PCI Scan- Microsoft Security Bulletin MS10-040 and KB982666

I just received a failure on our PCI scan and one of the failures was for KB982666.  We have SBS 2011 Standard 64bit SP1 and the WSUS server shows that I do not need that security update.  But if you read the bulletin it says I don't and that I do.

"Is my computer vulnerable if I have not installed KB973917?
Systems running supported editions of Windows Server 2003, Windows Vista, and Windows Server 2008 that do not have KB973917 installed are not vulnerable. Systems running supported editions of Windows 7 and Windows Server 2008 R2 are vulnerable."

And actually there were 4 security bulletins that were given for the failure, and our server shows that all the KB security updates in them are not needed.  I am not sure if I should be downloading these manually and installing them.  Any suggestions?
gseales (Production Manager) asked.

btan (Exec Consultant) commented:
The scanner is probably just doing due diligence to check the currency and completeness of the various OS security patches applied on your target server. Not all scan findings can be true positives, hence the need to make an assessment of the relevance and impact of the findings. In this KB, it applies to IIS, and if the server doesn't even have IIS then it is not relevant at all.

Having said that, the point is trust but verify. In this KB, it is supposed to have Extended Protection enabled, which is supposed to enhance IIS security. When MS says that it is not applicable or not "affected", it is on the basis that this feature is disabled, hence not "affected". So if you look at KB973917, you can verify from the registry whether it is enabled or disabled, just to confirm. Then again, if this is disabled, it also means the server is subject to other forms of attack like man in the middle, etc., which Extended Protection is supposed to prevent and protect against.

For other false positives, if deemed so, it is always best to verify again. But passing the PCI scan does not ascertain that the state of the server is secure either. So it is still best to have the latest patches applied as well (my personal view).
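One way to do the verification btan describes (confirm whether the flagged hotfixes are present, then read the Extended Protection settings), as an added example that is not code from the thread or from Microsoft. The LSA value name (SuppressExtendedProtection, from KB968389) and the IIS configuration path for tokenChecking (from KB973917) are assumptions recalled from those articles, so check them against the KBs before relying on the output.

```powershell
# Added example for a Windows Server 2008 R2 / SBS 2011 host; run elevated on
# the server itself. Value names and paths are assumptions (see lead-in).

function Get-HotfixState {
    # Report whether each KB the scanner flagged is actually installed.
    param([string[]]$KbIds = @('KB982666', 'KB973917'))
    foreach ($kb in $KbIds) {
        $hf = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            KB          = $kb
            Installed   = [bool]$hf
            InstalledOn = $(if ($hf) { $hf.InstalledOn } else { $null })
        }
    }
}

function Get-ExtendedProtectionState {
    # System-wide LSA switch (assumed, KB968389): absent or 0 means Extended
    # Protection is in effect; a non-zero value suppresses it.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -ErrorAction SilentlyContinue
    $suppress = $lsa.SuppressExtendedProtection
    New-Object PSObject -Property @{
        Scope   = 'LSA'
        Setting = 'SuppressExtendedProtection'
        Value   = $(if ($suppress -eq $null) { 'absent (default)' } else { $suppress })
    }

    # IIS side (assumed, KB973917): tokenChecking is None (disabled), Allow or
    # Require. Report the server default and the effective value per site.
    Import-Module WebAdministration -ErrorAction Stop
    $filter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
    $paths  = @('IIS:\') + (Get-ChildItem 'IIS:\Sites' | ForEach-Object { "IIS:\Sites\$($_.Name)" })
    foreach ($p in $paths) {
        $ep = Get-WebConfiguration -PSPath $p -Filter $filter
        New-Object PSObject -Property @{
            Scope   = $p
            Setting = 'extendedProtection.tokenChecking'
            Value   = $ep.tokenChecking
        }
    }
}

Get-HotfixState | Format-Table KB, Installed, InstalledOn -AutoSize
Get-ExtendedProtectionState | Format-Table Scope, Setting, Value -AutoSize
```

If the IIS role is not installed, Import-Module WebAdministration will fail, which is itself the answer: the IIS-specific finding does not apply to that server.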