Security Considerations for Updates Publisher
System Center Updates Publisher requires that both the user who installs the tool, and the users who perform various actions within the tool, have the appropriate security configured. Digital certificates are required to publish catalogs to an update server and for client computers to scan for the updates in the catalog. Review the following sections to ensure that the minimum security has been configured for the Updates Publisher.
Installation
The user who initiates the Updates Publisher installation must be a member of the local Administrators group or Setup will fail.
Configuring a Remote Publishing Tool Database
If a remote database is configured, there are steps that are required before installing Updates Publisher. First, create the database on a remote computer running SQL Server and then configure the user account permissions. For more information, see How to Create the Updates Publisher Database.
Configuring the Firewall on a Remote Publishing Tool Database
When connecting to a remote Updates Publisher database that has a firewall enabled, you must configure the firewall to allow access to the instance of the Microsoft SQL Server Database Engine. The default instance listens on TCP port 1433. Named instances are configured for dynamic ports, which means the instance is assigned an available port each time the SQL Server service starts. When connecting to a named instance through a firewall, configure the Database Engine to listen on a specific port, so that only that port needs to be opened in the firewall.
Warning
Opening ports in your firewall can leave your server exposed to malicious attacks. Be sure to understand firewall systems before opening ports.
To assign a TCP/IP port number to the SQL Server Database Engine
In SQL Server Configuration Manager, in the tree pane, expand SQL Server 2005 Network Configuration, expand Protocols for <instance name>, and then double-click TCP/IP.
In the TCP/IP Properties dialog box, on the IP Addresses tab, several IP addresses appear in the format IP1, IP2, up to IPAll. One of these addresses is for the IP address of the loopback adapter, 127.0.0.1. Additional IP addresses appear for each IP address on the computer. Identify the IP address that you want to configure.
If the TCP Dynamic Ports dialog box contains 0, indicating the Database Engine is listening on dynamic ports, delete the 0.
In the IPn Properties area, in the TCP Port box, type the port number you want this IP address to listen on, and then click OK.
In the tree pane, click SQL Server 2005 Services.
In the details pane, right-click SQL Server (<instance name>), and then click Restart to stop and restart the SQL Server service.
After you have configured SQL Server to listen on a specific port, you must open that port on the firewall.
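The following PowerShell script is an added example, not part of the original documentation: it verifies that the instance was pinned to a static port as described in the steps above and then opens that port only to the Updates Publisher computer rather than to every source. It assumes a current Windows Server with the NetSecurity module (on older servers substitute netsh), a SQL Server 2005 instance registry path such as MSSQL.1 (adjust to your instance ID), and a placeholder address for the Updates Publisher computer.

```powershell
# Added example: confirm a SQL Server instance listens on a fixed TCP port,
# then open that port in the firewall for the Updates Publisher computer only.
# Assumptions (adjust for your environment): the instance registry key below
# (MSSQL.1 is a SQL Server 2005 instance ID placeholder) and the remote address.
$InstanceKey      = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\MSSQLServer\SuperSocketNetLib\Tcp\IPAll'
$PublisherAddress = '192.0.2.10'   # placeholder (TEST-NET-1); replace with the real host

$tcp = Get-ItemProperty -Path $InstanceKey

# A non-empty TcpDynamicPorts value means the instance still uses dynamic ports,
# i.e. the 0 in TCP Dynamic Ports was not cleared in the procedure above.
if ([string]$tcp.TcpDynamicPorts -ne '') {
    throw "Instance still uses dynamic ports (TcpDynamicPorts='$($tcp.TcpDynamicPorts)'); set a fixed TCP Port first."
}
$port = [int]$tcp.TcpPort
if ($port -lt 1 -or $port -gt 65535) {
    throw "TcpPort '$($tcp.TcpPort)' is not a valid port number."
}

# The setting only takes effect after the service restart; confirm something is bound.
$listening = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
if (-not $listening) {
    throw "Nothing is listening on TCP $port; restart the SQL Server service and re-run."
}

# Scope the rule to the Updates Publisher computer (not 'Any') so the port is not
# exposed to the whole network, which is the risk the warning above describes.
New-NetFirewallRule -DisplayName "SQL Server ($port) - Updates Publisher" `
    -Direction Inbound -Protocol TCP -LocalPort $port `
    -RemoteAddress $PublisherAddress -Action Allow -Profile Domain
```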
Using Updates Publisher
After the Updates Publisher has been installed, users can start the console, perform all Updates Publisher actions, with the exception of publishing catalogs to an update server, and access catalogs and log files if the following requirements are met:
The user must have a SQL login created on the publishing tool database (mscuptdb) and be a member of the System_Center_Updates_Publisher_User database role.
By default, the user must have Read and Execute, List, Read, Write, and Modify file system rights on the installation folder, %ProgramFiles%\System Center Updates Publisher.
Full control permissions must be assigned to the HKLM\Software\Microsoft\PublishingTool registry key for the user to change the publishing tool data source or perform publishing to the update server.
The user must have access to the source location for software updates catalogs to successfully import them into Updates Publisher.
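As an added example (not from the original documentation), the following PowerShell function grants exactly the file system and registry rights listed above to one named account, so that the Full Control grant on the PublishingTool key stays scoped to the operator who publishes instead of a broad group. It assumes it runs elevated on the Updates Publisher computer and that the account name is a placeholder to replace.

```powershell
# Added example: grant the documented Updates Publisher rights to a single account.
# Modify on the install folder implies Read & Execute, List, Read and Write;
# Full Control on the PublishingTool key is needed to change the data source or publish.
function Grant-UpdatesPublisherRights {
    param([Parameter(Mandatory)][string]$Account)   # e.g. 'CONTOSO\supuser' (placeholder)

    $folder = Join-Path $env:ProgramFiles 'System Center Updates Publisher'
    $regKey = 'HKLM:\SOFTWARE\Microsoft\PublishingTool'
    $id     = New-Object System.Security.Principal.NTAccount($Account)

    # Folder rights, inherited by subfolders and files so log/catalog files are covered.
    $fsAcl  = Get-Acl -Path $folder
    $fsRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $fsAcl.AddAccessRule($fsRule)
    Set-Acl -Path $folder -AclObject $fsAcl

    # Registry rights on the PublishingTool key and its subkeys.
    $regAcl  = Get-Acl -Path $regKey
    $regRule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $id, 'FullControl', 'ContainerInherit', 'None', 'Allow')
    $regAcl.AddAccessRule($regRule)
    Set-Acl -Path $regKey -AclObject $regAcl

    # Report what the account now holds directly on each object (group-derived rights are not resolved).
    foreach ($path in $folder, $regKey) {
        (Get-Acl -Path $path).Access |
            Where-Object { $_.IdentityReference.Value -eq $Account } |
            Select-Object @{n='Path';e={$path}}, IdentityReference, FileSystemRights, RegistryRights, AccessControlType
    }
}

Grant-UpdatesPublisherRights -Account 'CONTOSO\supuser'   # placeholder account
```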
Low-rights users
The Updates Publisher provides the following to better support low-rights users:
The Updates Publisher log files are stored in the temporary folder for the logged-on user, %TEMP%.
The Updates Publisher settings are user-specific and copied to the local Application Data folder for the user, %APPDATA%.
Software updates catalogs are exported to the %USERPROFILE%\My Documents\My Catalogs folder, by default.
Publishing Software Update Catalogs
To publish software update catalogs to an update server, the user must have administrative rights on the update server; otherwise the updates will fail to publish.
Port Settings for the Update Server
The port used when connecting to the update server must be specified on the Update Server tab of the Settings dialog box. Use the HTTP port number if SSL is not used and the HTTPS port number if the Use Secure Sockets Layer (SSL) when communicating with the update server setting is enabled. The default HTTP port is 80 and the default HTTPS port is 443. Check the update server configuration to verify which port should be used. For more information about configuring the update server port settings, see How to Configure the Update Server.
Certificate Requirements for the Update Server and Updates Publisher Computer
The update server and a certificate to sign the software updates that are published to the update server must also be configured in the Update Server tab of the Settings dialog box before catalogs can be published to the update server. The certificate must then be copied to the Trusted Publishers certificate store, and Trusted Root Certification Authorities certificate store if a self-signed certificate is used, on the update server. The certificate must also be copied to the certificate store on the Updates Publisher computer if it is remote from the update server. There are several methods for adding the certificates to the appropriate certificate stores. For more information about configuring the update server settings and specifying the digital certificate, see How to Configure the Update Server. For more information about adding the digital certificate to the appropriate certificate stores on the update server and Updates Publisher computer, see How to Configure the Digital Certificate on the Update Server.
Security for Client Computers
The Windows Update Agent (WUA) on client computers requires the digital certificate used to sign the published catalog before installing an update and a Group Policy to allow signed content from an intranet Microsoft update service location.
Certificate Requirements
The WUA on client computers verifies that the digital certificate used to sign the catalog is in the Trusted Publishers store on the client computer. If the certificate is not found, WUA will scan for the updates from the catalog but will fail to install them. If a self-signed certificate was used when publishing the updates catalog, such as WSUS Publishers Self-signed, the certificate must also be in the Trusted Root Certification Authorities certificate store on the local computer so that the certificate chain can be validated. For more information about adding the digital certificate to client computers, see How to Configure the Digital Certificate on Client Computers.
Group Policy Requirements
The Allow signed content from intranet Microsoft update service location Group Policy must be enabled on client computers for the WUA to accept updates signed by publishers other than Microsoft when the update comes from an intranet Microsoft update service location. When this policy setting is enabled, WUA will accept updates received through an intranet location if they are signed with a certificate that is in the Trusted Publishers store on the local computer. For more information about configuring this Group Policy, see How to Configure Group Policy on Client Computers.
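The following PowerShell function is an added example, not part of the original documentation. It checks the prerequisites described in the Certificate Requirements and Group Policy Requirements sections on a client computer: that the signing certificate is in Trusted Publishers, that a self-signed certificate is also in Trusted Root Certification Authorities, and that the intranet signed-content policy is enabled. With -ServerSide it skips the policy check, which makes the same certificate store check usable on the update server and the Updates Publisher computer described earlier. It assumes PowerShell 3.0 or later, a placeholder thumbprint for the signing certificate, and that the policy is backed by the AcceptTrustedPublisherCerts value under the WindowsUpdate policy key.

```powershell
# Added example: verify WUA prerequisites for updates published with Updates Publisher.
# The thumbprint passed in is the certificate selected on the Update Server tab
# of the Settings dialog box; the value used below is a placeholder.
function Test-SignedUpdatePrereqs {
    param(
        [Parameter(Mandatory)][string]$SigningThumbprint,
        [switch]$ServerSide   # update server / Updates Publisher computer: no policy check
    )
    $problems = @()

    $publisher = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
        Where-Object Thumbprint -eq $SigningThumbprint
    if (-not $publisher) {
        $problems += 'Signing certificate is not in Trusted Publishers; WUA will detect but not install the updates.'
    } elseif ($publisher.Subject -eq $publisher.Issuer) {
        # Self-signed (for example "WSUS Publishers Self-signed"): it must also be a trusted root.
        $root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $SigningThumbprint
        if (-not $root) {
            $problems += 'Self-signed signing certificate is not in Trusted Root Certification Authorities.'
        }
    }

    if (-not $ServerSide) {
        # "Allow signed content from intranet Microsoft update service location" is stored
        # as AcceptTrustedPublisherCerts = 1 under the WindowsUpdate policy key (assumption noted in the lead-in).
        $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
        $accept = (Get-ItemProperty -Path $policyKey -Name AcceptTrustedPublisherCerts `
                   -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts
        if ($accept -ne 1) {
            $problems += 'Group Policy to accept signed content from an intranet update service location is not enabled.'
        }
    }

    if ($problems.Count -eq 0) { 'OK: this computer trusts the publisher certificate as required.' }
    else { $problems }
}

Test-SignedUpdatePrereqs -SigningThumbprint 'PLACEHOLDER_THUMBPRINT'
```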
See Also
Tasks
How to Configure the Update Server
How to Configure the Digital Certificate on Client Computers
How to Configure the Digital Certificate on the Update Server
How to Configure Group Policy on Client Computers
How to Create the Updates Publisher Database