WSUS vulnerability

Question
Hi,
Someone found a vulnerability in the WSUS server. Wondering if this is true; see the link below:
http://www.securityweek.com/default-wsus-configuration-puts-organizations-risk-researchers
Any way to mitigate this vulnerability?
Setting up WSUS SSL requires PKI, correct? Can we set up WSUS SSL without PKI, using a normal public SSL cert or wildcard cert?
Sunday, April 17, 2016 4:11 AM
All replies
This article (and the comments/discussion) should be helpful:
http://jackstromberg.com/2013/11/enabling-ssl-on-windows-server-update-services-wsus/
Don [doesn't work for MSFT, and they're probably glad about that ;]
Sunday, April 17, 2016 7:45 AM
Thanks for the article.
Enabling WSUS SSL would require PKI, as I read from the TechNet link below that the client needs to trust the WSUS server cert.
https://technet.microsoft.com/en-us/library/hh852346.aspx
Wondering, will it work just by using a public SSL cert without PKI?
Has anyone tested this without PKI?
Is a public wildcard SSL cert supported?
Sunday, April 17, 2016 10:23 AM
Wondering if using the SCCM software update server, which is linked to the WSUS server, to push down Windows updates will solve the WSUS vulnerability?
Sunday, April 17, 2016 1:24 PM
Hi,
>>Wondering will it work just by using public SSL cert without PKI ?
Of course, yes.
A self-signed certificate or commercial certificate is OK.
If you want to use a self-signed certificate, then you need to make all of the clients trust this certificate.
Best Regards,
Steven Lee
Sunday, April 17, 2016 2:48 PM
Without PKI (setting up a Microsoft CA) to push down the WSUS server cert to all the clients (we have more than 15000 clients).
What is the best or simple way to make 15000+ clients trust this certificate?
- Edited by cs ong2 Sunday, April 17, 2016 4:06 PM
Sunday, April 17, 2016 4:06 PM
>>Thanks for the article.
>>Enabling WSUS SSL would require PKI, as I read from the TechNet link below that the client needs to trust the WSUS server cert.
>>https://technet.microsoft.com/en-us/library/hh852346.aspx
>>Wondering, will it work just by using a public SSL cert without PKI?
>>Has anyone tested this without PKI?
>>Is a public wildcard SSL cert supported?
Your questions are all answered in the article I linked for you.
Don [doesn't work for MSFT, and they're probably glad about that ;]
Sunday, April 17, 2016 9:04 PM
>>Without PKI (setting up a Microsoft CA) to push down the WSUS server cert to all the clients (we have more than 15000 clients).
>>What is the best or simple way to make 15000+ clients trust this certificate?
You must deploy the relevant certificate to all of your endpoints. Which certificate depends upon your choice of solution implementation. You can use domain group policy to deploy certificates. You can use a script to deploy certificates. If you choose an external certificate, you may choose/find that the relevant root CA cert is already available in the trusted roots store of your endpoints, or that your endpoints may automatically acquire the root CA cert via certificate automatic-updating mechanisms built in to Windows (depends upon the Windows versions and features you are using).
Don [doesn't work for MSFT, and they're probably glad about that ;]
- Proposed as answer by Steven_Lee0510 Monday, May 9, 2016 8:50 AM
- Marked as answer by Steven_Lee0510 Monday, May 9, 2016 4:04 PM
Sunday, April 17, 2016 9:09 PM
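One way to do the script route mentioned in the answer above, as an added example that is not part of any poster's reply: it imports the root (or self-signed) certificate into the machine trust store, then checks that the client's WSUS policy URLs use HTTPS and validate against that store. The certificate path is a placeholder; the script assumes it runs elevated and that the WSUS URLs are set by the standard Windows Update policy key.

```powershell
# Added example: trust the WSUS certificate's issuer, then verify the client's WSUS policy.
# $RootCertPath is a placeholder; point it at the CA (or self-signed) certificate you distribute.
param([string]$RootCertPath = '\\fileserver.example.local\certs\wsus-root.cer')

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Test-WsusTls {
    param([Parameter(Mandatory)][uri]$Url)
    # SslStream with no custom callback applies the normal Windows chain and
    # host-name checks, so this succeeds only if the client already trusts the cert.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Url.Host, $Url.Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        try { $ssl.AuthenticateAsClient($Url.Host); return $true }
        catch { Write-Warning "TLS validation failed for $Url : $($_.Exception.Message)"; return $false }
        finally { $ssl.Dispose() }
    }
    catch { Write-Warning "Cannot connect to $Url : $($_.Exception.Message)"; return $false }
    finally { $tcp.Close() }
}

# 1. Import the certificate into the machine's Trusted Root store (requires elevation).
if (Test-Path $RootCertPath) {
    Import-Certificate -FilePath $RootCertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
}

# 2. Read the WSUS URLs set by policy and check each one.
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
foreach ($name in 'WUServer', 'WUStatusServer') {
    $value = $policy.$name
    if (-not $value) { Write-Warning "$name is not set by policy"; continue }
    $url = [uri]$value
    if ($url.Scheme -ne 'https') {
        Write-Warning "$name = $value uses plain HTTP (no protection against MITM)"
    } elseif (Test-WsusTls -Url $url) {
        Write-Output "$name = $value : HTTPS and certificate trusted"
    }
}
```

With a certificate from a public CA whose root is already in the clients' trusted roots, step 1 can be skipped and step 2 still confirms that the chain and host name validate.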
Wondering if it is a worthwhile effort to set up WSUS SSL?
Is the risk high if our WSUS server is using a private IP and is only accessed within the corporate network?
http://www.securityweek.com/default-wsus-configuration-puts-organizations-risk-researchers
Does using the SCCM software update server to push down Windows updates solve this vulnerability as highlighted in the above link?
Monday, April 18, 2016 2:02 PM
>>Wondering if it is a worthwhile effort to set up WSUS SSL?
>>Is the risk high if our WSUS server is using a private IP and is only accessed within the corporate network?
>>http://www.securityweek.com/default-wsus-configuration-puts-organizations-risk-researchers
>>Does using the SCCM software update server to push down Windows updates solve this vulnerability as highlighted in the above link?
I'm not a security expert, but it seems to me that SSL is (at least slightly) better than no-SSL.
Software Update Management via ConfigMgr still uses WSUS. ConfigMgr can be implemented with or without SSL.
If your endpoints/computers never leave the corporate network, then the risk of MITM is significantly reduced.
Don [doesn't work for MSFT, and they're probably glad about that ;]
- Proposed as answer by Steven_Lee0510 Monday, May 9, 2016 8:50 AM
- Marked as answer by Steven_Lee0510 Monday, May 9, 2016 4:04 PM
Monday, April 18, 2016 9:09 PM