5.1 Security Considerations

Because the server can tell the client to install binaries, it is important to prevent a man-in-the-middle or other forms of a spoof server telling the client to install binaries that will compromise the client computer (1). For this reason, it is recommended that the client perform several checks:

  • Only accept content signed by trusted certificates. The set of certificates to be considered trusted is implementation-specific.<47>

  • Only accept content whose SHA1 hash matches the SHA1 hash specified in the metadata.
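The two client-side checks above, as an added example (not code from the specification or from any Windows Update client). It assumes the metadata carries the expected digest as base64-encoded SHA-1 and that the `FileMetadata` field names, the `TRUSTED_SIGNERS` fingerprint allow-list and the placeholder fingerprint values are this example's own. The signer fingerprint passed to `verify_content` is assumed to come from the platform's signature verifier (for example Authenticode on Windows) after it has validated the signature over the content; the allow-list only decides which validated signers are trusted. One caveat worth stating: SHA-1 collision attacks are practical, so the hash check protects against corruption and mismatch with the metadata but is not a substitute for the signature check.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class FileMetadata:
    """Subset of update-file metadata a client needs for the two checks.

    Field names are this example's own (assumed), not the protocol's
    element names. The digest is carried base64-encoded (assumption).
    """
    file_name: str
    sha1_b64: str


# Implementation-specific allow-list of signing certificates, keyed by a
# certificate fingerprint. Placeholder values, constructed for this example.
TRUSTED_SIGNERS = frozenset({"PLACEHOLDER-FINGERPRINT-TRUSTED-SIGNER"})


def sha1_b64(data: bytes) -> str:
    """SHA-1 digest of data, base64-encoded the way the metadata is assumed to carry it."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def digest_matches(content: bytes, expected_b64: str) -> bool:
    """Second check: the content hash equals the hash in the metadata (constant-time compare)."""
    return hmac.compare_digest(sha1_b64(content), expected_b64)


def signer_trusted(fingerprint: str, trusted=TRUSTED_SIGNERS) -> bool:
    """First check: the certificate that signed the content is on the allow-list.

    `fingerprint` must come from the platform's signature verifier after it
    has validated the signature over the content; comparing a fingerprint
    alone, without that verification, proves nothing about the content.
    """
    return fingerprint in trusted


def verify_content(content: bytes, meta: FileMetadata, signer_fingerprint: str,
                   trusted=TRUSTED_SIGNERS):
    """Apply both checks and return (accepted, reason). Install only on True."""
    if not signer_trusted(signer_fingerprint, trusted):
        return False, "content signer not trusted"
    if not digest_matches(content, meta.sha1_b64):
        return False, "content hash does not match metadata"
    return True, "ok"


def demo():
    """Run the checks on constructed content: genuine, tampered, and untrusted signer."""
    content = b"constructed update payload, not a real binary"
    meta = FileMetadata("example-update.cab", sha1_b64(content))
    good = verify_content(content, meta, "PLACEHOLDER-FINGERPRINT-TRUSTED-SIGNER")
    # Content altered after the metadata was produced: hash check fails.
    tampered = verify_content(content + b"x", meta, "PLACEHOLDER-FINGERPRINT-TRUSTED-SIGNER")
    # Content signed by a certificate the client does not trust: signer check fails.
    spoofed = verify_content(content, meta, "PLACEHOLDER-FINGERPRINT-UNKNOWN-SIGNER")
    return good, tampered, spoofed


if __name__ == "__main__":
    for label, result in zip(("genuine", "tampered", "untrusted signer"), demo()):
        print(f"{label}: {result}")
```

The signer check runs first because a trusted signature already binds the content; the digest check then confirms the bytes are the ones the metadata described, which also catches honest corruption in transit.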

As a result, it is strongly recommended that the server be configured so that all metadata communication is done over a Secure Sockets Layer (SSL) port. Using SSL ensures that the client is communicating with the real server and so prevents a spoof server from sending the client harmful requests (for example, to uninstall patches). If the server allows downloading content via SSL, then additional checks are performed on the certificates to verify trust and confirm authenticity of the content.<48>

Because the WSUS server distributes publicly available patches (from Microsoft Update), client authentication is not a particularly important security consideration. In fact, supporting unauthenticated clients is probably the best approach because in most environments, it is more important to keep all machines patched than it is to deny access to unauthenticated clients.

There are two strategies one can use to reduce the impact of denial-of-service (DOS) attacks against the server:

  • Turn on authentication and deny access to unauthenticated clients. This will allow one to quickly disable access to rogue client machines. The downside of this approach, discussed in the section above, is that it means new clients might not get patched by default.

  • Make sure no single operation takes too much processing time on the server. That ensures that an attacker must keep up a steady stream of requests to deny access to the server, and so a simple network trace will allow one to identify the offending machine and shut it down. This applies to requests sent by "spoof clients" (for example, a virus emulating a client, which might try to pass an unbounded set of parameters to various methods).
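The detection the second strategy relies on, as an added example (not part of the specification and not the behaviour of any WSUS implementation): a small parser run over constructed trace lines that flags a client sending a steady stream of requests within a time window, and separately flags a request carrying an unbounded parameter set. The line format, the thresholds and the client addresses are this example's own assumptions; a real trace would be a packet capture or a web-server log in whatever format that server writes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed trace lines (not real WSUS logs): timestamp, client address,
# SOAP operation name and the number of parameters the request carried.
# 10.0.0.5 sends one request per second for 15 seconds; 10.0.0.7 is a
# normal client; 10.0.0.9 sends a single request with an oversized
# parameter set; one malformed line exercises the parser's skip path.
SAMPLE_TRACE = (
    [f"2024-05-01T09:00:{i:02d} 10.0.0.5 SyncUpdates params=4" for i in range(15)]
    + ["2024-05-01T09:00:03 10.0.0.7 SyncUpdates params=4",
       "2024-05-01T09:00:20 10.0.0.7 GetExtendedUpdateInfo params=6",
       "2024-05-01T09:00:08 10.0.0.9 SyncUpdates params=500",
       "this line is not a trace record"]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<op>\S+) params=(?P<params>\d+)$"
)


def parse_line(line: str):
    """Parse one constructed trace line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "client": m["client"],
        "op": m["op"],
        "params": int(m["params"]),
    }


def find_offenders(lines, window_seconds=10, max_requests=10, max_params=64):
    """Return {client: [reasons]} for clients that exceed either threshold.

    A sliding window per client (a deque of timestamps) counts how many
    requests arrived within the last `window_seconds`; exceeding
    `max_requests` marks a flood. Any single request with more than
    `max_params` parameters is flagged on its own. Lines are assumed to be
    in arrival order per client.
    """
    offenders = defaultdict(set)
    recent = defaultdict(deque)
    for rec in filter(None, map(parse_line, lines)):
        if rec["params"] > max_params:
            offenders[rec["client"]].add("oversized parameter set")
        window = recent[rec["client"]]
        window.append(rec["ts"])
        # Drop timestamps that have fallen out of the window.
        while (rec["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > max_requests:
            offenders[rec["client"]].add("request flood")
    return {client: sorted(reasons) for client, reasons in offenders.items()}


if __name__ == "__main__":
    for client, reasons in find_offenders(SAMPLE_TRACE).items():
        print(f"{client}: {', '.join(reasons)}")
```

The per-operation cost bound the text recommends is what makes this workable: if no single request can tie up the server, an attacker has to send many, and a per-client count over a short window separates that traffic from the handful of calls a normal client makes per scan.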

If the server implementation stores and displays any data passed to it from clients (for example, DnsName or BiosName), it is important to ensure that the data is not malformed—especially if it is displayed in the context of a scripting language (for example, by JScript within a webpage).
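The handling of client-supplied names the paragraph above calls for, as an added example (not code from the specification or from any WSUS server): a syntactic check for DnsName against RFC 1123 host-name rules, HTML escaping for any value shown in a page, and JSON encoding for a value embedded in a script string. The `render_cell_unsafe` function shows the concatenation that the advice warns against, beside the hardened form. Function names and the sample values are this example's own; BiosName has no strict grammar, so it gets escaping only.

```python
import html
import json
import re

# One RFC 1123 host-name label: letters, digits and hyphens, 1 to 63
# characters, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_dns_name(name: str) -> bool:
    """Syntactic check for a client-reported DnsName (whole name up to 253 chars)."""
    if not name or len(name) > 253:
        return False
    labels = name.rstrip(".").split(".")
    return all(LABEL_RE.match(label) for label in labels)


def render_cell_unsafe(value: str) -> str:
    """What the advice warns against: client-controlled text concatenated into markup."""
    return f"<td>{value}</td>"


def render_cell(value: str) -> str:
    """Hardened form for free-text fields such as BiosName: escape every HTML metacharacter."""
    return f"<td>{html.escape(value, quote=True)}</td>"


def render_dns_cell(name: str, placeholder: str = "(invalid name)") -> str:
    """Hardened form for DnsName: reject malformed names outright, then escape what is shown."""
    shown = name if is_valid_dns_name(name) else placeholder
    return render_cell(shown)


def script_string_literal(value: str) -> str:
    """Safe embedding of a client value inside a JScript/JavaScript string literal.

    JSON encoding escapes quotes, backslashes and control characters; the
    extra replacement prevents a value containing '</' from closing the
    enclosing <script> element.
    """
    return json.dumps(value).replace("</", "<\\/")


if __name__ == "__main__":
    # Constructed sample values: one well-formed name and one that carries markup.
    for value in ("host-01.corp.example", "<b>not-a-host</b>"):
        print("unsafe:", render_cell_unsafe(value))
        print("safe:  ", render_dns_cell(value))
        print("script:", script_string_literal(value))
```

Validation and escaping are separate controls: the syntax check keeps the stored data well-formed for every consumer, and the escaping step makes the display safe even for fields that have no grammar to validate against.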