Microsoft Update

"George Schneider" <georgedschneider@news.postalias> wrote in message news:D49DBF14-0D4D-4A24-9652-C2A1CD428435@microsoft.com...

Currently we have our web server completely locked down by only allowing the web server to get out to needed websites by adding a rule to the router/firewall ACL. I can't seem to find a way to allow access to Microsoft Update, which would need to be allowed by IP address. Can someone tell me the IP addresses or range I can specify on my router to allow this for the web server?

"Ken Schaefer" wrote:

Does your router support DNS names as ACLs, or only IP addresses?

Alternatively, have you looked at hosting a WSUS server internally? That way your client machines (e.g. your IIS server) would just get their updates from a local server.

Cheers
Ken

"George Schneider" wrote:

That's the long-term solution: set up a WSUS internally and the problem ceases to exist. In the immediate future I've had to create an ACL to allow 80 and 443 in and out on established connections when I'm ready to update. As far as I know the ACLs on Cisco routers/firewalls only support IP.

"Roger Abell [MVP]" wrote:

When Windows Update was first starting out I raised this same item with Microsoft for the very same reason. Bottom line is that to date there is no listing of IPs (to my awareness) and there is not likely to be one (two main reasons: security - don't advertise what you do not want DoS deluged; and, the IPs change and are also dependent on where in the world one is, as there are multiple feeds and these are outsourced to well-connected providers). On servers that need to visit Microsoft Update I have a normally not enabled rule that allows outbound TCP 80 and 443, and, if there is not already one, that allows inbound on the same ports. This rule is enabled for the 10 minutes, more or less, that is needed, and then returned to its normal, not enabled state.

Roger

"George Schneider" <georgedschneider@news.postalias> wrote in message news:621D58D4-87EA-4975-AC96-26ED1C174130@microsoft.com...

I've done a similar thing as well, creating an ACL to allow this and then removing it when I'm done. I understand Microsoft's reasoning, but it makes it real hard for security if we completely lock something down and only allow specific access. I guess this is their way of forcing the issue with WSUS.

"Roger Abell [MVP]" wrote:

I actually think it is such that MS would just as soon it could be otherwise, but again, management of what is outsourced is not something they can constrain and still get the volume/scale.

Roger
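The time-boxed egress rule that Roger and George describe, written out as a Cisco IOS extended ACL. This is an added example, not configuration posted by anyone in the thread; the web server address 192.0.2.10, the normal destination block 198.51.100.0/24, the resolver 198.51.100.53, the ACL and time-range names, the interface and the maintenance window are all assumptions. It uses an IOS time-range so the update lines switch themselves off after the window instead of relying on someone remembering to remove them.

```cisco
! Added example, not from the thread. Assumed topology: web server
! 192.0.2.10 behind the router; ACLs applied on the Internet-facing
! interface. Replace addresses, names and the window for your site.
!
! Window during which the web server may reach Microsoft Update.
! Outside it the two time-ranged entries are inactive, so the server
! falls back to its normal, locked-down egress with no ACL edits.
time-range MSUPDATE-WINDOW
 periodic Wednesday 02:00 to 02:30
!
ip access-list extended WEB-EGRESS
 remark normal state: only the destinations the site actually needs
 permit tcp host 192.0.2.10 198.51.100.0 0.0.0.255 eq 443
 remark name resolution is still required for the update client
 permit udp host 192.0.2.10 host 198.51.100.53 eq 53
 remark maintenance window only: Microsoft Update over HTTP/HTTPS to
 remark any destination, because no fixed IP list is published
 permit tcp host 192.0.2.10 any eq 80 time-range MSUPDATE-WINDOW
 permit tcp host 192.0.2.10 any eq 443 time-range MSUPDATE-WINDOW
 deny ip any any log
!
ip access-list extended WEB-INGRESS
 remark the published web service
 permit tcp any host 192.0.2.10 eq 80
 permit tcp any host 192.0.2.10 eq 443
 remark return traffic for sessions the server itself opened: this
 remark matches only segments with ACK or RST set, so it does not
 remark admit new inbound connections on arbitrary ports
 permit tcp any host 192.0.2.10 established
 deny ip any any log
!
interface FastEthernet0/0
 description Internet-facing
 ip access-group WEB-INGRESS in
 ip access-group WEB-EGRESS out
```

Two checks before relying on this: time-ranged entries follow the router clock, so configure NTP and confirm with `show clock`; and `show access-lists WEB-EGRESS` marks each time-ranged entry as active or inactive, which is the quickest way to see whether the window is open. The `established` keyword is what lets the return traffic in without a separate inbound 80/443 rule; on a device whose ACLs lack it, Roger's approach of opening inbound on the same ports for the duration of the window is the fallback.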