Security best practices for Windows Server Update Services (WSUS) (2024)

To help provide additional protection from potential malware attacks, Microsoft recommends using HTTPS with Windows Server Update Services (WSUS).

In this post, we will walk you through the steps required to configure each of your WSUS servers to use HTTPS. We will then share details on how to obtain and bind the necessary certificate, enforce Secure Sockets Layer (SSL)/Transport Layer Security (TLS) encryption, and configure WSUS to use HTTPS. From there, we will discuss how to configure clients to use HTTPS and how to configure WSUS to use HTTPS for synchronization for downstream servers only. We will conclude with a recommended configuration order. These steps are critical in keeping the clients within your organization more secure and we hope you will find this post helpful.

At a time when malware attacks are on the rise across industries, configuring WSUS with HTTPS may further reduce the ability of a potential attacker to remotely compromise a client and elevate privileges. To ensure that the best security protocols are in place, we recommend that you use the SSL/TLS protocol to help secure your WSUS infrastructure. Windows Server Update Services uses SSL/TLS to authenticate client computers and downstream WSUS servers to the upstream WSUS server. WSUS also uses SSL/TLS to encrypt update metadata.

Configuring WSUS to use HTTPS

Note: Securing your server with TLS may result in a slight loss in performance.

To configure WSUS to use HTTPS, you will need to:

  1. Obtain a certificate.
  2. Bind the certificate.
  3. Enforce SSL/TLS encryption (require SSL) on the following applications:
    1. ApiRemoting30
    2. ClientWebService
    3. DSSAuthWebService
    4. ServerSyncWebService
    5. SimpleAuthWebService
  4. Configure WSUS to use HTTPS using the wsusutil configuressl command.
  5. Configure clients to use HTTPS communications with WSUS, and specify the intranet Microsoft update service location.

If you have downstream WSUS servers, you will need to complete an additional step: configure each downstream server to use HTTPS when synchronizing from its upstream server (see Configure WSUS to use HTTPS for synchronization below, which enables the option Use SSL when synchronizing update information).

Important: Follow the WSUS best practices for disabling recycling and configuring memory limits prior to configuring WSUS to use HTTPS.

Obtain a certificate

There are a few methods available to obtain a certificate for use with Internet Information Services (IIS). For example, you can create a certificate request and send that request to a known certificate authority (CA), such as Verisign or GeoTrust, or obtain a certificate from an online CA in your intranet domain. If you are using an online CA in your intranet domain, you can follow the steps below to create the required certificate.

  1. Log on to the WSUS server using a user account that is a member of the local Administrators group.

    NOTE: By default, the WebServer certificate template will only issue to Domain Admins. If the user logging in is not a domain admin, their user account will need to be granted the Enroll permission on the WebServer certificate template.

  2. Launch Internet Information Services (IIS) Manager.
  3. Click on your server and then launch Server Certificates.
  4. In the Actions pane, select Create Domain Certificate.
  5. Fill in the Distinguished Name Properties and select Next. The Common name value must be the FQDN of the WSUS server.
  6. On the Online Certification Authority page, select your CA and enter a friendly name for the certificate and select Finish.

Bind the certificate

  1. In Internet Information Services (IIS) Manager expand your server, expand Sites, and select WSUS Administration.
  2. In the Actions pane, select Bindings.
  3. Select the SSL binding and click Edit.
  4. In the drop-down for SSL certificate, select the appropriate SSL certificate and click OK.
  5. Select Close on the Site Bindings dialog box.

Enforce SSL/TLS encryption

  1. In Internet Information Services (IIS) Manager expand your server, expand Sites, and expand WSUS Administration.
  2. Select the application ApiRemoting30 and launch SSL Settings.
  3. Check Require SSL and then click Apply.
  4. Repeat the same steps for the other applications noted above.

Configure WSUS to use HTTPS

  1. Launch an elevated command prompt on the WSUS server.
  2. Navigate to your WSUS installation folder, e.g. cd "C:\Program Files\Update Services\Tools".
  3. Execute the following command, replacing FQDNofWSUSServer with the server's fully qualified domain name (it must match the Common name of the certificate you bound):
    WSUSUtil.exe configuressl FQDNofWSUSServer
  4. Restart the WSUS server to make sure all changes take effect.
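The bind, require-SSL and configuressl steps above, scripted for one server as an added example (this is not code from the original post). It assumes the WSUS Administration site already exists in IIS, that the domain certificate was issued to the server's FQDN into the LocalMachine\My store, and that HTTPS uses the WSUS default port 8531.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell
# session on the WSUS server after the certificate has been issued.
Import-Module WebAdministration

$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # assumption: matches cert CN
$site = 'WSUS Administration'
$port = 8531                                                         # assumption: WSUS default HTTPS port

# Step "Bind the certificate": pick the newest unexpired cert issued to this FQDN.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$fqdn" -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$fqdn found in LocalMachine\My" }

# Make sure the site has an HTTPS binding on $port, then attach the certificate to it.
if (-not (Get-WebBinding -Name $site -Protocol https -Port $port)) {
    New-WebBinding -Name $site -Protocol https -Port $port -IPAddress '*'
}
$sslBinding = "IIS:\SslBindings\0.0.0.0!$port"
if (Test-Path $sslBinding) { Remove-Item $sslBinding }     # replace any previously bound cert
$cert | New-Item $sslBinding | Out-Null

# Step "Enforce SSL/TLS encryption": Require SSL on exactly the five applications listed.
$apps = 'ApiRemoting30', 'ClientWebService', 'DSSAuthWebService',
        'ServerSyncWebService', 'SimpleAuthWebService'
foreach ($app in $apps) {
    Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site\$app" `
        -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
    Write-Host "Require SSL enabled on $app"
}

# Step "Configure WSUS to use HTTPS": same command the post gives, with the FQDN filled in.
& "$env:ProgramFiles\Update Services\Tools\WsusUtil.exe" configuressl $fqdn

# The post recommends restarting the WSUS server afterwards so all changes take effect.
Write-Host "Done. Restart the server, then verify https://$fqdn`:$port/ClientWebService/client.asmx answers."
```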

Configure clients to use HTTPS

To configure clients to require HTTPS communication to the WSUS server, simply update the domain Group Policy Object (GPO) or the Configuration Service Provider (CSP) policy used to configure WSUS to leverage HTTPS and the desired port.

  • For those using Group Policy, configure the Specify intranet Microsoft update service location policy values Set the intranet update service for detecting updates and Set the intranet statistics server to point to your desired port (for example, HTTPS://servername:8531). See To enable WSUS through a domain GPO for more info.
  • For those using a mobile device management (MDM) tool with CSPs, configure the Update/UpdateServiceUrl policy to point to your desired port (for example, HTTPS://servername:8531).
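Whichever mechanism delivers the policy, the effective values land in the client's WindowsUpdate policy registry key. The following added example (not from the original post) reads them on a client, checks that both URLs use HTTPS, and performs a TLS handshake against the WSUS server to confirm the certificate chain and host name validate from that client; it assumes the policy has already been applied (run gpupdate or an MDM sync first).

```powershell
# Added example, not part of the original post: verify a client's WSUS policy and TLS trust.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wu = Get-ItemProperty -Path $policy -ErrorAction Stop
$au = Get-ItemProperty -Path "$policy\AU" -ErrorAction Stop

if ($au.UseWUServer -ne 1) { throw "UseWUServer is not 1; the client is not using the intranet WSUS server" }

# Both policy URLs (detection server and statistics server) must be https://.
foreach ($name in 'WUServer', 'WUStatusServer') {
    $url = [Uri]$wu.$name
    if ($url.Scheme -ne 'https') { throw "$name is '$($wu.$name)' - expected an https:// URL" }
    Write-Host "$name -> $url (port $($url.Port))"
}

# TLS handshake with the WSUS server. AuthenticateAsClient validates the chain
# and the host name with the OS defaults, so an untrusted CA or a CN mismatch
# (the failure mode of a wrongly issued certificate) surfaces here as an exception.
$server = [Uri]$wu.WUServer
$tcp = New-Object System.Net.Sockets.TcpClient($server.Host, $server.Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($server.Host)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    Write-Host ("TLS {0} OK; subject={1}; issuer={2}; expires={3}" -f `
        $ssl.SslProtocol, $cert.Subject, $cert.Issuer, $cert.NotAfter)
}
finally {
    $tcp.Close()
}
```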

Configure WSUS to use HTTPS for synchronization (Downstream servers only)

  1. Log on to the WSUS server using a user account that is a member of the local Administrators group or the WSUS Administrators group.
  2. Launch Windows Server Update Services.
  3. In the right pane, expand the server name.
  4. Select Options, and then select Update Source and Proxy Server.
  5. On the Update Source tab, under Synchronize from another Windows Server Update Services server, type the port number that the server uses for SSL connections into the Port number text box.
  6. Select Use SSL when synchronizing update information and then select OK.

Configuration order

Because every WSUS server must be configured to use the SSL/TLS protocol, the order in which the steps are performed will depend on your environment. If you have a simple infrastructure where the required steps can be performed on all WSUS servers within a single timeframe, then a top-down approach can be used. However, if you have a large infrastructure that will require a phased approach, then a bottom-up approach should be used.

Example 1: Environment with a small number of WSUS Servers

In this example, it is assumed that all WSUS servers can be configured within a single timeframe. In this case, the upstream WSUS server can be configured first using the steps above. Any downstream WSUS servers can then be configured using the steps above in addition to setting the WSUS option to Use SSL when synchronizing update information.

Example 2: Environment with many WSUS Servers

In this example, it is assumed that a phased approach will be required to configure all WSUS servers. In this case, a bottom-up approach should be leveraged. All downstream WSUS servers should be configured for HTTPS before their upstream WSUS server is configured to use HTTPS. After their upstream WSUS server is configured to use HTTPS, the WSUS setting Use SSL when synchronizing update information on each downstream server can be enabled.

Call to action

We recommend that you review the security of your WSUS infrastructure. If HTTPS is not currently in use, see Securing WSUS and follow the instructions in this article to achieve a greater level of security.
