Solved

WSUS (Windows Server Update Services) SSL discussion

Posted on 2014-01-28
Last Modified: 2014-01-31
I have an internal implementation of WSUS 3.0 SP2 and it is working great for my internal users. I would like to allow my full-time remote users to benefit from this so that I can manage MS patches going to them. I know what I need to change in GPOs and firewall configuration to allow this. My question is, why would I want to configure SSL for the user laptops (clients) to connect to my WSUS server? What data am I worried about securing and why not just use non-SSL for that connection? Secondary question, if I do set up SSL are there any known issues or specific configuration changes to allow the use of a wildcard certificate from a trusted SSL cert authority?
Question by:clm000

Expert Comment

by:arnold
ID: 39817565
You should set up a separate instance for the remote users that will be a replica of the existing WSUS server but will direct the remote clients to retrieve the approved updates from Microsoft rather than from your WSUS server. No reason to have remote systems consume your bandwidth unnecessarily.

The difficulty lies in configuring remote clients.

Author Comment

by:clm000
ID: 39821655
Thank you, that is helpful and confirms what I just figured out. I would still like to understand why I need SSL on the connections between the clients and my (dedicated for remote users) WSUS server to approve updates. What data is passed through that connection that I need to be concerned about securing?

Accepted Solution

by:arnold
ID: 39821698
You do not have to use SSL. It is recommended. Each system transmits specific information to it as well as gets what updates it needs. Capturing this information could provide an attacker information about an attack vector to which this system is susceptible.
I.e., systemA checks in and gets info that it needs KB123456, which is a TCP/IP stack fix dealing with a stack overflow attack, i.e. a ping of a particular size with a specific payload will grant the attacker a foothold. While this system is of little consequence (workstation), it has access to the entire network and could be used to attack more sensitive systems (the network is using a flat design, every system on the same segment). VLAN, firewalled systems are more complex, dealing with step-by-step attacks via existing access points.
workstation to serverA via service1
                   to serverA via another service
etc.

Using SSL would enable you to limit the systems that can query this WSUS.

If the users connect via VPN, there is no external exposure of the WSUS and SSL is a lu
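
An added example (not part of the original thread): a PowerShell check to run on a client to see whether its WSUS policy URLs use http or https, which decides whether the "what updates it needs" exchange described above is readable on the network path. It reads the standard Windows Update policy values WUServer, WUStatusServer and UseWUServer; the function names and the wsus.example.internal host are hypothetical.

```powershell
# Added example: classify the transport a Windows Update client uses to reach WSUS.
# WSUS applies SSL to metadata and reporting only; update files still travel
# over HTTP and are verified by their signature and hash.

function Test-WsusUrl {
    param([Parameter(Mandatory)][string]$Name, [string]$Url)
    $r = [pscustomobject]@{ Setting = $Name; Url = $Url; Scheme = $null; Port = $null; Finding = $null }
    if ([string]::IsNullOrWhiteSpace($Url)) { $r.Finding = 'Not configured'; return $r }
    $uri = $null
    if (-not [Uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$uri)) {
        $r.Finding = 'Not a valid absolute URL'; return $r
    }
    $r.Scheme = $uri.Scheme
    $r.Port   = $uri.Port
    $r.Finding = switch ($uri.Scheme) {
        'https' { 'TLS: needed-update metadata and status reports are encrypted' }
        'http'  { 'Cleartext: needed-update metadata and status reports are readable in transit' }
        default { "Unexpected scheme '$($uri.Scheme)'" }
    }
    return $r
}

function Get-WsusClientTransport {
    # Policy location written by the "Specify intranet Microsoft update service location" GPO setting.
    $wuKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $policy = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au     = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue
    if (-not $policy) {
        Write-Warning 'No Windows Update policy key found; this client is not pointed at WSUS by policy.'
        return
    }
    if ($au.UseWUServer -ne 1) {
        Write-Warning 'UseWUServer is not 1; the WUServer value is present but not in effect.'
    }
    Test-WsusUrl -Name 'WUServer'       -Url $policy.WUServer
    Test-WsusUrl -Name 'WUStatusServer' -Url $policy.WUStatusServer
}

# Constructed sample values (hypothetical host; 8530/8531 are the WSUS custom-site default ports).
Test-WsusUrl -Name 'sample-http'  -Url 'http://wsus.example.internal:8530'
Test-WsusUrl -Name 'sample-https' -Url 'https://wsus.example.internal:8531'

# Live check against this machine's policy.
Get-WsusClientTransport
```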

Author Closing Comment

by:clm000
ID: 39824832
Thanks for both your responses, they were very helpful