Automatic Updates security concern

rusga

Hi,

Is there any way of setting the AU repository so it never uses https (tcp
443) and only uses http (tcp 80)?
Or, it uses only admin allowed update servers?

This might be a bit strange, but on a highly security strict LAN with
content filtering proxy (as in this case), this imposes a security risk
since https doesn't permit content parsing. Meaning that tcp 443 rules
*must* be set at the routers/firewalls and so, default configured http
clients (browsers on out-of-the box installs for instance) end up rendering
content that they weren't supposed to.

Thank you,
rusga
 
Roger Abell [MVP]

If you run WSUS then you can use group policy to configure
your machines' autoupdate client to use only your WSUS
servers. If those servers are not configured to support SSL
on tcp 443 then the update clients will be forced to use tcp
80 (in policy you would point them to http://yourWsus not
to https://yourWsus)

"rusga" <only@newsgroup> wrote in message
news:ODi76aqMIHA.6060@TK2MSFTNGP05.phx.gbl...
> Hi,
>
> Is there any way of setting the AU repository so it never uses https (tcp
> 443) and only uses http (tcp 80)?
> Or, it uses only admin allowed update servers?
>
> This might be a bit strange, but on a highly security strict LAN with
> content filtering proxy (as in this case), this imposes a security risk
> since https doesn't permit content parsing. Meaning that tcp 443 rules
> *must* be set at the routers/firewalls and so, default configured http
> clients (browsers on out-of-the box installs for instance) end up
> rendering
> content that they weren't supposed to.
>
> Thank you,
> rusga
>
>
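The group policy setting Roger refers to writes the Windows Update policy values shown below; as an added example (not from his post), here is a PowerShell snippet that sets them for a plain http server and refuses the configuration if the URL is https or not on an admin-approved list. The host name wsus.corp.example and the allowed-host list are assumptions.

```powershell
# Added example, not from the thread. Writes the registry values that the
# "Specify intranet Microsoft update service location" policy controls.
# wsus.corp.example is a placeholder server name, not a real host.
$WsusUrl = 'http://wsus.corp.example'   # plain HTTP on tcp 80, as Roger advises

$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au     = Join-Path $policy 'AU'

function Test-WsusUrl {
    param([string]$Url, [string[]]$AllowedHosts)
    $uri = [Uri]$Url
    # Refuse https: on this LAN the filtering proxy must be able to parse content.
    if ($uri.Scheme -ne 'http') { return $false }
    # Accept only admin-approved servers, the second thing rusga asked for.
    return $AllowedHosts -contains $uri.Host
}

if (-not (Test-WsusUrl -Url $WsusUrl -AllowedHosts @('wsus.corp.example'))) {
    throw "Refusing to configure update source $WsusUrl"
}

New-Item -Path $au -Force | Out-Null
# Where the client downloads updates from and where it reports status to.
Set-ItemProperty -Path $policy -Name WUServer       -Value $WsusUrl -Type String
Set-ItemProperty -Path $policy -Name WUStatusServer -Value $WsusUrl -Type String
# 1 = use the intranet server above instead of Microsoft Update.
Set-ItemProperty -Path $au     -Name UseWUServer    -Value 1 -Type DWord

# Read the values back so the admin can confirm what the client will use.
Get-ItemProperty -Path $policy | Select-Object WUServer, WUStatusServer
```

Run it elevated; a domain GPO with the same setting will overwrite these values at the next policy refresh, so in a domain the GPO is the place to make the change.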
 
rusga

Roger, sorry for the lag and thanks for the reply.

Had to find time to read about what a WSUS server is -)

Is that the only way to do it? No registry hacks?

Seems a bit of an administrative overload and target prone for poisoning a
whole LAN.

Also, isn't that a way of bypassing MS's responsibility on clean update
sources?

Thank you,
rusga

"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:O0$9tnyMIHA.4880@TK2MSFTNGP03.phx.gbl...
> If you run WSUS then you can use group policy to configure
> your machines' autoupdate client to use only your WSUS
> servers. If those servers are not configured to support SSL
> on tcp 443 then the update clients will be forced to use tcp
> 80 (in policy you would point them to http://yourWsus not
> to https://yourWsus)
>
> "rusga" <only@newsgroup> wrote in message
> news:ODi76aqMIHA.6060@TK2MSFTNGP05.phx.gbl...
> > Hi,
> >
> > Is there any way of setting the AU repository so it never uses https (tcp
> > 443) and only uses http (tcp 80)?
> > Or, it uses only admin allowed update servers?
> >
> > This might be a bit strange, but on a highly security strict LAN with
> > content filtering proxy (as in this case), this imposes a security risk
> > since https doesn't permit content parsing. Meaning that tcp 443 rules
> > *must* be set at the routers/firewalls and so, default configured http
> > clients (browsers on out-of-the box installs for instance) end up
> > rendering
> > content that they weren't supposed to.
> >
> > Thank you,
> > rusga
> >
> >
>
>
 