Block all IP traffic save for Windows Updates


Block all IP traffic save for Windows Updates

Posted on Mon Jan 16, 2012 9:05 pm

Over the weekend I finally got my new Windows Home Server up and running. The great thing about it is that it's got a ton of functionality, but that makes setting it up all the harder ;).

The home server has the ability to connect to the internet to have all sorts of "personal cloud" like behavior, but I'm not ready for that (yet). Ideally, I'd like to block all IP traffic save for Windows Updates, but I'm having trouble figuring out the best way (meaning most efficient, and most safe). So should I:

  • Set up Windows Firewall to do this except for Windows Update
  • Stop IP traffic at the router level except for Windows Update
  • Turn off the IP traffic entirely at the server level and just remind myself to check for updates monthly

The last one is definitely the easiest, but isn't the most interesting (and I'm not 100% on how to do the other two, so it would be a learning experience). What do you guys think?
Ryhadar
Gerbil XP
Silver subscriber
 
 
Posts: 384
Joined: Tue Oct 21, 2008 9:51 pm
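The first option in the post above (Windows Firewall, everything outbound blocked except Windows Update), worked through as an added example. This is not code from the thread, from WHS or from Microsoft. It assumes WHS 2011 (Windows Server 2008 R2), so it drives the built-in firewall through netsh advfirewall, because the New-NetFirewallRule cmdlets only arrived with Server 2012; the rule-name prefix WHS-Lockdown and the function names are my own choices.

```powershell
# Added example, not from the thread: Windows Firewall outbound lockdown for a
# WHS 2011 / Server 2008 R2 box that leaves only the LAN and Windows Update reachable.
# Run from an elevated PowerShell prompt on the server itself. netsh advfirewall is
# used because the NetSecurity cmdlets do not exist on 2008 R2. The rule-name prefix
# and function names below are my own choices (assumptions), not anything WHS ships.

$Prefix  = 'WHS-Lockdown'
$Svchost = Join-Path $env:SystemRoot 'System32\svchost.exe'

function Invoke-Netsh {
    # Runs "netsh advfirewall <args>" and fails loudly instead of silently leaving
    # the box half-configured.
    param([string[]]$NetshArgs)
    $out = & netsh.exe advfirewall @NetshArgs 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "netsh advfirewall $($NetshArgs -join ' ') failed:`n$out"
    }
    $out
}

function Add-OutboundAllow {
    # Adds one outbound allow rule. When -Service is given the rule is bound to that
    # service's SID inside svchost.exe, which is far tighter than a program rule.
    param(
        [string]$Name,
        [string]$Service    = '',
        [string]$Protocol   = 'TCP',
        [string]$RemotePort = '',
        [string]$RemoteIp   = 'any'
    )
    $rule = @('firewall', 'add', 'rule', "name=$Prefix-$Name",
              'dir=out', 'action=allow', 'profile=any',
              "protocol=$Protocol", "remoteip=$RemoteIp")
    if ($RemotePort) { $rule += "remoteport=$RemotePort" }   # only valid for TCP/UDP
    if ($Service)    { $rule += "program=$Svchost"; $rule += "service=$Service" }
    Invoke-Netsh $rule | Out-Null
}

function Enable-Lockdown {
    # 1. Default-deny in both directions on every profile. Inbound is already
    #    default-deny; the WHS inbound allow rules (shares, Dashboard, client
    #    backups) are untouched, and replies to those connections are matched
    #    statefully, so they need no outbound rule.
    Invoke-Netsh @('set', 'allprofiles', 'firewallpolicy', 'blockinbound,blockoutbound') | Out-Null

    # 2. Anything the server initiates toward the local subnet stays allowed
    #    (router admin page, pushing to client PCs, a second NAS).
    Add-OutboundAllow -Name 'LAN' -Protocol 'any' -RemoteIp 'localsubnet'

    # 3. Name resolution and lease renewal, each scoped to the service that needs it.
    Add-OutboundAllow -Name 'DNS'  -Service 'Dnscache' -Protocol 'UDP' -RemotePort '53'
    Add-OutboundAllow -Name 'DHCP' -Service 'Dhcp'     -Protocol 'UDP' -RemotePort '67'

    # 4. Windows Update: the agent (wuauserv) checks and the downloader (BITS)
    #    fetches, both over HTTP/HTTPS. Microsoft's CDN addresses cannot be pinned,
    #    so the rule trusts the service identity rather than a destination IP.
    Add-OutboundAllow -Name 'WUAgent' -Service 'wuauserv' -RemotePort '80,443'
    Add-OutboundAllow -Name 'BITS'    -Service 'BITS'     -RemotePort '80,443'
}

function Disable-Lockdown {
    # Back to the 2008 R2 default (block inbound, allow outbound) and drop our rules.
    Invoke-Netsh @('set', 'allprofiles', 'firewallpolicy', 'blockinbound,allowoutbound') | Out-Null
    foreach ($n in 'LAN', 'DNS', 'DHCP', 'WUAgent', 'BITS') {
        Invoke-Netsh @('firewall', 'delete', 'rule', "name=$Prefix-$n", 'dir=out') | Out-Null
    }
}

function Test-Lockdown {
    # The policy line should read "BlockInbound,BlockOutbound" for every profile,
    # and the Windows Update rule should list Service: wuauserv.
    Invoke-Netsh @('show', 'allprofiles') | Select-String 'Firewall Policy'
    Invoke-Netsh @('firewall', 'show', 'rule', "name=$Prefix-WUAgent", 'verbose')
}

Enable-Lockdown
Test-Lockdown
```

Two caveats worth knowing before relying on this. Binding the rule to the service SID (service=wuauserv) rather than to svchost.exe is what keeps it narrow: a plain program rule on svchost.exe would let every service hosted in svchost out to the internet. And a host firewall is administered by the same local admin account an attacker would need to own the box, so it can be switched off from inside; the router-level block (the second option in the post) is the one control that survives a compromise of the server itself, which is an argument for doing both.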

Re: Block all IP traffic save for Windows Updates

Posted on Sun Jan 22, 2012 11:46 pm

Sounds like a terrible solution to a non-existent problem. If you are behind NAT, you shouldn't be worrying about open ports within your internal network*. If your network isn't secure, then there are far easier/better ways to secure it before you attempt to harden devices.

*If there is an application/service that provides remote access AND is enabled AND uses UPnP AND your router supports UPnP AND has it enabled AND you don't have a strong password in place, then you should worry. Rectifying any of these conditions is easier than playing IP whack-a-mole.
#182 TT: 13/DNVT, Precedence: Flash Override. Switch: Node Center. MSE forever.
Contingency
Gerbil Jedi
 
Posts: 1531
Joined: Sat Jun 19, 2004 4:03 pm
Location: al.us

Re: Block all IP traffic save for Windows Updates

Posted on Mon Jan 23, 2012 2:06 am

I agree. If you don't want to use those "personal cloud" services yet you should be able to turn them off from the WHS console. Is this security driven or bandwidth cap driven? Windows Update you definitely can configure to "never check", but you run the risk of forgetting a critical patch. I set it at "remind me of updates" so there is a little bit of bandwidth involved.

If you have no need to do remote desktop over WHS and the web sharing stuff, most definitely turn those services off and hopefully IIS will not be running amok. But without port-forwarding behind NAT there is really not much the WHS server "leaks" to the public internet.
The Model M is not for the faint of heart. You either like them or hate them.

Gerbils unite! Fold for UnitedGerbilNation, team 2630.
Flying Fox
Gerbil God
 
Posts: 24289
Joined: Mon May 24, 2004 2:19 am

Re: Block all IP traffic save for Windows Updates

Posted on Mon Jan 23, 2012 7:48 am

I suppose you guys are right. This was a security driven decision, but I usually set Windows to "Alert me, but don't download or install". I ultimately did block all IP traffic on the WHS box at the router level and set a scheduled task to remind me of updates on the router level, just to be safe for the time being. Though as you're saying (and I'm reading elsewhere) WHS does a very good job of keeping things secure by default.

I'm just of the mindset that running any windows box connected to the internet without A/V is taboo. I can't be bothered to buy an A/V solution for WHS when I can just block it from the internet for free when I don't use any of the online features (yet).

Anyway, thanks for the feedback.
Ryhadar
Gerbil XP
Silver subscriber
 
 
Posts: 384
Joined: Tue Oct 21, 2008 9:51 pm

Re: Block all IP traffic save for Windows Updates

Posted on Mon Jan 23, 2012 9:33 am

Ryhadar wrote:I'm just of the mindset that running any windows box connected to the internet without A/V is taboo.
Unless you are running your own programs on the WHS box (it is usually headless and you just use it for file sharing and media serving, right?), even if the files you put on there are infected it is just "dumb" storage. When you access the file(s) from your own box then the antivirus scanner on it should go to work. You have it installed on your own day-to-day box, right?

axeman wrote:You can't install MSE on WHS?
No, it is considered a server product (v1 = Server 2003, 2011 = Server 2008 R2). Look at this thread for details.
The Model M is not for the faint of heart. You either like them or hate them.

Gerbils unite! Fold for UnitedGerbilNation, team 2630.
Flying Fox
Gerbil God
 
Posts: 24289
Joined: Mon May 24, 2004 2:19 am

Re: Block all IP traffic save for Windows Updates

Posted on Mon Jan 23, 2012 10:57 am

I agree with everyone on this. Since it's WHS there is no reason to block the internet from it. And if you don't want the remote access feature turned on, do the following: open the Dashboard > click Server Settings > Remote Access > click Turn off (if it says Turn on then it's already disabled). But if you're that set on blocking internet traffic, then go to Windows Firewall and block all incoming traffic on ports 80 and 443.
MCP MCDST MCSA MCTS MCITP
A+ Net+
Intel Core i7-950 Intel DX58SO Mobo 6GB Corsair XMS3 Tri-Channel BFG Geforce 260 GTX
2x 160GB Seagate HDs RAID 0 2x 500GB WD RE3 HDs RAID 0
Built 40K+ systems and still counting
EV42TMAN
Gerbil
 
Posts: 38
Joined: Fri Jun 10, 2011 11:50 am

Re: Block all IP traffic save for Windows Updates

Posted on Mon Jan 23, 2012 12:46 pm

EV42TMAN wrote:I agree with everyone on this. Since it's WHS there is no reason to block the internet from it. And if you don't want the remote access feature turned on, do the following: open the Dashboard > click Server Settings > Remote Access > click Turn off (if it says Turn on then it's already disabled). But if you're that set on blocking internet traffic, then go to Windows Firewall and block all incoming traffic on ports 80 and 443.

Nowadays who isn't running behind a NAT router/firewall?
The Model M is not for the faint of heart. You either like them or hate them.

Gerbils unite! Fold for UnitedGerbilNation, team 2630.
Flying Fox
Gerbil God
 
Posts: 24289
Joined: Mon May 24, 2004 2:19 am

Re: Block all IP traffic save for Windows Updates

Posted on Mon Jan 23, 2012 1:45 pm

Well, there is some grain of sanity behind the wish to cut all ports to the Internet for a server that might hold private financial data and the like.

Servers are sort-of secure by default, but there are tons of gotchas... Windows Server has RDC disabled by default, but Remote Registry enabled by default. Connect to the remote registry, change the setting, shutdown -r -m //someserver, and you have RDC enabled. And so on. Windows 7 HomeGroup is configured to be on by default; mark the network inside your routed network as a home or office network, a script kiddie cracks the WAP and your files are toast. UPnP - enabled on all consumer routers by default; apps like Skype will kick in and create their own server as soon as they see they have a connection.

And honestly, security settings on all modern machines are hard enough that rarely anyone knows how to handle them.

I hate this cloud thing, it should be opt-in, not opt-out.
Core 2 Duo E6300, MSI P45 NEO-F, Club 3D GTX 260, 4Gb DDR2-800Mhz, Audigy X-Fi Fatal1ty Champ1on ed., 0.5Tb+1Tb Seagate Barracuda 7200.12, 630W AXP, Samsung SyncMaster BX2450, ViewSonic VP171b
Madman
Minister of Gerbil Affairs
 
Posts: 2317
Joined: Tue Apr 01, 2003 4:55 am
Location: Latvia
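The gotchas in the post above turned into a check, as an added example that is not part of the thread and is not WHS's or Microsoft's own code. It reports the Remote Registry and UPnP services and the Remote Desktop switch on a Windows Server 2008 R2 / WHS 2011 box, then closes them. The service short names, the registry path and the fDenyTSConnections value are the real ones; the pass criteria, the firewall rule group handling and the function names are my own hardening choices.

```powershell
# Added example, not from the thread: audit and close the server defaults called out
# above (Remote Registry on, RDP off only by a registry flag, UPnP) on a
# Windows Server 2008 R2 / WHS 2011 box. Run from an elevated PowerShell prompt.
# Service short names and the registry path are the real ones; the target states and
# the function names are my own hardening choices (assumptions), not WHS defaults.

$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# Services that expose the box to the LAN without anyone opting in.
$RiskyServices = @(
    @{ Name = 'RemoteRegistry'; Why = 'remote HKLM writes, including the flag that turns RDP on' },
    @{ Name = 'SSDPSRV';        Why = 'SSDP discovery, the advertising half of UPnP' },
    @{ Name = 'upnphost';       Why = 'UPnP Device Host, the control half of UPnP' }
)

function Get-ServiceStartMode([string]$Name) {
    # Get-Service in PowerShell 2.0 has no StartType property; WMI has it.
    (Get-WmiObject Win32_Service -Filter "Name='$Name'").StartMode
}

function Get-HardeningReport {
    # One row per check: what it is, its current state, and whether it passes.
    $rows = @(foreach ($s in $RiskyServices) {
        $svc = Get-Service -Name $s.Name -ErrorAction SilentlyContinue
        if ($svc -eq $null) { continue }          # not installed on this SKU
        $mode = Get-ServiceStartMode $s.Name
        New-Object PSObject -Property @{
            Check   = "service $($s.Name)"
            Current = "$($svc.Status)/$mode"
            Pass    = ($svc.Status -eq 'Stopped' -and $mode -eq 'Disabled')
            Why     = $s.Why
        }
    })
    # fDenyTSConnections = 1 means Remote Desktop refuses connections. That is the
    # value a remote-registry write flips to 0 before the remote reboot in the chain
    # described above, so it is worth checking even though RDP ships "off".
    $deny = (Get-ItemProperty -Path $RdpKey -Name fDenyTSConnections -ErrorAction Stop).fDenyTSConnections
    $rows += New-Object PSObject -Property @{
        Check   = 'fDenyTSConnections'
        Current = $deny
        Pass    = ($deny -eq 1)
        Why     = '1 = Remote Desktop connections refused'
    }
    $rows
}

function Invoke-Hardening {
    foreach ($s in $RiskyServices) {
        if (Get-Service -Name $s.Name -ErrorAction SilentlyContinue) {
            Stop-Service -Name $s.Name -Force -ErrorAction SilentlyContinue
            Set-Service  -Name $s.Name -StartupType Disabled   # survives reboots
        }
    }
    Set-ItemProperty -Path $RdpKey -Name fDenyTSConnections -Value 1 -Type DWord
    # Belt and braces: even if the flag is flipped back, the RDP listener stays
    # unreachable until someone also re-enables the "Remote Desktop" rule group.
    # cmd /c is used so the quoted group name reaches netsh unchanged.
    cmd /c 'netsh advfirewall firewall set rule group="Remote Desktop" new enable=no' | Out-Null
}

Get-HardeningReport | Format-Table Check, Current, Pass, Why -AutoSize
Invoke-Hardening
Get-HardeningReport | Format-Table Check, Current, Pass, Why -AutoSize
```

Run the report first and read it before hardening: on a stock 2008 R2 install the RemoteRegistry row is the one expected to fail (Running/Automatic), while the two UPnP services are often absent or already disabled on the server SKU and simply drop out of the report. Disabling Remote Registry does not affect the WHS Dashboard, but it will break remote use of Services.msc, Event Viewer and similar MMC snap-ins against the box, which is the trade-off being made.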

Re: Block all IP traffic save for Windows Updates

Posted on Mon Jan 23, 2012 9:47 pm

Madman wrote:I hate this cloud thing, it should be opt-in, not opt-out.

^ this.
thegleek
Darth Gerbil
Gold subscriber
 
 
Posts: 7359
Joined: Tue Jun 10, 2003 11:06 am
Location: Detroit, MI
