Solved

WPAD File on External Web Server

Posted on 2009-05-12
502 Views
Last Modified: 2012-05-06
Is it safe and what the potential security risks of storing my proxy WPAD.dat file on an external web server?  I don't have an internal one to host this file and I don't want to add an internal web server just for this purpose.
Question by:ibidata
10 Comments
 
LVL 10

Expert Comment

by:lanboyo
ID: 24370537
It will need to resolve as wpad.DOMAIN_SUFFIX_IN_SEARCH_ORDER.TLD for the PC to find it. You could secure that URL by IP access lists, perhaps.

I don't know of any .pac javascript processing vulnerabilities, but controlling your browser wouldn't be too hard at that point...
0
 
LVL 7

Expert Comment

by:mchkorg
ID: 24372565
Question is: what for?

If it's for some laptops, totally disconnected from your company network, they don't need this WPAD/PAC file to be available. They are probably directly connected to the Internet when they're outside.
Remember that the failsafe behaviour of "proxy autodetection" is: if the wpad.server/wpad.dat file is not found => direct connection.

If it's because your only choice is to store this file on your only web server, available internally as well as externally, you might set up virtual hosts (Apache) or "sites" (IIS) to restrict access if possible.

About the risk:
The only risk might be to let someone know some details about your internal network: IP ranges, some host names? Depending on what's in your wpad.dat file.

Give us some more detail if needed.
0
 

Author Comment

by:ibidata
ID: 24373747
The reason is that we don't currently have an internal web server, and I want to lock down ports 80/443 on our firewall LAN -> WAN so they must use the proxy to get out to the Internet. I also want it to be automatic so that visitors who connect to our network and are given an IP via DHCP will also be routed through the proxy.

I tried putting the WPAD file on a file share with Everyone having read access and then used DHCP option 252 to notify the clients of the location, but it doesn't appear to be working for workstations not on the domain. So I'm left with putting in a WPAD DNS record and having them get the automatic proxy information that way.

I hope that answers your questions and gives you a little more information.  Thanks for your help.
0

 
LVL 7

Expert Comment

by:mchkorg
ID: 24373778
OK, all we've said is still true.
Unless your wpad.dat file has valuable information inside (I don't think so), you can make it available everywhere.
Maybe you can restrict the destination IP on the server side to restrict it to your company gateway.
0
 
LVL 10

Expert Comment

by:lanboyo
ID: 24373838
The risk is as stated: external users could see information on your subnets, proxy exceptions and proxy server IPs. Also, if they are able to compromise the server, they could give your users a list of their own proxy servers and trick them into downloading whatever they desired, compromising all civilization. Somewhat far-fetched though...

0
 
LVL 7

Expert Comment

by:mchkorg
ID: 24374005
lanboyo: Hopefully he won't allow any outgoing connection on any port (and certainly not 80, 3128 and so on) from his internal network, except to that specific web server. The rest must go through his [transparent] proxy.
So even with a compromised wpad.dat, one won't get anywhere...

It's only a question of seeing IP ranges, host names and so on.
Now, having only one external web server, I do believe this user will only have one subnet, like 192.168, some host names, like proxy.hiscompany.com. No big deal.
0
 

Author Comment

by:ibidata
ID: 24374315
How will workstations that are not a part of our domain get the proxy information? Will that be through DHCP or DNS? Does the DHCP option 252 and/or DNS method work for both IE and Firefox?
0
 
LVL 7

Accepted Solution

by:
mchkorg earned 125 total points
ID: 24375491
1) If your DHCP (I'm not talking of option 252) gives them an address + a DNS server
2) and if they are able to get to your wpad web server from there
=> you'll just have to tell them to set their browsers to "proxy auto-detection" and that's all.

About point 2): I'm thinking about possible network restrictions if these people are on a separated VLAN, separated IP range and so on.
Usually, you just want them to be able to talk to your proxy to get outside, nothing more.

"Proxy auto-detection" works fine with Firefox, IE (and every browser, I guess).
If the server is found => the PAC file applies.
If not => the browser tries a direct access.
You just have to configure all these browsers with proxy auto-detection, via GPO if possible (there is a specific SourceForge project for Firefox+GPO - I didn't test it).
If your proxy is configured as transparent (meaning all outgoing traffic to port 80 is redirected via your main firewall to your proxy port), it'll work even if you don't activate anything in your browser's proxy settings - HTTPS won't work.

OK?
Look here too, I already explained some things about WPAD: http://www.experts-exchange.com/Networking/Protocols/DHCP/Q_24343652.html

regards
0
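For reference, here is what a typical wpad.dat looks like, as an added example that is not from this thread or its participants: the PAC helper functions browsers supply (isInNet, isPlainHostName, dnsDomainIs) are re-implemented so the file can be exercised outside a browser, and every name and address is a constructed placeholder. It makes the disclosure point in the comments above concrete: anyone who can fetch the file reads the proxy address and every internal range it exempts, so the file should carry nothing beyond what the proxy decision needs.

```javascript
// Added example, not from the thread. Constructed placeholders throughout.

// Minimal re-implementations of the PAC runtime helpers a browser provides,
// so FindProxyForURL below can be tested offline in Node.
function ipToInt(ip) {
  // Dotted quad -> unsigned 32-bit integer.
  return ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}
function isInNet(host, net, mask) {
  // A real browser resolves the host name first; here only literal
  // dotted-quad hosts are matched, everything else is treated as outside.
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  return (ipToInt(host) & ipToInt(mask)) === (ipToInt(net) & ipToInt(mask));
}
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.endsWith(domain);
}

// The wpad.dat body. Everything in this function is readable by any client
// that can reach the file: the proxy address and the exempted internal ranges.
function FindProxyForURL(url, host) {
  // Intranet names and the constructed internal range go direct.
  if (isPlainHostName(host) ||
      dnsDomainIs(host, ".example.internal") ||
      isInNet(host, "192.168.0.0", "255.255.0.0") ||
      isInNet(host, "127.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Everything else must use the proxy (placeholder host and port). No
  // "; DIRECT" fallback is listed, so a blocked LAN->WAN port 80/443 cannot
  // be bypassed by a client whose proxy connection fails.
  return "PROXY proxy.example.internal:3128";
}
```

Note that the "not found => direct connection" behaviour discussed above is the browser's fallback when wpad.dat cannot be fetched at all; it is independent of what the file returns.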
 
LVL 10

Expert Comment

by:lanboyo
ID: 24396953
Solution is true, however there are some caveats.

DHCP option 252 is pretty hit and miss in my experience.

If a PC has downloaded a proxy.dat file in the past, and autodiscovery fails, it will use the old one.
There are SSL solutions for proxying.
0
 
LVL 7

Expert Comment

by:mchkorg
ID: 24398913
I didn't see this behaviour in my last tests (I was checking the proxy logs when the WPAD was forced to be unavailable).
Maybe it depends on the browser (and version).

Regards
0
