How to block ALL MS IP ADDRESSES???

[microsoftsucks6662002]

Anyone know how I can get a list of all the
IP address ranges MS owns, including Passport
addresses???

I want to set up our company router to block
all traffic to and from those addresses.

I know whois returns some DNS info, but how
can I find the class A range etc the MS owns?

[voidmain]

www.arin.net can get you a list of address blocks that MS owns (and you know where to look in www.netcraft.com you can use that info in combination with www.arin.net to help in your search).  That probably will not get you the detail broken down on what Passport servers are assinged.  The best way is to just do an "nslookup" for whatever server you want the IP address for, then plug that number into www.arin.net and get the IP block owner.

[iancom]

I'm more concerned about allowing the use of MS Passport services to become prevalent amongst our user base... there are too many 'legitimate' reasons that Microsoft sites would still need to be accessed by some users - particularly poor first/second line support people who have to trawl through the 'knowledge' base attempting to find out how to fix the desktop PC's (usually unsuccessfully - REBOOT!).

I've got the following on our IPCHAINS based firewall:

ipchains -A input -p tcp -d 65.52.0.0/13 --dport 443 -j DENY
ipchains -A input -p tcp -d 64.4.0.0/17 --dport 443 -j DENY

This permits all normal http traffic to Microsoft sites but will not allow (as far as I'm aware) any user to log on to or sign up for a Passport account.

Of course the more people that do this the more Microsoft will try and counter it by changing their IP ranges as often as possible (a moving target is harder to hit...) in the same way the doubleclick.net already seem to do. You'll have to keep a close eye on what ranges they're currently using to keep it effective.

I usually don't subscribe to this method of boycotting - basically it should be the END-USER's choice to avoid using the service. This is the sort of trick that Microsoft would try - remember recently they briefly experimented with locking all MSN sites down so they could only be accessed with IE?

However, I really do see Passport as a major threat to security, privacy and portability and want to avoid as far as possible allowing my users to become dependent upon 'services' such as this.

Anyone else have any thoughts on this method of boycotting?

[voidmain]

Heh heh, that's clever, no SSL to MS.  Hey, an easier way is to do it based on name, but that would require you to run a proxy server (Squid) and run all your people through the proxy.  You can restrict access to passport.microsoft.com (if that's what it's called).  I force all my home PCs to go through squid by restricting all outbound port 80 traffic at my firewall box (using ipchains).  Only allow port 80 traffic from the Squid proxy.

[iancom]

I thought about doing it through Squid (I've already got a Squid cache running though it's not set up as transparent) but this method was easier to implement, if not to maintain and has the added advantage that it doesn't come back immediately with any error reports... it just hangs there and eventually comes back with a browser 'site unavailable' or similar.

Not that I would ever outright lie to my users but at least to start with, most simply assume that M$'s server's are down. Makes it that much more likely that they will will not complain to me but switch to another non-MS service for webmail etc and also then use that at home.

On another Passport related note, I was until recently on this awful Technet mailing list from M$  (since beta-testing ME. I know. Sorry.) and to unsubscribe yourself from the list you are directed to a M$ webpage where YOU MUST GET A PASSPORT ID TO UNSUBSCRIBE!

They do provide a secondary email method of unsubscribing, I'm not accusing them of spamming... but this does go to show the extent they are going to to make sure that they get everyone they can signed up to Passport whether they like it or not.

Did anyone else notice that it's incredibly difficult to disable Messenger on XP without signing up for Passport? (And we all saw last week just how secure that turned out to be.)

Let's hope the general public wake up to the dangers presented by this before it's too late.

[voidmain]

Heh heh, I was on a similar mailing list from them and ended up sending a message to their customer support email address stating that if they didn't take my fucking name out of their database and remove me from all their mailing lists I was going to sue them.  It's amazing how fast I got a reply from customer support and how quickly the emails stopped.