Conflicting Reporting of Patches and Vulnerabilities
I have a number of Windows 2003 R2 servers which are patched using WSUS. I am evaluating network security scanners and am currently testing a device from nCircle. The problem I am having is that the reports of the scanner are at odds with the reports of WSUS and the Windows Update site. I'm not sure how to interpret what I am seeing and hoped someone here might have some insight into what is going on.

A good example of what I am talking about is a reported vulnerability involving the lack of the KB953155 patch. It is also listed as MS08-062 and deals with an Internet Printing integer overflow vulnerability. I saw the vulnerability reported and talked to the person responsible for running WSUS. He checked, and WSUS had the patch in inventory; when he checked the report on the server in question, it said its patch levels were up to date and that the KB was "not applicable". Since we had encountered a problem and had to completely rebuild our WSUS, and looking at the age of the patch, we took this as having been installed by the old WSUS.

I was a bit confused, so I thought I may as well go to the source and browsed to windowsupdate.microsoft.com from the server in question. This patch was not listed in the needed items. At that point I returned to the report that I got from the nCircle product and drilled down into the vulnerability it listed. It explained that the test for this is the lack of a registry key (HKLM\Software\Microsoft\Updates\Windows Server 2003\sp3\KB953155). I went into regedit and manually checked for the existence of this key, and it was indeed missing. I then went to the Microsoft site and manually downloaded and applied the MS08-062 patch to the server. I then went back to regedit and checked, and this time the necessary key was present. I ran the scan again and the vulnerability was no longer listed.

At this point I'm lost. I'm curious about how WSUS and the Microsoft site check for the existence of a patch on a server. I'm also wondering how the patch could have been installed by either without the associated registry update. Any guidance greatly appreciated.
July 2nd, 2010 6:34pm

Looking at the details of that particular update, there are two things I notice. Firstly, while the different service pack levels of 2003 are listed individually, there is no mention of this applying to 2003 R2 servers. That said, it does still apply to 2008 servers, which seems weird if it had been resolved by the time 2003 R2 appeared. Secondly, if you check the FAQ it states "Windows Server 2003 and Windows Server 2008 systems that do not have both IIS and Internet printing installed are not affected and will not receive this update.", so the questions I'd ask are 1) do your 2003 R2 servers have IIS and Internet Printing installed on them, and 2) how does nCircle determine if the update is required? Does it simply check for the existence of the update, and not also check for its requirement?

In terms of the output from your WSUS reports, I believe the fact that the update is listed as "not applicable" isn't because it is a new installation, but that the update is not relevant to that server. Even with a new WSUS implementation, the report generated will still show all installed updates for the servers, regardless of them being provided by that WSUS installation, Windows Update or a previous WSUS installation.
July 4th, 2010 2:19pm
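The distinction the reply draws (a scanner testing for the presence of an installer artefact versus the update client evaluating whether the update applies) can be checked on the server itself. The following PowerShell is an added example and is not code from the thread or from nCircle or Microsoft. It takes the registry path from the thread as given; the use of the W3SVC service and the %SystemRoot%\web\printers folder as indicators that IIS and Internet Printing are installed is an assumption of this example, and the Windows Update Agent COM API (Microsoft.Update.Session) is used for the applicability query. Run it as an administrator on the host.

```powershell
# Added example (not from the thread): compare the three sources of truth that
# disagreed in the original post for KB953155 (MS08-062) on Windows Server 2003.
#   1. the registry key the update installer writes (what the scanner tested)
#   2. the host's own installed-hotfix inventory (what WSUS reports against)
#   3. the Windows Update Agent's applicability evaluation (what windowsupdate.microsoft.com showed)
# Assumptions: run elevated on the server; the registry path is the one quoted in the
# thread; W3SVC and %SystemRoot%\web\printers are used as assumed indicators for
# IIS and Internet Printing respectively.

$Kb        = 'KB953155'
$KbNumber  = $Kb -replace '^KB', ''
$RegKey    = "HKLM:\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP3\$Kb"

# 1. Installer artefact. Presence proves the package ran on this host.
#    Absence proves nothing about exposure: if the update does not apply, nothing
#    ever writes the key, and a scanner keyed only on this will raise a false positive.
$keyPresent = Test-Path -Path $RegKey

# 2. Installed-hotfix inventory (same data Get-HotFix and WSUS client reporting use).
$hotfix = Get-WmiObject -Class Win32_QuickFixEngineering |
          Where-Object { $_.HotFixID -eq $Kb }
$inventoryShowsInstalled = $null -ne $hotfix

# 3a. Is the affected component present at all? The bulletin FAQ quoted in the reply
#     says hosts without both IIS and Internet Printing are not affected.
$iisInstalled = $null -ne (Get-Service -Name W3SVC -ErrorAction SilentlyContinue)
$ippInstalled = Test-Path -Path (Join-Path $env:SystemRoot 'web\printers')   # assumed indicator

# 3b. Ask the Windows Update Agent. It evaluates the update's applicability rules
#     (component installed, file versions, supersedence) instead of a single key.
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
# 2 = ssWindowsUpdate: query Microsoft directly, as the poster did in a browser,
# rather than the WSUS server the host is normally pointed at.
$searcher.ServerSelection = 2
$result   = $searcher.Search("IsInstalled=0 and Type='Software'")

$wuaSaysNeeded = $false
foreach ($update in $result.Updates) {
    foreach ($id in $update.KBArticleIDs) {
        if ($id -eq $KbNumber) { $wuaSaysNeeded = $true }
    }
}

# Interpretation: the scanner's verdict is trustworthy only when it agrees with
# the component check. Key missing + component absent + WUA not offering it is
# exactly the "not applicable" state WSUS reported.
$verdict = if (-not $keyPresent -and -not ($iisInstalled -and $ippInstalled) -and -not $wuaSaysNeeded) {
    'Not applicable: affected component not installed; scanner finding is a false positive'
} elseif (-not $keyPresent -and $wuaSaysNeeded) {
    'Missing: update applies and is not installed'
} elseif ($keyPresent -or $inventoryShowsInstalled) {
    'Installed'
} else {
    'Inconsistent: investigate (component present but WUA does not offer the update)'
}

New-Object PSObject -Property @{
    KB                        = $Kb
    RegistryKeyPresent        = $keyPresent
    HotfixInventoryShows      = $inventoryShowsInstalled
    IISInstalled              = $iisInstalled
    InternetPrintingInstalled = $ippInstalled
    WUAOffersUpdate           = $wuaSaysNeeded
    Verdict                   = $verdict
} | Format-List
```

If WUA reports the update as not offered and neither IIS nor Internet Printing is present, installing the package by hand (as the poster did) will still write the registry key and silence the scanner, but it does not change the host's actual exposure; the useful fix is to ask the scanner vendor to gate the check on the affected component, as the reply suggests.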

As I said, I'm in eval mode on the nCircle, so my experience with it is extremely limited. One thing they constantly stress is that they have the ability to identify OS / version / installed programs and base their evaluation on those criteria. Hmmmmmm.... Think some "quality time" with their tech support is definitely in order. Appreciate the response. Guess I trusted the technology too much and should have spent more time RTFM. <Blush>
July 4th, 2010 6:19pm
