Nessus Scan

Hi Experts,

We have deployed a new Windows 2012 R2 DC. We have done a complete patch cycle using Windows Update and have now done a complete scan and remediation using GFI LanGuard, and all is clean. Just to confirm our results we then ran a full Nessus scan against the new DC, and Nessus comes back with vulnerabilities; the most notable is a critical finding for missing KB4025336.

When I try to download the KB and install it using the Windows catalog service I receive "this update is not applicable to your computer", and GFI, Microsoft Security Baseliner and Windows Update do not record it as missing. Looking at the Windows updates it is not listed as installed, so I am not sure if it is superseded, but if so I thought Nessus would not see the patch as missing?

We have security audits in the industry we are in and the auditor uses Nessus, so we can't ignore the findings from the Nessus scan.

Thanks
talltree asked:

btan, Exec Consultant, commented:
It is either missing KB4025333 (the security-only update) or the cumulative KB4025336 that needs to be installed. You should try the KB4025333 catalog download to see if it is also flagged as not applicable.

To clarify also, the monthly rollup is cumulative, so if you have the Dec monthly rollup it will supersede the past rollups too. The security-only update is only for a given month and is applicable to the affected machine only. See the definitions at https://support.microsoft.com/en-us/help/824684/description-of-the-standard-terminology-that-is-used-to-describe-micro
In short, you need at least either the latest Dec monthly rollup, or show that at minimum the security-only updates are installed. Here is a visual drawing from MS for understanding the December Update Supersedence Relationships: https://blogs.technet.microsoft.com/configmgrdogs/2016/12/07/update-to-supersedence-behaviour-for-security-only-and-security-monthly-quality-rollup-updates/

In the KB4025336 article there is a prerequisite (an April 2014 update), as mentioned by the experts. Also, for the security update KB for CVE-2017-8563, you need to set the registry key LdapEnforceChannelBinding to enable the fix for the CVE. You can find out more in the KB article.
0
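A check for the two conditions btan describes (either the security-only KB4025333 or the cumulative KB4025336 present, plus the LdapEnforceChannelBinding value set), as an added PowerShell example that is not part of the thread. It assumes Get-HotFix lists the package on the DC and that the value lives under the NTDS\Parameters key as the Microsoft advisory describes; the function name is made up here.

```powershell
# Added example: confirm a Windows Server 2012 R2 DC has one of the July 2017 updates
# that satisfy the Nessus finding and that the CVE-2017-8563 mitigation is enabled.
# Run elevated on the DC itself. Registry path is the one from the Microsoft
# advisory (assumed here; verify against the KB article).
function Test-July2017LdapHardening {
    param(
        # Any one of these satisfies the finding; append later rollups that supersede them.
        [string[]]$AcceptableKBs = @('KB4025333', 'KB4025336'),
        [string]$NtdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    )

    # Get-HotFix reads Win32_QuickFixEngineering; compare against the accepted IDs.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = @($AcceptableKBs | Where-Object { $installed -contains $_ })

    # $null means the value is absent, i.e. the fix is shipped but not enabled.
    # 1 = enforce channel binding when the client supports it, 2 = always enforce.
    $binding = (Get-ItemProperty -Path $NtdsKey -Name 'LdapEnforceChannelBinding' `
                -ErrorAction SilentlyContinue).LdapEnforceChannelBinding

    [pscustomobject]@{
        PatchPresent   = ($found.Count -gt 0)
        MatchingKB     = ($found -join ',')
        ChannelBinding = $binding
        Compliant      = (($found.Count -gt 0) -and ($null -ne $binding) -and ($binding -ge 1))
    }
}

Test-July2017LdapHardening | Format-List
```

If Get-HotFix does not list the package even though the catalog installer reports it as not applicable, cross-check with `DISM /Online /Get-Packages`, which enumerates the servicing stack's view rather than the QFE list.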
 
Sunil, Technical Specialist - Wintel Operations, commented:
That patch has a dependency of KB2919355.
Try installing this KB2919355 then try to install KB4025336.

If you're still getting the error, have a look at your CBS logs.
0
 
talltree (Author) commented:
Thanks guys.

Great information,

Using btan's solution I applied KB4025333 and then set the registry key LdapEnforceChannelBinding, DWORD 1. Rescanned with Nessus and it does not show as missing.
0
 
btan, Exec Consultant, commented:
Thanks for sharing, glad it helps.
0
Question has a verified solution.
