How to Setup, Manage, and Maintain WSUS: Part 7 – SSL Setup for WSUS and Why You Should Care!

Home Blog WSUS How to Setup, Manage, and Maintain WSUS: Part 7 – SSL Setup for WSUS and Why You Should Care!

I can go on explaining why you should switch over your WSUS Server to SSL so that you can mitigate Man-In-The-Middle (MITM) attacks, but sometimes it’s better to show you.

The following video is worth the watch as they explain exactly how relatively easy it is to take over a network by just having access to it with a WSUS Server that does not have SSL Enabled.

From Blackhat USA 2015 – WSUSpect – Compromising The Windows Enterprise Via Windows Update

Please, everyone, mitigate this risk and switch your WSUS to SSL. This does NOT mean that you can turn off HTTP as communication between clients and the WSUS server use both http and https much like FTP uses port 20 (data) and 21 (command channel).

I follow a really smart guy named Emin Atac and he posted a simple PowerShell method of switching your WSUS Server to use SSL with a self-signed Certificate. Of course if you have an internal CA, utilize that for the creation of your certificates as it is already a trusted authority by your systems. Another alternative is to buy a public certificate, but make a note that public certificates cannot include .LOCAL addresses anymore and require fully qualified domain names (FQDNs) which is not a problem if you have been following this guide.

Related Posts

WSUS Permissions – WsusContent, Registry, and IIS
How To Get WSUS Reports Working In Server 2019
Read More
Language Packs in WSUS – Are They Worth It?
Read More
Best Way to Maintain WSUS in a Law Office
RSAT Tools on 1809 And Higher, Other Features On Demand AKA Optional Features
Read More
Access to the Right People Means Getting Things Done
Read More
Listen to AJ Tek’s Adam Marshall on the RunAs Radio Podcast
How to Remove WSUS Completely and Reinstall it