We are trying to figure out how to prevent web proxy clients from sharing their web access to unauthorized users. Basically, unauthorized users are using a web proxy client computer connected to the ISA server as their gateway to the internet. Is there any way to prevent this? Is there a way to obtain the IP addresses of the unauthorized users connecting to the web proxy client?
From: Lebanese in Kuwait
unauthorized users are using a web proxy client computer connected to the ISA server as their gateway to the internet
Hi, read this first to know the difference between ISA Server clients:
The SecureNET (SecureNAT) client: A SecureNET client is a machine configured with a default gateway address that allows Internet-bound requests to pass through the ISA Firewall. If the SecureNET client is located on the same subnet as the ISA Firewall, then the default gateway address will be the IP address of the ISA Firewall’s interface on the same network ID as the client. If the clients are on a remote subnet from the ISA Firewall, then the IP address will be a router interface address that will route outbound requests through the ISA Firewall. While the “official” name in the ISA Firewall documentation is SecureNAT client, it is more accurately referred to as a SecureNET client because the Network Rule defining the connection between a source and destination network does not have to be a NAT relationship; it could be a Route relationship.
The Firewall Client: The Firewall client is a piece of software that must be installed on the client operating systems (the Firewall client should not be installed on server operating systems and never on the ISA Firewall itself). The Firewall client is a generic Winsock proxy client that intercepts Winsock application network calls and forwards them (remotes them) directly to the ISA Firewall. This makes the Firewall client transparent to the network routing infrastructure, so it does not depend on the default gateway or route-of-last-resort configuration on network routers. The only network infrastructure requirement is that the clients have a route to the IP address of the ISA Firewall closest to the client. The Firewall client also enables user authentication for access control and supports secondary connections for complex protocols when there is no Application Filter to provide that support. In contrast, SecureNET clients must have an Application Filter in place to support complex protocols that may require multiple primary and secondary connections.
The Web Proxy Client: The Web proxy client is a machine that has its browser configured to use the ISA Firewall as its Web proxy device. Browser configuration can be done manually, or can be automated using the WPAD protocol and WPAD entries in DHCP and/or DNS. The Web proxy client configuration supports only HTTP, HTTPS and HTTP-tunneled FTP requests, and does not support FTP upload, only FTP download. Web proxy clients can authenticate with the ISA Firewall, in contrast to SecureNET clients, which cannot authenticate with the ISA Firewall.
Web proxy clients. We use DHCP and the default gateway is different on each floor in our organization.
Here's the thing. A computer (web proxy client), which is given access to the internet, is running a third party proxy service. Since the web proxy client has a local proxy service running, unauthorized users can connect to the internet through the web proxy client. So basically, the web proxy client serves as the gateway of unauthorized users to the internet. They do not connect directly to the ISA server, they connect to the computer with internet access and proxy service.
Basically, unauthorized users are using a web proxy client computer connected to the ISA server as their gateway to the internet. Is there any way to prevent this?
Yes, but this is not a technical but rather a managerial task. All the employees in your company should be strongly advised against allowing others (colleagues and/or friends) to use any corporate resources under their credentials. Everyone should be warned that they may be held to account for breaking the company's IT security measures. Everyone should be aware that it is prohibited to:
1. Hand over your personal login and password to other people.
2. Allow others to work on your computer under your security context. Before leaving your workplace you should lock the PC console or log off completely from your PC.
3. Install any unapproved software on your computer, including software that fools and/or breaks the company's IT security mechanisms.
Ask your company's management for support; it's easy to get when you tell them the risks of breaking or losing valuable information. Unfortunately, it's not so easy to keep your network environment under control. The average PC user usually actively resists any attempt to tighten the screws. It's an endless and bloody war.
Technically, it's possible to prevent users from installing unwanted programs by applying restrictive group policy and limiting users' rights on the local machine. But this is not as easy as configuring "just another deny rule" on a border firewall and may have some side effects.
Is there a way to obtain the IP addresses of the unauthorized users connecting to the web proxy client?
"Anonymizer" is the second name of a proxy service. It is the nature of proxying to hide the actual client address from the requested destination. As a matter of fact, no upstream proxy server is able to distinguish between requests from a common web proxy client and from a downstream proxy server. In your case that means the ISA server has no way to tell whether a particular request came from the legitimate web proxy client or from an unauthorized "client of a client".
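The ISA log only ever records the web proxy client's own address, as the reply above explains, but the workstation that runs the third-party proxy service has the real peer addresses in its own TCP connection table. The script below, an added example that is not part of the forum thread, parses `netstat -ano` output (the Windows format) and lists, for every port the workstation is listening on, the remote addresses that currently have a connection into it. The sample netstat text is constructed; the listening port 8080, the PID values and the 10.1.x.x addresses in it are assumptions for illustration, and the machine's own outbound session to the ISA server (local port 49712 to 10.1.1.2:8080) is included to show that only inbound connections to listening ports are reported.

```python
"""Find who is using a workstation's proxy service from its own TCP table.

Added example, not code from the forum thread. Parses `netstat -ano`
output as produced on Windows. Sample text below is constructed; the
port, PID and address values in it are assumptions for illustration.
"""
import re
import subprocess
import sys

# Constructed `netstat -ano` output from a workstation (10.1.3.25) that
# runs a third-party proxy on TCP 8080 as PID 1234 (assumed values).
SAMPLE_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       1234
  TCP    10.1.3.25:8080         10.1.4.17:51022        ESTABLISHED     1234
  TCP    10.1.3.25:8080         10.1.4.17:51023        ESTABLISHED     1234
  TCP    10.1.3.25:8080         10.1.5.90:40110        ESTABLISHED     1234
  TCP    10.1.3.25:8080         10.1.5.90:40111        TIME_WAIT       0
  TCP    10.1.3.25:49712        10.1.1.2:8080          ESTABLISHED     3412
  TCP    127.0.0.1:8080         127.0.0.1:52000        ESTABLISHED     1234
  UDP    0.0.0.0:500            *:*                                    1040
"""

# One TCP row: proto, local addr:port, remote addr:port, state, pid.
LINE_RE = re.compile(
    r"^\s*TCP\s+(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<raddr>\S+):(?P<rport>\d+)"
    r"\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$"
)


def parse_netstat(text):
    """Yield one dict per TCP line of `netstat -ano` output (UDP and header lines are skipped)."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            row = m.groupdict()
            for key in ("lport", "rport", "pid"):
                row[key] = int(row[key])
            yield row


def find_proxy_peers(text, ignore_loopback=True):
    """Map each LISTENING port to the remote hosts connected into it.

    Returns {port: {"pid": owning_pid, "peers": {remote_ip, ...}}}.
    Only ports that are LISTENING on this host count, so the machine's own
    outbound sessions (e.g. its browser talking to the ISA server) are not
    mistaken for clients. Loopback peers are dropped by default because they
    are the workstation's own browser, not an unauthorized user.
    """
    rows = list(parse_netstat(text))
    listening = {r["lport"]: r["pid"] for r in rows if r["state"] == "LISTENING"}
    result = {}
    for r in rows:
        if r["state"] != "ESTABLISHED" or r["lport"] not in listening:
            continue
        if ignore_loopback and r["raddr"].startswith("127."):
            continue
        entry = result.setdefault(r["lport"], {"pid": listening[r["lport"]], "peers": set()})
        entry["peers"].add(r["raddr"])
    return result


def collect_live():
    """Run `netstat -ano` on this host (meant for the Windows workstation itself)."""
    return subprocess.run(["netstat", "-ano"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    text = collect_live() if "--live" in sys.argv else SAMPLE_NETSTAT
    for port, info in sorted(find_proxy_peers(text).items()):
        print(f"port {port} (PID {info['pid']}): {', '.join(sorted(info['peers']))}")
```

Run without arguments it reports on the constructed sample (`port 8080 (PID 1234): 10.1.4.17, 10.1.5.90`); run with `--live` on the suspect workstation it reports on the real table. The PID it prints can be matched to the proxy executable with `tasklist /fi "PID eq 1234"`. Note that this shows only connections open at the moment netstat runs, so it has to be repeated or scheduled to catch intermittent users, and it reports every inbound connection to any listening port, so file-sharing or remote-administration sessions will appear alongside the proxy's clients.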
From: MICHIGAN, US
Personally... aklimkin is right. I would close ANY of those back doors. In my company...if you are not going through ISA...you are not getting out. It makes tracking down both performance and most of all security issues much easier. Not only that but if you have a compromised workstation what is really stopping it from using your network to propagate?
Also, I would seriously start doing some network research and turn on the Windows firewall. Look into configuring it via your AD group policies if available. You should be able to block Internet Connection Sharing and some of your other "malicious" activity. As always...test before you roll it out to everybody.
< Message edited by jmilito -- 1.Jul.2007 9:10:37 PM >