Allowing Windows Update Servers while blocking all other HTTP/HTTPS


Christopher Wilson provided a pretty good list of URLs above.

I would add that WSUS may not be a big deal in the long run. You will most likely still have to define the router whitelist if the goal is to block internet access and surfing. However, one of the many reasons to implement WSUS is to minimize the impact on the internet connection by only downloading updates once, not to mention it gives you ultimate control over when and which updates to push to clients.

If you already have a database server lying around, adding WSUS to an existing box is not too bad and not too much overhead, depending on the number of clients you have.

My suggestion essentially is that you can utilize the list Chris provided to help build out your block policy but also improve your overall desktop maintenance capabilities all while reducing internet bandwidth requirements.

UPDATE: Microsoft URLs to Whitelist:

  • windowsupdate.microsoft.com
  • .update.microsoft.com
  • download.windowsupdate.com
  • redir.metaservices.microsoft.com
  • images.metaservices.microsoft.com
  • c.microsoft.com
  • www.download.windowsupdate.com
  • wustat.windows.com
  • crl.microsoft.com
  • sls.microsoft.com
  • productactivation.one.microsoft.com
  • ntservicepack.microsoft.com
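An added example (not code from the thread) that turns the whitelist above into an iptables rule set: it resolves each host to all of its current IPv4 addresses, which is what the last comment found made plain hostname rules unreliable, and allows HTTP/HTTPS from the LAN only to those addresses. The interface name, the LAN subnet and the WU_ALLOW chain name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: turn the whitelist above into iptables
# rules that let LAN clients reach HTTP/HTTPS only on the Windows Update hosts
# and drop all other web traffic. A host can resolve to several addresses, so
# every address is whitelisted and the script is meant to be re-run from cron.
# Assumed (hypothetical) layout: LAN interface eth1, LAN subnet 192.168.0.0/24.
LAN_IF=eth1
LAN_NET=192.168.0.0/24

WU_HOSTS="windowsupdate.microsoft.com download.windowsupdate.com
www.download.windowsupdate.com redir.metaservices.microsoft.com
images.metaservices.microsoft.com c.microsoft.com wustat.windows.com
crl.microsoft.com sls.microsoft.com productactivation.one.microsoft.com
ntservicepack.microsoft.com"

# All IPv4 addresses a name currently resolves to, one per line.
resolve_v4() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u
}

# Print "host ip" pairs for every whitelisted host (live DNS lookups).
resolve_all() {
    for h in $WU_HOSTS; do
        resolve_v4 "$h" | while read -r ip; do echo "$h $ip"; done
    done
}

# Read "host ip" pairs on stdin and print the iptables commands for them.
# Kept as a text generator so the rule set can be reviewed before it is applied.
gen_rules() {
    echo "iptables -N WU_ALLOW 2>/dev/null || iptables -F WU_ALLOW"
    while read -r host ip; do
        [ -n "$ip" ] || continue
        for port in 80 443; do
            echo "iptables -A WU_ALLOW -s $LAN_NET -d $ip -p tcp --dport $port" \
                 "-m comment --comment \"$host\" -j ACCEPT"
        done
    done
    # Anything else on 80/443 from the LAN is dropped (surfing stays blocked).
    echo "iptables -A WU_ALLOW -s $LAN_NET -p tcp -m multiport --dports 80,443 -j DROP"
    # Hook the chain into FORWARD once; -C checks whether the jump already exists.
    echo "iptables -C FORWARD -i $LAN_IF -j WU_ALLOW 2>/dev/null ||" \
         "iptables -I FORWARD -i $LAN_IF -j WU_ALLOW"
}

case "${1:-}" in
    print) resolve_all | gen_rules ;;      # show the rules that would be applied
    apply) resolve_all | gen_rules | sh ;; # apply them (as root, e.g. from cron)
esac
```

The addresses behind these names change, so the chain is only as current as the last run; a client that resolves a name to an address not yet in the chain will still fail until the next refresh.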


krissi

Updated on September 18, 2022

Comments

  • krissi
    krissi almost 2 years

    I am building an iptables script for a router to block all traffic from and to the machines behind it, except a small set of hosts/ports (RDP incoming, DNS outgoing, ...). HTTP and HTTPS are blocked.

    Internet --- Router with iptables -+- Windows XP
                                       |
                                       +- Windows XP
                                       .
                                       .
    

    Unfortunately with HTTP/S blocked the Windows Updates are failing. I want the Updates to be working and the surfing to be blocked. These are my thoughts:

    • Setting up a WSUS/Proxy -> Oversized I think, would like to spare another server
    • Getting a list of all Microsoft Update Servers -> Is there any?
    • Getting rid of the Asterisks of the technet dns name list somehow and allow these hosts
    • Maybe a way to do the HTTP-Filtering in with Windows Firewall and separate by service (Win XP SP3)?

    Any other thoughts? Maybe someone has already solved this scenario? What would you recommend?

    Thanks in advance

    • Haseeb Mohamed
      Haseeb Mohamed about 12 years
      windowsupdate.microsoft.com .update.microsoft.com download.windowsupdate.com redir.metaservices.microsoft.com images.metaservices.microsoft.com c.microsoft.com www.download.windowsupdate.com wustat.windows.com crl.microsoft.com sls.microsoft.com productactivation.one.microsoft.com ntservicepack.microsoft.com
  • krissi
    krissi about 12 years
    Unfortunately there is no Windows server at all in range, I would have to set up a new VM and install everything :( I forgot to mention in the first place, the ESX is in a datacenter with plenty of unused inclusive traffic. I will try Christopher Wilson's list and get back to WSUS when there are some more clients. Thanks for your answer, Brent
  • krissi
    krissi about 12 years
    Well, I hit some problems, because the hostnames are resolving to multiple addresses, etc. Too complex to be reliable I think. I switched to the WSUS solution and exposed an existing WSUS server to these specific hosts.