The intention of this guide is to give instructions on how to adjust the settings and configurations of RMS Security Patch Manager in order to use the RayManageSoft Security Analyzer (RMSSA) scan technology. RMSSA has to be used to deploy security patches to managed devices running Windows 8 or Windows Server 2012.
Please follow the step-by-step description to make sure all parts of the Security Manager environment are prepared correctly.
Prerequisite software
RMSSA is part of the Security Patch Management extension to RayManageSoft 10.x. Therefore Security Patch Manager has to be installed on your RMS 10.x administration server to enable the usage of RMSSA.
Managed devices that are about to run RMSSA have to be equipped with the following software and configuration:
- .NET Framework 4.0 must be installed
- Windows Update Agent (WUA) must be installed
- Windows update service (wuauserv.exe) must be running
Download the Security Analyzer package into the software library
RMSSA for Managed Devices is wrapped into a software package Raynet provides free of charge. You can download it from the RayManageSoft Third Party Prerequisite servers.
To do so:
1) Launch your Deployment Manager Administration Console.
2) Open the Deployment Manager Configuration:
- Select the Settings node from the console tree
- Call the advanced tab
- Use the Open advanced settings of Deployment Manager button
The Deployment Manager Configuration Console launches.
3) Select Third Party Prerequisite Downloader from the console tree.
4) From the details pane on the right-hand side, select URL to package index.
5) Set the value to http://raymanagesoft.com/support/PackageIndexRMSSA.xml as displayed in the screenshot below.
6) Click OK to save the new URL.
7) You can close the Deployment Manager Configuration Console now.
8) Return to the Deployment Manager Administration Console to download the RMSSA and prerequisite packages
- Select the Security node
- Call the options tab
- Use the DOWNLOAD PREREQUISITES button
- Within the Download and import third-party prerequisites window, RMS Security Analyzer along with other prerequisite packages are available.
- Activate the checkbox left of the package name
- Click OK to save your changes.
9) Deployment Manager immediately starts to download and import the package.
10) Once the download and import packages wizard is completed, click Finish.
The RMS Security Analyzer package is available within the software library.
Distribute RMS Security Analyzer to managed devices
RMS Security Analyzer is executed on managed devices. You can deploy the package using the Deployment Manager distribution hierarchy.
To do so:
- Select the Software node from the Deployment Manager Administration Console.
- Within the software library, navigate through the package tree as shown in the screenshot below.
- Select the Security Analyzer project.
- Use the MORE button within the side-bar on the right, and select Pack from the options menu to pack the project files.
- Use the DISTRIBUTE button within the side-bar on the right.
The Package Distribution Wizard is displayed.
Follow the steps of the wizard and target all distribution locations and groups that host managed devices you want to run RMSSA on. - Once the Package Distribution Wizard is completed, use the MORE button within the side-bar on the right again, and select Add to policy from the options menu.
- Follow the steps of the wizard.
Add the RMS Security Analyzer to the schedule you use for security patch distribution. Make sure that it placed on the first position within all packages and security patches that have been added to the policy. - Return to the software library, and navigate through the Security patches branch to access the project files for Security Patch Settings for Microsoft Windows. This settings package is required to deploy the Wsusscan.cab to the managed devices.
Repeat steps 4 – 7 to add the security settings package to policy.
The settings package should be placed on the second position within the packages added to the security patch deployment policy.
Update Managed Device settings
You have to advise managed devices to use RMSSA instead of the default MBSA scan tool. This is accomplished by updating the standard configuration Deployment Manager defines within managed device settings packages.
To do so:
1) Open the Managed Device Settings Console:
- Select the Devices node from the console tree
- Call the settings tab
- Use the Open settings editor button
The Managed Device Settings Console is displayed.
2) You have to edit the default settings package:
- From the console tree on the left, select Managed Device Default Configuration
- Within the details pane, click Edit this package
The list of available settings is displayed within the details pane.
3) Scroll down until you reach the Security Management Agent node, and expand the it.
4) Click on the Patch Management item.
5) Within the settings list below the tree structure:
- Select Patch Compliance command line
- Click Add -> to make its value editable within the window on the right-hand side.
- Click on the current content of Patch Compliance command line within the value column
- Replace it with
"$(Programfiles)\Raynet\RMS Security Analyzer\RMSSA.exe" "$(SysDirectory)\config\systemprofile\Appdata\SecurityScans\mbsaresults.xml.mbsa" "$(WSUSSCANPATH)" "$(SecurityUpdatePath)"
Please make sure to copy the value inclusive of quotation marks and blanks between the three parts of the expression.
6) Save your changes by using the Save this package button above the settings tree structure within the details pane.
7) You have to distribute the changed settings package to the managed devices. To do so, use the Distribute this package button from the details pane as shown in the screenshot below.
The Managed Device Settings Distribution Wizard is displayed.
8) Follow the steps of the wizard and target all distribution locations and groups that host managed devices you want to run RMSSA on.
9) Once the wizard is complete, you can close the Managed Device Settings Console.
Update and deploy the security patch management policy
You have already added the required software and security settings packages to the security management policy. Now you have to add the default managed device settings package to your ManageSoft Default Configuration Policy and distribute both policies to finish the RMSSA setup process.
Please note that this description is based on a Deployment Manager configuration that includes the Enhanced Policy Editor. If your license does not cover this feature, consult the RayManageSoft documentation, especially the Deployment policies chapter of the Software Deployment Guide for a detailed description of how to add items to policy.
To update and distribute the ManageSoft Default Configuration Policy:
1) Return to the Deployment Manager Administration Console.
2) Select the Policies node.
3) Within the list of policies displayed in the policies overview tab, select your ManageSoft Default Configuration Policy.
4) Use the EDIT button from the side-bar on the right.
The policy editor is displayed.
5) From the summary page, click the packages tile.
6) Use the ADD… button above the list of packages and select Managed Device Settings from the options menu.
The Add To Policy wizard is displayed.
7) On the Select Managed Device Settings page, activate the checkbox for the Managed Device Default Configuration package.
8) Click NEXT to proceed.
A dialogue is displayed to make sure you want to overwrite the existing Managed Device Default Configuration package.
9) Click OVERWRITE EXISTING to proceed.
10) In turn, click NEXT, PROCESS and FINISH on the displayed pages to finish and exit the Add To Policy wizard.
11) Within the re-displayed policy editor dialogue for the ManageSoft Default Configuration Policy, click CLOSE.
The policies overview is re-displayed.
12) Select the ManageSoft Default Configuration Policy and use the DISTRIBUTE button from the side-bar on the right.
The Policy Distribution Wizard is displayed.
13) Follow the steps of the wizard to distribute the policy to managed devices.
To update and distribute the security patch management policy:
1) Return to the Deployment Manager Administration Console.
2) Select the Policies node.
3) Within the list of policies displayed in the policies overview tab, select your security patch management policy.
(The name of this policy depends on your individual Security Manager policy setup.)
4) Use the DISTRIBUTE button from the side-bar on the right.
The Policy Distribution wizard is displayed.
5) Follow the steps of the wizard to distribute the policy to managed devices.
Your basic RMSSA setup is completed.
What’s next?
According to your distribution settings, packages and policies are on their way through the distribution hierarchy to take effect on managed devices. You can monitor the results within the Reports node of the Deployment Manager Administration Console. Refer to the Reporting chapter of the Software Deployment Guide on how to call the corresponding reports.
Please make use of the other articles available from the RayManageSoft knowledge baseand refer to the RayManageSoft product documentation, which was delivered along with your RayManageSoft installation resources.
Contact our support team via support@raynet.de if you encounter issues regarding this document or the setup process itself.
Comments