Trustwave Research Reveals Cybersecurity Risks Threatening Patient Lives in Healthcare. Learn More

Request a Demo
Trustwave Research Reveals Cybersecurity Risks Threatening Patient Lives in Healthcare. Learn More

Request a Demo
Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

View All Trustwave Services
Solutions
BY INDUSTRY
BY REGULATION
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
We reduce cyber risk and fortify organizations
Awards and Accolades
Recognition by analysts and media outlets
Trustwave SpiderLabs Team
Global researchers, ethical hackers, and responders
Trustwave Fusion Security Operations Platform
Unprecedented security visibility and control
Trustwave Security Colony
Access to cybersecurity threat protection resources
Partners
Microsoft Security
Unlock the full power of Microsoft Security
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
Register
Login
Resources
BLOGS
UPCOMING
MEDIA & ASSETS
NOTICES
HELP
Loading...
Loading...

Trustwave Knowledge Base

Home » Knowledgebase » Legacy Products » Secure Web Gateway » Networking » INFO: Microsoft Windows Update Fails If User...

INFO: Microsoft Windows Update Fails If User Authentication/Identification Is Used

Expand / Collapse
Show/Hide Article Tools


  • Description

    Microsoft Windows Update (although whitelisted) fails if user authentication/identification is used.


  • Symptoms

    In an environment where authentication or identification is defined and a user attempts to use Microsoft/Windows Update site, after selecting the hotfixes to install, the site's control starts running and then reports the installation attempt failed.

     


  • Cause
    Windows Update site use an ActiveX control to query and manage downloads from Microsoft.

    This ActiveX is not a fully functional browser, and so does not handle authentication mechanisms (such as NTLM) correctly.

    The reason that the pages are blocked is because whenever the ActiveX is trying to access the web, the authentication fails and the wrong policy is assigned to the user at hand, in such a case the policy that will be used is the one assigned to Unknown Users.

    If the policy that is assigned to Unknown Users is to block all access to the internet, the ActiveX component will  fail to download updates from the update site.


  • Solution

    Since authentication will not work for the Microsoft/Windows Update site, the following options are availlable::

    1. Grant access to windows update to all machines by assigning a policy with limited access to the Unknown Users  group.
    2. Limit access to Windows Update by a combination of Source IP identification and limited access rules .

    Both solutions will require setting up a security policy rule to whitelist the Microsoft/Windows update site.

    For the following examples, this Security Policy will be referred as “The Restricted SP”.

    This can be an existing Security Policy that will be modified or a new Security Policy that will be created specifically for this solution.

    TIP: To identify the URLs to whitelist, you can find the currently blocked URLs in the Web Logs screen of the Policy Server admin web GUI.

    For more information on how to perform the actions described above, please consult the User Manuals .
     
    Solution 1

    Assign The Restricted SP to the Unknown Users.

    Solution 2

    Limiting access by client IP:

    Since we don’t want to lose the identification by username, we will duplicate and change the current Identification Policy and add a rule at the end to identify by client IP.

    Create a new user or user group which will be assigned The Restricted SP, enter the IP ranges for this user group, or add individual users with specific IP addresses.
    An example is given below, for more information on how to perform these actions, consult the User Manuals.

    1. Go to Users -> Users/User Groups.
    2. Right click on the Users/User Group root and select Add Group.
    3. Name the new group (for example: Windows Update only)
    4. Assign the Restricted SP as the Security Policy.
    5. Assign the Logging Policy and HTTPS Policy according to your organization's requirements.
    6. If an IP range is appropriate, fill the table with the relevant IP address range.
    7. Save the new user group.
    8. Right-Click the new user group and select Add User.
    9. Enter a user name.
    10. Fill the table with the assigned IP addresses for this user.
    11. Save the user.
    12. Repeat steps 8-11 for each user that will use Windows Update.
    13. Commit changes.

    Now when you have the Users and Security Policies setup up you will need to create the appropriate Identification Policy.
    Perform the following steps from the policy server web admin GUI:

    1. Go to Administration -> System Settings -> Finjan Devices.
    2. Browse to the Devices -> IP -> Scanning Server -> Authentication.
    3. Note the assign Identification Policy.
    4. Now that you know what is the current Identification Policy, go to Policies -> Identification.
    5. Right-click on the relevant identification policy (from step 3) and select Duplicate Policy.
    6. Enter the name for the new policy (for example: Get User Credentials or IP).
    7. Right click on the new policy and select Add Rule.
    8. Enter the name for the new Rule: Identify Users by Source IP.
    9. Check the checkbox Enable Rule.
    10. Select the Action: Identify by source IP.
    11. Save the policy.
    12. Go to Administration -> System Settings -> Finjan Devices.
    13. Browse to the Devices -> IP -> Scanning Server -> Authentication and click Edit.
    14. Change the Identification Policy to the new policy created in steps 5-11.
    15. Save and Commit the changes.

    Now you have an identification process that first try to perform an identification/authentication handshake (will work with supported browsers), and if  fails will Identify the client using the Source IP (X-Client-IP HTTP Header).
    If the user is browsing from an IP address assigned to the user group using the Restricted SP then the user will have access to the Microsoft/Windows Update site.

    All other users will be treated as Unknown Users.


  • Software Version
    9.0
    9.2


    • This article applies to:
    NG 5000
    NG 6000
    NG 8000
    This article was previously published as:
    Finjan KB 1833

    To contact Trustwave about this article or to request support:

    Rate this Article:
         

    Add Your Comments


    Comment submission is disabled for anonymous users.
    Please send feedback to Trustwave Technical Support or the Webmaster    .


    Execution: 0.031. 8 queries. Compression Disabled.
    Powered by InstantKB.NET