Applying the most recent security updates is a security best practice. Microsoft System Center Configuration Manager 2007 can make it easier to apply software updates to computers in your organization. However, there are some best practices to help prevent attackers from hijacking the software update infrastructure.

Security Best Practices

Do not change the default permissions on software update packages    By default, software update packages are set to allow administrators full control and users read access. Changing these permissions could allow an attacker to add, remove, or delete software updates.

Control access to the download location for software updates    The SMS Provider computer account and the user who will actually download the software updates to the download location both require write access to the download location. Restrict access to the download location to reduce the risk of attackers tampering with the software updates source files in the download location.

Use UTC for evaluating deployment times    If you use local time instead of UTC, users could potentially delay installation of software updates by changing the time zone on their computers.

Follow best practices for securing WSUS    For information about securing WSUS, including adding Active Directory authentication and SSL, see

If your site is in native mode, in addition to performing the typical steps for configuring SSL on the WSUS server, you must enable SSL on some additional virtual roots to support Configuration Manager 2007 native mode. For more information, see Planning for the Software Update Point Installation.

Enable CRL checking    By default, the certificate revocation list (CRL) is not checked when verifying the signature on software updates. Checking the CRL each time a certificate is used offers more security against using a certificate that has been revoked, but it introduces a connection delay and incurs additional processing on the computer performing the CRL check. For the procedure, see How to Enable CRL Checking for Software Updates.

If the software update point is configured in a perimeter network, configure the site server to retrieve the data from the site system    By default, site systems push their data back to the site server. A site system can be configured to require the site server to pull the data instead, which allows great control of the ports and permissions required for the data transfer. The setting Allow only site server initiated data transfers from this site system applies to the entire site system and all site system roles configured on it.

If you must deploy software updates to SMS 2003 clients, run the Inventory Tool for Microsoft Updates on a primary site server that is highest in the hierarchy    While it is not required to install the Inventory Tool for Microsoft Updates on the central server, you should always install it on the highest site that clients report to. If the scan tool is installed on a primary site lower in the hierarchy, the sites higher in the hierarchy are not able to report on the software updates.

Configure WSUS to use a custom web site    When installing WSUS on the software update point, you have the option to use the existing IIS Default Web site or to create a custom WSUS 3.0 Web site. You should create a custom Web site for WSUS so that Internet Information Services (IIS) hosts the WSUS 3.0 services in a dedicated virtual Web site instead of sharing the same Web site used by the other Configuration Manager 2007 site systems or other applications. For more information, see Planning for the Software Update Point Installation.

Enable BITS 2.5 for the site and the distribution points    When software updates install on clients, the source files are first downloaded to the cache on the client computer and then installed. If BITS is enabled on the distribution point, disconnection from the network while software updates are downloading does not cause the deployment to fail because BITS resumes the download, starting where it was interrupted, the next time the client has network access. If BITS is not enabled on the distribution point and a network problem occurs while downloading software update files, the software update installation fails, which could leave the client vulnerable to attack.

Privacy Information

Software updates scans your client computers to determine which software updates you require, and then sends that information back to the site database. During the software updates process, Configuration Manager 2007 might transmit information between clients and servers that identify the computer and logon accounts.

Configuration Manager 2007 maintains state information about the software distribution process. State information is not encrypted during transmission or storage. State information is stored in the site database and deleted by the database maintenance tasks. No state information is sent back to Microsoft.

The use of Configuration Manager 2007 software updates to install software updates on client computers might be subject to software license terms for those updates, which is separate from the Software License Terms for Configuration Manager 2007. You should always review and agree to the Software Licensing Terms prior to installing the software updates using Configuration Manager 2007.

Configuration Manager 2007 does not implement software updates by default and requires several configuration steps before information is collected. Before configuring software updates, consider your privacy requirements.

See Also