locked
Adding Default Doc's to IIS vFolders RRS feed

  • Question

  • An Audit says that all virtual directories should have an index.html or default document page.  Can I do this in all of the WSUS IIS v-directories and not break things?
    Saturday, July 1, 2017 12:16 AM

Answers

  • Hello,

    Thanks for your attention, but to me it would seem that WSUS's intended use as a sort of web-API of patch clients will not protect it from malicious intent.  I agree it is not a 'normal' web site in that it does not provide human/user functionality, but it is still IIS.  By this I would think it behaves according to IIS rules and is subject to IIS need for hardening. The notion that it isn't intended for users will not exempt it from scrutiny and leaving it unhardened invites compromise.   Leaving it alone is easy, but security is never easy.  Is there no guidance on IIS for WSUS for security?

    Best,
    Michael

    I'm not an IIS expert, nor a security expert, but, how does configuring a default document equate to 'hardening' ?

    There are several mentions of security aspects for WSUS within the WSUS document library here on TechNet Library.

    IIS discussions in general, are mostly done on the dedicated iis.net forums https://www.iis.net/


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Thursday, July 6, 2017 9:15 PM

All replies

  • An Audit says that all virtual directories should have an index.html or default document page.  Can I do this in all of the WSUS IIS v-directories and not break things?

    The 'audit' parameters, are incorrect for webservices intended for machine-to-machine applications. Such concepts (all virtual directories should have an index.html or default document page), is not-applicable for webservices, but it *may* be considered applicable for traditional webpages/websites (those intended for browsing by people).

    Having said that, I don't know if it will 'break things', since it is not something I've ever tried nor ever heard of anyone ever doing.


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Saturday, July 1, 2017 7:43 AM
  • Hi YourPubilc1dentity,

    Agree with DonPick, general we didn't do additional settings for WSUS site in IIS, just leave it as default.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, July 3, 2017 5:33 AM
  • Hello,

    Thanks for your attention, but to me it would seem that WSUS's intended use as a sort of web-API of patch clients will not protect it from malicious intent.  I agree it is not a 'normal' web site in that it does not provide human/user functionality, but it is still IIS.  By this I would think it behaves according to IIS rules and is subject to IIS need for hardening. The notion that it isn't intended for users will not exempt it from scrutiny and leaving it unhardened invites compromise.   Leaving it alone is easy, but security is never easy.  Is there no guidance on IIS for WSUS for security?

    Best,
    Michael

    Thursday, July 6, 2017 4:12 PM
  • Hello,

    Thanks for your attention, but to me it would seem that WSUS's intended use as a sort of web-API of patch clients will not protect it from malicious intent.  I agree it is not a 'normal' web site in that it does not provide human/user functionality, but it is still IIS.  By this I would think it behaves according to IIS rules and is subject to IIS need for hardening. The notion that it isn't intended for users will not exempt it from scrutiny and leaving it unhardened invites compromise.   Leaving it alone is easy, but security is never easy.  Is there no guidance on IIS for WSUS for security?

    Best,
    Michael

    I'm not an IIS expert, nor a security expert, but, how does configuring a default document equate to 'hardening' ?

    There are several mentions of security aspects for WSUS within the WSUS document library here on TechNet Library.

    IIS discussions in general, are mostly done on the dedicated iis.net forums https://www.iis.net/


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Thursday, July 6, 2017 9:15 PM