Vista - It would be nice if MS could settingle on a single subnet for updates

Started playing with Vista again and had to add 5 different subnet
ranges in the firewall in order to get Vista updates, so, considering
Win XP, Office XP, 2003, 2007, Vista, Servers, etc.. I have about 15
sets of subnets (ranges) needed to allow CAB/EXE and other content from.

MS, Please pick on /24 range and use it for all of your update sites.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

In message <MPG.2111cf00343ea0e1989831@adfree.Usenet.com> Leythos
<void@nowhere.lan> wrote:

>Started playing with Vista again and had to add 5 different subnet
>ranges in the firewall in order to get Vista updates, so, considering
>Win XP, Office XP, 2003, 2007, Vista, Servers, etc.. I have about 15
>sets of subnets (ranges) needed to allow CAB/EXE and other content from.
>
>MS, Please pick on /24 range and use it for all of your update sites.

Perhaps you should use a larger CIDR range then a /24?

--
If quitters never win, and winners never quit,
what fool came up with, "Quit while you're ahead"?

In article <ld2ga3dbln975na5c46gogpoc0sd9vgfot@4ax.com>,
spam_narf_spam@crazyhat.net says...
> In message <MPG.2111cf00343ea0e1989831@adfree.Usenet.com> Leythos
> <void@nowhere.lan> wrote:
>
> >Started playing with Vista again and had to add 5 different subnet
> >ranges in the firewall in order to get Vista updates, so, considering
> >Win XP, Office XP, 2003, 2007, Vista, Servers, etc.. I have about 15
> >sets of subnets (ranges) needed to allow CAB/EXE and other content from.
> >
> >MS, Please pick on /24 range and use it for all of your update sites.
>
> Perhaps you should use a larger CIDR range then a /24?

I could, but there is no clear sign from MS as to what IP's they are
using. In many cases the same company that provides their downloads also
provides other companies downloads in the same block.

So, maybe MS should pick one subnet, since they can't possibly need more
than a /24 to provide updates, and publish it for us network admins?

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

"Leythos" <void@nowhere.lan> wrote in message
news:MPG.21126ba36448e41798983d@adfree.Usenet.com...
> In article <ld2ga3dbln975na5c46gogpoc0sd9vgfot@4ax.com>,
> spam_narf_spam@crazyhat.net says...
>> In message <MPG.2111cf00343ea0e1989831@adfree.Usenet.com> Leythos
>> <void@nowhere.lan> wrote:
>>
>> >Started playing with Vista again and had to add 5 different subnet
>> >ranges in the firewall in order to get Vista updates, so, considering
>> >Win XP, Office XP, 2003, 2007, Vista, Servers, etc.. I have about 15
>> >sets of subnets (ranges) needed to allow CAB/EXE and other content from.
>> >
>> >MS, Please pick on /24 range and use it for all of your update sites.
>>
>> Perhaps you should use a larger CIDR range then a /24?
>
> I could, but there is no clear sign from MS as to what IP's they are
> using. In many cases the same company that provides their downloads also
> provides other companies downloads in the same block.
>
> So, maybe MS should pick one subnet, since they can't possibly need more
> than a /24 to provide updates, and publish it for us network admins?
>
> --

You should not be using specific addresses to access any Microsoft service -
be that activation, downloads etc.
Microsoft operates a number of layers of protection against various forms of
Internet based attack that include the rapid changing of IP addresses for
key services.
If you try and use specific addresses there is no guarantee that these will
remain valid for any period of time.
Maybe you need to reconsider your firewall and blocking strategy some more
and use either better tools or an alternative strategy for controlling
access from your network to external services.
(Blocking IP ranges is not a via solution longterm)

--

Mike Brannigan
"Leythos" <void@nowhere.lan> wrote in message
news:MPG.21126ba36448e41798983d@adfree.Usenet.com...
> In article <ld2ga3dbln975na5c46gogpoc0sd9vgfot@4ax.com>,
> spam_narf_spam@crazyhat.net says...
>> In message <MPG.2111cf00343ea0e1989831@adfree.Usenet.com> Leythos
>> <void@nowhere.lan> wrote:
>>
>> >Started playing with Vista again and had to add 5 different subnet
>> >ranges in the firewall in order to get Vista updates, so, considering
>> >Win XP, Office XP, 2003, 2007, Vista, Servers, etc.. I have about 15
>> >sets of subnets (ranges) needed to allow CAB/EXE and other content from.
>> >
>> >MS, Please pick on /24 range and use it for all of your update sites.
>>
>> Perhaps you should use a larger CIDR range then a /24?
>
> I could, but there is no clear sign from MS as to what IP's they are
> using. In many cases the same company that provides their downloads also
> provides other companies downloads in the same block.
>
> So, maybe MS should pick one subnet, since they can't possibly need more
> than a /24 to provide updates, and publish it for us network admins?
>
> --
>
> Leythos
> - Igitur qui desiderat pacem, praeparet bellum.
> - Calling an illegal alien an "undocumented worker" is like calling a
> drug dealer an "unlicensed pharmacist"
> spam999free@rrohio.com (remove 999 for proper email address)

In message <MPG.21126ba36448e41798983d@adfree.Usenet.com> Leythos
<void@nowhere.lan> wrote:

>In article <ld2ga3dbln975na5c46gogpoc0sd9vgfot@4ax.com>,
>spam_narf_spam@crazyhat.net says...
>> In message <MPG.2111cf00343ea0e1989831@adfree.Usenet.com> Leythos
>> <void@nowhere.lan> wrote:
>>
>> >Started playing with Vista again and had to add 5 different subnet
>> >ranges in the firewall in order to get Vista updates, so, considering
>> >Win XP, Office XP, 2003, 2007, Vista, Servers, etc.. I have about 15
>> >sets of subnets (ranges) needed to allow CAB/EXE and other content from.
>> >
>> >MS, Please pick on /24 range and use it for all of your update sites.
>>
>> Perhaps you should use a larger CIDR range then a /24?
>
>I could, but there is no clear sign from MS as to what IP's they are
>using. In many cases the same company that provides their downloads also
>provides other companies downloads in the same block.

Ahh, true enough.

>So, maybe MS should pick one subnet, since they can't possibly need more
>than a /24 to provide updates, and publish it for us network admins?

Perhaps a WSUS server would be more to your needs?

--
If quitters never win, and winners never quit,
what fool came up with, "Quit while you're ahead"?

IP addresses are spoofable, so they are not appropriate for making security
decisions. Only when you're using IPsec can you do this, because then the
cryptographic signatures appended to the datagrams provide a mechanism for
you to trust originating addresses.

We purposefully change the IP addresses regularly to prevent various kinds
of attacks.

Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley


"Leythos" <void@nowhere.lan> wrote in message
news:MPG.2111cf00343ea0e1989831@adfree.Usenet.com...
> Started playing with Vista again and had to add 5 different subnet
> ranges in the firewall in order to get Vista updates, so, considering
> Win XP, Office XP, 2003, 2007, Vista, Servers, etc.. I have about 15
> sets of subnets (ranges) needed to allow CAB/EXE and other content from.
>
> MS, Please pick on /24 range and use it for all of your update sites.
>
> --
>
> Leythos
> - Igitur qui desiderat pacem, praeparet bellum.
> - Calling an illegal alien an "undocumented worker" is like calling a
> drug dealer an "unlicensed pharmacist"
> spam999free@rrohio.com (remove 999 for proper email address)

In article <1CC1ABE2-E961-4560-B908-38E896689A22@microsoft.com>,
steve.riley@microsoft.com says...
> IP addresses are spoofable, so they are not appropriate for making security
> decisions. Only when you're using IPsec can you do this, because then the
> cryptographic signatures appended to the datagrams provide a mechanism for
> you to trust originating addresses.
>
> We purposefully change the IP addresses regularly to prevent various kinds
> of attacks.

And as a normal measure of security we don't allow unrestricted access
to the net, we don't allow CAB, EXE, and a bunch of other files via HTTP
or SMTP. We only allow web access to partner sites and a few white-
listed sites, this keeps the network secure, along with many other
measures.

I tend to enter subnets for the MS update sites, a /24 or a /28
depending on what I think the range will be, but never just a single IP
as I know the IP will change in that range.

What would be nice, since we have never had a hacked customer, is if we
could have a list of IP ranges used by the different update providers. I
don't have a problem with MS changing them, but it sure would be nice to
know what they are so that we can get them in the system.

As for WSUS - we still need to know what the update sites are, we don't
even allow the servers to get updates unless it's an approved
subnet/network.

Since this is a "security" group, I would think that others would
commonly block all users from code downloads as a standard practice and
only allow code downloads from approved site....

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

"Leythos" <void@nowhere.lan> wrote in message
news:MPG.2112eef792c3b8c4989844@adfree.Usenet.com...
> In article <1CC1ABE2-E961-4560-B908-38E896689A22@microsoft.com>,
> steve.riley@microsoft.com says...
>> IP addresses are spoofable, so they are not appropriate for making
>> security
>> decisions. Only when you're using IPsec can you do this, because then the
>> cryptographic signatures appended to the datagrams provide a mechanism
>> for
>> you to trust originating addresses.
>>
>> We purposefully change the IP addresses regularly to prevent various
>> kinds
>> of attacks.
>
> And as a normal measure of security we don't allow unrestricted access
> to the net, we don't allow CAB, EXE, and a bunch of other files via HTTP
> or SMTP. We only allow web access to partner sites and a few white-
> listed sites, this keeps the network secure, along with many other
> measures.
>
> I tend to enter subnets for the MS update sites, a /24 or a /28
> depending on what I think the range will be, but never just a single IP
> as I know the IP will change in that range.
>
> What would be nice, since we have never had a hacked customer, is if we
> could have a list of IP ranges used by the different update providers. I
> don't have a problem with MS changing them, but it sure would be nice to
> know what they are so that we can get them in the system.
>
> As for WSUS - we still need to know what the update sites are, we don't
> even allow the servers to get updates unless it's an approved
> subnet/network.
>
> Since this is a "security" group, I would think that others would
> commonly block all users from code downloads as a standard practice and
> only allow code downloads from approved site....
>
> --
>
> Leythos


Leythos,

As I responded in a similar manner to Steve a few hours earlier it is not a
case of even a range being made public. Microsoft reserve the right to
alter the IP addresses for all public facing services as and when they see
fit - publishing specific ranges would pose a threat to the stability of the
service as this would be simply giving potential attacks a know set of
ranges they can simple target for DOS or other forms of attack. I realize
that it would be possible to work out the entire range that the various
providers of service to Microsoft use and target these but there are many
and it would make the attack surface potentially significantly larger and an
attack even easier to detect etc.
So in short Microsoft is unlikely to make available anything other then the
public facing DNS name for their services.
Maybe you should look at alternative approaches to this.
Consider if you direct your clients to use an internal DNS server that is
configured to only forward for name resolution (conditional forwarding) only
names that meet certain criteria such as *.microsoft.com and your other
white listed sites. This would allow only those sites to be then resolved
by the DNS servers that you choose to use externally and thus accesses.
I realize this does not prevent a direct access if someone knows an IP
address to type into a URL but it is a start while you look at alternative
strategies.
If you use a proxy server at the edge of your network you will be able to
log all access to URLs with in IP address in it and then take appropriate
action against that member of staff etc..
--

Mike Brannigan

"Leythos" <void@nowhere.lan> wrote in message
news:MPG.2112eef792c3b8c4989844@adfree.Usenet.com...
> In article <1CC1ABE2-E961-4560-B908-38E896689A22@microsoft.com>,
> steve.riley@microsoft.com says...
>> IP addresses are spoofable, so they are not appropriate for making
>> security
>> decisions. Only when you're using IPsec can you do this, because then the
>> cryptographic signatures appended to the datagrams provide a mechanism
>> for
>> you to trust originating addresses.
>>
>> We purposefully change the IP addresses regularly to prevent various
>> kinds
>> of attacks.
>
> And as a normal measure of security we don't allow unrestricted access
> to the net, we don't allow CAB, EXE, and a bunch of other files via HTTP
> or SMTP. We only allow web access to partner sites and a few white-
> listed sites, this keeps the network secure, along with many other
> measures.
>
> I tend to enter subnets for the MS update sites, a /24 or a /28
> depending on what I think the range will be, but never just a single IP
> as I know the IP will change in that range.
>
> What would be nice, since we have never had a hacked customer, is if we
> could have a list of IP ranges used by the different update providers. I
> don't have a problem with MS changing them, but it sure would be nice to
> know what they are so that we can get them in the system.
>
> As for WSUS - we still need to know what the update sites are, we don't
> even allow the servers to get updates unless it's an approved
> subnet/network.
>
> Since this is a "security" group, I would think that others would
> commonly block all users from code downloads as a standard practice and
> only allow code downloads from approved site....
>
> --
>
> Leythos
> - Igitur qui desiderat pacem, praeparet bellum.
> - Calling an illegal alien an "undocumented worker" is like calling a
> drug dealer an "unlicensed pharmacist"
> spam999free@rrohio.com (remove 999 for proper email address)

In article <C2303C6C-D54B-4B66-AB9F-08B4A4202F31@microsoft.com>,
Mike.Brannigan@localhost says...
> So in short Microsoft is unlikely to make available anything other then the
> public facing DNS name for their services.
> Maybe you should look at alternative approaches to this.
> Consider if you direct your clients to use an internal DNS server that is
> configured to only forward for name resolution (conditional forwarding) only
> names that meet certain criteria such as *.microsoft.com and your other
> white listed sites. This would allow only those sites to be then resolved
> by the DNS servers that you choose to use externally and thus accesses.
> I realize this does not prevent a direct access if someone knows an IP
> address to type into a URL but it is a start while you look at alternative
> strategies.
> If you use a proxy server at the edge of your network you will be able to
> log all access to URLs with in IP address in it and then take appropriate
> action against that member of staff etc..

Mike, Steve,

And there lies the problem for security. We already see the rejected
connections and their names and even the full file path/name, and yes,
it's easy to add them into the approved list.

This should be a problem for all users I would think. Where they block
the downloading of code by their users, completely, but want to allow MS
Updates to the servers and workstations. In the case of the firewalls we
have used, most of them on the market, there is no simple means to white
list your update sites as they keep changing. Yes, we could install a
proxy server, but that really seems like a waste when the only place we
have a problem with is MS.

I understand your reasons, but it's a catch 22, move your stuff around
to limit your exposure or force customers to either purchase more
hardware or to allow code to be downloaded from unknown sites.

I'll stick with watching for the Windows Update failures in the logs and
manually adding the networks as needed - at least this way our networks
remain secure.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

"Leythos" <void@nowhere.lan> wrote in message
news:MPG.2113c25bdf4c48db98984e@adfree.Usenet.com...
> In article <C2303C6C-D54B-4B66-AB9F-08B4A4202F31@microsoft.com>,
> Mike.Brannigan@localhost says...
>> So in short Microsoft is unlikely to make available anything other then
>> the
>> public facing DNS name for their services.
>> Maybe you should look at alternative approaches to this.
>> Consider if you direct your clients to use an internal DNS server that is
>> configured to only forward for name resolution (conditional forwarding)
>> only
>> names that meet certain criteria such as *.microsoft.com and your other
>> white listed sites. This would allow only those sites to be then
>> resolved
>> by the DNS servers that you choose to use externally and thus accesses.
>> I realize this does not prevent a direct access if someone knows an IP
>> address to type into a URL but it is a start while you look at
>> alternative
>> strategies.
>> If you use a proxy server at the edge of your network you will be able to
>> log all access to URLs with in IP address in it and then take appropriate
>> action against that member of staff etc..
>
> Mike, Steve,
>
> And there lies the problem for security. We already see the rejected
> connections and their names and even the full file path/name, and yes,
> it's easy to add them into the approved list.
>
> This should be a problem for all users I would think. Where they block
> the downloading of code by their users, completely, but want to allow MS
> Updates to the servers and workstations. In the case of the firewalls we
> have used, most of them on the market, there is no simple means to white
> list your update sites as they keep changing. Yes, we could install a
> proxy server, but that really seems like a waste when the only place we
> have a problem with is MS.
>
> I understand your reasons, but it's a catch 22, move your stuff around
> to limit your exposure or force customers to either purchase more
> hardware or to allow code to be downloaded from unknown sites.
>
> I'll stick with watching for the Windows Update failures in the logs and
> manually adding the networks as needed - at least this way our networks
> remain secure.
>


Use WSUS and only allow the WSUS server to download updates.

--
Kerry Brown
Microsoft MVP - Shell/User
http://www.vistahelp.ca