ABC, Incorporated had identified the need to strengthen their current methodologies of ensuring that all applicable critical and security patches were being deployed and applied. The company believed that this objective would build a solid foundation to further mature its’ IT security practices. In order to facilitate that objective, the company developed five specific goals for this project: 1. Create a functional SCCM infrastructure to facilitate the automation of deploying security patches 2. Identify the current patching compliance of ABC’s deployed workstations and servers against applicable Microsoft critical and security updates 3. Remediate identified deficiencies to bring patching compliance up to an acceptable standard
4. Ensure continued compliance to set standards and facilitate reporting and monitoring 5. Develop guidelines for IT administrators to follow which will ensure future changes within ABC Inc.’s network footprint will conform to established software patching practices Each successful completion of a goal led successive completion of the next goal in a phased manner. If any goal could not be successfully reached, the next tasks could not be started. During this project, all stated goal were realized, leading up the full successful completion of the project. The goals and their associated objectives are delineated as follows” Create a functional SCCM infrastructure to facilitate the automation of deploying security patches
The company recognized that the first step to successfully automating its processes was to ensure a good foundation. To successfully accomplish that goal, the following individual objectives were completed: Created network information documentation and diagram
Created Active Directory infrastructure documentation and diagram Identified individual sites and population of users and systems at each site Determined number of servers required to deploy SCCM infrastructure Identified TCP/IP information for each server
Determined naming convention for SCCM servers
Determined minimum software and hardware requirements for SCCM site servers Designed SCCM systems architecture
Identified boundaries for use within SCCM management and discovery Obtained servers in required quantity meeting established hardware and software specifications Loaded operating systems on provided servers
Created Active Directory SCCM groups
Created Active Directory Service Accounts
Applied required permissions for SCCM site servers to Active Directory containers Added SCCM site server and SCCM administrator group as “local administrator” on SCCM servers Downloaded and installed SCCM software on servers
Configured discovery on site server
Configured boundaries and boundary groups on site server
Configured client installation for pushing SCCM Client software Pushed client software to discovered workstations and servers, checked error logs, and corrected any identified problems Installed WSUS Update Services role on Software Update Point server and verified that patches synchronized with Microsoft Configured Distribution Point servers, checked error logs, and verified Distribution Point installation Installed the Management Point server, configured and checked logs for errors Installed the Reporting Service Point server, configured it and checked logs for errors Installed Asset Intelligence Point server, configured it and checked logs for errors Configured Software Inventory, verified and tested configurations Configured Hardware Inventory, verified and tested configurations Configured Remote Services and checked logs for errors
Configured and verified SCCM reporting
Added primary site server and SQL database to backup scheme
Verified all systems had successfully reported to SCCM primary site server Checked hardware and software inventory for all servers and workstations Validated remote functionality through SCCM Verified successful backup of primary site and SQL database All of the objectives supporting this goal were met, although there were some minor issues during software deployment that caused a deviation from the planned timeline. As a result of incorporating Configuration Manager into the network, deficiencies outside the scope of the initial project were identified, assessed and documented. Utilizing the deployment steps documented on www. windowsnoob.com (Brady, 2011) as a guide, the process went very well. The successful achievement of this goal was a prerequisite for starting on the remaining goals. Identify the current patching compliance of ABC’s deployed workstations and servers against applicable Microsoft critical and security updates This goal was to set a benchmark to measure the return on investment for the project.
To identify the current compliance, the team needed the working SCCM infrastructure set up during the previous goal completion. Also needed was configuration of the SCCM environment in a manner tailored to take advantage of the built-in reporting while ensuring the capture of all the required data points. To accomplish that, the following objectives were identified and accomplished: Created a query based device collection for all discovered servers Created a query based device collection for all discovered workstations Created software update groups for each calendar year from 2003 until current Utilized the software update catalog within SCCM, identified all required and previously applied patches and added them to the appropriate software update group based on date released Created software update group containing all updates listed in previously created groups Downloaded each annual software update group as an individual deployment package and deployed to all SCCM Distribution Points Performed baseline reporting of overall server compliance and exported for record Performed baseline reporting of overall workstation compliance and exported for record These objectives were successfully accomplished without exception.
During this stage, ghost systems within active directory were identified and removed. This discovery was not expected, but the team dealt with it in stride and documented the underlying cause for resolution after the project reached closure. Remediate identified deficiencies to bring patching compliance up to an acceptable standard Working towards this goal was the heart of the project. All the previous work done was in support of patching systems with overdue security and critical patches. The entire project team kept track of this progress, even on their own time, as the successful progression of these objectives provided validation they had done their job correctly on their previous responsibilities. The steps to reach a successful conclusion of this goal were documented as well, with the list of completed supporting objectives being: Developed email template for notification to users of possible system outages and unavailability due to patching Developed and published schedules for weekly and monthly patching Set appropriate maintenance windows for weekly and monthly software patching based on established schedule Deployed each software update group to the servers device collection as “available”
Deployed each software update group to the workstations device collection as “required” Performed periodic reporting of status for each deployment from initiation through deployment deadline and export for record Performed post-deadline reporting of overall compliance and export for record Performed post-deadline reporting for each annual software update group and export for record Ensure continued compliance to set standards and facilitate reporting and monitoring Completion of this goal meant leveraging the deployment automation features native with SCCM. This was another area where preplanning and documentation paid huge benefits for the successful outcome of the overall project. Armed with a checklist of exactly what they aimed at accomplishing, project team members successfully executed and documented the following objectives: Developed and published Automatic Deployment Rule for weekly updates to workstations Defined and documented the previous process
Developed and published Automatic Deployment Rule for monthly updates to servers Defined and documented the previous process
Developed and published Automatic Deployment Rule for zero-day patches Defined and documented the previous process
Documented methods and available reports to determine current overall compliance Documented methods and available reports to determine compliance against specific deployment Much like the goals accomplished before this one, this goal was successfully met. All of the Automatic Deployment Rules were set up and tested. Full documentation of their creation was recorded and provided as deliverables at project closure. The realization of this goal also led to reassurance and confidence from the IT staff that the hard work completed in this project would not go to waste, but would be easily managed for continued success.
Develop guidelines for IT administrators to follow which will ensure future changes within ABC Inc.’s network footprint will conform to established software patching practices The successful completion of this goal meant building a guidebook for the company’s administrators to follow. While some reoccurring tasks are well documented elsewhere, the intent of this goal was to provide a beginning for the administrators to flesh out with additional guides and procedures identified as they manage the system. To meet his goal successfully, the project team addressed and completed the following supporting objectives: Documented procedures for removing expired updates from SCCM update catalog Documented procedures for end of calendar year processes including management of software update groups, deployment packages, and automatic deployment rules Documented procedures to create automatic deployment rules
These documented procedures were developed and approved during the project, and were handed off as deliverables during the project closure meeting. System Center Configuration Manager is a very fully featured software set with enough bells and whistles to keep any administrator busy for many years. The document created provided a quality standard for the administrators to follow. When called upon to document their other processes, the guides provided as a result of this project will continue to provide a standardized templates for them to follow.