RE: FW: Unauthorised access

  • From: "William Robertson" <william.robertson@xxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 28 Nov 2002 09:40:41 +0200

Hi Neil

My opinion is the following:
As long as you have enabled the Rule#1 and Rule#2 as mentioned in my
previous post, if the last 2 fields are shown as "-", then that means
that the ISA Server did NOT permit the request as no matching Protocol
Rule and S&C Rule were found to authenticate the request.

So from the log that you included in your post my conclusion is that the
user was not able to surf the NASTY website.

You can of course also confirm this by going to that user's workstation
and trying to access the specific website, and then check your logs
again to see what ISA reported.

Cheers
William R.


-----Original Message-----
From: Sullivan, Neil (CALBRIS)
[mailto:Neil.Sullivan@xxxxxxxxxxxxxxxxxxxxxxx] 
Sent: 28 November 2002 09:08 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] FW: Unauthorised access




Bit more context for this one, I looked thru the logs again and this is
the tail end of the log. There are about a dozen or so of these, all
slightly different of course.
To me it seems the ISA returned no page to the user?
Should this have ever hit the logs? The user was resolved - not
anonymous..

IP.IP.IP.IP, Domain\User, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.1), -, 9/27/2002, 7:57:27, -, PROXY, -, -, -, 0, 125, 479, 0, -, -,
GET, http://www.nastyurl.com/images/page1_02.jpg, -, -, 12209, -, -, -

Is this correct behaviour? 



>  -----Original Message-----
> From:         Sullivan, Neil (CALBRIS)  
> Sent: Thursday, 28 November 2002 4:40 PM
> To:   [ISAserver.org Discussion List] (E-mail)
> Subject:      Unauthorised access
> 
> 
> Got a strange problem with an ISA SP1 Cache only server.
> 
> Access to the Internet is via Group membership, applied to site and
> content rules.
> 
> So far so good, been working OK for ages, but now someone has turned
> up in the logs who does NOT have access via the group membership.
> 
> Furthermore, looking thru the security log, there is no evidence of
> this person ever having authenticated with the ISA.. 
> ISA is set to Authenticate Users, using Basic and Windows
> authentication.
> 
> Tests have shown that removing a legitimate user from the Group does
> remove their access - as it should.
> 
> So how does my mystery user get access? It's not via any nested group
> membership either.
> 
> I'm stuffed if I can find out..
> 
> Cheers
> Neil
> 
> 
> 
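
The reading of the log given in the reply above, that "-" in both of the last two fields means no Protocol Rule and no Site and Content Rule matched the request, can be applied to a whole log file rather than one line. The following is an added example and not part of the thread; it assumes the comma-separated layout of the line Neil posted, and the second sample line, its user and its rule names are constructed.

```python
# Added example (not from the thread): list requests whose last two log
# fields, Rule#1 and Rule#2, are both "-", i.e. no rule matched.
from collections import defaultdict

SAMPLE_LOG = [
    # The line Neil posted, re-joined onto one line.
    "IP.IP.IP.IP, Domain\\User, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT "
    "5.1), -, 9/27/2002, 7:57:27, -, PROXY, -, -, -, 0, 125, 479, 0, -, -, "
    "GET, http://www.nastyurl.com/images/page1_02.jpg, -, -, 12209, -, -, -",
    # Constructed line: same layout, hypothetical user and rule names.
    "10.0.0.5, Domain\\Alice, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT "
    "5.1), Y, 9/27/2002, 8:01:02, -, PROXY, -, www.example.com, -, 80, 140, "
    "300, 5120, http, TCP, GET, http://www.example.com/, text/html, Inet, "
    "200, -, Web Protocols, Internet Users",
    "#Constructed comment line, skipped by the parser",
]


def parse_line(line):
    """Return user, url and the two rule fields, or None if not a log entry."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    # Split from the right so commas inside earlier fields (for example a
    # user agent string) cannot shift the two rule fields.
    parts = line.rsplit(",", 2)
    if len(parts) != 3:
        return None
    fields = [f.strip() for f in parts[0].split(",")]
    if len(fields) < 2:
        return None
    url = next((f for f in fields if "://" in f), "-")
    return {"user": fields[1], "url": url,
            "rule1": parts[1].strip(), "rule2": parts[2].strip()}


def unmatched_requests(lines):
    """Map each user to the URLs logged with "-" in both rule fields."""
    result = defaultdict(list)
    for entry in filter(None, map(parse_line, lines)):
        if entry["rule1"] == "-" and entry["rule2"] == "-":
            result[entry["user"]].append(entry["url"])
    return dict(result)


if __name__ == "__main__":
    for user, urls in unmatched_requests(SAMPLE_LOG).items():
        print(user, "had", len(urls), "request(s) with no matching rule:", urls)
```
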
