I have a network of 50 servers and 400 users. The servers run Win2k
and Win2k3 and sit behind a firewall. For obvious reasons, I limit
outbound traffic from the servers to the internet. This includes HTTP.
I don't want my servers to be accessible, and I don't want them
accessing any unnecessary external resources.
For example, We've had a flood of trojans in the past few weeks. The
trojans call a server (outbound traffic) via HTTP then download the
virus back in to the network. If I allow all outbound HTTP, then this
opens my servers to being vulnerable.
My problem: I need to update my servers with MS Critical Patches.
This means that I must create outbound rules on my main firewall
allowing
HTTP access to specific URLS or SUBNETS. I've allowed the following
based on the articles I've read in the groups and on MS, but there are
other sites involved as well that are not documented, and the IP
addresses are constantly changing.
activex.microsoft.com
download.windowsupdates.com
crl.microsoft.com
v3stats.windowsupdates.microsoft.com
v4.windowsupdates.microsoft.com
v5.windowsupdates.microsoft.com
207.46.0.0/16
64.4.0.0/16
38.113.0.0/16
64.62.0.0/16
64.152.0.0/16
Does anypne out there have a comprehensive listing of URLS and SUBNETS
that need to be included as destination addresses in an outbound HTTP
firewall policy to make sure that Windows Updates will work
consistently?
Thanks!
Your help is appreciated.
|
Similar Threads
Linear Mode
