Solved

WSUS (Windows Server Update Services) SSL discussion

Posted on 2014-01-28
Last Modified: 2014-01-31
I have an internal implementation of WSUS 3.0 SP2 and it is working great for my internal users. I would like to allow my full-time remote users to benefit from this so that I can manage MS patches going to them. I know what I need to change in GPOs and firewall configuration to allow this. My question is, why would I want to configure SSL for the user laptops (clients) to connect to my WSUS server? What data am I worried about securing and why not just use non-SSL for that connection? Secondary question: if I do set up SSL, are there any known issues or specific configuration changes to allow the use of a wildcard certificate from a trusted SSL cert authority?
Question by:clm000
4 Comments
 
LVL 77

Expert Comment

by:arnold
ID: 39817565
You should set up a separate instance for the remote users that will be a replica of the existing WSUS server but will direct the remote clients to retrieve the approved updates from Microsoft rather than from your WSUS server. No reason to have remote systems consume your bandwidth unnecessarily.

The difficulty lies in configuring remote clients.
0
 
LVL 1

Author Comment

by:clm000
ID: 39821655
Thank you, that is helpful and confirms what I just figured out. I would still like to understand why I need SSL on the connections between the clients and my (dedicated for remote users) WSUS server to approve updates. What data is passed through that connection that I need to be concerned about securing?
0
 
LVL 77

Accepted Solution

by:
arnold earned 250 total points
ID: 39821698
You do not have to use SSL. It is recommended. Each system transmits specific information to it as well as gets what updates it needs. Capturing this information could provide an attacker information about an attack vector to which this system is susceptible.
I.e. systemA checks in and gets info that it needs KB123456 that is a TCP/IP stack dealing with stack overflow attack, i.e. a ping of a particular size with a specific payload will grant the attacker a foothold. While this system is of little consequence (workstation), it has access to the entire network and could be used to attack more sensitive systems (network is using flat design, every system on the same segment). VLAN, firewalled systems are more complex, dealing with step-by-step attacks via existing access points.
workstation to serverA via service1
                   to serverA via another service
etc.

Using SSL would enable you to limit the systems that can query this WSUS.

If the users connect via VPN, there is no external exposure of the WSUS and SSL is a lu
0
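A defender-side check for the point made in the accepted answer, as an added example that is not part of the original thread: this PowerShell reads the Windows Update client policy on a laptop and flags a WSUS URL that is not HTTPS. The function names and the host `wsus.example.internal` are assumptions made for illustration; the registry paths are the standard Windows Update policy keys.

```powershell
# Added example: audit the Windows Update client policy for a plain-HTTP WSUS URL.
# Function names and the sample host are hypothetical.

function Test-WsusUrl {
    param(
        [Parameter(Mandatory)][string]$Name,
        [AllowEmptyString()][string]$Url
    )
    $result = [ordered]@{ Setting = $Name; Url = $Url; Status = 'OK'; Detail = '' }
    $uri = $null
    if ([string]::IsNullOrWhiteSpace($Url)) {
        $result.Status = 'Missing'
        $result.Detail = 'value not set'
    } elseif (-not [Uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$uri)) {
        $result.Status = 'Invalid'
        $result.Detail = 'not an absolute URL'
    } elseif ($uri.Scheme -ne 'https') {
        # This is the case the answer describes: check-in data can be captured.
        $result.Status = 'Cleartext'
        $result.Detail = 'update scan and reporting traffic is readable in transit'
    }
    [pscustomobject]$result
}

function Get-WsusClientPolicyAudit {
    $wu     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $policy = Get-ItemProperty -Path $wu -ErrorAction SilentlyContinue
    $au     = Get-ItemProperty -Path "$wu\AU" -ErrorAction SilentlyContinue
    # UseWUServer = 1 means the client is told to use the configured WSUS server.
    if (-not $policy -or $au.UseWUServer -ne 1) {
        Write-Warning 'No WSUS policy applied; client uses Microsoft Update directly.'
        return
    }
    Test-WsusUrl -Name 'WUServer'       -Url $policy.WUServer
    Test-WsusUrl -Name 'WUStatusServer' -Url $policy.WUStatusServer
}

# Constructed sample values (placeholder host), runnable on any machine:
Test-WsusUrl -Name 'WUServer'       -Url 'http://wsus.example.internal:8530'
Test-WsusUrl -Name 'WUStatusServer' -Url 'https://wsus.example.internal:8531'

# On a managed client, audit the policy actually applied:
Get-WsusClientPolicyAudit
```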
 
LVL 1

Author Closing Comment

by:clm000
ID: 39824832
Thanks for both your responses, they were very helpful
0
