Thanks to it you can safety update Windows servers deployed in DMZs without allowing them to reach the Internet as web clients.
This is particularly important for two reasons:
- in case someone can hijack Windows Updates sites your servers are eventually taken
- if you authorize servers to run HTTP requests outside, you won't probabily notice an hacking on them when the attacker used an HTTP reverse shell to remotely control your machine
So having a dedicated WSUS in the DMZ is a good thing. But how can we protect that WSUS from being attacked?
Once upon a time Microsoft sent SUS updating CDs to customers for free. Then one day this opportunity simply disappeared from the site. I guess sending physical CDs for free was a bit unpratical...
Today Microsoft goes back that way but offers monthly ISO images of SUS/WSUS updating CDs. This is even better!
So you can download them at will without delivery risks, and eventually map them on virtual machines without burninng, if you works with virtual datacenters.
Obviouly the monthly CD can also be used to update single Windows boxes, without restrictions.
You can download it here.
0 comments:
Post a Comment