The_Smart_One
You can use a Microsoft PKI CA certificate, which comes for free.
But before you do, please consider some day-to-day pitfalls:
Setting up a Microsoft PKI CA is not a click-and-point adventure:
- all default templates are nuts, designed for maximum compatibility (down to Windows 2000!), not aimed at any security of today's standards.
- MS PKI CA still supports CSP for compatibility, but KSP should be used; reason: see above.
- you should not use RSA DH 2048 and higher; it causes high response time and CPU load. Germany's BSI recommends using EC methods instead. 512 key length is ok.
Now for the caveats in WSUS, Michael_Cureton:
If one installs WSUS on Server Core, there are different issues:
- IIS certificate management is ugly via PowerShell
- IIS Remote Management, also secured by a MS PKI and limited to certain addresses, is a good practice
- IIS Remote Management does not support any certificate management
- WAC does not offer any remote IIS management capabilities or WSUS capabilities for now
The biggest bummer imho: if you follow the instructions to secure WSUS, this does not mean you are allowed to remove the binding in IIS with port 80, as this will cause clients contacting WSUS to send no reports, or not even show up in WSUS, with an error code on the client, even if you specify both links in the GPO to use https.
This means: whatever you do to secure WSUS with https, WSUS utilizes port 80 and needs it to be enabled in the bindings.
In addition, IIS on WSUS, and other IIS, should be hardened. There is no official MS tool to do so.
https://techcommunity.microsoft.com/t5/itops-talk-blog/windows-server-101-hardening-iis-via-security-control/ba-p/329979
This can be recommended:
https://www.nartac.com/Products/IISCrypto/
off topic:
WSUS is a (not officially) deprecated product in many ways. I strongly recommend moving on to WUfB and Delivery Optimization.
If you set up a new WSUS server on Windows Server 2019:
- it will use an outdated local DB (SQL 2012) by default.
- it will require lots of outdated stuff like Report Viewer 2012 etc.
- importing WSUS updates from the update catalog only works if IE is your default browser on your remote machine using the Windows Update MMC, or locally on the WSUS server. No, Edge Chromium will not do. It is hard coded.
- the IIS App Pool settings are wrong and lead to malfunctions like IIS crashing. All of this is pretty much documented.
No one at Microsoft really maintains WSUS anymore, so the wizard would make for a perfect and easy deployment, perhaps including all the Report Viewer etc. in the wizard / DISM, or using more recent ones. The fact that WSUS still exists might be not for the SMB, but because other things like MECM / ConfigMgr and others use it as a base.
In fact, till today:
- WSUS has a lot of issues that MS calls by design, just like not being able to separate 1903 from 1909 machines. The AJtek WSUS script (paid) will fix this and many other things, but leaves the question why MS is not doing this anymore, even saying it is by design when it can be fixed by others.
Do not expect any better: vServer Next will have no GUI-based fixes or improvements, no new features / improvements in traditional GUI-based tools such as MMC, Server Manager, ADAC. Citing Jeff Woosley (WAC team).
So please consider this, if you really want to use WSUS, before investing in potential security.
edit: correcting the cite of Jeff Woosley.
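The two Server Core points in the post above (certificate handling only via PowerShell, and the plain-HTTP binding that WSUS keeps needing after you switch clients to https) as an added PowerShell example. This is not code from the post, from Microsoft or from any WSUS project; it assumes the default site name "WSUS Administration", the default WSUS ports 8530/8531, a hypothetical FQDN wsus.example.internal, and a server certificate for that name already enrolled into the LocalMachine\My store (for instance from the Microsoft CA discussed above).

```powershell
# Added example: configure HTTPS on the WSUS IIS site from PowerShell (there is no
# IIS Manager on Server Core) and then verify that the plain-HTTP binding is still
# present, because WSUS client reporting breaks without it.
# Assumptions (not from the post): site name "WSUS Administration", ports 8530/8531,
# placeholder FQDN wsus.example.internal, certificate already in LocalMachine\My.
Import-Module WebAdministration

$WsusFqdn  = 'wsus.example.internal'   # placeholder, replace with the server's FQDN
$SiteName  = 'WSUS Administration'
$HttpPort  = 8530
$HttpsPort = 8531

# 1. Pick the newest certificate with a private key whose subject matches the FQDN.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$WsusFqdn*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $WsusFqdn in LocalMachine\My" }

# 2. Make sure the HTTPS binding exists on the WSUS site.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port $HttpsPort)) {
    New-WebBinding -Name $SiteName -Protocol https -Port $HttpsPort -IPAddress '*'
}

# 3. Attach the certificate to that binding via the IIS: drive (this replaces the
#    "Edit Bindings" dialog of IIS Manager).
$sslBinding = "IIS:\SslBindings\0.0.0.0!$HttpsPort"
if (Test-Path $sslBinding) { Remove-Item $sslBinding }
New-Item $sslBinding -Value $cert | Out-Null

# 4. Require SSL on the virtual directories Microsoft documents for WSUS over HTTPS.
$sslVdirs = 'ApiRemoting30','ClientWebService','DSSAuthWebService',
            'ServerSyncWebService','SimpleAuthWebService'
foreach ($vdir in $sslVdirs) {
    Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName\$vdir" `
        -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'
}

# 5. Tell WSUS itself about the HTTPS name (wsusutil.exe ships with the WSUS role).
& "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" configuressl $WsusFqdn

# 6. Check: the plain-HTTP binding must still be there. Removing it breaks client
#    reporting even when the GPO points both update URLs at https://...:8531.
if (-not (Get-WebBinding -Name $SiteName -Protocol http -Port $HttpPort)) {
    Write-Warning "HTTP binding on port $HttpPort is missing; WSUS clients will fail to report."
}
Get-WebBinding -Name $SiteName | Format-Table protocol, bindingInformation -AutoSize
```

Run this in an elevated session on the WSUS server. Step 4 locks the web services to HTTPS while the content directory and the HTTP binding stay reachable, which is the split the post's "port 80 stays" observation comes down to; step 6 is the check to re-run after any later IIS cleanup.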
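The IIS hardening the post points at (what IIS Crypto does through its GUI) as an added PowerShell example, so the same Schannel settings can be scripted and audited on Server Core. This is not IIS Crypto's code or Microsoft's; the chosen scope (disable SSL 3.0, TLS 1.0 and TLS 1.1 for the server and client roles, keep TLS 1.2 enabled, disable the RC4, 3DES and NULL ciphers) is an assumption for the example, and the registry locations are the documented Schannel keys.

```powershell
# Added example: apply Schannel protocol and cipher hardening through the registry.
# Assumed scope (not from the post): off = SSL 3.0, TLS 1.0, TLS 1.1, RC4, 3DES, NULL;
# on = TLS 1.2. Run elevated; Schannel only reads these values after a reboot.
# Test against the oldest clients you still serve: a client that only speaks
# TLS 1.0 stops reporting to WSUS once the server side is disabled.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Set-SchannelProtocol {
    param([string]$Name, [bool]$Enabled)
    # Each protocol has a Server and a Client subkey; both get Enabled and
    # DisabledByDefault so the result does not depend on the OS default.
    foreach ($role in 'Server','Client') {
        $key = Join-Path $base "Protocols\$Name\$role"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

function Disable-SchannelCipher {
    param([string]$Name)
    # Cipher key names contain "/" (e.g. "RC4 128/128"). The PowerShell registry
    # provider would split that into nested keys, so use the .NET API, which only
    # treats the backslash as a path separator.
    $root = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey(
        'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers')
    $key = $root.CreateSubKey($Name)
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close(); $root.Close()
}

foreach ($p in 'SSL 3.0','TLS 1.0','TLS 1.1') { Set-SchannelProtocol -Name $p -Enabled $false }
Set-SchannelProtocol -Name 'TLS 1.2' -Enabled $true

foreach ($c in 'RC4 128/128','RC4 64/128','RC4 56/128','RC4 40/128','Triple DES 168','NULL') {
    Disable-SchannelCipher -Name $c
}

# Audit what is now in the registry (the same view IIS Crypto shows as checkboxes).
Get-ChildItem "$base\Protocols" -Recurse | Get-ItemProperty |
    Format-Table @{n='Key'; e={ $_.PSPath.Split('\')[-2..-1] -join '\' }},
                 Enabled, DisabledByDefault -AutoSize
```

The audit at the end is the part worth keeping in a scheduled check: a drift of `Enabled` back to 1 under `TLS 1.0\Server` is easy to spot in that table, and the same `Get-ItemProperty` query runs unchanged on every IIS host you harden this way.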