WSUS vulnerability

Answers

  • Without PKI (setting up a Microsoft CA) to push down the WSUS server cert to all the clients (we have more than 15000 clients).

    What is the best or simplest way to make 15000+ clients trust this certificate?



    You must deploy the relevant certificate to all of your endpoints. Which certificate depends upon your choice of solution implementation. You can use domain group policy to deploy certificates. You can use a script to deploy certificates. If you choose an external certificate, you may choose/find that the relevant root CA cert is already available in the trusted roots store of your endpoints, or that your endpoints may automatically acquire the root CA cert via the certificate automatic-updating mechanisms built into Windows (depends upon the Windows versions and features you are using).

    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Sunday, April 17, 2016 9:09 PM
  • Wondering if it is a worthwhile effort to set up WSUS SSL?

    Is the risk high if our WSUS server is using a private IP and is only accessed within the corporate network?

    http://www.securityweek.com/default-wsus-configuration-puts-organizations-risk-researchers

    Does using the SCCM software update server to push down Windows updates solve this vulnerability, as highlighted in the above link?


    I'm not a security expert, but it seems to me that SSL is (at least slightly) better than no-SSL.

    Software Update Management via ConfigMgr still uses WSUS. ConfigMgr can be implemented with or without SSL.

    If your endpoints/computers never leave the corporate network, then the risk of MITM is significantly reduced.


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Monday, April 18, 2016 9:09 PM
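Added example, not from any poster in this thread: the script route Don mentions in the first answer (push the trust anchor to a client, point the Windows Update agent at the HTTPS URL) followed by the TLS check that shows what the SSL question in the second answer actually buys you. PowerShell, run as administrator on a client. Every specific is an assumption: the WSUS host name wsus.corp.example, the default WSUS SSL port 8531, and the exported certificate at \\fileserver\certs\wsus-root.cer (the issuing CA's root cert for a commercial or enterprise CA cert, or the server cert itself if it is self-signed). The Import-Certificate cmdlet needs the PKI module (Windows 8.1 / Server 2012 R2 and later); the certutil line in the comments is the fallback for older clients.

```powershell
#Requires -RunAsAdministrator
# Added example for this thread, not code from any poster.
# Assumed (hypothetical) values: host wsus.corp.example, port 8531,
# certificate exported to \\fileserver\certs\wsus-root.cer.
param(
    [string]$WsusHost = 'wsus.corp.example',
    [int]   $WsusPort = 8531,
    [string]$CertPath = '\\fileserver\certs\wsus-root.cer'
)

# 1. Trust anchor: the client must be able to build a chain from the server
#    cert to something in LocalMachine\Root. For a CA-issued cert that is the
#    CA root; for a self-signed server cert it is the server cert itself.
function Install-WsusTrustAnchor {
    param([string]$Path)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $thumb = $cert.Thumbprint
    if (Test-Path "Cert:\LocalMachine\Root\$thumb") {
        Write-Verbose "Certificate $thumb is already in Trusted Root"
        return $thumb
    }
    Import-Certificate -FilePath $Path -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    # Clients without the PKI module: certutil.exe -addstore Root $Path
    return $thumb
}

# 2. Client policy: these are the registry values the WSUS GPO
#    ("Specify intranet Microsoft update service location") writes.
#    Warn if the client is currently on plain http://, which is the
#    unauthenticated case the linked article is about.
function Set-WsusClientUrl {
    param([string]$Url)
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    New-Item -Path "$wu\AU" -Force | Out-Null
    $current = (Get-ItemProperty -Path $wu -Name WUServer -ErrorAction SilentlyContinue).WUServer
    if ($current -and $current -like 'http://*') {
        Write-Warning "Client currently points at unauthenticated WSUS URL $current"
    }
    Set-ItemProperty -Path $wu -Name WUServer       -Value $Url
    Set-ItemProperty -Path $wu -Name WUStatusServer -Value $Url
    Set-ItemProperty -Path "$wu\AU" -Name UseWUServer -Value 1 -Type DWord
}

# 3. Verification: open a TLS session the way the update agent would and
#    let .NET validate the chain and host name. AuthenticateAsClient throws
#    AuthenticationException on an untrusted chain or a name mismatch, which
#    is the same failure the agent reports as an HTTPS error in WindowsUpdate.log.
function Test-WsusTls {
    param([string]$HostName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient -ArgumentList $HostName, $Port
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false
    try {
        $ssl.AuthenticateAsClient($HostName)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        [pscustomobject]@{
            Trusted  = $true
            Subject  = $remote.Subject
            Issuer   = $remote.Issuer
            NotAfter = $remote.NotAfter
            Protocol = $ssl.SslProtocol
        }
    } catch [System.Security.Authentication.AuthenticationException] {
        [pscustomobject]@{ Trusted = $false; Error = $_.Exception.Message }
    } finally {
        $ssl.Dispose()
        $tcp.Dispose()
    }
}

$null = Install-WsusTrustAnchor -Path $CertPath
Set-WsusClientUrl -Url "https://${WsusHost}:${WsusPort}"
$result = Test-WsusTls -HostName $WsusHost -Port $WsusPort
$result | Format-List
if (-not $result.Trusted) {
    throw "WSUS TLS validation failed; the update agent will fail the same way"
}
# Kick off a detection cycle: UsoClient on Windows 10, wuauclt on older clients.
if (Get-Command UsoClient.exe -ErrorAction SilentlyContinue) { UsoClient.exe StartScan } else { wuauclt.exe /detectnow }
```

Two caveats a deployment at this size runs into. First, the .cer has to reach the client over a channel you already trust (a signed SMB share, or the GPO route under Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities); copying it over an unauthenticated path just moves the man-in-the-middle problem from the update channel to the certificate drop. Second, for 15000 domain-joined clients the registry values above are better set by the WSUS GPO than by a script; the script's real value is the Test-WsusTls check, which tells you per client whether the chain the server presents is actually trusted before you flip the URL to https://.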

All replies

  • this article (and the comments/discussion) should be helpful:

    http://jackstromberg.com/2013/11/enabling-ssl-on-windows-server-update-services-wsus/


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Sunday, April 17, 2016 7:45 AM
  • Thanks for the article.

    Enabling WSUS SSL would require PKI, as I read from the TechNet link below that the clients need to trust the WSUS server cert.

    https://technet.microsoft.com/en-us/library/hh852346.aspx

    Wondering whether it will work just by using a public SSL cert without PKI?

    Has anyone tested this without PKI?

    Is a public wildcard SSL cert supported?

    Sunday, April 17, 2016 10:23 AM
  • Wondering if using the SCCM software update server, which is linked to the WSUS server, to push down Windows updates will solve the WSUS vulnerability?
    Sunday, April 17, 2016 1:24 PM
  • Hi,

    >>Wondering whether it will work just by using a public SSL cert without PKI?

    Of course, yes.

    A self-signed certificate or a commercial certificate is OK.

    If you want to use a self-signed certificate, then you need to make all of the clients trust this certificate.

    Best Regards,


    Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Sunday, April 17, 2016 2:48 PM
  • Without PKI (setting up a Microsoft CA) to push down the WSUS server cert to all the clients (we have more than 15000 clients).

    What is the best or simplest way to make 15000+ clients trust this certificate?


    • Edited by cs ong2 Sunday, April 17, 2016 4:06 PM
    Sunday, April 17, 2016 4:06 PM
  • Thanks for the article.

    Enabling WSUS SSL would require PKI, as I read from the TechNet link below that the clients need to trust the WSUS server cert.

    https://technet.microsoft.com/en-us/library/hh852346.aspx

    Wondering whether it will work just by using a public SSL cert without PKI?

    Has anyone tested this without PKI?

    Is a public wildcard SSL cert supported?


    Your questions are all answered in the article I linked for you.

    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Sunday, April 17, 2016 9:04 PM
  • Wondering if it is a worthwhile effort to set up WSUS SSL?

    Is the risk high if our WSUS server is using a private IP and is only accessed within the corporate network?

    http://www.securityweek.com/default-wsus-configuration-puts-organizations-risk-researchers

    Does using the SCCM software update server to push down Windows updates solve this vulnerability, as highlighted in the above link?

    Monday, April 18, 2016 2:02 PM