Solved

Users/Clients communicating with www.download.windowsupdate.com even though policy points them at WSUS server

Posted on 2012-03-15
Last Modified: 2012-03-16
Recently we configured a new Sonicwall NSA device which allows us to monitor our Internet traffic in more detail.

One of the things I have noticed is that quite frequently our users are communicating with the Windows update website at www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

We have in place a policy to force the clients to get updates from our local WSUS server, so I am not sure why this is happening.

Fortunately the Sonicwall device is blocking access to the website, but my concern is that the client PCs are attempting to connect/download/install the updates in the background when the user is not logged on.

(It is important that we control Windows updates ourselves)

example of sonicwall message
Question by:stalbansschool

Author Comment

by:stalbansschool
ID: 37724000
I think I have half answered this question myself with a little more research.

I now see that www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab points to Microsoft's Certificate Trust List.

Are people able to provide me with a bit more information about this file?  

What is invoking the download of this file?

Do my users need to access this link to download it?  (currently if I log on as a user and go directly to this link it is blocked by our sonicwall device)

Accepted Solution

by:
Jian An Lim earned 500 total points
ID: 37726827
This behavior can occur if the Update Root Certificates component is turned on and the computer cannot connect to the Windows Update server on the Internet. The Update Root Certificates component automatically updates trusted root-certificate authorities from the Microsoft Update server at regular intervals.

To resolve this behavior, you must connect to the Internet or turn off the Update Root Certificates component. To turn off the Update Root Certificates component, follow these steps:
1. In Control Panel, double-click Add/Remove Programs.
2. Click Add/Remove Windows Components.
3. Click to clear the Update Root Certificates check box, and then continue with the Windows Components Wizard.

Or, by using a GPO, turn off the option:
Computer Configuration – Administrative Templates – System – Internet Communication Settings
"Turn off Automatic Root Certificates Update"
But consider the problems of not updating your CAs.

WSUS does have (double check, as my memory is starting to fade) a root cert update:
Update for Root Certificates for Windows XP and Windows 7 (KB931125) (2 separate updates)
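
An added example, not part of the original answer: a small triage of firewall log lines that separates requests for the certificate trust list path quoted in the question from any other windowsupdate.com request, so clients that only fetch the trust list can be told apart from clients that need a closer look. The log line format, the sample lines and the category names are assumptions made for this example, not SonicWall's real export format.

```python
import posixpath
from collections import Counter
from urllib.parse import unquote, urlsplit

# Directory of the certificate trust list URL quoted in the question.
CTL_DIR = "/msdownload/update/v3/static/trustedr"

# Constructed sample lines (assumed format: timestamp client action url).
SAMPLE_LOG = """\
2012-03-15T09:01:12 10.0.4.21 BLOCK www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
2012-03-15T09:01:40 10.0.4.22 BLOCK http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
2012-03-15T09:03:05 10.0.4.21 BLOCK http://www.download.windowsupdate.com/msdownload/update/software/example.cab
2012-03-15T09:04:17 10.0.4.23 ALLOW http://www.download.windowsupdate.com.example.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab
2012-03-15T09:05:30 10.0.4.22 BLOCK http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/../../../software/example.cab
"""

def classify(url):
    """Return 'root-cert-update', 'other-windowsupdate' or 'unrelated'."""
    if "://" not in url:
        url = "http://" + url  # firewall logs often omit the scheme
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host != "windowsupdate.com" and not host.endswith(".windowsupdate.com"):
        return "unrelated"  # also rejects look-alike hosts
    # Decode and normalise so "../" segments cannot fake the CTL prefix.
    path = posixpath.normpath(unquote(parts.path) or "/").lower()
    if path.startswith(CTL_DIR + "/"):
        return "root-cert-update"
    return "other-windowsupdate"

def summarize(log_text):
    """Map each client IP to a Counter of request categories."""
    per_client = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip blank or malformed lines
        _ts, client, _action, url = fields
        per_client.setdefault(client, Counter())[classify(url)] += 1
    return per_client

def clients_needing_review(log_text):
    """Clients that requested windowsupdate.com content other than the CTL."""
    return sorted(client for client, counts in summarize(log_text).items()
                  if counts["other-windowsupdate"])

if __name__ == "__main__":
    for client, counts in sorted(summarize(SAMPLE_LOG).items()):
        print(client, dict(counts))
    print("review:", clients_needing_review(SAMPLE_LOG))
```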

Author Comment

by:stalbansschool
ID: 37728952
Great, thank you for your comment.

So please can I just confirm, if I switch off this option using GPO, WSUS should handle the update?

What invokes this behaviour?  Is it when the user opens Internet Explorer?

Is there any harm in unblocking access to this website?

Expert Comment

by:Jian An Lim
ID: 37728964
Again, Microsoft designed it to download every couple of days just in case WSUS does not kick in.
It is designed to work even without WSUS.

So if you have WSUS, then that download becomes redundant because you always keep your root certs up to date (that is, if you really do that).

Author Comment

by:stalbansschool
ID: 37728980
great answer, thank you very much

Author Closing Comment

by:stalbansschool
ID: 37728982
perfect answer, explained excellently