Thread: IIS 5 access times

  1. #1
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325

    IIS 5 access times

    I've been searching for a solution and I can't find one. I know with IIS that you can create access rules based on ip addresses, ip ranges, and domains.

    What I want to do is set permission based on time of day.

    Scenario:

    I have a certain Windows Server Update Services server that I use to deploy updates to a couple of remote offices. Those line speeds are HORRIBLE because that is the only service available in the area. It is good enough for business traffic, but when the workstations start downloading updates, the network chokes.

    I have scheduled those workstations to install updates at night during off peak hours. However, the workstations still download the updates regardless of scheduled install time. I've been having to go in and deny access to the address range and then allow it later in the evening.

    I'd like to do the following:

    1. Deny access to the update server from certain ip ranges during certain hours.

    OR

    2. Create a script of some sort to modify the IIS access rules to allow/deny traffic. Then schedule that script to allow/deny access at different times.

    Can this be done? If so, how?

    I've also thought about running the Windows Update Service as a specific user and denying access to that user during certain hours. I have not tested that and not sure if it'd work. I could then schedule the service to start and stop at certain hours.

    I'd prefer to do this on the server side if possible.

    Any insight or ideas are welcome.

    Thanks in advance.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  2. #2
    Senior Member Aardpsymon's Avatar
    Join Date
    Feb 2007
    Location
    St Annes (aaaa!)
    Posts
    434
    I don't know any way of doing that on a web server, but I do recall that some firewall software/cache software will do that sort of thing. Our squid cache will certainly do that, needs some setting up though.
    If the world doesn't stop annoying me I will name my kids ";DROP DATABASE;" and get revenge.

  3. #3
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    I was considering setting up a spare cisco router that I had laying around and using the Time-Based ACLs on that. Unfortunately, the only spare cisco router that I have at the time is a personal one. If worse comes to worse, I'll donate it for a couple of months until they get their scheduled line upgrades. (I can't wait!)

    That brings me to another thought... I have that specific WSUS server running in VMWare. I might be able to create another VMware session of a linux server (ipcop maybe?) and use the iptables time rules... It's more work than I had originally wanted... but not too bad.

    http://www.cyberciti.biz/tips/iptabl...me-of-day.html
    http://www.cisco.com/en/US/products/...basedtimerange

    Ahha! Maybe use IPCop with the "BlockOutTraffic" or BOT add on...
    http://www.ipcop.org
    http://blockouttraffic.de/

    If m$ were not so restrictive on their licensing... I'd just copy the WSUS to another VMware session and give it a different server name, point the clients to that just run that during the hours I want... but I won't be able to get authorization to spend the $ on another m$ server license at this time.

    I was hoping for a "quick fix".... I wasn't really looking for "work" on Friday...
    Last edited by phishphreek; March 16th, 2007 at 01:31 PM.
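The iptables time-rule idea from post #3, as an added example that is not part of the original thread: a dry-run script that prints one REJECT rule per remote-office range for the blocked hours, splitting any window that crosses midnight. The server address, port 80, office ranges, hours, function names and the assumption that the Linux VM forwards traffic to the WSUS server are all constructed for illustration.

```shell
#!/bin/sh
# Dry run: prints the iptables commands; review, then pipe to `sh` as root.
# Addresses, port and hours below are constructed sample values.
# Note: the iptables time match compares against UTC unless --kerneltz is added.

# to_min HH:MM -> minutes since midnight; fails on a malformed time.
to_min() {
    case "$1" in
        [01][0-9]:[0-5][0-9]|2[0-3]:[0-5][0-9]) ;;
        *) return 1 ;;
    esac
    h=${1%:*}; m=${1#*:}
    echo $(( ${h#0} * 60 + ${m#0} ))   # strip a leading 0 so 08/09 are not octal
}

# emit_rule SRC_CIDR SERVER PORT START STOP -> one REJECT rule for that window.
emit_rule() {
    echo "iptables -A FORWARD -s $1 -d $2 -p tcp --dport $3" \
         "-m time --timestart $4 --timestop $5" \
         "-j REJECT --reject-with tcp-reset"
}

# wsus_block_rules SERVER PORT START STOP CIDR... (START..STOP = blocked hours)
wsus_block_rules() {
    server=$1; port=$2; start=$3; stop=$4; shift 4
    s=$(to_min "$start") || { echo "bad start time: $start" >&2; return 1; }
    e=$(to_min "$stop")  || { echo "bad stop time: $stop" >&2; return 1; }
    [ "$s" -ne "$e" ] || { echo "empty time window" >&2; return 1; }
    for cidr in "$@"; do
        if [ "$s" -lt "$e" ]; then
            emit_rule "$cidr" "$server" "$port" "$start" "$stop"
        else
            # Window crosses midnight: emit two same-day rules so the result
            # does not depend on how the time match treats start > stop.
            emit_rule "$cidr" "$server" "$port" "$start" "23:59:59"
            emit_rule "$cidr" "$server" "$port" "00:00" "$stop"
        fi
    done
}

# Sample: block two office ranges from the update server between 06:00 and 20:00.
wsus_block_rules 10.0.0.10 80 06:00 20:00 10.1.0.0/24 10.2.0.0/24
```

REJECT with a TCP reset makes the clients fail fast and retry later instead of hanging on dropped packets during the blocked hours.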

  4. #4
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    I know it doesn't really answer the initial question but that is one of the main reasons that I really don't like WUS/SUS... SMS is by far a better package for managing distribution of updates to workstations in various geographical regions and at different times. You can control when the advertisements go to the PCs to start downloading the patches, and you can schedule when the patches will actually kick off and start to install.

    Free does not always mean good. Even though the GNU people will argue that with you.
