North American Network Operators Group

Re: FBI tells the public to call their ISP for help
On Thu, 14 Jun 2007, Jack Bates wrote:
> May I recommend developing an in-house method for allowing the customer only access to your servers (web, dns, proxy, etc), and then apply filters for everything else except for tcp/80. If you wanted to be additionally paranoid, you could even allow only established tcp/80 connections back to the customer.

I went down that road several times, and there are many issues with what you have described which won't work for how Microsoft distributes its updates and patches; and with the user. Microsoft has enabled Windows with enough features that users can infect their machine with only TCP/80.

Please review the archives for details from several years ago, and at some point you will end up needing to violate the written Microsoft licenses. It's not a technical problem (although engineers seem to like to think everything is), it's a legal issue with Microsoft's lawyer and licenses.