Wednesday, May 24, 2017

SCCM (ConfigMgr) - WannaCry Ransomware Compliance

WannaCry ransomware did damage worldwide, and there are still lots of doubts about how to check whether your infrastructure is safe.
This is how my days have been lately.

Checking that all my servers are patched, giving management teams compliance reports, and so on.
There are lots of examples online; this, yes, is just another one.

Disclaimer: Modify the T-SQL query and the VBScript for your specific HotFixIDs; in my case they are for Windows Server 2003-2016.

So, here is the SCCM query to find the servers missing the ransomware fix:


SELECT dbo.v_R_System.Name0 AS 'Computername', v_R_System.Full_Domain_Name0, dbo.v_UpdateInfo.Title AS 'Updatename', dbo.v_StateNames.StateName, dbo.v_Update_ComplianceStatusAll.LastStatusCheckTime, dbo.v_UpdateInfo.DateLastModified, dbo.v_UpdateInfo.IsDeployed, dbo.v_UpdateInfo.IsSuperseded,   
      dbo.v_UpdateInfo.IsExpired, dbo.v_UpdateInfo.BulletinID, dbo.v_UpdateInfo.ArticleID, dbo.v_UpdateInfo.DateRevised,   
      catinfo.CategoryInstanceName as 'Vendor',   
      catinfo2.CategoryInstanceName as 'UpdateClassification'   
      FROM dbo.v_StateNames   
      INNER JOIN dbo.v_Update_ComplianceStatusAll   
      INNER JOIN dbo.v_R_System ON dbo.v_R_System.ResourceID = dbo.v_Update_ComplianceStatusAll.ResourceID   
      INNER JOIN dbo.v_UpdateInfo ON dbo.v_UpdateInfo.CI_ID = dbo.v_Update_ComplianceStatusAll.CI_ID ON dbo.v_StateNames.StateID = dbo.v_Update_ComplianceStatusAll.Status   
      INNER JOIN v_CICategories_All catall on catall.CI_ID = dbo.v_UpdateInfo.CI_ID   
      INNER JOIN v_CategoryInfo catinfo on catall.CategoryInstance_UniqueID = catinfo.CategoryInstance_UniqueID and catinfo.CategoryTypeName='Company'   
      INNER JOIN v_CICategories_All catall2 on catall2.CI_ID=dbo.v_UpdateInfo.CI_ID   
      INNER JOIN v_CategoryInfo catinfo2 on catall2.CategoryInstance_UniqueID = catinfo2.CategoryInstance_UniqueID and catinfo2.CategoryTypeName='UpdateClassification'   
      INNER JOIN v_CH_ClientSummary on v_CH_ClientSummary.ResourceID = v_R_System.ResourceID  
      WHERE (dbo.v_StateNames.TopicType = 500)   
      AND (dbo.v_StateNames.StateName = 'Update is required')   
      AND (dbo.v_R_System.Name0 IN (  
                                     SELECT TOP (100) PERCENT SD.Name0 AS 'Machine Name'   
                                     FROM dbo.v_R_System AS SD INNER JOIN   
                                     dbo.v_FullCollectionMembership AS FCM ON SD.ResourceID = FCM.ResourceID INNER JOIN   
                                     dbo.v_Collection AS COL ON FCM.CollectionID = COL.CollectionID LEFT OUTER JOIN   
                                     dbo.v_R_User AS USR ON SD.User_Name0 = USR.User_Name0 INNER JOIN   
                                     dbo.v_GS_PC_BIOS AS PCB ON SD.ResourceID = PCB.ResourceID INNER JOIN   
                                     dbo.v_GS_COMPUTER_SYSTEM AS CS ON SD.ResourceID = CS.ResourceID INNER JOIN   
                                     dbo.v_RA_System_SMSAssignedSites AS SAS ON SD.ResourceID = SAS.ResourceID   
                                     WHERE (COL.Name like 'All Windows Servers')  
                                   )  
          )   
      AND ((catinfo2.CategoryInstanceName like 'Critical%' ) OR (catinfo2.CategoryInstanceName like 'Security%' ))   
      AND dbo.v_UpdateInfo.ArticleID in ('4012214','4012212','4012213','4012598')  
      AND v_CH_ClientSummary.ClientActiveStatus = 1  
      ORDER BY dbo.v_R_System.Name0  
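
For the management-report side, a per-domain rollup can be built on the same views. This is an added example, not part of the original post; it assumes the same four ArticleIDs and the 'All Windows Servers' collection as the query above, and it skips the update-classification filter because the ArticleIDs already pin the updates.

```sql
-- Added example: per-domain summary of servers still flagged as needing the fix.
-- Assumptions: same ArticleIDs and collection name as the query above.
WITH Servers AS (
    -- Active clients that are members of the server collection
    SELECT DISTINCT sys.ResourceID, sys.Full_Domain_Name0
    FROM dbo.v_R_System AS sys
    INNER JOIN dbo.v_FullCollectionMembership AS fcm ON fcm.ResourceID = sys.ResourceID
    INNER JOIN dbo.v_Collection AS col ON col.CollectionID = fcm.CollectionID
    INNER JOIN dbo.v_CH_ClientSummary AS chs ON chs.ResourceID = sys.ResourceID
    WHERE col.Name = 'All Windows Servers'
      AND chs.ClientActiveStatus = 1
),
Missing AS (
    -- Servers reporting at least one of the listed updates as required
    SELECT DISTINCT ucs.ResourceID
    FROM dbo.v_Update_ComplianceStatusAll AS ucs
    INNER JOIN dbo.v_UpdateInfo AS ui ON ui.CI_ID = ucs.CI_ID
    INNER JOIN dbo.v_StateNames AS sn ON sn.StateID = ucs.Status AND sn.TopicType = 500
    WHERE sn.StateName = 'Update is required'
      AND ui.ArticleID IN ('4012214','4012212','4012213','4012598')
)
SELECT s.Full_Domain_Name0 AS DomainName,
       COUNT(*) AS ActiveServers,
       SUM(CASE WHEN m.ResourceID IS NOT NULL THEN 1 ELSE 0 END) AS MissingFix,
       -- Servers with an unknown scan state are NOT counted as missing,
       -- so read this figure as "not flagged", not as proof of patching.
       CAST(100.0 * SUM(CASE WHEN m.ResourceID IS NULL THEN 1 ELSE 0 END)
            / COUNT(*) AS decimal(5,1)) AS NotFlaggedPct
FROM Servers AS s
LEFT JOIN Missing AS m ON m.ResourceID = s.ResourceID
GROUP BY s.Full_Domain_Name0
ORDER BY MissingFix DESC;
```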

And here is an SCCM configuration item VBScript (some servers don't have PowerShell...! yes, there are a few...!):

 ' Compliant when any of the listed hotfixes is installed; adjust the list to your OS versions.
 strComputer = "."
 Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
 Set colItems = objWMIService.ExecQuery("Select * from Win32_QuickFixEngineering",,48)
 blnPatched = False
 For Each objItem in colItems
   If objItem.HotfixID = "KB4012214" or objItem.HotfixID = "KB4012213" or objItem.HotfixID = "KB4012212" or objItem.HotfixID = "KB4012598" then
     blnPatched = True
   End If
 Next
 ' Echo exactly one value so the compliance rule has a single string to compare,
 ' even if more than one of the hotfixes is present or none is.
 If blnPatched Then
   WScript.Echo "Compliant"
 Else
   WScript.Echo "Non-Compliant"
 End If

So, now just make a configuration baseline or add this configuration item to your existing configuration baseline.

Hope this helps you guys out.