How to Cheat at Managing Windows Server Update Services

There are a number of simple ways to helpsecure a Windows Software Update Services (WSUS) platform. This chapter looks at some of theaspects of hardening your WSUS environment while still providing for ease of use.
In a typical environment, not much has to be done to the firewall configuration in order toallow the WSUS server to download updates from Microsoft. Many environments allow most protocols togo outbound from the inside (trusted) network, but this is not always the case. Some organizations,such as the government and the military, may only allow access via certain protocols and ports, orto a particular list of preapproved sites.
If the restriction within your organization is port-based (limiting the types of TransmissionControl Protocol/User Datagram Protocol [TCP/UDP] traffic that is allowed to pass), you won t needto do that much. WSUS only uses port 80 (Hypertext Transfer Protocol [HTTP]) and port 443(Hypertext Transfer Protocol over SSL [HTTPS]) for accessing the Microsoft update sites. If yourorganization only allows traffic to pass to specific sites, Microsoft requires that the sites in Table 8.1be added to the approved list.
| Web Site | Port |
|---|---|
| windowsupdate.microsoft.com | 80 |
| *.windowsupdate.microsoft.com | 80 |
| *.windowsupdate.com | 80 |
| *.update.microsoft.com | 80 |
| download.windowsupdate.com | 80 |
| download.microsoft.com | 80 |
| *.download.windowsupdate.com | 80 |
| wustat.windows.com | 80 |
| ntservicepack.microsoft.com | 80 |
| *.windowsupdate.microsoft.com | 443 |
| *.update.microsoft.com | 443 |
| An asterisk ( *) represents awildcard. |
If you are using a Web filtering service such as Websense (www.websense.com), make sure that it is notblocking...