What ACL to allow Windows Update without browsing

Unanswered Question
May 3rd, 2007

About 1/2 the PCs in my company should not have the ability to browse. I want them to be able to run Windows Update. Google gave me lots to look at, but I can't find a list of IPs complete enough to work. I figure someone (many someones) must have done this before. What ACLs are necessary to get Windows Update to work?

laurent.geyer Tue, 05/08/2007 - 15:13

I really doubt you will ever come across a complete list of those servers. Compiling and publishing such a list would undoubtedly invite nefarious activity.

Here are a couple of things you might want to look at alternatively.

1. Build a web proxy and use a combination of authentication and access control lists to restrict outbound access.

2. Use N2H2 based URL filtering, your PIX/ASA should have built in support for it.

3. Build your own WSUS server that lives on a dmz network that all workstations can talk to.
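As an added illustration of option 1 (not the poster's configuration, and not a Microsoft-published list): a Squid proxy that lets every workstation reach the update hosts without credentials while general browsing requires proxy authentication. The client subnet, the password file path and the update domain set are constructed assumptions; the domains shown are a subset and should be checked against Microsoft's current published list.

```conf
# Constructed example: Squid ACLs for "update yes, browsing only for authenticated users".
# Assumed client subnet and password file.
acl localnet src 10.0.0.0/24
acl safe_ports port 80 443
acl ssl_ports port 443

# Assumed subset of Windows Update destinations; a leading dot matches subdomains.
acl update_hosts dstdomain .windowsupdate.com .update.microsoft.com

# Basic auth backend; only staff allowed to browse get an entry in this file.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/browsers.passwd
auth_param basic realm Internet browsing
acl browsers proxy_auth REQUIRED

http_access deny !safe_ports
http_access deny CONNECT !ssl_ports

# Order matters: the update allowlist is evaluated before the auth rule, because the
# Windows Update service runs as SYSTEM and cannot answer a 407 challenge interactively.
http_access allow localnet update_hosts
http_access allow localnet browsers
http_access deny all
```

Workstations without browsing rights still need the proxy set for the WinHTTP stack (used by the update service), not only in the user's browser settings, or the service bypasses the proxy and hits the firewall directly.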

hetteldorf Wed, 05/09/2007 - 04:47

Plan on setting up a WSUS server, but was hoping for a quick temporary fix. I guess quick and dirty and security don't mix.

Thanks for the info.

hetteldorf Mon, 05/14/2007 - 08:00

Looks like that should work. If not then WSUS is the only real answer.


laurent.geyer Mon, 05/14/2007 - 08:05

I'm not quite sure how that helps. The link doesn't include a list of hosts that you could use to restrict TCP/80,443 access to.
