Implementation of a comprehensive vulnerability management program from inception to completion.
Inception State: the organization has no existing policy or vulnerability management practices in place.
Completion State: a formal policy is enacted, stakeholder buy-in is secured, and a full cycle of organization-wide vulnerability remediation is successfully completed.
- Tenable (enterprise vulnerability management platform)
- Azure Virtual Machines (Nessus scan engine + scan targets)
- PowerShell & BASH (remediation scripts)
- Vulnerability Management Policy Draft Creation
- Mock Meeting: Policy Buy-In (Stakeholders)
- Policy Finalization and Senior Leadership Sign-Off
- Mock Meeting: Initial Scan Permission (Server Team)
- Initial Scan of Server Team Assets
- Vulnerability Assessment and Prioritization
- Distributing Remediations to Remediation Teams
- Mock Meeting: Post-Initial Discovery Scan (Server Team)
- Mock CAB Meeting: Implementing Remediations
- Remediation Round 1: Outdated Wireshark Removal
- Remediation Round 2: Insecure Protocols & Ciphers
- Remediation Round 3: Guest Account Group Membership
- Remediation Round 4: Windows OS Updates
- False Positive Troubleshooting
- First Cycle Remediation Effort Summary
This phase focuses on drafting a Vulnerability Management Policy as a starting point for stakeholder engagement. The initial draft outlines scope, responsibilities, and remediation timelines, and may be adjusted based on feedback from relevant departments to ensure practical implementation before final approval by upper management.
Draft Policy
In this phase, a meeting with the server team introduces the draft Vulnerability Management Policy and assesses their capability to meet remediation timelines. Feedback leads to adjustments, like extending the critical remediation window from 48 hours to one week, ensuring collaborative implementation.
After gathering feedback from the server team, the policy is revised, addressing aggressive remediation timelines. With final approval from upper management, the policy now guides the program, ensuring compliance and reference for pushback resolution.
Finalized Policy
Collaborate with the server team to initiate scheduled credentialed scans. Agree on how the scan will be conducted and which resources to monitor for impact, and propose just-in-time Active Directory credentials for secure, controlled access.
In this phase, an insecure Windows Server is provisioned to simulate the server team's environment. After creating vulnerabilities, an authenticated scan is performed, and the results are exported for future remediation steps.
We assessed vulnerabilities and established a remediation prioritization strategy based on ease of remediation and impact. The following priorities were set:
- Third Party Software Removal (Wireshark)
- Windows OS Secure Configuration (Protocols & Ciphers)
- Windows OS Secure Configuration (Guest Account Group Membership)
- Windows OS Updates
The server team received remediation scripts and scan reports to address key vulnerabilities. This streamlined their efforts and prepared them for a follow-up review.
The server team reviewed vulnerability scan results, identifying outdated software, insecure accounts, and deprecated protocols. The remediation packages were prepared for submission to the Change Control Board (CAB).
The Change Control Board (CAB) reviewed and approved the plan to remove insecure protocols and cipher suites. The plan included a rollback script and a tiered deployment approach.
The server team used a PowerShell script to remove outdated Wireshark. A follow-up scan confirmed successful remediation.
Scan 2 - Third Party Software Removal
The server team used PowerShell scripts to remediate insecure protocols and cipher suites. A follow-up scan verified successful remediation, and the results were saved for reference.
PowerShell: Insecure Protocols Remediation
PowerShell: Insecure Ciphers Remediation
Scan 3 - Ciphersuites and Protocols
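An added example of the kind of hardening script Remediation Round 2 describes (illustrative code, not the project's own Insecure Protocols or Insecure Ciphers scripts). It assumes an elevated session on the target server and writes a registry backup under ProgramData to support the rollback step the CAB required.

```powershell
# Added example (not the project's own script): disable legacy SCHANNEL protocols
# and weak ciphers on a Windows Server, with a registry backup for CAB rollback.
# Run elevated; a reboot is required for SCHANNEL changes to take effect.
$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Back up the whole SCHANNEL key first so the change can be reverted (rollback step).
$backup = "$env:ProgramData\schannel-backup-$(Get-Date -Format yyyyMMdd-HHmmss).reg"
reg export "HKLM\$schannel" $backup /y | Out-Null

# Deprecated protocols, disabled for both the client and server roles.
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'
foreach ($p in $protocols) {
    foreach ($role in 'Client', 'Server') {
        $path = "HKLM:\$schannel\Protocols\$p\$role"
        New-Item -Path $path -Force | Out-Null
        New-ItemProperty -Path $path -Name Enabled -PropertyType DWord -Value 0 -Force | Out-Null
        New-ItemProperty -Path $path -Name DisabledByDefault -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Cipher key names contain '/', which the PowerShell registry provider treats as a
# path separator, so these keys are created through the .NET registry API instead.
$ciphers = 'NULL', 'DES 56/56', 'RC2 40/128', 'RC2 56/128', 'RC2 128/128',
           'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128', 'Triple DES 168'
$root = [Microsoft.Win32.Registry]::LocalMachine
foreach ($c in $ciphers) {
    $key = $root.CreateSubKey("$schannel\Ciphers\$c")
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

# Report the resulting state so the evidence can be attached to the change record.
foreach ($p in $protocols) {
    $v = Get-ItemProperty "HKLM:\$schannel\Protocols\$p\Server" -ErrorAction SilentlyContinue
    '{0,-8} Server Enabled={1} DisabledByDefault={2}' -f $p, $v.Enabled, $v.DisabledByDefault
}
Write-Host "Backup written to $backup; reboot to apply SCHANNEL changes."
```

The follow-up Tenable scan is the actual verification; the printed state is only the change-record evidence, and importing the .reg backup followed by a reboot is the rollback.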
The server team removed the guest account from the administrator group. A new scan confirmed remediation, and the results were exported for comparison.
PowerShell: Guest Account Group Membership Remediation
Scan 4 - Guest Account Group Removal
Windows updates were re-enabled and applied with multiple reboots until the system was fully up to date.
During the post-update validation phase, a recurring critical vulnerability (plugin ID 261804) flagged the Windows kernel (ntoskrnl.exe) as outdated. Despite applying cumulative update KB5065429 and confirming its installation, the file version remained at 10.0.19041.6328, whereas Tenable expected 10.0.19041.6332.
- Verified Update Installation
  - Get-HotFix confirmed KB5065429 was installed on the VM.
  - DISM reported the presence of Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.6332.1.15.
  - Windows reported Build 19045.6332, but the kernel file version remained 6328.
- Integrity Checks
  - Ran DISM /Online /Cleanup-Image /RestoreHealth and sfc /scannow; no integrity violations were found.
  - Confirmed servicing stack packages (SSUs) were current.
- Remediation Attempts
  - Manually downloaded and installed the KB5065429 .msu package multiple times.
  - Attempted cumulative rollup reinstallation (KB5034119, KB5005698).
  - Rebooted after each cycle; kernel version unchanged.
- Tenable Validation
  - Remediation scan of plugin 261804 still flagged the kernel mismatch.
  - Creating a local plugin exclusion in Tenable was attempted, but without admin rights, the exclusion did not persist.
This appears to be a longstanding mismatch issue between Microsoft cumulative updates and Tenable’s plugin checks. Microsoft packages correctly advance the OS build to 19045.6332, but the kernel binary (ntoskrnl.exe) version lags at 19041.6328.
- Community discussions confirm similar discrepancies have persisted for years:
Until Microsoft resolves the version alignment, this detection should be treated as a false positive and documented accordingly. CVE-2013-3900 was mitigated, Microsoft Paint 3D was uninstalled, and one more round of updates from both the Microsoft Store and Windows Update was applied before conducting the final Tenable vulnerability management scan.
Scan 6 - Confirmed False Positive
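An added example (not the project's own script) that collects the evidence from the troubleshooting steps above in one pass, so it can be attached to the false-positive record. It assumes an elevated session on the affected VM and uses the KB number and expected file version quoted in the finding.

```powershell
# Added example (not the project's own script): gather the evidence used to judge
# whether the plugin 261804 kernel-version finding is a false positive.
# Run elevated (DISM needs it). The two values below come from the scan finding.
$kb           = 'KB5065429'
$expectedFile = [version]'10.0.19041.6332'   # file version the plugin expects

# 1. Is the cumulative update recorded as installed?
$hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue

# 2. What build does Windows report? CurrentBuild plus UBR gives e.g. 19045.6332.
$cv      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$osBuild = "$($cv.CurrentBuild).$($cv.UBR)"

# 3. What version does the kernel binary itself carry?
# FileVersionRaw is a [version]; the plain FileVersion string has a build tag appended.
$kernelFile = (Get-Item "$env:SystemRoot\System32\ntoskrnl.exe").VersionInfo.FileVersionRaw

# 4. Which RollupFix packages does the component store hold?
$rollups = (dism /Online /Get-Packages /Format:Table) -match 'Package_for_RollupFix'

# The case on this page: update installed and the OS revision (UBR) already at or
# beyond the expected revision, yet the kernel file version still lags behind it.
$osRevisionCurrent = [int]$cv.UBR -ge $expectedFile.Revision
$kernelLags        = $kernelFile -lt $expectedFile
$verdict = if ($hotfix -and $osRevisionCurrent -and $kernelLags) {
    'Build updated but kernel file version lags: document as false positive'
} elseif ($kernelLags) {
    'Kernel file outdated and build not current: continue remediation'
} else {
    'Kernel file version meets expectation: finding should clear on rescan'
}

[pscustomobject]@{
    UpdateInstalled = [bool]$hotfix
    OsBuild         = $osBuild
    KernelFile      = $kernelFile.ToString()
    ExpectedFile    = $expectedFile.ToString()
    RollupPackages  = ($rollups -join '; ')
    Verdict         = $verdict
} | Format-List
```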
The remediation process reduced total vulnerabilities by 78%, from 32 to 7. Critical vulnerabilities were effectively resolved by the second scan (100% disregarding the false positive). High vulnerabilities dropped by 89%. Mediums were reduced by 79%. In an actual production environment, asset criticality would further guide future remediation efforts.
After completing the initial remediation cycle, the vulnerability management program transitions into Maintenance Mode. This phase ensures that vulnerabilities continue to be managed proactively, keeping systems secure over time. Regular scans, continuous monitoring, and timely remediation are crucial components of this phase. (See Finalized Policy for scanning and remediation cadence requirements.)
Key activities in Maintenance Mode include:
- Scheduled Vulnerability Scans: Perform regular scans (e.g., weekly or monthly) to detect new vulnerabilities as systems evolve.
- Patch Management: Continuously apply security patches and updates, ensuring no critical vulnerabilities remain unpatched.
- Remediation Follow-ups: Address newly identified vulnerabilities promptly, prioritizing based on risk and impact.
- Policy Review and Updates: Periodically review the Vulnerability Management Policy to ensure it aligns with the latest security best practices and organizational needs.
- Audit and Compliance: Conduct internal audits to ensure compliance with the vulnerability management policy and external regulations.
- Ongoing Communication with Stakeholders: Maintain open communication with teams responsible for remediation, ensuring efficient coordination.
By maintaining an active vulnerability management process, organizations can stay ahead of emerging threats and ensure long-term security resilience.
