Security best practices for Windows Server Update Services (WSUS)
To help provide additional protection from potential malware attacks, Microsoft recommends using HTTPS with Windows Server Update Services (WSUS). In this post, we will walk you through the steps required to configure each of your WSUS servers to use HTTPS. We will then share details on how to obtai…
...This is a weird post. I’m guessing companies that have WSUS over HTTP and have the “allow signed updates from an intranet update service” option on are having malicious applications delivered connected on hostile nation networks? It’s how I’d do it... https://t.co/SAULpgyP5F
— SwiftOnSecurity (@SwiftOnSecurity) August 15, 2020
[CORRECTION] My initial post, where I implied a code certificate is enough to sign a WSUS payload, is incorrect. That attack vector doesn’t work.
— SwiftOnSecurity (@SwiftOnSecurity) September 8, 2020
The incredible @NathanMcNulty reminded me, you also have to be directly added to the Trusted Publishers certificate store via GPO. Thx https://t.co/mBpRZfCtHo pic.twitter.com/javyyaxn8V