Further Hardening of WSUS Now Available

Hello, 

As we mentioned previously, Microsoft is releasing an update to further harden the Windows Server Update Services (WSUS) as a defense-in-depth precaution for our customers. This update is now available for download. As an additional measure, we are providing the SHA1 and SHA2 hashes of the WSUS update and the WU client files we released today. This allows administrators to verify that the files they download are from Microsoft. The hashes are listed in the update KB article. We strongly urge WSUS administrators to apply these updates as soon as possible to take advantage of the added security they offer. If you’d like to read more, please review the MSRC blog for more information.

Please follow the following steps to ensure a smooth deployment:

1. Apply Security Advisory Update 2718704, issued on June 3, which moved unauthorized digital certificates derived from a Microsoft Certificate Authority to the Untrusted Store.
2. Apply the WSUS update, issued on June 08, see KB 2720211.

 

Thank you,

WSUS team

Comments

• Anonymous
  June 08, 2012
  Why don't you fix the problem by supporting OCSP Nonces?  The client validation portion of the crypto library.  Read more here:::::   security.stackexchange.com/.../396 Will you also set path constraints on all other CAs, and set Basic Constraints to Critical? Lastly, why do I have to trust a CA with all purposes enabled?  Why not allow me to set the starting point of the trust within the PKI tree?  Contrain a tier 3 CA with just code signing and let me use that for WSUS.   Frankly I want to trust as few roots as possible.  See this post: How feasible is it for a CA to be hacked, and how do I remove non-trusted roots::::: security.stackexchange.com/.../396

• Anonymous
  June 08, 2012
  If you want to follow up, you can do so here: www.linkedin.com/.../makerofthings

• Anonymous
  June 09, 2012
  Installed later update, keeps asking for in after every reboot, MMC broke down Running on Windows Server 2008 R1 x64

• Anonymous
  June 09, 2012
  Sorry, my bad, Server service was off :)

• Anonymous
  June 09, 2012
  Does the average Joe home PC user need to apply this update?

• Anonymous
  June 11, 2012
  Since Security Advisory Update 2718704, was issued first on June 3 does this mean that we need approve 2718704 and have it installed everywhere BEFORE approving the WSUS update KB 2720211, issued on June 08? Or can I approve both at the same time now?

• Anonymous
  June 12, 2012
  Cannot install update KB 2720211 error message: "Product: Windows Server Update Services 3.0 SP2 -- Error 1712. One or more of the files required to restore your computer to its previous state could not be found.  Restoration will not be possible."

• Anonymous
  June 12, 2012
  I had to rebuild my WSUS server after installing KB272011. Just a heads up. Take a snapshot of the Wsus server before installing this. I could roll back at all...

• Anonymous
  June 12, 2012
  Thanks for breaking our WSUS. Errors 12012, 13042, 12002, 12032, 12022, 12042, 12052 - all for free with this "fix".

• Anonymous
  June 12, 2012
  Wsus Server crashed . Error ( mmc has detected an error in a snap-in and will unload it )

• Anonymous
  June 13, 2012
  Install update via download, not via wsus

• Anonymous
  June 13, 2012
  My WSUS Server became corrupted as well! I manually downloaded the WSUS update and ran the executable. The WSUS app had to be removed and reinstalled. The databases were rebuilt from scratch (including our 3rd party updates via SolarWinds Patch Manager). This is definitely a notable issue that is occurring for a lot of folks.

• Anonymous
  June 13, 2012
  Now that I have installed the update, WSUS won't start.  The application log is full of SQL errors like: (Event 33002) Access to module dbo.spReturnStateMachineTransitionEventLogEntriesFromError is blocked because the signature is not valid. Access to module dbo.spConfiguration is blocked because the signature is not valid.

• Anonymous
  June 13, 2012
  KB2720211 was a disaster here also. Looks like an inability to connect to the DB after the reboot. What fun..

• Anonymous
  June 14, 2012
  The comment has been removed

• Anonymous
  June 14, 2012
  The problem that I ran across is the installer just doesn't work correctly.  I had to manually extract a DLL file, a CER file, and a SQL file and place them in the appropriate location on my machine and then re-run the patch for it to correctly install.  Before, I was getting a ton of errors about not accepting the signed files.  Look at the response from chucker2. social.technet.microsoft.com/.../e918a191-ef6d-4c4b-b83a-7a4ae20a5217

• Anonymous
  June 19, 2012
  We have applied the update to several of our SCCM servers (with a SUP) and the update appears to have broken the update services service as it refuses to start now.  Those servers are now throwing wsus sync errors back to the primary.   Not looking forward to 20+ boxes to reinstall.....

• Anonymous
  June 20, 2012
  For those running into "issues" with or after installing KB2720211 see blogs.technet.com/.../wsus-kb272011-common-issues-encountered-and-how-to-fix-them.aspx

• Anonymous
  July 08, 2012
  thank you http://www.kodes.com Hiphop, Rap, Ceza, sagopa, Kolera http://www.gekkog.com Hiphop, Rap, Gekko G http://www.maskanimasyon.com Animasyon

• Anonymous
  March 19, 2013
  Thanks you comment's room www.cinselsohbetchat.org

• Anonymous
  February 18, 2014
  This is a collection of the top Microsoft Support solutions to the most common issues experienced using

• Anonymous
  December 10, 2014
  Sigh, problem hit me with SCCM 2007 after installing October 2014 patches. WSUS didn't syncronize anymore with error messages "The given certificate chain has not Microsoft Root CA signed root" and "The server certificate did not comply with the following policy: CertificateChainPolicy". After I installed both paches synchronization started working again. Wonder, what changed with October 2014 updates...

• Anonymous
  October 10, 2015
  Thank you for sharing this fine article. Keep up the good works.
  dizi fragmanlari http://www.trbolumfragman.com

• Anonymous
  March 19, 2016
  http://www.seodanismanlik.net/htaccess-ile-sef-url-yapimi-2.html
  http://www.seodanismanlik.net/seoya-baslangic-ipuclari.html
  http://www.seodanismanlik.net/altin-degerinde-icerik-hazirlama-teknikleri.html
  http://www.seodanismanlik.net/adim-adim-anahtar-kelimeler.html
  http://www.seodanismanlik.net/wpseo-eklentisi-ve-faydalari.html
  http://www.seodanismanlik.net/seo-meta-eklentisi.html
  http://www.seodanismanlik.net/seo-kelimesinin-gizli-anlami.html
  http://www.seodanismanlik.net/microsoftdan-sok-aciklama-arama-sonuclarini-calmadik.html
  http://www.seodanismanlik.net/google-adsense-odeme-degisikligi-iban-ve-bic.html
  http://www.seodanismanlik.net/google-seo-icin-avantajlar.html
  http://www.seodanismanlik.net/site-gelecegi-ve-kazanc-mantigimiz.html
  http://www.seodanismanlik.net/toplist-backlink-mantigi.html
  http://www.seodanismanlik.net/css3-sayesinde-ozellik-farki.html
  http://www.seodanismanlik.net/image-slider-ile-otomatik-olcekleme.html
  http://www.seodanismanlik.net/htaccess-ile-sef-url-yapimi.html
  http://www.seodanismanlik.net/turkce-webmaster-araci-wmaraci.html
  http://www.seodanismanlik.net/seo-danismanligi-diye-kandirilmayin.html
  http://www.seodanismanlik.net/wp-sayfa-uzantilarinizi-html-yapma-eklentisi.html
  http://www.seodanismanlik.net/sosyal-medya-ve-internet-nereye-gidiyor.html
  http://www.seodanismanlik.net/fb-com-8-5-milyon-dolara-satildi.html
  http://www.seodanismanlik.net/sahte-oyun-siteleri-tehlike-saciyor.html
  http://www.seodanismanlik.net/google-da-kacinci-siradayim.html
  http://www.seodanismanlik.net/gov-ve-edu-backlink-bulmanin-yollari-kaliteli-backlink.html
  http://www.seodanismanlik.net/sitemap-ne-kadar-onemlidir.html
  http://www.seodanismanlik.net/google-sandbox-nedir.html
  http://www.seodanismanlik.net/arama-motoru-optimizasyonu.html
  http://www.seodanismanlik.net/referanslarimiz
  http://www.seodanismanlik.net/hizmetler
  http://www.seodanismanlik.net/backlink