Click here to Skip to main content
Click here to Skip to main content
Search within:



 
Comments & Discussions (12)

Proxy Violator - C# - Disable GPO Enforced Proxy Server without Administrative Permissions

By , 25 Mar 2008
 

Target Audience

  • Networking / Security professionals
  • System Admins
  • The curious

Concepts Covered

  • Connecting to and manipulating the registry
  • A *Glaring* hole in the Windows GPO implementation

Introduction

First of all, let me say that the use of this program can violate any terms of service or usage policies that are in place at your organization. Please seek permission prior to use, and use this program for testing/proof-of-concept only.

Background

This program was written to demonstrate that even in a Windows domain where Internet Explorer settings are locked down with a GPO, even a basic user ('users' group) can override the GPO setting that forces the use of a proxy server. This can be useful if you are on a public computer that uses a proxy server to filter URLs. This program cannot bypass filtering that uses WCCP or the like to redirect Web traffic at the gateway.

Using the Code

This code is really very simple. All that is required, is that you change a registry setting in the HKEY_CURRENT_USER hive. (ntuser.dat in the user's profile) All users have the rights to write to this hive, as it stores only the logged in user's settings. This holds true even if the GUI settings are inaccessible due to GPO lock down. Since there is so little code required, I have included the whole application's source: 

using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Text;
using System.Windows.Forms;
using Microsoft.Win32;

namespace proxyViolater
{
    public partial class Form1 : Form
    {
        bool alert = false;
        public Form1()
        {
            InitializeComponent();
            checkProxy();
            alert = true;
        }

    //check the state of the proxy settings
    //
    //
        private void checkProxy()
        {
            //check the registry for the 'ProxyEnable' value
            RegistryKey proxy = Registry.CurrentUser.OpenSubKey(
        "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", true);

            //the possible values are 1 - enabled, or 0 - disabled
            int enabled = int.Parse(proxy.GetValue("ProxyEnable").ToString());

            //update the GUI
            if (enabled == 1)
            {
                lblStatus.ForeColor = Color.Red;
                lblStatus.Text = "Enabled";
            }
            else
            {
                lblStatus.ForeColor = Color.Green;
                lblStatus.Text = "Disabled";
            }
        }

    //Enable the proxy server
    //
    //
        private void btnEnable_Click(object sender, EventArgs e)
        {
            //connect to the registry and enable the proxy
            RegistryKey cUser = Registry.CurrentUser.OpenSubKey(
        "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", true);
            cUser.SetValue("ProxyEnable", 1);
            checkProxy();
        }

    //Disable the proxy server
    //
    //
        private void btnDisable_Click(object sender, EventArgs e)
        {
            //connect to the registry and disable the proxy
            RegistryKey cUser = Registry.CurrentUser.OpenSubKey(
        "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", true);
            cUser.SetValue("ProxyEnable", 0);
            checkProxy();
        }

    //Monitor the label that is update on proxy change
    //
    //
        private void lblStatus_TextChanged(object sender, EventArgs e)
        {
            //alert the user to restart the browser after every proxy change event.
            if (alert)
            {
                MessageBox.Show("Please restart all open browsers for 
                        proxy change to take effect.");
            }
        }

    //Check for proxy changes every 5 seconds
    //
    //
        private void timer1_Tick(object sender, EventArgs e)
        {
            //check to see if the GPO refresh interval has changed the setting back
            checkProxy();
        }
    }
}

Points of Interest

It seems like a pretty big hole to me. Let me know if any of you can think of a workaround that would block this behavior using integrated Windows or Active Directory methods.

History

  • 25th March, 2008 - Initial post

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

 xExTxCx
United States United States
Member
No Biography provided

Article Top
 
Sign Up to vote   Poor Excellent
Add a reason or comment to your vote: x
Votes of 3 or less require a comment

Comments and Discussions

 
You must Sign In to use this message board.
Search this forum  
    Spacing  Noise  Layout  Per page   
First Prev Next
GeneralMy vote of 1membersarah-gee-7 Jan '09 - 1:37 
it is sh*t
Sign In·View Thread·Permalink
GeneralRe: My vote of 1memberxExTxCx2 Jul '09 - 9:15 
Well thank you for your well thought out and insightful comments. You are a credit to the code project community.
Sign In·View Thread·Permalink
Generalchange proxy settings without having to restart IEmemberHoàng Lê Minh24 Sep '08 - 19:07 
Can you change your code to changing proxy setting without having to restart IE
 
Thanks Smile | :)
Sign In·View Thread·Permalink
GeneralNot a security hole.membertalley25 Mar '08 - 13:38 
I recommend reading this article:
Shell policy is not the same as security
http://blogs.msdn.com/oldnewthing/archive/2008/01/31/7337160.aspx[^]
 
So it is not "A *Glaring* hole in the Windows GPO implementation.".
 
WBR,
tallicska
Sign In·View Thread·Permalink
GeneralRe: Not a security hole.memberxExTxCx25 Mar '08 - 14:00 
talley wrote:
I recommend reading this article:
Shell policy is not the same as security
http://blogs.msdn.com/oldnewthing/archive/2008/01/31/7337160.aspx[^]
 
So it is not "A *Glaring* hole in the Windows GPO implementation.".
 
WBR,
tallicska

 
I agree, in principal. In practice, I think that you might be quite surprised at the lack of "security" on most of the K12 networks. I also agree that shell policy is not security, because if you block execution of "firefox.exe", a user can rename the file to "firefox1.exe" and execute the program anyway. The point that I was trying to make is that in an environment like K12, where (in many cases) security was a half-baked afterthought, someone could execute a program like this and invalidate the settings that are enforced by group policy. I understand that there are apps out there such as Faronics AntiExecutable that permit only "trusted" code to execute, but features like these aren't included with Windows. This could theoretically be patched by changing the permissions on the reg key to allow write to System and administrators only, but it doesn't work like that. Also, as stated above, you could circumvent the problem entirely by setting up a transparent proxy. In my opinion, this is a security hole that could be patched, alleviating the need to pay (possibly thousands) for a solution that works.
 
Brian
Sign In·View Thread·Permalink
GeneralRe: Not a security hole.membertalley25 Mar '08 - 14:28 
In practice, you should decide what do you want to achive.
 
a) disable the proxy settings dialog
b) secure and enforce proxy settings
 
when going with b) you should:
- deny execution of custom applications and apply a)
OR
- revoke writing permissions for relevant registry keys.
 
You can also mix these. Remember, modifying GUI behavior has nothing to do with system security.
 
Also note that complaining about "firefox circumvents proxy settings!" is inappropiate. Why should Windows go after all custom program and patch them so they behave? They have all their custom policy and security settings, use those.
 
WBR,
talley
Sign In·View Thread·Permalink
GeneralRe: Not a security hole.memberxExTxCx25 Mar '08 - 14:47 
I think that you missed my point... I do not nor will I ever advocate "Windows going after" programs that work. My point, is that GPOs are the defacto for limiting access to the UI and certain functionality in a windows domain environment. There are hardware and software solutions that do a MUCH better job. When ABC school decides that they need a server and join all of their workstations to the domain, they don't always have the budget or knowledge to secure things. They know that they need to do some form of web filtering to maintain CIPA compliance.
 
Our company offers URL/Content filtering. The most common way that clients choose to implement this has been to use GPOs. So... Back to the question that I asked originally; is there a way (using built-in windows tools) to block this? If the answer is no, how can this not be a security flaw?
 
Brian
Sign In·View Thread·Permalink
GeneralRe: Not a security hole.membertalley26 Mar '08 - 11:47 
I think You are the one still missing the point.
 
GPO -> modifies GUI and misc. behavior.
 
If you want more security, then:
 
a) use software restriction policy
b) use MS ISA server
c) setup network/firewall restrictions on the network gateway
d) google etc
 
Trying to solve this problem with only GPOs is like trying to stop all kinds of intrusion (like spying, burglary, social stealth and so on) with only a dog.
 
talley
Sign In·View Thread·Permalink
QuestionRegistry value change???memberTom Maloney25 Mar '08 - 11:02 
All this code does is changing 1 well-known registry value. right?
Sign In·View Thread·Permalink
AnswerRe: Registry value change???memberxExTxCx25 Mar '08 - 11:09 
Tom Maloney wrote:
All this code does is changing 1 well-known registry value. right?

 

 
Interestingly enough, yes. That is why I find it hard to believe that M$ has not patched this yet. I noticed this after responding to another user about adding a proxy changing function to this app: http://www.codeproject.com/KB/dotnet/NetProfiles.aspx
 
I created the GPOs in question and found that you can indeed bypass any GUI locking that the GPO setup. I understand that the code itself is not too interesting, but the implications in the education (k-12) sector are profound. This registry change is not blocked by the GPO and can cause a school to no longer be CIPA compliant. D'Oh! | :doh:
 
Brian
Sign In·View Thread·Permalink
GeneralRe: Registry value change???memberRMan3268325 Mar '08 - 11:19 
It seems to me if you can run an arbitrary program in the first place, this becomes somewhat of a moot issue, as the arbitrary program could be Opera or Firefox (Or even Lynx under Cygwin), and those would gladly ignore this setting.
 
The better option for preventing this is to run a transparent proxy, with all web traffic being routed to that through firewall rules.
Sign In·View Thread·Permalink
GeneralRe: Registry value change???memberxExTxCx25 Mar '08 - 11:22 
Agreed. I mention this because I work in education. About 90% of the clients that I support use a GPO to set the proxy and block the UI. Most also setup Explorer Blocked Execution to prevent shell execution of the popular browsers. The remaining 10% seem to be doing things the right way.
 
Brian
Sign In·View Thread·Permalink
Last Visit: 31 Dec '99 - 18:00     Last Update: 25 May '13 - 10:44Refresh1

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

About Article
Disables GPO enforced proxy server, even if the GPO locks the GUI
Type Article
Licence CPOL
First Posted 25 Mar 2008
Views 54,153
Downloads 567
Bookmarked 20 times
Top News

Old Japanese Man Creates Amazing Art Using Excel (Wait, Excel?)

Get the Insider News free each morning.
Related Videos
jQuery - 0408 Disabling Animations
Enabling and Disabling Rotation
SOCKS Proxy + SSL Tunnel
Push and Run .NET Code on Remote Machine
Emit Proxy
TFS Proxy Efficiency Testing
Protect non-.NET Assets Using a .NET Reverse Proxy with Forms Authentication and ISAPI
Dynamic/Transparent Proxy using DynamicProxy.NET
Dynamic Proxy Creation Using C# Emit
Introducing Investigo: Using a Proxy DLL and embedded HTTP server for DirectX9 Performance Analysis, Debugging and Automated Performance Testing.
Fast, Scalable, Streaming AJAX Proxy - continuously deliver data from across domains
How to make your Web Reference proxy URL dynamic
A Pure .NET Single Instance Application Solution
Working with SQL Server Logins
Debugging SSL on Both iOS Devices and Simulators with Man-in-the-middle Proxies
SQL Server Agent Proxy
Exploring Caching in ASP.NET
Introduction to .NET Web Services
SwitchNetConfig - Laptop users, quickly switch network and proxy configuration in different places
CAsyncSocketEx - Replacement for CAsyncSocket with proxy and SSL support
CAsyncProxySocket - CAsyncSocket derived class to connect through proxies
Introducing the LinFu Framework, Part I - LinFu.DynamicProxy: A Lightweight Proxy Generator
Permalink | Advertise | Privacy | Mobile
Web02 | 2.6.130523.1 | Last Updated 25 Mar 2008
Article Copyright 2008 by xExTxCx
Everything else Copyright © CodeProject, 1999-2013
Terms of Use
Layout: fixed | fluid