Request for IIS Module and Configuration Dependencies – WSUS

Han Htoon Aung 0 Reputation points
2025-10-19T10:40:39.2733333+00:00

Dear Microsoft Support,

We are preparing to implement IIS hardening on our Windows Server 2025 following the CIS Benchmark for IIS 10.0.

The server hosts Windows Server Update Services (WSUS), and before applying the hardening configuration, we would like to confirm which IIS modules, authentication methods, and components are required for WSUS to function properly.

Could you please advise on:

  1. Required IIS modules and features (e.g. WebDAV, BITS Server Extensions, Static Content, etc.).
  2. Required authentication settings (Anonymous, Windows, etc.).
  3. Supported TLS versions and cipher suites for WSUS communication.
  4. Any known issues or exceptions when applying CIS IIS hardening.

Environment details:

  • Windows Server 2025
  • IIS 10.0
  • WSUS role installed via Server Manager
  • Co-hosted services: SEPM and Omnidefend

The goal is to ensure the hardening process does not disrupt WSUS synchronization or client update functionality.

Windows for business | Windows Server | Devices and deployment | Install Windows updates, features, or roles

1 answer

  1. Brian Huynh (WICLOUD CORPORATION) 2,340 Reputation points Microsoft External Staff Moderator
    2025-11-28T02:09:21.4333333+00:00

    Hello,

    Since you are co-hosting services (SEPM), applying these settings requires precision to avoid service disruption. Here are the specific requirements for WSUS:

    1. Required IIS Modules and Features

    • Common HTTP Features: Static Content, Default Document, HTTP Errors.
    • Application Development: ASP.NET 4.8, .NET Extensibility 4.8, ISAPI Extensions, ISAPI Filters.
    • Performance: Dynamic Content Compression.
    • Management Tools: IIS Management Console, IIS 6 Management Compatibility (WMI Compatibility is often required for WSUS post-install tasks).
    • Important: Ensure WebDAV is uninstalled or disabled on the WSUS website, as it conflicts with WSUS handlers.

    2. Required Authentication Settings

    WSUS requires a mixed configuration based on the virtual directory:

    • Anonymous Authentication: Required for the WSUS Administration root site and specifically the Content virtual directory (so clients can download updates).
    • Windows Authentication: Required for the API and Service virtual directories (e.g., ApiRemoting30, ClientWebService, DssAuthWebService, ServerSyncWebService, SimpleAuthWebService).

    3. Supported TLS Versions and Cipher Suites

    • Protocols: WSUS on Windows Server 2025 supports TLS 1.2 and TLS 1.3. You should disable TLS 1.0 and 1.1.
    • Cipher Suites: Use standard, high-security suites (e.g., TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384). Ensure your client endpoints support the suites you enforce.

    4. Known CIS Hardening Exceptions for WSUS

    Strict adherence to CIS benchmarks will break WSUS if you do not make these specific exceptions:

    • Request Filtering (Double Escaping): CIS recommends setting allowDoubleEscaping to False. For WSUS, you must set allowDoubleEscaping to True in the system.webServer/security/requestFiltering section. If blocked, clients cannot download Delta updates or files containing the + character.
    • Max Allowed Content Length: Ensure the request limits are high enough to handle large update packages if you are pushing custom updates.

    Note on Co-hosted Services: Since you are hosting SEPM and Omnidefend, apply IIS hardening settings at the Site level (specifically the WSUS Administration site) rather than the Server level where possible. Global hardening may inadvertently break the components often used by SEPM.

    I am happy to follow up if you run into specific errors during the implementation.

    If the information provided is helpful, please acknowledge it by clicking "Accept Answer". This will help other community members find this solution.
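
A way to check, before and after hardening, where the settings named in the answer above are actually set (server level or a `<location>` for the WSUS site). This is an added example, not part of the original answer or Microsoft's tooling. The XML is a constructed sample, `Get-EffectiveSetting` is a hypothetical helper, and the sketch assumes the values live in applicationHost.config; it does not read web.config files inside the site, which can override them.

```powershell
# Constructed applicationHost.config fragment (not from a real server). On the WSUS host use:
#   [xml]$cfg = Get-Content "$env:windir\System32\inetsrv\config\applicationHost.config"
[xml]$cfg = @'
<configuration>
  <system.webServer><security>
    <requestFiltering allowDoubleEscaping="false" />
    <authentication>
      <anonymousAuthentication enabled="true" />
      <windowsAuthentication enabled="false" />
    </authentication>
  </security></system.webServer>
  <location path="WSUS Administration">
    <system.webServer><security>
      <requestFiltering allowDoubleEscaping="true" />
    </security></system.webServer>
  </location>
  <location path="WSUS Administration/ApiRemoting30">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
</configuration>
'@

function Get-EffectiveSetting {   # hypothetical helper, not an IIS cmdlet
    param([xml]$Config, [string]$Path, [string]$Section, [string]$Attribute)
    $parts = $Path -split '/'
    # Candidate scopes, most specific first: "Site/VDir", "Site", then '' (server level).
    $scopes = @(for ($i = $parts.Count; $i -ge 1; $i--) { $parts[0..($i - 1)] -join '/' }) + ''
    foreach ($scope in $scopes) {
        $root = if ($scope) {
            $Config.configuration.location | Where-Object { $_.path -ieq $scope } | Select-Object -First 1
        } else { $Config.configuration }
        if ($null -eq $root) { continue }
        $node = $root.SelectSingleNode("system.webServer/$Section")
        if ($null -ne $node -and $node.HasAttribute($Attribute)) {
            $setAt = if ($scope) { $scope } else { '(server level)' }
            return [pscustomobject]@{ Path = $Path; Setting = "$Section/@$Attribute"
                                      Value = $node.GetAttribute($Attribute); SetAt = $setAt }
        }
    }
}
$site = 'WSUS Administration'   # site and virtual directory names as given in the answer
$checks = @(
    @{ Path = $site; Section = 'security/requestFiltering'; Attribute = 'allowDoubleEscaping' }
    @{ Path = "$site/Content"; Section = 'security/authentication/anonymousAuthentication'; Attribute = 'enabled' }
    @{ Path = "$site/ApiRemoting30"; Section = 'security/authentication/windowsAuthentication'; Attribute = 'enabled' }
)
foreach ($c in $checks) { Get-EffectiveSetting -Config $cfg @c }
```

In the sample, `allowDoubleEscaping` resolves to `true` at the WSUS site while the server-level value stays `false`, and anonymous access for `Content` is inherited from the server level, so disabling it globally would also change it for that directory.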
