Securing Windows Server Update Services (WSUS) servers in your environment is critically important. Learn how two recent Windows Update changes help to secure WSUS.

With the latest round of updates in January 2021, an update to Windows 10 adds security measures that affect how Windows 10 interacts with WSUS. What are these other security measures? Why is security important with WSUS? In addition to these enhancements, how can you ensure WSUS is secured?

Why is securing WSUS necessary?

Securing your WSUS servers helps minimize the risk that an attacker can compromise your WSUS environment, compromise clients, and elevate privileges. Many organizations may have forward-facing WSUS servers that are visible on the Internet. Additionally, if they did not have externally accessible WSUS servers before the COVID-19 pandemic, they may have configured these to help continue patching remote end-user clients no longer on premises. This type of configuration underscores the need to secure WSUS properly.

By default, WSUS defaults to the non-secure port 80 (HTTP) for client connectivity to pull Windows Updates. This configuration presents serious security concerns. Working proof-of-concepts such as WSUSpect can capitalize on HTTP-configured WSUS servers and allow an attacker to use a Windows client configured to download WSUS updates over HTTP. When Windows Update runs, the WSUSpect proxy will insert malicious update metadata between the Windows client and the WSUS server in a classic man-in-the-middle (MITM) attack. It allows an attacker already on the network or even a low-level user to compromise WSUS clients. In this way, an attacker can inject malicious updates into a Windows client machine.

Even when securing WSUS with HTTPS, in May 2020, a new CVE came to light regarding how Windows clients are handling certificate acceptance from the current user certificate store. Due to this new vulnerability, Microsoft has changed the way WSUS handles user proxies. Let's see how.

Security changes to WSUS

Many of these changes flew under the radar. However, if you missed these, Microsoft made changes to the way Windows devices scan WSUS as part of the September 2020 cumulative update for Windows 10.

There are essentially two proxy types with a Windows host that are configurable. These are a user proxy and a system proxy. Users can generally make changes to user proxies using the Internet Options found in the Control Panel. However, system proxies are set by administrators. It is usually done using manual means with an elevated prompt or Group Policy.

With the September 2020 Windows Updates, Microsoft is attempting to mitigate the risk of an attacker using the user proxy settings with malicious code. After the September 2020 cumulative update, if the WSUS server uses HTTP, Windows clients will no longer use the user proxy settings. They will only use the system proxy. If communication requires a proxy, this will need configuring at the system proxy level. You can read more about these behavior changes here.

As noted with these changes, administrators can decide to allow a user proxy as a fallback mechanism if they choose. However, this is not desirable from a security perspective. It ensures it is a conscious effort on the part of the administrator to allow this configuration.

Allow WSUS user proxy failback to be used

Allow WSUS user proxy failback to be used

WSUS certificate pinning

Microsoft is further helping to increase the security of WSUS in the January 2021 cumulative updates. What has changed with this update? In the January cumulative updates, Microsoft is building on the changes introduced in September 2020 by introducing certificate pinning as part of the measures to increase WSUS security. How does this new configuration change work?

This new change allows customers to pin certificates and prevent scanning WSUS with the system proxy (not the user proxy) if certificate pinning fails. Certificate pinning restricts which SSL certificates the system considers to be valid for a specific URL. It helps to limit the risk of an attacker introducing a rogue certificate to compromise an end-user system. Making this change to only allow a particular SSL certificate for WSUS will help to bolster security. However, it will place an extra administrative burden on the WSUS administrator.

How is SSL certificate pinning configured with the new January 2021 cumulative updates? The process to enable certificate pinning with a WSUS server is relatively simple.

  • To enable cert-pinning, the administrator needs to add the correct certificates to the new WSUS certificate store.
  • If valid certificates are not found in the WSUS certificate store, then certificate pinning is not enabled or enforced.

Administrators can also choose to effectively disable this new functionality from a client perspective by setting the Do not enforce TLS certificate pinning for Windows Update client for detecting updates.

Turning off WSUS certificate pinning for WSUS clients

Turning off WSUS certificate pinning for WSUS clients

Wrapping up further security for WSUS Server

Your WSUS server may fly under the radar of infrastructure you need to secure. However, attackers are looking for any way to compromise your environment quickly and effectively. It can certainly happen through your WSUS server if it is not appropriately secured.

It is critically important to secure your WSUS implementation by enabling the HTTPS protocol for client communication and installing a proper certificate. The new settings introduced as part of the September 2020 and January 2021 cumulative updates will further increase security for WSUS. Outside of these measures, what else can you do for WSUS security?

The following can help:

Subscribe to 4sysops newsletter!

  • Make sure you correctly harden the OS for your WSUS server.
  • Harden the IIS server.
  • Scope down which users and devices have access to WSUS.
  • Set up an authentication list.
  • Define specific network ports for communicating with WSUS.
  • Add authentication between chained WSUS servers in Active Directory.

Implementing these and other WSUS security measures will help significantly reduce the attack surface of your WSUS server. Attackers are often looking for the "low-hanging fruit" and those devices, systems, or software that provide the most straightforward way into the environment. Implementing WSUS security measures will help reduce the likelihood of an attack on your WSUS server.

1 Comment
  1. Rui Paz 3 years ago


    How to configure the WSUS certificate store to accept only a certain certificate?

Leave a reply

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account