www.infralib.com

www.infralib.com
Please visit my new site http://www.infralib.com for my and other authors' newer posts, articles. We will also have forums, videos, webcasts and etc.

Friday, 15 July 2011

Permissions on WSUS Directories and Registry Keys

Permissions on WSUS Directories and Registry Keys
Troubleshooting Web services often involves checking permissions on related directories and registry keys. The following sections will explain in detail how to check permissions on WSUS Web services directories and registry keys.

The cacls system command

The cacls system command displays or modifies file or directory access control lists (ACLs). The output of this command specifies the level of access (f=full control, w=write, r=read, n=none) and whether or not the access is inherited by subdirectories (OI=this folder and files, CI=this folder and subfolders, IO=does not apply). See the cacls command reference (http://go.microsoft.com/fwlink/?LinkId=81084) for more information.
The WSUS installation creates several Web service directories.
  • WSUSInstallDir\WebServices\apiremoting30 (where WSUSInstallDir is the directory where WSUS has been installed)
  • WSUSInstallDir\WebServices\clientwebservice
  • WSUSInstallDir\WebServices\dssauthwebservice
  • WSUSInstallDir\WebServices\reportingwebservice
  • WSUSInstallDir\WebServices\serversyncwebservice
  • WSUSInstallDir\WebServices\simpleauthwebservice
  • WSUSInstallDir\Inventory
  • WSUSInstallDir\Selfupdate
All of the directories above (except for the self-update directory) should have the following ACLs:
  • NT AUTHORITY\NETWORK SERVICE:(OI)(CI)R
  • BUILTIN\Users:(OI)(CI)R
  • NT AUTHORITY\Authenticated Users:(OI)(CI)R
  • BUILTIN\Administrators:(OI)(CI)F
  • NT AUTHORITY\SYSTEM:(OI)(CI)F
  • The self-update directory should have the following ACLs:
  • BUILTIN\Users:(OI)(CI)R
  • BUILTIN\Administrators:(OI)(CI)F
  • NT AUTHORITY\SYSTEM:(OI)(CI)F

Permissions on WSUS registry keys

The following permissions are set for the registry during WSUS setup.
  • The Users and WSUS Reporters group must have Read access to the \HKLM\Software\Microsoft\Update Services\Server registry key.
  • The following accounts must have Full Control permissions to the \HKLM\Software\Microsoft\Update Services\Server\Setup registry key:
    • Network Service
    • WSUS Administrators
    • Administrators
    • System
Source : http://technet.microsoft.com/en-us/library/cc708487(WS.10).aspx

No comments: