12 Replies Latest reply: Apr 10, 2012 6:04 PM by Dave Breslin

Using WSUS with SecurityCenter

Novice

Hi,

I am trying to query the WSUS server to verify which patches aren't installed on a host. I followed the URL below, but when I look at my results, it's blank (nothing at all). What am I doing wrong? I appreciate any advice.

http://blog.tenablesecurity.com/2011/12/wsus-patch-management-and-nessus.html

These are my SecurityCenter WSUS Server Settings:

WSUS Server = XXX.XXX.XXX.XXX
WSUS port = 8525
WSUS Username = domain/user
WSUS password = XXXXX

Thanks

  • Re: Using WSUS with SecurityCenter
    Guru

    soccer05 wrote:

    Hi,

    I am trying to query the WSUS server to verify which patches aren't installed on a host. I followed the URL below, but when I look at my results, it's blank (nothing at all). What am I doing wrong? I appreciate any advice.

    http://blog.tenablesecurity.com/2011/12/wsus-patch-management-and-nessus.html

    These are my SecurityCenter WSUS Server Settings:

    WSUS Server = XXX.XXX.XXX.XXX
    WSUS port = 8525
    WSUS Username = domain/user
    WSUS password = XXXXX

    Thanks

    Have you tried the support document for this? http://static.tenable.com/documentation/Patch_Management_Integration.pdf

    There are some plugins to ensure you have enabled, and, not doubting that your service port could be 8525, the document seems to indicate 443 or 80 is more common.

    Regards,

    Dave

  • Re: Using WSUS with SecurityCenter
    Guru

    soccer05 wrote:

    Hi,

    I am trying to query the WSUS server to verify which patches aren't installed on a host. I followed the URL below, but when I look at my results, it's blank (nothing at all). What am I doing wrong? I appreciate any advice.

    http://blog.tenablesecurity.com/2011/12/wsus-patch-management-and-nessus.html

    These are my SecurityCenter WSUS Server Settings:

    WSUS Server = XXX.XXX.XXX.XXX
    WSUS port = 8525
    WSUS Username = domain/user
    WSUS password = XXXXX

    Thanks

    Does the WSUS server listening on port 8525 in this case use TLSv1 to encrypt traffic? If so, you need to check the "SSL" preference.

    George

    • Re: Using WSUS with SecurityCenter
      Novice

      Hello,

      We are experiencing a similar issue with Nessus Scanner tying into our WSUS. We have followed the Nessus PDF guide on WSUS patch management, and our WSUS server is working correctly on default port 80. We have enabled several 2012 patch plugins (none of which have yet been 'approved' in WSUS), as well as 57031, 57032, and 58133.

      When we scan a Windows host in a domain other than where the WSUS server is located, the report seems to correctly report that there are no missing unauthorized patches; the 'sanity check' plugin 58133 is the only item that shows up when we run this minimal Nessus scan for WSUS.

      However, when we run the same scan against a Windows host in the *same* domain as WSUS, it shows the 2012 Microsoft patches as missing, even though none of those patches have yet been authorized.

      We did *not* put any domain credentials into this Nessus policy - only the WSUS credentials.

      Please advise what we are doing wrong, since this tie-in to WSUS to see missing patches that were approved is very important to us.

      Thanks,

      Natalie

      • Re: Using WSUS with SecurityCenter
        Guru

        globalfrog wrote:

        However, when we run the same scan against a Windows host in the *same* domain as WSUS, it shows the 2012 Microsoft patches as missing, even though none of those patches have yet been authorized.

        Thanks,

        Natalie

        Hi Natalie,

        I don't have a solution for you, but I am going through a learning curve myself, so you might be able to help me. This is a Microsoft quote:

        After updates have been synchronized to your WSUS server, you must approve them to initiate a deployment action. When you approve an update, you are essentially telling WSUS what to do with it (for example, your choices are Install, Detect only, Remove, or Decline update). When approving an update, you specify a default approval setting for the All Computers group, and any necessary settings for each computer group in the Approve Updates dialog box. If you do not approve an update, its approval status remains Not approved and your WSUS server performs no action for the update. The exceptions to this are in the Critical Updates and Security Updates classifications, which by default are automatically approved for detection after they are synchronized.

        Have you modified the default for the Security Updates classification so they aren't auto-approved? Thanks in advance for help with a learning curve - also, from your experience, is it normal to override this default? I could imagine so if there are some critical production servers, but perhaps not with desktops.

        Thanks in advance for some knowledge transfer.

        Dave

      • Re: Using WSUS with SecurityCenter
        Novice

        When you run a WSUS scan against your systems, the report looks for all missing patches and not the specific status of a patch.

        Meaning that if a patch is not_installed, downloaded (and not installed), failed, or installed_pending_reboot, it will report this patch as missing and give details on the status in the report.

        • Re: Using WSUS with SecurityCenter
          Novice

          Thanks, Tony. That means that Nessus is not tied into WSUS. The purpose of WSUS is to manage patches, and Nessus would need to query that information in order to report compliance. For example, if a patch was released 4 months ago but it has not yet been approved, then running the Nessus scan right *now* would tell us that the patch is missing, even though that information would be a false positive in this case. If you have any idea when Nessus will properly integrate with WSUS that would be great - we would likely be able to test this for you, too.

          And Dave, there are two MS links on the WSUS approval question, and neither is dated:

          http://technet.microsoft.com/en-us/library/cc708458%28v=ws.10%29.aspx

          http://technet.microsoft.com/en-us/library/cc708474%28v=ws.10%29.aspx

          My coworker read them and essentially told me that only 708474 is correct, in that WSUS automatically checks if patches are installed, downloaded, etc., but does *not* automatically install them - ever. This has been my experience. WSUS lacks some very important features, but that is not one of them. FYI, I have some WSUS scripts for automating things. If you're interested, send me a PM and I'll be happy to get them to you.

          - Natalie

          • Re: Using WSUS with SecurityCenter
            Guru

            globalfrog wrote:

            And Dave, there are two MS links on the WSUS approval question, and neither is dated:

            http://technet.microsoft.com/en-us/library/cc708458%28v=ws.10%29.aspx

            http://technet.microsoft.com/en-us/library/cc708474%28v=ws.10%29.aspx

            Very useful - thanks!!!

            For example, if a patch was released 4 months ago but it has not yet been approved, then running the Nessus scan right *now* would tell us that the patch is missing, even though that information would be a false positive in this case. If you have any idea when Nessus will properly integrate with WSUS that would be great - we would likely be able to test this for you, too.

            FYI, I have some WSUS scripts for automating things. If you're interested, send me a PM and I'll be happy to get them to you.

            - Natalie

            Natalie, is it fair to say your goal is to verify that selected security patches have been deployed successfully by WSUS and installed successfully, versus measuring vulnerability risk across your enterprise? If so, seeing that you obviously have programming skills, have you thought about looking at the Nessus API, running a Nessus credentialed scan for MS Bulletin patches which haven't been applied, and pulling that information to correlate with WSUS information about security patches that should have been applied? The "should be applied" set will be a subset of all missing patches returned by Nessus. There are examples that others have posted on the Nessus API on the discussions forum. Just a thought.

            Also, WSUS as yet does not, as you know, deploy third-party patches. I read SCCM does, but I don't know how extensive it is. So if you run a Nessus credentialed scan, you'll know about other patches that are failing to install; perhaps the vendor's update agent isn't working properly or wasn't installed at all.

            Thanks for all the feedback.

            Regards,

            Dave
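The correlation Dave suggests, worked as an added Python example that is not code from this thread, from Tenable or from Microsoft: it takes the bulletins a credentialed Nessus scan reports missing per host (already pulled from the scanner, by whatever means) and the WSUS approval action per bulletin and computer group, and sorts each missing bulletin into "WSUS should have installed it", "approved for detection only" or "never approved" (Natalie's false-positive case). All host names, groups and bulletin numbers are constructed placeholders.

```python
# Added example (not from the thread). Constructed inputs throughout: host
# names, computer groups and bulletin IDs are placeholders, not scan output.

# Constructed: bulletins the Nessus MS plugins reported missing, per host.
NESSUS_MISSING = {
    "ws01.corp.example": {"MS12-001", "MS12-004", "MS12-010"},
    "srv02.corp.example": {"MS12-004", "MS12-010"},
}
# Constructed: each host's WSUS computer group.
HOST_GROUP = {"ws01.corp.example": "Workstations", "srv02.corp.example": "Servers"}
# Constructed: WSUS approval action per (bulletin, group). As in the Microsoft
# text quoted earlier, a group-specific approval overrides the All Computers one.
WSUS_APPROVAL = {
    ("MS12-001", "Workstations"): "Install",
    ("MS12-004", "Workstations"): "Install",
    ("MS12-004", "Servers"): "Detect only",
    ("MS12-010", "All Computers"): "Install",
    ("MS12-010", "Workstations"): "Not approved",
}


def approval_for(approvals, bulletin, group):
    """Group-specific action if present, else the All Computers default."""
    return (approvals.get((bulletin, group))
            or approvals.get((bulletin, "All Computers"), "Not approved"))


def correlate(missing_by_host, host_group, approvals):
    """Sort each host's Nessus-missing bulletins into three buckets:
    deploy_failed     - approved for Install, so WSUS should have installed it
    detect_only       - approved Detect only, so known-missing by design
    awaiting_approval - not approved; Nessus is right, but WSUS was never told
                        to deploy it (the 'false positive' Natalie describes)"""
    result = {}
    for host, missing in missing_by_host.items():
        group = host_group[host]
        buckets = {"deploy_failed": set(), "detect_only": set(), "awaiting_approval": set()}
        for bulletin in missing:
            action = approval_for(approvals, bulletin, group)
            if action == "Install":
                buckets["deploy_failed"].add(bulletin)
            elif action == "Detect only":
                buckets["detect_only"].add(bulletin)
            else:
                buckets["awaiting_approval"].add(bulletin)
        result[host] = buckets
    return result
```

Only the deploy_failed bucket is a WSUS deployment problem; the other two are Nessus reporting correctly on patches WSUS was never asked to install.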

    • Re: Using WSUS with SecurityCenter
      Novice

      Sorry, the port is 8530; I must have accidentally typed in 8528. I followed the Patch Management Integration guide and the results are still blank.

      No, it doesn't use any type of encryption.

      • Re: Using WSUS with SecurityCenter
        Novice

        A few questions to try to solve this issue.

        Does the user that you supplied for the scan have admin rights over the WSUS system?

        Can you confirm you have the following plugins enabled:

        57031, 57032, 57033, 58133, along with any Microsoft patch bulletins you want to check for.

        If all the above are enabled, does the report (plugin ID 58133) have anything in it, and if so, is it accurate?

        If you are running Nessus 5, can you right-click on one of the hosts in the report, then click on "download knowledge base for host"? Inside this file, look for the items below:

        patch_management/wsus=1

        wsus/host= //Your Host name

        wsus/port= //your port

        and anything starting with "wsus/missing_patch"
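The knowledge-base check described above, as an added Python example that is not code from the thread or from Tenable. It assumes each line of the downloaded knowledge base ends in a key=value pair (any leading fields are ignored), pulls out the four WSUS keys named above, and reports which of them is absent or unexpected; both sample exports are constructed, including the patch and status values.

```python
import re

# Added example (not from the thread). Assumption: each line of the downloaded
# knowledge base ends in 'key=value'; any leading fields are ignored.
KB_ENTRY = re.compile(r"(?P<key>[\w./-]+)=(?P<value>.*)$")

# Constructed sample: a host where the WSUS query worked and returned results.
GOOD_KB = """\
patch_management/wsus=1
wsus/host=wsus01.corp.example
wsus/port=8530
wsus/missing_patch/KB2621440=not_installed
wsus/missing_patch/KB2653956=installed_pending_reboot
"""
# Constructed sample: the original poster's case, with the port typo and no
# missing_patch keys at all.
BLANK_KB = "patch_management/wsus=1\nwsus/host=wsus01.corp.example\nwsus/port=8528\n"


def parse_kb(text):
    """Return (settings dict, [(patch, status), ...]) from a KB export."""
    settings, missing = {}, []
    for line in text.splitlines():
        m = KB_ENTRY.search(line.strip())
        if not m:
            continue  # blank lines or lines without key=value
        key, value = m.group("key"), m.group("value").strip()
        if key.startswith("wsus/missing_patch"):
            # last path component names the patch; the value is its WSUS status
            missing.append((key.rsplit("/", 1)[-1], value))
        else:
            settings[key] = value
    return settings, missing


def diagnose(settings, missing, expected_port=None):
    """List reasons a WSUS report could be blank, in the order to check them."""
    problems = []
    if settings.get("patch_management/wsus") != "1":
        problems.append("patch_management/wsus is not 1: WSUS preference not applied to the scan")
    if not settings.get("wsus/host"):
        problems.append("wsus/host missing: the scanner never recorded the WSUS server")
    port = settings.get("wsus/port")
    if not port:
        problems.append("wsus/port missing: the scanner never recorded the WSUS port")
    elif expected_port is not None and port != str(expected_port):
        problems.append(f"wsus/port is {port}, expected {expected_port}: fix the scan policy")
    if not problems and not missing:
        problems.append("no wsus/missing_patch keys: WSUS returned nothing for this host")
    return problems
```

An empty problems list with an empty missing list cannot happen: either the WSUS keys are wrong, or WSUS genuinely reported nothing, and the last message tells you which.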