Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?

Dashrender

@stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@momurda said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@stacksofplates Is there a list somewhere of what registry changes need to be made on each computer after installing these patches from MS? It certainly isnt mentioned in WSUS or Windows Update. I thought that was the point of the constant rebooting.

I’d have to dig through their logs. That’s why they were so surprised. It’s not listed anywhere but these reg entries needed added or modified.

OR Nessus needs to find another way to verify that the patch is installed.

stacksofplates

@dashrender said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@momurda said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@stacksofplates Is there a list somewhere of what registry changes need to be made on each computer after installing these patches from MS? It certainly isnt mentioned in WSUS or Windows Update. I thought that was the point of the constant rebooting.

I’d have to dig through their logs. That’s why they were so surprised. It’s not listed anywhere but these reg entries needed added or modified.

OR Nessus needs to find another way to verify that the patch is installed.

That’s not how it verifies. There were strings in keys that needed modified. Like one string had a space that needed quoted because it created some vulnerability without quotes. I’ll have to talk with some of those guys and get some examples since I don’t do anything with Windows.

dave247

@dustinb3403 said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@scottalanmiller said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@dustinb3403 said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@jaredbusch said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

And remember auditors are not IT. Most of them don't know their ass from a hole in the ground.

They just click buttons in the order they are told.

This too is true.

Unfortunately it's now on you to prove that the auditors assessment is flawed, by proving you're systems are secured from the oldest threats.

Not really, put it on them. Ask them to show which things are missing since all patches are applied.

These audits always read as "it's on the customer to prove compliance, not the auditor to prove non-compliance"

Have you ever read one of these contracts from these auditors? They're as bad as the ToC from most big ISPs.

"You have to be available between 3AM and 9PM all of December so we can troubleshoot any cablebox issues"
http://4.images.southparkstudios.com/images/shows/south-park/clip-thumbnails/season-17/1702/south-park-s17e02c05-the-cable-company-runaround-16x9.jpg?quality=0.8

aaaaahahahahahahhahaa... omfg this gave me a good laugh. THANK YOU

momurda

@dashrender
stackofplates is saying that even after windows says it is up to date, admins need to go into the registry and make changes to registry keys for the update to be fully installed and enabled.

scottalanmiller

@momurda said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@dashrender
stackofplates is saying that even after windows says it is up to date, admins need to go into the registry and make changes to registry keys for the update to be fully installed and enabled.

Right... basically Windows isn't production ready is what I'm hearing. This feels insane.

scottalanmiller

Although Nessus should report that and NOT that they are not patched. Different things.

dbeato

@momurda said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@dashrender
stackofplates is saying that even after windows says it is up to date, admins need to go into the registry and make changes to registry keys for the update to be fully installed and enabled.

That is for hotfixes mostly no general updates...

stacksofplates

@scottalanmiller said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

Although Nessus should report that and NOT that they are not patched. Different things.

It may. I have no idea if that’s what is showing on his and I don’t see the reports for the Eindoes stuff in our environment I just know that was something those guys were complaining about and @irj said the same thing.

Obsolesce

Didn't read through all comments yet but the first thing that comes to mind is this:

Find one of the computers that your software says is fully patched, but the audit says is missing lots of updates. Then run regular Windows update on it to see if Microsoft has any to add to it.

If not, then show the auditor your logs and tell him to FO.

If so, then you know you need to implement WSUS instead of what you are currently using.

Obsolesce

My WSUS guide on SW is still mostly relavant to get you going fast, but you'd need to use https. Easy to do though and I can help ya.

dave247

@tim_g said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

My WSUS guide on SW is still mostly relavant to get you going fast, but you'd need to use https. Easy to do though and I can help ya.

Link? I was just going to follow the Microsoft Technet guide.

dave247

@tim_g said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

Didn't read through all comments yet but the first thing that comes to mind is this:

Find one of the computers that your software says is fully patched, but the audit says is missing lots of updates. Then run regular Windows update on it to see if Microsoft has any to add to it.

If not, then show the auditor your logs and tell him to FO.

HAHA!!

Obsolesce

Not at a PC right now, I'll link it in like 10 mins.

dbeato

@dave247 said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@tim_g said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

My WSUS guide on SW is still mostly relavant to get you going fast, but you'd need to use https. Easy to do though and I can help ya.

Link? I was just going to follow the Microsoft Technet guide.

https://community.spiceworks.com/how_to/133316-how-to-control-windows-10-and-server-2016-updates-with-wsus

Obsolesce

He beat me to it.

Dashrender

@stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@dashrender said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@momurda said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@stacksofplates Is there a list somewhere of what registry changes need to be made on each computer after installing these patches from MS? It certainly isnt mentioned in WSUS or Windows Update. I thought that was the point of the constant rebooting.

I’d have to dig through their logs. That’s why they were so surprised. It’s not listed anywhere but these reg entries needed added or modified.

OR Nessus needs to find another way to verify that the patch is installed.

That’s not how it verifies. There were strings in keys that needed modified. Like one string had a space that needed quoted because it created some vulnerability without quotes. I’ll have to talk with some of those guys and get some examples since I don’t do anything with Windows.

In that case, wouldn't that mean it's not really patched? And therefore another patch is needed to fix the original patch?

Dashrender

@scottalanmiller said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

Although Nessus should report that and NOT that they are not patched. Different things.

Well, if it's still vulnerable without this change - then I'd say it's not patched. But I do agree that it should be a bit more specific.

scottalanmiller

@dashrender said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@scottalanmiller said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

Although Nessus should report that and NOT that they are not patched. Different things.

Well, if it's still vulnerable without this change - then I'd say it's not patched. But I do agree that it should be a bit more specific.

A broken patch isn't the same as unpatched.

Emad R

@dave247 said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@emad-r said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@dave247

Hi,

I came across many Third party tools to manage deploying updates on Windows but what I learned that you always need to double check, usually there is personnel in IT that does this called service desk (SD) that does this, in big IT company we have 3 teams:

Core Team (patching,storage,virtualization)
Network Team (VPN,network,)
SD (checkup on work of others, ticket handling, some patching, fixing some things that cannot be automated in scripts)

since your a lone wolf, and you had this review lately from your auditor, what you need to do is quickly come up with systematic plan to approach deploying updates.

And do you really manage 150 VMs ? OSes ? Systems ? that sounds abit off with person with your experience in IT, usually system admins manage that amount, and that needs ~5 years in IT experience.

So back to your issue, what is your current way of handling and verifying updates ?
How many are the systems that you manage ? and what are there OSes ? are they virtualized ? or workstations ?

How about researching more about Saltstack (SS), it is good way to manage Windows I have written a guide with examples, especially if your machines are all connected in LAN, or most of them.
There is nothing you cant do really with SS but it is free and dont have GUI you need to spend time and learn it.

https://mangolassi.it/topic/14253/saltstack-windows-playbooks/7

And it is normal for AV to be hard to uninstall, they kinda protect the PC by defending their process and services in hard fashion, however I think there is an option in Kaspersky called self-defense, and if you disabled this, you can uninstall it easily:
https://support.kaspersky.com/12161

My Top advice, the more you move your windows servers to Linux the more you relax in the future, and stop worrying, especially when it comes to deploying updates, did you know that Ubuntu Server Linux current update mechanism that it auto-installs security updates and you simply have to reboot the server every once in while, and that can be scheduled.

Also always RDP or VNC into that machine and double check that updates are successful and the services are started, you can consider using monitoring system.

But again it seems someone is over taxing you to be honest, I would sit back and plan using tools and many things, then when it is time for action I would request helpers even as a daily worker for day or 2, and have them each take 50 machines each and install Salt Minion on them for example , after I have setup salt master correctly and test it . And from there you can start really managing those machines.

Thanks... I am the sysadmin/IT administrator here. I manage about 15 VMs with vSphere and then we have about 15 physical servers. I am slowly virtualizing what I can as we go. I also have about 40 thin clients and 30 or so Windows 7 (and a few Windows 10) desktops.

Since you said thin clients, if those people just want browser, like I have some thin clients that just needs chrome web browser updated. you can get away with linux OS for them and make your life easier for my thin clients I went with Fedora LXDE spin.

And did you also came to the conclusion that Windows 10 is crap compared to 7 ? I DID hehe.

IRJ

Even Microsoft themselves tell you that you are still vulnerable if you don't make the reg changes. If you carefully read the security bulletins released by MS you'd see that