This article is contributed. See the original author and article here.
To help prevent man-in-the-middle attacks, the January 2021 cumulative update for Windows 10 further improves security for devices that scan Windows Server Update Services (WSUS) for updates. These improvements build on the security changes for Windows devices scanning WSUS we introduced on September 8, 2020 and can be combined with certificate pinning for greater security. I’ll now explain these changes in more detail.
Scanning behavior changes
For devices scanning HTTPS-configured WSUS servers
For those using proxies, we have switched to using system proxy first, rather than user proxy. This ensures that we are first trying the most secure proxy path if a proxy is needed. We will no longer fall back to user proxy for scanning WSUS servers if the policy to allow user proxy as a fall back is not enabled. This ensures that admins must consciously enable a less secure method for scanning as doing so will put them at higher risk of attack.
If you need to allow devices to scan utilizing user proxy as a fallback method, you can do so by configuring one of the following policies:
- Group Policy – GPEDIT > Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify intranet Microsoft update service location > Select the proxy behavior for Windows Update client for detecting updates > “Allow user proxy to be used as fallback if detection using system proxy fails”.
- Configuration Service Provider (CSP) policy – Update/SetProxyBehaviorForUpdateDetection to 1 Allow user proxy to be used as a fallback if detection using system proxy fails.
- Configuration Manager Setting – You can also configure the new Allow User Proxy for software update scans setting to Yes to allow user proxy in Microsoft Endpoint Configuration Manager, version 2010 and later.
To further increase security, we have added the capability for customers to pin certificates (cert-pinning) and not allow scans, even with system proxy, if cert-pinning fails. This provides the highest level of security for devices but will require more overhead for the admin in order to ensure that certificate stores are properly configured.
Note: This capability is only available to those who have secured their WSUS servers with TLS protocol/HTTPS.
To enable cert-pinning, simply add the correct certificates to the new WSUS certificate store. Devices will then automatically begin enforcing cert-pinning when scanning your WSUS server. If no certificates are in your WSUS certificate store, cert-pinning will not be enforced. Further, if you do not wish devices to have this extra layer of security upon scan, you can ensure that cert-pinning is not enforced by configuring one of the following policies:
- Group Policy – GPEDIT > Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify intranet Microsoft update service location > “Do not enforce TLS certificate pinning for Windows Update client for detecting updates”
- Configuration Service Provider (CSP) policy: Update/DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection to 1 – Do not enforce certificate pinning.
For devices scanning HTTP-configured WSUS servers
For those devices scanning HTTP-configured WSUS servers, there have been no additional changes since those we introduced with the September 2020 cumulative update.
For online scans
The order of proxy selection for online scans, if a proxy is needed, has changed:
- Scan with user proxy.
- If user proxy fails, attempt scan with system proxy.
New behavior as of the January 2021 cumulative update:
- Scan with system proxy.
- If system proxy fails, attempt scan with user proxy.
This change ensures that we first try the most secure proxy path if a proxy is needed.
Note: For user-driven, interactive scenarios, we always use the user proxy, if one is available, regardless of policy configuration.
To prevent scan failures and ensure the highest level of security, please follow these recommendations:
- Don’t enable user proxy.
- If you require user proxy, enable user proxy via “Select the proxy behavior for Windows Update client for detecting updates” to ensure that devices do not encounter scan issues.
Note: While this will allow you to fallback to use user proxy for scans against your WSUS server, you should be leveraging this process only as a stop gap to continue getting updates while transitioning to system proxy or no proxy.
- Secure your WSUS server with TLS protocol/HTTP. This is pivotal to maintain the chain of trust and prevent attacks on your client computers, see Recommendations for greater security in the previous Changes to improve security for Windows devices scanning WSUS blog.
- When scanning against a TLS/HTTPS-configured WSUS server, leverage cert-pinning to get the highest level of security and keep your devices protected. (Reminder that this requires populating the device’s certificate store.)
Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.