• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 777
  • Last Modified:

WSUS (Windows Server Update Services) SSL discussion

I have an internal implementation of WSUS 3.0 SP2 and it is working great for my internal users.  I would like to allow my full time remote users to benefit from this so that I can manage MS patches going to them.  I know what I need to change in GPO's and firewall configuration to allow this.  My question is, why would I want to configure SSL for the user laptops (clients) to connect to my WSUS server?  What data am I worried about securing and why not just use non-SSL for that connection?  Secondary question, if I do setup SSL are there any know issues or specific configuration changes to allow the use of a wildcard certificate from a trusted SSL cert authority?
0
clm000
Asked:
clm000
  • 2
  • 2
1 Solution
 
arnoldCommented:
You should setup a separate instance for the remote users that will be a replica of the existing WSUS server but will direct the remote clients to retrieve the approved updates from microsoft rather than from your WSUS server. No reason to have remote system consume your bandwidth unnecessarily.

The difficulty lies in configuring remote clients.
0
 
clm000Author Commented:
Thank you , that is helpful and confirms what I just figured out.  I would still like to understand why I need SSL on the connections between the clients and my (dedicated for remote users) WSUS server to approve updates.  What data is passed through that connection that I need to be concerned about securing?
0
 
arnoldCommented:
You do not have to use SSL.  It is recommended. Each system transmits specific information to it as well as gets what updates it needs.  Capturing this information could provide an attacker information about an attack vector to which this system is susceptible.
I.e. systemA checks in and gets info that it needs KB123456 that is a TCP/IP stack dealing with stack overflow attack.  i.e. a ping of a particular size with a specific payload, will grant the attacker a foot hold.  While this system is of little consequence (workstation) it has access to the entire network and could be used to attack more sensitive systems (network is using flat design every system on the same segment). VLAN, firewalled systems are more complex dealing with step by step attacks via existing access points.
workstation to serverA via service1
                   to serverA via another service
etc.

Using SSL would enable you to limit the systems that can query this WSUS.

IF the users connect via VPN, there is no external exposure of the WSUS an SSL is a lu
0
 
clm000Author Commented:
Thanks for both your responses, they were very helpful
0

Featured Post

[Webinar On Demand] Database Backup and Recovery

Does your company store data on premises, off site, in the cloud, or a combination of these? If you answered “yes”, you need a data backup recovery plan that fits each and every platform. Watch now as as Percona teaches us how to build agile data backup recovery plan.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now