Chapter 3.0
One of the very first things that a manager will ask you to do is to restrict the Internet for some or all users. The range of options is quite staggering.
A Quick Option 1
A quick and easy way to do some Internet filtering and reporting is to use OpenDNS. http://www.opendns.com/
You create an OpenDNS account and then point your DNS server to use it.
Quick Option 2
Use a hosts file to block unwanted domains.
Semi-Quick Option 3
If you have a one-user-to-one-computer setup you could use IPsec to block all but LAN traffic, or to allow only a few sites through.
http://www.petri.co.il/block_internet_but_allow_intranet_with_ipsec.htm
Semi-Quick Option 5
I ran across this once and then spent a long time trying to find it again for this Chapter, so here it is
https://www.moonlightdesign.org/urllock/Main_Page
This installs itself as a Browser Helper Object and can be installed and configured through Active Directory.
https://www.moonlightdesign.org/urllock/Active_Directory_network_deployment
Semi-Quick Option 6: use a PAC file
http://www.ericphelps.com/security/pac.htm
Semi-Quick Option 7: configure a dummy proxy server (this only works for Internet Explorer)
Create an Organizational Unit (OU) such as “No Internet” or whatever you like, specifically for the clients. Create a GPO with the same name and link it to the OU.
In the GPO, edit the Proxy Settings under /User Configuration/Windows Settings/Internet Explorer Maintenance/Connection
Set the proxy server IP address and port to a non-existent proxy server. I use the default gateway for my network (the IP of my firewall), and then check “Use The Same Proxy Server for all Addresses”.
After doing this, move the AD clients to the OU you created and have them log off and back on. This will effectively block Internet browsing.
To keep Local Administrators from changing the proxy server settings after the group policy is applied, you can enable ‘User Configuration/Administrative Templates/Windows Components/Internet Explorer/Disable changing proxy settings’, which grays out the option. Or you can disable the entire Connections page, or more if you want.
Ok, but what if you have a multi-site company and also need to restrict Internet access to only authorized machines (so someone can’t just bring in their laptop and get on the Internet)?
That’s what Chapter 3.1 is for!
Chapter 3.1: Creating a full-bodied Internet filtering infrastructure.
There are a number of steps required to make this work; a quick overview of the process goes something like this.
To stop users from bringing in laptops and having free Internet access you will need to restrict your firewall to only allow outgoing access from a proxy/caching server. The proxy/caching server will authenticate your users against your Active Directory (or some other authentication source), and if they are a member of the correct group they will be allowed to access the Internet. The user gets the address of the proxy server from a .PAC file, and the .PAC file location is handed out by the DHCP server.
So let’s get started. First things first, you need to make a .PAC file (also called a wpad.dat file).
The most valuable thing I can tell you about .PAC files is that if they error out they do so without a peep. I will repeat that: if there is an error, your .PAC file will silently do nothing. They are hard to troubleshoot!
So, get thee to a google code nunnery and download pactester!
http://code.google.com/p/pactester/downloads/list
Another thing I noticed that was extremely annoying was that if I copied and pasted .PAC files from the Internet I would more often than not get a curly type of quotation mark instead of a straight quotation mark, which would of course break the .PAC file.
( ” <- Curly is Bad. Straight is Good! -> " got it? Good! )
So here is my sample (boring) .PAC file:
**********************
function FindProxyForURL(url, host) {
    // plain names (MyServer) and anything in the internal domain bypass the proxy
    if (isPlainHostName(host)) return "DIRECT";
    if (dnsDomainIs(host, ".mydomain.local")) return "DIRECT";
    // clients on 10.1.0.0/16 go through the proxies; the second is a fallback
    if (isInNet(myIpAddress(), "10.1.0.0", "255.255.0.0")) {
        return "PROXY 10.1.1.10:3128; PROXY 10.1.1.11:3128";
    }
    // always return a string: falling off the end returns undefined,
    // and the browser silently ignores the whole PAC file
    return "PROXY 10.1.1.10:3128; PROXY 10.1.1.11:3128";
}
*********************
It illustrates a few things. First, the script executes in the order it is written, so the first if statement that is true returns its value and nothing after it runs. This script shows how to send a connection DIRECT if the desired host is a plain host name (something like MyServer) or if it has a matching DNS domain such as MyServer.MyDomain.local. Notice that there is a . in front of the domain, .MyDomain.Local!
To find really good descriptions of PAC Functions please go to http://www.findproxyforurl.com/pac_functions_explained.html
A couple of interest are:
isPlainHostName()
This function returns true if the hostname contains no dots, e.g. http://intranet
Useful when applying exceptions for internal websites, since it does not require resolving the hostname to an IP address to decide whether it is local.
Example:
if (isPlainHostName(host)) return "DIRECT";
dnsDomainIs()
Evaluates the hostname and returns true if it ends in the given domain. Used mainly to match and exempt individual domains.
Example:
if (dnsDomainIs(host, ".google.com")) return "DIRECT";
myIpAddress()
Returns the IP address of the host machine (the client running the PAC file).
Example:
if (isInNet(myIpAddress(), "10.1.1.0", "255.255.255.0")) return "DIRECT";
If you specify two proxy servers, the quotes go around the whole string (the second proxy is tried if the first is unreachable), like
return "PROXY proxy1:8080; PROXY proxy2:8080";
So how do you test your .PAC file? Well, the first thing you need to do is get thee to the google code nunnery linked above and download pactester! To use it, give it a command like
pactester.exe -p proxy.pac -u http://google.com -c 10.1.1.1
and it should give you back the proxy, or a direct connection, or whatever you would expect!
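If you want to see what pactester is doing, here is an added example (not from the original post) of a tiny pactester-style harness: it supplies the PAC helper functions a browser normally provides, lets you set the client IP the way pactester's -c does, and reports what FindProxyForURL returns. The proxy addresses and .mydomain.local are the post's sample values; everything else is constructed for the demo.

```javascript
// Added example, not from the original post: a tiny pactester-style harness.
// It supplies the PAC helpers a browser normally provides, lets you set the
// client IP (like pactester's -c) and reports what FindProxyForURL returns.
const PROXIES = "PROXY 10.1.1.10:3128; PROXY 10.1.1.11:3128";

// --- minimal versions of the standard PAC helper functions ---
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  // plain suffix match: this is why the leading "." in the domain matters
  return host.toLowerCase().endsWith(domain.toLowerCase());
}
function ipToInt(ip) {
  return ip.split(".").reduce((n, octet) => (n << 8) + Number(octet), 0) >>> 0;
}
function isInNet(ip, net, mask) {
  const m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}
let clientIp = "0.0.0.0";            // set per run, like pactester's -c
function myIpAddress() { return clientIp; }

// The post's rules, deliberately with NO final return, so the "silent
// failure" of a PAC file that falls off the end can be seen.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  if (dnsDomainIs(host, ".mydomain.local")) return "DIRECT";
  if (isInNet(myIpAddress(), "10.1.0.0", "255.255.0.0")) {
    return PROXIES;
  }
}

// Equivalent of: pactester.exe -p proxy.pac -u <url> -c <clientIp>
function runPac(url, ip) {
  clientIp = ip;
  const host = new URL(url).hostname;
  const result = FindProxyForURL(url, host);
  // a browser treats a non-string result as a broken PAC and ignores it
  return typeof result === "string" ? result : "ERROR: PAC returned nothing";
}

// Constructed sample runs: three from a LAN client, one from off the LAN
for (const [u, ip] of [["http://intranet", "10.1.5.5"],
                       ["http://fileserver.mydomain.local/", "10.1.5.5"],
                       ["http://www.google.com/", "10.1.5.5"],
                       ["http://www.google.com/", "192.168.5.5"]]) {
  console.log(u, ip, "->", runPac(u, ip));
}
```

The last run shows the failure mode the post warns about: a client outside 10.1.0.0/16 matches no rule, the function returns nothing, and a real browser would just ignore the file.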
It is also good to use alert lines during testing, for example:
if (isPlainHostName(host)) {
    alert("direct");
    return "DIRECT";
}
This will bring up an alert whenever a direct connection is chosen. The braces matter: without them only the alert() belongs to the if, and the return "DIRECT" would run for every host.
Another way to test it is to open up Internet Explorer, Tools, Internet Options, Connections tab, LAN Settings, check the check box and point it to the location of your pac file. The file path will look like file://c:/proxy.pac
Ok, now that you have verified that the proxy.pac file works like you want, you need to deploy it. There are a number of ways to do so but I am going to pick the laziest. Create a file share on a file server somewhere and place your .PAC file on it.
Now to test it, point your browser to the .PAC file using this file path (four slashes):
file:////file-server/files/proxy.pac (a Start, Run of the same path should also bring up the file). Clear your cache and cookies, close and then reopen IE, and if all goes well it should load your .PAC file.
Now we have a .PAC file, have verified that it works and have given it a network location, so we need some way for our clients to use it. One easy way to distribute it is through DHCP. If you have a Server 2003 DHCP server then you need to add it as an option. To do so:
Windows 2003 DHCP:
1. Click Start > Programs > Administrative Tools and then click DHCP.
2. In the console tree, right-click the DHCP server, click Set Predefined Options, and then click Add.
3. In Name type: WPAD.
4. In Code type: 252.
5. In Data type select String, and then click OK.
6. In String, type the URL of the PAC file in the format: file:////file-server/files/proxy.pac
7. Right-click Server Options and click Configure Options.
8. Confirm that option 252 is selected.
Once created we must then enable the option for a DHCP scope.
1. Click Start > Programs > Administrative Tools and then click DHCP.
2. Right-click Scope Options and then click Configure Options.
3. Click Advanced, and then in Vendor Class, click Standard Options.
4. In Available Options, select the 252 Proxy Autodiscovery option and click OK.
Ok, we have our PAC file and our DHCP server set to serve it out. But we don’t have a proxy server! Once again you have lots of options: you could install a Linux squid box or even download a squid virtual appliance. But since I’m lazy and have lots of 2003 servers throughout the enterprise I decided to go the Windows squid proxy route. (Linux people will probably think I’m crazy.)
Downloading and installing squid on Windows is fairly easy; getting it configured requires a bit more work!
Download squid from here http://squid.acmeconsulting.it/
At the moment it is version 2.7 http://squid.acmeconsulting.it/download/dl-squid.html
If you want your life to be easy then extract everything to c:\squid (so the bin path will be c:\squid\bin).
Otherwise you will need to read up on how to install squid in a non-default path.
Open up the command prompt, cd to c:\squid\sbin
Type squid -i and hit enter to install it as a service.
In windows explorer navigate to C:\squid\etc. Rename the four files in there so that the .default extensions are removed from all of them.
Type squid -z to create the squid cache directories.
Now you can start the squid service with the defaults. (either start, run, services.msc or net start squid at the command prompt)
If your .PAC file is working correctly, then when you browse somewhere you should see entries in the access log at C:\squid\var\logs\access.log
Now comes the truly fun part, authenticating a user against active directory.
To do any configuration you need to edit the c:\squid\etc\squid.conf file. When you first open it up most of it is commented out. If you are in Active Directory it would be good to add (around line 4667)
append_domain .yourdomain.local
This allows an internal computer name to be resolved without the domain extension (your PAC file should take care of this, but just in case). Remember the dot at the beginning of .yourdomain.local.
In order to authenticate using Active Directory you need to add the following lines.
Around line 293:
auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
auth_param ntlm children 10
This says to use mswin_ntlm_auth.exe as the authentication helper program and to spawn 10 copies of it.
Next, around line 597, we add
external_acl_type AD_global_group %LOGIN c:/squid/libexec/mswin_check_ad_group.exe -G
This defines an external access control list type named AD_global_group that hands the logged-in user name (%LOGIN) to the mswin_check_ad_group.exe program; the -G flag means to check the group against the Active Directory domain (a global group).
After acl CONNECT method CONNECT (around line 631) we are going to create our main acl. Add:
acl ProxyUsers external AD_global_group INTERNETUSERS
This is our access control list named ProxyUsers; it is defined by the external AD_global_group helper and matches every member of the Active Directory group INTERNETUSERS.
Our next two ACLs are (set your subnet appropriately). An acl line holds a single ACL type, so the authentication requirement and the source subnet have to be separate ACLs (extra words after proxy_auth REQUIRED would be read as user names, not as a subnet):
acl password proxy_auth REQUIRED
acl localnet src 10.1.0.0/16
The first states that for acl password the user must have passed proxy authentication (any authenticated user counts); the second states that the source (src) of the packets must be the 10.1.0.0/16 subnet.
The last thing is, on line 665, add an http_access line of
http_access allow localnet password ProxyUsers
This states that we allow requests that satisfy the localnet, password and ProxyUsers ACLs all at once. So, basically: use proxy authentication of the AD variety, come from the 10.1.0.0/16 subnet, and belong to the INTERNETUSERS group in order to go out through the proxy.
Basically it ANDs the localnet, password and ProxyUsers ACLs together.
There is great documentation on ACL here http://www.visolve.com/squid/squid24s1/access_controls.php
and here http://wiki.squid-cache.org/SquidFaq/SquidAcl
The basic explanation of an ACL is
An access list rule consists of an allow or deny keyword, followed by a list of ACL element names.
An access list consists of one or more access list rules.
Access list rules are checked in the order they are written. List searching terminates as soon as one of the rules is a match.
If a rule has multiple ACL elements, it uses AND logic. In other words, all ACL elements of the rule must be a match in order for the rule to be a match. This means that it is possible to write a rule that can never be matched. For example, a port number can never be equal to both 80 AND 8000 at the same time.
To summarise, the ACL logic can be described as:
http_access allow|deny acl AND acl AND …
OR
http_access allow|deny acl AND acl AND …
OR
…
If none of the rules are matched, then the default action is the opposite of the last rule in the list. It’s a good idea to be explicit with the default action. The best way is to use the all ACL. For example:
http_access deny all
Blocking Sites
In order to block a site we need to add a few lines to our squid.conf.
First, after the password acl we defined above, add a line that says:
acl blockedurl url_regex -i "c:/squid/etc/blockedurl.txt"
This is a URL block list: if the URL matches one of the patterns in the file (case-insensitively, because of -i) the request will not make it through.
Then add
acl blockeddomains dstdomain -i "c:/squid/etc/blockeddomains.txt"
This is a domain block list; for example, if it contains hotmail.com the hotmail.com domain will be blocked. These are a little more ‘expensive’ of a block since they require a DNS lookup.
An ACL on its own does nothing until an http_access rule uses it, so also add deny lines for both, placed above the allow line so they are checked first:
http_access deny blockeddomains
http_access deny blockedurl
So create two text files, c:/squid/etc/blockedurl.txt and c:/squid/etc/blockeddomains.txt.
In blockeddomains.txt let’s add Slashdot.org
Run c:\squid\etc\reloadconfig.bat and then try to surf to slashdot.org; it will be denied.
reloadconfig.bat consists of the following (and needs to be created):
**************
cd \
cd squid\sbin
squid -n Squid -k reconfigure
pause
*****
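To make the ACL rules above concrete, here is an added example (not from the post or from Squid itself): a small model of how Squid walks the http_access list built in this chapter. A rule matches only when all of its ACL elements match (AND), rules are tried top to bottom with the first match winning (OR), and with no match the default is the opposite of the last rule. The subnet, group name and blockeddomains entries are the post's values; the url_regex patterns and the requests are constructed for the demo.

```javascript
// Added example, not from the post or from Squid: a model of Squid's
// http_access evaluation over this chapter's ACLs.
const BLOCKED_DOMAINS = ["slashdot.org", ".hotmail.com"]; // blockeddomains.txt
const BLOCKED_URL_REGEX = ["casino", "\\.exe$"];          // blockedurl.txt (constructed)

function inCidr(ip, cidr) {
  const [net, bits] = cidr.split("/");
  const toInt = (a) => a.split(".").reduce((n, o) => (n << 8) + Number(o), 0) >>> 0;
  const mask = Number(bits) === 0 ? 0 : (0xffffffff << (32 - Number(bits))) >>> 0;
  return ((toInt(ip) & mask) >>> 0) === ((toInt(net) & mask) >>> 0);
}
// dstdomain: a leading "." matches the domain and its subdomains, otherwise exact
function dstDomainMatches(host, entry) {
  host = host.toLowerCase(); entry = entry.toLowerCase();   // the -i flag
  return entry.startsWith(".") ? host === entry.slice(1) || host.endsWith(entry)
                               : host === entry;
}

// ACL name -> predicate over a request {src, user, groups, host, url}
const ACL = {
  localnet:       (r) => inCidr(r.src, "10.1.0.0/16"),            // acl localnet src 10.1.0.0/16
  password:       (r) => r.user !== undefined,                    // acl password proxy_auth REQUIRED
  ProxyUsers:     (r) => r.groups.includes("INTERNETUSERS"),      // external AD_global_group
  blockeddomains: (r) => BLOCKED_DOMAINS.some((d) => dstDomainMatches(r.host, d)),
  blockedurl:     (r) => BLOCKED_URL_REGEX.some((p) => new RegExp(p, "i").test(r.url)),
  all:            () => true,
};

// http_access lines in squid.conf order: deny lists first, the allow, then deny all
const HTTP_ACCESS = [
  { action: "deny",  acls: ["blockeddomains"] },
  { action: "deny",  acls: ["blockedurl"] },
  { action: "allow", acls: ["localnet", "password", "ProxyUsers"] },
  { action: "deny",  acls: ["all"] },
];

// Walk the rules the way Squid does and return "allow" or "deny"
function httpAccess(rules, req) {
  for (const rule of rules) {
    // every element of a rule must match (AND); first matching rule wins
    if (rule.acls.every((name) => ACL[name](req))) return rule.action;
  }
  const last = rules[rules.length - 1].action;   // no match: opposite of the last rule
  return last === "allow" ? "deny" : "allow";
}

// Constructed request: authenticated AD user on the LAN, in INTERNETUSERS
const sample = { src: "10.1.4.4", user: "alice", groups: ["INTERNETUSERS"],
                 host: "www.example.com", url: "http://www.example.com/" };
console.log("sample request ->", httpAccess(HTTP_ACCESS, sample));
```

Removing the final deny all rule is the case the post warns about: if the allow rule is then the last rule and nothing matches, the default flips to deny, but if someone later appends a deny rule for a block list, the default silently becomes allow.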
Back to chapter 2 https://michaelellerbeck.com/2009/01/09/the-perfect-corporate-xp-workstation-install/