MNSCUG September 2018 Meeting Notes
Notes taken by MNSCUG Attendee Andre Dupre
Update Strategies Review
Packaging vs Patching
Flexera - sponsor
- Let's try something different than a demo
- Strategies that orgs are using to address vulnerabilities
- Focused on whole life-cycle of software (buy, manage, secure, retire)
- Majority of vulns are non-Microsoft
- ~77% are non-Microsoft
- ~23% are Microsoft products
- Most orgs think "yeah, I've got Adobe, Java, iTunes managed", but there are thousands of other apps out there. Most of these are unaddressed (7-Zip, PuTTY, more obscure ones).
- Addressing vulnerabilities
- Apply incremental security patches
- Focus on the usual suspects (MS, Adobe, Java, Browsers, iTunes)
- Managing all apps harboring vulnerabilities
- Some people follow the NIST guidelines on what to patch. Sometimes it is driven by the news cycle: when the higher-ups see a new vuln disclosed in a high-profile way, that generates the will to get the work done.
- Question - what about the software management part?
- How to determine if software is being used? Etc.
- Answer - not in this talk, sorry, but another person at Flexera can talk about the FlexNet management suite, which helps to manage software assets. They've now married that asset management with the vulnerability management that came from Secunia.
- How applications are introduced into our orgs and what happens after that?
- Purposeful apps
- Come from us, we put it into SCCM intentionally
- Other apps
- Typically come from users with admin rights out in the wild.
- Deployment of Purposeful apps
- You plan
- Create collections and filters.
- Deploy the app
- Except not actually
- Vulnerability scanner (typically from Sec team) relies on
- Known vulnerabilities
- Once we find them, we know we are exposed and the clock starts ticking on how fast we can remediate.
- These vuln scans usually contain CVEs, but maybe not how many machines have the vulnerable software or whether there's a new patched version to install. These are not terribly meaningful to app packagers…
- So once the SCCM admin gets the call from Sec Team they have to
- Determine what/how to patch
- Plan the deployments
- Package the apps
- Problems with this traditional approach
- If your collections are not correct (some new PCs have the software, some PCs don't), then when you deploy you miss machines or deploy to machines that don't need it.
- Alternative approach
- Instead of building new packages you push updates (SCUP or similar)
- This way we don't need to target anyone; the Windows Update Agent figures it out for us. The client determines whether it needs the patch and applies it.
- There's still a need to update your base apps so that clients get the latest versions of apps in Software Center / OSD.
- Some apps of course also must not be patched - special custom apps, etc.
- Some apps cannot be patched due to size (Adobe Photoshop, for example, has updates that are too large for WSUS).
- Some of the patches you will want to customize - Flexera allows you to customize the update.
- One example is that they have a "clean install" switch to remove prior versions
- Deploying updates via WSUS + ConfigMgr with a Catalog service
- Some of these don't let you customize the install (just running silently)
- Sometimes generates extra noise with meta-data filling WSUS/CM
- Doesn’t address new app deployments (your source packages)
- Ideal solution
- Dedicated vulnerability research team to determine all of the problems.
- All vuln data tested and verified for you
- Dashboard that shows what is currently installed, secured, EoL, etc to the operations/desktop/patching teams
- Provide selected group of patches that you specifically need for your environment
- Provides pre-built and pre-tested patches
- Create templates to apply patch customizations (so that the next update to Java you just apply your template automatically to preserve your customizations)
- Allows you to publish custom patches
- Scan your repository of packages to let the packaging team know when those sources are vulnerable - we don't want to introduce insecure software to new machines. (Newer Flexera improvement.)
- Purposeful apps
Discussion with Group
- F: Do you (SCCM admins) often butt heads with sec teams?
- Yes - they want it faster but may not understand the amount of work it takes, or they do and maybe they are willing to pay for it.
- Can we use PowerShell to customize our patches?
- Not yet - but it is future steps. Current focus is on automation - next Flexera wants to do customization.
3 Part ConfigMan-stravaganza
VSCode Like a Boss
Should be pretty basic stuff here - mainly daily tips and tricks, please shout out questions/comments
VSCode is the GREATEST thing since sliced bread - it is free and there's a million ways to do everything
Can handle any programming language you can think of (IDE sprawl is gone). Linux and Mac of course have had this for a while, but finally in the Windows world we can do this. Even some Linux people are doing this now. Last year at Linux-con ~80% of presenters used VSCode.
Even XML and JSON are great - auto-formatting.
Chrome OS released an update to run Linux apps - you can do VSCode on a Chromebook!
There's a system version and a user version - the user version makes it easy to let people install without packaging (no admin rights). Updates regularly.
There's also a portable version (this one prompts for updates, it can't do them automatically) that lets you keep all your settings with you.
There is an insider edition - you too can be the cool kid on your cube-block, rocking the latest version before most people get it.
This is a very configurable program. You can open Settings > view the settings file, then edit the settings directly. It auto-completes settings as you start typing them. For example, you can set your default language to Markdown or PowerShell (whatever you like).
"editor.renderWhitespace": "all", to show you when you have trailing spaces
Weird characters that don't render get called out here!
If you hate the minimap you can get rid of that too, every setting is customizable
You have workspaces on the left, where you have folders with files in them. They don't all have to live together; the workspace is a way to organize them while you're working on them. You can even have different settings for each workspace (for example, the default language).
F1 gets you to the command palette, which shows you the command and its shortcut.
You should learn the keyboard shortcuts to really save time.
Icon themes - you can do minimal, normal, ISE, even cats!
Zen mode - full-screens just the code-writing section and hides everything else.
Side-by-side editor - this is gold if you're doing Pester tests. Great for lots of other times too. The Compare is outstanding. Compare works with source control tracking too… somehow? If you have GitLens installed it even tells you who made the change.
Ctrl+P will help you find files within folders. You can find/replace (with regex even) within files too.
- Question - can you format my TSQL?
- If you want to format, select your code > right click > Format Selection. This formats it according to the style set in your settings. For PowerShell the choices are Allman, OTBS, and Stroustrup.
Markdown is the cleanest, meanest way to write notes - especially technical documentation.
There are plugins to make the style work on different platforms (like GitHub, which has its own flavor of Markdown).
When you take notes you can see in real time what it will look like when rendered.
SQLConnect extension from Microsoft
Does great at basic stuff. Can't do analytics or the query analyzer, etc., but you can do quick functional SQL in one place without needing to open SSMS. Update: the newest version can make T-SQL pretty, as Brian had asked.
The PowerShell extension has all of the same functions as ISE. It has a separate PowerShell profile from ISE, so you can customize it however you want.
If you have an error, you can Ctrl+click it and it will take you directly to the line in whatever file the error came from.
Hold Shift+Alt and you can click and drag a box (column selection) to select code, which is neat.
Multi-select allows you to select multiple things and change them all at once
- Question - how the hell did you find all this stuff out?
- (Fred) I live in the program. I read release notes
Jeff Carreon has a script for WSUS maintenance - perhaps a free alternative to Adam's.
Function definition - if you hit F12 on a function call it takes you straight to the definition of that function. You can do Find All References too, so you can easily see where everything is used.
ISE has a debugger, but VSCode can do things like set a watch on a variable. You no longer have to debug by doing things like write-host "I broke here".
You can do remote debugging! Wtf?
Extensions talked about:
Markdownlint - helps you do markdown right
GIT with IT
VSCode works with git really well.
The best way to get used to GIT is by using it. Get yourself familiar, you need source control.
Recommendation: do not commit directly to your master branch, but into a separate branch for testing and then merge.
You can run git commands to checkin/out your changes right from the editor and the files update live.
Merge conflicts are gonna happen. It's terrifying the first couple of times. Do not fear the merge conflicts!
A merge conflict will happen if you have two different changes to the same lines within the same file and merge them together. A merge conflict is git's way of telling you that it needs a human to reconcile the change.
It's very hard for you to mess up git so badly that you can't recover.
Within VSCode it highlights the current and incoming changes and you can pick which one to accept.
Recommended: tiny commits that can be reviewed by a person in an hour.
Datamining with Style!
- Every time there's a talk about SQL, the presenters use views and tables interchangeably.
- Queries make sense to SQL, Views make sense to people
- A view is a saved query that joins tables together and presents the result in a way that makes sense to people.
- Why do programmers use Views?
- Ex: package status - view definition
- Right click on a view > new query, it will show you the definition
- Microsoft recommends that you use views. They will change tables, but they try not to change views.
- When you query a view it can have multiple tables that it is pulling from
Recommendation - don't do "Select *" because you may not realize how many tables you're pulling back and you might kill your SQL instance.
Recommendation - join on integers (or indexed columns), not strings. Easier on SQL.
- Indexed columns - for columns that are queried/used frequently, SQL keeps an index, an organized copy of that column's data, so that it can find matching rows faster.
- Indexed: you know that beef is in the deli area of the grocery store. When asked to go get beef, you go directly to the deli and find beef.
- Unindexed: go get cereal. Well, I don't know where cereal is, so I go up and down every aisle until I find it.
- You can create custom indexes but be careful and use the analyzer. The built in ones are pretty good so add sparingly.
- Ola Hallengren's index maintenance scripts will help make sure your indexes are nice and neat.
- If using temp tables, be sure to drop one of the same name if it already exists (it's temp, right? So that's fine). Temp tables don't persist between connections, but it is best practice to drop them at the end of your session anyway.
- We want to find all OS not in certain collections, but this will hit v_FullCollectionMembership (twice in this example), which is very large and will be very slow.
- To fix this, we create a temp table which pares down and pulls in v_FullCollectionMembership once.
- Then we query against that temp table. In this demo this goes from 250+ million rows down to 40 million rows.
SQL is really good at LEFT JOIN: take two tables and stick them side by side. Then, for everything on the LEFT, find it on the other side and do something (join it in or discard it).
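The temp-table pattern from the demo, as an added example that is not the presenter's query. It assumes two hypothetical collection IDs ('ABC00010' and 'ABC00011') and uses the standard ConfigMgr views v_R_System, v_GS_OPERATING_SYSTEM and v_FullCollectionMembership. The slow form is shown first for comparison; the rewrite reads v_FullCollectionMembership once into a temp table keyed on the integer ResourceID, then finds the non-members with a LEFT JOIN.

```sql
-- Added example, not the presenter's query. Collection IDs are hypothetical placeholders.

-- Slow form: each NOT IN subquery is another full pass over v_FullCollectionMembership,
-- so the view is read once per collection you exclude.
SELECT sys.ResourceID, sys.Name0
FROM dbo.v_R_System AS sys
WHERE sys.ResourceID NOT IN (SELECT ResourceID FROM dbo.v_FullCollectionMembership
                             WHERE CollectionID = 'ABC00010')
  AND sys.ResourceID NOT IN (SELECT ResourceID FROM dbo.v_FullCollectionMembership
                             WHERE CollectionID = 'ABC00011');

-- Fast form: first drop a leftover temp table from an earlier run in this session.
IF OBJECT_ID('tempdb..#TargetMembers') IS NOT NULL
    DROP TABLE #TargetMembers;

-- A PRIMARY KEY on the integer ResourceID gives the later join an index to seek on.
CREATE TABLE #TargetMembers (ResourceID INT NOT NULL PRIMARY KEY);

-- Pull the big view exactly once, already filtered to the collections of interest.
INSERT INTO #TargetMembers (ResourceID)
SELECT DISTINCT fcm.ResourceID
FROM dbo.v_FullCollectionMembership AS fcm
WHERE fcm.CollectionID IN ('ABC00010', 'ABC00011');   -- hypothetical collection IDs

-- LEFT JOIN keeps every client row; WHERE tm.ResourceID IS NULL keeps only the rows
-- with no membership match, i.e. machines that are in none of the target collections.
SELECT sys.ResourceID,
       sys.Name0   AS ComputerName,
       os.Caption0 AS OperatingSystem,
       os.Version0 AS OSVersion
FROM dbo.v_R_System AS sys
JOIN dbo.v_GS_OPERATING_SYSTEM AS os
    ON os.ResourceID = sys.ResourceID        -- integer join, not a string join
LEFT JOIN #TargetMembers AS tm
    ON tm.ResourceID = sys.ResourceID
WHERE tm.ResourceID IS NULL
  AND sys.Client0 = 1                        -- only machines with the CM client installed
ORDER BY sys.Name0;

DROP TABLE #TargetMembers;                   -- clean up at the end of the session
```

To confirm the rewrite actually reads the big view once, run both forms with SET STATISTICS IO ON and compare the logical reads reported for v_FullCollectionMembership's underlying tables.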
Fun fact: as long as the server knows about the class, you can send hardware inventory data even if the computer is not on!
Ryan has a script running that just keeps adding clients to his CM (over 250K so far).
- It needs a valid cert
- We create the objects, then set the PC name, NetBIOS name, etc. CM needs a new cert per machine to differentiate them.
- Class: ConfigHardwareInventoryMessage
- If we set the cert, client id and what classes to inventory then we can just send the data to CM
- He did try to generate a bunch of certs (one per client) on his machine, but it was too slow, so he used $50 of Azure credit to generate 500K certs.
- Script doesn't randomize the client data (yet)
- Working on a way to simulate heartbeats
- Created on .