Security

Security Overview
Web Proxy Security
WinSock Proxy Security
Securing Your Network

Security Overview

Microsoft Proxy Server provides a secure gateway between your private network and the Internet. As a network administrator, you can use the default configuration to set up Microsoft Proxy Server quickly. Once the server is installed, you can enable Windows-based clients on your private network to access Internet services without risking the security of your private network. You can closely administer Microsoft Proxy Server services to grant or deny access to users, services, ports, or domains you that you specify.

When Microsoft Proxy Server is first installed, Internet users are prevented from connecting to your private network by:

• Disabling IP forwarding on the server   IP forwarding (IP routing) normally allows packets to be forwarded on the internal network. By disabling this feature for the server, all connections must be placed remotely by using the Microsoft Proxy Server.

• Denying listening on inbound service ports   This prevents Internet users from initiating connections on any service ports you do not specifically enable inbound access to.

Web Proxy Security

About Web Proxy Security
Setting Access Control for the Web Proxy Service
How Anonymous Logon Works
How Basic Authentication Works
How Windows NT Challenge/Response Authentication Works

About Web Proxy Security

The Web Proxy service uses the same password authentication options for client requests as those allowed by the WWW service of Internet Information Server (IIS).

A client logon request occurs whenever a client request is forwarded to a Server using IIS or Microsoft Proxy Server. The logon process is used to determine if the client is allowed or denied access to a resource on the server requested by the client. An authentication is a server mechanism used to validate users when processing logon requests. An authentication can be as simple as assigning and encoding a password for the user or it can involve several secure and encrypted process communications between the client and server.

In addition to the options for authenticating users, Web Proxy offers the option to enable or disable access control. For simplified management of the Web Proxy service, you can disable access control. This is useful if anonymous user access is all that is needed for users on your network. For management of individual users on your network, access control can be enabled so that you can fully administer individual security for each user on your network.

When access control is enabled, Web Proxy clients on your network are verified by using a combination of Web Proxy service permissions and the password authentication settings applied for IIS services. The password authentication options for IIS users include the following:

• Anonymous Logon   This is a standard way to provide a single guest user account that is assigned reading and browsing privileges only. This account allows shared access for all users who request published documents on an Internet server.

• Basic Authentication   This is a standard way to validate HTTP users by using encoded clear-text passwords and user names. This type of authentication is specified in HTTP standards established by the World Wide Web Consortium (W3C) and the Conseil Europeen pour la Recherche Nucleair (CERN).

• Challenge/Response Authentication   This is a secure standard for validating clients that Microsoft has developed. This type of authentication is very secure and uses encryption to transmit security information. It can be enabled for client browsers that support this level of authentication, such as Internet Explorer 3.0.

Authentication is set within the Service property sheet of the WWW service of IIS. The option to enable or disable access control for Web Proxy is set within the Permissions property sheet of the Web Proxy service. Both of these services are configured by using Internet Service Manager.

Setting Access Control for the Web Proxy Service

You can use Web Proxy access control to select whether to administer service permissions individually by user, or allow all users to use the Web Proxy service. When access control is enabled, verification is done on each Web Proxy request to determine if the user has appropriate permissions assigned for the type of service being requested. When access control is disabled, the Web Proxy service ignores user permission settings, and all requests are accepted. For more information on how to set access control for Web Proxy, see “Configuring the Web Proxy Service.”

How Anonymous Logon Works

Anonymous logon is a method that uses a standard logon account to provide guest access to resources on the Internet. To establish anonymous logon, a user account is first created and assigned limited privileges on a server. In standard TCP/IP, the user name for this account is “anonymous.” “Anonymous” is entered at a server logon prompt. The server will then prompt for an e-mail name be entered as a logon password. Once the user has completed the “anonymous” logon, rights granted are typically read-only access to limited sets of files and directories.

When Server is first installed with Internet Information Server (IIS), IIS creates a default anonymous user account named IUSR_computername, where computername is the NetBIOS name for the server. This account is allowed permissions by default to the Web Proxy service. This user does not need to be assigned further user permissions in the Web Proxy service properties to enable anonymous logon for proxy users.

The IIS WWW service provides three authentication check boxes: Allow Anonymous, Basic (Clear-Text), and Challenge/Response. If you select Allow Anonymous without also selecting one of the other types of authentication, the following occurs:

• The Web Proxy service services all user requests
• All included items on the Permissions property sheet are disabled; Web Proxy service ignores these settings.

Warning   If anonymous logon is allowed, all client applications use it. To force proxy users to log on with an account and password, disable anonymous logon. You can still grant unrestricted access to the Web Proxy service by disabling access control in the Permissions property sheet.

To enable anonymous logon to Microsoft Proxy Server

1. From Internet Service Manager, double-click the computer name next to the WWW service.

   The WWW Service Properties window is displayed.

2. Click the Allow Anonymous check box in the Password Authentication section to select it.

3. Click Apply, and then click OK. 
   
   

How Basic Authentication Works

What is Basic Authentication?
Enabling Basic Authentication

What is Basic Authentication?

Basic authentication is a standard HTTP mechanism that sends and receives user information as clear text. (The term clear text indicates data is transmitted as clearly readable text characters rather than binary bit-streamed information, which is not text-formatted.) Passwords and user names are encoded but not encrypted in this type of authentication.

Basic authentication is used by Web Proxy service when:

• The Basic (Clear Text) check box is selected on the Service property sheet in WWW service properties.
• The server and client are both enabled to use Challenge/Response authentication.
• The client request could not be processed by using anonymous logon account.
• The Enable Access Control check box on the Permissions property sheet for the Web Proxy service properties is selected.

In basic authentication, the client is responsible for prompting the user for user name and password credentials. The credentials are then encoded and sent to the server. The user name must be an account on the computer running IIS or in a trusted domain of that computer. When using a trusted domain account, the user name must contain the domain name in the following format.

username=domain\account

Warning   User credentials can be decoded easily by using widely available utilities (such as UUdecode). For some client types, such as UNIX-based Web clients, basic authentication is the only available means of establishing password-required access to Web published document files. If you allow access from the Internet to Microsoft Proxy Server or another Windows NT-based server on your private network, HTTP basic authentication offers poor security.

If you need to support other client types that are not Windows-based, you should consider a supplementary encryption method. If your network supports only Windows-based clients, you should use a more secure authentication mechanism that supports link encryption, such as Challenge/Response authentication.

Enabling Basic Authentication

To enable basic authentication, create a local group and grant it permission to use a Web Proxy protocol (FTP, Gopher, or HTTP, or Secure). Users are then granted access by assigning each user membership in this local group. To create and modify groups and user accounts, use User Manager for Domains. For more information, see your documentation for .

To enable basic authentication for use with Microsoft Proxy Server

There are two ways to enable basic authentication. Use the following simple procedure to require basic authentication for all users. You can also use the complex procedure to allow anonymous logon for specific users and require basic authentication for all other users.

Simple:

1. From Internet Service Manager, double-click the computer name next to the WWW service.

2. Select the Basic (Clear Text) check box in the Password Authentication section.

3. Clear the Challenge/Response check box.

4. Clear the Allow Anonymous check box.

5. Click Apply, then click OK.

6. Double-click the computer name next to the Web Proxy service.

7. Click the Permissions tab.

8. Set access control for users.

   To allow all users rights to all Web Proxy services (FTP, Gopher, WWW, Secure), clear the Enable Access Control check box.

   To set limited user access to Web Proxy services, select the Enable Access Control check box. If you enable access control, you will need to assign user permissions for access rights to each service. For information about assigning permissions, see “Configuring the Web Proxy Service.”

9. Click Apply, and then click OK.
   
   

Complex:

1. From Internet Service Manager, double-click the computer name next to the WWW service.

2. Select the Basic (Clear Text) check box in the Password Authentication section.

3. Clear the Challenge/Response check box.

4. Select the Allow Anonymous check box.

5. Click Apply, and then click OK.

6. Double-click the computer name next to the Web Proxy service.

7. Click the Permissions tab.

8. Select the Enable Access Control check box.

9. Add users to permissions lists for Web Proxy services (FTP Read, Gopher, WWW, Secure).

   For information about assigning permissions, see “Configuring the Web Proxy Service.”

10. Add the IUSR_computername user to permissions lists for Web Proxy services that will allow anonymous use.

11. Click Apply, and then click OK.

How Challenge/Response Authentication Works

What is Challenge/Response Authentication?
Enabling Challenge/Response Authentication

What is Challenge/Response Authentication?

Challenge/Response authentication is a security mechanism. Unlike basic authentication, which forwards user names and passwords as clear-text from client to server, Challenge/Response authentication follows a more complex process that requires multiple communications between the client and server. Microsoft Internet Explorer 3.0 supports Challenge/Response authentication with Microsoft Proxy Server.

Challenge/Response authentication works within the security model to provide a transparent logon procedure for clients. In a challenge-and-response sequence, the client computer uses its established user logon information to identify itself to the server. The user is not prompted to enter these user credentials. Instead, the information is available after the user first logs on to a Windows NT-based computer.

Challenge/Response authentication only works where the client and server computers are located in the same or trusted domains.

Enabling Challenge/Response Authentication

To enable Challenge/Response authentication for Web Proxy

There are two ways to enable Challenge/Response authentication.Use the following simple procedure to require Challenge/Response authentication for all users. You can also use the complex procedure to allow anonymous logon for specific users and require Challenge/Response authentication for all other users.

Simple:

1. From Internet Service Manager, double-click the computer name next to the WWW service.

2. Select the Challenge/Response check box in the Password Authentication section.

3. Clear the Allow Anonymous check box.

4. Click Apply, and then click OK.

5. Double-click the computer name next to the Web Proxy service.

6. Click the Permissions tab.

7. Set access control for users.

   To allow all users access to Web Proxy services (FTP, Gopher, WWW, Secure), clear the Enable Access Control check box.

   To set limited user access to Web Proxy services, select the Enable Access Control check box. If you enable access control, you need to assign user permissions for access rights to each service. For information about assigning permissions, see “Configuring the Web Proxy Service.”

8. Click Apply, and then click OK.

Complex:

1. From Internet Service Manager, double-click the computer name next to the WWW service.

2. Select the Challenge/Response check box in the Password Authentication section.

3. Clear the Basic (Clear Text) check box.

4. Select the Allow Anonymous check box.

5. Click Apply, and then click OK.

6. Double-click the computer name next to the Web Proxy service.

7. Click the Permissions tab.

8. Select the Enable Access Control check box.

9. Add users to permissions lists for Web Proxy services (FTP Read, Gopher, WWW, Secure).

   For information about assigning permissions, see “Configuring the Web Proxy Service.”

10. Add the IUSR_computername user name to permissions lists for Web Proxy services that will allow anonymous use.

11. Click Apply, and then click OK.

For Challenge/Response authentication to be used, the Web browser for each client must support it. Currently, Microsoft Internet Explorer 3.0 is the only browser that supports this option with Microsoft Proxy Server. For more information, on enabling Web Proxy service for clients using Internet Explorer 2.0 or later, see “Setting Up Clients.” 

WinSock Proxy Security

How WinSock Proxy Security Works
Setting Access Control for WinSock Proxy
Assigning Permissions for WinSock Proxy Users
Considerations for WinSock Proxy Security

How WinSock Proxy Security Works

The WinSock Proxy service provides secure communication between your network and remote Internet computers that support Windows Sockets applications. It uses Challenge/Response authentication to authenticate all users (when access control is enabled).

Also, to enhance security you can use WinSock Proxy as an IP application gateway for IPX networks. This allows IPX/SPX clients on an internal network to access TCP/IP resources on an external network. An application level proxy uses two separate service connections: an IPX connection on the internal network between the WinSock Proxy server and client, and an IP connection between the WinSock Proxy server and a remote server on the Internet. Because separate connections and different routing protocols are used on the internal and external networks, the risk of outside intrusion is reduced. Only the computer running Microsoft Proxy Server is visible to other Internet servers.

Note   WinSock Proxy and Multi-Protocol Routing (MPR), a routing service provided with Server 4.0, use different methods for handling network communications and establishing IPX-to-IP connectivity.

The WinSock Proxy service uses application-level proxy over two separate virtual circuits. MPR uses protocol conversion processes where multiple routing protocols are in use (also known as tunneling) to communicate over a single virtual circuit.

Setting Access Control for WinSock Proxy

You can use WinSock Proxy access control to select whether to administer service permissions individually by user, or allow all users to use the WinSock Proxy service.

• When access control is enabled, verification is done on each WinSock Proxy request to determine if each user has appropriate permissions assigned for the type of protocol service being requested. You can control which application ports can be used and who can use them. Protocol port access for inbound and outbound connections and the ability to set user permissions by protocol allow you to restrict use of Windows Sockets applications between your network and the Internet. WinSock services, such as RealAudio, VDOLive, and Enliven protocols, can be administered to allow only specific users access through WinSock Proxy.

• When access control is disabled, the WinSock Proxy service does not verify users. In this case, any user permissions have no effect, and user permission settings are ignored. Access to all WinSock Proxy server ports and protocols is possible for valid users on the server computer.

For more information on setting access control for the WinSock Proxy service, see “Configuring the WinSock Proxy Service.”

Assigning Permissions for WinSock Proxy Users

Use the Permissions property sheet of the WinSock Proxy Service Properties window in Internet Service Manager to set permissions for WinSock Proxy users. For more information, see “Configuring the WinSock Proxy Service.”

Considerations for WinSock Proxy Security

When Modifying the Local Address Table
When Setting Port Protocol Permissions
When Setting TCP/IP Properties for Network Adapter Cards
When Running Microsoft Proxy Server in a Workgroup

When Modifying the Local Address Table

For security reasons, consider the following carefully when you are modifying the LAT:

• Do not add IP addresses for any devices connected to the same physical cabling segment used by the external network adapter card.

  This prevents possible connection leaks between the external and internal network, and requires all interconnection between external and internal clients to be established active security settings configured on the computer running Microsoft Proxy Server.

• Check that IP addresses for the server’s adapter cards are correctly stated for the LAT.

  If two or more network adapter cards are installed for the Microsoft Proxy Server, only IP addresses for cards connected to the internal network segment should be listed or included in the LAT. All cards used for connecting to the external segment should not be present in the LAT.

For more information on the LAT or how to modify it, see “Server Administration.”

When Setting Port Protocol Permissions

Ports serviced by WinSock Proxy are used by various TCP/IP applications for inbound or outbound connections. By default, inbound access is disabled for protocols that provide administrative access, such as Telnet or FTP.

Warning   Some TCP/IP applications that use TCP to transport data, such as Telnet and FTP, use clear text to send and receive user and password information. This information can be seen by others on the Internet. If you intend to use the Internet to pass discrete information between your network and other networks, you should implement further levels of encryption for your data.

If you choose to allow inbound access for these types of applications to your network from the Internet, be careful to:

• Set remote account restrictions in User Manager for Domains carefully.
• Enable access control for WinSock Proxy to specify and limit user permissions to the WinSock Proxy service.
• Do not use the Unlimited Access option to grant remote users permissions to WinSock Proxy service.

In most cases, remote Internet users should use restricted accounts that assign guest logon access or read-only file access on the server. Also, by enabling access control, permissions that are set for each defined WinSock Proxy protocol are applied to all users.

Warning   Do not provide Internet users the Unlimited Access option. When assigned, this option allows a user full control to use any protocols or ports with WinSock Proxy service, including those that are not defined. For this reason, be cautious in assigning this permissions option to users.

When Setting TCP/IP Properties for Network Adapter Cards

Server 4.0 provides additional advanced options for securing TCP/IP networking, which can be used to provide further security for your network. Because WinSock Proxy service port options are set at a higher level (the application layer) and TCP/IP networking properties are set at a lower level (the network and transport layer), settings for TCP/IP Protocol Properties take precedence when enabling port access.

For more information on how to configure advanced security options for TCP/IP networking with Microsoft Proxy Server, see “Server Administration.” 

When Running Microsoft Proxy Server in a Workgroup

When the server running Microsoft Proxy Server is installed as part of a workgroup and is not part of a domain, the following considerations are in effect for configuring WinSock Proxy service access control:

• If the server is running the WinSock Proxy service with access control enabled, use User Manager to create an account on the server for each user who will be accessing the Internet through that server. Use User Manager to place those users in user groups, and then use Internet Service Manager to grant appropriate WinSock Proxy permissions to each group.

• If the server is running the WinSock Proxy service with access control disabled, users can access the server by using the server’s special Everyone account.

Securing Your Network

Restricting Inbound Access From the Internet
Restricting Outbound Access From Your Network

Microsoft Proxy Server offers default security that is probably sufficient to protect your network from outside intruders. In some installations, you may want more security to further protect your network from an anticipated intrusion.

The following sections discuss further considerations when restricting access to your local network from users on the Internet, and also from users located on other separate networks within your organization.

Restricting Inbound Access From the Internet

About Default Inbound Security From the Internet
Domain Planning Considerations

About Default Inbound Security From the Internet

When Microsoft Proxy Server is first installed, your network is secured from external users on the Internet in two ways: by disabling IP forwarding on the server and by disabling listening on inbound service ports.

IP forwarding is a TCP/IP routing feature of Server. If IP forwarding is enabled, Microsoft Proxy Server forwards all IP connection requests received on any of the server network ports. To prevent default forwarding of all IP requests, IP forwarding must be disabled.

With IP forwarding disabled, Microsoft Proxy Server sets network boundaries and controls IP traffic between the two server network ports. This configuration forces all connections between both network ports to be managed through either the Web Proxy service or WinSock Proxy service.

By disabling listening on inbound service ports, Internet users are prevented from initiating connections on any application service ports you do not specifically grant users permissions to use.

Domain Planning Considerations

In many cases, the preferred way to install Microsoft Proxy Server is to make it a stand-alone server in your current domain. However, if you have multiple domain servers within a larger private network, you can also consider setting up Microsoft Proxy Server as a Primary Domain Controller (PDC) within its own domain.

To install a new domain for Microsoft Proxy Server, set a single one-way trust relationship to another domain on your private network. In this relationship, the domain used for Microsoft Proxy Server is the trusting domain and another internal domain is specified as the trusted domain.

If there is an intrusion, having a separate domain limits access to the Microsoft Proxy Server. This is because no internal Windows NT-based servers trust the domain used for Microsoft Proxy Server. If other proxy servers are added, they can be included within the domain created for use with Microsoft Proxy Server.

For more information on setting trust relationships and understanding domains, see your documentation for Server.

Restricting Outbound Access From Your Network

Overview of Outbound Access Security Options
Filtering Access By DNS Domain Name
Filtering Access By IP Address
Using Groups to Assign Internal User Permissions

Overview of Outbound Access Security Options

This section covers considerations for securing access from your private network to other networks. Whether you are setting restrictions to the Internet or other networks in your organization, the same options are useful. These include setting domain filters and assigning user permissions to limit access by users on your network to another network.

When setting domain filters, both the Web Proxy and WinSock Proxy services can be set to have a default policy that grants or denies access to specific Domain Naming System (DNS) domains or IP addresses. You can then list exceptions to the policy.

Filters that are set for either service are applied for both the Web Proxy and WinSock Proxy services. Filtering can be set using the service properties for either service.

For user permissions, settings are specific to each service, and permissions must be set separately for the Web Proxy and WinSock Proxy services.

Filtering Access By DNS Domain Name

For both Web Proxy and WinSock Proxy services, outbound access can be restricted to Internet sites by setting filtering options for this purpose. Filtering can be applied to exclude access to a single computer, a group of computers, or entire DNS domain names that are reachable on the Internet by users on your network.

In most cases when establishing filtered access to remote Internet sites, applying filtering based on DNS domain names for specific sites will provide the best option for several reasons.

First, filtering by specified IP addresses may not work effectively because there may be several IP addresses answering to a given domain name. If you pick one address, you will miss the other addresses that mirror the same server content. Also, in some networks, IP addresses may be dynamically assigned by using Bootstrap Protocol (BOOTP) or dynamic host configuration protocol (DHCP) services. Where this occurs, the remote server’s IP address may change.

Filtering Access By IP Address

If you are managing a large private network that uses TCP/IP but does not connect to the Internet, you may find it more convenient to precisely filter access by entering specific IP addresses.

Although DNS filtering is simpler to manage and generally preferred where available, listing individual IP addresses for filtering is a valid option where DNS naming services are not managed on your network, and your private network uses static IP addressing.

Using Groups to Assign Internal User Permissions

When assigning permissions for the WinSock Proxy and Web Proxy services, it is recommended that you first use User Manager to create user groups for each common set of permissions that will be needed by users on your network. For most networks, this will greatly reduce the amount of time spent administering individual user permissions.

Groups can be created to manage and authorize Internet access for users selectively. Permissions by service for Web Proxy clients can include permission rights to use FTP, Gopher, HTTP, and Secure Sockets Layer (SSL) connections. To better understand how groups can be used in this way, it is useful to look at some examples of managing permissions with user groups.

For example, if you need to simplify assigning service permissions for each user to FTP, Gopher, and WWW services, you could create a group named Proxies and add this group to the permission rights listing for each of these three services using the Web Proxy service property sheet in Internet Service Manager. In the future, to provide individual users proxy access for all of these Internet protocol services, you would then only need to add each user once as a member to the Proxies group using the User Manager for Domains.

The same concept could apply for other service permissions by user that you want to create. Suppose you have a group of users that need to use SSL connections for access to the World Wide Web (WWW). For security reasons, these connections are not to use the default HTTP service port, port 80. By creating a group named Secure Proxies and adding this group permission rights to the Secure service in Internet Service Manager, you could add each user as a member to the Secure Proxies group.

For WinSock Proxy service users, protocol permissions can be managed by using the same strategy. If, for example, you wanted to assign a small group of users on your network access to real-time audio and video transmission, you could create a group AV Enabled and assign this group permission rights for RealAudio and VDOLive protocols by using the Permissions property sheet for WinSock Proxy service properties. Each multimedia user could then be provided access simply by being added to the AV Enabled group.

© 1996 by Microsoft Corporation. All rights reserved.