How does one add services to the Windows Firewall trust list, or prompt the user to do the same? - windows

I integrated a small http server in my software distribution, intended to allow access to my installed application from the customer's LAN.
Right now, the customer has to manually update the firewall's list of trusted applications. I want to either open a hole in the firewall at install-time, or to ensure that the firewall prompts the user to allow my web server as a trusted application, able to receive inbound traffic.
Any solution should work with the built-in Windows Firewall at minimum.
Suggestions?

I would start out by reading up on the following sections on MSDN. This should give you enough background to know what you need. In short, you could be looking to talk to the INetFwMgr COM object.
XP (INetFwMgr):
http://msdn.microsoft.com/en-us/library/windows/desktop/aa366453%28v=vs.85%29.aspx
Vista or later (INetFwPolicy2):
http://msdn.microsoft.com/en-us/library/windows/desktop/ff956124(v=vs.85).aspx

Related

Edge AJAX calls fail to a domain with SSL pointing to localhost

We have a product which relies on a thin client installed on users' machines. We make an AJAX GET request to a domain pointing to localhost which has a real SSL certificate. This fails in Edge, but works in every other browser including IE11. Note that the same works if there is no SSL involved. It also works on Windows 10 Home edition.
Adding a datatype, content-type or request method does not resolve this. The only way to fix this seems to be running the following command.
CheckNetIsolation LoopbackExempt -a -n="Microsoft.MicrosoftEdge_8wekyb3d8bbwe"
If this is expected behavior, can someone explain why Microsoft would block this on an enterprise version but it works on the Home edition?
Microsoft Edge, and Windows 10 apps in general, use AppContainer Isolation:
Isolating the application from network resources beyond those specifically allocated, AppContainer prevents the application from 'escaping' its environment and maliciously exploiting network resources. Granular access can be granted for Internet access, Intranet access, and acting as a server.
Your thin client is running on Windows 10 Enterprise Edge against an intranet SSL service (localhost), so access is by default restricted by this mechanism. With the command
CheckNetIsolation LoopbackExempt -a -n="Microsoft.MicrosoftEdge_8wekyb3d8bbwe"
you are disabling network isolation on that host for the loopback network adapter (localhost) for MS Edge, so your app client (and any other locally sourced app) can run on it without restriction against any localhost service.
This fails in edge, works in every other browser including IE11.
They clearly wanted to improve the default security policy of previous versions. It's never too late, MS :) There is actually an Enhanced Protected Mode (EPM) that could prevent your app from running on IE too. Chrome has its Google Chrome Sandbox that can also be tuned like this. Safari and Firefox also have sandboxing features, although I am not familiar with their particularities.
Note that the same works if there is no SSL involved.
Typically, if you are using SSL it is because you are dealing with sensitive data and/or a critical service. If you are not, it is ok to be more lax. Again, just a matter of security policy.
It also works on Windows 10 Home edition. If this is expected behavior, can someone explain why microsoft would block this on a enterprise version but it works on home edition?
Enterprise versions of any product are known to be more restrictive since their target users are more security concerned (IT people typically don't want to expose their company's intranet payroll db service to external attackers, and things like that). Also, in this case the default behavior can be easily defined/altered by experts on the IT department (check out domain security policies) so it's better to leave the default settings to "paranoid" mode and let the experts tweak according to the company's needs.
Note there are other mechanisms at work when you are running a thin client on the browser that make this kind of protection redundant (same domain policy, XSS protection and so on). Nevertheless one can never be too safe: There are ways to work around those defenses such as Self-XSS that require isolation between the browser and the local network to avoid compromising the system. In the end, less exposed surface means less attack vectors, so isolation is good if you can afford it :)
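The loopback exemption described in the answer above, as an added PowerShell example that is not part of the original post: it looks up Edge's package family name instead of hard-coding it, checks whether the exemption is already present, and grants or revokes it. Adding and removing exemptions needs an elevated prompt. The check against the `-s` listing is a plain substring match, an assumption chosen so it does not depend on the exact output layout of CheckNetIsolation.

```powershell
# Added example (not from the original answer): manage the AppContainer loopback
# exemption that 'CheckNetIsolation LoopbackExempt -a -n=<family name>' sets.
# Run elevated for Grant-/Revoke-. The substring match on the '-s' listing is an
# assumption about the tool's output; the package name is the UWP Edge package.

function Get-EdgePackageFamilyName {
    # Package family name = package name + publisher hash,
    # e.g. Microsoft.MicrosoftEdge_8wekyb3d8bbwe
    $pkg = Get-AppxPackage -Name 'Microsoft.MicrosoftEdge' | Select-Object -First 1
    if (-not $pkg) { throw 'Microsoft.MicrosoftEdge (the AppContainer-hosted Edge) is not installed' }
    $pkg.PackageFamilyName
}

function Test-LoopbackExempt {
    param([Parameter(Mandatory=$true)][string]$FamilyName)
    # '-s' lists the AppContainers currently exempted from loopback isolation
    $listing = (& CheckNetIsolation.exe LoopbackExempt -s 2>&1) -join "`n"
    [bool]($listing -match [regex]::Escape($FamilyName))
}

function Grant-LoopbackExempt {
    param([Parameter(Mandatory=$true)][string]$FamilyName)
    if (Test-LoopbackExempt $FamilyName) { return 'already exempt' }
    # Pass '-n=<name>' as one argv token; a family name needs no extra quoting
    & CheckNetIsolation.exe LoopbackExempt -a "-n=$FamilyName" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "CheckNetIsolation failed with exit code $LASTEXITCODE" }
    'added'
}

function Revoke-LoopbackExempt {
    param([Parameter(Mandatory=$true)][string]$FamilyName)
    if (-not (Test-LoopbackExempt $FamilyName)) { return 'not exempt' }
    & CheckNetIsolation.exe LoopbackExempt -d "-n=$FamilyName" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "CheckNetIsolation failed with exit code $LASTEXITCODE" }
    'removed'
}

# --- usage ---
# $pfn = Get-EdgePackageFamilyName
# Grant-LoopbackExempt $pfn     # during thin-client installation
# Test-LoopbackExempt $pfn      # -> True
# Revoke-LoopbackExempt $pfn    # on uninstall: do not leave the exemption behind
```

The exemption is per AppContainer, not per site: once granted, Edge can reach every service listening on loopback, not only the thin client's. Treat it like the firewall exception in the first question, grant it at install time and revoke it at uninstall, rather than leaving it as a permanent one-off fix.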

Windows Server 2008 System Specific Remote

I have a server which runs Windows Server 2008 R2 Standard. I have admin rights and I can log in through Remote Desktop Connection and access the server.
I want to create an account so that my office staff can access it (restricted access), and only from office systems. I do not want access from any other location.
Is it possible?
Thanks,
GR
There are several ways to lock down and secure the RDP services of a particular machine. As with most local services and GPO settings, Windows is quite good at making it easy to tailor permissions by user, computer and group.
First off, I would personally add RDP permissions on a per-user basis, rather than giving staff members one central login to use. There are several reasons for this, mostly down to ease of use and system security.
In the "System Properties" of the Windows Server, I assume you've ticked the box to allow an RDP connection to the server. Just under that there's a checkbox you should tick in order to only allow connections with NLA (Network Level Authentication). Proceed to "Select Users" and choose the staff you wish to give RDP permissions to.
I'm going to assume that your RDP connection is working, as you've stated that you're able to connect, so we'll leave local RDP GPO settings and initial Windows Firewall configuration aside; please leave a comment if you'd like me to include them.
In the Windows Firewall for the server, on the Exceptions tab, edit the settings for Remote Desktop Connection. Click "Change Scope" and tick the box that says "My network (subnet) only".
This will only allow RDP connections from local machines within the server's subnet (office machines) and connections from the users you specified earlier on (office staff).
As for the restricted access part, short of making a new local limited user on the server there's not much you can do to protect everything.
I hope this clears it up for you.

Configure Internet option from remote for windows 8

I want to configure Internet options remotely for Windows 8. For example, some PCs have two accounts, say admin and user. All PCs are connected via LAN to a server. How do I disable and enable Internet access from a centralized server for only those users who have logged in via the 'user' account? I'm asking about Windows 8 machines.
The best way would be some kind of centralized authentication and authorization,
like Microsoft Active Directory or an OpenLDAP server.
Next you would need a proxy server where every program/user has to authenticate to open up a new connection to the outside world.
Another approach could be some kind of captive portal on your router (pfSense does this pretty easily and fast) for authentication.
This could also be paired with centralized user management or just local users.
Local users (on every machine) have the problem that none of the settings and properties, such as passwords, can be synchronized and have to be set by hand on every machine.

Corporate proxy block all traffic except HTTP through a proxy server. How to use GEM or SVN, etc in Windows?

Our development team has spent countless hours setting up our individual Windows PCs to work with the corporate network. We work in a large company with tons of bureaucracy involved, which includes network access.
Youtube, Twitter, Facebook, and many programming/forums websites are blocked due to faulty filtering settings, so are many other useful sites for coding.
To get this policy fixed will take months. We are trying to use Ruby Gems, SVN, and GIT, and many other command line tools that won't work due to network restrictions.
Question: Is there a way to socksify the entire Windows environment, so we don't have to individually set the proxy for each individual app?
Our environment is Windows XP.
Thanks,
-John
San Jose, California
Most applications on Windows that use sockets go through the standard WinInet stack. Setting a proper proxy for Internet Explorer actually sets it for the whole WinInet stack as well, so it should work for other apps too.
Note however that you need to explicitly open the Advanced dialog for the proxy settings in IE and uncheck the "Use the same proxy server for all protocols" checkbox to be able to enable SOCKS support. Otherwise, the proxy settings only affect a couple of protocols, so you would still need to configure your tools to use http: instead of tool-specific protocols like svn:.
If one of you can share his or her net access from home and can operate a PC there as a "server", then you can set up a HTTP tunnel using SSH. See details here: http://www.buzzsurf.com/surfatwork/ or google "how to bypass firewalls at work".
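The per-protocol proxy setting the answer above describes, as an added PowerShell example that is not part of the original answer: it writes the WinInet values the IE dialog writes (the registry equivalent of unticking "Use the same proxy server for all protocols"), reads them back, and then configures the tools named in the question that do not go through WinInet. git (libcurl) and RubyGems honour the http_proxy family of environment variables, and Subversion reads its own servers file; none of them pick up the IE setting on their own. Proxy hostnames and ports are illustrative assumptions.

```powershell
# Added example (not from the original answer): set the WinInet proxy in its
# per-protocol form, read it back, and point git, RubyGems and Subversion at the
# same proxy. Hostnames and ports below are assumptions; substitute your own.

$WinInetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Set-WinInetProxy {
    param(
        [Parameter(Mandatory=$true)][string]$HttpProxy,   # host:port used for http/https/ftp
        [string]$SocksProxy = '',                         # host:port, optional
        [string[]]$Bypass = @('<local>')                  # '<local>' = do not proxy single-label hosts
    )
    # 'http=a:1;https=a:1;ftp=a:1;socks=b:2' is the per-protocol ProxyServer syntax
    $entries = @("http=$HttpProxy", "https=$HttpProxy", "ftp=$HttpProxy")
    if ($SocksProxy) { $entries += "socks=$SocksProxy" }
    Set-ItemProperty -Path $WinInetKey -Name ProxyEnable   -Value 1 -Type DWord
    Set-ItemProperty -Path $WinInetKey -Name ProxyServer   -Value ($entries -join ';') -Type String
    Set-ItemProperty -Path $WinInetKey -Name ProxyOverride -Value ($Bypass -join ';')  -Type String
}

function Get-WinInetProxy {
    # Returns a hashtable keyed by protocol ('all' when the single-proxy form is in use)
    $p = Get-ItemProperty -Path $WinInetKey
    $map = @{}
    if ($p.ProxyEnable -eq 1 -and $p.ProxyServer) {
        foreach ($entry in ($p.ProxyServer -split ';')) {
            if ($entry -match '^(\w+)=(.+)$') { $map[$matches[1]] = $matches[2] }
            elseif ($entry) { $map['all'] = $entry }
        }
    }
    $map
}

function Set-ToolProxy {
    param([Parameter(Mandatory=$true)][string]$HttpProxy)
    $url = "http://$HttpProxy"
    # git (libcurl) and gem read these; WinInet does not, so both settings are needed
    foreach ($n in 'HTTP_PROXY', 'HTTPS_PROXY', 'http_proxy', 'https_proxy') {
        [Environment]::SetEnvironmentVariable($n, $url, 'User')
    }
    [Environment]::SetEnvironmentVariable('NO_PROXY', 'localhost,127.0.0.1', 'User')
    if (Get-Command git -ErrorAction SilentlyContinue) {
        & git config --global http.proxy $url   # explicit git setting, same effect as the variable
    }
    # Subversion reads %APPDATA%\Subversion\servers; only create it when absent
    $proxyHost, $proxyPort = $HttpProxy -split ':'
    $svnDir     = Join-Path $env:APPDATA 'Subversion'
    $svnServers = Join-Path $svnDir 'servers'
    if (-not (Test-Path $svnServers)) {
        if (-not (Test-Path $svnDir)) { New-Item -ItemType Directory -Path $svnDir | Out-Null }
        @('[global]',
          "http-proxy-host = $proxyHost",
          "http-proxy-port = $proxyPort",
          'http-proxy-exceptions = localhost, 127.0.0.1') | Set-Content -Path $svnServers
    } else {
        Write-Warning "$svnServers already exists; add http-proxy-host/port under [global] by hand"
    }
}

# --- usage ---
# Set-WinInetProxy -HttpProxy 'proxy.corp.example:8080' -SocksProxy 'proxy.corp.example:1080'
# Get-WinInetProxy      # @{http=...; https=...; ftp=...; socks=...}
# Set-ToolProxy -HttpProxy 'proxy.corp.example:8080'
```

The user-level environment variables only reach processes started after the change, so open a new console before testing gem or git. Keep `<local>` and the NO_PROXY entries: without them, requests to localhost services are sent to the corporate proxy, which is both slower and a data-leak path for anything you run locally.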

How do you add firewall permission to an app during installation?

I've heard that you can, during installation, add an exception for your app to give permission for it to access the internet through the firewall.
Anyone know how to do this?
The alternative in many cases is to suggest that users disable the firewall entirely, or OK the prompt Windows raises when your server ports begin to listen. Both of these are bad options: one risks leaving the machine open to anything, and the other trains them to approve security prompts uncritically.
You could easily have your applications add and remove themselves as firewall exceptions. They could even disable/enable the firewall, a really bad idea. But it's usually a better idea to add and remove exceptions as part of install/uninstall operations.
One place where Microsoft describes the process is Windows Firewall for Game Developers.
If your security is so poor you rely on a software firewall alone for protection you can always set "no exceptions" mode on the firewall. Of course this reduces your users to passive consumers of Internet services, à la broadcast television reception.
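Both this answer and the first one on this page point at the INetFwPolicy2 COM interface without showing it, and the RDP answer describes the same "Change Scope" restriction by hand. The following is an added PowerShell example, not code from any of the answers, that does all three through that interface (ProgIDs HNetCfg.FwPolicy2 and HNetCfg.FWRule, Vista/Server 2008 and later): it adds a per-application inbound rule scoped to the local subnet at install time, removes it at uninstall, and narrows the remote scope of an existing rule. Rule names, the executable path and the port are illustrative assumptions; it must be run from an elevated prompt.

```powershell
# Added example (not from the original answers): manage per-application rules
# through INetFwPolicy2, the COM interface the answers refer to. The numeric
# constants are the documented NET_FW_* values. Run elevated. Rule names, paths
# and ports are illustrative assumptions.

$NET_FW_IP_PROTOCOL_TCP = 6
$NET_FW_RULE_DIR_IN     = 1
$NET_FW_ACTION_ALLOW    = 1
$PROFILE_DOMAIN, $PROFILE_PRIVATE, $PROFILE_PUBLIC = 1, 2, 4

function Get-FirewallPolicy { New-Object -ComObject HNetCfg.FwPolicy2 }

function Get-FirewallState {
    # Which profiles are active right now and whether the firewall is on for each
    $policy = Get-FirewallPolicy
    foreach ($p in @(@{Id=$PROFILE_DOMAIN;  Name='Domain'},
                     @{Id=$PROFILE_PRIVATE; Name='Private'},
                     @{Id=$PROFILE_PUBLIC;  Name='Public'})) {
        New-Object PSObject -Property @{
            Profile = $p.Name
            Active  = [bool]($policy.CurrentProfileTypes -band $p.Id)
            Enabled = $policy.FirewallEnabled($p.Id)
        }
    }
}

function Add-AppInboundRule {
    param(
        [Parameter(Mandatory=$true)][string]$Name,     # rule name; also the key used on uninstall
        [Parameter(Mandatory=$true)][string]$ExePath,  # full path of the listening executable
        [int]$Port = 0,                                # 0 = any port this exe listens on; prefer a fixed one
        [string]$RemoteAddresses = 'LocalSubnet',      # 'LocalSubnet', a CIDR list, or '*'
        [int]$Profiles = ($PROFILE_DOMAIN -bor $PROFILE_PRIVATE)   # deliberately not Public
    )
    if (-not (Test-Path -LiteralPath $ExePath)) { throw "Executable not found: $ExePath" }
    $policy = Get-FirewallPolicy
    Remove-AppInboundRule -Name $Name      # idempotent: an upgrade replaces the old rule

    $rule = New-Object -ComObject HNetCfg.FWRule
    $rule.Name            = $Name
    $rule.Description     = "Inbound TCP to $ExePath from $RemoteAddresses"
    $rule.ApplicationName = $ExePath       # matched against the process image path
    $rule.Protocol        = $NET_FW_IP_PROTOCOL_TCP
    if ($Port -gt 0) { $rule.LocalPorts = "$Port" }
    $rule.RemoteAddresses = $RemoteAddresses
    $rule.Direction       = $NET_FW_RULE_DIR_IN
    $rule.Action          = $NET_FW_ACTION_ALLOW
    $rule.Profiles        = $Profiles
    $rule.Enabled         = $true
    $policy.Rules.Add($rule)
    return $rule
}

function Remove-AppInboundRule {
    param([Parameter(Mandatory=$true)][string]$Name)
    $policy = Get-FirewallPolicy
    # INetFwRules.Remove() removes one rule per call; loop in case of duplicates
    while (@($policy.Rules | Where-Object { $_.Name -eq $Name }).Count -gt 0) {
        $policy.Rules.Remove($Name)
    }
}

function Set-RuleRemoteScope {
    # Programmatic equivalent of "Change Scope" on an existing (built-in) rule
    param([Parameter(Mandatory=$true)][string]$Name,
          [Parameter(Mandatory=$true)][string]$RemoteAddresses)
    $policy = Get-FirewallPolicy
    $hits = @($policy.Rules | Where-Object { $_.Name -eq $Name })
    if ($hits.Count -eq 0) { throw "No rule named '$Name'" }
    foreach ($r in $hits) { $r.RemoteAddresses = $RemoteAddresses }   # live objects; no Add() needed
    $hits.Count
}

# --- usage (elevated) ---
# Get-FirewallState
# Add-AppInboundRule -Name 'MyApp Web (TCP-In)' -ExePath 'C:\Program Files\MyApp\myapp-web.exe' -Port 8080
# Set-RuleRemoteScope -Name 'Remote Desktop (TCP-In)' -RemoteAddresses 'LocalSubnet'   # assumed built-in rule name
# Remove-AppInboundRule -Name 'MyApp Web (TCP-In)'   # from the uninstaller
```

Three choices in the rule are the ones worth keeping when you adapt it: the rule is bound to the executable and to one port rather than to a port alone, the remote scope defaults to the local subnet rather than `*`, and the Public profile is left out so a laptop on a coffee-shop network does not expose the service. An installer that runs this at install time and calls the removal at uninstall gets the behaviour the answer recommends without ever asking the user to click through the listen-time prompt.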
