[unisog] WindowsUpdate hole (was MS04-007/011 scanner)
JAzze at mail.fairfield.edu
Thu May 6 12:40:20 GMT 2004
> -----Original Message-----
> From: Clarke Morledge [mailto:chmorl at wm.edu]
> Sent: Tuesday, May 04, 2004 11:31 PM
> To: UNIversity Security Operations Group
> Subject: Re: [unisog] WindowsUpdate hole (was MS04-007/011 scanner)
> On 4 May 2004, Daniel Bidwell wrote:
> > Does anyone have a netreg dns configuration that will let
> > work? I would like to allow windowsupdate to work from the
> > zone.
> I really don't know how netreg could be made to work with this, but I
> know the general problem involved with WindowsUpdate. This is a lengthy
> response :-(, but this is a complicated problem. However, I give it
> because I'd LOVE to hear about anyone who has come up with a good
> solution (I'm stuck right now)!
I'm not sure whether you guys are using CMU's NetReg or Southwestern's,
but we've also been struggling with allowing Windows Update (and access
to Symantec's site) while blocking everything else. We have a fairly
crude, but functional, system set up using conditional DNS forwarding on
a Windows 2003 box. (I believe this is known as "selective forwarding"
in the BIND world. Windows 2000 DNS does not have this feature.)
Quarantined systems are given the conditional forwarder as their DNS
server. This box tests the quarantined systems' DNS queries against a
list of domains (which we spent a long time tweaking):
If the quarantined system's query is for a host that lives in one of the
listed namespaces, the query is passed on to one of our "real" DNS
servers. If the quarantined system is asking about any other namespace,
the query gets forwarded to our "broken" DNS server, and the user ends
up at our redirect web page.
I'm sure you can think of obvious holes in this system, but it works for
the majority of our quarantined users.
Network Support Specialist
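The setup described above, as an added example that is not part of the original post or of any NetReg code: a small Python model of the quarantine forwarder's decision. It pulls the question name out of a raw DNS query, checks it against an allowlist of namespaces on label boundaries, and picks either the "real" or the "broken" upstream resolver. The allowlist entries, the resolver addresses (TEST-NET-1 addresses) and the sample queries are constructed assumptions, not the poster's actual list or servers.

```python
"""Conditional DNS forwarder for a quarantine zone (added example, not the original post's code).

Queries for hosts inside a listed namespace go to the real resolver; every
other query goes to a "broken" resolver that answers with the redirect page.
"""
import socket
import struct

# Constructed allowlist (assumption, not the poster's real list). Entries are
# suffixes matched on label boundaries, so "evilwindowsupdate.com" does NOT
# match "windowsupdate.com".
ALLOWED_SUFFIXES = (
    "windowsupdate.com",
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
    "symantec.com",
    "symantecliveupdate.com",
)

REAL_DNS = ("192.0.2.53", 53)    # assumed address of a "real" resolver
BROKEN_DNS = ("192.0.2.99", 53)  # assumed address of the "broken" resolver


def normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so comparisons are canonical."""
    return name.rstrip(".").lower()


def is_allowed(qname: str) -> bool:
    """True if qname equals, or is a subdomain of, a listed namespace."""
    name = normalize(qname)
    for suffix in ALLOWED_SUFFIXES:
        suffix = normalize(suffix)
        if name == suffix or name.endswith("." + suffix):
            return True
    return False


def upstream_for(qname: str):
    """Pick the upstream resolver for a query name."""
    return REAL_DNS if is_allowed(qname) else BROKEN_DNS


def parse_qname(packet: bytes) -> str:
    """Extract the first question name from an RFC 1035 wire-format query.

    Only the plain label sequence used in queries is accepted; a compression
    pointer (top two bits set) in the question is rejected as malformed.
    """
    if len(packet) < 12:
        raise ValueError("packet shorter than DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        pos += 1
        if pos + length > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a minimal A/IN query; used here only to construct sample traffic."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    question = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in normalize(qname).split(".")
    ) + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def route(packet: bytes):
    """Decide where a raw query from a quarantined host is forwarded."""
    return upstream_for(parse_qname(packet))


def serve(listen=("0.0.0.0", 5353), timeout=3.0):
    """Relay each query to the chosen upstream and hand its reply back unchanged."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(listen)
    while True:
        query, client = srv.recvfrom(512)
        try:
            upstream = route(query)
        except ValueError:
            continue  # malformed query: drop it rather than guess a destination
        up = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        up.settimeout(timeout)
        try:
            up.sendto(query, upstream)
            reply, _ = up.recvfrom(4096)  # upstream keeps the transaction ID, so relay as-is
            srv.sendto(reply, client)
        except socket.timeout:
            pass
        finally:
            up.close()


if __name__ == "__main__":
    serve()
```

The label-boundary check in `is_allowed` is the part worth copying into any real allowlist: a plain substring or `endswith` test on the bare suffix would also pass names that merely end in the same characters. The forwarding loop relays the upstream reply without touching it because the upstream preserves the client's transaction ID.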