Best Practices for Securing WSUS with SSL

Introduction

One of the questions that always comes up during the planning phase of a WSUS deployment is how to secure the communication between the WSUS server and its clients. The general guidelines for this deployment are documented in the Securing WSUS with the Secure Sockets Layer Protocol article, which you should always read first. The goal of this article is to extend that list and highlight additional considerations to take into account while planning this type of deployment.

Additional Considerations while Deploying WSUS with SSL

  • Use an FQDN wherever you refer to the WSUS server, including the common name used to create the SSL certificate, even on an intranet.
  • Require SSL so that you know your connections are secure.
  • Use a certificate chained to an already known trusted root, issued by a certificate authority that maintains a CRL (so the certificate can be revoked if it is compromised).

Consider the algorithm and certificate key length of the certificate you are using:


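As an added example (not part of the original article), the following PowerShell script audits a WSUS server against the points above from a client's point of view: it pulls the certificate from the SSL port, checks the name against the FQDN, checks the signature algorithm and key length, confirms the chain builds to a trusted root with its CRLs reachable, and confirms the client web service refuses plain HTTP when SSL is required. The host name is a placeholder; run it from a machine that trusts the issuing CA.

```powershell
param(
    [string]$WsusFqdn = 'wsus01.corp.example.com',   # placeholder (assumption), use your server's FQDN
    [int]$SslPort  = 8531,                           # default WSUS SSL port
    [int]$HttpPort = 8530                            # default WSUS HTTP port
)
$findings = @()

# 1. Open a TLS session and capture the certificate the server presents. The callback
#    accepts any certificate here because the explicit checks below do the validation.
$tcp = New-Object System.Net.Sockets.TcpClient($WsusFqdn, $SslPort)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
           { param($sender, $c, $ch, $errors) $true })
$ssl.AuthenticateAsClient($WsusFqdn)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
$ssl.Dispose(); $tcp.Dispose()

# 2. Name check: the FQDN must appear in the Subject Alternative Name (or the CN on older certs).
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$san = if ($sanExt) { $sanExt.Format($false) } else { '' }
$cn  = $cert.GetNameInfo('SimpleName', $false)
if ($san -notmatch [regex]::Escape($WsusFqdn) -and $cn -ne $WsusFqdn) {
    $findings += "Name mismatch: CN '$cn' and SAN '$san' do not cover $WsusFqdn"
}

# 3. Algorithm and key length: flag SHA-1 signatures and RSA keys shorter than 2048 bits.
if ($cert.SignatureAlgorithm.FriendlyName -match 'sha1') {
    $findings += "Weak signature algorithm: $($cert.SignatureAlgorithm.FriendlyName)"
}
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
if ($rsa -and $rsa.KeySize -lt 2048) { $findings += "RSA key too short: $($rsa.KeySize) bits" }

# 4. Trust and revocation: the chain must build to a trusted root and every CRL must be reachable.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'       # actually download and evaluate the CRLs
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { $findings += "Chain: $($_.Status) $($_.StatusInformation.Trim())" }
}

# 5. Require SSL: with SSL required on the client web service, plain HTTP should be refused (403).
try {
    Invoke-WebRequest -Uri "http://${WsusFqdn}:$HttpPort/ClientWebService/client.asmx" -UseBasicParsing | Out-Null
    $findings += 'ClientWebService answers over plain HTTP: Require SSL is not enforced'
} catch {
    if ([int]$_.Exception.Response.StatusCode -ne 403) { $findings += "Unexpected HTTP result: $($_.Exception.Message)" }
}

if ($findings.Count -eq 0) { "PASS: $WsusFqdn meets all checks" } else { $findings }
```

Content and EULA downloads still use the HTTP port, so step 5 only tests the client web service, not the whole site.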
Comments
  • Nice post. Another thing to point out would be that if you're using firewalls (internal or external to the WSUS server), since EULAs are still downloaded through clear HTTP, you need port 80/8530 open as well. Could be useful to know when putting WSUS in a DMZ and such, as you often limit access through firewalls. Just opening 443/8531 won't cut it.

  • JLCM, Yuri posted an article on WSUS in a DMZ here: social.technet.microsoft.com/.../5153.aspx
