The University Information Security Office (UISO) at Indiana University strongly recommends that any organization running a Windows Server Update Service (WSUS) configure the server to only allow HTTPS to be used for handling activity around metadata files. Clients connecting to the WSUS must also be configured to use HTTPS with metadata activities in order to communicate with the server.
Effects on UITS services, and what IT Pros may need to do in response
The IU Microsoft Update Service, msupdate.iu.edu, currently allows clients to connect via either HTTP or HTTPS. On Tuesday, Sept. 15, the IU WSUS will require clients to connect via HTTPS. After that, clients that are configured to connect to the IU WSUS via HTTP will stop receiving updates until they are reconfigured to use HTTPS.
There are three methods available for configuring clients to use msupdate.iu.edu:
- IU Campus Update Service Configuration Assistant (available on IUware). The assistant has always utilized HTTPS in its configuration. So, clients configured with the assistant will not be affected by the configuration change and no further action is required.
- Get Connected (getconnected.iu.edu\Windows). Get Connected was updated to use HTTPS for WSUS on Aug. 7, 2015. Older versions used HTTP. For systems that ran Get Connected prior to Aug. 7, UIPO recommends running the updated version of Get Connected or using the IU Campus Update Service Configuration Assistant. Either tool will update client settings to enable continued connections with the IU WSUS.
- Group policy objects (GPOs). WSUS connection logs show that this is the most common configuration method. Logs also show that most clients configured via GPO are connecting via HTTP. We recommend that you check your GPOs and set the” intranet Microsoft updates service location” to specify https://msupdate.iu.edu (in both boxes, and without the quotation marks).
Note: It can take between 0-90 minutes for the change to take effect unless you run the “gpupdate /force” command on the target machines. Even then, that is ONLY the update to the GPO. The actual check for updates will happen in 0-22 hours -- unless Windows Update is run manually directly on the target machine.
As an alternative, clients could also be configured to use Microsoft’s update service. But this configuration requires outbound network access to the Internet, which may increase security risks for some clients -- depending on individual circumstances.
If you have questions about configuring updates for the Microsoft systems you support, contact Support Center Tier 2 at email@example.com, or via phone: 812-856-SCT2 (7282) or 317-278-SCT2 (7282).
Why is UISO making this recommendation?
This recommendation from UISO is a result of a security vulnerability that was recently publically published regarding the way metadata files are requested from and delivered by WSUS. Researchers from Context Information Security recently published a report detailing the vulnerability and have openly demonstrated how the vulnerability could be exploited to gain administrative control of clients using HTTP connections to WSUS.
Clients are not vulnerable if they -- and the WSUS server they connect with -- are both configured to use HTTPS with metedata files. Nor are they vulnerable if they use Microsoft’s directly provided update services.
- “What is Windows Server Update Service?”
- “What is the IU Microsoft Update Service, and how do I configure my computer to use it?”
- IU Campus Update service Configuration Assistant
- “In Microsoft Active Directory, what are group policies?”
- From Context
- Secure the WSUS 3.0 SP2 Deployment
- Secure WSUS 3.0 Deployment