Best Practices for Securing WSUS with SSL


One of the questions that always comes up during the planning phase of a WSUS deployment is how to secure the communication between WSUS and the clients. The general guidelines for this deployment are documented in the article Securing WSUS with the Secure Sockets Layer Protocol, which you should always read first. The goal of this article is to extend that list and highlight additional considerations to take into account while planning this type of deployment.

Additional Considerations while Deploying WSUS with SSL

  • Use an FQDN wherever you refer to the WSUS server, even on an intranet, including in the common name used to create the SSL certificate.
  • Require SSL so that you know your connections are secure.
  • Use a certificate chained to an already known trusted root, issued by a certificate authority that maintains a CRL (in case your certificate becomes compromised).
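
The following PowerShell sketch is an added example, not part of the original article or of any Microsoft tooling. It audits a WSUS URL and its certificate against the list above and also reports on signature algorithm and key length. The function name, host names and thresholds are assumptions, and building the sample certificate in memory needs PowerShell 7 or .NET Framework 4.7.2 or later.

```powershell
# Added example, not from the article. Function name, host names and the
# 2048-bit / SHA-1 / MD5 thresholds are assumptions made for illustration.
function Test-WsusSslConfig {
    param(
        [Parameter(Mandatory)] [string] $WsusUrl,
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [int] $MinRsaBits = 2048
    )
    $findings = @()
    $ip  = $null
    $uri = [uri]$WsusUrl
    if (-not $uri.IsAbsoluteUri) { return "'$WsusUrl' is not an absolute URL" }

    # Require SSL: the URL handed to clients must be https://, not http://
    if ($uri.Scheme -ne 'https') { $findings += "URL scheme is '$($uri.Scheme)', expected https" }

    # Use an FQDN: reject short host names and IP literals
    if ($uri.Host -notmatch '\.' -or [System.Net.IPAddress]::TryParse($uri.Host, [ref]$ip)) {
        $findings += "Host '$($uri.Host)' is not an FQDN"
    }
    # The certificate name (SAN DNS entry, else CN) must be that same FQDN
    $certName = $Certificate.GetNameInfo('DnsName', $false)
    if ($certName -ne $uri.Host) { $findings += "Certificate name '$certName' does not match '$($uri.Host)'" }

    # CA that maintains a CRL: the certificate should carry CRL Distribution Points
    if (-not ($Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' })) {
        $findings += 'No CRL Distribution Points extension (OID 2.5.29.31)'
    }
    # Chained to a known root: a certificate that is its own issuer is not
    if ($Certificate.Subject -eq $Certificate.Issuer) { $findings += 'Certificate is self-signed' }

    # Algorithm and key length (RSA only; other key types are not sized here)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    if ($rsa -and $rsa.KeySize -lt $MinRsaBits) { $findings += "RSA key is $($rsa.KeySize) bits, below $MinRsaBits" }
    $sigAlg = $Certificate.SignatureAlgorithm.FriendlyName
    if ($sigAlg -match 'sha1|md5') { $findings += "Weak signature algorithm: $sigAlg" }
    $findings
}

# Constructed sample input: a throwaway self-signed 1024-bit certificate built in memory
$key  = [System.Security.Cryptography.RSA]::Create(1024)
$req  = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
            'CN=wsus01.corp.example', $key,
            [System.Security.Cryptography.HashAlgorithmName]::SHA256,
            [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$cert = $req.CreateSelfSigned([DateTimeOffset]::Now, [DateTimeOffset]::Now.AddDays(1))

Test-WsusSslConfig -WsusUrl 'http://wsus01:8530' -Certificate $cert
```

An empty result means every check passed. The constructed sample trips all of them except the signature algorithm check.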

Consider the Algorithm and Certificate Key length of the certificate you are using:


  • Nice post. Another thing to point out would be that if you're using firewalls (internal or external to the WSUS server), since EULAs are still downloaded through clear HTTP, you need port 80/8530 open as well. Could be useful to know when putting WSUS in a DMZ and such, as you often limit access through firewalls. Just opening 443\8531 won't cut it.

  • JLCM, Yuri posted an article on WSUS in a DMZ here:
