Microsoft Windows Update Fails If User Authentication/Identification Is Used


  • Description

    Microsoft Windows Update fails if user authentication/identification is used, even though the Windows Update site is whitelisted.


  • Symptoms

    In an environment where authentication or identification is defined and a user attempts to use the Microsoft/Windows Update site, after the user selects the hotfixes to install, the site's control starts running and then reports that the installation attempt failed.



  • Cause
    The Windows Update site uses an ActiveX control to query and manage downloads from Microsoft.

    This ActiveX control is not a fully functional browser, so it does not handle authentication mechanisms (such as NTLM) correctly.

    The pages are blocked because whenever the ActiveX control tries to access the web, authentication fails and the wrong policy is assigned to the user: in that case the policy applied is the one assigned to Unknown Users.

    If the policy assigned to Unknown Users blocks all access to the internet, the ActiveX control will fail to download updates from the update site.


  • Solution

    Since authentication will not work for the Microsoft/Windows Update site, the following options are available:

    1. Grant access to Windows Update to all machines by assigning a policy with limited access to the Unknown Users group.
    2. Limit access to Windows Update by a combination of Source IP identification and limited access rules.

    Both solutions require setting up a security policy rule that whitelists the Microsoft/Windows Update site.

    For the following examples, this Security Policy will be referred to as “The Restricted SP”.

    This can be an existing Security Policy that will be modified or a new Security Policy that will be created specifically for this solution.

    TIP: To identify the URLs to whitelist, you can find the currently blocked URLs in the Web Logs screen of the Policy Server admin web GUI.

    For more information on how to perform the actions described above, please consult the User Manuals.
    Solution 1

    Assign The Restricted SP to the Unknown Users group.

    Solution 2

    Limiting access by client IP:

    Since we do not want to lose identification by username, we will duplicate the current Identification Policy, modify the copy, and add a rule at the end that identifies by client IP.

    Create a new user or user group that will be assigned The Restricted SP, and enter the IP ranges for this user group, or add individual users with specific IP addresses.
    An example is given below; for more information on how to perform these actions, consult the User Manuals.

    1. Go to Users -> Users/User Groups.
    2. Right click on the Users/User Group root and select Add Group.
    3. Name the new group (for example: Windows Update only).
    4. Assign the Restricted SP as the Security Policy.
    5. Assign the Logging Policy and HTTPS Policy according to your organization's requirements.
    6. If an IP range is appropriate, fill the table with the relevant IP address range.
    7. Save the new user group.
    8. Right-Click the new user group and select Add User.
    9. Enter a user name.
    10. Fill the table with the assigned IP addresses for this user.
    11. Save the user.
    12. Repeat steps 8-11 for each user that will use Windows Update.
    13. Commit changes.

    Now that you have the Users and Security Policies set up, you will need to create the appropriate Identification Policy.
    Perform the following steps from the Policy Server web admin GUI:

    1. Go to Administration -> System Settings -> Finjan Devices.
    2. Browse to the Devices -> IP -> Scanning Server -> Authentication.
    3. Note the assigned Identification Policy.
    4. Now that you know what the current Identification Policy is, go to Policies -> Identification.
    5. Right-click on the relevant identification policy (from step 3) and select Duplicate Policy.
    6. Enter the name for the new policy (for example: Get User Credentials or IP).
    7. Right click on the new policy and select Add Rule.
    8. Enter the name for the new Rule: Identify Users by Source IP.
    9. Check the checkbox Enable Rule.
    10. Select the Action: Identify by source IP.
    11. Save the policy.
    12. Go to Administration -> System Settings -> Finjan Devices.
    13. Browse to the Devices -> IP -> Scanning Server -> Authentication and click Edit.
    14. Change the Identification Policy to the new policy created in steps 5-11.
    15. Save and Commit the changes.

    Now you have an identification process that first tries to perform an identification/authentication handshake (this works with supported browsers) and, if that fails, identifies the client by its Source IP (the X-Client-IP HTTP header).
    If the user is browsing from an IP address assigned to the user group that uses The Restricted SP, the user will have access to the Microsoft/Windows Update site.

    All other users will be treated as Unknown Users.
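    To make the identification chain above concrete, here is an added model of how a request ends up with a Security Policy before and after the "Identify by source IP" rule is added. It is example code written for this article, not Finjan/Trustwave code; the IP range, the update hostname and the policy names other than "The Restricted SP" and Unknown Users are constructed placeholders.

```python
import ipaddress

# Constructed placeholders (not from the article): the IP range entered for the
# "Windows Update only" user group, and the hostname whitelisted by The Restricted SP.
WINDOWS_UPDATE_GROUP_RANGES = [ipaddress.ip_network("10.1.20.0/24")]
RESTRICTED_SP_WHITELIST = {"windowsupdate.example.com"}

# Each Security Policy decides whether a given host may be reached.
SECURITY_POLICIES = {
    "The Restricted SP": lambda host: host in RESTRICTED_SP_WHITELIST,
    "Unknown Users SP": lambda host: False,   # blocks all internet access
    "Full Access SP": lambda host: True,      # constructed policy for authenticated staff
}


def identify(request, identify_by_source_ip):
    """Walk the Identification Policy rules for one request.

    request is a dict with 'host', 'client_ip' (value of the X-Client-IP header)
    and an optional 'authenticated_user' set only when the NTLM handshake
    completed. The ActiveX control never completes it, so that key is absent.
    Returns (user, security_policy_name)."""
    # Rule 1: the authentication handshake (works for supported browsers).
    if request.get("authenticated_user"):
        return request["authenticated_user"], "Full Access SP"
    # Rule 2 (only present in the duplicated policy): identify by source IP.
    if identify_by_source_ip:
        client_ip = ipaddress.ip_address(request["client_ip"])
        if any(client_ip in net for net in WINDOWS_UPDATE_GROUP_RANGES):
            return "Windows Update only", "The Restricted SP"
    # No rule matched: the Unknown Users policy applies.
    return "Unknown Users", "Unknown Users SP"


def is_allowed(request, identify_by_source_ip):
    """Apply the Security Policy selected by identify() to the request's host."""
    _user, policy = identify(request, identify_by_source_ip)
    return SECURITY_POLICIES[policy](request["host"])


# Constructed sample: the ActiveX control on a machine inside the group's range.
ACTIVEX_UPDATE_REQUEST = {"host": "windowsupdate.example.com", "client_ip": "10.1.20.7"}
```

    With the original policy the ActiveX request lands on Unknown Users and is blocked; with the source-IP rule the same request is matched to the group, receives The Restricted SP, and only the whitelisted host is allowed.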


  • Software Version
    9.0
    9.2


  • This article applies to:
    NG 5000
    NG 6000
    NG 8000
    This article was previously published as:
    Finjan KB 1833

    Last Modified 7/29/2009.
    https://support.trustwave.com/kb/KnowledgebaseArticle13568.aspx