Good insight into the software landscape is valuable for CIOs and CISOs. Do we have SolarWinds, which version, and on which server? These questions have most probably been raised by many people over the last few months.
The majority of the workforce is, in Corona time, working from home on their laptops. Do we know what software they have installed on those laptops? Can we reduce license costs, and are we actually compliant?
From a security perspective especially, this is important to know. Laptops at home are increasingly part of the attack surface. Have people installed software that is not allowed, or that is insecure? Are all patches actually installed, as reported by our systems management tooling?
Of course, third-party Software Asset Management tooling is available on the market to do the job. However, these tools are quite expensive and not simple to deploy and configure, and for smaller companies they may be a bridge too far.
For some time I had been wondering whether this was also possible with simple, native Microsoft technology.
A small advantage of the lockdown period is that you have some more time to experiment. So I have tested the software inventory solution below, built with native Microsoft technology, which can be used on on-premises servers, servers hosted in Azure, and desktops/laptops.
Step 1 – Set up an Azure Log Analytics workspace to store data
To capture and store the monitoring data you need an Azure Log Analytics workspace. It can be created easily in Azure, and in the workspace you can find your Workspace ID and keys. The ID and key must be supplied when installing the Azure Monitor client (step 2) so that the data can be uploaded into the workspace. You can manage monitoring agents from this workspace as well. What about the costs of this service? There are only Azure storage costs: you are charged on the amount of data stored in your Log Analytics workspace.
Step 2 – Install the Azure Monitor client, which does the trick
With Azure Monitor you can collect, analyse, and act on telemetry data from your Azure and on-premises environments. The Microsoft monitoring client can be easily installed on on-premises servers and on your desktops and laptops. It is also available on Azure virtual hosts, and you can deploy the client to guest VMs as well. Installation of the client is extremely easy and can be done unattended.
The good news is that there are no license costs for deploying the Azure Monitor client. The client can be installed on both Windows and Linux hosts. There is also no requirement for a dedicated network connection to Azure: internet access from the client is sufficient to upload data into Azure.
Step 3 – Create an Azure Automation account to collect data
The last step is to create an Azure Automation account. This account triggers the data collection from the clients. In the Configuration Management section of the Automation account you can see your Azure and non-Azure machines and get the full software inventory. You can perform change tracking and search for specific software, executables, registry settings, and services.
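The three steps above can also be scripted. The following is an added example written for this article, not code from the original post or from Microsoft; it uses the Az PowerShell module and assumes `Connect-AzAccount` has already been run. Resource names, the region and the installer paths are hypothetical placeholders, and the `Set-AzOperationalInsightsIntelligencePack` call for enabling the Change Tracking solution is my assumption of how the portal's "Enable" button is scripted. The step 2 part runs on the Windows endpoint being inventoried (or is pushed there by your deployment tooling); note that this is the Log Analytics (MMA) agent in use when the post was written, which Microsoft has since retired in favour of the Azure Monitor Agent, so check current guidance before rolling it out.

```powershell
# Added example: provisioning workspace, agent and automation account with Az PowerShell.
# Assumes Connect-AzAccount has been run. Names, region and paths are placeholders.
$rg     = 'rg-software-inventory'
$loc    = 'westeurope'
$wsName = 'law-software-inventory'
$aaName = 'aa-software-inventory'

New-AzResourceGroup -Name $rg -Location $loc -Force | Out-Null

# Step 1: Log Analytics workspace. The pay-as-you-go SKU bills on the data you keep.
$ws   = New-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $wsName -Location $loc -Sku 'PerGB2018'
$keys = Get-AzOperationalInsightsWorkspaceSharedKey -ResourceGroupName $rg -Name $wsName
$workspaceId  = $ws.CustomerId            # the "Workspace ID" shown in the portal
$workspaceKey = $keys.PrimarySharedKey    # authorises ingestion: handle it like a password, rotate if it leaks

# Enable Change Tracking and Inventory on the workspace (assumption: this is the scripted
# equivalent of enabling Inventory in the portal). It populates ConfigurationData / ConfigurationChange.
Set-AzOperationalInsightsIntelligencePack -ResourceGroupName $rg -WorkspaceName $wsName `
    -IntelligencePackName 'ChangeTracking' -Enabled $true | Out-Null

# Step 2: unattended agent install. Runs ON the Windows machine being inventoried.
# MMASetup-AMD64.exe is the installer downloaded from the workspace's "Agents management" blade:
# "/c /t:<dir>" extracts it, then setup.exe is run silently with the workspace ID and key.
$installer = 'C:\Temp\MMASetup-AMD64.exe'     # hypothetical download location
$extract   = 'C:\Temp\MMA'
Start-Process -Wait -FilePath $installer -ArgumentList "/c /t:$extract"
$setupArgs = "/qn NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 " +
             "OPINSIGHTS_WORKSPACE_ID=`"$workspaceId`" OPINSIGHTS_WORKSPACE_KEY=`"$workspaceKey`" " +
             "AcceptEndUserLicenseAgreement=1"
# The key is visible on the command line while setup runs; prefer pushing this through your
# deployment tooling rather than leaving it in a shared script.
Start-Process -Wait -FilePath (Join-Path $extract 'setup.exe') -ArgumentList $setupArgs

# Step 3: Automation account. Linking it to the workspace and enabling Inventory for the
# reporting machines is done in the portal (Automation account > Inventory), as in the post.
New-AzAutomationAccount -ResourceGroupName $rg -Name $aaName -Location $loc | Out-Null
```

The agent starts reporting within minutes of step 2; the first software snapshot appears in the Automation account's Inventory view once that machine is enabled there.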
If you need more insight you can write your own queries in Log Analytics. You can also run queries from, or import data into, Excel or Power BI, enrich the data with for example the CMDB, and build management dashboards.
Last but not least, the Update Management section of the Azure Automation account shows whether machines are patched properly.
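As an added example (not from the original post or from Microsoft) of the custom queries and the patch check mentioned above, here are three KQL queries that answer the questions the post opens with, run from PowerShell so the results can be handed straight to Excel or Power BI. It assumes `Connect-AzAccount` has been run, `Az.OperationalInsights` is installed, and `$workspaceId` holds the Workspace ID; the table and column names are those of the Change Tracking and Update Management solutions (`ConfigurationData`, `ConfigurationChange`, `Update`), and "SolarWinds" is simply the product the post itself asks about.

```powershell
# Added example: answering the post's questions with KQL from PowerShell.
# Assumes Connect-AzAccount and $workspaceId (the Log Analytics Workspace ID).

function Invoke-InventoryQuery {
    param([string]$WorkspaceId, [string]$Query, [int]$Days = 7)
    $resp = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $Query `
                -Timespan (New-TimeSpan -Days $Days)
    return $resp.Results
}

# 1. "Do we have SolarWinds, which version and on which server?"
#    Inventory rows are periodic snapshots, so keep only the latest row per machine and product.
$qSoftware = @'
ConfigurationData
| where ConfigDataType == "Software"
| where SoftwareName has "SolarWinds"
| summarize arg_max(TimeGenerated, *) by Computer, SoftwareName
| project Computer, SoftwareName, CurrentVersion, Publisher, LastSeen = TimeGenerated
| order by Computer asc
'@

# 2. "Have people installed software which is not allowed?" Installs and removals in the last day,
#    from change tracking rather than the snapshot, so short-lived installs are not missed.
$qChanges = @'
ConfigurationChange
| where ConfigChangeType == "Software"
| where ChangeCategory in ("Added", "Removed")
| project TimeGenerated, Computer, ChangeCategory, SoftwareName, Previous, Current
| order by TimeGenerated desc
'@

# 3. "Are all patches actually installed?" Machines still missing security or critical updates.
$qMissingUpdates = @'
Update
| where UpdateState == "Needed" and Classification in ("Security Updates", "Critical Updates")
| summarize MissingUpdates = dcount(Title), LastAssessed = max(TimeGenerated) by Computer
| order by MissingUpdates desc
'@

$software = Invoke-InventoryQuery -WorkspaceId $workspaceId -Query $qSoftware
$changes  = Invoke-InventoryQuery -WorkspaceId $workspaceId -Query $qChanges -Days 1
$patches  = Invoke-InventoryQuery -WorkspaceId $workspaceId -Query $qMissingUpdates -Days 1

$software | Format-Table -AutoSize
$changes  | Format-Table -AutoSize
$patches  | Format-Table -AutoSize

# CSV is the lowest-friction hand-off to Excel / Power BI or for enrichment against the CMDB.
$software | Export-Csv -Path '.\solarwinds-inventory.csv' -NoTypeInformation
```

The `arg_max` step matters: without it every snapshot of the same machine shows up as a separate row and a product that was removed last week still looks installed. The change query, by contrast, reads the `ConfigurationChange` table, which is where a short-lived or non-approved install is visible even if it no longer appears in the current inventory.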
There are Azure costs involved for the configuration management pull service and the change tracking capabilities of the Azure Automation account. Billing is based on the number of nodes registered with the service and on the log data stored in the Azure Log Analytics service. The good news is that Azure nodes are free of charge; only non-Azure nodes are charged per node. Update Management is also free of charge, so there you only pay for storage consumption.
Every organisation should nowadays have a software inventory capability in place. With one click, and within minutes, you want to know what software is actually installed on Windows servers, Linux servers, and your desktops and laptops.
This is also possible with native Microsoft technology, and it is very straightforward to deploy.
The only prerequisite is that you have an Azure subscription. The cost of this solution depends on the amount of data stored and on the number and type of nodes. Compared to software inventory tooling it is, for most use cases, a low-cost solution.
If you would like to read a Microsoft tutorial and experiment yourself, please see this link. If you have a question, feel free to reach out.