Microsoft Update

on 01.10.2007 05:42:00 by georgedschneider

Currently we have our web server completely locked down by only allowing
the web server to get out to needed websites by adding a rule to the
router/firewall ACL. I can't seem to find a way to allow access to
Microsoft Update, which would need to be allowed by IP address. Can
someone tell me the IP addresses or range I can specify on my router to
allow this for the web server?

Re: Microsoft Update

on 02.10.2007 07:24:52 by Ken Schaefer

Does your router support DNS names in ACLs, or only IP addresses?

Alternatively, have you looked at hosting a WSUS server internally - that
way your client machines (e.g. your IIS server) would just get their updates
from a local server.

Cheers
Ken

"George Schneider" wrote in message
news:D49DBF14-0D4D-4A24-9652-C2A1CD428435@microsoft.com...
> Currently we have our web server completely locked down by only allowing
> the web server to get out to needed websites by adding a rule to the
> router/firewall ACL. I can't seem to find a way to allow access to
> Microsoft Update, which would need to be allowed by IP address. Can
> someone tell me the IP addresses or range I can specify on my router to
> allow this for the web server?

Re: Microsoft Update

on 03.10.2007 02:36:09 by Roger Abell

When Windows Update was first starting out I raised this same
item with Microsoft for the very same reason. Bottom line is that
to date there is no listing of IPs (to my awareness) and there is not
likely to be one (two main reasons: security - don't advertise what
you do not want DoS deluged; and the IPs change and are also
dependent on where in the world one is, as there are multiple
feeds and these are outsourced to well-connected providers).
On servers that need to visit Microsoft Update I have a normally
not enabled rule that allows outbound TCP 80 and 443, and if there
is not already one that allows inbound on the same ports. This
rule is enabled for the 10 minutes, more or less, that is needed,
and then returned to its normal, not enabled state.

Roger

"George Schneider" wrote in message
news:D49DBF14-0D4D-4A24-9652-C2A1CD428435@microsoft.com...
> Currently we have our web server completely locked down by only allowing
> the web server to get out to needed websites by adding a rule to the
> router/firewall ACL. I can't seem to find a way to allow access to
> Microsoft Update, which would need to be allowed by IP address. Can
> someone tell me the IP addresses or range I can specify on my router to
> allow this for the web server?

Re: Microsoft Update

on 05.10.2007 01:45:00 by georgedschneider

That's the long-term solution: set up a WSUS internally and the problem
ceases to exist. In the immediate future, I've had to create an ACL to
allow 80 and 443 in and out on established connections when I'm ready to
update.

As far as I know, the ACLs on Cisco routers/firewalls only support IP.

"Ken Schaefer" wrote:

> Does your router support DNS names in ACLs, or only IP addresses?
>
> Alternatively, have you looked at hosting a WSUS server internally - that
> way your client machines (e.g. your IIS server) would just get their
> updates from a local server.
>
> Cheers
> Ken
>
> "George Schneider" wrote in message
> news:D49DBF14-0D4D-4A24-9652-C2A1CD428435@microsoft.com...
> > Currently we have our web server completely locked down by only
> > allowing the web server to get out to needed websites by adding a rule
> > to the router/firewall ACL. I can't seem to find a way to allow access
> > to Microsoft Update, which would need to be allowed by IP address. Can
> > someone tell me the IP addresses or range I can specify on my router
> > to allow this for the web server?

Re: Microsoft Update

on 05.10.2007 01:47:01 by georgedschneider

I've done a similar thing as well, creating an ACL to allow this and then
removing it when I'm done. I understand Microsoft's reasoning, but it makes
it real hard for security if we completely lock something down and only
allow specific access. I guess this is their way of forcing the issue with
WSUS.

"Roger Abell [MVP]" wrote:

> When Windows Update was first starting out I raised this same
> item with Microsoft for the very same reason. Bottom line is that
> to date there is no listing of IPs (to my awareness) and there is not
> likely to be one (two main reasons: security - don't advertise what
> you do not want DoS deluged; and the IPs change and are also
> dependent on where in the world one is, as there are multiple
> feeds and these are outsourced to well-connected providers).
> On servers that need to visit Microsoft Update I have a normally
> not enabled rule that allows outbound TCP 80 and 443, and if there
> is not already one that allows inbound on the same ports. This
> rule is enabled for the 10 minutes, more or less, that is needed,
> and then returned to its normal, not enabled state.
>
> Roger
>
> "George Schneider" wrote in message
> news:D49DBF14-0D4D-4A24-9652-C2A1CD428435@microsoft.com...
> > Currently we have our web server completely locked down by only
> > allowing the web server to get out to needed websites by adding a rule
> > to the router/firewall ACL. I can't seem to find a way to allow access
> > to Microsoft Update, which would need to be allowed by IP address. Can
> > someone tell me the IP addresses or range I can specify on my router
> > to allow this for the web server?
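
The pattern Roger and George describe (an outbound 80/443 rule that is normally disabled, plus inbound permits limited to return traffic of connections the server opened) written out as a Cisco IOS ACL fragment. This is an added example, not configuration from the thread; the server address 192.0.2.10, the interface name, the ACL names and the window times are assumed placeholders.

```cisco
! Added example, not from the thread. Assumed placeholders: web server
! 192.0.2.10 behind inside interface FastEthernet0/1; 15-minute window.
!
! The update permits are tied to a time-range, so they are inactive outside
! the window: Roger's "normally not enabled" rule without manual toggling.
time-range MSUPDATE-WINDOW
 absolute start 02:00 5 October 2007 end 02:15 5 October 2007
!
! Packets from the web server (they arrive "in" on the inside interface).
ip access-list extended WEBSRV-OUT
 remark Replies of the server's own published service (ACK/RST set)
 permit tcp host 192.0.2.10 eq 80 any established
 permit tcp host 192.0.2.10 eq 443 any established
 remark New outbound connections only during the update window
 permit tcp host 192.0.2.10 any eq 80 time-range MSUPDATE-WINDOW
 permit tcp host 192.0.2.10 any eq 443 time-range MSUPDATE-WINDOW
 deny ip any any log
!
! Packets towards the web server (they leave "out" on the inside interface).
ip access-list extended WEBSRV-IN
 remark Clients reaching the published web service
 permit tcp any host 192.0.2.10 eq 80
 permit tcp any host 192.0.2.10 eq 443
 remark Return traffic of connections the server opened; "established"
 remark matches only segments with ACK or RST set, so a bare SYN is dropped
 permit tcp any eq 80 host 192.0.2.10 established
 permit tcp any eq 443 host 192.0.2.10 established
 deny ip any any log
!
interface FastEthernet0/1
 ip access-group WEBSRV-OUT in
 ip access-group WEBSRV-IN out
```

Note that `established` is a stateless flag check on the IOS router, not connection tracking, so it only narrows the return path and is no substitute for a stateful firewall. The server also needs name resolution to reach the update hosts, so permit UDP 53 to your resolver (or use an internal DNS server) separately; none of this is shown above.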

Re: Microsoft Update

on 05.10.2007 03:44:11 by Roger Abell

I actually think it is such that MS would just as soon it could be
otherwise, but again, management of what is outsourced is not
something they can constrain and still get the volume/scale.

Roger

"George Schneider" wrote in message
news:621D58D4-87EA-4975-AC96-26ED1C174130@microsoft.com...
> I've done a similar thing as well, creating an ACL to allow this and then
> removing it when I'm done. I understand Microsoft's reasoning, but it
> makes it real hard for security if we completely lock something down and
> only allow specific access. I guess this is their way of forcing the
> issue with WSUS.
>
> "Roger Abell [MVP]" wrote:
>
>> When Windows Update was first starting out I raised this same
>> item with Microsoft for the very same reason. Bottom line is that
>> to date there is no listing of IPs (to my awareness) and there is not
>> likely to be one (two main reasons: security - don't advertise what
>> you do not want DoS deluged; and the IPs change and are also
>> dependent on where in the world one is, as there are multiple
>> feeds and these are outsourced to well-connected providers).
>> On servers that need to visit Microsoft Update I have a normally
>> not enabled rule that allows outbound TCP 80 and 443, and if there
>> is not already one that allows inbound on the same ports. This
>> rule is enabled for the 10 minutes, more or less, that is needed,
>> and then returned to its normal, not enabled state.
>>
>> Roger
>>
>> "George Schneider" wrote in message
>> news:D49DBF14-0D4D-4A24-9652-C2A1CD428435@microsoft.com...
>> > Currently we have our web server completely locked down by only
>> > allowing the web server to get out to needed websites by adding a
>> > rule to the router/firewall ACL. I can't seem to find a way to allow
>> > access to Microsoft Update, which would need to be allowed by IP
>> > address. Can someone tell me the IP addresses or range I can specify
>> > on my router to allow this for the web server?