Cleanup your Java versions

April 16, 2010

How to get down to one version of Java on all systems.


Patch content BKM

March 13, 2010

Summary

This article talks about the vulnerability content you should be scanning for with LANDesk Patch Manager. The recommendations are based on research conducted by several leading security firms. I provide a synopsis of the conclusions here, but the short version is that over the course of 2009 client-side applications were the most exploited aspect of your endpoints. The purpose of this document is to help you manage your patch content so that you can focus on what's most important.


Categories: LANDesk, Patch management

Patch more, patch faster

March 12, 2010

If you haven't read the Qualys report The Laws of Vulnerabilities 2.0 (delivered at the Black Hat conference in 2009), you should.

Qualys uses data collected from over 100 million vulnerability scans performed on corporate networks, taking into account both servers and desktops.  A couple of key points from the report:

  • The half-life of vulnerabilities in corporate networks (half-life is defined as the amount of time it takes an organization to patch half of their vulnerable machines) remains basically unchanged from 2004.
  • While IT organizations have improved at deploying Microsoft Windows patches, patches for vulnerabilities in apps like Microsoft Office, Adobe products and Java take twice as long to deploy on average.

There are other great data points administrators can learn from in this report, including a breakdown by industry that allows you to compare yourself to your peers.  The most important takeaway, however, is that the very applications it takes organizations so long to patch are the most exploited on your endpoints.

This article from SANS provides a nice overview, combining data from Qualys, Tippingpoint and the ISC.  Their conclusion is very succinct:  unpatched client-side applications should be your number one endpoint security priority.  Specifically, Microsoft Office, Adobe products and Quicktime.

They don’t mention Java in the SANS article but it should be on your list as well.  This post shows how exploits are used in the real world to infect clients.  Java is near the top of the successful exploitation list.

The article also discusses how exploit kits are bought and sold and can then be customized for different CnC servers.  Note that the browser itself does not need to be exploitable for these types of attacks to be successful!!  These kits work a lot like brute-force password attacks: they simply run through a list of vulnerabilities until one succeeds.  So being diligent in patching the OS but ignoring other vulnerabilities basically means nothing.

Improving your patch strategy

The good news is that LANDesk customers can scan for and remediate all of these applications.  Pushing out an Adobe Flash Player patch is just as easy as pushing out MS09-055, a Java update or anything else in the patch content.  The bad news is that a number of organizations I go into aren't taking advantage of this capability.

If you are a LANDesk customer and still using WSUS to patch your systems:  WSUS is not enough.  You are not doing a whole lot to secure your endpoints from current attacks if you only patch through WSUS.  If you are not a LANDesk customer, whatever patch system you use must address 3rd party applications.  This should no longer be considered a nice-to-have feature.  It’s a critical part of a successful patch strategy.

I understand that in the real world it is not just about the functionality of your patch management solution.  There are barriers raised in many organizations that make it difficult to aggressively patch endpoints.  Here are some of the common issues I see and some thoughts on improving your patch management practices:

Training. Time and again I see desktop administrators who have been thrown into their current roles and are simply not comfortable suddenly deploying a bunch of patches.  I don't blame you.  I don't want to be responsible for rebooting the CEO's machine in the middle of a presentation either.  So get trained!!  Most vendors have a variety of training options.  I know you have no budget or time, so in the case of LANDesk use the e-learning courses (accessible via the web for a few hundred dollars a year, and possibly free depending on your support program) and the forums to build up your comfort level.

Use the workflow tools you have. Many organizations have very mature practices for patching their servers but leave desktop administrators to fend for themselves.  LANDesk patch management includes a workflow component that automates e-mail notifications, approvals and targeting.  I know!!  It's not perfect.  But keep your process/workflow simple and get the ball moving in the right direction within your organization.  LANDesk has made many improvements to the default workflow in version 9, and it can serve as a good baseline.  This kind of automation is critical!!

Make compliance requirements/auditors work for you. Most industries now fall under some kind of regulatory compliance.  Use this to get the political will necessary to patch aggressively within your organization.  It can be very difficult to overcome complaints by end users about lost productivity so use third party sources (like the studies linked above or an impending audit) to convince management of the need to aggressively patch.  Then, be smart about how you deploy, use reboot deferrals, caching and other common patch features to show you can be effective and minimize impact.  It’s up to you to make the business case to your management.

Narrow your target. So many times I see people overwhelmed by how many vulnerabilities they have to patch.  Only scan for things you care about (remote code execution, items needed for audit compliance, etc.).  Don't enable every vulnerability thrown at you!!  Go after items rated critical and high first and then back your way into less critical vulnerabilities.  You'll build some early success and confidence in how your patch management solution works.

Go forth and patch!!!

Categories: LANDesk, Patch management

Quick walkthrough: deploying Adobe Reader 9.3

Overview
Searching out in Internetland you find a lot of different ways to deploy the latest Adobe Reader versions. With PDF exploits becoming increasingly popular, keeping up with these versions has become more important than ever. Prior to Reader 9.3 I would simply deploy the downloaded executable with a set of command line switches. Since then I've taken to using the Adobe Customization Wizard to create a transform file for the MSI. You can download my MST file or build your own. If you use mine, the result will be as follows.

Deployment Behavior

  • Silent install
  • No EULA acceptance required
  • No reboot
  • No add-ons like links to adobe.com or AIR
  • Autoupdates are turned off

Steps to Follow

  1. Download Adobe Reader 9.3 from ftp://ftp.adobe.com/pub/adobe/reader/win/9.x/9.3/enu/AdbeRdr930_en_US.msi
  2. Download this transform file or create your own
  3. Move the MSI and MST to the web or UNC share you typically use to deploy software
  4. Add it to your LANDesk Software Distribution Packages
  5. For Install/Uninstall Options paste: /i TRANSFORMS=AdbeRdr930_en_US.mst /quiet /norestart
  6. Under Additional files add the MST file

LANDesk 8.8 database tables you actually care about

November 3, 2009
Below is the list of tables you'll want to consider when doing any direct querying of the LANDesk database.  Beneath each table name are the columns holding the most useful data.  This is not comprehensive; it's meant to narrow down your search through the database schema. Know of some key ones we missed? Let us know!!

Hardware
BIOS – Note most columns of use under BIOS (other than the two listed) should be queried under CompSystem
– Computer_Idn, Manufacturer, ROMVersion

BoundAdapter
– Computer_Idn, PhysAddress, Description, IPAddress, SubnetMask, DefaultGateway, PrimaryDNS, SecondaryDNS

CompSystem
– Computer_Idn, Manufacturer, Model, SerialNum, ChassisType, HasBattery

FixedDrives
– Computer_Idn, FixedDrives_Idn, StorageTotal, Model, Interface

LogicalDrives
– Computer_Idn, LogicalDrives_Idn, SerialNumber, DriveLetter, StorageTotal, StorageAvail

Memory
– Computer_Idn, BytesTotal, BytesAvail, NumSlots, MaxMem

MemorySlot
– Computer_Idn, MemorySlot_Idn, SlotNo, SocketDesignation, InstalledSize, FormFactor, Manufacturer, PartNum, SerialNum

Partitions
– Computer_Idn, Partitions_Idn, PartitionNumber, Name

Processor
– Computer_Idn, Type, MaxSpeed, ProcCount, CoresPerPkg

NetworkAdapter
– Computer_Idn, NetworkAdpater_Idn, Vendor, Description, DataRate, DriverName

Software
FileInfo
– FileInfo_Idn, Filename, Title, Version, Vendor

FileInfoInstance
– Computer_Idn, FileInfoInstance_Idn, FileInfo_Idn, FileDate, Path, SCM_TotalSessionTime, SCM_SessionCount, SCM_LastUser, SCM_LastSessionStart, SCM_LastSessionTime, SCM_DateDiscovered

AppSoftwareSuites
– Computer_Idn, AppSoftwareSuites_Idn, SuiteName, Version, Publisher

AppSoftware (view)
– Computer_Idn, Software_Idn, FileInfo_IDN, FileSize, Filename, FileDate, Title, Version, Path, SCM_TotalSessionTime, SCM_SessionCount, SCM_LastUser, SCM_LastSessionStart, SCM_LastSessionTime, SCM_DateDiscovered, SCM_DaysSinceLastUsed, SCM_DaysSinceDiscovered

Security
Antivirus
– Computer_Idn, Antivirus_Idn, ProductName, AutoProtect, ProductVersion, EngineVersion, PubDate, DefInstDate, LastVirusScan, AgentRunning, PatternServer

ComputerVulnerability
– Computer_Idn, ComputerVulnerability_Idn, Vul_ID, PatchDetected, Reason, Patch, PatchInstallDate, PatchInstallStatus, PatchInstallSucceeded, DateDetected, LastScanDate

Patch
– Patch_Idn, Vulnerability_Idn, UniqueFilename, URL, Name, Download, Reboot

PatchHistory
– Computer_Idn, PatchHistory_Idn, Patch, ActionDate, Message

PatchTrend – Populated when you run Gather Historical Information
– PatchTrend_Idn, Vulnerability_Idn, Detected, Scanned, Repaired, RepairFailures, LogDate

Vulnerability
– Vulnerability_Idn, CVE_ID, Vul_ID, PublishDate, Title, Lang, Severity, Vendor, Status, Type, Fixable, CanRunSilent

Misc
Query (shows the SQL behind GUI-based queries)
– Query_Idn, Name, Filter, QuerySQL

Computer
– Computer_Idn, DeviceName, LoginName, HWLastScanDate, SWLastScanDate, VALastScanDate, PrimaryOwner, DomainName, Workgroup

Landesk
– Computer_Idn, Landesk_Idn, ClientConfigurationName, ConfiguredOn

LocalGroups
– Computer_Idn, LocalGroups_Idn, Name, Members

LocalUsers
– Computer_Idn, LocalUsers_Idn, Name, FullName, Description
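Two queries against the tables listed above, added here as an example (not from the original post or from LANDesk): the first lists open vulnerabilities per device for the "narrow your target" approach, the second finds devices still needing the Adobe Reader 9.3 package from the walkthrough. They assume a SQL Server core database; the meaning of PatchInstallSucceeded and Severity, and AcroRd32.exe as the Reader executable name, are assumptions to verify against your schema.

```sql
-- Query 1: devices with detected vulnerabilities that have not been remediated,
-- most severe first. Assumes a ComputerVulnerability row whose
-- PatchInstallSucceeded is NULL or 0 is still open, and that lower Severity
-- values are more severe (verify both against your schema before acting).
SELECT
    c.DeviceName,
    c.LoginName,
    c.VALastScanDate,      -- how fresh the detection data is
    v.Vul_ID,
    v.CVE_ID,
    v.Title,
    v.Vendor,
    v.Severity,
    cv.DateDetected,
    cv.PatchInstallStatus
FROM ComputerVulnerability cv
JOIN Vulnerability v ON v.Vul_ID = cv.Vul_ID
JOIN Computer      c ON c.Computer_Idn = cv.Computer_Idn
WHERE cv.PatchInstallSucceeded IS NULL
   OR cv.PatchInstallSucceeded = 0
ORDER BY v.Severity, cv.DateDetected;

-- Query 2: devices whose inventoried Adobe Reader is not a 9.3 build, i.e. the
-- targets for the 9.3 MSI/MST package. Uses the AppSoftware view; AcroRd32.exe
-- is the Reader executable, and the LIKE test assumes the dotted version string
-- the inventory scanner records (check one known-good 9.3 device first).
SELECT
    c.DeviceName,
    s.Version,
    s.Path,
    s.SCM_LastUser,
    s.SCM_DaysSinceLastUsed  -- unused copies may be better removed than patched
FROM AppSoftware s
JOIN Computer c ON c.Computer_Idn = s.Computer_Idn
WHERE s.Filename = 'AcroRd32.exe'
  AND s.Version NOT LIKE '9.3%'
ORDER BY s.Version, c.DeviceName;
```

Run both queries read-only against a copy or with a read-only login; the same column set can be used to build the GUI query whose SQL appears in the Query table above.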

Tying management tools to a platform

November 2, 2009
(This was originally posted in February 2009, reposted here for archive)
—————————————
Microsoft OS market share declined in January 2009 (Apple market share has grown in 7 of the last 11 months). Internet Explorer market share is down to 66.7% (Firefox crossed the 20% threshold in December 2008).


Windows Mobile now sits in 4th place (behind Nokia, RIM and Apple) after a mere 2 years of the iPhone being on the market.

Microsoft Live Search continues to lag with single digit market share in Internet search.

—————————————

No, this is not a prediction of Microsoft’s demise.  Microsoft will be around for some time and anyway there are millions of Apple users, Firefox users and Bob Cringely to make those predictions.

What I am thinking about is the systems management marketspace and a question I would ask of Novell customers several years ago regarding Zenworks.

Why tie your systems management tools to your platform?  Or put another way:  if you decide to leave the Novell platform (as many companies were doing at the time), do you really want to be forced into ripping out your management platform at the same time?  (Zenworks was, and continues to be, tied at the hip to eDirectory, and removing the latter seriously debilitated the former.)

Your systems management tools should enable these inevitable transitions, not hinder them.  They should give you greater business agility, make your platform decisions easier to make, help you weather change, future-proof your business, free it rather than lock it in. Sure, your business may not be on the brink of making any decisions this bold (but wouldn't you like to hand your CFO that check?)  The numbers above show that choice continues e x p a n d i n g.  What if in 3 years your business wants to use something other than Active Directory?  Another collaboration vendor?  What if your departmental servers no longer ran Windows?  What if your organization no longer buys in to a Microsoft EA?  How many of the early transitions from GroupWise to Exchange were seen as flukes?


Technology naturally lends itself to self-contained ecosystems.  But your systems management tools belong on the outside.

Google Earth, monetization and dreamy platitudes

November 2, 2009

(This was originally posted in February 2009, reposted here for archive)

——————————————————————

CNBC ran a short segment today on the newest version of Google Earth (non-CNBC-related link here).  Their background on the tech was relatively light and the post-segment chatter focused on one word:  monetization.

It was CNBC, so this makes sense, but after several disparaging remarks about how researchers might use it (but who else really?) and how no revenue stream for it seemed likely, I was left thinking:

Can’t there be good tech that is good on the face of it and doesn’t require monetization?  Also, isn’t investment in the Google brand more tangible than in your average company?

Bagging on Google for being a one-trick ad pony has long been popular, right up there with Google as the next Evil Empire (the latter of these is likely to be true eventually, if history is any guide).  This comes with the territory of being top dog.  Someone will eventually be right and get to say I told you so.  So what?

My initial reaction was fostered by a desire to believe that a company can do something for the greater good without collecting more eyeballs, more personal information, more me.  That good will with your customers, your community can (and does) come back around in some karmic way.

But back to the brand investment bit.  Google's ad revenue and ~107bn market cap are the result of a mythos that their witchdoctor programmers know the secrets of turning chicken bones into 1's and 0's in a way no one else can (or will) figure out.

(For all I know they’re using some AI locked deep in a California fault line.  After all, it would be very American to take future alien technology and apply it to a search engine only to sell advertising.)

The point is that the mythology surrounding their search is a huge part of their brand.  Doesn’t cool tech like Google Earth build on that in spades?