Nessus Scan

Hi Experts,

We have deployed a new Windows 2012 R2 DC. We have done a complete patch cycle using Windows Update and have now done a complete scan and remediation using GFI LanGuard, and all is clean. Just to confirm our results we then ran a full Nessus scan against the new DC, and Nessus comes back with vulnerabilities, the most notable being a critical finding: missing KB4025336.

When I try to download the KB and install it using the Windows Update Catalog, I receive "This update is not applicable to your computer", and GFI, Microsoft Security Baseliner and Windows Update do not record it as missing. Looking at the installed Windows updates it is not listed as installed, so I am not sure if it is superseded, but if so I thought Nessus would not see the patch as missing?

We have security audits in the industry we are in and the auditor uses Nessus, so we can't ignore the findings from the Nessus scan.

Thanks
talltree asked:
Sunil (Technical Specialist - Wintel Operations) commented:
That patch has a dependency of KB2919355.
Try installing this KB2919355 then try to install KB4025336.

If you're still getting the error, have a look at your CBS logs.
btan (Exec Consultant) commented:
It is either the missing KB4025333 (security-only update) or the cumulative KB4025336 that needs to be installed. You should try the KB4025333 catalog download to see if it is also flagged as non-applicable.

To clarify also, the monthly rollup is cumulative, so if you have the Dec monthly rollup, it supersedes the past rollups too. The security-only update is only for a given month and is applicable to the affected machine only. See the definitions at https://support.microsoft.com/en-us/help/824684/description-of-the-standard-terminology-that-is-used-to-describe-micro
In short, you need at least either the latest Dec monthly rollup, or to show that minimally the security-only updates are installed. Here is a visual drawing from MS for understanding the December Update Supersedence Relationships: https://blogs.technet.microsoft.com/configmgrdogs/2016/12/07/update-to-supersedence-behaviour-for-security-only-and-security-monthly-quality-rollup-updates/

In KB4025336 there is a prerequisite (which is an April 2014 update), as mentioned by the experts. Also, for installing the security update KB for CVE-2017-8563, there is a need to set the registry key LdapEnforceChannelBinding to enable the fix for the CVE. You can find out more in the KB article.
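A check for the two points in btan's answer above, the KB state and the LdapEnforceChannelBinding value. This is an added example, not code from the thread or from any participant; it assumes an elevated PowerShell session on the DC and the registry path documented by Microsoft for CVE-2017-8563.

```powershell
# Added verification script (not from the thread). Assumes it runs elevated on the DC
# and that $RegPath is the NTDS parameters key documented for CVE-2017-8563.
$Kbs     = @('KB4025336', 'KB4025333', 'KB2919355')   # cumulative, security-only, prerequisite
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$Meaning = @{ 0 = 'disabled'; 1 = 'enabled when the client supports it'; 2 = 'always enforced' }

function Get-KbState {
    # Reports which of the listed hotfix IDs Windows records as installed.
    param([string[]]$HotFixIds)
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($id in $HotFixIds) {
        [pscustomobject]@{ KB = $id; Installed = ($installed -contains $id) }
    }
}

function Get-LdapChannelBindingState {
    # Reads LdapEnforceChannelBinding; the CVE-2017-8563 fix is inactive until it is set.
    param([string]$Path = $RegPath)
    $item  = Get-ItemProperty -Path $Path -Name 'LdapEnforceChannelBinding' -ErrorAction SilentlyContinue
    $value = $item.LdapEnforceChannelBinding
    if ($null -eq $value)                   { return 'not set (fix not enabled)' }
    if ($Meaning.ContainsKey([int]$value))  { return "$value ($($Meaning[[int]$value]))" }
    return "$value (unexpected value)"
}

$states = Get-KbState -HotFixIds $Kbs
$states | Format-Table -AutoSize

# Either the security-only update or the cumulative rollup satisfies the finding.
$fixInstalled = [bool]($states | Where-Object { $_.KB -in 'KB4025336','KB4025333' -and $_.Installed })
"CVE-2017-8563 update present : $fixInstalled"
"LdapEnforceChannelBinding    : $(Get-LdapChannelBindingState)"
```

Get-HotFix only lists what Win32_QuickFixEngineering records, so a later monthly rollup that supersedes KB4025336 will show its own ID rather than this one; in that case check the newest installed rollup against the supersedence chart linked above.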

talltree (Author) commented:
Thanks guys.

Great information,

Using btan's solution I applied KB4025333 and then set the registry key LdapEnforceChannelBinding, DWORD 1. Rescanned with Nessus and it does not show as missing.
btan (Exec Consultant) commented:
Thanks for sharing, glad it helps.