Problems Authorizing Windows Updates


Thread: Problems Authorizing Windows Updates, started by Will, 03-23-2008
Posted by Will on March 24, 2008, 9:10 pm
> Will wrote, On 23/03/08 17:53:
>>> On Sun, 23 Mar 2008 00:33:12 -0700, Will wrote:
>>>
>>>> I'm having some problems with firewall authorizations for Windows Update
>>>> access in a DMZ. In general, I have had good luck getting access to
>>>> Windows Update when you authorize passage of HTTP, HTTPS, and FTP to these
>>>> networks:
>>>>
>>>> 131.107.0.0 / 16
>>>> 207.46.0.0 / 16
>>>> 64.4.0.0 / 18
>>>> 65.52.0.0 / 14
>>>>
>>>> In addition, I normally authorize these URLs for both http: and https:
>>>>
>>>> *.microsoft.com
>>>> windowsupdate.microsoft.com
>>>> *.windowsupdate.microsoft.com
>>>> download.windowsupdate.com
>>>>
>>>> The problem I am having is that occasionally the DNS name
>>>> "download.windowsupdate.com" resolves to some IPs on a huge network from
>>>> the
>>> Why don't you use a proxy?
>>
>> We use NAT on the firewall for all outgoing connections, and a proxy isn't
>> going to improve much on that. The thing we are trying to prevent is the
>> ability to reach unauthorized IPs by any means. If Windows Update has
>> download.windowsupdate.com resolving to half the Internet, you end up having
>> to open up through the firewall outgoing connections to a lot of hosts that
>> could be used to control a compromised host or to further the compromise.
>
> Set up rules so that only the proxy can access anything on ports 80 and
> 443; then the proxy can be set to only allow access to specific URLs. Then
> the only way they can access anything the proxy does not allow is by
> poisoning your DNS or accessing through some other port you have left open
> on the firewall.

The most secure solution would be if Microsoft published a list of networks
and IPs it wants to use for download.windowsupdate.com. I guess that won't
happen.

I guess you are right: the only other solution is to rely on URLs correctly
passing the target hostname in the URL, and to have the firewall rules focus on
the URLs. As you mention, you are vulnerable to DNS redirection by poisoning
the cache. I'll work out something a little more secure than relying on
just the URL, but in general I know where I need to go, and thanks.

--
Will
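The two egress policies this thread contrasts, modelled side by side as an added example (this is not code from the original post, and Microsoft publishes no such list). The networks and hostname patterns are the ones Will lists above; the function names (`firewall_decision`, `proxy_decision`), the `Request` type and every address in the sample requests are assumptions, with the 203.0.113.0/24 addresses taken from the documentation range so that nothing here is observed traffic.

```python
"""Added example: network allow-list (NAT firewall) vs hostname allow-list (proxy).

The firewall in the post allow-lists destination networks; the proposed
alternative allow-lists hostnames at a proxy. Both decisions are run over
constructed requests so the difference, and the residual DNS risk, is visible.
"""
import ipaddress
from dataclasses import dataclass

# Networks from the original post, in CIDR form.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "131.107.0.0/16", "207.46.0.0/16", "64.4.0.0/18", "65.52.0.0/14")]

# Hostname patterns from the original post; "*." means "any subdomain of".
ALLOWED_HOSTS = ("*.microsoft.com", "windowsupdate.microsoft.com",
                 "*.windowsupdate.microsoft.com", "download.windowsupdate.com")


def ip_allowed(ip: str, networks=ALLOWED_NETWORKS) -> bool:
    """NAT-firewall view: is the destination address inside a listed network?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def host_matches(host: str, pattern: str) -> bool:
    """Match one allow-list entry. A leading '*.' means 'any subdomain of'.

    Keeping the dot in the suffix test is what stops 'evilmicrosoft.com'
    (and the bare 'microsoft.com') from matching '*.microsoft.com'.
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def host_allowed(host: str, patterns=ALLOWED_HOSTS) -> bool:
    """Proxy view: does the requested hostname match an allow-list entry?"""
    return any(host_matches(host, p) for p in patterns)


@dataclass(frozen=True)
class Request:          # hypothetical type, not from the post
    host: str           # hostname from the URL, or the CONNECT target for HTTPS
    resolved_ip: str    # address that name resolved to when the request was made


def firewall_decision(req: Request) -> bool:
    """Network allow-list only; the firewall never sees the hostname."""
    return ip_allowed(req.resolved_ip)


def proxy_decision(req: Request) -> bool:
    """Hostname allow-list only; the proxy does not care where the name resolves."""
    return host_allowed(req.host)


# Constructed requests (not observed traffic) covering the cases in the thread.
SAMPLE_REQUESTS = {
    # Normal case: the update host resolves into a listed network.
    "update_in_listed_net": Request("download.windowsupdate.com", "207.46.1.1"),
    # The symptom from the post: same name, but a CDN node outside every listed
    # network. The firewall breaks Windows Update; the proxy does not.
    "update_on_cdn": Request("download.windowsupdate.com", "203.0.113.10"),
    # Unrelated host on an unrelated address: both policies refuse it.
    "unrelated": Request("c2.attacker.example", "203.0.113.20"),
    # Unrelated host that happens to sit inside a listed network: only the
    # hostname policy refuses it.
    "unrelated_in_listed_net": Request("c2.attacker.example", "207.46.5.5"),
    # Look-alike domain: must not match '*.microsoft.com'.
    "lookalike": Request("evilmicrosoft.com", "203.0.113.30"),
    # The residual risk the reply points out: a poisoned answer for a real
    # name. The hostname policy cannot tell this from "update_on_cdn"; for
    # HTTPS only the client's certificate check separates the two.
    "poisoned_dns": Request("download.windowsupdate.com", "203.0.113.66"),
}


def evaluate(requests=SAMPLE_REQUESTS):
    """Return {name: (firewall_allows, proxy_allows)} for each request."""
    return {name: (firewall_decision(r), proxy_decision(r))
            for name, r in requests.items()}


if __name__ == "__main__":
    for name, (fw, px) in evaluate().items():
        print(f"{name:24} firewall={'allow' if fw else 'deny':5} "
              f"proxy={'allow' if px else 'deny'}")
```

On a real proxy the hostname list becomes the proxy's domain ACL (in Squid, a `dstdomain` entry with a leading dot covers the domain and its subdomains, the role `*.` plays here), and the firewall rule from the reply is then just: only the proxy's address may leave on 80 and 443. For HTTPS the proxy sees only the CONNECT hostname, so what it enforces is "this name was asked for", not "this address belongs to that name"; a poisoned answer gets through the proxy, and the Windows Update client's certificate validation is what an attacker would still have to defeat.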


