You can use the Secure Sockets Layer (SSL) protocol (on current Windows versions this is TLS, although the WSUS documentation and configuration still call it SSL) to help secure your Windows Server Update Services (WSUS) deployment. WSUS uses SSL so that client computers and downstream WSUS servers can authenticate the WSUS server they synchronize from, and to encrypt the update metadata exchanged between the WSUS server and those clients and downstream servers. Be aware that WSUS uses SSL only for metadata, not for update content; this is also how Microsoft Update distributes updates.
Updates consist of two parts:
- The metadata that describes the update
- The files to install the update on a computer
Microsoft reduces the risk of sending update files over an unencrypted channel by digitally signing each update file. In addition, a hash of each file is computed and carried in the metadata for the update, and the metadata does travel over SSL, so the hash binds the unauthenticated content download to the authenticated metadata channel. When an update is downloaded, WSUS verifies both the digital signature and the hash. If either check fails, the file has been altered or replaced and is not installed.
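The two checks described above can be reproduced by an administrator against files already in a WSUS content store. The following PowerShell is an added example, not code from the WSUS documentation. It assumes the store path D:\WSUS\WsusContent, and it relies on the convention (mine, not stated on this page) that WSUS names each downloaded file after its SHA-1 digest, so the expected hash can be read from the file name; if your store uses a different layout, pass the expected digest in another way. Files such as .psf or .esd are not Authenticode-signed and are excluded.

```powershell
# Added example (not from the WSUS documentation): re-check the signature and
# hash guarantees that WSUS enforces when it downloads update content.
# Assumptions: store root D:\WSUS\WsusContent, and that each file is named
# after its SHA-1 digest, e.g. ...\WsusContent\3F\<40-hex-sha1>.cab.
function Test-WsusContentFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path
    )

    $file = Get-Item -LiteralPath $Path

    # 1. Hash check: the digest carried with the (SSL-protected) metadata must
    #    match the bytes on disk. Here it is taken from the file name (assumption).
    $expectedSha1 = $file.BaseName.ToLowerInvariant()
    $actualSha1   = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA1).Hash.ToLowerInvariant()
    $hashMatches  = ($expectedSha1 -match '^[0-9a-f]{40}$') -and ($expectedSha1 -eq $actualSha1)

    # 2. Signature check: content travels over plain HTTP, so the Authenticode
    #    signature is what proves the file came from Microsoft unaltered.
    $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $signedByMicrosoft = ($sig.Status -eq 'Valid') -and
                         ($sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')

    [pscustomobject]@{
        File            = $file.FullName
        HashMatches     = $hashMatches
        SignatureStatus = $sig.Status
        SignedByMS      = $signedByMicrosoft
        Signer          = $sig.SignerCertificate.Subject
        # Only acceptable when both checks pass, as WSUS itself requires.
        Trustworthy     = $hashMatches -and $signedByMicrosoft
    }
}

# Usage: scan the store and list anything that fails either check.
Get-ChildItem -LiteralPath 'D:\WSUS\WsusContent' -Recurse -File -Include *.cab, *.exe, *.msu |
    ForEach-Object { Test-WsusContentFile -Path $_.FullName } |
    Where-Object { -not $_.Trustworthy } |
    Format-Table File, HashMatches, SignatureStatus, Signer -AutoSize
```

A file that fails the hash check but has a valid signature is usually a stale or renamed download rather than tampering; a file with a valid hash but a signature status other than Valid is the case worth investigating, since the hash only proves the bytes match what the server was told to expect.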
For detailed steps to configure SSL on the WSUS Server and on the WSUS Client, see the WSUS Deployment Guide at
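Once SSL is configured, the property that matters on each client is that both Windows Update policy URLs use https and that the client trusts the certificate the WSUS server presents for that host name. The following PowerShell is an added example (not part of the WSUS documentation) that checks exactly that from a client. It reads the standard Windows Update policy registry key and performs a TLS handshake with the .NET SslStream class; 8531 is the WSUS default SSL port, but the port is taken from the configured URL.

```powershell
# Added example (not from the WSUS documentation): on a client, confirm that the
# WSUS policy points at an HTTPS URL and that this machine trusts the
# certificate the WSUS server presents for that host name.
function Test-WsusClientSsl {
    [CmdletBinding()]
    param()

    # Standard Windows Update policy key; set by Group Policy or manually.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction Stop
    $result = [ordered]@{
        WUServer           = $policy.WUServer
        WUStatusServer     = $policy.WUStatusServer
        BothHttps          = $false
        Host               = $null
        Port               = $null
        CertificateTrusted = $false
        CertificateSubject = $null
        Error              = $null
    }

    # Metadata (WUServer) and reporting (WUStatusServer) must both use HTTPS;
    # otherwise the client cannot authenticate the server for that channel.
    $uri       = [uri]$policy.WUServer
    $statusUri = [uri]$policy.WUStatusServer
    $result.BothHttps = ($uri.Scheme -eq 'https') -and ($statusUri.Scheme -eq 'https')
    $result.Host = $uri.Host
    $result.Port = $uri.Port

    # TLS handshake with default validation: the chain must lead to a root in this
    # machine's trusted store and the certificate must match the host name.
    # This overload does not check revocation, so it approximates, rather than
    # duplicates, what the Windows Update client (WinHTTP/Schannel) does.
    $tcp = $null; $ssl = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($uri.Host, $uri.Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($uri.Host)   # throws if chain or host name is not trusted
        $result.CertificateTrusted = $true
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        $result.CertificateSubject = $cert.Subject
    } catch {
        $result.Error = $_.Exception.GetBaseException().Message
    } finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Dispose() }
    }

    [pscustomobject]$result
}

# Usage: run on a WSUS client (elevation is not required to read the policy key).
Test-WsusClientSsl | Format-List
```

If BothHttps is false the client is still exchanging metadata over plain HTTP regardless of how the server is configured; if CertificateTrusted is false the Error field shows whether the chain is untrusted or the name does not match, which are the two bootstrapping problems the references below address.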
Limitations of WSUS SSL deployments
Administrators planning to implement WSUS SSL deployments should consider two limiting issues:
- Securing your WSUS deployment with SSL increases the workload of the server. You should plan for about a 10-percent loss of performance because of the additional cost of encrypting all the metadata sent over the network.
- If you are using a remote SQL Server, the connection between the WSUS server and the server that is running the database is not secured with SSL. If the database connection must be secured, consider the following recommendations:
  - Put the database on the WSUS server (the default WSUS configuration).
  - Put the remote server that is running SQL Server and the WSUS server on a private network.
  - Deploy Internet Protocol security (IPsec) on your network to secure network traffic. For guidance about how to deploy IPsec in your environment, see the Windows Server Deployment Guide (https://go.microsoft.com/fwlink/?LinkId=45154).
Additional references
Setting up a Certification Authority (CA), binding a certificate to the WSUS Web site, and then bootstrapping client computers to trust the certificate on the WSUS Web site are complex administrative tasks. The step-by-step procedures for each task are beyond the scope of this topic. However, several articles on the subject are available. For more information and instructions about how to install certificates and set up your environment, see the following resources:
- The Windows Server 2003 PKI Operations Guide (https://go.microsoft.com/fwlink/?LinkId=83159) provides a guide for administrators about how to configure and operate a Windows Certification Authority.
- Microsoft Knowledge Base article 299875 (https://go.microsoft.com/fwlink/?LinkId=86176) offers step-by-step instructions for implementing SSL in IIS.
- Certificate Autoenrollment in Windows Server 2003 (https://go.microsoft.com/fwlink/?LinkId=17801) offers instructions about how to automatically enroll client computers running Windows XP in Windows Server 2003 Enterprise environments integrated with Active Directory.
- Advanced Certificate Enrollment and Management (https://go.microsoft.com/fwlink/?LinkId=83160) offers guidance about how to automatically enroll client computers in other environments.