Solved

WSUS (Windows Server Update Services) SSL discussion

Posted on 2014-01-28
4
646 Views
Last Modified: 2014-01-31
I have an internal implementation of WSUS 3.0 SP2 and it is working great for my internal users.  I would like to allow my full time remote users to benefit from this so that I can manage MS patches going to them.  I know what I need to change in GPO's and firewall configuration to allow this.  My question is, why would I want to configure SSL for the user laptops (clients) to connect to my WSUS server?  What data am I worried about securing and why not just use non-SSL for that connection?  Secondary question, if I do setup SSL are there any know issues or specific configuration changes to allow the use of a wildcard certificate from a trusted SSL cert authority?
0
Comment
Question by:clm000
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 78

Expert Comment

by:arnold
ID: 39817565
You should setup a separate instance for the remote users that will be a replica of the existing WSUS server but will direct the remote clients to retrieve the approved updates from microsoft rather than from your WSUS server. No reason to have remote system consume your bandwidth unnecessarily.

The difficulty lies in configuring remote clients.
0
 
LVL 1

Author Comment

by:clm000
ID: 39821655
Thank you , that is helpful and confirms what I just figured out.  I would still like to understand why I need SSL on the connections between the clients and my (dedicated for remote users) WSUS server to approve updates.  What data is passed through that connection that I need to be concerned about securing?
0
 
LVL 78

Accepted Solution

by:
arnold earned 250 total points
ID: 39821698
You do not have to use SSL.  It is recommended. Each system transmits specific information to it as well as gets what updates it needs.  Capturing this information could provide an attacker information about an attack vector to which this system is susceptible.
I.e. systemA checks in and gets info that it needs KB123456 that is a TCP/IP stack dealing with stack overflow attack.  i.e. a ping of a particular size with a specific payload, will grant the attacker a foot hold.  While this system is of little consequence (workstation) it has access to the entire network and could be used to attack more sensitive systems (network is using flat design every system on the same segment). VLAN, firewalled systems are more complex dealing with step by step attacks via existing access points.
workstation to serverA via service1
                   to serverA via another service
etc.

Using SSL would enable you to limit the systems that can query this WSUS.

IF the users connect via VPN, there is no external exposure of the WSUS an SSL is a lu
0
 
LVL 1

Author Closing Comment

by:clm000
ID: 39824832
Thanks for both your responses, they were very helpful
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Back in July, I blogged about how Microsoft's new server pricing model, combined with the end of the Small Business Server package, would result in significant cost increases for many small businesses (see SBS End of Life: Microsoft Punishes Small B…
This is a fairly complicated script that will install the required prerequisites to install SCCM 2012 R2 on a server.  It was designed under the functional model in order to compartmentalize each step required, reducing the overall complexity.  The …
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below. https://filedb.experts-exchange.com/incoming/2017/03_w12/1151775/Permutations.txt https://filedb.experts-exchange.com/incoming/201…
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question