This is the latest blog post in my "Third party patching with Secunia CSI" series. In the previous post we started using the CSI portal but now we will look at the first portal configurations.
(As before you must use Internet Explorer to use the CSI portal. You must run IE as Administrator in order to complete the WSUS configuration).
Live Update is not activated by default (I think it should be). When Live Update is activated, scan results are updated in real time as new vulnerabilities are discovered. This may have an effect on your compliance but I believe that these issues should be highlighted quickly.
In the CSI portal navigate to Configuration > Settings and check Activate Live Update. Note that this only comes into effect from this point and has no effect on historical data or reporting.
Also check the box to choose your email recipients for notifications.
Now we will connect CSI to our WSUS/Configuration Manager environment. Navigate to Patching > Configuration > WSUS/System Center.
See that it is currently "disconnected". Of course it is. We have to configure the integration. See the error "the Secunia CSI plugin for Microsoft WSUS could not be loaded". There are some prerequisites:
- .Net Framework 4.5
- Visual C++ Runtime 2012
- WSUS console
Download and install Microsoft Visual C++ 2012.
Now we can access the WSUS configuration.
Side note: during the WSUS integration we will create a self-signed certificate that will be published to the certificate stores on the local server. This is not allowed by default on Windows Server 2012 R2 (it has been deprecated). You can get around this problem by creating a registry key.
Navigate to HKLM\Software\Microsoft\Update Services\Server\Setup and create a DWORD (32-bit) key.
Call the key EnableSelfSignedCertificates and set the value to 1
Now click on "Configure Upstream Server" to launch the CSI WSUS Configuration Wizard.
In step 1 enter the WSUS server name and port used.
Step 2 deals with the self-signed certificate. If you have ever implemented a System Center Updates Publisher solution you will have carried out this process manually. Secunia have done a good job in automating the process.
Click "Automatically create and install certificate"
Click OK to continue.
The certificate is created and installed in the Trusted Root Certificate Authorities and Trusted Publisher stores on the local server.
In step 3 select "Use System Center to distribute packages". The wizard will automatically a GPO that will allow SCCM/WSUS to distribute non-Microsoft packages (as with SCUP). Essentially the GPO allows you to deploy the self-signed certificate to your servers and workstations.
Select "Create Group Policy"
Click OK to create the GPO.
The GPO has been created.......
....and you can close the configuration wizard.
See that you are now "connected" to WSUS/SCCM.
This is the GPO that was automatically created.
Details of the GPO.
You should now link the GPO to the required OUs to deploy the self-signed certificate.
I've carried out all this configuration by using an IE session directly on the SCCM server. This might not always be the preferred option. Note that if you are carrying out the configuration on a desktop then the operating system of desktop and server must be part of the same family (eg Windows Server 2012 R2 and Windows 8.1).