WSUS Patch Management Overview

As organizations look to implement a cost-effective patch management solution, many implement systems that are inadequate in providing a consistent patch management solution. Although these systems can provide an effective method for patching vulnerabilities, many of these systems are deployed without additional oversight, which can cause organizations to fall behind in their patch cycle. This report provides a high-level overview of vulnerabilities and event data reported by Windows Server Update Services (WSUS) and managed clients.

Windows Server Update Services (WSUS) provides a built-in service that enables organizations to automatically patch Microsoft based vulnerabilities. In order to address systems in need of patching, organizations must have an accurate and up-to-date asset management system in place. Organizations should also address stand-alone systems or hosts isolated from the main network that may not be a part of an enterprise-wide patch management solution. Many organizations have unmanaged systems that are manually patched, and can be easily overlooked by administrators. Using patch management solutions to scan internal systems can provide a more complete and current picture on the existing security posture of an organization. By continuously testing, monitoring, and rescanning all systems to ensure patches have been applied correctly, organizations can help to keep Windows-based systems secure and up to date. 

The WSUS Patch Management Overview report provides a high-level overview of Microsoft vulnerabilities detected by WSUS. Elements within this report can be useful in comparing the effectiveness of existing WSUS patch management efforts and whether existing security controls need to be modified. Analysts can use this information to focus efforts on identifying both current and previously mitigated vulnerabilities. Vulnerability data reported by Nessus can be used to compare against results reported by WSUS, which can highlight potentially outdated or inaccurate vulnerability information. In addition, vulnerability data from unmanaged systems is also provided, which can be used to compare the efficacy of patch management efforts. Events reported by Windows Update and WSUS can alert to service-related issues that should be reviewed further by analysts. Information on WSUS client status can help analysts detect client connection issues, or hosts that have fallen out of scope. Organizations can use this report to proactively address and strengthen WSUS patch management efforts across the network.

This report is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The report can be easily located in the Tenable.sc Feed under the category Discovery & Detection. The report requirements are:

• Tenable.sc 5.4.0
• Nessus 8.6.0
• LCE 6.0.0

Tenable.sc Continuous View (CV) is the market-defining continuous network monitoring solution, and can assist in securing an organization’s internal network and effectively monitor patch management solutions. Tenable.sc CV is continuously updated with information about advanced threats, zero-day vulnerabilities, and new regulatory compliance data. Active scanning periodically examines systems to determine vulnerabilities and compliance concerns. Agent scanning enables scanning and detection of vulnerabilities on transient and isolated devices. Passive listening provides real-time discovery of vulnerabilities on operating systems, protocols, network services, wireless devices, web applications, and critical infrastructure. Host data and data from other security products is analyzed to monitor patch management solutions on the network. Tenable.sc CV provides an organization with the most comprehensive view of the network and the intelligence needed to support proactive patch management efforts.

The following chapters are included in this report:

• Executive Summary: This chapter provides a comprehensive summary of vulnerabilities detected by WSUS. The Elements in this chapter provide trend data on current and previously mitigated vulnerabilities, which can help analysts monitor how systems are being patched effectively. Analysts can obtain valuable information on the most vulnerable hosts, which can assist with prioritizing patch mitigation efforts. Each element within this chapter can help organizations gain a better understanding on existing risks, and determine the effectiveness of WSUS systems on the network.
• WSUS Vulnerability Summary: This chapter presents a comprehensive view of outstanding vulnerabilities reported by WSUS. Elements included within this chapter are filtered by Critical, High, and Medium severity levels, and present a list of Microsoft Bulletins vulnerabilities reported by patch management systems. Results from each element may include results from multiple patch management systems supported by Tenable. Each table provides targeted information that analysts can use to prioritize remediation efforts and identify the most critical vulnerabilities first.  
• WSUS Client Summary: This chapter presents a comprehensive look at managed WSUS clients across the organization. Information on changes within each subnet can alert analysts to new clients, connection issues on existing clients, or clients that have fallen out of scope. Systems with Windows Update disabled can also be useful in correlating potential patching issues, or alert security teams to configuration issues within security policies that need to be addressed.
• WSUS and Windows Update Event Summary: This chapter includes an overview of both WSUS and Windows Update events that have been detected on the network. Information included within this chapter can be useful in correlating potential patch management issues that need to be addressed by the analyst. Elements within this chapter can be modified to include specific WSUS or Windows Update event information per organizational requirements.