<div>
<div class="content wysiwyg-content">
I know it's not best practice to install WSUS on a DC, and I've read conflicting opinions on the subject ranging from it's fine to don't do it.<br />
<br />
Here's my question. &nbsp;When installing WSUS you need to install IIS. &nbsp;Is that the main reason it's ill-advised to run WSUS on a DC? &nbsp;If so, since it's not a public facing web server, does that decrease your vulnerability? &nbsp;I realize that IIS can increase your attack surface, but wouldn't that be mostly for public facing web servers? &nbsp;Where they would then be connecting to the box and could compromise your security database?<br />
<br />
I'm just trying to dig a bit deeper into the topic. &nbsp;Thanks in advance for your thoughts.
</div>
</div>


I know it's not best practice to install WSUS on a DC, and I've read conflicting opinions on the subject ranging from it's fine to don't do it.

Here's my question.  When installing WSUS you need to install IIS.  Is that the main reason it's ill-advised to run WSUS on a DC?  If so, since it's not a public facing web server, does that decrease your vulnerability?  I realize that IIS can increase your attack surface, but wouldn't that be mostly for public facing web servers?  Where they would then be connecting to the box and could compromise your security database?

I'm just trying to dig a bit deeper into the topic.  Thanks in advance for your thoughts.

WSUS on a DC

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.

Active Directory

IIS is Internet Information Services, the web server included with Windows Server operating systems. All current versions are built on a modular architecture; modules can be added or removed individually so that those required for specific functionality are installed. The full installation of IIS includes HTTP, security, content, compression, caching, logging and diagnostics.

Microsoft IIS Web Server

The Microsoft Server topic includes all of the legacy versions of the operating system, including the Windows NT 3.1, NT 3.5, NT 4.0 and Windows 2000 and Windows Home Server versions.