Detecting unauthorized access with Microsoft Proxy Server
Keep watch for intruders through some of the built-in Proxy Server settings in Microsoft BackOffice.
When it comes to protecting your network from Internet users with malicious intent, many administrators rely on expensive third-party software for their Internet firewall. However, if you have a copy of Microsoft BackOffice, you already have a copy of the Microsoft Proxy Server. In this article, we'll introduce you to Proxy Server. We'll then go on to explain some options you can use to configure it to act as an effective Internet firewall.
What is Proxy Server?
How does Proxy Server work?
If you're using static IP addresses, you can use ipconfig to see the TCP/IP configuration as the Windows server sees it. The information displayed isn't simply a regurgitation of what's inserted into the TCP/IP properties sheet--rather, it's a way to tell if Windows has accepted the address that you've used.
By default, ipconfig lists the IP address, subnet mask, and default gateway of each network adapter. If you require more detailed information, you can use the /all switch after the ipconfig command. Doing so will cause the ipconfig program to display more detailed information, such as the MAC address of each network card, and an indication of whether the address was provided by a DHCP server.
Like every other Internet firewall, a Proxy Server must have two NIC cards. One NIC card connects to your Internet connection; the other connects to a hub that links the server to the rest of your network. As such, the Proxy Server acts as a router that moves traffic back and forth between your local network and the Internet.
Because of the insecure nature of the Internet, only certain types of traffic should be able to move across the router. For example, you'd never want anyone who's trying to illegally access your network from across the Internet to get the IP address of any of your servers. Therefore, the Proxy Server hides every IP address on your network--except for its own--from the Internet. When a computer on your network needs to access an Internet resource, it contacts the Proxy Server. The Proxy Server then connects to the desired resource using its own IP address. Once the resource has been acquired, the requested information is routed back to the computer that originally requested it. And because no internal IP addresses ever reach the outside world, you can save money by using bogus IP addresses on every computer except for the Proxy Server.
Just as you don't want people on the Internet to find out the IP addresses of your servers, you don't want them to be able to snoop around on your network. To prevent this type of access, you must configure Proxy Server to disable all TCP/IP ports except ones needed.
When you initially set up your Proxy Server, it's safe to say that you'll do everything you can to make your proxy firewall secure. But how do you know if someone is trying to break in to your network, and what can you do about such an attempt?
You can easily accomplish intruder detection through some of the built-in Proxy Server settings. To adjust these settings, open Microsoft Management Console and load the appropriate snap-in. Proxy Server has three types of proxy agent: Web Proxy, Winsock Proxy, and Socks Proxy. Although these proxy agents control different areas of routing, the configuration options they contain are almost identical. Space restrictions prevent me from discussing each area in detail, so I'll use Winsock Proxy for my example. Just keep in mind that to have a truly secure Proxy Server, you must secure all three types of proxy agents.
To take a closer look at some of the security options, navigate to Console Root|Internet Information Server|your server|Winsock Proxy. Right-click on Winsock Proxy and select Properties from the resulting context menu. When you do, you'll see the Winsock Proxy Service properties sheet. Click the Security button on the Service tab to open the Security properties sheet. It contains several tabs that can be used to enhance network security, as long as the Proxy Server has direct Internet access. For example, you can use the Domain Filters tab to enable domain filtering. By doing so, you can either grant or deny access to all domains except the ones you specify.
The next step in determining whether anyone makes an attempt at accessing your network is to select the Alerting tab, which lets you trigger an alert based on various conditions (such as a rejected packet or a protocol violation). You can send the alert message via e-mail, or you can add the alert to the Windows NT event log. After establishing such settings, you can keep an eye out for these conditions. One or two isolated attempts probably don't mean anything--however, if you detect multiple attempts, you'll need to do something about it.
Disabling unnecessary protocols
|"Although users can be given unlimited access to protocols, I strongly recommend denying access to any protocol that your users don't require for their jobs. "|
One way of protecting your network if you detect an attack is to disable all TCP/IP ports and protocols that aren't absolutely necessary, including inbound and outbound protocols. To do so, return to the Winsock Properties sheet and select the Permissions tab. The Permissions tab contains a drop-down list of every protocol that Proxy Server knows about. To control which users are allowed to use a protocol, select a protocol from the drop-down list and click Edit. Although you can grant all your users unlimited access by using the Unlimited Access option, I strongly recommend denying access to any protocol that your users don't require for their jobs.
Adding and removing protocols
The next area that you should look at is the Protocols tab, which lists every protocol Proxy Server knows about. You can use this tab to add protocols or remove existing protocols. You can also change the port assignments for any given protocol. To do so, simply select the protocol and click Edit to display the protocol's initial connection port. You'll also see a list of port numbers that are allowed for inbound and outbound connections. I recommend disabling any inbound ports that aren't necessary. If you're feeling brave, you can get rid of unwanted protocols altogether. Whatever you decide to do, though, just be sure to make a backup first or to write down the settings you've changed--just in case you accidentally remove a required port or protocol, or if you need to use a specific port or protocol in the future. //
Brien M. Posey is an MCSE who works as a freelance writer and as the Director of Information Systems for a national chain of health care facilities. His past experience includes working as a network engineer for the Department of Defense. Because of the extremely high volume of e-mail that Brien receives, it's impossible for him to respond to every message, although he does read them all.