Why do I need an SCCM vulnerability assessment?

SCCM is a popular and very powerful systems management tool. It can execute code in a highly privileged context on a vast number of systems within the organizations that use it. Systems management tools are typically exempted from several other built-in security mechanisms; examples include, but are not limited to, User Account Control and Windows Defender Application Control.

All of the above has led a number of security researchers to focus on SCCM as a potential way of gaining a foothold within a company. This focus has resulted in a number of publicized items around SCCM security:

  • DefCon presentation: “Owning one to rule them all”
  • PowerSCCM: PowerShell module focusing on SCCM for attack & defense
  • Several blog posts around the same theme

The omnipresence of SCCM as the systems management tool of choice is bound to attract more security research in the future. The product team at Microsoft is aware of the situation described and has introduced a number of increased security controls in recent versions. The rapid release cadence (SCCM receives a new version every 4 months) has a lot to offer. In OSCC’s experience, though, a lot of these increased security controls are neglected, because organizations don’t know about them or have trouble analyzing their impact and importance.

Vulnerability assessment vs penetration test?

This offer is not a penetration test. Read-only access to the environment and SCCM-related components is requested at the start of this engagement. The intent of this offer is to identify vulnerabilities in the configuration and operation of SCCM. A lot of effort is spent to avoid false positives, but this is done without trying to validate whether the vulnerabilities can effectively be abused. The vulnerabilities found are categorized and provided with detailed explanations and possible remediations.

In contrast with most vulnerability assessments, however, this is an assessment tailored to the customer’s environment, as opposed to typical automated vulnerability assessments. The value in this assignment is delivered by the wealth of knowledge possessed by the OSCC consultants who deliver the assignment and author the report.

How does OSCC qualify for an assignment like this?

OSCC is driven by 2 senior consultants with a strong focus on understanding how the technologies they consult on work under the hood. Both have been awarded the Microsoft MVP award with one of them being an award holder for 15 years in a row. This drive has resulted in multiple deep dive presentations at multiple events around subcomponents of SCCM. These sessions have led to a wealth of info on internal SCCM operations.

OSCC has worked at close to 100 different customers of different sizes, across different private and public sectors over the years. This has resulted in a ton of experience working with SCCM and has provided a lot of insight into how organizations operate their SCCM environments.

What’s in scope of this Vulnerability assessment?

The scope is largely focused on SCCM, which includes:

  • Site Server configuration
  • SQL Server configuration
  • Content source access
  • Site System configuration
  • Software Updates and processes
  • Network communication between different SCCM components
  • Client configuration
  • Uptake of new Security features delivered by the SCCM product team

All the above is checked for common configuration shortcomings and proper security hygiene.

What are the deliverables at the end of the assignment?

The main deliverable is a “Call to action” document that is discussed with the customer’s Desktop and Server management teams. The Call to action document lists the items found, qualifies and describes them, and offers remediations.

How much does an SCCM vulnerability assessment cost?

A security review conducted by one of the 2 MVPs qualified to deliver this assignment is priced at 4.950€.
