I don't have much hands-on with Windows Firewall.

I've not checked on Windows 10, and not investigated any further with Windows 7, sorry.

Got it. These obviously aren't covered in the lists so I assume either there's a trick to use Microsoft update servers directly or more firewall rules would be needed to cover local Akamai IPs? *shrug*

On my Windows 7 machine many update-related DNS queries resolve to Akamai CDN addresses within my ISP's network or nearby countries. Once you have that information you can check the IP against the list linked to by wat0114 to see if there's an issue with your rules or whether the address is missing from the list. You can then search for the IP in DNSQuerySniffer (you may need to flush DNS cache before testing) to find the associated domain name queried, which should give you a good idea as to its purpose and whether it relates to Windows updates. The firewall log should hopefully show you which outgoing connection attempts were blocked and the destination IPs. If you want to investigate on your own you could try enabling Windows firewall logs: With reg tweaks this can be done without needing a domain and can serve multiple PCs.

As mentioned previously, this is not a solution I use so may be more helpful here. It's no quick fix but would mean svchost would never need to connect to the internet for updates at all, only the LAN. If you want to go completely overkill and can get hold of Windows Server you could roll your own WSUS server either as a physical machine or a virtual one (requires a lot of HD space).

If you go the MS public IPs route, you may find PowerShell helps to bulk create/remove rules: If you're serious about restricting svchost outbound access then you need to be willing to put in a little research/work along the way as you're working against the OS unfortunately.

They created a wrapper service which allows many libraries and third party applications to send/receive via the same exe but provided little way to differentiate between this traffic.

BITS is used for more than just Windows updates, so blindly allowing all BITS traffic to all destinations without knowing the content of a BITS job won't help with security.

As you're probably aware, issues around controlling svchost outbound access are as a result of Microsoft's design.