22 Replies. Latest reply: Mar 21, 2017 4:58 AM by sdunn

Configure SC to talk to SCCM

chirs Novice

I haven't found a lot about how to actually integrate SCCM and Security Center. There's a nessus guide but that can't be all there is. Any ideas?

  • Re: Configure SC to talk to SCCM
    sdunn Apprentice

    Chris - I can walk you through the SCCM setup.


    • Start by creating an Advanced Scan Policy, and make sure that "Enable Safe Checks" is enabled.
    • Under Host Discovery, all options should be disabled.
    • Under Port Scanning, I have all options disabled except for TCP and SYN.
    • Under Report - enable the first two options under Output (DNS Name and Ping).
    • Under Authentication - select Add Authentication Settings, and select Microsoft SCCM.
      • Enter the IP address of the SCCM server.
      • Enter the domain name and credentials. (Make sure that you are using an administrative account.)
    • Under Plugins - normally I just select all of the plugins by default. However, at a bare minimum you should select the General, Misc, Settings, and Windows: Bulletins plugin families.
    • Save your policy.


    For the Scan you will not need individual host credentials, you only need the SCCM server credentials within the policy you just created.


    • Create the Scan, and select the SCCM policy you just created.
    • Under Targets - select the range of IPs supported by SCCM that you want to obtain information on.
    • Once that is completed, save and then run your scan.


    Initially, I would recommend starting off with a small number of IP addresses in your first scan. Once you get results back from the scan, then add the full range you want. Once your scan is completed, your results should look similar.


    [screenshot: main.png]

    Switch the Tool to Vulnerability Detail List, and in the plugin output you should see this result below.

    [screenshot: SCCM.png]

    Note that these results will only come back with MS Bulletins. Right now, we don't support 3rd party reporting from tools such as SCUP, or SCCM add-ons. If you have your WSUS server residing on your SCCM server, you can also add the WSUS authentication credential to the same policy you just created.

    • Re: Configure SC to talk to SCCM
      chirs Novice

      Awesome!


      If I input a range of IP addresses or an asset list where only some of the assets are in SCCM, will there be any problems?

      • Re: Configure SC to talk to SCCM
        sdunn Apprentice

        You should be fine. The only time you may not get vulnerability information back is if a host isn't communicating properly with SCCM (inactive, offline, etc.). One other thing I failed to mention is to take a look at the Patch Management Overview dashboard once you get your scans going. There is a Patch Report component that leverages Nessus to detect vulnerabilities from software not supported by SCCM.

    • Re: Configure SC to talk to SCCM
      chieudinh Novice

      Are you using SCCM credentials to scan? Or can you select the hosts or devices in SCCM to scan?

      • Re: Configure SC to talk to SCCM
        chirs Novice

        I thought it simply utilized the database within SCCM to report back patching data. Is this not correct?

        • Re: Configure SC to talk to SCCM
          sdunn Apprentice

          That's correct. If you had your database on a separate server, the only instance that you would need to scan the database and not the patch management system is if you were running Symantec Altiris.

          • Re: Configure SC to talk to SCCM
            chirs Novice

            Can you go over this further? What I really want is to just query the database. But in testing it appears the scan job will scan the endpoints. At some point we may want to do the latter but at the moment we only want the former. Any ideas?

            • Re: Configure SC to talk to SCCM
              sdunn Apprentice

              So your SCCM policy needs to be filtered down a bit more, so that you're getting just SCCM data. Under Advanced, make sure that "Enable Safe Checks" is disabled.


              Next, go to Plugins, and select "Disable All."  In the upper right corner, you'll see the "Filter Plugins" drop down, select Name, type in SCCM, and click on each plugin to enable them.

              [screenshot: Screen Shot 2017-01-19 at 10.33.00 AM (2).png]


              Click on each family to enable the individual plugins. Once the 5 plugins are enabled, go back to the Filter Plugins drop down, and select Clear. You should then see all of the plugin families disabled, and the selected plugins as "Mixed".


              For monitoring patch conflicts and reports on other patches not supported by SCCM, select the "General" plugin family, and type in "Patch" in the Filter Plugins. Note that these 3 plugins are not required, but can be useful.


              Next, select the "Windows : Microsoft Bulletins" family to enable all of the plugins. When you are done, your plugin list should look similar.


              [screenshot: Screen Shot 2017-01-19 at 10.42.47 AM (2).png]


              Try that instead, and see if you get better results.

              • Re: Configure SC to talk to SCCM
                wpruitt Novice

                Greetings, figured I would just piggyback off this thread for answers. Let me start by stating I am not the SC admin; I am the SCCM admin in this equation. I just have a few questions to clear up my confusion.


                1. SCCM is using WSUS to scan the Windows endpoints for MS patch compliance.  SCUP is used to query for 3rd party/Non-MS products.  What does the integration of SC and SCCM give me that I'm not getting from my SCCM reports already?
                2. The domain account states it needs Administrative access, but this is a very broad term.  Is this Operating System, Database, or SCCM Console level?  If I'm only pulling the scan data from the SCCM database, I'm assuming I only need to use a service account that has read permissions into the DB, correct?
                3. Based on this thread, SC can not only read from the SCCM DB, but can also scan the endpoints it "discovers" from the DB.  If this is correct, what benefit does this serve?  If SC is already scanning from the network level, why would the assets discovered in SCCM need to be scanned again?


                Thanks for any answers you guys can provide. Our upper management is asking what the value added is in configuring the integration of SC and SCCM, so we're trying to find answers to that.

                • Re: Configure SC to talk to SCCM
                  sdunn Apprentice

                  1. The SC/SCCM integration will only cover MS Bulletin vulnerabilities. Meaning if you setup a policy/scan within SC that pulls data off of your SCCM box, you’ll only see the MS Bulletins. Tenable doesn’t support SCUP currently, however you can still pull data from the Patch Report plugin (66334) or the Patch Management: SCCM Report (58186). Usually the Patch Report plugin will cover most of your other vulnerabilities including the ones not supported by SCUP.


                  2. Usually Domain Administrative rights with full access to SCCM, however you can certainly adjust your permissions around to ensure least privilege. You may find a difference in your results, so keep that in mind. The SCCM integration within SC will read off of the SCCM server directly, and not the database. The only patch management product supported by Tenable that needs to read directly off of the database is Symantec Altiris.


                  3. Great question. So the scan results from SC and the results collected from SCCM can be used to compare whether systems are being patched properly. For example, oftentimes WSUS can have issues reporting accurate results back from the managed client. These issues may require manual intervention by sys admins to reset the connection to WSUS. In some instances, patches need to be applied manually to hosts, and fail when deployed. Systems not being rebooted after a patch is applied can also cause a difference in results.


                  Using the Patch Management: SCCM Report (58186) you can get results from the SCCM server on managed hosts where SCCM is reporting that the managed host is fully patched. Using the Vulnerability Detail List, at the bottom you'll see within the plugin output the following text.

                  [screenshot: Screen Shot 2017-02-07 at 12.58.24 PM.png]

                  If you scan the same system with this result above, and SC is showing outstanding vulnerabilities, then you can see that there may be an issue with either SCCM or the managed host. Additionally, you can also get notified of managed hosts that are offline or that haven’t checked in.

                  [screenshot: Screen Shot 2017-02-07 at 12.59.18 PM.png]

                  I would suggest setting up an SCCM Patch Management scan, and a separate scan using SC, and see if you can pick up on any differences within your environment. Please let me know if this didn't answer your questions.
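One way to automate the comparison described in the reply above, as an added example that is not part of the original post and not Tenable's or Microsoft's own tooling: the script takes per-host status as SCCM reports it (the "fully patched" / check-in information that plugin 58186 surfaces) together with the MS bulletin findings from SC's own credentialed scan, and flags the three cases the reply mentions: SCCM says fully patched but SC still sees bulletins, hosts that have not checked in, and hosts SC found that SCCM does not manage. The record layout, the field names, the bulletin IDs and the seven-day stale threshold are constructed assumptions for illustration; real SCCM and SecurityCenter exports have to be mapped into that layout first.

```python
"""Reconcile SCCM patch-compliance status against SecurityCenter scan findings.

Added example, not Tenable's or Microsoft's code. All input records below are
constructed for illustration: map real SCCM Report (plugin 58186) output and
SC vulnerability exports into the same field names before using this.
"""
from datetime import datetime, timedelta

# Constructed sample: per-host status as SCCM would report it to SC.
# "status" and "last_checkin" are assumed field names, not plugin fields.
SCCM_STATUS = [
    {"host": "ws01.corp.example",  "status": "fully patched",   "last_checkin": "2017-02-06T09:12:00"},
    {"host": "ws02.corp.example",  "status": "fully patched",   "last_checkin": "2017-02-07T08:40:00"},
    {"host": "srv03.corp.example", "status": "patches pending", "last_checkin": "2017-02-07T07:05:00"},
    {"host": "ws04.corp.example",  "status": "fully patched",   "last_checkin": "2017-01-20T11:00:00"},
]

# Constructed sample: MS bulletin findings from SC's own credentialed scan of
# the same hosts. Bulletin IDs are placeholders, not verified findings.
SC_FINDINGS = [
    {"host": "ws02.corp.example",  "bulletin": "MS17-004"},
    {"host": "ws02.corp.example",  "bulletin": "MS17-006"},
    {"host": "srv03.corp.example", "bulletin": "MS17-004"},
    {"host": "db05.corp.example",  "bulletin": "MS16-120"},
]

STALE_AFTER = timedelta(days=7)   # assumed threshold for "hasn't checked in"


def reconcile(sccm_status, sc_findings, now, stale_after=STALE_AFTER):
    """Return the three discrepancy classes the thread describes.

    mismatch:  SCCM says fully patched but SC still sees outstanding bulletins
               (WSUS reporting problem, failed deployment, or pending reboot).
    stale:     managed hosts whose last check-in is older than stale_after,
               reported as whole days since the check-in.
    unmanaged: hosts with SC findings that SCCM does not know about at all.
    """
    outstanding = {}
    for f in sc_findings:
        outstanding.setdefault(f["host"], set()).add(f["bulletin"])

    managed = {r["host"]: r for r in sccm_status}
    mismatch, stale = {}, {}
    for host, rec in managed.items():
        age = now - datetime.fromisoformat(rec["last_checkin"])
        if age > stale_after:
            stale[host] = age.days
        if rec["status"] == "fully patched" and outstanding.get(host):
            mismatch[host] = sorted(outstanding[host])

    unmanaged = sorted(set(outstanding) - set(managed))
    return {"mismatch": mismatch, "stale": stale, "unmanaged": unmanaged}


def example_report(now="2017-02-07T13:00:00"):
    """Run the reconciliation over the constructed samples at a fixed time."""
    return reconcile(SCCM_STATUS, SC_FINDINGS, datetime.fromisoformat(now))


if __name__ == "__main__":
    report = example_report()
    for host, bulletins in report["mismatch"].items():
        print(f"MISMATCH  {host}: SCCM fully patched, SC sees {', '.join(bulletins)}")
    for host, days in report["stale"].items():
        print(f"STALE     {host}: last SCCM check-in {days} days ago")
    for host in report["unmanaged"]:
        print(f"UNMANAGED {host}: SC findings but no SCCM record")
```

A host in the mismatch list is the one to chase first: it is the case the reply attributes to WSUS reporting problems, failed deployments or a missing reboot, and SCCM's own reports would show it as compliant. The "patches pending" host is deliberately not flagged, since SCCM and SC agree it is not done.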

                  • Re: Configure SC to talk to SCCM
                    wpruitt Novice

                    Many thanks Stephanie.  Currently there is already a comparison being done between the SC and SCCM scan results, but it's going to be up to management to decide if they still want the integration.

    • Re: Configure SC to talk to SCCM
      stantonst150 Novice

      Does this work with all SCCM versions? We tried this with Server 2012, most recent build. Does Tenable plan on keeping up with the updated builds?

  • Re: Configure SC to talk to SCCM
    johnmc Novice

    Anyone know when support for 3rd party reporting from tools such as SCUP, or SCCM add-ons, will be available?