Mailing List Archive

Checking if Windows was restarted after update
Hello!

We use WSUS in our company for updates, but not everyone restarts his workstation for days. So in some cases the computer is still vulnerable if not restarted. What would be the best practice to check this? I've been using Nessus for about 3 months, read the book but have little experience.

Thank you!


--
Bazy <bazy@goofy.celuloza.ro>
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
RE: Checking if Windows was restarted after update
> -----Original Message-----
> From: nessus-bounces@list.nessus.org [mailto:nessus-
> bounces@list.nessus.org] On Behalf Of Bazy
> Sent: Friday, January 09, 2009 6:10 AM
> To: nessus@list.nessus.org
> Subject: Checking if Windows was restarted after update
>
> Hello!
>
> We use WSUS in our company for updates, but not everyone restarts his
> workstation for days. So in some cases the computer is still vulnerable
> if not restarted. What would be the best practice to check this? I've
> been using Nessus for about 3 months, read the book but have little
> experience.

It depends on how the plugin for the specific vulnerability works. For
example, if it only checked WMI it would show the patch as being installed
whereas if it actually checks it should identify the system as vulnerable.
Nessus plugins are good for actually checking.

What we do to handle the "but I don't reboot" issue is to have the updates
set with a "forced reboot by." I handle Nessus, not Windows patching, so I
don't know the technical details but it does deal with those situations.

Tim Doty
Re: Checking if Windows was restarted after update
Bazy wrote:
> Hello!
>
> We use WSUS in our company for updates, but not everyone restarts his workstation for days. So in some cases the computer is still vulnerable if not restarted. What would be the best practice to check this? I've been using Nessus for about 3 months, read the book but have little experience.
>

We try to make every effort to test the live system. For example, we
occasionally get false positive reports from customers who say that
a machine is patched, yet Nessus is showing the machine to still be
vulnerable because the machine STILL IS vulnerable, and requires a
reboot.

Are you asking to be able to scan for a machine that is in the state
of needing to be rebooted?

Ron Gula
Tenable Network Security


Re: Checking if Windows was restarted after update
check this out...
http://msmvps.com/blogs/athif/archive/2005/09/06/65550.aspx

--
nexact
Re: Checking if Windows was restarted after update
On Fri, 09 Jan 2009 09:15:02 -0500
Ron Gula <rgula@tenablesecurity.com> wrote:

> Bazy wrote:
> > Hello!
> >
> > We use WSUS in our company for updates, but not everyone restarts his workstation for days. So in some cases the computer is still vulnerable if not restarted. What would be the best practice to check this? I've been using Nessus for about 3 months, read the book but have little experience.
> >
>
> We try to make every effort to test the live system. For example, we
> occasionally get false positive reports from customers who say that
> a machine is patched, yet Nessus is showing the machine to still be
> vulnerable because the machine STILL IS vulnerable, and requires a
> reboot.
>
> Are you asking to be able to scan for a machine that is in the state
> of needing to be rebooted?
>
> Ron Gula
> Tenable Network Security
>

Yes Ron, that is exactly what I'm asking.
It's a confusing situation because in WSUS we see the machine as updated, Nessus reports it as vulnerable, it can be exploited, and we as a Security Team open a ticket for IT to patch the machine, which just needs a reboot.
Re: Checking if Windows was restarted after update
It wouldn't be hard to write a plugin to check for a pending reboot or
file rename operation. According to this:
http://blogs.msdn.com/hansr/archive/2006/02/17/PatchReboot.aspx, there are
three areas of the registry to check.




RE: Checking if Windows was restarted after update
Could you not just write a plugin that issues the following command:

Net statistics Server/Workstation <-- choose whichever is relevant

The second line is "Statistics since MM/DD/YYYY M:S", where it shows the
last time and date the machine booted. Based on what time and date the
patch was pushed out, you should be able to tell whether the machine has
rebooted since the patch install.

Andrew Court

IT Security Specialist | CEH | BT Retail - Ireland |
E:Andrew.Court@bt.com |Mobile: +353 86 1720 692 | Fax: +353 1 432 5899|
www.btireland.com


Re: Checking if Windows was restarted after update
Another possibility, if you are not comfortable with plugin writing, is to use the Nessus WMI auditing functionality available to Professional
Feed and Security Center users. WMI stores the last boot time under root/CIMV2 => LastBootUpTime in the following format:

20090203100617.341500-300

It wouldn't be terribly difficult to whip up an audit to check for users who haven't rebooted since a particular date:

<check_type:"Windows" version:"2">
<group_policy: "Last boot audit">

<custom_item>
type : WMI_POLICY
description : "Check last boot time of remote device"
value_type : POLICY_TEXT
# Will fail for users who have not rebooted since Jan 1, 2009
value_data : "200902.*" || "200901.*"
wmi_namespace : "root/CIMV2"
wmi_request : "select LastBootUpTime from CIM_OperatingSystem"
wmi_attribute : "LastBootUpTime"
wmi_key : "LastBootUpTime"
check_type : CHECK_REGEX
</custom_item>

</group_policy>

</check_type>

This regex is oversimplified and could be modified to meet your criteria. You'll have a challenge with relative dates though.

Paul


--
Best Regards,

Paul Davis
Tenable Network Security Inc
Phone: 410.872.0555 x245
www.tenablesecurity.com

Is your network TENABLE?
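
Added example (not part of the message above and not Nessus or Tenable code): a Python sketch that parses the LastBootUpTime format quoted above and compares it against a patch time or a maximum uptime, which is the relative-date comparison a fixed regex cannot express. The host names, the second and third timestamps, the patch time and the scan time are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# CIM_DATETIME layout: yyyymmddHHMMSS.mmmmmm followed by a signed UTC offset in minutes
_DMTF = re.compile(r"^(\d{14})\.(\d{6})([+-])(\d{3})$")


def parse_dmtf(value):
    """Convert a WMI LastBootUpTime string to a timezone-aware datetime."""
    m = _DMTF.match(value.strip())
    if m is None:
        raise ValueError("not a CIM_DATETIME timestamp: %r" % value)
    stamp, micros, sign, minutes = m.groups()
    offset = timedelta(minutes=int(minutes))
    if sign == "-":
        offset = -offset
    naive = datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(microsecond=int(micros))
    return naive.replace(tzinfo=timezone(offset))


def reboot_pending(last_boot, patch_installed):
    """True when the host has not booted since the patch was installed."""
    return parse_dmtf(last_boot) < patch_installed


def stale_hosts(boot_times, now, max_uptime):
    """Return hosts whose uptime exceeds max_uptime, sorted by name."""
    return sorted(h for h, b in boot_times.items() if now - parse_dmtf(b) > max_uptime)


# Constructed sample data: host names and the last two timestamps are made up;
# the first timestamp is the one quoted in the message above.
SAMPLE = {
    "ws-01": "20090203100617.341500-300",
    "ws-02": "20081219083000.000000+120",
    "ws-03": "20090113235500.000000+000",
}
PATCH_TIME = datetime(2009, 1, 14, 3, 0, tzinfo=timezone.utc)  # assumed deployment time
NOW = datetime(2009, 2, 8, 12, 0, tzinfo=timezone.utc)         # assumed scan time

if __name__ == "__main__":
    for host, boot in sorted(SAMPLE.items()):
        pending = reboot_pending(boot, PATCH_TIME)
        print(host, parse_dmtf(boot).isoformat(), "reboot pending:", pending)
    print("up more than 30 days:", stale_hosts(SAMPLE, NOW, timedelta(days=30)))
```

In this sample ws-03 booted in January 2009 but a few hours before the assumed patch time, so a month-prefix pattern such as "200901.*" would pass it while the timestamp comparison flags it.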
RE: Checking if Windows was restarted after update
There is also a Nessus plugin (35453) which checks for this:

http://nessus.org/plugins/index.php?view=single&id=35453

- Mehul
