. 5. In the OVAL file, look for <oval:timestamp>. Viewing script tasks To view script tasks 2. Click Scripting. The Scripts page appears. 3. Click the name of a script. 4. On the Script: Detail page, scroll down to the Task sections. Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 97

98 7 Using SCAP The Task sections are displayed on the Script: Detail page, as shown in Figure 7-1 on page 99. The Task 1 section shows the execution of oval-command.bat file, which runs the OVAL scanning engine. Task 2 verifies that the results files exist and if successful, those files are uploaded to the K1000 Server. 98 Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

99 Using SCAP 7 Figure 7-1: SCAP Task Sections Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 99

100 7 Using SCAP SCAP scan results The Scan Results page shows the results of SCAP scans per machine. From this page you can access detailed information about each scan. To view SCAP scan results 2. Click Security > SCAP Scan > Scan Results. The SCAP Configuration Scan Results page appears. 3. (Optional) To display the results for a specific benchmark, select the desired benchmark in the View by drop-down list. The results page contains the following information: Section Machine Benchmark - Profile Scanned On Pass Fail Other Total Description The machine on which the scan was run. The particular profile in a benchmark that was used. The date and time that the scan was run. The number of rules that the machine passed. The number of rules that the machine failed. The number of rules having other values such as error, unknown, not checked, not applicable, and informational. The XCCDF specification also defines not selected, which is excluded from the results. The total number of rules that were executed. % Pass The percentage of rules that were passed. Score The default score defined by the benchmark. 4. To view the details on a particular machine, click its name in the Machine column. 100 Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide

101 Using SCAP 7 A page containing the details of the scan result for the selected machine appears. The following table describes each section in more detail: Section Summary Test Results Scores Results by CCE Description General information about the benchmark. Test results in a tree structure that represents the grouping of the rules. Symbols display the pass-fail status of a rule. You can click a rule to open a dialog box containing the rule s details. Compliance scores for each scoring model as defined for the benchmark. Pass-fail results by CCE. The FDCC requires that compliance is reported by CCE. Dell KACE K1000 System Management Appliance Version 5.4, Patching and Security Guide 101