ISE 1.3 posture - specific MS KB

gtilburg
Cisco Employee

hi,

Our customer wants to protect against WannaCry using posture.

  • Can we check the presence of specific Microsoft KBs using ISE posture with ISE 1.3?
    The predefined posture conditions (e.g. pr_Win7_64_Hotfixes) contain a number of combined KB checks, but we would like to make a new condition that only lists the WannaCry-specific ones. If we have the KB number, how can we generate the condition? We are unclear on how the last bit (e.g. pc_W7_64_KB3080446_MS15-109) is generated.

  • How would it be possible to have different checks for different Win 10 versions?
    Windows 10 has different versions with different KBs to protect against WannaCry (see the list below). What would be the way to check the correct KBs for a specific Win 10 version?

Win 10 initial version (July 2015)
  May 9, 2017        KB4019474
  April 11, 2017     KB4015221
  March 22, 2017     KB4016637
  March 14, 2017     KB4012606

Win 10 v1511
  May 9, 2017        KB4019473
  April 11, 2017     KB4015219
  March 22, 2017     KB4016636
  March 14, 2017     KB4013198

Win 10 v1607
  May 9, 2017        KB4019472
  April 11, 2017     KB4015217
  March 22, 2017     KB4016635
  March 22, 2017     KB4015438
  March 14, 2017     KB4013429

Many thanks

Gert

Accepted Solution

kthiruve
Cisco Employee

HI Gert,

Please create custom compound conditions for the KBs and add them to the requirements. Add the requirements to the posture policy. Create different requirements for the different operating systems in your case.

Here is the documentation that describes this:

Posture Services on the Cisco ISE Configuration Guide - Cisco

Thanks

Krishnan


Thanks for the reply Krishnan.

It is not completely answering my question:

  1. If we have the KB number, e.g. KB4015217, how could we generate the compound condition to check this? The KB checks I have seen all include a prefix and a suffix, and I don't know how these are generated, e.g. pc_W7_64_KB3080446_MS15-109.
  2. I understand you can create different requirements for different operating systems, but we would need to create different requirements for Win10 v1607, Win10 v1511 and the Win10 initial version.
    These do not seem to be separated out in the list of operating systems on ISE.

Thanks

Gert

  1. The components in a compound condition are individual posture conditions in one or more categories. In other words, they need to be defined as individual posture conditions for file checks, etc.
    [screenshot: Screen Shot 2017-05-28 at 10.43.24 AM.png]
  2. If you really need differentiated posture requirements based on different Win10 releases, please bring the use cases to our product management team.

Hi Hsing-Tsu,

Thanks for the reply.

Not all the individual KBs exist in the ISE predefined conditions, e.g. we would need to check KB4015221, KB4016637, KB4012606, … which are not predefined.

Is there a way to create these individual KB conditions manually?

If not, any other recommendation to only allow WannaCry-protected hosts on the network?

Regards

Gert

The three KB articles correspond to OS build numbers for Windows 10 as initially released in July 2015:

KB4015221 = OS Build 10240.17354

KB4016637 = OS Build 10240.17320

KB4012606 = OS Build 10240.17319

Thus, you may create them as registry checks on

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion

Updating to a later OS build possibly also addresses the SMB vulnerabilities, but these checks are not specific to that issue. The KBs added for CSCve42752 are specific to SMB, and our engineering team updated it in the middle of last week. That should cover it for all Windows client versions supported by ISE.
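The build-number approach from the reply above, as an added example that is not part of the thread and not Cisco or ISE code: a PowerShell script for a test endpoint that reproduces the two checks discussed, the OS build (CurrentBuild plus UBR) registry check from the last reply and an explicit KB-presence check using the KB lists from the question, so the values can be validated on a host before the ISE conditions are built. The minimum UBR for build 10240 (17319 = KB4012606) is taken from the reply; the build-to-version mapping (10240 = initial July 2015 release, 10586 = v1511, 14393 = v1607) is an assumption not stated in the thread, and the minimum UBRs for v1511 and v1607 are left unset because the thread does not give them.

```powershell
# Added example, not code from the thread or from Cisco ISE. Performs on a test
# endpoint the two checks discussed above: the OS build (CurrentBuild + UBR)
# registry check from the last reply, and an explicit KB-presence check using the
# per-release KB lists from the question.
#
# Labelled assumptions: build-to-version mapping (10240 = initial July 2015
# release, 10586 = v1511, 14393 = v1607) is not stated in the thread; the minimum
# UBR for 10240 (17319 = KB4012606) is from the last reply; minimum UBRs for
# 10586 and 14393 are left as $null because the thread does not give them.

$cvPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

$releases = @{
    10240 = @{ Name   = 'Windows 10 initial release (July 2015)'
               MinUbr = 17319
               Kbs    = @('KB4012606', 'KB4016637', 'KB4015221', 'KB4019474') }
    10586 = @{ Name   = 'Windows 10 v1511'
               MinUbr = $null
               Kbs    = @('KB4013198', 'KB4016636', 'KB4015219', 'KB4019473') }
    14393 = @{ Name   = 'Windows 10 v1607'
               MinUbr = $null
               Kbs    = @('KB4013429', 'KB4015438', 'KB4016635', 'KB4015217', 'KB4019472') }
}

function Get-OsBuildInfo {
    # CurrentBuild is the major build ("10240"); UBR (Update Build Revision) is the
    # ".17319" part that every cumulative update increments. Together they form the
    # "OS Build 10240.17319" value Microsoft prints in the KB articles.
    $cv = Get-ItemProperty -Path $cvPath
    [pscustomobject]@{
        Build = [int]$cv.CurrentBuild
        Ubr   = [int]$cv.UBR
    }
}

function Test-WannaCryPosture {
    param(
        [Parameter(Mandatory)][int]$Build,
        [Parameter(Mandatory)][int]$Ubr,
        [string[]]$InstalledKbs = @()
    )

    $rel = $releases[$Build]
    if (-not $rel) {
        return [pscustomobject]@{ Release = "unknown build $Build"; Compliant = $false
                                  Reason  = 'build not in table; treat as non-compliant' }
    }

    # Check 1: registry build check. Cumulative updates supersede each other, so any
    # revision at or above the first one carrying the SMB fix passes; a check that
    # looks only for one specific KB ID would wrongly fail a host on a later build.
    if ($null -ne $rel.MinUbr -and $Ubr -ge $rel.MinUbr) {
        return [pscustomobject]@{ Release = $rel.Name; Compliant = $true
                                  Reason  = "UBR $Ubr >= minimum $($rel.MinUbr)" }
    }

    # Check 2: explicit KB presence, the fallback where no minimum build is known.
    $hit = $rel.Kbs | Where-Object { $InstalledKbs -contains $_ } | Select-Object -First 1
    if ($hit) {
        return [pscustomobject]@{ Release = $rel.Name; Compliant = $true
                                  Reason  = "$hit installed" }
    }

    [pscustomobject]@{ Release = $rel.Name; Compliant = $false
                       Reason  = "UBR $Ubr below minimum and none of $($rel.Kbs -join ', ') installed" }
}

# Usage on the local host (Get-HotFix reads Win32_QuickFixEngineering):
$os  = Get-OsBuildInfo
$kbs = Get-HotFix | ForEach-Object { $_.HotFixID }
Test-WannaCryPosture -Build $os.Build -Ubr $os.Ubr -InstalledKbs $kbs | Format-List
```

The reason to prefer the build check over a KB-ID check is the one the thread runs into: each monthly cumulative update has a new KB number, so a condition pinned to KB4012606 fails on a host that has since taken KB4019474, even though the latter includes the same SMB fix. The UBR only ever moves up, so a single "greater than or equal" registry condition on this key covers every later build. A compliant result from this script tells you which registry values and comparison to put into the ISE condition; the final reply also notes that the posture updates shipped for CSCve42752 already carry SMB-specific checks, so after updating ISE the custom condition may only be needed for releases those updates do not cover.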