[unisog] WindowsUpdate hole (was MS04-007/011 scanner)

Norman Elton wnelto at net.wm.edu
Wed May 5 20:57:40 GMT 2004

This is the approach we're taking. It's all "in development", but it 
seems to work. Here's how we're allowing people to get Windows Update...

DHCP hands out a lease with a gateway that points to a Linux box router.

The router allows DNS queries to pass through to our campus DNS server. 
This way, when you contact "www.google.com", the name resolves to the 
correct Google IP address.

The router redirects all web traffic to the local Squid process. Squid 
is configured to run transparently, so it analyzes everything "inline". 
It doesn't cache anything. An external program (SquidGuard) works with 
Squid to scrape the incoming requests, and redirect any 
non-windows-update traffic to a local webpage.

This approach works, since Squid/SquidGuard filters based on the HTTP 
request hostname rather than the IP address, or even DNS hostname. For 
the moment, we're allowing traffic to *.microsoft.com and *.akamai.com. 
We'll experiment with these later.

One other gotcha... Once Windows Update gets going, it starts using 
HTTPS rather than HTTP. Unfortunately, HTTPS also encrypts the 
hostname, so SquidGuard can't figure it out. We're allowing the router 
to pass all HTTPS traffic uninterrupted.

I realize this is somewhat dense. Let me know if you have any questions,


Norman Elton
Information Technology - Network Engineering
College of William & Mary

On May 5, 2004, at 11:35 AM, Tom Laermans wrote:
> If you want to have proxying for all your workstations without even
> touching the clients it can be done with transparent proxying, squid
> supports this.
> Tom
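A minimal Squid redirector of the kind SquidGuard provides, added here as an example (it is not code from the post or from SquidGuard): it applies the post's *.microsoft.com / *.akamai.com allowlist to the hostname in the HTTP request and sends everything else to a local page. The quarantine URL is a constructed placeholder, and Python 3 is assumed.

```python
import sys
from urllib.parse import urlsplit

# Hostnames a quarantined client may reach: the two wildcards from the post.
ALLOWED_SUFFIXES = ("microsoft.com", "akamai.com")
# Constructed placeholder for the local "go run Windows Update" page.
REDIRECT_URL = "http://quarantine.example.edu/update.html"


def host_allowed(hostname: str) -> bool:
    """True if hostname is an allowed domain or a subdomain of one.
    Matching is on label boundaries, so 'evilmicrosoft.com' and
    'microsoft.com.attacker.net' are both rejected."""
    h = hostname.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in ALLOWED_SUFFIXES)


def decide(url: str) -> str:
    """Return the URL to send the client to instead, or '' to let it pass."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed URL (e.g. bad IPv6 literal): do not trust it
        return REDIRECT_URL
    # Only plain HTTP is filtered. A CONNECT tunnel reaches the helper as
    # "host:443" with no http scheme, so it is left alone, matching the
    # HTTPS pass-through described in the post.
    if parts.scheme != "http":
        return ""
    # .hostname drops any userinfo, so "http://x.microsoft.com@evil.net/"
    # is judged on evil.net, not on the decoy in front of the '@'.
    return "" if host_allowed(parts.hostname or "") else REDIRECT_URL


def handle_line(line: str) -> str:
    """Squid's classic redirector protocol (what SquidGuard speaks): one
    "URL client_ip/fqdn ident method" line per request, answered with a
    replacement URL or an empty line."""
    fields = line.split()
    return decide(fields[0]) if fields else ""


def main() -> None:
    # Squid keeps the helper running and feeds requests one per line.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```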
