Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?
-
I work for a financial institution and I've been in IT for only like 1.5 years, so I'm still learning this stuff. We have regular IT audits and such, and now that I'm the only IT guy, I got to sit with the auditor and helped him fully scan our environment with Nessus. Results came back for around 150 systems and there were something like 500 vulnerabilities, 80% of which were missing critical Windows OS patches.
I was pretty shocked because I always stay on top of monthly Windows updates. The auditor says, "well, it says there's some here from as far back as August of 2016" in a condescending tone. I was pretty pissed but just accepted it and let him finish the scan and then I got the full assessment a few weeks later, which I'm now combing through.
So, first of all, I'm wondering... don't Windows OS updates supersede past updates? Meaning, if I miss some critical Windows OS updates for a month or two, but then I get all the critical updates for the following months all the way up until the current time, then those newer updates take the place of those missing updates, meaning I no longer have to worry about those missed patches, correct? I assume the only thing Nessus is seeing is that those individual KBs are not listed in the Windows registry, and therefore it flags them as not installed, despite the fact that it doesn't matter since all updates after those have been faithfully installed.
Other than that, I was thinking: we currently don't use WSUS because when I came on my job here, they had a 3rd party patch and software management tool called DesktopCentral by ManageEngine. That's how I do updates now, and I can view all the missing updates for every system, and all I see are the missing updates for this month and a few for last month (machines that were turned off for weeks).
Additionally, we used to have Kaspersky 8 AV installed which was so unbelievably fucked up... I think it was even managing our Windows updates at one time. Then when I ripped it out of our environment, I had to use their special uninstall tool in safe mode.. so God knows how that messed things up. Some of my servers and computers that used to have Kav can't even run Windows update themselves.
Anyway, I'm hoping someone here has had a similar thing happen so you can maybe give some advice... otherwise, I'll just be knee-deep in manually patching super old updates.
-
Hi,
I came across many third-party tools to manage deploying updates on Windows, but what I learned is that you always need to double check. Usually there is personnel in IT that does this, called the service desk (SD); in a big IT company we have 3 teams:
Core Team (patching, storage, virtualization)
Network Team (VPN, network)
SD (checkup on work of others, ticket handling, some patching, fixing some things that cannot be automated in scripts)
Since you're a lone wolf, and you had this review lately from your auditor, what you need to do is quickly come up with a systematic plan to approach deploying updates.
And do you really manage 150 VMs? OSes? Systems? That sounds a bit off for a person with your experience in IT; usually system admins manage that amount, and that needs ~5 years of IT experience.
So back to your issue, what is your current way of handling and verifying updates?
How many are the systems that you manage? And what are their OSes? Are they virtualized? Or workstations?
How about researching more about Saltstack (SS)? It is a good way to manage Windows. I have written a guide with examples, especially if your machines are all connected in a LAN, or most of them.
There is nothing you can't do really with SS, but it is free and doesn't have a GUI; you need to spend time and learn it.
https://mangolassi.it/topic/14253/saltstack-windows-playbooks/7
And it is normal for AV to be hard to uninstall; they kinda protect the PC by defending their processes and services in a hard fashion. However, I think there is an option in Kaspersky called self-defense, and if you disable this, you can uninstall it easily:
https://support.kaspersky.com/12161
My top advice: the more you move your Windows servers to Linux, the more you relax in the future and stop worrying, especially when it comes to deploying updates. Did you know that Ubuntu Server Linux's current update mechanism auto-installs security updates and you simply have to reboot the server every once in a while, and that can be scheduled?
Also, always RDP or VNC into that machine and double check that updates are successful and the services are started; you can consider using a monitoring system.
But again, it seems someone is overtaxing you, to be honest. I would sit back and plan using tools and many things, then when it is time for action I would request helpers, even as daily workers for a day or 2, and have them each take 50 machines and install Salt Minion on them, for example, after I have set up the Salt master correctly and tested it. And from there you can start really managing those machines.
-
Are you using automatic updates directly to Microsoft or WSUS right now?
-
@dave247 said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
So, first of all, I'm wondering... don't Windows OS updates supersede past updates? Meaning, if I miss some critical Windows OS updates for a month or two, but then I get all the critical updates for the following months all the way up until the current time, then those newer updates take the place of those missing updates, meaning I no longer have to worry about those missed patches, correct? I assume the only thing Nessus is seeing is that those individual KBs are not listed in the Windows registry, and therefore it flags them as not installed, despite the fact that it doesn't matter since all updates after those have been faithfully installed.
Depending on what your update source is, some updates may get installed to catch up. Other solutions may require individual selection and approval of every update. WSUS has different options (I'm sure others do as well) to automatically install critical and zero-day updates.
Other than that, I was thinking: we currently don't use WSUS because when I came on my job here, they had a 3rd party patch and software management tool called DesktopCentral by ManageEngine. That's how I do updates now, and I can view all the missing updates for every system, and all I see are the missing updates for this month and a few for last month (machines that were turned off for weeks).
Might be time to consider WSUS.
Additionally, we used to have Kaspersky 8 AV installed which was so unbelievably fucked up... I think it was even managing our Windows updates at one time. Then when I ripped it out of our environment, I had to use their special uninstall tool in safe mode.. so God knows how that messed things up. Some of my servers and computers that used to have Kav can't even run Windows update themselves.
Might be a good time to simply rebuild those servers from the ground up (as Virtual Machines of course).
Anyway, I'm hoping someone here has had a similar thing happen so you can maybe give some advice... otherwise, I'll just be knee-deep in manually patching super old updates.
I'd recommend using a secondary vulnerability scanner to confirm what was found. You can also check which updates are installed on what systems and go from there. At least it would give you confirmation of any vulnerabilities.
-
And remember auditors are not IT. Most of them don't know their ass from a hole in the ground.
They just click buttons in the order they are told.
-
@jaredbusch said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
And remember auditors are not IT. Most of them don't know their ass from a hole in the ground.
They just click buttons in the order they are told.
This too is true.
Unfortunately it's now on you to prove that the auditor's assessment is flawed, by proving your systems are secured from the oldest threats.
-
@emad-r said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
it is time for action I would request helpers even as a daily worker for day or 2, and have them each take 50 machines each and
What version of Windows?
-
@dave247 said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
Results came back for around 150 systems and there was something like 500 vulnerabilities, 80% of which were missing critical Windows OS patches.
Boy it seems a lot of people read this and assumed this was 150 Servers (I know JB didn't assume this).
What is the breakdown of servers vs desktops?
Windows 10 has had cumulative updates since very early in its life, if not from the very beginning. Windows 7 and 8 (8.1) moved to cumulative updates sometime after Aug 2016. If the missing updates are from before that timeframe on those OSes, they definitely could be missing.
-
@dashrender said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@dave247 said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
Results came back for around 150 systems and there was something like 500 vulnerabilities, 80% of which were missing critical Windows OS patches.
Boy it seems a lot of people read this and assumed this was 150 Servers (I know JB didn't assume this).
What is the breakdown of servers vs desktops?
Windows 10 has had cumulative updates since very early in its life, if not from the very beginning. Windows 7 and 8 (8.1) moved to cumulative updates sometime after Aug 2016. If the missing updates are from before that timeframe on those OSes, they definitely could be missing.
I didn't assume that either...
-
@dave247 said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
Additionally, we used to have Kaspersky 8 AV installed which was so unbelievably fucked up... I think it was even managing our Windows updates at one time. Then when I ripped it out of our environment, I had to use their special uninstall tool in safe mode.. so God knows how that messed things up. Some of my servers and computers that used to have Kav can't even run Windows update themselves.
In a situation like that, did you look at creating a clean image and rolling that out instead? That would get you to a known good state and clear out any old crap. Sure, it's a hassle too (making sure people don't have stuff saved locally), but it's also a good time to make sure people are saving their stuff to the network/cloud shares.
-
@dbeato said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
I didn't assume that either...
-
@dashrender said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@dave247 said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
Results came back for around 150 systems and there was something like 500 vulnerabilities, 80% of which were missing critical Windows OS patches.
Boy it seems a lot of people read this and assumed this was 150 Servers (I know JB didn't assume this).
What is the breakdown of servers vs desktops?
Windows 10 has had cumulative updates since very early in its life, if not from the very beginning. Windows 7 and 8 (8.1) moved to cumulative updates sometime after Aug 2016. If the missing updates are from before that timeframe on those OSes, they definitely could be missing.
The Cumulative Update for Windows 7 covered the old updates as well, but what might be missing are the security updates that are separate from the Cumulative on Windows 7 and 8.
-
Why would anyone assume it was 150 servers?
WSUS hits desktops and servers equally. . .
-
@dustinb3403 said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
Why would anyone assume it was 150 servers?
WSUS hits desktops and servers equally. . .
Not sure why... I have about 10-15 servers and 200 clients, all with WSUS.
-
@dbeato said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
Are you using automatic updates directly to Microsoft or WSUS right now?
In my original email, I say I am using a 3rd party software tool named DesktopCentral. It is a pretty nice tool as it has a load of inventory and management features which I've been learning for over a year now. However, I am in the works of setting up WSUS on a server to see how well that works in comparison.
-
@emad-r said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
Hi,
I came across many third-party tools to manage deploying updates on Windows, but what I learned is that you always need to double check. Usually there is personnel in IT that does this, called the service desk (SD); in a big IT company we have 3 teams:
Core Team (patching, storage, virtualization)
Network Team (VPN, network)
SD (checkup on work of others, ticket handling, some patching, fixing some things that cannot be automated in scripts)
Since you're a lone wolf, and you had this review lately from your auditor, what you need to do is quickly come up with a systematic plan to approach deploying updates.
And do you really manage 150 VMs? OSes? Systems? That sounds a bit off for a person with your experience in IT; usually system admins manage that amount, and that needs ~5 years of IT experience.
So back to your issue, what is your current way of handling and verifying updates?
How many are the systems that you manage? And what are their OSes? Are they virtualized? Or workstations?
How about researching more about Saltstack (SS)? It is a good way to manage Windows. I have written a guide with examples, especially if your machines are all connected in a LAN, or most of them.
There is nothing you can't do really with SS, but it is free and doesn't have a GUI; you need to spend time and learn it.
https://mangolassi.it/topic/14253/saltstack-windows-playbooks/7
And it is normal for AV to be hard to uninstall; they kinda protect the PC by defending their processes and services in a hard fashion. However, I think there is an option in Kaspersky called self-defense, and if you disable this, you can uninstall it easily:
https://support.kaspersky.com/12161
My top advice: the more you move your Windows servers to Linux, the more you relax in the future and stop worrying, especially when it comes to deploying updates. Did you know that Ubuntu Server Linux's current update mechanism auto-installs security updates and you simply have to reboot the server every once in a while, and that can be scheduled?
Also, always RDP or VNC into that machine and double check that updates are successful and the services are started; you can consider using a monitoring system.
But again, it seems someone is overtaxing you, to be honest. I would sit back and plan using tools and many things, then when it is time for action I would request helpers, even as daily workers for a day or 2, and have them each take 50 machines and install Salt Minion on them, for example, after I have set up the Salt master correctly and tested it. And from there you can start really managing those machines.
Thanks... I am the sysadmin/IT administrator here. I manage about 15 VMs with vSphere and then we have about 15 physical servers. I am slowly virtualizing what I can as we go. I also have about 40 thin clients and 30 or so Windows 7 (and a few Windows 10) desktops.
-
@dashrender said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@dave247 said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
Additionally, we used to have Kaspersky 8 AV installed which was so unbelievably fucked up... I think it was even managing our Windows updates at one time. Then when I ripped it out of our environment, I had to use their special uninstall tool in safe mode.. so God knows how that messed things up. Some of my servers and computers that used to have Kav can't even run Windows update themselves.
In a situation like that, did you look at creating a clean image and rolling that out instead? That would get you to a known good state and clear out any old crap. Sure, it's a hassle too (making sure people don't have stuff saved locally), but it's also a good time to make sure people are saving their stuff to the network/cloud shares.
Yeah, I've considered it, but I honestly don't know how that would work here since we have a large mix of Dell desktop models as well as custom computer builds (previous sysadmins liked to order parts from NewEgg and build users' expensive computers). I can't just make a single image... I would have to make about 20 different images, and some of them I would only use once...
When I redo computers, I usually just put a new SSD in (if needed) and then manually install Windows and all the applications we need. I've done it enough times now that it only takes me like 20 minutes, minus the wait for Windows to get updated.
-
So, I'm guessing you aren't actually missing updates. Nessus is probably looking at registry key entries in addition to Windows updates. Quite a few MS updates do require additional configuration such as registry key changes.
You need to review the "plugin output" for each vulnerability. This section of the report tells you exactly why you failed the particular check.
You can also view the source code of each plugin. The plugins are usually VB or PowerShell scripts for Windows machines.
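As an added example (not code from any post in this thread), here is one way to do what the last two replies and the earlier suggestion to "check which updates are installed on what systems" both point at: take the KB numbers a scanner flagged and reconcile them on the host itself, using Get-HotFix (the same installed-hotfix data a registry/WMI check sees) and the Windows Update Agent COM API (Microsoft.Update.Session) for what the agent still considers missing versus what it has already applied. The KB list is a constructed sample; the script assumes it runs elevated on the host in question and that the host can reach its update source (WSUS or Microsoft).

```powershell
# Added example, not from the thread. Reconcile a scanner's "missing KB" findings
# against the host's own view of its patch state.
# Assumptions: run elevated on the host being checked; the Windows Update service is
# reachable; $ScannerFindings is a constructed sample standing in for the KB numbers
# copied out of the scanner report's plugin output.

function Test-ScannerFindings {
    param(
        [string[]]$ScannerFindings = @('KB3185330', 'KB4012212', 'KB4499164')  # constructed sample
    )

    # 1. Hotfixes registered on the box (Win32_QuickFixEngineering). This is roughly
    #    what a registry/WMI-based "is KB installed" check sees.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

    # 2. Ask the Windows Update Agent which applicable updates are still not installed.
    #    A KB absent from this list is one WUA considers installed, superseded, or not
    #    applicable to this OS build.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0")
    $wuaMissing = @{}
    foreach ($u in $result.Updates) {
        foreach ($kb in $u.KBArticleIDs) { $wuaMissing["KB$kb"] = $u.Title }
    }

    # 3. WUA install history. Cumulative updates can cover an old KB without that KB
    #    ever appearing in Get-HotFix, so the history shows what actually ran.
    $count   = $searcher.GetTotalHistoryCount()
    $history = if ($count -gt 0) { $searcher.QueryHistory(0, $count) } else { @() }
    $historyKBs = @{}
    foreach ($h in $history) {
        # ResultCode 2 = orcSucceeded
        if ($h.ResultCode -eq 2 -and $h.Title -match 'KB(\d+)') {
            $historyKBs["KB$($Matches[1])"] = $h.Title
        }
    }

    # 4. Put each finding in one of four buckets.
    foreach ($kb in $ScannerFindings) {
        $status =
            if ($installed -contains $kb)         { 'INSTALLED (Get-HotFix)' }
            elseif ($historyKBs.ContainsKey($kb)) { 'INSTALLED (WUA history)' }
            elseif ($wuaMissing.ContainsKey($kb)) { 'CONFIRMED MISSING: ' + $wuaMissing[$kb] }
            else { 'NOT OFFERED BY WUA (superseded or not applicable) - compare with plugin output' }
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; KB = $kb; Status = $status }
    }
}

# Usage: paste the KB numbers from the scanner report in place of the sample list.
Test-ScannerFindings | Format-Table -AutoSize
```

The interesting bucket is the last one: a KB that the scanner flags but that WUA neither lists as missing nor has ever installed by name. That is the superseded-update case the original question describes, and the only way to settle it is the plugin output, which states the file version or registry value the check compared against. Findings that land in "CONFIRMED MISSING" are real gaps regardless of what the patch tool's console shows. The WUA search can take several minutes on a host that has not synced recently, and on machines whose Windows Update client is broken (as the Kaspersky-era boxes in the thread may be) the COM calls will throw, which is itself a useful signal.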
-
Nessus is proprietary, something that doesn't fit with a security audit very well. I'd question the veracity of an auditing tool that we can't audit.
-
@dustinb3403 said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@jaredbusch said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
And remember auditors are not IT. Most of them don't know their ass from a hole in the ground.
They just click buttons in the order they are told.
This too is true.
Unfortunately it's now on you to prove that the auditor's assessment is flawed, by proving your systems are secured from the oldest threats.
Not really, put it on them. Ask them to show which things are missing since all patches are applied.