
What ACL to allow Windows Update without browsing

hetteldorf
Level 1

About 1/2 the PCs in my company should not have the ability to browse. I want them to be able to run Windows Update. Google gave me lots to look at, but I can't find a list of IPs complete enough to work. I figure someone (many someones) must have done this before. What ACLs are necessary to get Windows Update to work?

5 Replies

laurent.geyer
Level 1

I really doubt you will ever come across a complete list of those servers. Compiling and publishing such a list would undoubtedly invite nefarious activity.

Here are a couple of things you might want to look at alternatively.

1. Build a web proxy and use a combination of authentication and access control lists to restrict outbound access.

2. Use N2H2-based URL filtering; your PIX/ASA should have built-in support for it.

3. Build your own WSUS server that lives on a DMZ network that all workstations can talk to.
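
The hostname-based access control from option 1 above, as an added example that is not part of the original post: a proxy can decide on the requested hostname instead of on IP addresses. The hostname patterns are assumptions based on Microsoft's published WSUS firewall guidance, and the subnet and function names are constructed for illustration.

```python
import ipaddress

# Assumption: patterns based on Microsoft's published WSUS firewall guidance;
# verify them against current documentation before relying on this list.
UPDATE_HOSTS = (
    "windowsupdate.microsoft.com",
    "*.windowsupdate.microsoft.com",
    "*.update.microsoft.com",
    "*.windowsupdate.com",
    "download.microsoft.com",
    "wustat.windows.com",
    "ntservicepack.microsoft.com",
)
# Constructed sample: subnet holding the PCs that must not browse.
RESTRICTED_NET = ipaddress.ip_network("10.0.20.0/24")
ALLOWED_PORTS = {80, 443}


def host_allowed(host, patterns=UPDATE_HOSTS):
    """Match on whole DNS labels so look-alike names do not pass."""
    host = host.strip().rstrip(".").lower()
    if not host:
        return False
    for pattern in patterns:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".example.com": subdomains only
            if host.endswith(suffix) and host != suffix:
                return True
        elif host == pattern:
            return True
    return False


def proxy_decision(client_ip, host, port):
    """Return 'allow', 'deny' or 'default' for one outbound request."""
    client = ipaddress.ip_address(client_ip)
    if client not in RESTRICTED_NET:
        return "default"  # unrestricted PCs fall through to the normal policy
    if port in ALLOWED_PORTS and host_allowed(host):
        return "allow"
    return "deny"  # restricted PCs reach update hosts only
```

The suffix test keeps the leading dot, so a name that merely ends in the same characters or embeds an allowed name as a prefix is denied.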

Plan on setting up a WSUS server, but was hoping for a quick temporary fix. I guess quick and dirty and security don't mix.

Thanks for the info.

h.parsons
Level 3

Although this is for WSUS you could try these sites:

http://technet2.microsoft.com/windowsserver/en/library/9d55bda5-9eb9-46d2-a204-62034936eb131033.mspx?mfr=true

Go to the link: Configure the Firewall Between the WSUS Server and the Internet

Looks like that should work. If not then WSUS is the only real answer.

Thanks.

I'm not quite sure how that helps. The link doesn't include a list of hosts that you could use to restrict TCP/80,443 access to.
