Microsoft Patch Management Integration with Nessus - Part 1 WSUS
This is the first post in a two-part series that will cover how to configure Nessus and/or SecurityCenter to integrate with Microsoft's patch management software.
WSUS Patch Management Integration
Windows Server Update Services (WSUS) is available from Microsoft to manage the distribution of updates and hotfixes for Microsoft products. WSUS server 3.0 SP2 supports management of patches for the products listed here, as well as Windows 7 and Windows Server 2003 SP2 patches. If you are not familiar with WSUS, it is freely available to Microsoft customers as part of your Windows Server licensing agreement. A great article that covers all aspects of planning, deployment, and configuration is Windows Server Update Services Learning Roadmap Community Edition.
Nessus and SecurityCenter have the ability to query WSUS to verify whether or not patches are installed on systems managed by WSUS and to display the patch information through the Nessus or SecurityCenter interface. When performing scans with the WSUS patch management plugins enabled and configured, please note the following:
- Credentials entered into the policy take priority - If you've entered credentials into the scan policy and they are valid for a target system, Nessus will log in and perform credentialed scanning without querying the WSUS server data.
- WSUS is queried when credentials fail - If credentials are not valid for a target system, or no credentials are entered into the policy at all, the WSUS server will be queried to obtain patch information for those targets. This also applies to other policy settings that may cause a credentialed scan to fail, such as the remote registry or administrative shares settings.
- The WSUS plugin communicates only with the WSUS server - The WSUS plugin makes a connection to the WSUS server IP/hostname and port specified in the policy configuration (see "Patch Management WSUS Preferences" below). This is an important point, as the Nessus server(s) will require access to your WSUS server, which could mean making firewall rule changes to allow the connections. However, this is also a significant advantage: your target systems do not need to communicate with the Nessus server directly, which means host firewalls and remote registry settings will not get in the way of a patch audit.
- Patch information is only as up-to-date as your WSUS server - The data returned to Nessus by WSUS is only as current as the most recent data that the WSUS server has obtained from its managed hosts.
WSUS scanning is performed using the following two Nessus plugins:
- wsus_init_info.nbin (Plugin ID 57031) - This plugin configures the WSUS server settings used by the scan.
- wsus_get_missing_updates.nbin (Plugin ID 57032) - This plugin stores the missing updates for the remote host, obtained via an authenticated WSUS session.
You can receive patch information for systems you may not be able to access directly from the scanner, or for systems for which you may not have valid credentials, which allows for a more reliable and robust scan. Nessus also now implements a way to view WSUS patch information from the web interface. Following is a walk-through on how to configure this feature for WSUS:
CAUTION: IT administrators are expected to manage the patch monitoring software themselves and install any agents required by the patch management system on their systems.
Creating the Policy
From the Nessus web interface, click on the "Policies" tab and then "Add". For SecurityCenter go to the "Support" menu and choose "Scan policies", then click "Add". Directions for each tab under the Add Policy menu are described in this section.
If WSUS patch management scans are run as part of a network-based or credentialed vulnerability scan, all port scanning settings can be configured as they would in a typical scan policy. If you plan to run a separate scan and only wish to see results obtained from WSUS you can safely disable all of the port scanners, including "Ping Host". This will force Nessus to only run the plugins you've selected and skip the port scanning entirely.
When Nessus is configured to query a WSUS server it does not require that you enter credentials into the policy. For the WSUS patch management scans to run, at least two specific plugins must be enabled. These plugins can easily be found by searching for "WSUS" or "Patch Management" on the plugin filtering configuration page:
Next, you will need to enable the plugins required as shown below:
Enabling the Patch Management: Missing updates from WSUS Plugin
Enabling the Patch Management: WSUS server setting
Patch Management: Microsoft Plugin Families
Be certain to enable all of the plugins associated with Microsoft bulletins by selecting the "Windows : Microsoft bulletins" plugin family. WSUS contains information about Microsoft bulletins, which covers more than operating system patches and extends to software such as Microsoft Office.
Patch Management WSUS Preferences
To provide Nessus with the required information about your WSUS server go to "Preferences" and select "Patch Management WSUS server settings" from the drop-down menu:
The IP address or hostname, port, and credentials for the WSUS server must be provided for WSUS scanning to work properly:
The reports currently look very much the same as the ones generated if Nessus were to log into the host directly, except it includes an indication that the patch information was obtained from WSUS:
Reporting Tip: You can filter on the string "according to WSUS" in the "Vulnerability text" field to obtain a list of all patching information obtained from your WSUS server.
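The same filter can be applied offline to an exported .nessus (v2 XML) report, which is handy for auditing a large scan and for spotting hosts where the scanner never got a direct credentialed login and fell back to WSUS data. The script below is an added example, not Tenable's code; it assumes the standard .nessus v2 layout (NessusClientData_v2 > Report > ReportHost > ReportItem with a plugin_output child), uses the "according to WSUS" marker from the tip above, and treats plugin IDs 57031 and 57032 (named earlier in this post) as the WSUS infrastructure plugins rather than as patch findings. The embedded report is constructed for illustration; real plugin output text differs.

```python
"""Classify patch findings in a Nessus (.nessus v2 XML) export by data source.

Added example (not Tenable's code). Assumes the .nessus v2 layout and that
WSUS-derived findings contain the string "according to WSUS" in their output.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

WSUS_MARKER = "according to WSUS"
# Plugin IDs from the post: these set up / fetch the WSUS data and are not
# themselves patch findings, so they are tracked separately.
WSUS_PLUGIN_IDS = {"57031", "57032"}

# Constructed sample export: one host audited directly, one via WSUS.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="patch-audit">
    <ReportHost name="10.0.0.5">
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3"
                  pluginID="100001" pluginName="MS bulletin example (direct, constructed)">
        <plugin_output>The remote host is missing a security update (constructed).</plugin_output>
      </ReportItem>
    </ReportHost>
    <ReportHost name="10.0.0.7">
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="57032" pluginName="Patch Management: Missing updates from WSUS">
        <plugin_output>Missing updates reported by the WSUS server (constructed).</plugin_output>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="3"
                  pluginID="100002" pluginName="MS bulletin example (via WSUS, constructed)">
        <plugin_output>The remote host is missing the update according to WSUS (constructed).</plugin_output>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def classify_findings(nessus_xml: str) -> dict:
    """Return {host: {"wsus": n, "direct": n, "wsus_plugin_ran": bool}}.

    A ReportItem counts as "wsus" when its plugin_output contains WSUS_MARKER
    and as "direct" otherwise; the WSUS infrastructure plugins only set the
    wsus_plugin_ran flag.
    """
    root = ET.fromstring(nessus_xml)
    summary = defaultdict(lambda: {"wsus": 0, "direct": 0, "wsus_plugin_ran": False})
    for host in root.iter("ReportHost"):
        name = host.get("name")
        summary[name]  # make sure hosts with no findings still appear
        for item in host.iter("ReportItem"):
            if item.get("pluginID") in WSUS_PLUGIN_IDS:
                summary[name]["wsus_plugin_ran"] = True
                continue
            output = item.findtext("plugin_output") or ""
            key = "wsus" if WSUS_MARKER in output else "direct"
            summary[name][key] += 1
    return dict(summary)


def wsus_only_hosts(summary: dict) -> list:
    """Hosts whose patch findings all came via WSUS and none from a direct
    login: per the precedence rules above, these are the hosts where the
    policy's credentials (or remote registry / admin share access) failed."""
    return sorted(h for h, c in summary.items() if c["wsus"] and not c["direct"])


if __name__ == "__main__":
    result = classify_findings(SAMPLE_NESSUS)
    for host, counts in sorted(result.items()):
        print(f"{host}: {counts}")
    print("hosts audited only via WSUS:", wsus_only_hosts(result))
```

Hosts listed by wsus_only_hosts() are the ones to check first when validating scan credentials; their patch data is also only as fresh as the last check-in recorded by the WSUS server, per the caveat earlier in this post.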
It should be noted that this new feature, as well as the integration with other patch management systems, is also available to our SecurityCenter customers. The policy configuration screens are very similar and the functionality is the same. Look for more posts on how to configure integration with SCCM, VMware Go, and Red Hat Satellite server, in addition to new SecurityCenter dashboards that will include information from your patch management systems.