Rules for blocking automatic windows update



  • Hi

    Can anyone point me in the right direction with regard to blocking automatic Windows updates and Symantec Antivirus updates? Those two are using up a lot of bandwidth. I already have a plan to manually distribute all updates through 1 machine only, as opposed to having everyone connected to the net for the purpose.

    Thanks



  • Easiest way would probably be to resolve the hostnames that are used for the updates to some wrong IP. You could do that by using the DNS forwarder, or your local DNS server in case you are not using pfSense for DNS.



  • That will be difficult to reliably block without using something like squid. If this is a corporate environment, you should use group policy to force your machines to update via WSUS, then you don't have to worry about blocking it. For Symantec, you should be using the central update features in their corporate version and again won't have to worry about blocking it.



  • Hi hoba, cmb

    I've tried the DNS forwarder but that didn't help, because I'm having the same things in my log this morning.

    @cmb I'm not in a corporate environment, so I can't use group policy. I do however have the squid package installed; how can I achieve what I want with it?

    Many thanks



  • Since Adam2 decided the best route was to PM me asking for help, I'll post my comments here:

    If you have a question, ask it in the forum.  If I have something to add to a thread I will, if I don't then I won't.  PMing me asking me to look at a particular thread (unless you're one of the pfSense team, or a mod, in which case I'm assuming you're prompting me for a good reason) will just annoy me.

    We will now return you to your previously scheduled insanity…



  • My apologies Cry Havok, I did not mean to annoy anyone in any way. It is just that I was simply trying to ask you to look into the thread “when you had time”, and also you are one of the experienced users who was online at that time. Besides, I hadn’t seen the tagline “If you're planning on PMing me to ask me to look at a thread, or for individual support, don't.”

    I hope you understand my situation

    Thanks



  • It wasn't there before, your PM was the straw that "broke the camel's back" as it were.

    Keep in mind that everybody here (with the possible exception of the core team, but I suspect it also applies to them) is giving up their time to help folks like yourself.  Acting as if you assume that you're entitled to help, regardless of your intentions, is always going to annoy people.  You're only entitled to help if you're paying people for that help.

    Back to your question, take a look at the Access Control tab in the proxy configuration.  There's a field for blacklisting URLs etc.  "All" you have to do is put the appropriate entries in there.  You could probably start with something like:

    (^|\.)update\.microsoft\.com$
    (^|\.)windowsupdate\.microsoft\.com$

    If the Symantec updates use a dedicated host then you can do something similar, if you force Symantec through Squid then the logs will tell you if it uses a dedicated update server.  You'll probably have to add your download server to the Unrestricted box, or allow it to bypass Squid.  You'll also want to ensure that you block direct outbound access to 80/TCP and 443/TCP in the firewall rules tab for the LAN port.
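
The log check suggested in the post above, as an added example that is not part of the original thread: it totals bytes per destination host from Squid's native access.log format and lists heavy hosts that the blacklist does not yet cover. The log lines, the host `av-updates.example.net` and the 1 MB threshold are constructed for illustration; the two patterns are the ones from the post, with the dots escaped.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Blacklist patterns from the post, dots escaped so "." only matches a literal dot.
BLACKLIST = [
    re.compile(r"(^|\.)update\.microsoft\.com$"),
    re.compile(r"(^|\.)windowsupdate\.microsoft\.com$"),
]

# Constructed sample lines in Squid's native access.log format (not real traffic).
# Fields: time elapsed client result/status bytes method URL ident peer type
SAMPLE_LOG = """\
1200000000.101   850 192.168.1.20 TCP_MISS/200 5242880 GET http://download.windowsupdate.microsoft.com/v9/a.cab - DIRECT/203.0.113.10 application/octet-stream
1200000001.202   120 192.168.1.21 TCP_MISS/200 2048 CONNECT www.update.microsoft.com:443 - DIRECT/203.0.113.11 -
1200000002.303   900 192.168.1.22 TCP_MISS/200 7340032 GET http://av-updates.example.net/defs/full.zip - DIRECT/203.0.113.20 application/zip
1200000003.404    40 192.168.1.22 TCP_MISS/200 1024 GET http://notupdate.microsoft.com.example.org/ - DIRECT/203.0.113.30 text/html
"""

def dest_host(method, url):
    """Return the destination hostname; CONNECT lines log host:port, not a URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def is_blacklisted(host):
    """True if the host matches any blacklist pattern."""
    return any(p.search(host) for p in BLACKLIST)

def bytes_by_host(log_text):
    """Sum the bytes field per destination host, skipping malformed lines."""
    totals = Counter()
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 7 or not f[4].isdigit():
            continue
        totals[dest_host(f[5], f[6])] += int(f[4])
    return totals

def unblocked_heavy_hitters(log_text, min_bytes=1_000_000):
    """Hosts above the byte threshold that the blacklist would still let through."""
    return sorted(h for h, n in bytes_by_host(log_text).items()
                  if n >= min_bytes and not is_blacklisted(h))

if __name__ == "__main__":
    for host in unblocked_heavy_hitters(SAMPLE_LOG):
        print("candidate for blacklist:", host)
```
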



  • The best practice way to do this, as mentioned above:

    1.  Set up a WSUS 3.0 server.  Download WSUS free here:  http://technet.microsoft.com/en-us/wsus/default.aspx

    2.  Adjust your pfSense firewall rules accordingly to let your fresh WSUS 3.0 server get updates.

    3.  Set up Group Policy (or deploy a quick registry hack) that configures the Automatic Updates service on all workstations to talk to your WSUS 3.0 server.

    I'm seeing a lot of what I call "right tool for the job" sort of stuff here – people asking how to make pfSense do things that are better done another way.

    Like trying to turn a 10mm bolt with an adjustable wrench - a 10mm wrench or socket is what you need.

    pfSense is not an adjustable wrench, nor is it a 10mm wrench or socket.  It's quite a more specialized tool, for very specific applications.

    Coming from a Cisco background, I always compare to what I'd do with a PIX.  I wouldn't try to do application level filtering in a PIX - so I wouldn't try to do it in pfSense either.  That's not what a firewall is for IMO.



  • Thanks a lot for your understanding, I will be careful with my future posting.

    I'm going to do as both of you said and keep you posted on how it goes.

    Thanks again



  • You can also edit the registry to disable Windows Update on a per user basis:

    Start regedit.exe on the machine where you want to disable Windows Update.
    Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.
    From the Edit menu, select New, DWORD value.
    Enter a name of NoWindowsUpdate, and press Enter.
    Double-click NoWindowsUpdate, and set it to 1.
    Close regedit.

    You don't need to reboot. If the user tries to start Windows Update, the system will display the following error message:

    Windows Update was disabled by your system Administrator.



  • Okay I think the block has taken effect cuz there is no traffic to the restricted address.

    @Kapara nice tips I will do that (maybe create a .bat file for that registry tweak) or just disable the automatic update from the GUI

