I am more than happy to help. There are really three solution steps here,
following the principle of least privilege:
A. The trusted zone for Windows Update should be a separate one in your
firewall and:
1. Only have one trusted sites zone, and include only the following 3
websites:
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://download.windowsupdate.com
2. Remove all specific IP addresses and any ranges, as these change
without notice.
B. Because of the Exception list in so many of these firewalls, there should
be an exception object or zone, and it should perfectly mirror the trusted
zone spelled out in "A".
C. Make sure your firewall allows, at least to the zones above, Win32
Generic Service and ActiveX controls. This will be required soon for
Windows 2000 and Windows Server 2003 machines, which right now are using the
v4.windowsupdate.microsoft.com website.
This should work consistently for you, barring any other restrictions.
Please reply back to this newsgroup and let me know whether or not you were
successful.
Sincerely,
Pat Walters [MSFT]
<> wrote in message
news: ups.com...
> I've been hammering on this problem for a long time, and there does not
> seem to be a real solution for me. Hopefully someone from this group, maybe
> an employee from Microsoft can help out.
>
> I have a network of 50 servers and 400 users. The servers run Win2k
> and Win2k3 and sit behind a firewall. For obvious reasons, I limit
> outbound traffic from the servers to the internet. This includes HTTP.
> I don't want my servers to be accessible, and I don't want them
> accessing any unnecessary external resources.
>
> For example, We've had a flood of trojans in the past few weeks. The
> trojans call a server (outbound traffic) via HTTP then download the
> virus back in to the network. If I allow all outbound HTTP, then this
> opens my servers to being vulnerable.
>
> My problem: I need to update my servers with MS Critical Patches.
> This means that I must create outbound rules on my firewall allowing
> HTTP access to specific URLS or SUBNETS. I've allowed the following
> based on the articles I've read in the groups and on MS, but there are
> other sites involved as well that are not documented, and the IP
> addresses are constantly changing.
>
> activex.microsoft.com
> download.windowsupdates.com
> crl.microsoft.com
> v3stats.windowsupdates.microsoft.com
> v4.windowsupdates.microsoft.com
> v5.windowsupdates.microsoft.com
>
> 207.46.0.0/16
> 64.4.0.0/16
> 38.113.0.0/16
> 64.62.0.0/16
> 64.152.0.0/16
>
> Does anyone out there have a comprehensive listing of URLS and SUBNETS
> that need to be included as destination addresses in an outbound HTTP
> firewall policy to make sure that Windows Updates will work
> consistently?
>
> Thanks!
>
>
> Your help is appreciated.
>
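The reply above recommends three scheme-plus-hostname patterns and no IP ranges. As an added example (not from the thread and not Microsoft's code), the script below shows what a strict, label-anchored matcher for such patterns has to get right so that an outbound allowlist really is least-privilege: the wildcard only matches a leading label, the suffix is anchored at the end of the host, scheme is checked per pattern, and a raw IP or a look-alike domain is denied. The sample proxy-log lines are constructed for the example, and the treatment of a wildcard as requiring at least one subdomain label is an assumption to adjust to what your firewall actually does.

```python
"""Scheme + hostname outbound allowlist matcher (worked example, not vendor code)."""
from urllib.parse import urlsplit

# The three patterns from the reply above.
ALLOWLIST = [
    "http://*.windowsupdate.microsoft.com",
    "https://*.windowsupdate.microsoft.com",
    "http://download.windowsupdate.com",
]


def _split_pattern(pattern: str):
    """Split 'scheme://hostpattern' without urlsplit, since '*' is not a valid host."""
    scheme, _, host = pattern.partition("://")
    return scheme.lower(), host.lower().rstrip(".")


def _host_matches(pattern_host: str, host: str) -> bool:
    """Match a hostname against a pattern where a leading '*.' means
    'one or more labels in front of this suffix'.

    Assumption: the bare domain (windowsupdate.microsoft.com) does NOT match
    '*.windowsupdate.microsoft.com'; change the length check if your firewall
    treats the wildcard as optional.
    """
    host = host.lower().rstrip(".")
    if pattern_host.startswith("*."):
        suffix = pattern_host[1:]          # ".windowsupdate.microsoft.com"
        # endswith on a suffix that starts with '.' anchors at a label boundary,
        # so 'xwindowsupdate.microsoft.com' and 'windowsupdate.microsoft.com.evil'
        # both fail; len() check requires at least one leading label.
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern_host


def is_allowed(url: str, allowlist=ALLOWLIST) -> bool:
    """True if url's scheme and host match at least one allowlist pattern."""
    parts = urlsplit(url)
    host = parts.hostname               # lower-cased, port and userinfo stripped
    if parts.scheme.lower() not in ("http", "https") or not host:
        return False
    for pattern in allowlist:
        p_scheme, p_host = _split_pattern(pattern)
        if p_scheme == parts.scheme.lower() and _host_matches(p_host, host):
            return True
    return False                        # default deny: IPs, look-alikes, typos


# Constructed proxy-log lines: "<client> <requested url>". Not real traffic.
SAMPLE_LOG = """\
10.0.5.12 http://v4.windowsupdate.microsoft.com/v4/catalog.cab
10.0.5.12 https://V5.WindowsUpdate.microsoft.com/ClientWebService/client.asmx
10.0.5.12 http://download.windowsupdate.com/msdownload/update/patch.cab
10.0.5.13 http://windowsupdate.microsoft.com.dropper.example/bot.exe
10.0.5.13 http://207.46.1.1/update.cab
10.0.5.14 http://download.windowsupdates.com/patch.cab
10.0.5.14 https://download.windowsupdate.com/patch.cab
"""


def audit(log_text: str, allowlist=ALLOWLIST):
    """Classify each log line; returns [(client, url, allowed), ...]."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, url = line.split(None, 1)
        results.append((client, url.strip(), is_allowed(url.strip(), allowlist)))
    return results


def denied_urls(log_text: str, allowlist=ALLOWLIST):
    """Just the URLs the policy would block, for review."""
    return [url for _, url, ok in audit(log_text, allowlist) if not ok]


if __name__ == "__main__":
    for client, url, ok in audit(SAMPLE_LOG):
        print("ALLOW" if ok else "DENY ", client, url)
```

Note the last two denied lines: the "windowsupdates" host from the original question is a typo of the real domain and matches nothing, and HTTPS to download.windowsupdate.com is denied because the reply only lists that host over HTTP; whether that second one should be opened is a decision to make explicitly rather than by widening the pattern to a bare IP range.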