Hi,
There is a hardening setting in CIS IIS10, 2.1 (L1) Ensure 'global authorization rule' is set to restrict access, that recommends removing All Users.
What is the rule to set to allow for? Or must WSUS use "Allow All Users"?
Thanks and regards
Configuring a global Authorization rule that restricts access will ensure inheritance of the
settings down through the hierarchy of web directories; if that content is copied elsewhere,
the authorization rules flow with it. This will ensure access to current and future content is
only granted to the appropriate principals, mitigating risk of accidental or unauthorized
access.
Audit:
At the web site or application level, verify that the authorization rule configured has been
applied:
1. Connect to Internet Information Services (IIS Manager)
2. Select the site or application where Authorization was configured
3. Select Authorization Rules and verify the configured rules were added
To verify an authorization rule specifying no access to all users except the Administrators
group, browse to and open the web.config file for the configured site/application/content:
<configuration>
  <system.webServer>
    <security>
      <authorization>
        <remove users="*" roles="" verbs="" />
        <add accessType="Allow" roles="administrators" />
      </authorization>
    </security>
  </system.webServer>
</configuration>
Remediation:
To configure URL Authorization at the server level using IIS Manager:
1. Connect to Internet Information Services (IIS Manager)
2. Select the server
3. Select Authorization Rules
4. Remove the "Allow All Users" rule
5. Click Add Allow Rule…
6. Allow access to the user(s), user groups, or roles that are authorized across all of the
web sites and applications (e.g. the Administrators group)
If the Answer is helpful, please click Accept Answer and up-vote, this can be beneficial to other community members.
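As an added example (not part of the CIS benchmark text or of any post in this thread), the web.config audit described above can be scripted in PowerShell. The function name Test-GlobalAuthorizationRule and the sample XML are constructed for illustration, and the script assumes the parent level still carries the IIS default "Allow All Users" rule.

```powershell
# Added example: audit the <authorization> section of a web.config for CIS 2.1.
# Test-GlobalAuthorizationRule is a hypothetical helper; Deny rules are not evaluated.
function Test-GlobalAuthorizationRule {
    param(
        [Parameter(Mandatory)][string]$ConfigXml,
        # Assumption: the parent level still has the IIS default "Allow All Users" rule.
        [bool]$InheritsAllowAll = $true
    )
    $doc  = [xml]$ConfigXml
    $auth = $doc.SelectSingleNode('/configuration/system.webServer/security/authorization')
    if ($null -eq $auth) {
        # No section at this level: the parent's rules apply unchanged.
        return [pscustomobject]@{ AllowAllInEffect = $InheritsAllowAll; AllowRules = @() }
    }
    $allowAll   = $InheritsAllowAll
    $allowRules = @()
    foreach ($node in $auth.ChildNodes) {
        if ($node.NodeType -ne [System.Xml.XmlNodeType]::Element) { continue }
        $users = $node.GetAttribute('users')
        $roles = $node.GetAttribute('roles')
        switch ($node.LocalName) {
            'clear'  { $allowAll = $false }                        # drops every inherited rule
            'remove' { if ($users -eq '*') { $allowAll = $false } } # drops inherited Allow *
            'add' {
                if ($node.GetAttribute('accessType') -eq 'Allow') {
                    if ($users -eq '*') { $allowAll = $true }      # Allow * re-added here
                    $allowRules += "users='$users' roles='$roles'"
                }
            }
        }
    }
    [pscustomobject]@{ AllowAllInEffect = $allowAll; AllowRules = $allowRules }
}

# Constructed sample: the rule set shown in the benchmark text above.
$sample = @'
<configuration>
  <system.webServer>
    <security>
      <authorization>
        <remove users="*" roles="" verbs="" />
        <add accessType="Allow" roles="administrators" />
      </authorization>
    </security>
  </system.webServer>
</configuration>
'@
Test-GlobalAuthorizationRule -ConfigXml $sample | Format-List
```

To check a real site, pass the file contents with `-ConfigXml (Get-Content -Raw <path to web.config>)`.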
I have tried adding:
administrators
domain\Domain Users
domain\Domain Admins
NT AUTHORITY\Authenticated Users
Network Service
Local System
but I am still unable to get clients to successfully connect to WSUS, facing error (0x80244022) or unable to connect to update services.
Any other rules I need to add to get WSUS working?
You can try the following steps to solve the 0x80244022 error.
On your WSUS Server, launch the IIS Manager.
Click 'Application Pools' in the Connections list.
Right-click 'WSUSPool' and select 'Start' to restart the WSUSPool.
If the answer is helpful, please click "Accept Answer" and upvote it.
The memory limit is set to 0, which has no limit.
Hi @GanSengLeng-8808 You can also try changing the "Queue Length" from the default 1,000 to 25,000.
Hi,
I have tried to increase the queue length and memory limit but the error is still persistent.
Once I allow "All users" in the .Net authorization rule, clients are able to get updates from WSUS. Has anyone tried other users/groups other than "All Users"?