Windows Update vs. My Router (michaelhorowitz.com)
67 points by shdon on May 26, 2022 | hide | past | favorite | 68 comments



I don’t understand why this person is using network controls to deny access to Microsoft services. There’s plenty of reason to allow Windows update to download outside of some corporate VPN (especially for remote users, why use bandwidth over the VPN?) when you control which updates are installed via WSUS.

I by no means mean any ill will to the author, and appreciate the post, but I do feel critical of the approach.

I would have to understand the why more than is apparent in this blogpost to sympathize. Especially when this configuration is for another person as mentioned at the top. Are they aware of all rules being applied? This sounds like a home environment, which to me signals that these rules would have also killed updates for personal devices, potentially leaving them vulnerable. If you truly need control over Windows Update like this, you should be using the controls exposed to you (WSUS, group policy, etc.)

If it’s a choice that the end user has made, acknowledging that domains used by Windows are being blocked by a firewall and this may cause erratic or nonfunctioning behavior for Windows I see no problem.

It is likely my own experiences and opinions, but I personally believe this is using the wrong tool for the job, using a sledgehammer to drive a screw. I’ve had to deal with things like this at my work, with firewall rules being completely invisible to end users, and it just costs money and causes frustration at something that can be completely transparent and easy to access.


Honestly it feels a little like blog posts I read titled “X software is full of bugs” and then the first line is “so I installed X on my custom Arch Linux setup…”. Sure, not ideal, but the conclusion might not quite match the playing field.


> I don’t understand why this person is using network controls to deny access to Microsoft services.

The person who wrote the article, wrote it about trying to get windows updates working.

>> in this case, I was trying to restore Windows Updates.


And the conclusion was to remove the block they had previously put there.


I'm confused. Who put those domains used by Windows Update in the router DNS blocklist? Is it the author since he said he configured it? If so, why is he blaming the user's employer company for it? And did he put them in to block Windows updates on purpose like he said he wanted to at the end? Wouldn't that block Windows Updates on all computers at home for that user?

Why would a large company want to route what could be gigabytes of Windows updates per computer through the corporate VPN for 100K+ employees thereby slowing down the corporate VPN introduce lag into remote desktop connections and VOIP calls/screenshares, and potentially paying a lot more in bandwidth fees?


I can see why "watson.telemetry.microsoft.com" was added. I'd block that too if I saw it on my network.


Windows updates (some? Not all?) come down over port 80. That rubs security folks the wrong way.

There is extra validation (chiefly, digital signatures) which protect against MITM attacks, but some still think the bandwidth is worth the risk mitigation.



Ah, did not realize! A year back I was exposed to a white paper under NDA explaining the security posture. Also, the PM's had mentioned changes were underway.

Normally it is not under my purview, hence why I did not realize the recent change.


> Not forcing microsoft.com and windowsupdate.com to use the corporate VPN sure seems like an oversight to me.

I imagine that some enterprises don’t want or need to have that data traversing their VPNs, it’s not sensitive data and their networks are probably busy enough with back to back teams calls.


FYI windows update for business is now a thing

And it uses direct public access to Microsoft's CDN to push updates set via policies in Intune or MEMCM. It could be the case here and it's usually used by MSFT customers to avoid clogging the VPN with patching bandwidth.

Source:

Msft employee

https://docs.microsoft.com/en-us/windows/deployment/update/w...


> The advantage is that the blocking is total. Web Blocking only blocks HTTP and HTTPS. DNS blocks all protocols.

eh, DNS is an address lookup service. It doesn't block anything.

1. Install any of the many "virtual hosts file" addons in Chrome/Firefox. (or simply edit /etc/hosts if you're on Unix)

2. Use one of the many online dig GUIs to find the IP address for, say, blockedsite.com (eg https://toolbox.googleapps.com/apps/dig/)

3. Access blockedsite.com in the browser without any DNS lookups


even better use DNS over HTTPS/TLS.


While it is not as discoverable as it should be, it is documented:

https://docs.microsoft.com/en-us/windows/deployment/update/w...


> Kids can not bypass family-friendly DNS servers by hard coding other DNS servers into their computing devices. The router rules :-)

Remember, if you can do this to your kids at network level, then your ISP or government can do it to you at network level too.


Can't someone bypass that with a custom /etc/hosts file with the IPs for the blocked sites they want to visit hardcoded?


Yes, or using DoH or another encrypted DNS protocol.


> This time I looked at Web Blocking, the blocking of domains accessed with HTTP and HTTPS.

Anyone knows how this works, especially for HTTPS? I imagine it doesn't MiTM TLS so SNI..?

> The disadvantage of DNS is that it blocks one computer at a time. It can not block facebook.com the way Web Blocking does. With DNS you have to block abc.facebook.com and def.facebook.com and anything.you.want.facebook.com individually.

This isn't true. You can block domains with arbitrary rules - what you're looking for here is easy enough in any DNS server I ever worked with. Maybe there is such a limitation with this particular interface but that distinction should be clear.


SNI is part of the Client Hello in TLS (it's needed so the server can decide the appropriate SSL certificate to reply with), and since this happens at the start of the TLS handshake, it's transmitted in plaintext.

Many firewalls (and even my ISP) terminate the connection here if the domain is in the blocklist. Since it's part of SSL negotiation, and unrelated to the actual HTTP query, in some cases you can find another (non-blocked) site on the same server, send that SNI for the TLS handshake, and then do the HTTP request on the correct host to bypass stuff like this. (This technique is called domain fronting [1].) Unfortunately big CDNs like Cloudflare stopped allowing this because it's non-standard.

There is a proposal for Encrypted Client Hello (and therefore Encrypted SNI) being worked on right now: draft-ietf-tls-esni-14 [2]; until then, using VPN/web proxies is the only effective way of getting around these restrictions.

[1] https://en.wikipedia.org/wiki/Domain_fronting
[2] https://datatracker.ietf.org/doc/draft-ietf-tls-esni/
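The two points above, that a filter reads the plaintext SNI out of the ClientHello and that a single rule for facebook.com can cover every subdomain, as an added example that is not part of the thread or any product's code. The ClientHello bytes are constructed inline; the blocklist entries are the page's own domains, and a ClientHello with no SNI (or an encrypted one) is deliberately left unclassified, since that is exactly what an SNI filter cannot see.

```python
"""Extract the SNI host_name from a TLS ClientHello record and match it
against a domain blocklist with suffix (wildcard) semantics."""
import struct
from typing import Optional

# Constructed sample blocklist: a bare domain covers all of its subdomains.
BLOCKLIST = {"facebook.com", "watson.telemetry.microsoft.com"}


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Build a minimal, well-formed ClientHello record (constructed input,
    not a capture). An unrelated extension precedes SNI so the parser must
    skip it rather than assume SNI comes first."""
    body = b"\x03\x03" + bytes(32)              # client_version + random
    body += b"\x00"                             # session_id: empty
    body += b"\x00\x02\x13\x01"                 # cipher_suites: one suite
    body += b"\x01\x00"                         # compression: null only
    exts = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"   # supported_versions
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
        sni = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni)) + sni      # ext type 0 = server_name
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # ClientHello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the server_name extension, or None when the
    record is not a ClientHello, is truncated, or carries no SNI. All length
    fields are bounds-checked so malformed input yields None, not an exception."""
    try:
        if record[0] != 0x16:                                   # not a Handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < rec_len or hs[0] != 0x01:                  # truncated / not ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                            # skip version + random
        pos += 1 + body[pos]                                    # skip session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # skip cipher_suites
        pos += 1 + body[pos]                                    # skip compression_methods
        if pos + 2 > len(body):
            return None                                         # no extensions at all
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if etype != 0x0000:
                continue                                        # not server_name, skip
            list_end = 2 + struct.unpack("!H", data[:2])[0]
            q = 2
            while q + 3 <= list_end:
                ntype = data[q]
                nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                if ntype == 0:                                  # host_name
                    return data[q:q + nlen].decode("idna")
                q += nlen
        return None
    except (IndexError, struct.error, UnicodeError):
        return None


def is_blocked(host: Optional[str], blocklist: set) -> bool:
    """Suffix match: a rule for 'facebook.com' also covers 'abc.facebook.com'
    (what a wildcard DNS rule or SNI filter does) but not 'notfacebook.com'.
    A missing SNI cannot be classified by this filter, so it is not blocked."""
    if host is None:
        return False
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


if __name__ == "__main__":
    for name in ("abc.facebook.com", "sls.update.microsoft.com", None):
        sni = extract_sni(build_client_hello(name))
        print(name, "->", sni, "blocked" if is_blocked(sni, BLOCKLIST) else "allowed")
```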


Yeah, not sure how this would work over HTTPS without proxy or rogue cert.

With a proxy, you can use an HTTP CONNECT proxy: the computer provides the domain (SNI) and the proxy can make an allow/deny decision. If allowed, it establishes a blind tunnel where packets flow without further inspection.


SNI has nothing to do with proxies. Essentially all HTTPS connections provide SNI, regardless of whether there's a proxy or not.

A MITM can sniff the SNI. There's a draft standard to encrypt the SNI. I don't think it's been widely adopted.


How about:

1) have a more robust update service with a clear point of connection.

2) more transparent, human readable, error messages. (This is the issue in step X, cannot connect to (location); check your firewall.)


Yeah tons of pain would be saved with more transparent systems. If the poster knew WHY it was failing they wouldn’t have to guess.


I’m currently using a TP-Link wireless router running in AP mode (since I have another Linux box as the home gateway), but it filters out all IPv6 router advertisement packets, which entirely breaks IPv6 stateless configuration. Before this, I was using another Netgear router that would randomly drop ICMP pings.

The packed “features” in today's home routers really annoy me. I wish there were some cheap “dumb wireless AP” products that do nothing other than switching packets.


> I wish there’s some cheap “dumb wireless AP” products that does nothing other than switching packets.

I don't know how cheap you are talking about... but TP-Link has their Omada line-up of devices, including WiFi 6 APs that are just that, access points. No router, no filtering, just SSIDs and the ability to drop traffic onto various VLANs (with RADIUS for auth if you want).

They are fantastic. They are rock solid and since they don't do anything but be an AP they are never rebooted or run out of memory for state tracking and the like.


GL.iNet Cirrus (GL-AP1300). Runs forked OpenWRT out of the box but you can flash it with a clean upstream as well.

(Some other of their devices have issues when running vanilla OpenWRT - this particular model seems fine so far)

If you want even more "dumb" and DIY you could look at something like a PCEngines APU or similar, but it sounds like you want to spend less time and effort on your APs, not more.

I am surprised about everyone recommending TP-Link. They used to be decent but I have recently helped people set up some of their more recent models and they're atrocious, especially but not only Deco. All kinds of issues and weird behavior (I recall one with dozens of pages over multiple years in their support forum, with no fix in sight).

In particular, across the range they go more towards "intelligent"/"smart"/cloud+app for management, which is the opposite of what parent is asking for. TP-Link is one of the worst offenders here - going the Ubiquiti direction but poorly executed. Any OpenWRT/DD-WRT/Linux compatibility is accidental.

Ubiquiti UniFi AC Pro is also nice on its own. IIRC it works without using any of their software and can be managed through the web. I guess it may not classify as cheap, though. I don't have any experience with their AP Lite; maybe it's worth a look as well?


> I’m currently using a tplink wireless router running as AP mode

This is the problem right there. Don't buy consumer network equipment. It is tempting because it is cheap but I personally always end up regretting it. Spend a bit more for the entry-level business line and keep your sanity.

TP-link actually has a pretty decent line of small business switches and APs.


I've got an OptiPlex box running OpenBSD that's gonna get a PCI wireless card thrown in it when I get around to it.

Doesn't get much dumber[0] or cheaper than that, assuming you buy the optiplex used.

[0] Not actually dumb, but entirely controlled.


> I've got an optiplex box running OpenBSD thats gonna get a PCI wireless card thrown in it when I get around to it.

Have you actually looked into this path? 802.11ac support is basically brand new in OpenBSD and the drivers that support it don't support HostAP mode.

In general the state of WiFi support across the BSD multiverse is pretty poor. I've wanted to be able to use pfSense/OpnSense boxes as all-in-one devices for years but it's always been so bad that it's better to just use a dedicated Linux device as the WAP.


I followed https://www.openbsd.org/faq/pf/example1.html (Router guide) and did successfully build out a working box - except for a faulty wireless card.

That card was old (and didn't support ac anyways), but I had it on hand so figured I'd try it. I've been too busy recently to properly research purchasing a new wireless card for this thing so far, though from what you've said I may wind up having to do something else. Maybe Alpine on this box, or a dedicated wireless AP.


I'm not saying it can't work, in fact up to 802.11n apparently works perfectly fine with the right hardware, but it's 2022 and 802.11ac is now "the past" with 802.11ax/WiFi6 as the current standard. As far as I'm aware none of the BSDs have any support for 802.11ax.

If you want to build a BSD box that can also do wireless and don't really care about performance there's nothing wrong with that, but if your goal is something that functionally compares to retail hardware you're going to want to stick to Linux.


Looking at it, I think I'm gonna use one of the numerous pi 3 b+'s I have sitting around as an AP and keep the OpenBSD box as a router.

As you've probably realized by now, I'm new to wireless networking. Do you know of any good resources off the top of your head to better learn? I've been DDG/Googling for stuff as I need it, but there's still a lot of unknown unknowns here for me.


> Looking at it, I think I'm gonna use one of the numerous pi 3 b+'s I have sitting around as an AP and keep the OpenBSD box as a router.

If you have the hardware around then yeah, that should at least give you a basic level of 802.11ac support. It's still going to be limited though, because the USB-based Ethernet can only do 300ish megabits per second.

I like Ubiquiti's UniFi line. They're easy to work with in stock form and their stock firmware is based on OpenWRT so it's easy to flash them to a fully open configuration if you want.

> Do you know of any good resources off the top of your head to better learn? I've been DDG/Googling for stuff as I need it, but there's still a lot of unknown unknowns here for me.

Unfortunately I do not, I've just built up knowledge organically over years of messing with WiFi.


Most TP-Link wifi routers can run OpenWRT. That would solve your problem.


Is that still true? I got one semi-recently and there was no way to change the firmware. And the previous one required some trickery.

Edit: I think DD-WRT won't get support for newer Broadcom devices, and OpenWrt has no meaningful support for Broadcom at all? On top of some issues with firmware locks from TP-Link directly.


Here's the list of 234 TP-Link models supported by OpenWRT:

https://openwrt.org/toh/start?dataflt%5BBrand*%7E%5D=tp-link

Maybe they made 300 models, or 500? I don't know. I have three in my house, all of which have 2.4 and 5GHz radios working in OpenWRT, connected by gig-e backhauls.


> Here's the list of 234 TP-Link models supported by OpenWRT

How many of them have wifi 6 or later, though?

I can't figure out how to use this site very well but I found https://openwrt.org/toh/views/toh_available_16128_ax-wifi and that only has one non-router device from TP-Link.


>I wish there’s some cheap “dumb wireless AP” products that does nothing other than switching packets.

Have you tried unifi? Their pricepoint is about the same as a mid range wireless router.


I like TP-Link's Omada line of APs.


Uhh, why would a large corp spend the money on Windows Update bandwidth when they could just split the traffic? Not sure about this article. The issue was on the end user.


To control the release of patches with Windows Server Update Services (WSUS),

so that you can test the patches and make sure they do not break user network connectivity.

https://arstechnica.com/information-technology/2016/12/micro...

but yeah, I agree from the bandwidth perspective


Why would you put yourself through this


If the functionality doesn't exist, the code doesn't exist, so you have to write it yourself.


Man I love nerd blogging culture.


TL;DR

prod.do.dsp.mp.microsoft.com settings-win.data.microsoft.com sls.update.microsoft.com watson.telemetry.microsoft.com ctldl.windowsupdate.com

These five domains/subdomains can block Windows Update


I disabled Windows Updates two years ago, right after I installed Windows 10. Never gonna turn them on. Fuck you Microsoft. Read too many horror stories. Not updating. Don't ask me.

https://github.com/WereDev/Wu10Man


If you don't trust Windows Update, then you shouldn't run Windows at all, because Windows without updates is full of major security holes.


Maybe he's had more problems from botched updates than he ever had from exploits.


Windows Updates introduce telemetry features and I don't allow my gaming PC network access to Microsoft. In my mind, the risk of them collecting my personal information is greater than the possibility of a "major security hole" being exploited, and even if it were, the data is limited to something totally inconsequential. As an additional measure, I reinstall the OS several times per year, but only allow updates before I use the computer for the first time.


Windows 10 has had telemetry since its initial release. You don't avoid it just by not installing updates. If you're really so concerned about security and privacy, then why not just use Linux?


> Windows 10 has had telemetry since its initial release.

Telemetry is collected over the routine use of the operating system, which is why I reimage the system frequently.

> You don't avoid it just by not installing updates.

I avoid it by not allowing my computer to phone home to Microsoft.

> If you're really so concerned about security and privacy, then why not just use Linux?

I do - and I use Microsoft for times when security and privacy are not paramount, like when gaming.


In my opinion, Windows Update is essentially malware. I've been running without updates for years, even since Windows 7. Works fine.


My gosh, the ignorance of security on this site is just astounding sometimes. This is why IT and developers are in different departments, good grief.


It works fine in the same way that a car with no seat belts and air bags does.


Reminds me of the pro-vaccine memes likening vaccines to seat belts. An incompatible, overly-simplified emotive analogy for both vaccines and windows updates. It's almost like you believe your world to be threatening and dangerous without Microsoft's software rules to keep you safe.


It is because there are decades of history of unpatched devices being used as vectors for DDoS, entry points for horizontal movement inside secure networks, etc.

If you pay attention to the Ukrainian conflict, you will see that the cyber-warfare is going strong (especially in the energy sector), and the internet is indeed a 'threatening' place. Just because you don't consider yourself an interesting target doesn't mean you won't be compromised.

Yes, it's unfortunate that MS packages both bug fixes and 'features' in their update process. But as other comments have said, it is better, then, to migrate away from Windows to another OS which you can keep up to date.

There are many layers to a good defense, but for a regular consumer, simply keeping devices up to date is a low effort way of reducing attack surface area.

I wouldn't run any unpatched device with internet access, be it windows, linux, anything.

I recommend the book "This Is How They Tell Me the World Ends: The Cyberweapons" for a non-technical but interesting read about this topic.


> "I wouldn't run any unpatched device with internet access"

You wouldn't go Sunday driving without a helmet. Got it.

It's not a binary game, patched vs unpatched. Safe vs falling down a cliff. Otherwise every piece of software is in either an unpatched state, or discontinued. As soon as you patch software, it's now in an unpatched state relative to the next patch/product update which is a certain event.

If Grandma leaves her old Windows 95 PC exposed to the internet, we might use scary language like "cyber-warfare" and "internet is threatening" to help convince Grandma to upgrade. But the difference between a modern system patched only a few months ago or last year and "today" is only a bunch of unlikely exploitable edge cases, and a whole lot of product update gunk.

Typical patch notes: "possible code injection when unlikely event A happens at the same time as unlikely event B."

Things that bring regular consumers undone in the world of online mishaps, are manual blunders like having their email hacked, or believing the person on the phone who says they're from Microsoft. Patches don't help with the most common pain points.

Just because Microsoft wants "60 days" to be the most you can go without updating Windows, doesn't mean that 90 days or 180 or 360 days is some kind of industry-agreed threat to the internet. Being "unpatched" beyond the rigid rules you've subscribed to, is not a dilemma worth linking to books about cyberweapons.


> As soon as you patch software, it's now in an unpatched state relative to the next patch/product update which is a certain event.

Why do you bother taking showers? You're just going to start getting dirty again as soon as you get out.

> But the difference between a modern system patched only a few months ago or last year and "today" is only a bunch of unlikely exploitable edge cases, and a whole lot of product update gunk.

> Typical patch notes: "possible code injection when unlikely event A happens at the same time as unlikely event B.".

This isn't true. A lot of new vulnerabilities are easily exploitable.


> Why do you bother taking showers?

Because our bodies accumulate and generate dirt over time which needs washing off. Software doesn't accumulate dirt or generate problems over time, so your analogy doesn't fit.

> This isn't true.

We are not playing "who knows the truth", we're having a discussion. What I said is not false. The vast majority of typical patch notes detail vulnerabilities which can happen only when certain variables align. "Easily exploitable" may be true, provided certain other unlikely conditions are met, such as the attacker already gaining access to your system in order to exploit said vulnerability. This is not a "seat belts" vs "no seat belts" risk. I maintain that the risk from not embracing whatever tech giant's update ideology is commanded, is overstated most of the time compared to other risks people face online.


> Software doesn't [...] generate problems over time

But that's exactly what happens when new vulnerabilities are found.


You are focused too much on Microsoft and the individual user. The concepts are applicable to any device from any manufacturer. The book I linked is about the evolution and history of network-spread malware such as bots. It discusses how security was always an afterthought at the start of the millennium, and how at a certain point basically every device was running some malware. Then collectively the industry and the government finally started to understand the nature of the beast and introduced security hardening best practices.

This is continuing today, and the increased knowledge sharing has industries working together to fight the problem. Even the US government has learned from e.g. google and started to move to 0-trust network architecture: https://www.whitehouse.gov/briefing-room/presidential-action...

Automatic updates are one of the biggest enablers of stopping automatic spreading of malware. The Mirai botnet for example had a large capacity knocked out thanks to Deutsche Telekom responding and force updating their network devices which were vulnerable attack vectors. Unfortunately there are a lot of devices out there which are out of support or have no updates available (i.e. internet of shit), which remain a constant problem.

Automatic updates are the industry standard, because the days a patched or unpatched device is a threat to the internet is 0. This doesn't mean patching is futile. It still greatly reduces the available attack surface, and also helps protect other devices.

You should also be aware that when 0-days get patched, it often happens silently. E.g. Linux will obfuscate its commit message, because if they say 'e.g. fix really bad 0-day', then immediately that 0-day becomes public knowledge and will be exploited even more before the patch is live and propagated to the systems. Same in release notes, so people don't diff the binary to discover what the attack vector was. Just because it's not loudly announced doesn't make it not real.

So please do your minimum part to practice network hygiene if you want to participate. It is not a 'dilemma', it is polite behavior for a greater goal.


Please stop selling me Microsoft automatic updates. I'm not buying.

Doesn't mean I never update. It means I control the updates on my terms, not on those of commercially motivated, privacy-invading faceless tech giants with agendas far beyond the scope of network hygiene.

I use a cheap smartphone. It works fine but gets no more updates. According to your position in this debate, I should abandon that unhygienic phone, and pay the protection money for a fresh plastic box of rare earth metals, for the greater good.

I'm not sure why you're invested in replying to me about this topic. Most general PC users already have automatic updates on. You should be ecstatic about that.

Behavior modification and reinforcement tactics used by software vendors to get people to do things, is real. Overstating the threat of security risks if people fail to update in a given time frame, is one of the tactics used to get people to install, upgrade, buy, renew, etc.

I apply updates on some things without much delay, such as specific software I trust/respect. Other times I will never update, such as my e-bike where I modified the firmware for certain reasons which are my business. There are valid reasons why people delay or decline updates.

It's disappointing you believe embracing automatic updates is tied to ethical use of the internet. The implication of that idea is that update-urgency is never exploited by those pushing the updates. We're even seeing "updates for the sake of updates" coming through, as Apple will reportedly delist apps that haven't seen an update in a while.

Okay I'm done on this topic! Updates! Ugh... I turn them off and edit group policies etc to put a stop to the blatant turf-war on who gets to run the show in my house.


> I use a cheap smartphone. It works fine but gets no more updates. According to your position in this debate, I should abandon that unhygienic phone, and pay the protection money for a fresh plastic box of rare earth metals, for the greater good.

It's definitely not right that you have to do that, but the fact is that today, being secure means you do have to. In the ideal world, manufacturers would have to either provide security fixes for way longer, or open up their devices to the point that other people can do it for them.

> It's disappointing you believe embracing automatic updates is tied to ethical use of the internet. The implication of that idea, is that update-urgency is never exploited by those pushing the updates.

Do you consider it ethical for your computer to knowingly be part of a botnet? And of course Microsoft abuses automatic updates, but the solution to that isn't getting rid of automatic updates; it's getting rid of Microsoft (e.g., switching to Linux or something).


It "works fine" insofar as you don't know if your machine is brimming with malware silently chugging away

Which is what "good" malware does


Some would argue you've just described parts of the Windows OS itself, and updates exacerbate this.


So scan your PC for malware. If none are found and your machine is running fine, you don't need to panic about updates until you're good and ready to install updates.

The problem with blind loyalty to Microsoft updates on their terms, is they can micro-tweak the compliance rules over time. One day you may find you can't use your own PC unless you sign in to Microsoft, upload photo ID, then enter the code they sent your phone. Don't worry, the data you provide Microsoft is shared only with trusted partners.


The problem with that is you need to get update definitions from Microsoft

Finding 2022 malware with 2015 Windows 10 definitions won't turn up much.


Only if you use Microsoft as your antivirus. Otherwise what I said is still valid.



