Security: Whitelist WSUS server

About whitelist
All applications within the whitelist can be executed, those that are not within the whitelist cannot be executed. One of the scenarios of malicious file being inadvertently downloaded by the user, this file downloaded cannot be executed since it is not within the whitelist.

The whitelist application used for this post is McAfee Application Control aka McAfee Solidifier, this is a very easy to use application, the only difficult part is to manually add applications to the whitelist and manually add updaters to the whitelist, however this is simplified by McAfee with its finetune.bat.

Checklist
Here is the checklist of what should be done before whitelist and during whitelist.

1. Scan the server/workstation thoroughly, preferably use different vendor antivirus scanners and rootkits scanner to ensure the machine is free from virus or other malicious files (zero day cannot be detected btw)

2. Use finetune.bat to add U-WindowsUpdate, A-McAfee and E-WSUSServer, these three are updaters for windows update, WSUS synchronization and McAfee Virus Scan.

C:\Program Files\McAfee\Solidcore>finetune.bat add E-WSUSServer
*****ADDING solidifier CUSTOMIZATIONS*****

Adding solidifier rules for Windows Server Update Services2.0 sp1...


Rules added sucessfully.

WARNING! Reboot your system before proceeding further as some rules take
effect only on system restart.

C:\Program Files\McAfee\Solidcore>finetune.bat add A-McAfee
*****ADDING solidifier CUSTOMIZATIONS*****

Adding solidifier rules for Mcafee.



Rules added sucessfully.

WARNING! Reboot your system before proceeding further as some rules take
effect only on system restart.

3. Solidify the C volume. Solidify means to whitelist the volume/file/directories. If you do not specify volumes or folders or files, by default sadmin will solidify all volumes that is available in your computer if this is not what you want you should specify explicitly for example sadmin so c:\

C:\Program Files\McAfee\Solidcore>sadmin so
Password:
Solidifying volume C:\
00:09:09: Total files scanned 72308, solidified 28002

C:\Program Files\McAfee\Solidcore>

4. Set McAfee Application Control password.

C:\Program Files\McAfee\Solidcore>sadmin passwd
New Password:
Retype Password:
Password changed.

5. Backup the windows server, or create restore point if you are using Windows 7.

6. Enable McAfee Application control.

C:\Program Files\McAfee\Solidcore>sadmin enable
Password:
McAfee Solidifier will be enabled without Memory Protection on service restart.
Memory Protection will be available on next reboot.

C:\Program Files\McAfee\Solidcore>

7. Reboot the machine.

Advertisements
This entry was posted in Security and tagged , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s