WSUS IIS hardening

Gan Seng Leng 1 Reputation point
2021-06-01T09:27:37.483+00:00

Hi,

There is a hardening setting in CIS IIS10, 2.1 (L1) Ensure 'global authorization rule' is set to restrict access, that recommends removing All Users.

What rule should be set to allow access? Or must WSUS use "Allow All Users"?

Thanks and regards

Internet Information Services

5 answers

  1. SUNOJ KUMAR YELURU 13,951 Reputation points MVP
    2021-06-01T12:17:23.72+00:00

    Hi @Gan Seng Leng

    Configuring a global Authorization rule that restricts access will ensure inheritance of the
    settings down through the hierarchy of web directories; if that content is copied elsewhere,
    the authorization rules flow with it. This will ensure access to current and future content is
    only granted to the appropriate principals, mitigating risk of accidental or unauthorized
    access.
    Audit:

    At the web site or application level, verify that the authorization rule configured has been
    applied:

    1. Connect to Internet Information Services (IIS Manager)
    2. Select the site or application where Authorization was configured
    3. Select Authorization Rules and verify the configured rules were added
      To verify an authorization rule specifying no access to all users except the Administrators
      group, browse to and open the web.config file for the configured site/application/content:

      <configuration>
        <system.webServer>
          <security>
            <authorization>
              <remove users="*" roles="" verbs="" />
              <add accessType="Allow" roles="administrators" />
            </authorization>
          </security>
        </system.webServer>
      </configuration>

    Remediation:

    To configure URL Authorization at the server level using IIS Manager:

    1. Connect to Internet Information Services (IIS Manager)
    2. Select the server
    3. Select Authorization Rules
    4. Remove the "Allow All Users" rule
    5. Click Add Allow Rule…
    6. Allow access to the user(s), user groups, or roles that are authorized across all of the
      web sites and applications (e.g. the Administrators group)

    https://learn.microsoft.com/en-us/iis/manage/configuring-security/understanding-iis-url-authorization#configuring-url-authorization

    If the Answer is helpful, please click Accept Answer and up-vote, this can be beneficial to other community members.

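The audit step in the answer above, as an added example that is not part of the original thread or the CIS text: PowerShell that replays the `<add>`/`<remove>`/`<clear>` entries of each `<authorization>` section from the server level down and reports whether an Allow rule for all users (`users="*"`) is still in effect. The function names and the server-level sample are assumptions constructed for illustration; the site-level sample is the snippet from the answer.

```powershell
# Server-level default rule (constructed sample; the "Allow All Users" rule in IIS Manager).
$serverXml = @'
<authorization>
  <add accessType="Allow" users="*" />
</authorization>
'@
# Site-level web.config section as shown in the answer above.
$siteXml = @'
<authorization>
  <remove users="*" roles="" verbs="" />
  <add accessType="Allow" roles="administrators" />
</authorization>
'@

# Hypothetical helper: replays collection entries in order, server -> site -> application.
function Get-EffectiveAuthorizationRules {
    param([string[]]$AuthorizationXml)
    $rules = @()
    foreach ($fragment in $AuthorizationXml) {
        foreach ($node in ([xml]$fragment).DocumentElement.ChildNodes) {
            if ($node.NodeType -ne 'Element') { continue }   # skip comments
            $users = $node.GetAttribute('users')
            $roles = $node.GetAttribute('roles')
            # A missing attribute reads as "", so <remove users="*" roles="" verbs="" />
            # matches <add accessType="Allow" users="*" />.
            $key = '{0}|{1}|{2}' -f $users, $roles, $node.GetAttribute('verbs')
            switch ($node.LocalName) {
                'clear'  { $rules = @() }
                'remove' { $rules = @($rules | Where-Object { $_.Key -ne $key }) }
                'add'    { $rules += [pscustomobject]@{
                               Key = $key; Users = $users; Roles = $roles
                               AccessType = $node.GetAttribute('accessType') } }
            }
        }
    }
    $rules
}

# Hypothetical check: is an Allow rule covering all users ("*") still in effect?
function Test-AllUsersAllowed {
    param([string[]]$AuthorizationXml)
    $hits = @(Get-EffectiveAuthorizationRules $AuthorizationXml | Where-Object {
        $_.AccessType -eq 'Allow' -and (($_.Users -split ',').Trim() -contains '*') })
    $hits.Count -gt 0
}

Test-AllUsersAllowed @($serverXml)             # server default only
Test-AllUsersAllowed @($serverXml, $siteXml)   # server default plus the site web.config
```

Input is the `<authorization>` fragments in inheritance order; `<location>` overrides are not handled.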

  2. Gan Seng Leng 1 Reputation point
    2021-06-02T05:42:52.02+00:00

    I have tried adding:
    administrators
    domain\Domain Users
    domain\Domain Admins
    NT AUTHORITY\Authenticated Users
    Network Service
    Local System

    but I am still unable to get clients to successfully connect to WSUS, facing error (0x80244022) or unable to connect to update services.

    Are there any other rules I need to add to get WSUS working?


  3. Sam Wu-MSFT 7,041 Reputation points Microsoft Vendor
    2021-06-02T14:09:07.62+00:00

    Hi @Gan Seng Leng

    You can try the following steps to solve the 0x80244022 error.

    1. On your WSUS Server, launch the IIS Manager.
    2. Click 'Application Pools' in the Connections list.
    3. Right-click 'WSUSPool' and select 'Start' to restart the WSUSPool.

    If the answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  4. Gan Seng Leng 1 Reputation point
    2021-06-03T10:14:06.84+00:00

    The memory limit is set to 0, which has no limit.


  5. Gan Seng Leng 21 Reputation points
    2022-09-27T04:31:45.82+00:00

    Anyone have this issue?
