RE: Unauthorised access

  • From: "William Robertson" <william.robertson@xxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 28 Nov 2002 08:57:29 +0200

Hi Neil

1) Check your WEB Proxy logs for the Rule#1 and Rule#2 fields. This will
show you which Protocol Rule and S&C Rule your mystery user used to
access the web. (Enable these fields under Monitoring Config, Logs, WEB
Proxy Service, Fields.)

2) Just confirm that the "Ask unauthenticated users for identification"
option is selected under the "Outgoing WEB Requests" tab.

3) As for removing someone from an access group, you will need to
restart the WEB Proxy service for this to work immediately as ISA seems
to take its time to synchronise with the Win2K AD when you add/remove
someone from an access group.

If there is one thing that I have learned it is that there is always a
reason for someone being granted access to the web, you just have to
find which rules were used, and then find out how he had access to that
rule.

One last thing, you may also want to check your FIREWALL log because I
have seen in the past that some users will surf the web via the Firewall
Client, and if you have told the HTTP Redirector to NOT forward requests
to the WEB Proxy service, then I think users will be able to surf the
web anonymously (I think).

Cheers
William R.

 
-----Original Message-----
From: Sullivan, Neil (CALBRIS)
[mailto:Neil.Sullivan@xxxxxxxxxxxxxxxxxxxxxxx] 
Sent: 28 November 2002 08:40 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Unauthorised access


Got a strange problem with an ISA SP1 Cache only server.

Access to the Internet is via Group membership, applied to site and
content rules.

So far so good, been working OK for ages, but now someone has turned up
in the logs who does NOT have access via the group membership.

Furthermore, looking thru the security log, there is no evidence of this
person ever having authenticated with the ISA.. 
ISA is set to Authenticate Users, using Basic and Windows
authentication.

Tests have shown that removing a legitimate user from the Group does
remove their access - as it should.

So how does my mystery user get access? It's not via any nested group
membership either.

I'm stuffed if I can find out..

Cheers
Neil
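
The log check from point 1 of the reply, as an added example that is not part of the original thread: it reads a Web Proxy log and lists, for every user outside the access group, the Rule#1/Rule#2 pair (Protocol Rule and Site and Content Rule, per the reply) that served them. It assumes a W3C extended format log with tab-separated fields named cs-username, sc-status, rule#1 and rule#2; the log lines, user names and rule names are constructed.

```python
from collections import defaultdict

ANON = {"", "-", "anonymous"}  # assumed spellings of "no user name logged"

def parse_w3c(lines):
    """Yield one dict per record, using the most recent #Fields directive."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split("\t")
            if len(values) == len(fields):  # skip truncated records
                yield dict(zip(fields, values))

def unexpected_access(records, group_members):
    """Map each user outside group_members to the rule pairs that served them."""
    hits = defaultdict(set)
    for rec in records:
        status = rec.get("sc-status", "")
        if not (status.isdigit() and 200 <= int(status) < 400):
            continue  # denied or failed request, nobody got through
        user = rec.get("cs-username", "-").lower()
        user = "<anonymous>" if user in ANON else user
        if user not in group_members:
            hits[user].add((rec.get("rule#1", "-"), rec.get("rule#2", "-")))
    return dict(hits)

def sample_log():
    """Constructed log lines; names, rules and addresses are made up."""
    header = ["c-ip", "cs-username", "date", "time", "cs-uri", "sc-status", "rule#1", "rule#2"]
    rows = [
        ["10.0.0.21", "CORP\\alice", "2002-11-28", "08:01:10", "http://example.com/", "200", "Web Protocols", "Internet Group"],
        ["10.0.0.37", "CORP\\mystery", "2002-11-28", "08:02:44", "http://example.org/", "200", "Web Protocols", "Intranet Partners"],
        ["10.0.0.37", "CORP\\mystery", "2002-11-28", "08:02:50", "http://example.org/a", "403", "-", "-"],
        ["10.0.0.52", "anonymous", "2002-11-28", "08:03:02", "http://example.net/", "200", "Web Protocols", "Allow All Sites"],
    ]
    return ["#Version: 1.0", "#Fields: " + "\t".join(header)] + ["\t".join(r) for r in rows]

if __name__ == "__main__":
    members = {"corp\\alice"}  # lower-cased members of the access group (constructed)
    found = unexpected_access(parse_w3c(sample_log()), members)
    for user, rules in found.items():
        for protocol_rule, sc_rule in sorted(rules):
            print(f"{user}: protocol rule={protocol_rule!r}, site and content rule={sc_rule!r}")
```

A rule pair that appears for a user outside the group names the rule to inspect; an anonymous entry points at a rule that applies without authentication.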



