Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?
-
And remember auditors are not IT. Most of them don't know their ass from a hole in the ground.
They just click buttons in the order they are told.
-
@jaredbusch said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
And remember auditors are not IT. Most of them don't know their ass from a hole in the ground.
They just click buttons in the order they are told.
This too is true.
Unfortunately it's now on you to prove that the auditors assessment is flawed, by proving you're systems are secured from the oldest threats.
-
@emad-r said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
it is time for action I would request helpers even as a daily worker for day or 2, and have them each take 50 machines each and
What version of Windows?
-
@dave247 said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
Results came back for around 150 systems and there was something like 500 vulnerabilities, 80% of which were missing critical Windows OS patches.
Boy it seems a lot of people read this and assumed this was 150 Servers (I know JB didn't assume this).
What is the break down of servers vs desktops?Windows 10 has had the cumulative updates since very early in it's life, if not from the very beginning. Windows 7 and 8(8.1) moved to cumulative updates sometime after Aug 2016. If the missing updates are from before that timeframe on those OSes, they definitely could be missing.
-
@dashrender said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@dave247 said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
Results came back for around 150 systems and there was something like 500 vulnerabilities, 80% of which were missing critical Windows OS patches.
Boy it seems a lot of people read this and assumed this was 150 Servers (I know JB didn't assume this).
What is the break down of servers vs desktops?Windows 10 has had the cumulative updates since very early in it's life, if not from the very beginning. Windows 7 and 8(8.1) moved to cumulative updates sometime after Aug 2016. If the missing updates are from before that timeframe on those OSes, they definitely could be missing.
I didn't assume that either...
-
@dave247 said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
Additionally, we used to have Kaspersky 8 AV installed which was so unbelievably fucked up... I think it was even managing our Windows updates at one time. Then when I ripped it out of our environment, I had to use their special uninstall tool in safe mode.. so God knows how that messed things up. Some of my servers and computers that used to have Kav can't even run Windows update themselves.
In a situation like that, did you look at creating a clean image and rolling that out instead? That would get you to a known good state and clear out any old crap. Sure, it's a hassle too - making sure people don't have stuff saved local, but it's also a good time to make sure people are saving their stuff to the network/cloud shares.
-
@dbeato said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
I didn't assume that either...
-
@dashrender said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@dave247 said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
Results came back for around 150 systems and there was something like 500 vulnerabilities, 80% of which were missing critical Windows OS patches.
Boy it seems a lot of people read this and assumed this was 150 Servers (I know JB didn't assume this).
What is the break down of servers vs desktops?Windows 10 has had the cumulative updates since very early in it's life, if not from the very beginning. Windows 7 and 8(8.1) moved to cumulative updates sometime after Aug 2016. If the missing updates are from before that timeframe on those OSes, they definitely could be missing.
The Cumulative Update for Windows 7 covered the old updates as well but what might be missing are the security updates that are separate from the Cumulative on WIndows 7 and 8.
-
Why would anyone assume it was 150 servers?
WSUS hits desktops and servers equally. . .
-
@dustinb3403 said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
Why would anyone assume it was 150 servers?
WSUS hits desktops and servers equally. . .
not sure why... I have about 10-15 servers and 200 Clients all with WSUS
-
@dbeato said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
Are you using automatic updates directly to Microsoft or WSuS right now?
In my original email, I say I am using a 3rd party software tool named DesktopCentral. It is a pretty nice tool as it has a load of inventory and management features which I've been learning for over a year now. However, I am in the works of setting up WSUS on a server to see how well that works in comparison.
-
@emad-r said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
Hi,
I came across many Third party tools to manage deploying updates on Windows but what I learned that you always need to double check, usually there is personnel in IT that does this called service desk (SD) that does this, in big IT company we have 3 teams:
Core Team (patching,storage,virtualization)
Network Team (VPN,network,)
SD (checkup on work of others, ticket handling, some patching, fixing some things that cannot be automated in scripts)since your a lone wolf, and you had this review lately from your auditor, what you need to do is quickly come up with systematic plan to approach deploying updates.
And do you really manage 150 VMs ? OSes ? Systems ? that sounds abit off with person with your experience in IT, usually system admins manage that amount, and that needs ~5 years in IT experience.
So back to your issue, what is your current way of handling and verifying updates ?
How many are the systems that you manage ? and what are there OSes ? are they virtualized ? or workstations ?How about researching more about Saltstack (SS), it is good way to manage Windows I have written a guide with examples, especially if your machines are all connected in LAN, or most of them.
There is nothing you cant do really with SS but it is free and dont have GUI you need to spend time and learn it.https://mangolassi.it/topic/14253/saltstack-windows-playbooks/7
And it is normal for AV to be hard to uninstall, they kinda protect the PC by defending their process and services in hard fashion, however I think there is an option in Kaspersky called self-defense, and if you disabled this, you can uninstall it easily:
https://support.kaspersky.com/12161My Top advice, the more you move your windows servers to Linux the more you relax in the future, and stop worrying, especially when it comes to deploying updates, did you know that Ubuntu Server Linux current update mechanism that it auto-installs security updates and you simply have to reboot the server every once in while, and that can be scheduled.
Also always RDP or VNC into that machine and double check that updates are successful and the services are started, you can consider using monitoring system.
But again it seems someone is over taxing you to be honest, I would sit back and plan using tools and many things, then when it is time for action I would request helpers even as a daily worker for day or 2, and have them each take 50 machines each and install Salt Minion on them for example , after I have setup salt master correctly and test it . And from there you can start really managing those machines.
Thanks... I am the sysadmin/IT administrator here. I manage about 15 VMs with vSphere and then we have about 15 physical servers. I am slowly virtualizing what I can as we go. I also have about 40 thin clients and 30 or so Windows 7 (and a few Windows 10) desktops.
-
@dashrender said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@dave247 said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
Additionally, we used to have Kaspersky 8 AV installed which was so unbelievably fucked up... I think it was even managing our Windows updates at one time. Then when I ripped it out of our environment, I had to use their special uninstall tool in safe mode.. so God knows how that messed things up. Some of my servers and computers that used to have Kav can't even run Windows update themselves.
In a situation like that, did you look at creating a clean image and rolling that out instead? That would get you to a known good state and clear out any old crap. Sure, it's a hassle too - making sure people don't have stuff saved local, but it's also a good time to make sure people are saving their stuff to the network/cloud shares.
Yeah I've considered it, but I honestly don't know how that would work here since we have a large mix of Dell desktop models as well as custom computer builds (previous sysadmins liked to order parts from NewEgg and build user's expensive computers). I can't just make a single image... I would have to make about 20 different images, and some of them I would only use once...
When I redo computers, I usually just put a new SSD in (if needed) and then manually install Windows and all the applications we need. I've done it enough times now that it only takes me like 20 minutes, minus the wait for Windows to get updated.
-
So, I'm guessing you aren't actually missing updates . nessus is probably looking at a reg key entries in addition to windows updates. Quite a few MS updates do requite additional configuration such as reg key changes.
You need to review "plugin output" for each vulnerabilities. This section of the report tells you exactly why you failed the particular check.
You can also view source code of each plugin. The plugins are usually VB or power shell scripts for windows machines.
-
Nessus is proprietary, something that doesn't fit with a security audit very well. I'd question the veracity of an auditing tool that we can't audit.
-
@dustinb3403 said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@jaredbusch said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
And remember auditors are not IT. Most of them don't know their ass from a hole in the ground.
They just click buttons in the order they are told.
This too is true.
Unfortunately it's now on you to prove that the auditors assessment is flawed, by proving you're systems are secured from the oldest threats.
Not really, put it on them. Ask them to show which things are missing since all patches are applied.
-
@scottalanmiller said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@dustinb3403 said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@jaredbusch said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
And remember auditors are not IT. Most of them don't know their ass from a hole in the ground.
They just click buttons in the order they are told.
This too is true.
Unfortunately it's now on you to prove that the auditors assessment is flawed, by proving you're systems are secured from the oldest threats.
Not really, put it on them. Ask them to show which things are missing since all patches are applied.
These audits always read as "it's on the customer to prove compliance, not the auditor to prove non-compliance"
Have you ever read one of these contracts from these auditors? They're as bad as the ToC from most big ISPs.
"You have to be available between 3AM and 9PM all of December so we can troubleshoot any cablebox issues"
http://4.images.southparkstudios.com/images/shows/south-park/clip-thumbnails/season-17/1702/south-park-s17e02c05-the-cable-company-runaround-16x9.jpg?quality=0.8 -
@dustinb3403 said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@scottalanmiller said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@dustinb3403 said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@jaredbusch said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
And remember auditors are not IT. Most of them don't know their ass from a hole in the ground.
They just click buttons in the order they are told.
This too is true.
Unfortunately it's now on you to prove that the auditors assessment is flawed, by proving you're systems are secured from the oldest threats.
Not really, put it on them. Ask them to show which things are missing since all patches are applied.
These audits always read as "it's on the customer to prove compliance, not the auditor to prove non-compliance"
Have you ever read one of these contracts from these auditors? They're as bad as the ToC from most big ISPs.
"You have to be available between 3AM and 9PM all of December so we can troubleshoot any cablebox issues"
http://4.images.southparkstudios.com/images/shows/south-park/clip-thumbnails/season-17/1702/south-park-s17e02c05-the-cable-company-runaround-16x9.jpg?quality=0.8There is nothing to prove, then. Just say "audit is wrong." You can't prove the negative. It's not possible. Just point out that htere is nothing to prove and it's done.
-
You could sort of double check the results yourself by installing the free openvas vm appliance and scanning a few systems to see if the results are similar to Nessus' results. It only takes a few minutes to setup a basic scan
-
@irj said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
So, I'm guessing you aren't actually missing updates . nessus is probably looking at a reg key entries in addition to windows updates. Quite a few MS updates do requite additional configuration such as reg key changes.
You need to review "plugin output" for each vulnerabilities. This section of the report tells you exactly why you failed the particular check.
You can also view source code of each plugin. The plugins are usually VB or power shell scripts for windows machines.
I remember our Windows guys complaining about this.