WSUS updates question

    Question

  • We have a lot of our clients automatically going to the sites javadl-esd-secure.oracle.com and ctldl.windowsupdate.com and eating up connections on our proxy appliance, causing some major issues. I know these two sites are used by IE to check for revoked certificates. I would like to block the sites, but was wondering if the root authority Windows updates for certificates contain all new certificates and revoked certificates, or just new certificates?

    Or what happens if I disable the IE Advanced tab setting and uncheck the revoked certificates option? Would that reduce the connections to the two sites above? Is there a certificate revocation list we can download monthly from Microsoft and install on all workstations using Group Policy?

    Friday, July 19, 2013 02:08


All Replies

  • We have a lot of our clients automatically going to the sites javadl-esd-secure.oracle.com and ctldl.windowsupdate.com and eating up connections on our proxy appliance, causing some major issues. I know these two sites are used by IE to check for revoked certificates. I would like to block the sites, but was wondering if the root authority Windows updates for certificates contain all new certificates and revoked certificates, or just new certificates?

    Or what happens if I disable the IE Advanced tab setting and uncheck the revoked certificates option? Would that reduce the connections to the two sites above? Is there a certificate revocation list we can download monthly from Microsoft and install on all workstations using Group Policy?

    I would think that blocking certificate revocation sites is a very bad idea. Furthermore, I'm quite intrigued with the idea that checking for a certificate revocation is "eating up connections ... causing ... major issues". Also, you'd think that since the content on the revocation site probably doesn't change that often ... it ought to be getting cached in your proxy appliance. I'd be more concerned with why the content isn't cached, rather than shutting down the multitudes of clients that are being forced past the proxy server to get the revocation list.

    What happens if you disable the certificate revocation functionality? Quite possibly your clients fail to recognize that they have a compromised certificate, and they get infected themselves. Researching why this new methodology is in place may shed some important understanding on the matter.

    KB931125 may or may not contain certificate revocation lists, but as far as Microsoft is concerned (and apparently Oracle, as well), CRLs are deprecated and no longer being used to revoke current certificates. If a machine connects to the Internet, it needs to be able to query for revocations; if a machine does not connect to the Internet, the cert revocations are probably irrelevant.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2013)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Friday, July 19, 2013 13:46
    Moderator
  • Can you just not create a rule not to log such sites, if that's what you mean? I have a similar issue; we use TMG and have rules not to log certain unnecessary sites.
    Friday, July 19, 2013 15:14
  • It is not the fact that it logs the site; the main issue is that our web appliance is only able to handle about 300 web requests per x amount of seconds, and it is going over that, causing the system to be dramatically slow at times.

    We investigated the issue, and it is people's Windows 7 workstations hitting the Windows Update website multiple times a day for some reason, when they are all set up to go through the WSUS server to receive Windows updates. So why would client workstations randomly be going to the ctldl.windowsupdate.com and windowsupdates.com websites multiple times a day?

    Friday, July 19, 2013 16:28
  • We investigated the issue, and it is people's Windows 7 workstations hitting the Windows Update website multiple times a day for some reason, when they are all set up to go through the WSUS server to receive Windows updates. So why would client workstations randomly be going to the ctldl.windowsupdate.com and windowsupdates.com websites multiple times a day?

    So, the first thing would be to confirm that these clients really ARE configured to use a local WSUS server. Reviewing the WindowsUpdate.log to confirm that the connection requests are not directly a result of Windows Update activity would be a good starting point.

    Second, to understand that there are many things that leverage the Windows Update Agent and would normally get updates direct from Microsoft, not WSUS, unless WSUS is properly configured to provide them. The most likely cause here is Definition Updates for Windows Defender.

    A third thing I would speculate is that if the connection attempts are happening multiple times a day, that perhaps the connection attempts are actually *failing*, which is why they continue.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2013)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Friday, July 19, 2013 17:35
    Moderator
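The first two checks in the answer above (is the client really pointed at WSUS, and does WindowsUpdate.log explain the requests the proxy sees) can be scripted; the following is an added example written for this thread, not code posted by anyone in it. It assumes the standard WSUS client policy registry values (WUServer, UseWUServer) and the Windows 7 default log path, reads the Automatic Root Certificate Update policy value as an extra data point, and treats the host list as constructed from the hosts named in the thread.

```powershell
# Added example: report WSUS client configuration and pull the log lines that
# would explain repeated trips to Windows Update / CTL hosts.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = Join-Path $PolicyKey 'AU'
# Policy behind automatic root certificate (CTL) updates; read only, never changed here.
$AuthRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$LogPath   = Join-Path $env:windir 'WindowsUpdate.log'   # Windows 7 default location
# Constructed list: the hosts the original poster saw on the proxy.
$Hosts     = @('ctldl.windowsupdate.com', 'windowsupdate.com', 'javadl-esd-secure.oracle.com')

function Get-WsusClientConfig {
    $wuServer    = (Get-ItemProperty -Path $PolicyKey -Name WUServer    -ErrorAction SilentlyContinue).WUServer
    $useWuServer = (Get-ItemProperty -Path $AuKey     -Name UseWUServer -ErrorAction SilentlyContinue).UseWUServer
    $rootUpdOff  = (Get-ItemProperty -Path $AuthRoot  -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue).DisableRootAutoUpdate
    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        WUServer                = $wuServer
        UseWUServer             = $useWuServer
        # Only true when the policy both names a server and tells the agent to use it.
        UsesWsus                = ($useWuServer -eq 1 -and -not [string]::IsNullOrEmpty($wuServer))
        RootAutoUpdateDisabled  = ($rootUpdOff -eq 1)
    }
}

function Get-SuspectLogLines {
    param([string]$Path = $LogPath, [string[]]$HostList = $Hosts, [int]$Last = 50)
    if (-not (Test-Path $Path)) { return @() }
    $hostPattern = ($HostList | ForEach-Object { [regex]::Escape($_) }) -join '|'
    # Host matches show whether the Windows Update Agent itself produced the traffic;
    # 'failed' and 0x8024xxxx / 0x8007xxxx codes support the "retrying because it fails" theory.
    $errorPattern = 'failed|0x8024[0-9A-Fa-f]{4}|0x8007[0-9A-Fa-f]{4}'
    Get-Content -Path $Path |
        Where-Object { $_ -match $hostPattern -or $_ -match $errorPattern } |
        Select-Object -Last $Last
}

Get-WsusClientConfig | Format-List
Get-SuspectLogLines
```

Run it on a few of the affected workstations; a client that reports UsesWsus as False, or whose log shows repeated failed requests, points at the cause the answer suspects.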