    Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?

    • Obsolesce

      My WSUS guide on SW is still mostly relevant to get you going fast, but you'd need to use https. Easy to do though and I can help ya.

      • dave247 @Obsolesce

        @tim_g said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

        My WSUS guide on SW is still mostly relevant to get you going fast, but you'd need to use https. Easy to do though and I can help ya.

        Link? I was just going to follow the Microsoft Technet guide.

        • dave247 @Obsolesce

          @tim_g said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

          Didn't read through all comments yet but the first thing that comes to mind is this:

          Find one of the computers that your software says is fully patched, but the audit says is missing lots of updates. Then run regular Windows update on it to see if Microsoft has any to add to it.

          If not, then show the auditor your logs and tell him to FO.

          HAHA!!

          • Obsolesce

            Not at a PC right now, I'll link it in like 10 mins.

            • dbeato @dave247

              @dave247 said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

              @tim_g said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

              My WSUS guide on SW is still mostly relevant to get you going fast, but you'd need to use https. Easy to do though and I can help ya.

              Link? I was just going to follow the Microsoft Technet guide.

              https://community.spiceworks.com/how_to/133316-how-to-control-windows-10-and-server-2016-updates-with-wsus

              • Obsolesce

                He beat me to it.

                • Dashrender @stacksofplates

                  @stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

                  @dashrender said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

                  @stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

                  @momurda said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

                  @stacksofplates Is there a list somewhere of what registry changes need to be made on each computer after installing these patches from MS? It certainly isn't mentioned in WSUS or Windows Update. I thought that was the point of the constant rebooting.

                  I’d have to dig through their logs. That’s why they were so surprised. It’s not listed anywhere, but these reg entries needed to be added or modified.

                  OR Nessus needs to find another way to verify that the patch is installed.

                  That’s not how it verifies. There were strings in keys that needed to be modified. Like one string had a space that needed to be quoted because it created some vulnerability without quotes. I’ll have to talk with some of those guys and get some examples since I don’t do anything with Windows.

                  In that case, wouldn't that mean it's not really patched? And therefore another patch is needed to fix the original patch?

                  • Dashrender @scottalanmiller

                    @scottalanmiller said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

                    Although Nessus should report that and NOT that they are not patched. Different things.

                    Well, if it's still vulnerable without this change - then I'd say it's not patched. But I do agree that it should be a bit more specific.

                    • scottalanmiller @Dashrender

                      @dashrender said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

                      @scottalanmiller said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

                      Although Nessus should report that and NOT that they are not patched. Different things.

                      Well, if it's still vulnerable without this change - then I'd say it's not patched. But I do agree that it should be a bit more specific.

                      A broken patch isn't the same as unpatched.

                      • Emad R @dave247

                        @dave247 said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

                        @emad-r said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

                        @dave247

                        Hi,

                        I came across many third-party tools to manage deploying updates on Windows, but what I learned is that you always need to double check. Usually there is personnel in IT that does this, called the service desk (SD); in a big IT company we have 3 teams:

                        Core Team (patching, storage, virtualization)
                        Network Team (VPN, network)
                        SD (checkup on work of others, ticket handling, some patching, fixing some things that cannot be automated in scripts)

                        Since you're a lone wolf, and you had this review lately from your auditor, what you need to do is quickly come up with a systematic plan to approach deploying updates.

                        And do you really manage 150 VMs? OSes? Systems? That sounds a bit off for a person with your experience in IT; usually system admins manage that amount, and that needs ~5 years of IT experience.

                        So back to your issue, what is your current way of handling and verifying updates?
                        How many are the systems that you manage? And what are their OSes? Are they virtualized? Or workstations?

                        How about researching more about SaltStack (SS)? It is a good way to manage Windows; I have written a guide with examples, especially if your machines are all connected in the LAN, or most of them.
                        There is nothing you can't do really with SS, but it is free and doesn't have a GUI; you need to spend time and learn it.

                        https://mangolassi.it/topic/14253/saltstack-windows-playbooks/7

                        And it is normal for AV to be hard to uninstall; they kinda protect the PC by defending their process and services in a hard fashion. However, I think there is an option in Kaspersky called self-defense, and if you disable this, you can uninstall it easily:
                        https://support.kaspersky.com/12161

                        My top advice: the more you move your Windows servers to Linux, the more you relax in the future and stop worrying, especially when it comes to deploying updates. Did you know that Ubuntu Server Linux's current update mechanism auto-installs security updates and you simply have to reboot the server every once in a while, and that can be scheduled?

                        Also always RDP or VNC into that machine and double check that updates are successful and the services are started; you can consider using a monitoring system.

                        But again it seems someone is over-taxing you, to be honest. I would sit back and plan using tools and many things, then when it is time for action I would request helpers, even as a daily worker for a day or 2, and have them each take 50 machines and install Salt Minion on them, for example, after I have set up the Salt master correctly and tested it. And from there you can start really managing those machines.

                        Thanks... I am the sysadmin/IT administrator here. I manage about 15 VMs with vSphere and then we have about 15 physical servers. I am slowly virtualizing what I can as we go. I also have about 40 thin clients and 30 or so Windows 7 (and a few Windows 10) desktops.

                        Since you said thin clients: if those people just want a browser, like I have some thin clients that just need the Chrome web browser updated, you can get away with a Linux OS for them and make your life easier. For my thin clients I went with the Fedora LXDE spin.

                        And did you also come to the conclusion that Windows 10 is crap compared to 7? I DID hehe.

                        • IRJ

                          Even Microsoft themselves tell you that you are still vulnerable if you don't make the reg changes. If you carefully read the security bulletins released by MS you'd see that.

                          • IRJ

                            Nessus works off CVEs, not patches. Read the CVE and you will see patching is only part of the solution.

                            • IRJ @Dashrender

                              @dashrender said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

                              @stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

                              @momurda said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

                              @stacksofplates Is there a list somewhere of what registry changes need to be made on each computer after installing these patches from MS? It certainly isn't mentioned in WSUS or Windows Update. I thought that was the point of the constant rebooting.

                              I’d have to dig through their logs. That’s why they were so surprised. It’s not listed anywhere, but these reg entries needed to be added or modified.

                              OR Nessus needs to find another way to verify that the patch is installed.

                              It looks at the attack surface of the CVE itself. Auditing patches can be done easily through PowerShell; Nessus looks specifically for vulnerabilities.

                              • scottalanmiller @IRJ

                                @irj said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

                                @dashrender said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

                                @stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

                                @momurda said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

                                @stacksofplates Is there a list somewhere of what registry changes need to be made on each computer after installing these patches from MS? It certainly isn't mentioned in WSUS or Windows Update. I thought that was the point of the constant rebooting.

                                I’d have to dig through their logs. That’s why they were so surprised. It’s not listed anywhere, but these reg entries needed to be added or modified.

                                OR Nessus needs to find another way to verify that the patch is installed.

                                It looks at the attack surface of the CVE itself. Auditing patches can be done easily through PowerShell; Nessus looks specifically for vulnerabilities.

                                Then it should list vulnerabilities, not missing patches. That just makes it wrong.

                                • scottalanmiller @IRJ

                                  @irj said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

                                  Nessus works off CVEs, not patches. Read the CVE and you will see patching is only part of the solution.

                                  The question here is about patching, not securing.

                                  • IRJ @scottalanmiller

                                    @scottalanmiller said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

                                    @irj said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

                                    @dashrender said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

                                    @stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

                                    @momurda said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

                                    @stacksofplates Is there a list somewhere of what registry changes need to be made on each computer after installing these patches from MS? It certainly isn't mentioned in WSUS or Windows Update. I thought that was the point of the constant rebooting.

                                    I’d have to dig through their logs. That’s why they were so surprised. It’s not listed anywhere, but these reg entries needed to be added or modified.

                                    OR Nessus needs to find another way to verify that the patch is installed.

                                    It looks at the attack surface of the CVE itself. Auditing patches can be done easily through PowerShell; Nessus looks specifically for vulnerabilities.

                                    Then it should list vulnerabilities, not missing patches. That just makes it wrong.

                                    Not sure what you mean here. Nessus is a vulnerability scanner.

                                    The OP is confused because Tenable uses the name MS1503 for the vulnerability as it is related to patch MS1503. The CVE is named something different. Would you rather have a list of friendly names or CVEs that mean nothing to you?

                                    • IRJ @scottalanmiller

                                      @scottalanmiller said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

                                      Nessus is proprietary, something that doesn't fit with a security audit very well. I'd question the veracity of an auditing tool.

                                      Here is how it works. Every CVE is given a specific plugin from Nessus or any other vulnerability scanner. You can easily read the script yourself if you're worried it's inaccurate. What's proprietary is the delivery and the scanning itself.

                                      OpenVAS performance-wise is terrible compared to Nessus, although the scan results are similar. OpenVAS does not scale well.

                                      • IRJ @scottalanmiller

                                        @scottalanmiller said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

                                        @irj said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

                                        Nessus works off CVEs, not patches. Read the CVE and you will see patching is only part of the solution.

                                        The question here is about patching, not securing.

                                        Then Nessus is the wrong tool, as it is a vulnerability scanner, not a patch auditor. If you want to audit patches, use PowerShell.

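The thread keeps circling one distinction: a KB being installed (what Windows Update, WSUS and `Get-HotFix` report) versus the vulnerability actually being closed (what a CVE-driven scanner checks, which for some bulletins also requires a registry setting). The PowerShell below is an added example, not code from anyone in this thread, that reconciles the two views on a single host: it lists expected KBs that are absent and, separately, checks that any registry settings the bulletin calls for are present with the expected value. The KB numbers and the registry path, value name and expected value are placeholders constructed for illustration; the real ones come from the Microsoft security bulletin or CVE advisory for the finding in question.

```powershell
# Added example (not from the thread): reconcile "patch installed" with
# "mitigation configured" on one Windows host. All KB numbers and registry
# settings below are PLACEHOLDERS constructed for illustration; replace them
# with the values named in the relevant Microsoft bulletin / CVE advisory.

# Placeholder KBs the scanner report says should be present (constructed).
$ExpectedKBs = @('KB0000001', 'KB0000002')

# Placeholder registry settings the bulletin requires in addition to the KB
# (constructed path/name/value; not a real Microsoft key).
$RequiredRegistry = @(
    @{ Path = 'HKLM:\SOFTWARE\Example\Placeholder'; Name = 'ExampleSetting'; Expected = 1 }
)

function Get-MissingHotfix {
    # Returns the expected KB IDs that Win32_QuickFixEngineering does not list.
    param(
        [Parameter(Mandatory)][string[]]$Expected,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $installed = Get-HotFix -ComputerName $ComputerName |
        Select-Object -ExpandProperty HotFixID
    $Expected | Where-Object { $_ -notin $installed }
}

function Test-RegistryMitigation {
    # Emits one object per required setting with its actual value and a
    # Compliant flag; a missing key or value is non-compliant, not an error.
    param([Parameter(Mandatory)][hashtable[]]$Checks)
    foreach ($c in $Checks) {
        $actual = $null
        if (Test-Path -Path $c.Path) {
            $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $actual = $item.($c.Name) }
        }
        [pscustomobject]@{
            Path      = $c.Path
            Name      = $c.Name
            Expected  = $c.Expected
            Actual    = $actual
            Compliant = ($null -ne $actual) -and ($actual -eq $c.Expected)
        }
    }
}

$missing      = @(Get-MissingHotfix -Expected $ExpectedKBs)
$regState     = Test-RegistryMitigation -Checks $RequiredRegistry
$nonCompliant = @($regState | Where-Object { -not $_.Compliant })

# Only "KB present AND setting present" counts as remediated. "KB present,
# setting absent" is exactly the state the thread describes: the patch tool
# says patched, the vulnerability scanner still flags the host.
$status = if ($missing.Count -eq 0 -and $nonCompliant.Count -eq 0) { 'Remediated' }
          elseif ($missing.Count -eq 0) { 'Patched, mitigation not configured' }
          else { 'Missing patches' }

[pscustomobject]@{
    Computer             = $env:COMPUTERNAME
    MissingKBs           = ($missing -join ', ')
    RegistryNonCompliant = (($nonCompliant | ForEach-Object { "$($_.Path)\$($_.Name)" }) -join ', ')
    Status               = $status
}
```

Two caveats when using this to argue with a scan report. `Get-HotFix` reflects what the QFE store says was installed, not whether the fix is effective, so a host can appear fully patched here and still be correctly flagged by a CVE-based check. Conversely, a scanner finding labelled with a bulletin or KB name may be satisfied by a later superseding update that is not in `$ExpectedKBs`, so a "missing" KB in this output is a prompt to read the advisory, not proof that the host is exposed.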
                                        • Obsolesce

                                          You'd think they would be running OpenVAS or SCAP or something similar instead of just scanning for patches that may or may not apply to the server...

                                          • IRJ @Obsolesce

                                            @tim_g said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

                                            You'd think they would be running OpenVAS or SCAP or something similar instead of just scanning for patches that may or may not apply to the server...

                                            What are you talking about? It only runs applicable scripts. Nessus is much better than either of those solutions.
