Friday, 30 September 2016

Microsoft - How to block/limit Windows Update - it's hard!

If you are performing decryption on your Firewall, you must not decrypt the Microsoft Updates traffic if you wish to allow such traffic.

The older versions of Microsoft Update, AKA Windows Update, did not verify the certificate used to sign communications. The current version does. There is no parity across the Microsoft platforms: Windows 7 verifies less than Windows 10 does. Windows 7's behaviour has changed significantly since it was first released. Windows 10 and Server 2012R2 use URLs that are not used by Windows 7. Just because you get Windows 7 working doesn't mean Server 2012R2 will work too.

The current version of Microsoft Update uses a private signing key. Microsoft began using a root CA which is not trusted by anything other than Microsoft Update. They rotate this key. This service only trusts traffic signed with these keys. This means that the Microsoft Update traffic which is decrypted by the Palo Alto Firewall is rejected by Microsoft Update.

To see if this is happening to you, do this:
(Note: this could be a breaking process. If you update online after never having done so, you get a newer version of the update client. This version adds additional certificate checks which may break future checks.)

  1. Open up your Windows Update screen. One way to do this is: click on Start / Run, type in %windir%\system32\wuauclt.exe /ShowWindowsUpdate and press Enter. The Windows Update screen will display.
  2. Do these next steps even if the screen shows that Windows is up to date, as this indicator is not always correct.
  3. If you have the option, select "Check online for updates from Microsoft Update". If you don't see this, then take whichever option you have to check online for updates. If you check for updates managed by your system administrator then you will not trigger this problem. If you are on a different OS, then take the options on that OS to check online for updates.
  4. Wait for this process to complete. If you have no errors, you might not have this specific problem.
  5. Look at the detailed logs. Click on Start / Run, type in %windir%\notepad.exe and press Enter. Open the file %windir%\windowsupdate.log and look at the bottom of the log file. If you see messages like those below in your log, you likely have this issue.

How do you fix this? Don't decrypt Microsoft Update traffic. How do you do that? It depends on which PAN-OS version you are running, which features you have enabled, which URL filter you may be running and many other factors. What we are doing is we use a local WSUS Microsoft Update server and point all our clients to that. Then that server's IP address is set static, and has a rule which allows all traffic with no decryption.

What does not work?
  • Adding the Microsoft certificate to the Palo Alto Firewall and specifying it as a certificate not to decrypt. The certificates change too frequently.
  • Whitelisting IP addresses from decryption. The DNS for many of these URLs expires in a matter of minutes and changes very frequently. The IP address you receive from DNS is likely not the one the PC next to you will receive.
  • Whitelisting entire netblocks. There are many different netblocks in use. If you go this route, you might as well turn off decryption except for specific sites. This is because you will be whitelisting much more than just Microsoft Update servers.
  • *** This doesn't work: set shared ssl-decrypt ssl-exclude-cert "fe2.update.microsoft.com" , set shared ssl-decrypt ssl-exclude-cert "download.windowsupdate.com" ,
    set shared ssl-decrypt ssl-exclude-cert "ds.download.windowsupdate.com" ... etc. This might work once for you, but it is not a valid fix. There are an enormous number of URLs in use. Microsoft uses many DNS CNAMEs. The FQDN you see might not be the same one the PA detects in use. With SNI commonplace now, this becomes even more true. Currently, my machine is CNAMEing the update URL to fe2.update.microsoft.com.nsatc.net. Microsoft also makes use of generic CDN domains. There are too many of these to whitelist for whitelisting to be a viable option.

I would appreciate Palo Alto Networks creating a document explaining how to create a rule which will detect traffic which is from the Windows Update software, allow it, and not decrypt it. While this might be a catch-22, this issue must be solved.

WARNING: Send failed with hr = 80072f8f.
SendRequest failed with hr = 80072f8f. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
WinHttp: SendRequestUsingProxy failed for <https://fe2.update.microsoft.com/v11/3/win7sp1/windowsupdate/selfupdate/wuident.cab>. error 0x80072f8f
WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072f8f
WinHttp: SendRequestToServerForFileInformation failed with 0x80072f8f
WinHttp: ShouldFileBeDownloaded failed with 0x80072f8f
Library download error. Error 0x80072f8f. Will retry. Retry Counter:0
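The log excerpt above is what step 5 of the procedure tells you to look for. The following Python script is an added example, not code from the original post or from Palo Alto Networks: it scans WindowsUpdate.log text for HRESULTs, counts them, and reports which Windows Update URLs failed with 0x80072f8f. The low 16 bits of that HRESULT (0x2F8F = 12175) are the Win32 code ERROR_INTERNET_SECURE_FAILURE, a TLS/certificate failure, which is why a run of them against update hosts is a useful indicator that the firewall's decryption is interfering. The sample log embeds the post's own lines plus two constructed lines (a timeout error and a benign agent line) to show the parser telling them apart; the host suffix list is taken from the hostnames the post mentions and is an assumption about what counts as an update endpoint.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# HRESULT 0x80072F8F: low 16 bits 0x2F8F = 12175 = ERROR_INTERNET_SECURE_FAILURE
# (WinHTTP could not establish a trusted secure channel).
ERROR_INTERNET_SECURE_FAILURE = 0x80072F8F

# Host suffixes the post names as Windows Update endpoints (assumption: this
# list is illustrative, not Microsoft's complete set). The .nsatc.net entry is
# the CNAME the post's author observed.
UPDATE_HOST_SUFFIXES = (
    "update.microsoft.com",
    "windowsupdate.com",
    "update.microsoft.com.nsatc.net",
)

# Matches the ways WindowsUpdate.log writes an HRESULT:
# "hr = 80072f8f", "error 0x80072f8f", "failed with 0x80072f8f", "Error 0x80072f8f".
_HRESULT_RE = re.compile(
    r"(?:hr\s*=\s*|error\s+|with\s+)(?:0x)?([0-9a-fA-F]{8})\b", re.IGNORECASE
)
# URLs in the log are wrapped in angle brackets.
_URL_RE = re.compile(r"<(https?://[^>\s]+)>")

# Constructed sample: the post's seven lines, then a constructed timeout line
# (0x80072EE2 = ERROR_INTERNET_TIMEOUT) and a constructed benign line.
SAMPLE_LOG = """\
WARNING: Send failed with hr = 80072f8f.
SendRequest failed with hr = 80072f8f. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
WinHttp: SendRequestUsingProxy failed for <https://fe2.update.microsoft.com/v11/3/win7sp1/windowsupdate/selfupdate/wuident.cab>. error 0x80072f8f
WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072f8f
WinHttp: SendRequestToServerForFileInformation failed with 0x80072f8f
WinHttp: ShouldFileBeDownloaded failed with 0x80072f8f
Library download error. Error 0x80072f8f. Will retry. Retry Counter:0
WARNING: Send failed with hr = 80072ee2.
Agent  * Found 0 updates and 0 categories in search
"""


def hresults_in_line(line):
    """Return every 8-hex-digit HRESULT mentioned on the line, as ints."""
    return [int(h, 16) for h in _HRESULT_RE.findall(line)]


def is_update_url(url):
    """True if the URL's host is one of the update host suffixes (or a subdomain)."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in UPDATE_HOST_SUFFIXES)


def analyse_log(log_text):
    """Return (Counter of HRESULT -> occurrences, list of update URLs that
    appear on a line carrying ERROR_INTERNET_SECURE_FAILURE)."""
    counts = Counter()
    failed_urls = []
    for line in log_text.splitlines():
        codes = hresults_in_line(line)
        counts.update(codes)
        if ERROR_INTERNET_SECURE_FAILURE in codes:
            failed_urls.extend(u for u in _URL_RE.findall(line) if is_update_url(u))
    return counts, failed_urls


def looks_like_tls_interception(log_text, min_hits=3):
    """Heuristic for the pattern the post describes: repeated secure-channel
    failures, at least one of them naming a Windows Update host."""
    counts, failed_urls = analyse_log(log_text)
    return counts[ERROR_INTERNET_SECURE_FAILURE] >= min_hits and bool(failed_urls)


if __name__ == "__main__":
    counts, urls = analyse_log(SAMPLE_LOG)
    for code, n in counts.most_common():
        print(f"0x{code:08X}: {n} line(s)")
    print("update URLs failing with secure-channel error:", urls)
    print("looks like TLS interception:", looks_like_tls_interception(SAMPLE_LOG))
```

On a real machine, read %windir%\windowsupdate.log into `analyse_log`; the heuristic threshold `min_hits` is deliberately conservative, since a single 0x80072f8f can also come from a wrong system clock or an expired certificate rather than from a decrypting firewall.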


source: https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Block-Web-Browsing-while-Allowing-Microsoft-Updates/ta-p/58399
