
NAC WSUS Requirement Type

Background:

New in 4.1(1), the WSUS Requirement type gives NAC Appliance administrators the ability to integrate with local WSUS servers, or to use Microsoft's own update servers, to ensure that users are up to date on their Microsoft service packs and patches before they are granted normal network access.

Configuring WSUS Requirements:

The following options are available when configuring a WSUS Requirement:

  • Update Validation source - How the client machine is checked for missing patches. The check can be done against the WSUS server itself OR against Cisco rule sets.
    • Cisco Rules - The new "WSUS Server Update Services" requirement must be mapped to the standard Cisco rule sets (for example XP_hotfixes). Standard registry scans are performed on the client machine based on those rule sets.
    • WSUS Server - The CCA Agent makes an API call to the WSUS Agent on the client machine, which checks compliance directly with the WSUS server. Since the Cisco rule sets are not used in this mode, there is no need to map a rule set to the requirement.
  • Update Installation source - Where patches are fetched from once the client has been found non-compliant: local WSUS servers OR Windows Update.
    • WSUS Servers - Download and install the patches from the local WSUS servers.
    • Windows Update - Download and install the patches from the Microsoft Windows Update website.
  • Update Installation type - Which hotfixes are downloaded and installed from the chosen source.
    • Express - Installs the same Windows updates the Windows Update "Express" option would (for example, the "Express" option may include just Critical and Important security updates, or may call for an entire service pack).
    • Custom - Installs updates by severity, chosen from the associated dropdown: Critical installs only the most severe Windows updates; Medium installs all updates except those Microsoft classifies as "low severity"; All installs every currently available Windows update regardless of severity.
    • Upgrade to Latest OS Service Pack - Automatically installs the latest service pack available for the user's operating system.
  • UI Experience - Controls what the end user sees while the updates are being installed.
    • Show UI - The Windows Update UI (showing that patches are being installed) is displayed to the user.
    • No UI - Updates are applied silently; the user sees no UI indicating that updates are being installed.
Figure 1 - Configuring a WSUS Requirement
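The "WSUS Server" validation source and the "Custom" severity dropdown can be approximated from the client side with the Windows Update Agent COM API, which is the agent the CCA Agent hands the check off to in that mode. The script below is an added example written for this page; it is not Cisco's code and does not come from the CAM Admin Guide. The mapping of Critical/Medium/All onto Microsoft's MsrcSeverity ratings is my reading of the description above rather than a Cisco-published table, and the sample update list is constructed so the severity filter can run offline.

```powershell
# Added example for this page (not Cisco NAC Agent code). Requires Windows PowerShell 3.0+.
# Assumption: the CAM "Custom" levels map onto Microsoft's MsrcSeverity ratings as below;
# Medium keeps everything Microsoft does not rate Low, All keeps unrated updates too.
$SeverityFilter = @{
    Critical = @('Critical')
    Medium   = @('Critical', 'Important', 'Moderate')
    All      = $null   # $null = no filtering at all
}

function Select-RequiredUpdates {
    # Apply a CAM-style severity level to a list of missing updates.
    param(
        [Parameter(Mandatory = $true)] [object[]] $Updates,   # objects with Title and MsrcSeverity
        [ValidateSet('Critical', 'Medium', 'All')] [string] $Level = 'Medium'
    )
    $allowed = $SeverityFilter[$Level]
    if ($null -eq $allowed) { return $Updates }
    return @($Updates | Where-Object { $allowed -contains $_.MsrcSeverity })
}

function Get-MissingUpdates {
    # Ask the local Windows Update Agent what is not installed, from the chosen source.
    # This is the client-side analogue of the "WSUS Server" validation source.
    param([ValidateSet('WSUS', 'WindowsUpdate')] [string] $Source = 'WSUS')
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # ServerSelection: 1 = ssManagedServer (the WSUS server from WUServer), 2 = ssWindowsUpdate
    if ($Source -eq 'WSUS') { $searcher.ServerSelection = 1 } else { $searcher.ServerSelection = 2 }
    $searcher.Online = $true
    # A search that cannot reach the chosen source throws a COM exception here.
    $result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Title        = $u.Title
            MsrcSeverity = $u.MsrcSeverity      # 'Critical', 'Important', 'Moderate', 'Low' or empty
            KB           = ($u.KBArticleIDs -join ',')
        }
    }
}

# Constructed sample of a search result, so the severity filter can be exercised offline.
$sample = @(
    [pscustomobject]@{ Title = 'Sample security update A'; MsrcSeverity = 'Critical'  }
    [pscustomobject]@{ Title = 'Sample security update B'; MsrcSeverity = 'Important' }
    [pscustomobject]@{ Title = 'Sample update C';          MsrcSeverity = 'Low'       }
    [pscustomobject]@{ Title = 'Sample tool update D';     MsrcSeverity = ''          }   # unrated
)

foreach ($level in 'Critical', 'Medium', 'All') {
    $required = Select-RequiredUpdates -Updates $sample -Level $level
    '{0,-8} -> {1} of {2} missing update(s) would block compliance' -f $level, @($required).Count, $sample.Count
}

# Against the real machine (needs the WSUS server or Windows Update reachable from this client):
# Select-RequiredUpdates -Updates @(Get-MissingUpdates -Source WSUS) -Level Medium
```

With the constructed sample, Critical selects one update, Medium two, and All four: the unrated entry only counts under All, which matches the description of All as "regardless of severity", so a requirement set to Critical or Medium will never hold a user for an update Microsoft has not rated. Switching `-Source` between WSUS and WindowsUpdate is the same decision the Update Validation source makes, and a search that fails in the temporary role usually means the port note below has not been addressed.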

Notes on configuring WSUS Requirements:
  • Validation against the WSUS server may take 10-15 seconds.
  • Make sure access to the WSUS server or to Windows Update is opened in the temporary role (depending on which installation source is used).
  • Make sure the client PC can reach the WSUS server on the port it is published on. The client talks to the WSUS server over HTTP/HTTPS, by default on port 80/443; a WSUS server may also be published on a custom port (for example 8530/8531 on later WSUS versions), in which case the WUServer value below includes that port.
  • WSUS updates may take a long time, so set the Session Timer for the temporary role long enough for the updates to complete.
  • To support Windows Server Update Services operations, client machines must have version 5.4.3790.1000 or later of WUAUENG.dll installed.
  • If there are update errors, see C:\Windows\Windows Update.log or C:\Windows\WindowsUpdate.log.
  • To see whether a local WSUS server is configured, look under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: the WUServer value lists the server (WUStatusServer lists the reporting server, and the client only honours WUServer when UseWUServer under the AU subkey is 1).
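The last few notes amount to a client-side prerequisite check. The script below is an added example written for this page, not Cisco's or Microsoft's code: it reads the same registry values, compares the installed WUAUENG.dll against the 5.4.3790.1000 minimum quoted above, and makes a TCP connection to the host and port in the WUServer URL (80 or 443 unless the URL carries a port). It assumes it is run on the client PC itself; the server it tests is whatever WUServer is set to, nothing site-specific is built in.

```powershell
# Added example for this page (not Cisco code). Run on the client PC in Windows PowerShell 3.0+.
# Minimum WUAUENG.dll version is the 5.4.3790.1000 quoted in the notes above.

function Get-WsusClientConfig {
    # Group Policy / registry-pushed Windows Update client settings.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu  = Get-ItemProperty -Path $key      -ErrorAction SilentlyContinue
    $au  = Get-ItemProperty -Path "$key\AU" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer       = $wu.WUServer             # e.g. http://wsus.example.local:8530 ; empty = Windows Update
        WUStatusServer = $wu.WUStatusServer       # reporting server, normally the same URL
        UseWUServer    = ($au.UseWUServer -eq 1)  # the client only honours WUServer when this is 1
    }
}

function Test-WuaEngineVersion {
    # Compare the installed Windows Update Agent engine against the minimum the NAC Agent needs.
    param([version] $Minimum = '5.4.3790.1000')
    $dll = Join-Path $env:SystemRoot 'System32\wuaueng.dll'
    $fi  = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($dll)
    # Build from the numeric parts; FileVersion as a string can carry trailing build text.
    $ver = New-Object System.Version $fi.FileMajorPart, $fi.FileMinorPart, $fi.FileBuildPart, $fi.FilePrivatePart
    [pscustomobject]@{ Installed = $ver; Minimum = $Minimum; Ok = ($ver -ge $Minimum) }
}

function Test-WsusPort {
    # TCP connect to the host/port in the WUServer URL; [uri].Port falls back to 80/443 by scheme.
    param([Parameter(Mandatory = $true)] [string] $Url, [int] $TimeoutMs = 3000)
    $uri    = [uri] $Url
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($uri.Host, $uri.Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }   # timed out (filtered)
        $client.EndConnect($ar)                                               # throws if refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Run the checks and report.
$cfg = Get-WsusClientConfig
$cfg | Format-List
if ($cfg.UseWUServer -and $cfg.WUServer) {
    $port = ([uri] $cfg.WUServer).Port
    'Local WSUS server in use; TCP {0} reachable: {1}' -f $port, (Test-WsusPort -Url $cfg.WUServer)
} else {
    'No local WSUS server configured: updates come from Windows Update, so open HTTP/HTTPS to Microsoft in the temporary role.'
}
Test-WuaEngineVersion | Format-List
```

Run it from a client sitting in the temporary role: a timeout from `Test-WsusPort` means the role's traffic policy (or a firewall in between) is not allowing the port, while a version check that fails means the client will not be able to take part in WSUS operations regardless of connectivity.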
Summary:

The WSUS Requirement type is a good way to ensure that clients really are up to date on Microsoft patches before they are let onto the network.

Sources: 4.1(2) CAM Admin Guide; What's New in 4.1(1)

Comments

  1. Jamie,

    Page 11-17 of the cam416ug.pdf states that under the "optional" enforce choice for a WSUS requirement, the client machine does not have to meet the requirement for the user to proceed or have network access. But this seems to contradict another statement on page 11-15, which states that "Cisco recommends making the WSUS requirement "Optional" so that WSUS remediation takes place as a background process on the client machine." Assuming that I have set up an "Optional" WSUS requirement, does this mean that if the client doesn't have some of the Microsoft patches, the CAA on the workstation will still tell the Windows Update agent to phone home to the WSUS server to get the "optional" updates?


