Blocking incoming/outgoing except MS Updates?


  1. Posts : 420
    Windows 10 1803
       #1



    I have a rig that I use for backups of all my devices, a desktop running Windows 10. What is a way, or the best way, to limit its connectivity to the LAN and to MS Updates, and effectively block everything else? Searching around the web, I see a number of similar queries, but no good answers.

    Perhaps I'd better do it through the router? In this case a Netgear R7000. The 'server' has a static IP...


  2. Posts : 8,057
    windows 10
       #2

    A simple way is to remove the default gateway from the network settings; then nothing can get out. Then use the router CMD to give a route to MS Updates only.


  3. Posts : 822
    Microsoft Windows 10 Pro 64-bit
       #3

    You can do this, but first you will have to find out the correct URLs for Windows Update that you need to add to your HOSTS file. Once you make the changes below you will not have any connectivity except for the entries you add to the HOSTS file.

    I did this on a Win 7 machine, but all versions of Windows should behave the same way; I had to use another OS so I could write this to the forum.

    In my example I only want my computer to connect to example.com, so once I found the IP I did this.

    Open your network adapters and set a static IP with all the correct settings for your subnet.

    In my case it looks like this:
    [image: ipv4.jpg, the adapter's IPv4 settings]

    and set the DNS server to 127.0.0.1; leave the secondary empty.

    Now open your HOSTS file, usually located at C:\Windows\System32\drivers\etc\ (I use Notepad++; it just works without a fuss).

    My edited HOSTS file (I added 93.184.216.34 example.com at the bottom)

    Code:
    # Copyright (c) 1993-2009 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    #      102.54.94.97     rhino.acme.com          # source server
    #       38.25.63.10     x.acme.com              # x client host
    
    # localhost name resolution is handled within DNS itself.
    #    127.0.0.1       localhost
    #    ::1             localhost
    
    93.184.216.34 example.com

    I had to do a bit of command-line foo to get the IP of example.com before I made the changes to the network adapter, using the command nslookup example.com
    Code:
    >nslookup  example.com
    Server:  pi10
    Address:  192.168.200.10
    
    Non-authoritative answer:
    Name:    example.com
    Addresses:  2606:2800:220:1:248:1893:25c8:1946
              93.184.216.34

    After making the above changes you will have to run the command below to flush out your cached DNS entries, or it will take a while for the changes to work
    Code:
    ipconfig /flushdns

    I do not know what URL Microsoft Update uses; you will have to figure that out yourself. DNSQuerySniffer v1.65 from NirSoft may help you with that, or the netstat command.

    Just be aware that this is by no means a secure way to lock down a computer, but for a home user with a computer that friends or family do not tinker with it will be fairly safe.

    Also be aware that Microsoft probably has many thousands of update servers, and at any time the IP you pick may go down unexpectedly.
    Last edited by Digital Life; 02 Jan 2018 at 19:27.


  4. Posts : 822
    Microsoft Windows 10 Pro 64-bit
       #4

    You may be in for a bigger job than you think. I went through my DNS server logs for the last 4 or 5 months and found what I think might be related to Windows Update

    Code:
    000055-1.l.windowsupdate.com
    000092-1.l.windowsupdate.com  ## URLs like these can grow into the 
    000100-1.l.windowsupdate.com  ## millions if they want
    000797-1.l.windowsupdate.com
    000855-1.l.windowsupdate.com
    000e57-1.l.windowsupdate.com
    000eed-1.l.windowsupdate.com
    00108b-1.l.windowsupdate.com
    001194-1.l.windowsupdate.com
    0015fa-1.l.windowsupdate.com
    001a22-1.l.windowsupdate.com
    001a95-1.l.windowsupdate.com
    001d24-1.l.windowsupdate.com
    001d8d-1.l.windowsupdate.com
    001de9-1.l.windowsupdate.com
    00208f-1.l.windowsupdate.com
    0023dc-1.l.windowsupdate.com
    0024ca-1.l.windowsupdate.com
    002545-1.l.windowsupdate.com
    00254c-1.l.windowsupdate.com
    0026a2-1.l.windowsupdate.com  ## End of millions
    
    appexmapsappupdate.blob.core.windows.net
    au.download.windowsupdate.com
    catalog.update.microsoft.com
    ctldl.windowsupdate.com
    definitionupdates.microsoft.com
    download.microsoft.com
    download.windowsupdate.com
    ds.download.windowsupdate.com
    fe2.update.microsoft.com
    sls.update.microsoft.com
    updates.push.services.mozilla.com
    windowsupdate.microsoft.com
    windowsupdate.microsoft.com.local
    www.catalog.update.microsoft.com
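A script that does what posts #3 and #4 describe by hand: pull the queried names out of DNS server logs, separate the hashed `*.l.windowsupdate.com` CDN names (which a HOSTS file cannot pin, since each one is only known once the client asks for it) from the fixed update hosts, and emit HOSTS lines for the pinnable ones. This is an added example, not code from the thread; the log lines are constructed in dnsmasq format using the hostnames posted above, and the resolver is passed in as a function so the script runs offline.

```python
import re
from collections import defaultdict
# Constructed dnsmasq-style query log sample (not from the thread); hostnames reuse those posted above.
SAMPLE_LOG = """\
Jan  2 19:01:02 dnsmasq[871]: query[A] fe2.update.microsoft.com from 192.168.200.50
Jan  2 19:01:03 dnsmasq[871]: query[A] 000055-1.l.windowsupdate.com from 192.168.200.50
Jan  2 19:01:04 dnsmasq[871]: query[A] 0026a2-1.l.windowsupdate.com from 192.168.200.50
Jan  2 19:01:05 dnsmasq[871]: query[AAAA] au.download.windowsupdate.com from 192.168.200.50
Jan  2 19:01:06 dnsmasq[871]: query[A] updates.push.services.mozilla.com from 192.168.200.50
Jan  2 19:01:07 dnsmasq[871]: query[A] www.example.com from 192.168.200.50
"""
QUERY_RE = re.compile(r"query\[[A-Z]+\]\s+(\S+)\s+from\s+(\S+)")
# <hex>-<n>.l.windowsupdate.com names are generated per download, so a HOSTS
# file cannot pin them: the name is not known until the client asks for it.
HASHED_RE = re.compile(r"^[0-9a-f]+-\d+\.l\.windowsupdate\.com$")
# Exact names and suffixes taken from the thread's list of update-related hosts.
UPDATE_EXACT = {"download.microsoft.com", "definitionupdates.microsoft.com",
                "windowsupdate.microsoft.com", "appexmapsappupdate.blob.core.windows.net"}
UPDATE_SUFFIXES = (".windowsupdate.com", ".update.microsoft.com")

def classify(name):
    if HASHED_RE.match(name):
        return "update-hashed"
    if name in UPDATE_EXACT or name.endswith(UPDATE_SUFFIXES):
        return "update-static"
    return "other"

def summarize(log_text):
    """Group queried names by class; hashed CDN names collapse to one wildcard."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        name = m.group(1).lower().rstrip(".")
        cls = classify(name)
        groups[cls].add("*.l.windowsupdate.com" if cls == "update-hashed" else name)
    return {cls: sorted(names) for cls, names in groups.items()}

def hosts_entries(names, resolve):
    """Build 'ip name' HOSTS lines with the given resolver; wildcards cannot be
    expressed in HOSTS, so they are returned separately for a DNS/firewall rule."""
    lines, unpinnable = [], []
    for name in names:
        if name.startswith("*"):
            unpinnable.append(name)
            continue
        lines.extend(f"{ip} {name}" for ip in resolve(name))
    return lines, unpinnable
```

On a real machine, pass a resolver such as `lambda n: [socket.gethostbyname(n)]` and run it before switching the adapter's DNS to 127.0.0.1, since nothing will resolve afterwards.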