Access Denied: Using Windows Update with IP Security Policies

Using IP packet filtering to lock down your system can prevent you from downloading Microsoft updates. Here's how to work around the problem.

ITPro Today

May 16, 2004

2 Min Read
ITPro Today logo in a gray background | ITPro Today

After reading the Windows Web Solutions article "IPSec Packet Filtering," September 2002, http://www.winnetmag.com, InstantDoc ID 25935, about implementing IP Security (IPSec) packet filters to protect Web servers, I blocked all traffic at my test server, then created exception rules to allow incoming packets to TCP ports 80 (HTTP), 20 and 21 (FTP), and 3389 (Terminal Services) and to let the server send packets back to clients. No other ports are open, and I feel much more secure. However, Windows Update no longer works. When I try to browse to http://windowsupdate.microsoft.com, Microsoft Internet Explorer (IE) fails to connect. How can I keep my system locked down but still let it download Microsoft updates?

Setting up an IP security policy like the one described above prohibits not only incoming packets but also outgoing packets unless they're explicitly allowed. Although static filters (such as those in IP security policies) are great for controlling connections to inbound ports, they don't work well for outgoing connections because client-side port numbers are numerous and unpredictable. This drawback is why stateful inspection firewalls are so important. As powerful as they are, IP security policies fall short in this area because they aren't stateful.

You have at least one alternative: You can create an exception rule in your IP security policy that lets you communicate through port 80 to http://windowsupdate.microsoft.com. Or, if you can upgrade to Windows Server 2003, you can use its built-in firewall to solve your problem.

The first alternative involves creating a filter that looks for inbound packets that have the windowsupdate.microsoft.com source address and source port TCP 80. Then, create a rule that allows traffic through that filter. Configure the rule to include mirror image packets (i.e., outgoing packets to http://windowsupdate.microsoft.com and destination port TCP 80), and you'll be able to download updates from that Web site. However, be aware that this approach opens you up to incoming connections through any port on your server if the attacker can spoof packets to look like they come from http://windowsupdate.microsoft.com.

If you run Windows 2003, you can solve your problem simply by enabling Internet Connection Firewall (ICF) or RRAS's Basic Firewall, depending on which edition of Windows 2003 you have. Evidently, you use IP security policies only for their packet-filtering ability, not for IPSec communications. ICF and Basic Firewall let you easily implement that filtering functionality while letting your computer make outgoing Web requests. First, enable ICF or Basic Firewall. Configure the firewall to publish your public TCP ports 80, 20, 21, and 3389, then disable your current IP security policy. Your private ports will still be blocked, but because ICF and Basic Firewall are both stateful inspection firewalls, your server can make outgoing Web requests.

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like