Integrate the Digital Vault with a Windows Patch server (WSUS)

This topic describes how to integrate the Vault with a Windows Patch server, Windows Server Update Services (WSUS) to apply Windows security updates on a regular basis.

Overview

You can integrate the Vault with a Windows Server Update Services (WSUS) server, which handles the installation of Microsoft Windows security patches that are provided by your organization's IT department or system administrator.

We recommend applying Microsoft updates on a monthly basis.

If you integrate the the Vault with a WSUS server, we recommend hardening the WSUS server according to the following guidelines:

  • Make sure your WSUS server is configured for Microsoft Security best practices.

  • Use a dedicated WSUS server to update the Vault. If this isn't possible, create a WSUS-dedicated computer group for updates with the relevant updates for the Vault.

  • Configure WSUS to work with HTTPS and a certificate.

  • Use the actual WSUS IP address (don't use a DNS).

  • Ensure that the connection between the WSUS server and the Vault is disabled when not applying actual updates. The CyberArk Vault installation package includes WSUS scripts for this purpose.

Installing updates may require multiple restarts of the Vault server, which will result in server downtime.

There are two steps to perform the integration:

  1. Configure the WSUS integration

  2. Download and install updates

Prerequisites

Make sure that you have met the following requirements:

  • The Vault is not a member of the domain.

  • The Vault is hardened according to CyberArk's Security standards. For more information, see Security Fundamentals and Digital Vault Security Standard.

  • If you use DNS records for the WSUS server, you must manually add them to the Vault's hosts file.

  • There is network access between the Vault and the WSUS server. For more information, see Microsoft Windows Server - Configure WSUS.

  • The WSUS server certification chain is installed on the Vault Server Operating System trust store.

WSUS configuration

Make sure that you have the following products and updates before you configure WSUS.

Products

  • Windows Server 2019

  • Windows Server 2016

Classifications best practices

  • Critical updates

  • Definition updates

  • Security updates

  • Update Rollups

Optional classifications

  • Feature Packs

  • Service Packs

  • Updates

Configure the WSUS integration

This section describes how to set up and configure the Vault and the WSUS server to download and install Windows security updates. You configure the WSUS integration only once, unless the environment or WSUS configuration has changed.

Step 1: Copy the WSUS scripts to the Vault machine

All the scripts required to configure and update monthly Microsoft security patches are included in the PAM - Self-Hosted installation package, in the WSUS folder.

Before you copy the WSUS scripts, review the scripts and their usage.

Script

Usage

OpeningServices.ps1

Unhardens mandatory services for installation.

ConfigureWSUS.ps1

Configures the WSUS server details in the registry.

DownloadUpdatesFromWSUS.ps1

Downloads the necessary updates from the WSUS server for the pre-configured WSUS server port, and for up to two additional custom ports.

InstallUpdates.ps1

Installs the downloaded updates from the WSUS server.

ClosingServices.ps1

Hardens the Windows services on the Vault server.

To copy the WSUS scripts to the Vault machine:
  • Copy the WSUS folder from the Vault installation folder to a folder on the Vault machine.

Step 2: Configure the Vault server and the WSUS server

Use the ConfigureWSUS.ps1 script to configure the Vault server and the WSUS server.

  1. Open Powershell as an administrator: Right-click Powershell and select Run as Administrator.

  2. Go to the WSUS folder on the Vault server.

  3. Run the ConfigureWSUS.ps1 script with the required URL of the WSUS server:

    ConfigureWSUS.ps1 https://<WSUS IP Address>:<WSUS Port>

    https://10.10.10.10:8531

Download and install updates

Before you download and install updates, make sure you have completed the tasks in Configure the WSUS integration .

We recommend that you install updates on a monthly basis.

  • We recommend that you perform this task in the shortest possible amount of time. During this task, the hardening and security of the Vault is reduced so that you can install the updates.

  • After you finish installing the updates, Harden the Windows services to keep the Vault server secure.

Step 1: Unharden the Windows services to install updates

The following procedure unhardens Windows services on the Vault server.

  1. Open Powershell as an administrator: Right-click Powershell and select Run as Administrator.

  2. Go to the WSUS folder on the Vault machine.

  3. Run the OpeningServices.ps1 script.

    The message, "Windows Update services are enabled", appears.

Step 2: Download and install the Microsoft security updates

This step connects to the WSUS server, downloads security updates to the Vault server, and installs the security updates on the Vault server.

  1. Open Powershell as an administrator: Right-click Powershell and select Run as Administrator.

  2. Go to the WSUS folder on the Vault machine.

  3. Do one of the following to download the security updates:

    • Run the DownloadUpdatesFromWSUS.ps1 script to download updates from the pre-configured WSUS server port.

    • Run the DownloadUpdatesFromWSUS.ps1 script and specify up to two additional custom ports in the script:

      DownloadUpdatesFromWSUS.ps1 [port] [port]

  4. Do one of the following to install the security updates:

    • Run the InstallUpdates.ps1 script to install the downloaded updates.

    • Run the InstallUpdates.ps1 script and specify up to two additional custom ports in the script:

      InstallUpdates.ps1 [port] [port]

  5. Reboot the Vault server to apply the Windows updates.

  6. Repeat steps 3-6 until all security updates have been downloaded to the Vault server and the message, "No updates found", appears.

Step 3: Harden the Windows services

The following process hardens the Windows services on the Vault server.

  1. Open Powershell as an administrator: Right-click Powershell and select Run as Administrator.

  2. Go to the WSUS folder on the Vault machine.

  3. Run the ClosingServices.ps1 script to harden the Windows services on the Vault server.

  4. Reboot the Vault server.

FAQs