WSUS Product Team Blog

WSUS Product Team thoughts, information, tips and tricks and beyond :-)

Further Hardening of WSUS Now Available


Hello, 

As we mentioned previously, Microsoft is releasing an update to further harden the Windows Server Update Services (WSUS) as a defense-in-depth precaution for our customers. This update is now available for download. As an additional measure, we are providing the SHA1 and SHA2 hashes of the WSUS update and the WU client files we released today. This allows administrators to verify that the files they download are from Microsoft. The hashes are listed in the update KB article. We strongly urge WSUS administrators to apply these updates as soon as possible to take advantage of the added security they offer. If you’d like to read more, please review the MSRC blog for more information.

Please follow these steps to ensure a smooth deployment:

  1. Apply Security Advisory Update 2718704, issued on June 3, which moved unauthorized digital certificates derived from a Microsoft Certificate Authority to the Untrusted Store.
  2. Apply the WSUS update, issued on June 08; see KB 2720211.

 

Thank you,

WSUS team
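
The hash check described in the post, as an added example that is not part of the original post or Microsoft's own tooling. It assumes "SHA2" means SHA-256; the file name and expected values are placeholders to be replaced with the real download and the values from the KB article.

```powershell
# Added example: compare downloaded files with hashes copied from the KB article.
# .NET classes are used directly so this also runs on PowerShell 2.0.

function Get-HexHash([string]$Path, [string]$Algorithm) {
    if ($Algorithm -eq 'SHA1') { $hasher = [System.Security.Cryptography.SHA1]::Create() }
    else                       { $hasher = [System.Security.Cryptography.SHA256]::Create() }
    # Resolve first: .NET resolves relative paths against the process directory.
    $full   = (Resolve-Path -LiteralPath $Path).ProviderPath
    $stream = [System.IO.File]::OpenRead($full)
    try     { $bytes = $hasher.ComputeHash($stream) }
    finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '')
}

function Test-PublishedHash([string]$Path, [string]$Algorithm, [string]$Published) {
    # Accept the value as pasted from a web page: spaces, colons, hyphens, any case.
    $expected = ($Published -replace '[\s:\-]', '').ToUpperInvariant()
    if ($Algorithm -eq 'SHA1') { $len = 40 } else { $len = 64 }
    # A malformed or placeholder value fails closed instead of being compared.
    if ($expected -notmatch "^[0-9A-F]{$len}$") { return $false }
    return ((Get-HexHash $Path $Algorithm) -eq $expected)
}

# Placeholder entries (constructed): one per downloaded file.
$updates = @(
    @{ Path   = '.\wsus-update-placeholder.exe'
       Sha1   = '<SHA1 value from the KB article>'
       Sha256 = '<SHA2 value from the KB article>' }
)

foreach ($u in $updates) {
    if (-not (Test-Path -LiteralPath $u.Path -PathType Leaf)) {
        Write-Output "$($u.Path): MISSING"
        continue
    }
    $ok1 = Test-PublishedHash $u.Path 'SHA1'   $u.Sha1
    $ok2 = Test-PublishedHash $u.Path 'SHA256' $u.Sha256
    # Both digests must match before the file is staged for installation.
    if ($ok1 -and $ok2) { $verdict = 'OK' } else { $verdict = 'MISMATCH - do not install' }
    Write-Output ("{0}: SHA1={1} SHA256={2} -> {3}" -f $u.Path, $ok1, $ok2, $verdict)
}
```

Read the expected values from the KB article over a separate, trusted connection rather than from the same location as the download, so that a tampered file and a tampered hash do not arrive together.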

Comments
  • Why don't you fix the problem by supporting OCSP Nonces?  The client validation portion of the crypto library.  Read more here: security.stackexchange.com/.../396

    Will you also set path constraints on all other CAs, and set Basic Constraints to Critical?

    Lastly, why do I have to trust a CA with all purposes enabled?  Why not allow me to set the starting point of the trust within the PKI tree?  Constrain a tier 3 CA with just code signing and let me use that for WSUS.  

    Frankly I want to trust as few roots as possible.  See this post: How feasible is it for a CA to be hacked, and how do I remove non-trusted roots: security.stackexchange.com/.../396

  • If you want to follow up, you can do so here: www.linkedin.com/.../makerofthings

  • Installed later update, keeps asking for it after every reboot, MMC broke down

    Running on Windows Server 2008 R1 x64

  • Sorry, my bad, Server service was off :)

  • Does the average Joe home PC user need to apply this update?

  • Since Security Advisory Update 2718704 was issued first, on June 3, does this mean that we need to approve 2718704 and have it installed everywhere BEFORE approving the WSUS update KB 2720211, issued on June 08?

    Or can I approve both at the same time now?

  • Cannot install update KB 2720211 error message: "Product: Windows Server Update Services 3.0 SP2 -- Error 1712. One or more of the files required to restore your computer to its previous state could not be found.  Restoration will not be possible."

  • I had to rebuild my WSUS server after installing KB272011. Just a heads up. Take a snapshot of the Wsus server before installing this. I could roll back at all...

  • Thanks for breaking our WSUS. Errors 12012, 13042, 12002, 12032, 12022, 12042, 12052 - all for free with this "fix".

  • WSUS server crashed. Error (mmc has detected an error in a snap-in and will unload it)

  • Install update via download, not via wsus

  • My WSUS Server became corrupted as well! I manually downloaded the WSUS update and ran the executable. The WSUS app had to be removed and reinstalled. The databases were rebuilt from scratch (including our 3rd party updates via SolarWinds Patch Manager). This is definitely a notable issue that is occurring for a lot of folks.

  • Now that I have installed the update, WSUS won't start.  The application log is full of SQL errors like:

    (Event 33002)

    Access to module dbo.spReturnStateMachineTransitionEventLogEntriesFromError is blocked because the signature is not valid.

    Access to module dbo.spConfiguration is blocked because the signature is not valid.

  • KB2720211 was a disaster here also. Looks like an inability to connect to the DB after the reboot. What fun..

  • Would be nice to hear back from the WSUS team. This update has been out for a week, with Technet flooded by angry admins with ruined WSUS and the only "solution" being to reinstall WSUS from scratch.

    social.technet.microsoft.com/.../136d0367-4372-41aa-b3ab-798104137677

    social.technet.microsoft.com/.../32b7bdac-be20-4d93-ac17-1d9fb3bbdfd8

    social.technet.microsoft.com/.../79f76bdf-83cc-47d1-8244-5d544fe7d21e

    social.technet.microsoft.com/.../705fb5dc-df9f-4a6d-b99b-8123b162091f

    social.technet.microsoft.com/.../91ffed49-22f6-46f7-9e68-6890dc5a8076
