Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?
-
@momurda said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@stacksofplates Is there a list somewhere of what registry changes need to be made on each computer after installing these patches from MS? It certainly isnt mentioned in WSUS or Windows Update. I thought that was the point of the constant rebooting.
I’d have to dig through their reports. That’s why they were so surprised. It’s not listed anywhere but these reg entries needed added or modified.
-
@stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@scottalanmiller said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@scottalanmiller said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@irj said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
So, I'm guessing you aren't actually missing updates . nessus is probably looking at a reg key entries in addition to windows updates. Quite a few MS updates do requite additional configuration such as reg key changes.
You need to review "plugin output" for each vulnerabilities. This section of the report tells you exactly why you failed the particular check.
You can also view source code of each plugin. The plugins are usually VB or power shell scripts for windows machines.
I remember our Windows guys complaining about this.
Sounds like Nessus is a known broken tool.
?? The patches need manual intervention in the registry. Nessus brought that to light.
It brought what to light? That the patches are failing?
The patches install correctly so it looks like everything is fine, but admins still have to go in and set registry entries. No one realized this because the patches install fine.
Wow, I had no idea that Windows needed that level of manual intervention to get patches working correctly. What a steaming pile it is.
-
@stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@momurda said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@stacksofplates Is there a list somewhere of what registry changes need to be made on each computer after installing these patches from MS? It certainly isnt mentioned in WSUS or Windows Update. I thought that was the point of the constant rebooting.
I’d have to dig through their logs. That’s why they were so surprised. It’s not listed anywhere but these reg entries needed added or modified.
OR Nessus needs to find another way to verify that the patch is installed.
-
@dashrender said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@momurda said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@stacksofplates Is there a list somewhere of what registry changes need to be made on each computer after installing these patches from MS? It certainly isnt mentioned in WSUS or Windows Update. I thought that was the point of the constant rebooting.
I’d have to dig through their logs. That’s why they were so surprised. It’s not listed anywhere but these reg entries needed added or modified.
OR Nessus needs to find another way to verify that the patch is installed.
That’s not how it verifies. There were strings in keys that needed modified. Like one string had a space that needed quoted because it created some vulnerability without quotes. I’ll have to talk with some of those guys and get some examples since I don’t do anything with Windows.
-
@dustinb3403 said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@scottalanmiller said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@dustinb3403 said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@jaredbusch said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
And remember auditors are not IT. Most of them don't know their ass from a hole in the ground.
They just click buttons in the order they are told.
This too is true.
Unfortunately it's now on you to prove that the auditors assessment is flawed, by proving you're systems are secured from the oldest threats.
Not really, put it on them. Ask them to show which things are missing since all patches are applied.
These audits always read as "it's on the customer to prove compliance, not the auditor to prove non-compliance"
Have you ever read one of these contracts from these auditors? They're as bad as the ToC from most big ISPs.
"You have to be available between 3AM and 9PM all of December so we can troubleshoot any cablebox issues"
http://4.images.southparkstudios.com/images/shows/south-park/clip-thumbnails/season-17/1702/south-park-s17e02c05-the-cable-company-runaround-16x9.jpg?quality=0.8aaaaahahahahahahhahaa... omfg this gave me a good laugh. THANK YOU
-
@dashrender
stackofplates is saying that even after windows says it is up to date, admins need to go into the registry and make changes to registry keys for the update to be fully installed and enabled. -
@momurda said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@dashrender
stackofplates is saying that even after windows says it is up to date, admins need to go into the registry and make changes to registry keys for the update to be fully installed and enabled.Right... basically Windows isn't production ready is what I'm hearing. This feels insane.
-
Although Nessus should report that and NOT that they are not patched. Different things.
-
@momurda said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@dashrender
stackofplates is saying that even after windows says it is up to date, admins need to go into the registry and make changes to registry keys for the update to be fully installed and enabled.That is for hotfixes mostly no general updates...
-
@scottalanmiller said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
Although Nessus should report that and NOT that they are not patched. Different things.
It may. I have no idea if that’s what is showing on his and I don’t see the reports for the Eindoes stuff in our environment I just know that was something those guys were complaining about and @irj said the same thing.
-
Didn't read through all comments yet but the first thing that comes to mind is this:
Find one of the computers that your software says is fully patched, but the audit says is missing lots of updates. Then run regular Windows update on it to see if Microsoft has any to add to it.
If not, then show the auditor your logs and tell him to FO.
If so, then you know you need to implement WSUS instead of what you are currently using.
-
My WSUS guide on SW is still mostly relavant to get you going fast, but you'd need to use https. Easy to do though and I can help ya.
-
My WSUS guide on SW is still mostly relavant to get you going fast, but you'd need to use https. Easy to do though and I can help ya.
Link? I was just going to follow the Microsoft Technet guide.
-
Didn't read through all comments yet but the first thing that comes to mind is this:
Find one of the computers that your software says is fully patched, but the audit says is missing lots of updates. Then run regular Windows update on it to see if Microsoft has any to add to it.
If not, then show the auditor your logs and tell him to FO.
HAHA!!
-
Not at a PC right now, I'll link it in like 10 mins.
-
@dave247 said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
My WSUS guide on SW is still mostly relavant to get you going fast, but you'd need to use https. Easy to do though and I can help ya.
Link? I was just going to follow the Microsoft Technet guide.
-
He beat me to it.
-
@stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@dashrender said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@momurda said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@stacksofplates Is there a list somewhere of what registry changes need to be made on each computer after installing these patches from MS? It certainly isnt mentioned in WSUS or Windows Update. I thought that was the point of the constant rebooting.
I’d have to dig through their logs. That’s why they were so surprised. It’s not listed anywhere but these reg entries needed added or modified.
OR Nessus needs to find another way to verify that the patch is installed.
That’s not how it verifies. There were strings in keys that needed modified. Like one string had a space that needed quoted because it created some vulnerability without quotes. I’ll have to talk with some of those guys and get some examples since I don’t do anything with Windows.
In that case, wouldn't that mean it's not really patched? And therefore another patch is needed to fix the original patch?
-
@scottalanmiller said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
Although Nessus should report that and NOT that they are not patched. Different things.
Well, if it's still vulnerable without this change - then I'd say it's not patched. But I do agree that it should be a bit more specific.
-
@dashrender said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@scottalanmiller said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
Although Nessus should report that and NOT that they are not patched. Different things.
Well, if it's still vulnerable without this change - then I'd say it's not patched. But I do agree that it should be a bit more specific.
A broken patch isn't the same as unpatched.