Secure Your WSUS Deployment RRS feed

  • General discussion

  • Dear All,

    I was trying to secure my WSUS server. This WSUS was installed in Server 2012R2.

    just to check does the following link apply to Server 2012 R2 as well? I did a search there little post or result can be found in Server 2012 R2. Appreciate that anyone can guide or alighting me in this issue.

    https://technet.microsoft.com/en-us/library/cc708550(v=ws.10).asp x

    Thank & regards


    Tuesday, June 23, 2015 2:31 PM

All replies

  • that's pointing to wsus 2.0 which is quite old. while I don't think much has changed, I would go with this if you have 2012 R2:


    Tuesday, June 23, 2015 2:52 PM
  • Hi Armin19,

    Thank you for the link. Just the check is that the only method to hardening the WSUS? Is there any link or guide that have a full process to better hardening the wsus for security purpose. Other then the IIS change to hostname and etc. Looking forward to your reply

    Thank & regards



    Friday, June 26, 2015 1:20 AM
  • as far as I know, implementing SSL certificates in WSUS is really the main security focus of the product and that's done through IIS.

    the rest of the security options are really outside of WSUS and depend on the infrastructure that's in front of the WSUS server, such as using proxy servers when WSUS goes out to the internet to retrieve updates - this is the most high risk portion of WSUS communication which requires protection so a proxy would definitely help.

    same goes for protecting the database, if you're following best practices for SQL then you will have the database protected for WSUS, eg. not using SQL/mixed authentication and leveraging Windows authentication exclusively

    you can always put WSUS behind IPsec implementations and use Microsoft NAP/NPS to really lock it down and again, these are all done beyond WSUS itself and more on the server level

    the SSL implementation mentioned in the article above is really to provide a more secure means for the wsus clients communicating with the wsus server so it does nothing in protecting the server going out to the internet to retrieve updates from Microsoft - it's a bit redundant if all your clients are located in the same site and domain as the SSL option does add some performance overhead but if you want to be safe you can implement it

    Tuesday, June 30, 2015 1:28 PM
  • Dear armin19,

    Thank you for the reply and inside about the hardening details. Just do check do you this still comply in Server 2012R2?


    Thank & regards


    Tuesday, June 30, 2015 4:21 PM
  • I can't seem to find the document for 2012 R2 but WSUS has not really changed much since v3.0 SP2 so I think it would still apply
    Tuesday, June 30, 2015 5:07 PM
  • Dear armin19,

    I adpoted the step on the secure and seem like does not work in 2012R2

    Enable general IIS error messages

    1. On the Start menu, point to Programs, point to Administrator

    Tools, and then click Internet Information Services Manager.

    2.Expand the local computer node.

    3.Right-click Web Sites, then click Properties.

    4.On the Home Directory tab, click Configuration.

    5. On the Debugging tab, under Error messages for script errors, click Send the following text error message to client, where the error message reads "An error occurred on the server when processing the URL. Please contact the system administrator."

    Result: Unable to set the re-drect to customer error page

    Remove header extensions

    1. On the Start menu, point to Programs, point to Administrator Tools, and then click Internet Information Services Manager.

    2. Expand the local computer node.

    3. Right-click Web Sites, then click Properties.

    4. On the HTTP Headers tab, select the X-Powered-By: ASP.NET check box, then click Remove.

    Result: Able to include headers, unsure about header extensions

    Able to advise on these??

    Thank & regards



    • Edited by Melvin_C Friday, July 3, 2015 4:16 AM
    Friday, July 3, 2015 4:08 AM
  • I haven't had to implement this in 2012 but following this article it looks like you can skip some of the steps in the 2008 documentation:


    Friday, July 3, 2015 1:44 PM