This project simulates a vulnerability management workflow in a local Windows environment using open-source tools and manual patching. It adapts Josh Madakor's Vulnerability Management Program lab and demonstrates a realistic remediation cycle: identifying, prioritizing and remediating vulnerabilities, then validating the fixes with a rescan.
If you would like to recreate this lab:
- Deploy 3 VMs:
- DC (Windows Server 2016)
- CLIENT1 (Windows 10)
- CLIENT2 (Windows 10)
- Ensure they are on the same network
- Configure DC as a Domain Controller
- Join both clients to the domain
- Set up an Ubuntu Linux VM with Nessus Essentials
- Link the local Nessus scanner to the Tenable console
- Ubuntu VM: runs Nessus Essentials
- Windows Server: Domain Controller
- CLIENT1: Windows 10
- CLIENT2: Windows 10
Step | Description |
---|---|
Identification | Collected vulnerabilities with a local Nessus scan |
Categorization | Grouped findings by severity and by number of vulnerabilities per host |
Prioritization | Addressed the host with the most critical findings first, then medium, then low |
Remediation | Applied OS updates and installed the missing KBs |
Verification | Ran a follow-up Nessus scan to confirm the fixes |
- Nessus Essentials installed and configured to scan 10.10.1.200, 10.10.1.201 and 10.10.1.202
- Initial scan discovered:
- CLIENT1: 31 vulnerabilities
- CLIENT2: 172 vulnerabilities
- DC: 142 vulnerabilities
- Initial report here
System Affected | Fix Plan | Priority | Number of Vulnerabilities |
---|---|---|---|
CLIENT2 | Install Windows Updates | Critical | 172 |
CLIENT2 | Uninstall Microsoft 3D Implementations | High | 6 |
DC | Install Windows Updates | High | 142 |
CLIENT1 | Install Windows Updates | Medium/Low | 31 |
- Applied all critical Windows updates manually via the Windows Update GUI
- Uninstalled Microsoft programs that are not part of the environment
- Verified that the affected services were hardened
- Took snapshots before and after patching for tracking
- Scanned each host before installing updates and patching the missing KBs, then patched in priority order:
- CLIENT2: installed Windows updates, reducing critical vulnerabilities to 0
- DC: installed Windows updates
- CLIENT1: installed Windows updates
- Re-ran the Nessus scan after the updates
- All critical vulnerabilities gone
- Confirmed patch integrity and no service disruption
- Final report here
The remediation process reduced total vulnerabilities by 87%, from 345 to 46. By the second scan, critical vulnerabilities were 97.88% resolved, high vulnerabilities had dropped by 84.88% and mediums by 58.6%. In a production environment, asset criticality would further guide the order of remediation.
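The categorization, prioritization and verification steps above can be computed from the Nessus export instead of counted by hand. The script below is an added example, not code from this project or from the Madakor lab: it parses the .nessus v2 XML format (ReportHost and ReportItem elements, where the numeric severity attribute runs 4 = Critical, 3 = High, 2 = Medium, 1 = Low, 0 = Info), counts findings per host and severity, orders hosts the way the fix plan table does (most critical findings first), and reports the before/after reduction per severity. The host addresses are the lab's; the two embedded scan documents are constructed sample data, not the real scan results.

```python
"""Parse two Nessus (.nessus v2 XML) exports, count findings per host and
severity, rank hosts for remediation and compute the before/after reduction.

Added example for this lab write-up; not part of the original project.
The sample XML built below is constructed and is not a real scan export.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from collections import Counter

# Nessus "severity" attribute on <ReportItem>; 0 (Info) is deliberately skipped.
SEVERITY = {4: "Critical", 3: "High", 2: "Medium", 1: "Low"}


def count_findings(nessus_xml: str) -> dict[str, Counter]:
    """Return {host_name: Counter({'Critical': n, 'High': n, ...})}.

    Informational plugins (severity 0) are ignored so the totals match the
    Critical/High/Medium/Low numbers a report normally quotes.
    """
    root = ET.fromstring(nessus_xml)
    hosts: dict[str, Counter] = {}
    for host in root.iter("ReportHost"):
        counts = hosts.setdefault(host.get("name", "unknown"), Counter())
        for item in host.iter("ReportItem"):
            sev = int(item.get("severity", "0"))
            if sev in SEVERITY:
                counts[SEVERITY[sev]] += 1
    return hosts


def prioritize(hosts: dict[str, Counter]) -> list[str]:
    """Order hosts for remediation: most Critical first, then High, then total."""
    def key(entry):
        name, c = entry
        return (-c["Critical"], -c["High"], -sum(c.values()), name)
    return [name for name, _ in sorted(hosts.items(), key=key)]


def reduction(before: dict[str, Counter], after: dict[str, Counter]) -> dict[str, tuple]:
    """Per-severity (and total) findings before, after and percent reduction."""
    tot_b, tot_a = Counter(), Counter()
    for c in before.values():
        tot_b.update(c)
    for c in after.values():
        tot_a.update(c)
    out = {}
    for sev in list(SEVERITY.values()) + ["Total"]:
        b = sum(tot_b.values()) if sev == "Total" else tot_b[sev]
        a = sum(tot_a.values()) if sev == "Total" else tot_a[sev]
        pct = round(100 * (b - a) / b, 1) if b else 0.0
        out[sev] = (b, a, pct)
    return out


def _sample_scan(findings: dict[str, list[int]]) -> str:
    """Build a minimal constructed .nessus v2 document from {host: [severity, ...]}."""
    hosts = []
    for name, sevs in findings.items():
        items = "".join(
            f'<ReportItem port="445" svc_name="cifs" protocol="tcp" severity="{s}" '
            f'pluginID="{1000 + i}" pluginName="Sample plugin {i}" pluginFamily="Windows"/>'
            for i, s in enumerate(sevs)
        )
        hosts.append(f'<ReportHost name="{name}"><HostProperties/>{items}</ReportHost>')
    return ('<NessusClientData_v2><Report name="lab">'
            + "".join(hosts) + "</Report></NessusClientData_v2>")


# Constructed sample scans (lab addresses, invented findings).
BEFORE = _sample_scan({
    "10.10.1.200": [4, 3, 3, 2, 1, 0],      # DC
    "10.10.1.201": [2, 1, 0],               # CLIENT1
    "10.10.1.202": [4, 4, 3, 2, 2, 1, 0],   # CLIENT2
})
AFTER = _sample_scan({
    "10.10.1.200": [2, 0],
    "10.10.1.201": [1, 0],
    "10.10.1.202": [2, 1, 0],
})


if __name__ == "__main__":
    before, after = count_findings(BEFORE), count_findings(AFTER)
    print("Remediation order:", ", ".join(prioritize(before)))
    for sev, (b, a, pct) in reduction(before, after).items():
        print(f"{sev:<9} {b:>4} -> {a:<4} ({pct}% reduction)")
```

To run this against real exports, replace BEFORE and AFTER with the contents of the .nessus files downloaded from the scanner (Scan > Export > Nessus); the parser only depends on the ReportHost name and the ReportItem severity attributes.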
- VirtualBox
- Windows Server 2016 (DC)
- Windows 10 Pro x2 (CLIENTS)
- Ubuntu Linux (for Nessus local Scan)
- Nessus (local Scan)
- Tenable Cloud
- Gained hands-on experience with vulnerability scanning.
- Learned how to interpret Nessus plugin results and prioritize risks.
- Practiced structured remediation planning and tracking across systems.
- Compared real patching workflows to cloud-based vulnerability platforms like Tenable.