Announcement

Collapse
No announcement yet.

WSUS and security settings

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • ahmer_sahab
    started a topic WSUS and security settings

    WSUS and security settings

    In one of infrastructure, domain security policy does not allow users to install software and hardware. In result, computers are able to download updates from WSUS but they are not able to install those updates as users are not member of local admin as well as they do not have rights or permission to install softwares or hardwares. Is there any way, we can allow only updates from WSUS to be installed on computer and not allowing user to install any hardware or softwares.

  • Ossian
    replied
    Re: WSUS and security settings

    Ah, the voice of hope over experience

    Leave a comment:


  • ahmer_sahab
    replied
    Re: WSUS and security settings

    yup Blood. My gp settings are very similar as the snap shots you provided. But I had to grant permissions I mentioned in my previous post. Ossain is right. But my users do not save their documents in their local pc. Every thing should be saved on network servers so I am safe with securty threats Ossain mentioned.

    Leave a comment:


  • Blood
    replied
    Re: WSUS and security settings

    Here's how it is setup in our office.

    Don't need to assign extra permissions to anyone.
    Attached Files

    Leave a comment:


  • Ossian
    replied
    Re: WSUS and security settings

    I have to say this is different to every WSUS installation I have done, and suggests something odd is up with your network.

    As long as the GPO is set to "automatically download and install" the updates I have never had to grant additional permissions to standard user accounts (when set to notify, more permissions are required).

    By granting permissions on log files, your users can erase them and with take ownership they can get access to other users profiles, hence to confidential files in them. Beware!
    Last edited by Ossian; 20th May 2010, 08:12.

    Leave a comment:


  • ahmer_sahab
    replied
    Re: WSUS and security settings

    After a long research and testing, i found that users should be granted backup file and directories, debug program, restore file and directories, manage audit and security logs and take owner ship of files and directories on local machines for installing updates pushed via WSUS server. If users do not have these permissions on local pc, the updates will be downloaded from WSUS but never get installed on machines. These security settings can be granted via group policy.
    Please update if you find some thing more or you not agreed.

    Leave a comment:


  • Blood
    replied
    Re: WSUS and security settings

    Setting up WSUS via GPO usually requires careful configuration.

    Here are some referneces:

    http://technet.microsoft.com/en-us/l...39(WS.10).aspx

    http://technet.microsoft.com/en-us/l...20(WS.10).aspx

    These will lead you to other documents that may also be useful.

    Leave a comment:


  • ahmer_sahab
    replied
    Re: WSUS and security settings

    Humm.. it means it is something else that has been stopping clients to download updates. For testing, today I have approved few update on WSUS and schedule client to download and install them on Friday. I will test on Friday to see that things are working correctly or not.

    Leave a comment:


  • Blood
    replied
    Re: WSUS and security settings

    Yep - agree with hazey.

    In our installation I schedule the WSUS server to download the updates and use GPO to schedule their installation. Users cannot install updates, but the updates are installed at the scheduled time automatically. The GPO settings also allow you to control restart parameters - you can set it so that restarts are not automatic (reduces the gnashing of teeth by your users).

    Leave a comment:


  • hazey
    replied
    Re: WSUS and security settings

    in win XP users don't need to be local admins for WSUS to work, set your WSUS settings in group policy to download and install updates automatically and that is all you need to do.

    Leave a comment:


  • ahmer_sahab
    replied
    Re: WSUS and security settings

    I read the whole article. It does not got workaround or solution what I am looking for. My problem is that Users are not member of local admin group and they are not allowed to install any softwares or hardwares on their machines. Allowing users to install softwares may led to security and virus infection risk. We are finding ways to allow windows update to be installed on those systems via WSUS. I am thinking to run windows update and BITS service as local admin. I will post my result soon. If any one has same scenario how did they allow windows update to work without giving domain users extra permissions and rights

    Leave a comment:


  • ahmer_sahab
    replied
    Re: WSUS and security settings

    Thanks for your reply Ossian. I will look this article and see if I would get solution there.
    The clients are running windows xp prof sp2 and servers are windows 2000, 2003 and one Red hat server.

    Leave a comment:


  • Ossian
    replied
    Re: WSUS and security settings

    A fairly full discussion here:
    http://social.technet.microsoft.com/...2-f03737433b81

    I know much of it relates to Win7 but there is some information about WinXP settings further down

    btw, what OS are you using?

    Leave a comment:

Working...
X