Solved

Stop IIS from being used as a proxy

Posted on 2013-10-25
12
295 Views
Last Modified: 2013-11-18
We have two IIS sites on two different servers that host Exchange OWA and ADFS.  We noticed a lot of traffic from our network and determined that on a remote computer you can put in the IP address and port of those two IIS servers into the computers proxy settings and it works as a proxy to browse any website on the internet.

How can we block this traffic?
0
Comment
Question by:sjohnson_Aerosim
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 4
  • 2
12 Comments
 
LVL 19

Expert Comment

by:strivoli
ID: 39600359
Which port is set on the computers proxy settings?
Is this port bound to IIS?
0
 

Author Comment

by:sjohnson_Aerosim
ID: 39600403
Port 80 and yes it is bound to IIS, we tested this by changing the port in IIS to 8080 then the attacker can no longer connect on port 80 but can on 8080.
0
 
LVL 19

Expert Comment

by:strivoli
ID: 39600681
Since this seams very strange I must ask again with an example (I must be sure I understood properly). I'm outside your LAN and your IIS responds to the public IP aaa.bbb.ccc.ddd. If I put aaa.bbb.ccc.ddd on my computer's proxy settings I will be able to browse the Internet using your server? If this is it: the public IP I will expose (http://whatismyipaddress.com/), will be yours public IP or mine?
0
Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 

Author Comment

by:sjohnson_Aerosim
ID: 39600706
Your example is correct and the public IP will be mine.
0
 
LVL 19

Expert Comment

by:strivoli
ID: 39600723
I'm afraid you are infected. Or even worse your system is a zombie.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39600734
Which version of IIS is this? It has to be an old one.

Simon.
0
 

Author Comment

by:sjohnson_Aerosim
ID: 39600758
I am going to run virus scans on it now and the version is IIS8.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39600820
IIS 8? So we are talking about Windows 2012?

I expect someone has installed everything under IIS in roles and features, rather than just the specific requirements for Exchange.

It may well be best to stop Exchange, remove IIS completely and reinstall it.

Simon.
0
 

Author Comment

by:sjohnson_Aerosim
ID: 39612327
It appears we have narrowed the issue to a problem with our Barracuda Web Filter 410.  They are currently working on the issue.
0
 
LVL 19

Expert Comment

by:strivoli
ID: 39612739
That sounds very strange. You wrote that after changing IIS's port from 80 to 8080 you could use it as a proxy pointing to 8080 instead of 80.
How does the Barracuda act as a proxy (for outside and unauthenticated users) and changes it's behavior as soon as IIS changes it's listening port?
I sincerely hope you have found the origin of the issue but I suspect it isn't the Barracuda.
0
 

Accepted Solution

by:
sjohnson_Aerosim earned 0 total points
ID: 39642104
Barracuda has confirmed that it is a bug with their software.  We are using the Web Filter inline so all traffic is goes through it and for whatever reason it is allowing people to proxy off open ports.  This will be fixed in the next update around Jan 1st, 2014 and in the meantime we made exceptions for the servers affected so it doesn't look at any of the traffic.
0
 

Author Closing Comment

by:sjohnson_Aerosim
ID: 39655994
We tested and confirmed this is the solution.
0

Featured Post

Salesforce Has Never Been Easier

Improve and reinforce salesforce training & adoption using WalkMe's digital adoption platform. Start saving on costly employee training by creating fast intuitive Walk-Thrus for Salesforce. Claim your Free Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Getting to know the threat landscape in which DDoS has evolved, and making the right choice to get ourselves geared up to defend against  DDoS attacks effectively. Get the necessary preparation works done and focus on Doing the First Things Right.
Article by: Justin
In light of the WannaCry ransomware attack that affected millions of Windows machines, you might wonder if your Mac needs protecting. Yes, it does and here is how to do it.
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…
Suggested Courses
Course of the Month3 days, 19 hours left to enroll

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question