Security and local publishing

  • Question

  • Hi,

at this time every administrator can publish what he likes to. We have deployed a little application which helps to publish any non-Microsoft update.

    The problem is that everyone who has this tool can publish everything. Security features in the software are useless because everyone already has access to the WSUS API (i.e. some evil software developers working for the firm ;-)).

    Is there any way to restrict access to the API, or is it possible to limit what the WSUS accepts for local publishing?

    It seems that the WSUS uses certificates for local publishing. Is there any way to teach the WSUS to apply only locally published updates that are signed with a special certificate?

    With best regards...

    • Moved by Mathias Schiffer Monday, May 11, 2009 8:48 PM English Language Post (From:Windows Server)
    Thursday, May 7, 2009 1:59 PM


• What applications are you using in conjunction with WSUS to facilitate local publishing?

    First, it's the responsibility of your in-house publishing application to provide its own security. If anybody can obtain/use the application, then anybody can publish updates. That's a pretty simple associative fact.

    Second, since your local publishing requires access to your local application, your first line of defense is the *people* to whom you make this tool available -- however they're getting access -- whether by installing it on their local machine, or directly accessing the WSUS Server Console.

Third, publishing requires access to the Publishing Certificate from the publishing computer. If these users are publishing from their desktops, it's a simple matter of removing the publishing certificate from their local stores. If these users are publishing from the WSUS Server Console -- perhaps the solution is restricting their ability to Log On Locally, or use Remote Desktop.

    Fourth, you can certainly use group policy to restrict access to your in-house application for machines/users where this application is not authorized -- not to mention simply restricting access to the application by not installing it. If this is used in combination with individual logons to the WSUS Server Console (or better yet -- Remote Consoles!), you can effectively limit who can run the application.

    Finally, access to the WSUS Server, basic that it is, is driven by membership in either BUILTIN\Administrators or the "WSUS Administrators" group. If you don't want actual WSUS Administrators to be publishing applications, then the question of access to the server is a simple function of who has access to the application and internal personnel management policies and enforcement -- and, as noted earlier, probably the best solution here is to implement and use Remote Desktops, where these admins do not have access to the publishing application from their desktop machines.

    Lawrence Garvin, M.S., MCITP:EA, MCDBA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2009)
    Friday, June 5, 2009 3:28 PM
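The answer's third and fifth points (who holds a copy of the publishing certificate, and who is in the groups that get WSUS API access) can be checked with a script. The following is an added example, not code from the thread or from Microsoft; it assumes it is run elevated on a Windows machine, that the thumbprint parameter is replaced with your own publishing certificate's thumbprint (the value below is a placeholder), and that the `Microsoft.PowerShell.LocalAccounts` module is available for `Get-LocalGroupMember`. By default it only reports; the `-RemoveFromUserStores` switch applies the mitigation the answer suggests, deleting private-key copies of the certificate from the current user's stores.

```powershell
# Added example (not from the thread): audit where the WSUS local-publishing
# certificate lives on this machine and who can administer WSUS here.
# Assumptions: elevated Windows PowerShell 5.1+; placeholder thumbprint below;
# Get-LocalGroupMember from Microsoft.PowerShell.LocalAccounts.
[CmdletBinding()]
param(
    # Placeholder: replace with the thumbprint of your WSUS publishing certificate.
    [string]$PublishingThumbprint = 'REPLACE_WITH_YOUR_PUBLISHING_CERT_THUMBPRINT',
    # Remove private-key copies from the current user's stores (report-only by default).
    [switch]$RemoveFromUserStores
)

# Stores where a WSUS publishing certificate is typically placed. The public
# part in TrustedPublishers/Root lets clients trust already-published updates;
# only a copy WITH the private key lets a machine sign new packages.
$stores = @(
    'Cert:\LocalMachine\WSUS',
    'Cert:\LocalMachine\My',
    'Cert:\LocalMachine\TrustedPublishers',
    'Cert:\LocalMachine\Root',
    'Cert:\CurrentUser\My',
    'Cert:\CurrentUser\TrustedPublishers'
)

$found = foreach ($store in $stores) {
    if (-not (Test-Path -Path $store)) { continue }   # e.g. no WSUS store on a client
    Get-ChildItem -Path $store |
        Where-Object { $_.Thumbprint -eq $PublishingThumbprint } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                HasPrivateKey = $_.HasPrivateKey   # true = this copy can sign
                NotAfter      = $_.NotAfter
            }
        }
}

if (-not $found) {
    Write-Host "Publishing certificate $PublishingThumbprint not found in any checked store."
} else {
    $found | Format-Table -AutoSize

    $signers = @($found | Where-Object { $_.HasPrivateKey })
    if ($signers.Count -gt 0) {
        Write-Warning "This machine can SIGN locally published updates via: $($signers.Store -join ', ')"

        if ($RemoveFromUserStores) {
            # Mitigation from the answer: take the signing copy out of the user's stores.
            # -DeleteKey also removes the private key material, not just the cert entry.
            $signers | Where-Object { $_.Store -like 'Cert:\CurrentUser\*' } | ForEach-Object {
                Get-ChildItem -Path $_.Store |
                    Where-Object { $_.Thumbprint -eq $PublishingThumbprint } |
                    Remove-Item -DeleteKey -Verbose
            }
        }
    }
}

# Who can reach the WSUS API on this server at all: per the answer, membership
# in BUILTIN\Administrators or the "WSUS Administrators" group.
foreach ($group in 'Administrators', 'WSUS Administrators') {
    Write-Host "`nMembers of local group '$group':"
    try {
        Get-LocalGroupMember -Group $group -ErrorAction Stop |
            Select-Object Name, ObjectClass, PrincipalSource |
            Format-Table -AutoSize
    } catch {
        Write-Host "  (group '$group' not present or not readable: $($_.Exception.Message))"
    }
}
```

Run it on each desktop that has the in-house publishing tool installed as well as on the WSUS server itself: a desktop that reports `HasPrivateKey = True` for the publishing certificate can sign packages regardless of any access control built into the tool, which is the gap the question describes.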