Problem:
If you are using qualys or Nessus tool or other tool to detect vulnerabilities on windows machines ,this post might be helpful to you.
Recently ,our security team has reported that ,lot of servers are vulnerable for adobe flash player and claiming that, these servers are running lower version of Flash player.
When i look at one of the server ,i could not find adobe flash player installed. If there are no application installed, there is no way for SCCM to detect the flash player components are running lower version (we do 3rd party patching as well) and you cannot patch/update flash either using manual method /patching/software distribution.
So i requested security team to provide more information about the detection criteria that is being used to detect the vulnerabilities for flash player.
They come with detection rule saying ,the file version flash.ocx is running low version in C:\windows\System32\Macromed\Flash.
So i look at C:\windows\System32\Macromed\Flash and tried to delete the files because there is no flash player installed ( verified from programs and features). I could not delete the files directly from the folder to match with qualys results.
But what i found is ,an applet in control panel with flash player created as well which is weird to me.
I tried downloading the latest adobe flash version and tried installing but could not go through it (installation did not happen as it says ,server 2012 R2 don't need flash player).
Nothing worked for me until here ,so i dig deeper to identify the reason for creating this folder structure and also applet in control panel.After some time ,found that ,it is coming from desktop experience feature that got installed with OS build image.
So ,i tried to remove the desktop experience feature manually from roles and features ,reboot the server (Reboot is mandate for this feature removal).
After the removal of the feature ,Flash player and the files in flash folder are disappear.
Now ,how do i know the list of servers that has desktop experience feature installed on server and how to remove it through automation ?
Solution:
I use SCCM compliance baseline to identify the list of servers that had desktop experience feature installed .If the role is installed ,you can remove the role as part of remediation script or get list of servers and then create a batch file to remove the role and reboot during the maintenance window.
Using configmgr, we can use compliance item by passing simple script that will check for the desktop experience roles ,if feature installed then output results as Non-compliant (server is vulnerable) and if not installed, output as COMPLIANT (server non vulnerable)
All you need is script to check for desktop experience feature ,if you are looking for other roles and features, feel free to modify it as per your needs.
If you are looking for other roles and features, open the powershell cmd ,import servermanager module and run the following powershell cmd to list the windows roles/features on the server
Get-WindowsFeature
The list above are installed server roles and features .If you are looking for specific name ,pick it from the Name column to check for the installed status.
In this blog post, am not going with remediation script .what it means is ,if the specific role/feature that you are looking is found ,run the remediation script like remove the role from the server to fix it.
How to create configuration item/compliance baseline ?
Follow my blog post to create Configuration item http://eskonr.com/2016/08/sccm-configmgr-how-to-clean-ccmcache-content-older-than-x-days-using-compliance-settings/ , but just replace the discovery script with below powershell script (no remediation script is needed)
Import-module servermanager
$DE=(Get-WindowsFeature -name desktop-experience).Installed
If ($DE -notlike "Installed")
{
write-output "True"
}
else
{
write-output "False"
}
Compliance Rule:
Create Configuration baseline ,deploy to collection that you are interested to find the desktop experience feature installed or not.
This is only to discover the list of servers with this feature installed. Once you get the list server that are non-compliant ,create collection and a simple package with following command line and deploy to the collection .
Once the package run on the server ,it wont reboot the server immediate rather, it wait for the maintenance window for reboot which will happen anyway with schedule reboot.
Powershell.exe -ExecutionPolicy Bypass -command Remove-WindowsFeature -Name Desktop-Experience
Hope it helps!
