[unisog] WindowsUpdate hole (was MS04-007/011 scanner)

Azze, Jason JAzze at mail.fairfield.edu
Thu May 6 12:40:20 GMT 2004


> -----Original Message-----
> From: Clarke Morledge [mailto:chmorl at wm.edu] 
> Sent: Tuesday, May 04, 2004 11:31 PM
> To: UNIversity Security Operations Group
> Subject: Re: [unisog] WindowsUpdate hole (was MS04-007/011 scanner)
> 
> On 4 May 2004, Daniel Bidwell wrote:
> 
> > Does anyone have a netreg dns configuration that will let windowsupdate
> > work?  I would like to allow windowsupdate to work from the registration
> > zone.
> 
> Daniel,
> 
> I really don't know how netreg could be made to work with this, but I know
> the general problem involved with WindowsUpdate.  This is a lengthy
> response :-(, but this is a complicated problem.  However, I give it
> because I'd LOVE to hear about anyone who has come up with a good solution
> (I'm stuck right now)!
[snip]

I'm not sure whether you guys are using CMU's NetReg or Southwestern's,
but we've also been struggling with allowing Windows Update (and access
to Symantec's site) while blocking everything else. We have a fairly
crude, but functional, system set up using conditional DNS forwarding on
a Windows 2003 box. (I believe this is known as "selective forwarding"
in the BIND world. Windows 2000 DNS does not have this feature.)

Quarantined systems are given the conditional forwarder as their DNS
server. This box tests the quarantined systems' DNS queries against a
list of domains (which we spent a long time tweaking):

akadns.com
akadns.net
akamai.com
akamai.net
download.windowsupdate.com
microsoft.com
msft.com
msft.net
nsatc.com
nsatc.net
ntservicepack.microsoft.com
symantec.com
windows.com
windows.net
windowsupdate.com
windowsupdate.microsoft.com
windowsupdate.net
wustat.windows.com

If the quarantined system's query is for a host that lives in one of the
listed namespaces, the query is passed on to one of our "real" DNS
servers. If the quarantined system is asking about any other namespace,
the query gets forwarded to our "broken" DNS server, and the user ends
up at our redirect web page.

I'm sure you can think of obvious holes in this system, but it works for
the majority of our quarantined users.

Best,
Jason

-- 
Jason Azze
Network Support Specialist
Fairfield University
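The forwarding decision described in the post above, worked through in Python as an added example (it is not code from the post, from Fairfield University, or from any NetReg distribution). It models the conditional forwarder: a query name is matched against the allowlisted namespaces and routed to the "real" resolver on a hit, otherwise to the "broken" resolver. The resolver addresses are constructed placeholders. Matching is done at label boundaries so that a lookalike name such as "notmicrosoft.com" is not mistaken for "microsoft.com", trailing dots and case are normalised, and a helper reports list entries already covered by a shorter entry (the post's list carries several, which is harmless but worth knowing when tweaking it).

```python
"""Allowlist-based DNS forwarding decision for a quarantine zone.

Added example, not code from the unisog post. It reproduces the split
described there: names inside an allowlisted namespace go to the campus
"real" resolver, everything else to a "broken" resolver whose answers land
the user on the redirect web page.
"""

# Constructed placeholder addresses (RFC 5737 documentation range).
REAL_DNS = "192.0.2.53"    # the campus resolver that answers honestly
BROKEN_DNS = "192.0.2.54"  # the resolver that redirects to the quarantine page

# The namespace list quoted in the post.
ALLOWED_DOMAINS = (
    "akadns.com", "akadns.net", "akamai.com", "akamai.net",
    "download.windowsupdate.com", "microsoft.com", "msft.com", "msft.net",
    "nsatc.com", "nsatc.net", "ntservicepack.microsoft.com", "symantec.com",
    "windows.com", "windows.net", "windowsupdate.com",
    "windowsupdate.microsoft.com", "windowsupdate.net", "wustat.windows.com",
)


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot, if any."""
    return name.strip().rstrip(".").lower()


def in_namespace(qname, domain):
    """True if qname equals domain or is a subdomain of it.

    The ".".join check enforces a label boundary, so "notmicrosoft.com"
    does not match "microsoft.com" even though it ends with the same text.
    """
    q, d = normalize(qname), normalize(domain)
    return q == d or q.endswith("." + d)


def in_allowed_namespace(qname, allowed=ALLOWED_DOMAINS):
    """True if the queried name falls under any allowlisted namespace."""
    return any(in_namespace(qname, d) for d in allowed)


def choose_forwarder(qname, allowed=ALLOWED_DOMAINS):
    """Return the resolver address a quarantined client's query is sent to."""
    return REAL_DNS if in_allowed_namespace(qname, allowed) else BROKEN_DNS


def route_queries(qnames, allowed=ALLOWED_DOMAINS):
    """Map each queried name to the forwarder it would be handed to."""
    return {q: choose_forwarder(q, allowed) for q in qnames}


def redundant_entries(allowed=ALLOWED_DOMAINS):
    """Entries already covered by a shorter entry in the same list.

    Such entries change nothing about the decision; listing them only
    makes the allowlist longer to audit.
    """
    return {
        e for e in allowed
        if any(e != d and in_namespace(e, d) for d in allowed)
    }


if __name__ == "__main__":
    # Constructed sample queries from a quarantined host.
    sample = [
        "download.windowsupdate.com",
        "WINDOWSUPDATE.MICROSOFT.COM.",   # upper case, trailing root dot
        "liveupdate.symantec.com",
        "notmicrosoft.com",               # lookalike, must be refused
        "www.example.edu",
    ]
    for name, resolver in route_queries(sample).items():
        print(f"{name:32} -> {resolver}")
    print("redundant allowlist entries:", sorted(redundant_entries()))
```

The label-boundary check is the part most often gotten wrong when this logic is written as a plain string suffix match; a forwarder that only checks `endswith("microsoft.com")` would also pass names in unrelated zones that merely end with those characters. Note, as the post itself concedes, that the decision is made on the queried name alone, so the real resolver's answer (including where a CNAME leads) is never inspected by this layer.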
