Announcement

Collapse
No announcement yet.

WSUS and security settings

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • WSUS and security settings

    In one of infrastructure, domain security policy does not allow users to install software and hardware. In result, computers are able to download updates from WSUS but they are not able to install those updates as users are not member of local admin as well as they do not have rights or permission to install softwares or hardwares. Is there any way, we can allow only updates from WSUS to be installed on computer and not allowing user to install any hardware or softwares.

  • #2
    Re: WSUS and security settings

    A fairly full discussion here:
    http://social.technet.microsoft.com/...2-f03737433b81

    I know much of it relates to Win7 but there is some information about WinXP settings further down

    btw, what OS are you using?
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    Comment


    • #3
      Re: WSUS and security settings

      Thanks for your reply Ossian. I will look this article and see if I would get solution there.
      The clients are running windows xp prof sp2 and servers are windows 2000, 2003 and one Red hat server.

      Comment


      • #4
        Re: WSUS and security settings

        I read the whole article. It does not got workaround or solution what I am looking for. My problem is that Users are not member of local admin group and they are not allowed to install any softwares or hardwares on their machines. Allowing users to install softwares may led to security and virus infection risk. We are finding ways to allow windows update to be installed on those systems via WSUS. I am thinking to run windows update and BITS service as local admin. I will post my result soon. If any one has same scenario how did they allow windows update to work without giving domain users extra permissions and rights

        Comment


        • #5
          Re: WSUS and security settings

          in win XP users don't need to be local admins for WSUS to work, set your WSUS settings in group policy to download and install updates automatically and that is all you need to do.

          Comment


          • #6
            Re: WSUS and security settings

            Yep - agree with hazey.

            In our installation I schedule the WSUS server to download the updates and use GPO to schedule their installation. Users cannot install updates, but the updates are installed at the scheduled time automatically. The GPO settings also allow you to control restart parameters - you can set it so that restarts are not automatic (reduces the gnashing of teeth by your users).
            A recent poll suggests that 6 out of 7 dwarfs are not happy

            Comment


            • #7
              Re: WSUS and security settings

              Humm.. it means it is something else that has been stopping clients to download updates. For testing, today I have approved few update on WSUS and schedule client to download and install them on Friday. I will test on Friday to see that things are working correctly or not.

              Comment


              • #8
                Re: WSUS and security settings

                Setting up WSUS via GPO usually requires careful configuration.

                Here are some referneces:

                http://technet.microsoft.com/en-us/l...39(WS.10).aspx

                http://technet.microsoft.com/en-us/l...20(WS.10).aspx

                These will lead you to other documents that may also be useful.
                A recent poll suggests that 6 out of 7 dwarfs are not happy

                Comment


                • #9
                  Re: WSUS and security settings

                  After a long research and testing, i found that users should be granted backup file and directories, debug program, restore file and directories, manage audit and security logs and take owner ship of files and directories on local machines for installing updates pushed via WSUS server. If users do not have these permissions on local pc, the updates will be downloaded from WSUS but never get installed on machines. These security settings can be granted via group policy.
                  Please update if you find some thing more or you not agreed.

                  Comment


                  • #10
                    Re: WSUS and security settings

                    I have to say this is different to every WSUS installation I have done, and suggests something odd is up with your network.

                    As long as the GPO is set to "automatically download and install" the updates I have never had to grant additional permissions to standard user accounts (when set to notify, more permissions are required).

                    By granting permissions on log files, your users can erase them and with take ownership they can get access to other users profiles, hence to confidential files in them. Beware!
                    Last edited by Ossian; 20th May 2010, 08:12.
                    Tom Jones
                    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                    PhD, MSc, FIAP, MIITT
                    IT Trainer / Consultant
                    Ossian Ltd
                    Scotland

                    ** Remember to give credit where credit is due and leave reputation points where appropriate **

                    Comment


                    • #11
                      Re: WSUS and security settings

                      Here's how it is setup in our office.

                      Don't need to assign extra permissions to anyone.
                      Attached Files
                      A recent poll suggests that 6 out of 7 dwarfs are not happy

                      Comment


                      • #12
                        Re: WSUS and security settings

                        yup Blood. My gp settings are very similar as the snap shots you provided. But I had to grant permissions I mentioned in my previous post. Ossain is right. But my users do not save their documents in their local pc. Every thing should be saved on network servers so I am safe with securty threats Ossain mentioned.

                        Comment


                        • #13
                          Re: WSUS and security settings

                          Ah, the voice of hope over experience
                          Tom Jones
                          MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                          PhD, MSc, FIAP, MIITT
                          IT Trainer / Consultant
                          Ossian Ltd
                          Scotland

                          ** Remember to give credit where credit is due and leave reputation points where appropriate **

                          Comment

                          Working...
                          X