    Posts

    • RE: Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?

      @dustinb3403 said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

      @scottalanmiller said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

      @dustinb3403 said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

      @jaredbusch said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

      And remember auditors are not IT. Most of them don't know their ass from a hole in the ground.

      They just click buttons in the order they are told.

      This too is true.

      Unfortunately it's now on you to prove that the auditor's assessment is flawed, by proving your systems are secured from the oldest threats.

      Not really, put it on them. Ask them to show which things are missing since all patches are applied.

      These audits always read as "it's on the customer to prove compliance, not the auditor to prove non-compliance"

      Have you ever read one of these contracts from these auditors? They're as bad as the ToC from most big ISPs.

      "You have to be available between 3AM and 9PM all of December so we can troubleshoot any cablebox issues"

      aaaaahahahahahahhahaa... omfg this gave me a good laugh. THANK YOU

      posted in IT Discussion
      dave247
    • RE: Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP)

      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      I'm not trying to point fingers or anything. I'm trying to help you see that you can't be in charge of IT and have someone else calling the IT shots. You can't be focused on security while actively covering up security gaps.

      I totally understand being put in a position where you feel responsible for the security AND to meet crazy needs. But at the end of the day, someone is culpable for intentional gaps and you need to know who that is. If it is you, you need to stand up and say "this doesn't secure us and the auditors are scamming us", or you need to say to yourself "my goal is to keep the boss happy and if I secure some stuff along the way, fine."

      Doing this won't actively reduce security, it just makes it seem like things are more secure than they are.

      Something to keep in your pocket - pressuring you to do things and lying about being a security audit could qualify as "social engineering" and give you strong legal leverage against the auditor.

      I am just trying to figure out the best method to avoid having unauthorized systems connected to our network. Furthermore, it seems like there are a LOT of options and so now I am in the boat of which the hell one do I pick? Sigh

      Well, not quite. If you were only trying to figure the first part out, that's NAC and doesn't have anything to do with the question asked. If you are trying to meet the requirements of the audit, it has nothing to do with systems not connecting or security, but requires static.

      Two completely different things. Your "I'm only trying" point is what I assumed your original goal was, but doesn't match the audit needs nor the asked topic.

      No.. The goal here is to not have unauthorized devices able to connect to the network as an additional security measure. Their solution maybe comes out of ignorance or maybe it's just how they consider the simplest method to achieve that.

      If I implement any other measure that accomplishes this, then they would be fine. I believe they just plug a laptop in and see if they get an address from DHCP or not.

      Nope, look again. Their goal is literally to have all devices be static. They don't care if people access the network as long as the device IPs are statically assigned.

      No. That's the damned suggestion.

      Right... that's what we are saying. They are NOT suggesting that you secure your environment, they are suggesting that you use static IPs.

      You are trying to find things that are implied that are not there. There is no need to "read into this", it's very clear. They want you on static IPs, and for reasons that aren't about security (they even point out that it is not about security!)

      gouges own eyes out

      ok. Game over. gg. Static mapped it is.

      posted in IT Discussion
      dave247
    • RE: Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP)

      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      This gets complex because you are trying to merge the needs of a "real" goal: security, with a "political" goal, satisfying a clueless boss and fake audit.

      That's hard because the two don't overlap. In this case they are not directly opposed, but they sure don't line up in any way.

      This would verge, though, on an intentional security coverup and at some point you might want to go higher in the chain and point out that you have both an auditor and your boss working hard to pretend that they are securing something but are, quite obviously, not doing it.

      The question is... are they trying to scam the government? Or are they trying to scam the owners? Do you think that the owners are aware and are participating in the scam, or are in for a big surprise that they were sold security that was never performed?

      I totally hear you Scott. I think there's enough of a real security concern, but at the same time, people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.

      I'm going to just do my job and come up with a solution as long as I have time. Worst case scenario, I just implement static addresses again so we don't get dinged on an audit.

      The toughest part here is.... what is your job? I mean that literally. Is it to "do what your boss says" or is it to "work around the boss and protect the company from themselves?"

      My job is to manage all things IT in our company and I do that job pretty well I think. At the same time, I have to satisfy audit needs and my boss is in charge of making sure I'm on track. Not every portion of the audit is this stupid and I am just trying to make sure we don't get dinged on anything we don't have to.

      So the simple answer is to unplug everything not used.

      What is the exact wording of the audit question?

      I don't know the actual question they ask but here is the text from the relevant section of the suggested practices from the same company:

      Static IP Address Assignment
      Manually assigning an IP address to a device which will not change automatically. This aids in network management, but it also improves security by preventing devices introduced to the network from automatically being assigned an IP address and other required network information.
      Standards Mapping:
      Control Type: (Project)
      NIST Cybersecurity Framework: PR.AC-4
      NIST 800-53 Mapping: AC-02, AC-03, IA-02, IA-04
      Control Class: Technical

      Read this section again carefully. It's not a section about "why you need to keep unauthorized things from getting onto the network." This is just "use static IPs". Nothing more, nothing less. The audit is telling you that you need to be static, period. No ifs, ands, or buts. Notice that they lead with "aiding network management" not with security. That's an "oh it also does this."

      It's very clear, static IPs is their goal, not security. You are misunderstanding the goals and requirements of the audit if you think that this is about security, or that securing the environment will satisfy what they are demanding.

      ok well then, ffs, maybe I'll just use DHCP reservation on this...

      posted in IT Discussion
      dave247
    • RE: Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP)

      @coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      I'm not trying to point fingers or anything. I'm trying to help you see that you can't be in charge of IT and have someone else calling the IT shots. You can't be focused on security while actively covering up security gaps.

      I totally understand being put in a position where you feel responsible for the security AND to meet crazy needs. But at the end of the day, someone is culpable for intentional gaps and you need to know who that is. If it is you, you need to stand up and say "this doesn't secure us and the auditors are scamming us", or you need to say to yourself "my goal is to keep the boss happy and if I secure some stuff along the way, fine."

      Doing this won't actively reduce security, it just makes it seem like things are more secure than they are.

      Something to keep in your pocket - pressuring you to do things and lying about being a security audit could qualify as "social engineering" and give you strong legal leverage against the auditor.

      I am just trying to figure out the best method to avoid having unauthorized systems connected to our network. Furthermore, it seems like there are a LOT of options and so now I am in the boat of which the hell one do I pick? Sigh

      Well, not quite. If you were only trying to figure the first part out, that's NAC and doesn't have anything to do with the question asked. If you are trying to meet the requirements of the audit, it has nothing to do with systems not connecting or security, but requires static.

      Two completely different things. Your "I'm only trying" point is what I assumed your original goal was, but doesn't match the audit needs nor the asked topic.

      No.. The goal here is to not have unauthorized devices able to connect to the network as an additional security measure. Their solution maybe comes out of ignorance or maybe it's just how they consider the simplest method to achieve that.

      If I implement any other measure that accomplishes this, then they would be fine. I believe they just plug a laptop in and see if they get an address from DHCP or not.

      Nope, look again. Their goal is literally to have all devices be static. They don't care if people access the network as long as the device IPs are statically assigned.

      No. That's the damned suggestion.

      posted in IT Discussion
      dave247
    • RE: Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP)

      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      So to go against the auditor would be to expose his boss, too.

      Exactly

      posted in IT Discussion
      dave247
    • RE: Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP)

      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      I'm not trying to point fingers or anything. I'm trying to help you see that you can't be in charge of IT and have someone else calling the IT shots. You can't be focused on security while actively covering up security gaps.

      I totally understand being put in a position where you feel responsible for the security AND to meet crazy needs. But at the end of the day, someone is culpable for intentional gaps and you need to know who that is. If it is you, you need to stand up and say "this doesn't secure us and the auditors are scamming us", or you need to say to yourself "my goal is to keep the boss happy and if I secure some stuff along the way, fine."

      Doing this won't actively reduce security, it just makes it seem like things are more secure than they are.

      Something to keep in your pocket - pressuring you to do things and lying about being a security audit could qualify as "social engineering" and give you strong legal leverage against the auditor.

      I am just trying to figure out the best method to avoid having unauthorized systems connected to our network. Furthermore, it seems like there are a LOT of options and so now I am in the boat of which the hell one do I pick? Sigh

      Well, not quite. If you were only trying to figure the first part out, that's NAC and doesn't have anything to do with the question asked. If you are trying to meet the requirements of the audit, it has nothing to do with systems not connecting or security, but requires static.

      Two completely different things. Your "I'm only trying" point is what I assumed your original goal was, but doesn't match the audit needs nor the asked topic.

      No.. The goal here is to not have unauthorized devices able to connect to the network as an additional security measure. Their solution maybe comes out of ignorance or maybe it's just how they consider the simplest method to achieve that.

      If I implement any other measure that accomplishes this, then they would be fine. I believe they just plug a laptop in and see if they get an address from DHCP or not.

      posted in IT Discussion
      dave247
    • RE: Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP)

      @coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      This gets complex because you are trying to merge the needs of a "real" goal: security, with a "political" goal, satisfying a clueless boss and fake audit.

      That's hard because the two don't overlap. In this case they are not directly opposed, but they sure don't line up in any way.

      This would verge, though, on an intentional security coverup and at some point you might want to go higher in the chain and point out that you have both an auditor and your boss working hard to pretend that they are securing something but are, quite obviously, not doing it.

      The question is... are they trying to scam the government? Or are they trying to scam the owners? Do you think that the owners are aware and are participating in the scam, or are in for a big surprise that they were sold security that was never performed?

      I totally hear you Scott. I think there's enough of a real security concern, but at the same time, people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.

      I'm going to just do my job and come up with a solution as long as I have time. Worst case scenario, I just implement static addresses again so we don't get dinged on an audit.

      The toughest part here is.... what is your job? I mean that literally. Is it to "do what your boss says" or is it to "work around the boss and protect the company from themselves?"

      My job is to manage all things IT in our company and I do that job pretty well I think. At the same time, I have to satisfy audit needs and my boss is in charge of making sure I'm on track. Not every portion of the audit is this stupid and I am just trying to make sure we don't get dinged on anything we don't have to.

      So the simple answer is to unplug everything not used.

      What is the exact wording of the audit question?

      I don't know the actual question they ask but here is the text from the relevant section of the suggested practices from the same company:

      Static IP Address Assignment
      Manually assigning an IP address to a device which will not change automatically. This aids in network management, but it also improves security by preventing devices introduced to the network from automatically being assigned an IP address and other required network information.
      Standards Mapping:
      Control Type: (Project)
      NIST Cybersecurity Framework: PR.AC-4
      NIST 800-53 Mapping: AC-02, AC-03, IA-02, IA-04
      Control Class: Technical

      If you're checking the box you need to go 100% static on all devices.

      rips hair out

      posted in IT Discussion
      dave247
    • RE: Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP)

      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      I'm not trying to point fingers or anything. I'm trying to help you see that you can't be in charge of IT and have someone else calling the IT shots. You can't be focused on security while actively covering up security gaps.

      I totally understand being put in a position where you feel responsible for the security AND to meet crazy needs. But at the end of the day, someone is culpable for intentional gaps and you need to know who that is. If it is you, you need to stand up and say "this doesn't secure us and the auditors are scamming us", or you need to say to yourself "my goal is to keep the boss happy and if I secure some stuff along the way, fine."

      Doing this won't actively reduce security, it just makes it seem like things are more secure than they are.

      Something to keep in your pocket - pressuring you to do things and lying about being a security audit could qualify as "social engineering" and give you strong legal leverage against the auditor.

      I am just trying to figure out the best method to avoid having unauthorized systems connected to our network. Furthermore, it seems like there are a LOT of options and so now I am in the boat of which the hell one do I pick? Sigh

      posted in IT Discussion
      dave247
    • RE: Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP)

      @dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      This gets complex because you are trying to merge the needs of a "real" goal: security, with a "political" goal, satisfying a clueless boss and fake audit.

      That's hard because the two don't overlap. In this case they are not directly opposed, but they sure don't line up in any way.

      This would verge, though, on an intentional security coverup and at some point you might want to go higher in the chain and point out that you have both an auditor and your boss working hard to pretend that they are securing something but are, quite obviously, not doing it.

      The question is... are they trying to scam the government? Or are they trying to scam the owners? Do you think that the owners are aware and are participating in the scam, or are in for a big surprise that they were sold security that was never performed?

      I totally hear you Scott. I think there's enough of a real security concern, but at the same time, people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.

      I'm going to just do my job and come up with a solution as long as I have time. Worst case scenario, I just implement static addresses again so we don't get dinged on an audit.

      The toughest part here is.... what is your job? I mean that literally. Is it to "do what your boss says" or is it to "work around the boss and protect the company from themselves?"

      My job is to manage all things IT in our company and I do that job pretty well I think. At the same time, I have to satisfy audit needs and my boss is in charge of making sure I'm on track. Not every portion of the audit is this stupid and I am just trying to make sure we don't get dinged on anything we don't have to.

      So the simple answer is to unplug everything not used.

      What is the exact wording of the audit question?

      I don't know the actual question they ask but here is the text from the relevant section of the suggested practices from the same company:

      Static IP Address Assignment
      Manually assigning an IP address to a device which will not change automatically. This aids in network management, but it also improves security by preventing devices introduced to the network from automatically being assigned an IP address and other required network information.
      Standards Mapping:
      Control Type: (Project)
      NIST Cybersecurity Framework: PR.AC-4
      NIST 800-53 Mapping: AC-02, AC-03, IA-02, IA-04
      Control Class: Technical

      posted in IT Discussion
      dave247
    • RE: Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP)

      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      This gets complex because you are trying to merge the needs of a "real" goal: security, with a "political" goal, satisfying a clueless boss and fake audit.

      That's hard because the two don't overlap. In this case they are not directly opposed, but they sure don't line up in any way.

      This would verge, though, on an intentional security coverup and at some point you might want to go higher in the chain and point out that you have both an auditor and your boss working hard to pretend that they are securing something but are, quite obviously, not doing it.

      The question is... are they trying to scam the government? Or are they trying to scam the owners? Do you think that the owners are aware and are participating in the scam, or are in for a big surprise that they were sold security that was never performed?

      I totally hear you Scott. I think there's enough of a real security concern, but at the same time, people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.

      I'm going to just do my job and come up with a solution as long as I have time. Worst case scenario, I just implement static addresses again so we don't get dinged on an audit.

      The toughest part here is.... what is your job? I mean that literally. Is it to "do what your boss says" or is it to "work around the boss and protect the company from themselves?"

      My job is to manage all things IT in our company and I do that job pretty well I think. At the same time, I have to satisfy audit needs and my boss is in charge of making sure I'm on track. Not every portion of the audit is this stupid and I am just trying to make sure we don't get dinged on anything we don't have to.

      posted in IT Discussion
      dave247
    • RE: Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP)

      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      This gets complex because you are trying to merge the needs of a "real" goal: security, with a "political" goal, satisfying a clueless boss and fake audit.

      That's hard because the two don't overlap. In this case they are not directly opposed, but they sure don't line up in any way.

      This would verge, though, on an intentional security coverup and at some point you might want to go higher in the chain and point out that you have both an auditor and your boss working hard to pretend that they are securing something but are, quite obviously, not doing it.

      The question is... are they trying to scam the government? Or are they trying to scam the owners? Do you think that the owners are aware and are participating in the scam, or are in for a big surprise that they were sold security that was never performed?

      I totally hear you Scott. I think there's enough of a real security concern, but at the same time, people are just reading lists that other people created and following instructions and trying to just "do their job" and keep their job. Security was/is a real concern, but it's been buried under the fluff of doing business and passing audits.

      I'm going to just do my job and come up with a solution as long as I have time. Worst case scenario, I just implement static addresses again so we don't get dinged on an audit.

      posted in IT Discussion
      dave247
    • RE: Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP)

      @jaredbusch said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @dave247 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      If security was the goal, NAC is what is needed.

      There are a ton of decent NAC products. Even Microsoft's own will do what you want. https://packetfence.org/

      But realistically if they come in and plug in to a live jack what will they have access to? Security comes in layers, why is having access to the network important if you have everything locked behind credentials?

      Well I work at a financial institution and we have regular audits and exams and one of the things that has been asked in the past is if the auditor can plug their laptop into a jack and get an IP address. If yes, then we get a mark.

      And yes, I know that it should be about real security, not about satisfying one of the items on a checklist. I am trying to take care of both here.

      There we go, a reason that means nothing. I can plug in my laptop, not get an IP, and still figure out what the IP scheme is on your network. This is trivial stuff.

      Yeah, no shit. I tried explaining this to my boss but he does not understand. This is another problem, I know. I am just trying to come up with a reasonable solution for this.

      Disabling open ports would satisfy this requirement unless they do something stupid like unplug a valid machine from the network for their checklist.

      Yeah I don't know if they would go that far. I doubt any of them actually understand networking so I have to take ignorance into account.

      posted in IT Discussion
      dave247
    • RE: Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP)

      @jaredbusch said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      Disabling wall jacks is helpful. But what do you do when someone plugs into a live one? Or unplugs a live one to plug in their device?

      When you start down this route, these are the issues you will encounter.

      NAC sounds like what you actually want.

      Disable DHCP totally, get a NAC solution.

      A NAC solution? As in a separate product? Doesn't Windows have one, like the Network Access Protection via the Network Policy Server?

      posted in IT Discussion
      dave247
    • RE: Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP)

      @coliver said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      If security was the goal, NAC is what is needed.

      There are a ton of decent NAC products. Even Microsoft's own will do what you want. https://packetfence.org/

      But realistically if they come in and plug in to a live jack what will they have access to? Security comes in layers, why is having access to the network important if you have everything locked behind credentials?

      Well I work at a financial institution and we have regular audits and exams and one of the things that has been asked in the past is if the auditor can plug their laptop into a jack and get an IP address. If yes, then we get a mark.

      And yes, I know that it should be about real security, not about satisfying one of the items on a checklist. I am trying to take care of both here.

      posted in IT Discussion
      dave247
    • RE: Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP)

      @scottalanmiller said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      If security was the goal, NAC is what is needed.

      As in, on the switches or what? Sorry, please elaborate.

      posted in IT Discussion
      dave247
    • RE: Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP)

      @dustinb3403 said in Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP):

      MAC address filtering would be one way, albeit I think it would be a lot of work to set up.

      https://technet.microsoft.com/en-us/library/dd759190(v=ws.11).aspx

      But what about Network Access Protection policies for DHCP?

      posted in IT Discussion
      dave247
    • Best way to secure DHCP so that not just anyone can plug their PC in and get an IP? (Windows DC with DHCP)

      Please, let's keep this on topic as much as possible as I am really just trying to nail down the best solution.

      When I came into my job as IT admin, all our servers and workstations and thin clients were statically mapped, like manually, the hard way (no DHCP reservation). It's taken me a while but I rolled out DHCP for all our thin clients and desktops and everything is a lot easier to manage.

      One of the security concerns that was brought up to me now was that anyone can plug their laptop into an open network jack and get an IP address and my boss is trying to get me to assign everything static again.

      BEFORE YOU SAY IT: Yes, I know that either way is not actually secure and I've tried explaining that someone with Wireshark could still sniff our traffic or use other tools to get onto our network, etc.

      I have mentioned that I specifically don't patch in network jacks unless they are needed by someone and that there are no open jacks just hanging out on random walls where customers have easy access.

      So now, I am trying to find out the best way to set up DHCP and have it so that only the people I want on our network can get on.

      First and foremost, we run a 2008 R2 domain controller and that is also our DHCP server. I noticed in the DHCP settings that there is a "Network Access Protection" tab, which would work with Network Policy Server. I would assume this is the go-to method for this in a Windows domain, but I have never heard about it until now.

      Any input is welcome, but please don't get side-tracked with this as I don't want to go down a rabbit-hole of explaining the why of everything.

      posted in IT Discussion
      dave247
    • RE: Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?

      @dashrender said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

      @dave247 said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

      Additionally, we used to have Kaspersky 8 AV installed which was so unbelievably fucked up... I think it was even managing our Windows updates at one time. Then when I ripped it out of our environment, I had to use their special uninstall tool in safe mode.. so God knows how that messed things up. Some of my servers and computers that used to have Kav can't even run Windows update themselves.

      In a situation like that, did you look at creating a clean image and rolling that out instead? That would get you to a known good state and clear out any old crap. Sure, it's a hassle too - making sure people don't have stuff saved local, but it's also a good time to make sure people are saving their stuff to the network/cloud shares.

      Yeah I've considered it, but I honestly don't know how that would work here since we have a large mix of Dell desktop models as well as custom computer builds (previous sysadmins liked to order parts from NewEgg and build user's expensive computers). I can't just make a single image... I would have to make about 20 different images, and some of them I would only use once...

      When I redo computers, I usually just put a new SSD in (if needed) and then manually install Windows and all the applications we need. I've done it enough times now that it only takes me like 20 minutes, minus the wait for Windows to get updated.

      posted in IT Discussion
      dave247
    • RE: Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?

      @emad-r said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

      @dave247

      Hi,

      I came across many third-party tools to manage deploying updates on Windows, but what I learned is that you always need to double-check. Usually there are personnel in IT who do this, called the service desk (SD). In a big IT company we have 3 teams:

      Core Team (patching, storage, virtualization)
      Network Team (VPN, network)
      SD (checkup on work of others, ticket handling, some patching, fixing some things that cannot be automated in scripts)

      Since you're a lone wolf, and you had this review lately from your auditor, what you need to do is quickly come up with a systematic plan to approach deploying updates.

      And do you really manage 150 VMs? OSes? Systems? That sounds a bit off for a person with your experience in IT; usually system admins manage that amount, and that needs ~5 years of IT experience.

      So back to your issue, what is your current way of handling and verifying updates?
      How many systems do you manage? And what are their OSes? Are they virtualized? Or workstations?

      How about researching more about Saltstack (SS)? It is a good way to manage Windows. I have written a guide with examples, especially if your machines are all connected in a LAN, or most of them.
      There is nothing you can't do really with SS, but it is free and doesn't have a GUI; you need to spend time and learn it.

      https://mangolassi.it/topic/14253/saltstack-windows-playbooks/7

      And it is normal for AV to be hard to uninstall; they kind of protect the PC by defending their processes and services in a hard fashion. However, I think there is an option in Kaspersky called self-defense, and if you disable this, you can uninstall it easily:
      https://support.kaspersky.com/12161

      My top advice: the more you move your Windows servers to Linux, the more you relax in the future and stop worrying, especially when it comes to deploying updates. Did you know that Ubuntu Server Linux's current update mechanism auto-installs security updates and you simply have to reboot the server every once in a while, and that can be scheduled?

      Also always RDP or VNC into that machine and double-check that updates are successful and the services are started; you can consider using a monitoring system.

      But again, it seems someone is overtaxing you, to be honest. I would sit back and plan using tools and many things, then when it is time for action I would request helpers, even as daily workers for a day or 2, and have them each take 50 machines and install Salt Minion on them, for example, after I have set up the salt master correctly and tested it. And from there you can start really managing those machines.

      Thanks... I am the sysadmin/IT administrator here. I manage about 15 VMs with vSphere and then we have about 15 physical servers. I am slowly virtualizing what I can as we go. I also have about 40 thin clients and 30 or so Windows 7 (and a few Windows 10) desktops.

      posted in IT Discussion
      dave247
    • RE: Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?

      @dbeato said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

      Are you using automatic updates directly to Microsoft or WSUS right now?

      In my original email, I say I am using a 3rd party software tool named DesktopCentral. It is a pretty nice tool as it has a load of inventory and management features which I've been learning for over a year now. However, I am in the works of setting up WSUS on a server to see how well that works in comparison.

      posted in IT Discussion
      dave247