Karl-WE
Oh, hello! 😊 Glad to see you write back! First, you are welcome! It was a pleasure. After all, your post did an excellent job of listing obscure WSUS quirks that I had learned over the years. Your WSUS knowledge seems to genuinely come from experience, despite all the typos in your post. 😉 (But maybe you'd like to refrain from writing WuFB. Its proper spelling is WUfB.)
By the way, ever since I've talked to you about the certificate, my colleagues keep telling me I should get a Let's Encrypt certificate. I vaguely remember having heard about it. I keep postponing an investigation into it.
I had a strained relationship with Delivery Optimization (DO) since the time I was called into the manager's office to explain the reason behind a spike in the Internet bill. (Apart from the incurred cost, such a spike in the Internet bandwidth usage could mean being under attack.) Our newly deployed Windows 10 devices were the culprits. The so-called Dual Scan circumvented WSUS. Since then, I made it my duty to read everything Microsoft publishes about DO and fully test it. In the end, my answer to DO is NO!
The computers in the same subnet or whatever you define per GPO will download Feature updates, WU, Office Updates, drivers all from their neighbors.
Ethernet LAN nodes don't have neighbors. (Mesh and token ring nodes do.) All Ethernet nodes are connected to a hub or switch. All computers downloading from the WSUS machine is the same as all computers downloading from each other. Even when there are two or three hubs and switches between WSUS and its clients, WSUS is still more efficient than DO. After all, DO relies on a server on the Internet, in which case, there are definitely many, many, many more intervening hubs, switches, and routers. And while DO can download from LAN peers, most of the time, it does not. By the way, I install Feature Updates on my own terms. Not even WSUS is allowed to download them.
Whereas WSUS will download once but ALL clients will have to pull from WSUS with full package, whereas DO (P2P) will only download the needed bits from neighbors.
I've heard it before. I used Wireshark to test the veracity of this claim. For Office 365, it was correct. For everything else, no. DO downloads full packages, but downloads them in chunks. Each chunk can come from a different source. One of the chunks always comes from Microsoft. These chunks are usually massive. So, for small updates (say below 50 MB), there is no saving whatsoever. Mind you, I eventually jury-rigged a much more efficient update system for Office 365.
... WAN...
WANs are crazy expensive here. Internet connection is not. The cheapest policy is: Deploy one WSUS per site, connect it to the Internet. Keep the WAN traffic to the absolute minimum.