Solved

WPAD File on External Web Server

Posted on 2009-05-12
10
493 Views
Last Modified: 2012-05-06
Is it safe and what the potential security risks of storing my proxy WPAD.dat file on an external web server?  I don't have an internal one to host this file and I don't want to add an internal web server just for this purpose.
0
Comment
Question by:ibidata
  • 5
  • 3
  • 2
10 Comments
 
LVL 10

Expert Comment

by:lanboyo
Comment Utility
It will need to resolve as wpad.DOMAIN_SUFFIX_IN_SEARCH_ORDER.TLD for the pc to find it. You could secure that url by ip access lists perhaps.

I don't know of any .pac javascript processing vulnerabilities, but controlling your browser wouldn't be too hard at that point...
0
 
LVL 7

Expert Comment

by:mchkorg
Comment Utility
Question is: what for?

If it's for some laptops, totally disconnected from your company network, they don't need this WPAD/PAC file to be available. They are probably directly connected to the Internet when they're outside
Remember that the failsafe behaviour of "proxy autodetection" is: if the wpad.server/wpad.dat file is not found => direct connection

If it's because your only choice is to store this file on your only web server, available internally as well as externally, you might set up virtual hosts (apache) or "sites" (iis) to restrict access if possible

About the risk:
The only risk might be to let someone know some details about your internal network; IP ranges, some hosts names ? depending on what's in your wpad.dat file

Give us some more detail if needed
0
 

Author Comment

by:ibidata
Comment Utility
The reason what for is because we don't currently have an internal web server and I want to lock down port 80/443 on our firewall LAN -> WAN so they must use the proxy to get out on the Internet.  I also want it to be automatic so that visitors who connect to our network and are given an IP via DHCP will also be routed through the proxy.  

I tried putting the WPAD file on a file share with Everyone having read access and then use DHCP option 252 to notify the clients of the location but it doesn't appear to be working for workstations not on the domain.  So I'm left with putting a WPAD DNS record and having them get the automatic proxy information that way.

I hope that answers your questions and gives you a little more information.  Thanks for your help.
0
 
LVL 7

Expert Comment

by:mchkorg
Comment Utility
Ok, all we've said is still true
Unless your wpad.dat file has valuable information inside (I don't think so), you can make it available everywhere
Maybe you can restrict the destination IP on server side to restrict it to your company gateway
0
 
LVL 10

Expert Comment

by:lanboyo
Comment Utility
The risk is as stated external users could see information on your subnets, proxy exceptions and proxy server ips. Also is they are able to compromise the server they could give your users a list their own proxy servers and trick them into downloading whatever they desired, compromising all civilization. Somewhat far fetched though..

0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 7

Expert Comment

by:mchkorg
Comment Utility
lanboyo: Hopefully he won't allow any outgoing connection on any port (and certainly not 80, 3128 and so on) from his internal network, except to that specfic web server. The rest must go through his [transparent] proxy
So even with a compromised wpad.dat, one won't get anywhere...

it's only a question of seeing ip ranges, host names and so on
now, having only one external web server, I do believe this user will only have one subnet, like 192.168, some host names, like proxy.hiscompany.com. No big deal
0
 

Author Comment

by:ibidata
Comment Utility
How will workstations that are not a part of our domain get the proxy information?  Will that be through DHCP or DNS?  Does the DHCP option 252 and/or DNS method work for both IE and firefox?
0
 
LVL 7

Accepted Solution

by:
mchkorg earned 125 total points
Comment Utility
1) if your dhcp (I'm not talking of option 252) gives them an address+a DNS server
2) and if they are able to get to your wpad web server from there
=> you'll just have to tell them to set their browsers to "proxy auto-detection" and that's all

About point 2) : I'm thinking about possible network restrictions if these people are on separated vlan, separated ip range and so on
Usuaully, you just want them to be able to talk to your proxy to get outside, nothing more


"proxy auto-detection" works fine with firefox, IE (and every browser I guess)
If server is found => the PAC file applies
 If not => the browser tries a direct access
 You just have to configure all these browsers with proxy auto-detection. Via GPO if possible (there is a specific sourceforge project for firefox+GPO - I didn't test)
If your proxy is configured as transparent (meaning, all outgoing trafic to port 80 is redirect via your main firewall to your proxy port), it'll work even if you don't activate anything in your browser's proxy settings - https won't work

ok ?
look here too, I already explained some things about WPAD: http://www.experts-exchange.com/Networking/Protocols/DHCP/Q_24343652.html

regards
0
 
LVL 10

Expert Comment

by:lanboyo
Comment Utility
Solution is true, however there are some caveots.

Dhcp option 252 is pretty hit and miss in my experience.

If a pc has downloaded a proxy.dat file in the past, and autodiscovery fails, it will use the osl one.
There are ssl solutions for proxying.
0
 
LVL 7

Expert Comment

by:mchkorg
Comment Utility
I didn't see this behaviour in my last tests (I was checking the proxy logs when the WPAD was forced to be able unavailable)
Maybe it's depending on the browser (and version)

Regards
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
gns3 with layer 3 switch 6 30
VMware NSX version 6.2.2 upgrade 6.2.4 6 47
Cisco VSS or VCP on GNS3 or IOU 3 27
RDP Sonicwall 8 22
#Citrix #Citrix Netscaler #HTTP Compression #Load Balance
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now