WSUS Permissions – WsusContent, Registry, and IIS

If you Google WSUS Permissions, you may end up getting a boatload of links to support help on TechNet, Spiceworks, ExpertsExchange, Microsoft Docs, or other blogs around the Internet. Most of the links are only for specific parts – maybe the WsusContent folder, maybe something to do with 1 particular user (NT Authority\Network Service), but basically they give you a piece of the pie.

This guide is to bring them all together.

Sourcing this from: https://docs.microsoft.com/zh-cn/security-updates/windowsupdateservices/18125970 (Yes… zh-cn. Not even from en-us or en-ca. Why? Because those don’t exist!). This is a copy-paste and modify to make it more easier to understand, and giving the source for the original information. It’s copied and modified because certain places of Microsoft guides and information has (in the past) been wiped off the face of the internet.

The following lists permissions necessary for specific folders on the WSUS server disk and registry permissions.

Disk

The following permissions are configured during WSUS setup, and are important for BITS downloads to work:

  • The root folder on the drive where the WSUSContent folder resides (for example, <%windir%>\WSUS\WSUSContent) must have Read permissions for either the Users account or the NT Authority\Network Service account (on Windows 2003). If this permission is not set, BITS downloads will fail. Note: this is the permission that WSUS setup does not configure, so make sure the permissions are set as described here
  • The WSUS content directory, usually <%windir%>\WSUS\WSUSContent must have Full Control permission granted to the NT Authority\Network Service account. This permission is set by WSUS server setup when it creates the directory, but it is possible that your security software might reset this. permission. Not having this permission set will also cause BITS downloads to fail.
  • The NT Authority\Network Service account (on Windows 2003) must have Full Control permissions to the following folders for the WSUS console to display the pages correctly:
    • <%windir%>\Microsoft .NET\Framework\v1.1.4322\Temporary ASP.NET Files
    • <%windir%>\Temp

Registry

The following permissions are set for the Registry during WSUS setup.

  • The Users group must have Read access to the \HKLM\Software\Microsoft\Update Services\Server Registry key.
  • The following accounts must have Full Control permissions to the \HKLM\Software\Microsoft\Update Services\Server\Setup Registry key:
    • ASP.NET
    • Network Service (for Windows Server 2003)
    • WSUS Administrators

IIS settings

The following virtual directories (vroots) are created in IIS (in the Default Web Site by default) for client to server synchronization, server to server synchronization, reporting, and client self-update.

Vroot in IIS Properties
ClientWebService Directory: %ProgramFiles%Update Services\WebServices\ClientWebService Application Pool: WsusPool Security: Anonymous Access Enabled. Execute Permissions: Scripts Only
Content Directory: e:\wsus\wsuscontent Security: Anonymous Access Enabled Execute Permissions: None
DssAuthWebService Directory: %ProgramFiles%Update Services\WebServices\DssAuthWebService Application Pool: WsusPool Security: Anonymous Access Enabled. Execute Permissions: Scripts Only
ReportingWebService Directory: %ProgramFiles%Update Services\WebServices\ReportingWebService Application Pool: WsusPool Security: Anonymous Access Enabled. Execute Permissions: Scripts Only
ServerSyncWebService Directory: %ProgramFiles%Update Services\WebServices\ServerSyncWebService Application Pool: WsusPool Security: Anonymous Access Enabled. Execute Permissions: Scripts Only
SimpleAuthWebService Directory: %ProgramFiles%Update Services\WebServices\SimpleAuthWebService Application Pool: WsusPool Security: Anonymous Access Enabled. Execute Permissions: Scripts Only
WSUSAdmin Directory: %ProgramFiles%Update Services\Administration Application Pool: WsusPool Security: Integrated Windows Authentication. Execute Permissions: Scripts Only
SelfUpdate Directory: %ProgramFiles%Update Services\SelfUpdate Security: Anonymous Access Enabled, Integrated Windows Authentication. Execute Permissions: Scripts Only
/ Tags: , , , ,