05-03-2007 04:51 AM - edited 03-11-2019 03:08 AM
About 1/2 the PCs in my company should not have the ability to browse. I want them to be able to run Windows Update. Google gave me lots to look at. But, I can't find a list of IPs complete enough to work. I figure someone (many someones) must have done this before. What ACLs are necessary to get Windows Update to work?
05-08-2007 03:13 PM
I really doubt you will ever come across a complete list of those servers. Compiling and publishing such a list would undoubtedly invite nefarious activity.
Here are a couple of things you might want to look at alternatively.
1. Build a web proxy and use a combination of authentication and access control lists to restrict outbound access.
2. Use N2H2-based URL filtering; your PIX/ASA should have built-in support for it.
3. Build your own WSUS server that lives on a DMZ network that all workstations can talk to.
05-09-2007 04:47 AM
Plan on setting up a WSUS server, but was hoping for a quick temporary fix. I guess quick and dirty and security don't mix.
Thanks for the info.
05-11-2007 03:58 AM
Although this is for WSUS you could try these sites:
Go to the link: Configure the Firewall Between the WSUS Server and the Internet
05-14-2007 08:00 AM
Looks like that should work. If not then WSUS is the only real answer.
Thanks.
05-14-2007 08:05 AM
I'm not quite sure how that helps. The link doesn't include a list of hosts that you could use to restrict TCP/80,443 access to.