Closed (MexHigh closed this issue 2 years ago)
I’ll be happy if you can describe the high level algorithm (checks to be performed, ms doc, .. ) that you expect to be implemented.
Ok, will do it until Saturday, thanks
WSUS clients can be attacked to perform a local privilege escalation by injecting installation files and instructions into the Windows Update response of the WSUS server with the help of a proxy.
Unprivileged domain users may set a user proxy that is used for this purpose. Since the cumulative updates from September 2020 and January 2021, WSUS clients do not use the user proxy to connect to the server by default. However, it is possible to configure a GPO setting that allows the connection via user proxy as a fallback to the system proxy.
There are tools that can even intercept HTTPS connections, but it is a good idea to enforce HTTPS anyways (due to network related attacks).
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Specify intranet Microsoft update service location should not contain http://.
(refers to registry keys HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\WUServer and HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\UpdateServiceUrlAlternate)

Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Specify intranet Microsoft update service location should be set to "Only use system proxy for detecting updates (default)".
(refers to registry key HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\SetProxyBehaviorForUpdateDetection == 0x0 or not existent)

Even though HTTPS makes it harder for attackers to intercept WSUS responses, it is still possible with a specific configuration. HTTPS connections may be intercepted by a proxy that signs the response again with a self-signed certificate after receiving it from the WSUS server. The certificate can be installed in a user cert store so responses from the HTTPS proxy can still be validated.
In the cumulative update of January 2021, Microsoft implemented a certificate pinning mechanism where the certificate served by the WSUS' IIS server is installed in a system cert store specifically for WSUS (WindowsServerUpdateServices) that an unauthenticated user cannot control. Certificates in this store are enforced by default to mitigate HTTPS-intercepting proxy attacks, but this pinning mechanism can also be disabled via GPO.
If the WSUS cert store does not contain any certificates, the pinning will not be enforced either. But I don't know if Pingcastle is able to check which certificates are installed on the client computers.
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Specify intranet Microsoft update service location should be unticked (default).
(refers to registry key HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection == 0x0 or not existent)

WindowsServerUpdateServices (if this is possible)

First version completed. Can you contact me via support@pingcastle.com to see if the version matches the requirements? Thanks
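An added example, not part of this issue and not PingCastle's own rule code: a PowerShell audit of a single client that applies the checks listed above (plain http:// in WUServer/UpdateServiceUrlAlternate, SetProxyBehaviorForUpdateDetection, DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection, and an empty WindowsServerUpdateServices store). The store path Cert:\LocalMachine\WindowsServerUpdateServices is assumed from the store name given above.

```powershell
# Added audit script (not PingCastle's code). Run in an elevated PowerShell on a WSUS client.
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$findings = New-Object System.Collections.Generic.List[string]

function Get-PolicyValue {
    param([string]$Name)
    # Returns $null when the value (or the whole policy key) does not exist.
    $item = Get-ItemProperty -Path $wuPolicy -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# 1. WSUS URLs must use HTTPS, never plain http://
foreach ($name in 'WUServer', 'UpdateServiceUrlAlternate') {
    $url = Get-PolicyValue $name
    if ($url -and $url -match '^http://') {
        $findings.Add("$name uses plain HTTP: $url")
    }
}

# 2. Proxy behaviour: 0 or absent = system proxy only (default); non-zero allows user proxy fallback
$proxy = Get-PolicyValue 'SetProxyBehaviorForUpdateDetection'
if ($null -ne $proxy -and $proxy -ne 0) {
    $findings.Add("SetProxyBehaviorForUpdateDetection = $proxy (user proxy fallback allowed)")
}

# 3. TLS certificate pinning must not be disabled (0 or absent = enforced)
$pin = Get-PolicyValue 'DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection'
if ($null -ne $pin -and $pin -ne 0) {
    $findings.Add("DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection = $pin (pinning disabled)")
}

# 4. Pinning is only effective if the WSUS store actually holds a certificate
# (store path assumed from the store name WindowsServerUpdateServices)
$storePath = 'Cert:\LocalMachine\WindowsServerUpdateServices'
$certs = @(Get-ChildItem -Path $storePath -ErrorAction SilentlyContinue)
if ($certs.Count -eq 0) {
    $findings.Add("Certificate store $storePath is empty or missing; pinning is not enforced")
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: WSUS client uses HTTPS, system proxy only, and certificate pinning'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

The script reads only the policy key and the certificate store, so it can be run repeatedly on a fleet of clients without changing any setting.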
I designed 4 rules, one of which is displayed below
Pingcastle does not check for insecure WSUS configurations (like when using HTTP or allowing the usage of a user-defined proxy after the January 2021 cumulative update). WSUS should be configured to use HTTPS and TLS cert pinning.