Windows Vista Forums

It would be nice if MS could settingle on a single subnet for updates
  1. #1


    Leythos Guest

    It would be nice if MS could settingle on a single subnet for updates

    Started playing with Vista again and had to add 5 different subnet
    ranges in the firewall in order to get Vista updates, so, considering
    Win XP, Office XP, 2003, 2007, Vista, Servers, etc.. I have about 15
    sets of subnets (ranges) needed to allow CAB/EXE and other content from.

    MS, Please pick on /24 range and use it for all of your update sites.

    --



    Leythos
    - Igitur qui desiderat pacem, praeparet bellum.
    - Calling an illegal alien an "undocumented worker" is like calling a
    drug dealer an "unlicensed pharmacist"
    spam999free@rrohio.com (remove 999 for proper email address)

      My System SpecsSystem Spec

  2. #2


    DevilsPGD Guest

    Re: It would be nice if MS could settingle on a single subnet for updates

    In message <MPG.2111cf00343ea0e1989831@adfree.Usenet.com> Leythos
    <void@nowhere.lan> wrote:

    >Started playing with Vista again and had to add 5 different subnet
    >ranges in the firewall in order to get Vista updates, so, considering
    >Win XP, Office XP, 2003, 2007, Vista, Servers, etc.. I have about 15
    >sets of subnets (ranges) needed to allow CAB/EXE and other content from.
    >
    >MS, Please pick on /24 range and use it for all of your update sites.


    Perhaps you should use a larger CIDR range then a /24?

    --
    If quitters never win, and winners never quit,
    what fool came up with, "Quit while you're ahead"?

      My System SpecsSystem Spec

  3. #3


    Leythos Guest

    Re: It would be nice if MS could settingle on a single subnet for updates

    In article <ld2ga3dbln975na5c46gogpoc0sd9vgfot@4ax.com>,
    spam_narf_spam@crazyhat.net says...
    > In message <MPG.2111cf00343ea0e1989831@adfree.Usenet.com> Leythos
    > <void@nowhere.lan> wrote:
    >
    > >Started playing with Vista again and had to add 5 different subnet
    > >ranges in the firewall in order to get Vista updates, so, considering
    > >Win XP, Office XP, 2003, 2007, Vista, Servers, etc.. I have about 15
    > >sets of subnets (ranges) needed to allow CAB/EXE and other content from.
    > >
    > >MS, Please pick on /24 range and use it for all of your update sites.

    >
    > Perhaps you should use a larger CIDR range then a /24?


    I could, but there is no clear sign from MS as to what IP's they are
    using. In many cases the same company that provides their downloads also
    provides other companies downloads in the same block.

    So, maybe MS should pick one subnet, since they can't possibly need more
    than a /24 to provide updates, and publish it for us network admins?

    --

    Leythos
    - Igitur qui desiderat pacem, praeparet bellum.
    - Calling an illegal alien an "undocumented worker" is like calling a
    drug dealer an "unlicensed pharmacist"
    spam999free@rrohio.com (remove 999 for proper email address)

      My System SpecsSystem Spec

  4. #4


    Mike Brannigan Guest

    Re: It would be nice if MS could settingle on a single subnet for updates

    "Leythos" <void@nowhere.lan> wrote in message
    news:MPG.21126ba36448e41798983d@adfree.Usenet.com...
    > In article <ld2ga3dbln975na5c46gogpoc0sd9vgfot@4ax.com>,
    > spam_narf_spam@crazyhat.net says...
    >> In message <MPG.2111cf00343ea0e1989831@adfree.Usenet.com> Leythos
    >> <void@nowhere.lan> wrote:
    >>
    >> >Started playing with Vista again and had to add 5 different subnet
    >> >ranges in the firewall in order to get Vista updates, so, considering
    >> >Win XP, Office XP, 2003, 2007, Vista, Servers, etc.. I have about 15
    >> >sets of subnets (ranges) needed to allow CAB/EXE and other content from.
    >> >
    >> >MS, Please pick on /24 range and use it for all of your update sites.

    >>
    >> Perhaps you should use a larger CIDR range then a /24?

    >
    > I could, but there is no clear sign from MS as to what IP's they are
    > using. In many cases the same company that provides their downloads also
    > provides other companies downloads in the same block.
    >
    > So, maybe MS should pick one subnet, since they can't possibly need more
    > than a /24 to provide updates, and publish it for us network admins?
    >
    > --


    You should not be using specific addresses to access any Microsoft service -
    be that activation, downloads etc.
    Microsoft operates a number of layers of protection against various forms of
    Internet based attack that include the rapid changing of IP addresses for
    key services.
    If you try and use specific addresses there is no guarantee that these will
    remain valid for any period of time.
    Maybe you need to reconsider your firewall and blocking strategy some more
    and use either better tools or an alternative strategy for controlling
    access from your network to external services.
    (Blocking IP ranges is not a via solution longterm)

    --

    Mike Brannigan
    "Leythos" <void@nowhere.lan> wrote in message
    news:MPG.21126ba36448e41798983d@adfree.Usenet.com...
    > In article <ld2ga3dbln975na5c46gogpoc0sd9vgfot@4ax.com>,
    > spam_narf_spam@crazyhat.net says...
    >> In message <MPG.2111cf00343ea0e1989831@adfree.Usenet.com> Leythos
    >> <void@nowhere.lan> wrote:
    >>
    >> >Started playing with Vista again and had to add 5 different subnet
    >> >ranges in the firewall in order to get Vista updates, so, considering
    >> >Win XP, Office XP, 2003, 2007, Vista, Servers, etc.. I have about 15
    >> >sets of subnets (ranges) needed to allow CAB/EXE and other content from.
    >> >
    >> >MS, Please pick on /24 range and use it for all of your update sites.

    >>
    >> Perhaps you should use a larger CIDR range then a /24?

    >
    > I could, but there is no clear sign from MS as to what IP's they are
    > using. In many cases the same company that provides their downloads also
    > provides other companies downloads in the same block.
    >
    > So, maybe MS should pick one subnet, since they can't possibly need more
    > than a /24 to provide updates, and publish it for us network admins?
    >
    > --
    >
    > Leythos
    > - Igitur qui desiderat pacem, praeparet bellum.
    > - Calling an illegal alien an "undocumented worker" is like calling a
    > drug dealer an "unlicensed pharmacist"
    > spam999free@rrohio.com (remove 999 for proper email address)



      My System SpecsSystem Spec

  5. #5


    DevilsPGD Guest

    Re: It would be nice if MS could settingle on a single subnet for updates

    In message <MPG.21126ba36448e41798983d@adfree.Usenet.com> Leythos
    <void@nowhere.lan> wrote:

    >In article <ld2ga3dbln975na5c46gogpoc0sd9vgfot@4ax.com>,
    >spam_narf_spam@crazyhat.net says...
    >> In message <MPG.2111cf00343ea0e1989831@adfree.Usenet.com> Leythos
    >> <void@nowhere.lan> wrote:
    >>
    >> >Started playing with Vista again and had to add 5 different subnet
    >> >ranges in the firewall in order to get Vista updates, so, considering
    >> >Win XP, Office XP, 2003, 2007, Vista, Servers, etc.. I have about 15
    >> >sets of subnets (ranges) needed to allow CAB/EXE and other content from.
    >> >
    >> >MS, Please pick on /24 range and use it for all of your update sites.

    >>
    >> Perhaps you should use a larger CIDR range then a /24?

    >
    >I could, but there is no clear sign from MS as to what IP's they are
    >using. In many cases the same company that provides their downloads also
    >provides other companies downloads in the same block.


    Ahh, true enough.

    >So, maybe MS should pick one subnet, since they can't possibly need more
    >than a /24 to provide updates, and publish it for us network admins?


    Perhaps a WSUS server would be more to your needs?

    --
    If quitters never win, and winners never quit,
    what fool came up with, "Quit while you're ahead"?

      My System SpecsSystem Spec

  6. #6


    Steve Riley [MSFT] Guest

    Re: It would be nice if MS could settingle on a single subnet for updates

    IP addresses are spoofable, so they are not appropriate for making security
    decisions. Only when you're using IPsec can you do this, because then the
    cryptographic signatures appended to the datagrams provide a mechanism for
    you to trust originating addresses.

    We purposefully change the IP addresses regularly to prevent various kinds
    of attacks.

    Steve Riley
    steve.riley@microsoft.com
    http://blogs.technet.com/steriley


    "Leythos" <void@nowhere.lan> wrote in message
    news:MPG.2111cf00343ea0e1989831@adfree.Usenet.com...
    > Started playing with Vista again and had to add 5 different subnet
    > ranges in the firewall in order to get Vista updates, so, considering
    > Win XP, Office XP, 2003, 2007, Vista, Servers, etc.. I have about 15
    > sets of subnets (ranges) needed to allow CAB/EXE and other content from.
    >
    > MS, Please pick on /24 range and use it for all of your update sites.
    >
    > --
    >
    > Leythos
    > - Igitur qui desiderat pacem, praeparet bellum.
    > - Calling an illegal alien an "undocumented worker" is like calling a
    > drug dealer an "unlicensed pharmacist"
    > spam999free@rrohio.com (remove 999 for proper email address)



      My System SpecsSystem Spec

  7. #7


    Leythos Guest

    Re: It would be nice if MS could settingle on a single subnet for updates

    In article <1CC1ABE2-E961-4560-B908-38E896689A22@microsoft.com>,
    steve.riley@microsoft.com says...
    > IP addresses are spoofable, so they are not appropriate for making security
    > decisions. Only when you're using IPsec can you do this, because then the
    > cryptographic signatures appended to the datagrams provide a mechanism for
    > you to trust originating addresses.
    >
    > We purposefully change the IP addresses regularly to prevent various kinds
    > of attacks.


    And as a normal measure of security we don't allow unrestricted access
    to the net, we don't allow CAB, EXE, and a bunch of other files via HTTP
    or SMTP. We only allow web access to partner sites and a few white-
    listed sites, this keeps the network secure, along with many other
    measures.

    I tend to enter subnets for the MS update sites, a /24 or a /28
    depending on what I think the range will be, but never just a single IP
    as I know the IP will change in that range.

    What would be nice, since we have never had a hacked customer, is if we
    could have a list of IP ranges used by the different update providers. I
    don't have a problem with MS changing them, but it sure would be nice to
    know what they are so that we can get them in the system.

    As for WSUS - we still need to know what the update sites are, we don't
    even allow the servers to get updates unless it's an approved
    subnet/network.

    Since this is a "security" group, I would think that others would
    commonly block all users from code downloads as a standard practice and
    only allow code downloads from approved site....

    --

    Leythos
    - Igitur qui desiderat pacem, praeparet bellum.
    - Calling an illegal alien an "undocumented worker" is like calling a
    drug dealer an "unlicensed pharmacist"
    spam999free@rrohio.com (remove 999 for proper email address)

      My System SpecsSystem Spec

  8. #8


    Mike Brannigan Guest

    Re: It would be nice if MS could settingle on a single subnet for updates

    "Leythos" <void@nowhere.lan> wrote in message
    news:MPG.2112eef792c3b8c4989844@adfree.Usenet.com...
    > In article <1CC1ABE2-E961-4560-B908-38E896689A22@microsoft.com>,
    > steve.riley@microsoft.com says...
    >> IP addresses are spoofable, so they are not appropriate for making
    >> security
    >> decisions. Only when you're using IPsec can you do this, because then the
    >> cryptographic signatures appended to the datagrams provide a mechanism
    >> for
    >> you to trust originating addresses.
    >>
    >> We purposefully change the IP addresses regularly to prevent various
    >> kinds
    >> of attacks.

    >
    > And as a normal measure of security we don't allow unrestricted access
    > to the net, we don't allow CAB, EXE, and a bunch of other files via HTTP
    > or SMTP. We only allow web access to partner sites and a few white-
    > listed sites, this keeps the network secure, along with many other
    > measures.
    >
    > I tend to enter subnets for the MS update sites, a /24 or a /28
    > depending on what I think the range will be, but never just a single IP
    > as I know the IP will change in that range.
    >
    > What would be nice, since we have never had a hacked customer, is if we
    > could have a list of IP ranges used by the different update providers. I
    > don't have a problem with MS changing them, but it sure would be nice to
    > know what they are so that we can get them in the system.
    >
    > As for WSUS - we still need to know what the update sites are, we don't
    > even allow the servers to get updates unless it's an approved
    > subnet/network.
    >
    > Since this is a "security" group, I would think that others would
    > commonly block all users from code downloads as a standard practice and
    > only allow code downloads from approved site....
    >
    > --
    >
    > Leythos



    Leythos,

    As I responded in a similar manner to Steve a few hours earlier it is not a
    case of even a range being made public. Microsoft reserve the right to
    alter the IP addresses for all public facing services as and when they see
    fit - publishing specific ranges would pose a threat to the stability of the
    service as this would be simply giving potential attacks a know set of
    ranges they can simple target for DOS or other forms of attack. I realize
    that it would be possible to work out the entire range that the various
    providers of service to Microsoft use and target these but there are many
    and it would make the attack surface potentially significantly larger and an
    attack even easier to detect etc.
    So in short Microsoft is unlikely to make available anything other then the
    public facing DNS name for their services.
    Maybe you should look at alternative approaches to this.
    Consider if you direct your clients to use an internal DNS server that is
    configured to only forward for name resolution (conditional forwarding) only
    names that meet certain criteria such as *.microsoft.com and your other
    white listed sites. This would allow only those sites to be then resolved
    by the DNS servers that you choose to use externally and thus accesses.
    I realize this does not prevent a direct access if someone knows an IP
    address to type into a URL but it is a start while you look at alternative
    strategies.
    If you use a proxy server at the edge of your network you will be able to
    log all access to URLs with in IP address in it and then take appropriate
    action against that member of staff etc..
    --

    Mike Brannigan

    "Leythos" <void@nowhere.lan> wrote in message
    news:MPG.2112eef792c3b8c4989844@adfree.Usenet.com...
    > In article <1CC1ABE2-E961-4560-B908-38E896689A22@microsoft.com>,
    > steve.riley@microsoft.com says...
    >> IP addresses are spoofable, so they are not appropriate for making
    >> security
    >> decisions. Only when you're using IPsec can you do this, because then the
    >> cryptographic signatures appended to the datagrams provide a mechanism
    >> for
    >> you to trust originating addresses.
    >>
    >> We purposefully change the IP addresses regularly to prevent various
    >> kinds
    >> of attacks.

    >
    > And as a normal measure of security we don't allow unrestricted access
    > to the net, we don't allow CAB, EXE, and a bunch of other files via HTTP
    > or SMTP. We only allow web access to partner sites and a few white-
    > listed sites, this keeps the network secure, along with many other
    > measures.
    >
    > I tend to enter subnets for the MS update sites, a /24 or a /28
    > depending on what I think the range will be, but never just a single IP
    > as I know the IP will change in that range.
    >
    > What would be nice, since we have never had a hacked customer, is if we
    > could have a list of IP ranges used by the different update providers. I
    > don't have a problem with MS changing them, but it sure would be nice to
    > know what they are so that we can get them in the system.
    >
    > As for WSUS - we still need to know what the update sites are, we don't
    > even allow the servers to get updates unless it's an approved
    > subnet/network.
    >
    > Since this is a "security" group, I would think that others would
    > commonly block all users from code downloads as a standard practice and
    > only allow code downloads from approved site....
    >
    > --
    >
    > Leythos
    > - Igitur qui desiderat pacem, praeparet bellum.
    > - Calling an illegal alien an "undocumented worker" is like calling a
    > drug dealer an "unlicensed pharmacist"
    > spam999free@rrohio.com (remove 999 for proper email address)



      My System SpecsSystem Spec

  9. #9


    Leythos Guest

    Re: It would be nice if MS could settingle on a single subnet for updates

    In article <C2303C6C-D54B-4B66-AB9F-08B4A4202F31@microsoft.com>,
    Mike.Brannigan@localhost says...
    > So in short Microsoft is unlikely to make available anything other then the
    > public facing DNS name for their services.
    > Maybe you should look at alternative approaches to this.
    > Consider if you direct your clients to use an internal DNS server that is
    > configured to only forward for name resolution (conditional forwarding) only
    > names that meet certain criteria such as *.microsoft.com and your other
    > white listed sites. This would allow only those sites to be then resolved
    > by the DNS servers that you choose to use externally and thus accesses.
    > I realize this does not prevent a direct access if someone knows an IP
    > address to type into a URL but it is a start while you look at alternative
    > strategies.
    > If you use a proxy server at the edge of your network you will be able to
    > log all access to URLs with in IP address in it and then take appropriate
    > action against that member of staff etc..


    Mike, Steve,

    And there lies the problem for security. We already see the rejected
    connections and their names and even the full file path/name, and yes,
    it's easy to add them into the approved list.

    This should be a problem for all users I would think. Where they block
    the downloading of code by their users, completely, but want to allow MS
    Updates to the servers and workstations. In the case of the firewalls we
    have used, most of them on the market, there is no simple means to white
    list your update sites as they keep changing. Yes, we could install a
    proxy server, but that really seems like a waste when the only place we
    have a problem with is MS.

    I understand your reasons, but it's a catch 22, move your stuff around
    to limit your exposure or force customers to either purchase more
    hardware or to allow code to be downloaded from unknown sites.

    I'll stick with watching for the Windows Update failures in the logs and
    manually adding the networks as needed - at least this way our networks
    remain secure.

    --

    Leythos
    - Igitur qui desiderat pacem, praeparet bellum.
    - Calling an illegal alien an "undocumented worker" is like calling a
    drug dealer an "unlicensed pharmacist"
    spam999free@rrohio.com (remove 999 for proper email address)

      My System SpecsSystem Spec

  10. #10


    Kerry Brown Guest

    Re: It would be nice if MS could settingle on a single subnet for updates

    "Leythos" <void@nowhere.lan> wrote in message
    news:MPG.2113c25bdf4c48db98984e@adfree.Usenet.com...
    > In article <C2303C6C-D54B-4B66-AB9F-08B4A4202F31@microsoft.com>,
    > Mike.Brannigan@localhost says...
    >> So in short Microsoft is unlikely to make available anything other then
    >> the
    >> public facing DNS name for their services.
    >> Maybe you should look at alternative approaches to this.
    >> Consider if you direct your clients to use an internal DNS server that is
    >> configured to only forward for name resolution (conditional forwarding)
    >> only
    >> names that meet certain criteria such as *.microsoft.com and your other
    >> white listed sites. This would allow only those sites to be then
    >> resolved
    >> by the DNS servers that you choose to use externally and thus accesses.
    >> I realize this does not prevent a direct access if someone knows an IP
    >> address to type into a URL but it is a start while you look at
    >> alternative
    >> strategies.
    >> If you use a proxy server at the edge of your network you will be able to
    >> log all access to URLs with in IP address in it and then take appropriate
    >> action against that member of staff etc..

    >
    > Mike, Steve,
    >
    > And there lies the problem for security. We already see the rejected
    > connections and their names and even the full file path/name, and yes,
    > it's easy to add them into the approved list.
    >
    > This should be a problem for all users I would think. Where they block
    > the downloading of code by their users, completely, but want to allow MS
    > Updates to the servers and workstations. In the case of the firewalls we
    > have used, most of them on the market, there is no simple means to white
    > list your update sites as they keep changing. Yes, we could install a
    > proxy server, but that really seems like a waste when the only place we
    > have a problem with is MS.
    >
    > I understand your reasons, but it's a catch 22, move your stuff around
    > to limit your exposure or force customers to either purchase more
    > hardware or to allow code to be downloaded from unknown sites.
    >
    > I'll stick with watching for the Windows Update failures in the logs and
    > manually adding the networks as needed - at least this way our networks
    > remain secure.
    >



    Use WSUS and only allow the WSUS server to download updates.

    --
    Kerry Brown
    Microsoft MVP - Shell/User
    http://www.vistahelp.ca



      My System SpecsSystem Spec

Page 1 of 3 123 LastLast
It would be nice if MS could settingle on a single subnet for updates problems?

Similar Threads
Thread Thread Starter Forum Replies Last Post
Virtual PC on a different subnet? Virtual Server 3 19 Feb 2010
If connected to subnet xxx.xxx.xxx.xxx then.... Jake VB Script 0 15 Feb 2010
Job posting points to single-click Windows Mobile updates Slimy Vista News 0 14 Apr 2009
Script to run only on a given subnet Glenn VB Script 4 09 Feb 2009
Create a subnet in AD BZP PowerShell 15 15 Sep 2007