Security best practices for Windows Server Update Services (WSUS)
Published Aug 13 2020 11:39 AM
Microsoft

To help provide additional protection from potential malware attacks, Microsoft recommends using HTTPS with Windows Server Update Services (WSUS).

In this post, we will walk you through the steps required to configure each of your WSUS servers to use HTTPS. We will then share details on how to obtain and bind the necessary certificate, enforce Secure Sockets Layer (SSL)/Transport Layer Security (TLS) encryption, and configure WSUS to use HTTPS. From there, we will discuss how to configure clients to use HTTPS and how to configure WSUS to use HTTPS for synchronization for downstream servers only. We will conclude with a recommended configuration order. These steps are critical in keeping the clients within your organization more secure and we hope you will find this post helpful.

At a time when malware attacks are on the rise across industries, configuring WSUS with HTTPS may further reduce the ability of a potential attacker to remotely compromise a client and elevate privileges. To ensure that the best security protocols are in place, we recommend that you use the SSL/TLS protocol to help secure your WSUS infrastructure. Windows Server Update Services uses SSL/TLS to authenticate client computers and downstream WSUS servers to the upstream WSUS server. WSUS also uses SSL/TLS to encrypt update metadata.

Configuring WSUS to use HTTPS

Note: Securing your server with TLS may result in a slight loss in performance.

To configure WSUS to use HTTPS, you will need to:

  1. Obtain a certificate.
  2. Bind the certificate.
  3. Enforce SSL/TLS encryption (require SSL) on the following applications:
    1. ApiRemoting30
    2. ClientWebService
    3. DSSAuthWebService
    4. ServerSyncWebService
    5. SimpleAuthWebService
  4. Configure WSUS to use HTTPS using the wsusutil configuressl command.
  5. Configure clients to use HTTPS communications with WSUS, and specify the intranet Microsoft update service location.

If you have downstream WSUS servers, you will need to complete an additional step: configure the downstream WSUS servers to use HTTPS when syncing (the Use SSL when synchronizing update information option).

Important: Follow the WSUS best practices for disabling recycling and configuring memory limits prior to configuring WSUS to use HTTPS.

Obtain a certificate

There are a few methods available to obtain a certificate for use with Internet Information Services (IIS). For example, you can create a certificate request and send that request to a known certificate authority (CA), such as Verisign or GeoTrust, or obtain a certificate from an online CA in your intranet domain. If you are using an online CA in your intranet domain, you can follow the steps below to create the required certificate.

  1. Log on to the WSUS server using a user account that is a member of the local Administrators group.

    NOTE: By default, the WebServer certificate template will only issue to Domain Admins. If the user logging in is not a domain admin, their user account will need to be granted the Enroll permission on the WebServer certificate template.

  2. Launch Internet Information Services (IIS) Manager.
  3. Click on your server and then launch Server Certificates.
  4. In the Actions pane, select Create Domain Certificate.
  5. Fill in the Distinguished Name Properties and select Next. The Common name value must be the FQDN of the WSUS server.
  6. On the Online Certification Authority page, select your CA, enter a friendly name for the certificate, and select Finish.

Bind the certificate

  1. In Internet Information Services (IIS) Manager expand your server, expand Sites, and select WSUS Administration.
  2. In the Actions pane, select Bindings.
  3. Select the SSL binding and click Edit.
  4. In the drop-down for SSL certificate, select the appropriate SSL certificate and click OK.
  5. Select Close on the Site Bindings dialog box.

Enforce SSL/TLS encryption

  1. In Internet Information Services (IIS) Manager expand your server, expand Sites, and expand WSUS Administration.
  2. Select the application ApiRemoting30 and launch SSL Settings.
  3. Check Require SSL and then click Apply.
  4. Repeat the same steps for the other applications noted above.

Configure WSUS to use HTTPS

  1. Launch an elevated command prompt on the WSUS server.
  2. Navigate to your WSUS installation folder, e.g. cd "c:\Program Files\Update Services\Tools".
  3. Execute the following command:
    WSUSUtil.exe configuressl FQDNofWSUSServer
  4. Restart the WSUS server to make sure all changes take effect.
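The Require SSL and configuressl steps above can also be scripted. The following PowerShell is an added example, not part of the original post. It assumes the WebAdministration module that ships with IIS, the site and application names listed above, a certificate that is already bound, and a placeholder FQDN (wsus.contoso.example) that you replace with your own.

```powershell
#Requires -RunAsAdministrator
Import-Module WebAdministration

$site   = 'WSUS Administration'      # IIS site named in the steps above
$fqdn   = 'wsus.contoso.example'     # placeholder: FQDN of this WSUS server
$filter = 'system.webServer/security/access'
$apps   = 'ApiRemoting30', 'ClientWebService', 'DSSAuthWebService',
          'ServerSyncWebService', 'SimpleAuthWebService'

# Stop early if the certificate has not been bound yet (previous section).
$binding = Get-WebBinding -Name $site -Protocol https | Select-Object -First 1
if (-not $binding -or -not $binding.certificateHash) {
    throw "No HTTPS binding with a certificate on '$site'."
}
$cert = Get-Item "Cert:\LocalMachine\$($binding.certificateStoreName)\$($binding.certificateHash)"
if ($cert.NotAfter -lt (Get-Date)) { throw "Bound certificate expired on $($cert.NotAfter)." }
if ($cert.DnsNameList.Unicode -notcontains $fqdn) {
    Write-Warning "Bound certificate does not list $fqdn (ignore for a wildcard certificate)."
}

# Equivalent of checking Require SSL on each application; client
# certificates stay at the default (Ignore), as in the GUI steps.
foreach ($app in $apps) {
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location "$site/$app" -Filter $filter -Name sslFlags -Value 'Ssl'
    $now = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location "$site/$app" -Filter $filter -Name sslFlags
    Write-Output ("{0,-22} sslFlags = {1}" -f $app, $now)
}

# Step 3 of this section; assumes the default install path shown in step 2.
& "$env:ProgramFiles\Update Services\Tools\WsusUtil.exe" configuressl $fqdn
if ($LASTEXITCODE -ne 0) { throw "WsusUtil configuressl failed with exit code $LASTEXITCODE." }
Write-Output 'Done. Restart the WSUS server so that all changes take effect.'
```

The script does not restart the server; do that yourself as described in step 4.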

Configure clients to use HTTPS

To configure clients to require HTTPS communication to the WSUS server, simply update the domain Group Policy Object (GPO) or the Configuration Service Provider (CSP) policy used to configure WSUS to leverage HTTPS and the desired port.

  • For those using Group Policy, configure both values of the Specify intranet Microsoft update service location policy, Set the intranet update service for detecting updates and Set the intranet statistics server, to point to your desired port (for example, HTTPS://servername:8531). See To enable WSUS through a domain GPO for more info.
  • For those using a mobile device management (MDM) tool and CSPs, configure the Update/UpdateServiceUrl policy to point to your desired port (for example, HTTPS://servername:8531).
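To confirm on a client that the policy has arrived and that the client trusts the WSUS certificate, you can run a check like the one below. This is an added example, not part of the original post. It assumes the setting was delivered by Group Policy, which writes the WUServer and WUStatusServer values under the registry key shown, and it needs Windows PowerShell 5 or later.

```powershell
function Test-WsusClientPolicy {
    # Registry location written by the "Specify intranet Microsoft update
    # service location" Group Policy setting.
    $key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $policy = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    foreach ($name in 'WUServer', 'WUStatusServer') {
        $result = [pscustomobject]@{ Setting = $name; Url = $policy.$name; Status = ''; Detail = '' }
        if (-not $result.Url) { $result.Status = 'NotConfigured'; $result; continue }

        $uri = [uri]$result.Url
        if (-not $uri.IsAbsoluteUri -or $uri.Scheme -ne 'https') {
            $result.Status = 'NotHttps'
            $result.Detail = 'Policy does not point at an HTTPS URL'
            $result; continue
        }

        # TLS handshake with default validation: the chain must be trusted
        # by this client and the certificate must match the host name.
        $tcp = New-Object System.Net.Sockets.TcpClient
        try {
            $tcp.Connect($uri.Host, $uri.Port)
            $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
            $ssl.AuthenticateAsClient($uri.Host)
            $result.Status = 'Ok'
            $result.Detail = '{0}, certificate expires {1}' -f $ssl.SslProtocol,
                $ssl.RemoteCertificate.GetExpirationDateString()
        } catch {
            $result.Status = 'TlsFailed'
            $result.Detail = $_.Exception.GetBaseException().Message
        } finally {
            $tcp.Close()
        }
        $result
    }
}

Test-WsusClientPolicy | Format-Table -AutoSize
```

A TlsFailed status usually means the client does not trust the issuing CA or the certificate name does not match the host name in the policy URL.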

Configure WSUS to use HTTPS for synchronization (Downstream servers only)

  1. Log on to the WSUS server using a user account that is a member of the local Administrators group or the WSUS Administrators group.
  2. Launch Windows Server Update Services.
  3. In the right pane, expand the server name.
  4. Select Options, and then select Update Source and Proxy Server.
  5. On the Update Source tab, under Synchronize from another Windows Server Update Services server, type the port number that the server uses for SSL connections into the Port number text box.
  6. Select Use SSL when synchronizing update information and then select OK.

Configuration order

Because every WSUS server must be configured to use the SSL/TLS protocol, the order in which the steps are performed will depend on your environment. If you have a simple infrastructure where the required steps can be performed on all WSUS servers within a single timeframe, then a top-down approach can be used. However, if you have a large infrastructure that will require a phased approach, then a bottom-up approach should be used.

Example 1: Environment with a small number of WSUS Servers

In this example, it is assumed that all WSUS servers can be configured within a single timeframe. In this case, the upstream WSUS server can be configured first using the steps above. Any downstream WSUS servers can then be configured using the steps above in addition to setting the WSUS option to Use SSL when synchronizing update information.

Example 2: Environment with many WSUS Servers

In this example, it is assumed that a phased approach will be required to configure all WSUS servers. In this case, a bottom-up approach should be leveraged. All downstream WSUS servers should be configured for HTTPS before their upstream WSUS server is configured to use HTTPS. After their upstream WSUS server is configured to use HTTPS, the WSUS setting Use SSL when synchronizing update information on each downstream server can be enabled.

Call to action

We recommend that you review the security of your WSUS infrastructure. If HTTPS is not currently in use, see Securing WSUS and follow the instructions in this article to achieve a greater level of security.

 

Last update: Aug 13 2020 01:22 PM