Iptables – Allowing Windows Update Servers while blocking all other HTTP/HTTPS


I am building an iptables script for a router to block all traffic from and to the machines behind it, except a small set of hosts/ports (RDP incoming, DNS outgoing, …). HTTP and HTTPS are blocked.

Internet --- Router with iptables -+- Windows XP
                                   |
                                   +- Windows XP
                                   .
                                   .

Unfortunately with HTTP/S blocked the Windows Updates are failing. I want the Updates to be working and the surfing to be blocked. These are my thoughts:

  • Setting up a WSUS/Proxy -> Oversized I think, would like to spare another server
  • Getting a list of all Microsoft Update Servers -> Is there any?
  • Getting rid of the asterisks in the TechNet DNS name list somehow and allowing these hosts
  • Maybe a way to do the HTTP filtering with Windows Firewall and separate by service (Win XP SP3)?

Any other thoughts? Maybe someone has already solved this scenario? What would you recommend?

Thanks in advance

Best Answer

Christopher Wilson provided a pretty good list of URLs above.

I would add that WSUS may not be a big deal in the long run. You will most likely still have to define the router whitelist if the goal is to block internet access and surfing. However, one of the many reasons to implement WSUS is to minimize the impact on the internet connection by only downloading updates once, not to mention it gives you ultimate control over when and which updates to push to clients.

If you already have a database server lying around, adding WSUS to an existing box is not too bad and not too much overhead, depending on the number of clients you have.

My suggestion essentially is that you can utilize the list Chris provided to help build out your block policy but also improve your overall desktop maintenance capabilities all while reducing internet bandwidth requirements.

UPDATE: Microsoft URLs to Whitelist:

  • windowsupdate.microsoft.com
  • .update.microsoft.com
  • download.windowsupdate.com
  • redir.metaservices.microsoft.com
  • images.metaservices.microsoft.com
  • c.microsoft.com
  • www.download.windowsupdate.com
  • wustat.windows.com
  • crl.microsoft.com
  • sls.microsoft.com
  • productactivation.one.microsoft.com
  • ntservicepack.microsoft.com
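One way to turn the whitelist above into router rules, as an added example that is not part of the question or the answer: the script resolves each host at run time and emits iptables FORWARD rules that allow HTTP/HTTPS from the LAN only to those addresses and drop all other web traffic. It assumes the inside interface `LAN_IF`, the client network `LAN_NET`, and that the wildcard entry `.update.microsoft.com` is reduced to its apex name, since iptables cannot match DNS wildcards; any further subdomains have to be added as concrete names.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates iptables rules
# that permit outbound HTTP/HTTPS from the LAN only to the Windows Update
# hosts and drop every other web connection.
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed client network
LAN_IF="${LAN_IF:-eth1}"               # assumed inside interface

# Hosts from the answer's whitelist; the wildcard entry is listed as its
# apex name only (add concrete subdomains here if clients need them).
WU_HOSTS="windowsupdate.microsoft.com update.microsoft.com
download.windowsupdate.com redir.metaservices.microsoft.com
images.metaservices.microsoft.com c.microsoft.com
www.download.windowsupdate.com wustat.windows.com crl.microsoft.com
sls.microsoft.com productactivation.one.microsoft.com
ntservicepack.microsoft.com"

# Emit ACCEPT rules for one host. Arguments: hostname, then its IPv4 addresses.
wu_rules_for() {
    host="$1"; shift
    for ip in "$@"; do
        for port in 80 443; do
            printf 'iptables -A WU_ALLOW -i %s -s %s -d %s -p tcp --dport %s -m comment --comment "%s" -j ACCEPT\n' \
                "$LAN_IF" "$LAN_NET" "$ip" "$port" "$host"
        done
    done
}

# Resolve a hostname to its current IPv4 addresses, deduplicated.
resolve_v4() {
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# Build the full rule set: a dedicated chain (flushed on re-run so stale
# addresses disappear), ACCEPTs for each host, then a DROP for the rest.
build_rules() {
    echo 'iptables -N WU_ALLOW 2>/dev/null || iptables -F WU_ALLOW'
    for h in $WU_HOSTS; do
        ips=$(resolve_v4 "$h")
        [ -n "$ips" ] || { echo "# WARNING: $h did not resolve, skipped" >&2; continue; }
        wu_rules_for "$h" $ips
    done
    echo "iptables -A WU_ALLOW -i $LAN_IF -s $LAN_NET -p tcp -m multiport --dports 80,443 -j DROP"
    # Hook the chain into FORWARD only once, even when the script is re-run.
    echo 'iptables -C FORWARD -j WU_ALLOW 2>/dev/null || iptables -I FORWARD -j WU_ALLOW'
}

case "${1:-}" in
    --print) build_rules ;;          # review the rules first
    --apply) build_rules | sh ;;     # run as root on the router
    *) echo "usage: $0 --print | --apply" >&2 ;;
esac
```

Because the update hosts sit on CDNs whose addresses change, the script should be re-run from cron so the chain tracks current DNS answers. Allowing an address also allows anything else served from that address, so the allow rules are only as tight as the hosting behind those names.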