0 Votes
GanSengLeng-8808 asked GanSengLeng-8808 commented

WSUS IIS hardening

Hi,

There is a hardening setting in CIS IIS10 2.1 (L1) Ensure 'global authorization rule' is set to restrict access that recommends removing All Users.

What is the rule to set to allow for? Or must WSUS use "Allow All Users"?

Thanks and regards

windows-server-iis

0 Votes
learn2skills answered

Hi @GanSengLeng-8808

Configuring a global Authorization rule that restricts access will ensure inheritance of the settings down through the hierarchy of web directories; if that content is copied elsewhere, the authorization rules flow with it. This will ensure access to current and future content is only granted to the appropriate principals, mitigating risk of accidental or unauthorized access.

Audit:
At the web site or application level, verify that the authorization rule configured has been applied:
1. Connect to Internet Information Services (IIS Manager)
2. Select the site or application where Authorization was configured
3. Select Authorization Rules and verify the configured rules were added

To verify an authorization rule specifying no access to all users except the Administrators group, browse to and open the web.config file for the configured site/application/content:

    <configuration>
      <system.webServer>
        <security>
          <authorization>
            <!-- Drop the inherited "Allow All Users" rule -->
            <remove users="*" roles="" verbs="" />
            <!-- Allow only members of the Administrators group -->
            <add accessType="Allow" roles="administrators" />
          </authorization>
        </security>
      </system.webServer>
    </configuration>

Remediation:
To configure URL Authorization at the server level using IIS Manager:
1. Connect to Internet Information Services (IIS Manager)
2. Select the server
3. Select Authorization Rules
4. Remove the "Allow All Users" rule
5. Click Add Allow Rule…
6. Allow access to the user(s), user groups, or roles that are authorized across all of the web sites and applications (e.g. the Administrators group)

https://docs.microsoft.com/en-us/iis/manage/configuring-security/understanding-iis-url-authorization#configuring-url-authorization




If the Answer is helpful, please click Accept Answer and up-vote, this can be beneficial to other community members.
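
The audit check described in the answer above can also be run offline against a copy of web.config. This is an added example, not part of the original answer or the CIS benchmark: it applies the file's `<clear/>`, `<remove/>` and `<add/>` elements to the inherited rule list and reports any Allow rule that still names all users. Assumptions: the inherited server-level default is IIS's stock Allow `users="*"` rule, the function names are hypothetical, and Deny precedence is not evaluated.

```python
import xml.etree.ElementTree as ET

# Assumption: the server-level default being inherited is IIS's stock rule, Allow users="*".
INHERITED = [{"accessType": "Allow", "users": "*", "roles": "", "verbs": ""}]
KEY = ("users", "roles", "verbs")  # attributes that identify a rule for <remove>

def effective_rules(web_config_xml, inherited=INHERITED):
    """Apply <clear/>, <remove/> and <add/> in document order to the inherited rules."""
    rules = [dict(r) for r in inherited]
    section = ET.fromstring(web_config_xml).find("system.webServer/security/authorization")
    if section is None:
        return rules  # no override in this file: inherited rules apply unchanged
    for el in section:
        ident = {k: el.get(k, "") for k in KEY}
        if el.tag == "clear":
            rules = []
        elif el.tag == "remove":
            rules = [r for r in rules if any(r[k] != ident[k] for k in KEY)]
        elif el.tag == "add":
            rules.append({"accessType": el.get("accessType", ""), **ident})
    return rules

def wildcard_allows(rules):
    """Allow rules that still name "*" (all users) or "?" (anonymous users)."""
    return [r for r in rules if r["accessType"].lower() == "allow"
            and {u.strip() for u in r["users"].split(",")} & {"*", "?"}]

# Constructed sample: the rule set quoted in the answer above.
HARDENED = """<configuration><system.webServer><security><authorization>
  <remove users="*" roles="" verbs="" />
  <add accessType="Allow" roles="administrators" />
</authorization></security></system.webServer></configuration>"""

# Constructed sample: an Allow rule added without removing the inherited one.
MISSING_REMOVE = """<configuration><system.webServer><security><authorization>
  <add accessType="Allow" roles="administrators" />
</authorization></security></system.webServer></configuration>"""

if __name__ == "__main__":
    for name, xml in (("HARDENED", HARDENED), ("MISSING_REMOVE", MISSING_REMOVE)):
        rules = effective_rules(xml)
        print(name, "FAIL" if wildcard_allows(rules) else "PASS", rules)
```

The second sample shows why the `<remove>` line matters: adding an Allow rule for Administrators on its own leaves the inherited "Allow All Users" rule in effect.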





0 Votes
GanSengLeng-8808 answered

I have tried adding:
administrators
domain\Domain Users
domain\Domain Admins
NT AUTHORITY\Authenticated Users
Network Service
Local System

but still unable to get clients to successfully connect to WSUS, facing error (0x80244022) or unable to connect to update services.

Any other rules I need to add to get WSUS working?

0 Votes
SamWu-MSFT answered SamWu-MSFT edited

Hi @GanSengLeng-8808

You can try the following steps to solve the 0x80244022 error.

  1. On your WSUS Server, launch the IIS Manager.

  2. Click 'Application Pools' in the Connections list.

  3. Right-click 'WSUSPool' and select 'Start' to restart the WSUSPool.


If the answer is helpful, please click "Accept Answer" and upvote it.

0 Votes
GanSengLeng-8808 answered GanSengLeng-8808 commented

The memory limit is set to 0, which has no limit.


Hi @GanSengLeng-8808 You can also try changing the "Queue Length" from the default 1,000 to 25,000.

0 Votes 0 ·

Hi,

Have tried to increase queue length and memory limit but the error is still persistent.

Once I allow "All users" in the .NET authorization rule, clients are able to get updates from WSUS. Has anyone tried other users/groups other than "All Users"?

0 Votes 0 ·