Permissions on WSUS Directories and Registry Keys

  • Article

 

Applies To: Windows Server Update Services, Windows Small Business Server 2011 Standard, Windows Server 2008 R2, Windows Server 2003 with SP2, Windows Server 2008 R2 with SP1

To operate correctly, Windows Server Update Services (WSUS) 3.0 SP2 requires that permissions for the WSUS web services folders and registry keys be correctly set. This topic describes how to check these permissions.

In this topic:

Access control lists

Use the icacls system command to display or modify folder or file access control lists (ACLs). The output of this command specifies the level of access and whether the access is inherited. For more information about the icacls command, see Icacls.

WSUS Setup creates the following web service folders under the <drive>:\Program Files\Update Services folder, where <drive>:\Program Files\Update Services is the drive and folder where WSUS is installed.

  • \WebServices\apiremoting30

  • \WebServices\clientwebservice

  • \WebServices\dssauthwebservice

  • \WebServices\reportingwebservice

  • \WebServices\serversyncwebservice

  • \WebServices\simpleauthwebservice

  • \Inventory

  • \Selfupdate

All of these folders, except for the \Selfupdate folder, should have the following ACLs:

  • NT AUTHORITY\NETWORK SERVICE:(OI)(CI)R

  • BUILTIN\Users:(OI)(CI)R

  • NT AUTHORITY\Authenticated Users:(OI)(CI)R

  • BUILTIN\Administrators:(OI)(CI)F

  • NT AUTHORITY\SYSTEM:(OI)(CI)F

The \Selfupdate folder should have the following ACLs:

  • BUILTIN\Users:(OI)(CI)R

  • BUILTIN\Administrators:(OI)(CI)F

  • NT AUTHORITY\SYSTEM:(OI)(CI)F

Permissions for WSUS registry keys

Warning

Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

The following permissions are set for the registry during WSUS Setup:

  • The Users and WSUS Reporters groups have Read permissions to the \HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server registry key.

  • The following accounts must have Full Control permissions to the \HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup registry key:

    • Network Service

    • WSUS Administrators

    • Administrators

    • System

See Also

Troubleshoot an Existing WSUS 3.0 SP2 Installation
Secure the WSUS 3.0 SP2 Deployment
WSUS 3.0 SP2 Security Settings