IMHO.... If you have an attacker with the ability to man in the middle on your internal network you got bigger problems that WSUS.
Am I saying WSUS should "never" use SSL? Not at all. What I am saying though is if you aren't using SSL for all of your other IIS server (ConfigMgr included) then why bother with WSUS. From: [email protected] [mailto:[email protected]] On Behalf Of SCCM FUN Sent: Tuesday, August 11, 2015 1:23 PM To: [email protected] Subject: [mssms] WSUS SSL Man in the middle attack I'm terrible when it comes to SSL, just never been able to get my brain wrapped around it. When reading this article about how WSUS if it isn't secured with SSL can be hijacked by a man in the middle attack, they state that the WSUS server contacting MS needs to have SSL enabled. What if you have a CAS that contacts MS, does the primary that also has WSUS need SSL enabled, or since it wont contact MS, enabling SSL isn't needed? https://threatpost.com/manipulating-wsus-to-own-enterprises/114168 What about if you're using SCUP and you need to download the .cab from Adobe, will enabling SSL on the CAS WSUS cause any issues? How have others remediated this? ________________________________ Confidentiality Notice: This e-mail is from a law firm and may be protected by the attorney-client or work product privileges. If you have received this message in error, please notify the sender by replying to this e-mail and then delete it from your computer.
