Deploy Unquoted Services Fix MECM package

Background: The Tenable plugin ID 63155 – Microsoft Windows Unquoted Service Path Enumeration – is a high severity vulnerability that has been found on thousands of USGS computer systems. As of July 2012, 8500 systems are reported to have the vulnerability, and it is the top vulnerability found in USGS. Each vulnerability identified by Tenable equates to a single system that has one or more unquoted service paths. Some systems have been found to have as many as a dozen services with an unquoted service path. Some software vendors have fixed this vulnerability for their product with software updates or new releases, but others have not. An IT administrator who manually remediates this vulnerability one month for a particular service may find he or she has to remediate it again each time the software product is updated. The eComputing CAB approved an RFC to deploy this fix from Tier 1 across USGS on August 30, 2013. Tier 3 sites are encouraged to advertise this program prior to that date.

Program/Package Description: The Unquoted Services Fix package is located in the Tier 1 folder. It contains two programs – Find Unquoted Services and Fix Unquoted Services.

Find Unquoted Services creates a text file that lists each of the services on a system that is vulnerable to the unquoted service path vulnerability. The file is created in the Windows directory (typically, this is C:\Windows). If the script finds unquoted service paths, the file is copied up to \\gs\di\reporting\unquoted_services. The file name is as follows: HOSTNAME-quoted_services_report-DATE.txt. If no services are found, a new text file is NOT created.

Fix Unquoted Services fixes the service paths by adding the appropriate quotation marks where needed to the service's path entry in the registry. The service path before and after the fix is logged to a file called HOSTNAME-quoted_services_fixed-DATE.txt in the Windows directory. If services were fixed, the file is copied to \\gs\di\reporting\unquoted_services and an MECM hardware inventory action is kicked off. Every time the program runs, a new log file is created.
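The find and fix logic the two programs perform, shown as an added PowerShell example. This is not the Tier 1 package's own script (the page does not show its source); it assumes the standard HKLM:\SYSTEM\CurrentControlSet\Services\<Name>\ImagePath registry layout, and the function names, the -ServicesKey parameter and the sample ImagePath values are constructed for illustration.

```powershell
# Added example, not the Tier 1 package's own script. It reproduces the
# find/fix logic described above against the standard service registry layout
# (HKLM:\SYSTEM\CurrentControlSet\Services\<Name>\ImagePath). Function names,
# the -ServicesKey parameter and the sample paths below are constructed.

function Get-QuotedServicePath {
    # Returns the ImagePath with the executable wrapped in quotes, or $null when
    # the value is already quoted or has no space in the executable path.
    param([AllowEmptyString()][string]$ImagePath)

    $path = $ImagePath.Trim()
    if ($path -eq '' -or $path.StartsWith('"')) { return $null }

    # Split executable from arguments at the end of the first ".exe" token;
    # a value without ".exe" is treated as a bare executable path.
    $idx = $path.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
    if ($idx -ge 0) {
        $exe     = $path.Substring(0, $idx + 4)
        $argPart = $path.Substring($idx + 4)
    } else {
        $exe     = $path
        $argPart = ''
    }

    # Only a space inside the executable path matters: the service control
    # manager then tries each shorter prefix (C:\Program.exe, ...) as a program.
    if ($exe -notmatch ' ') { return $null }
    return '"' + $exe + '"' + $argPart
}

function Find-UnquotedServicePath {
    # Enumerate services from the registry and return those needing a fix
    # (the equivalent of the Find Unquoted Services report).
    param([string]$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services')
    Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        # Read the raw value so %SystemRoot%-style entries are not expanded
        # before being written back.
        $raw = [string]$_.GetValue('ImagePath', $null,
            [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        if (-not $raw) { return }
        $fixed = Get-QuotedServicePath -ImagePath $raw
        if ($fixed) {
            [pscustomobject]@{
                Service   = $_.PSChildName
                ImagePath = $raw
                FixedPath = $fixed
                Kind      = $_.GetValueKind('ImagePath')   # REG_SZ or REG_EXPAND_SZ
            }
        }
    }
}

function Repair-UnquotedServicePath {
    # Write the quoted path back, preserving the value type, and emit one
    # "service<TAB>before<TAB>after" line per change for the log file.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services')
    foreach ($svc in Find-UnquotedServicePath -ServicesKey $ServicesKey) {
        $key = Join-Path -Path $ServicesKey -ChildPath $svc.Service
        if ($PSCmdlet.ShouldProcess("$key\ImagePath", "set to $($svc.FixedPath)")) {
            Set-ItemProperty -Path $key -Name ImagePath -Value $svc.FixedPath -Type $svc.Kind
            "{0}`t{1}`t{2}" -f $svc.Service, $svc.ImagePath, $svc.FixedPath
        }
    }
}

# Constructed sample values (not taken from any real host) exercising the rule.
$samples = @(
    'C:\Program Files\Example Vendor\agent.exe -service',    # needs quotes
    '"C:\Program Files\Example Vendor\agent.exe" -service',  # already quoted
    'C:\Windows\system32\svchost.exe -k netsvcs',            # no space: safe
    '%ProgramFiles%\Example Vendor\tool.exe'                 # needs quotes, no args
)
foreach ($s in $samples) {
    $fixed = Get-QuotedServicePath -ImagePath $s
    if ($fixed) { "$s => $fixed" } else { "$s => (no change)" }
}
```

Run `Find-UnquotedServicePath | Format-Table` from an elevated prompt to produce the same kind of listing the Find program writes, and `Repair-UnquotedServicePath -WhatIf` to preview the registry writes before applying them. The split at the first ".exe" is a heuristic; a directory whose name ends in ".exe" would be mis-split, so review the before/after log rather than trusting the rewrite blindly.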

Collection Description: The BWTST -> Systems with Unquoted Services collection is a Tier 1 collection that contains all systems that have one or more services with an unquoted service path. This data is gathered with the hardware inventory scan, which runs once every 24 hours on each MECM client. The collection is set to update every 4 hours. If a system gets a new service with an unquoted service path due to a software patch, install, or upgrade, the system will automatically be added to the collection. Once the service path is fixed, it will drop back out of the collection within 4 hours of the hardware inventory scan.

Tier 3 Advertisement Steps

Open the MECM console from Start -> All Programs -> Microsoft System Center -> Configuration Manager 2007 -> ConfigMgr Console

Browse to Site Database -> Computer Management -> Software Distribution -> Packages -> Tier 1 -> Unquoted Services Fix -> Distribution Points

Configuration Manager Console - Package - Distribution Points

Right click on Distributions Points and select New Distribution Points

Configuration Manager - New Distribution Points Wizard - Welcome

On the Welcome Screen, click Next

Configuration Manager - New Distribution Points Wizard - Copy Package

Select your Distribution Point(s) (recommended to select all of the non-PXE related DPs) and click Next

New Distribution Points Wizard - Confirmation

Click Close

Configuration Manager Console - Package Status

Browse to Site Database -> Computer Management -> Software Distribution -> Packages -> Tier 1 -> Unquoted Services Fix -> Package Status -> Package Status -> SiteName

Verify that the State column displayed for your Distribution Point is “Installed”. If the State column for your Distribution Point displays “Install Pending”, then wait (the time will depend on package size and WAN speeds). Do not continue until the State column reads “Installed”; you may need to right click and select Refresh to update the column.

Configuration Manager - Advertisement - New

Browse to Site Database -> Computer Management -> Software Distribution -> Advertisements

Right click on an advertisement folder -> New -> Advertisement

New Advertisement Wizard - General Tab

In the New Advertisement Wizard, enter a Name such as Unquoted Services Path Fix
For Package, select Browse, select Tier 1 -> Unquoted Services Fix
For Program, select Fix Unquoted Services
For Collection, select Browse, select BWTST -> Systems with Unquoted Services

There is also a Find Unquoted Services program. This program does not fix the vulnerability; it only creates a log file in the Windows directory that lists each of the services that needs to be fixed. This file is copied to \\gs\di\reporting\unquoted_services.

Click Next

Click the  Button icon

New Advertisement Wizard - Assignment Schedule

Select “Assign to the following schedule”, leaving the current date and time, and click OK

New Advertisement Wizard - Schedule Tab

Check “Ignore maintenance windows when running program” and click Next

New Advertisement Wizard - Distribution Points Tab

Verify “Download content from distribution point and run locally” is selected in both areas

LEAVE CHECKED “Allow clients to fall back to unprotected distribution points…”

Click Next

Click Next through the Interaction window, Security window, and Summary window

Click Close
