[isalist] Re: Uploads to Facebook don't work anymore...

  • From: John Wilson <john@xxxxxxxxxxxxxxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 3 Dec 2009 17:04:13 -0500

A little off topic, but I've seen where people nuke apps via GPO based on the digital cert the app was signed with. One of the sys admins here in Charleston showed me the trick. Since the same cert was used to sign most Google apps, one GPO borked all the Google apps, like Google Earth and Google Uploader, etc. It was REALLY slick.


John Wilson

Sent from my iPhone

On Dec 3, 2009, at 1:07 PM, "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx> wrote:

Yeah, but you COULD set “deny” permissions on the .exe via GPO. That would work.



t



From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: Thursday, December 03, 2009 9:47 AM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Re: Uploads to Facebook don't work anymore...



Yeah, that one I remembered.. *grin* Always looking for new ways to do things though!

I experimented with the new Server 2008 GPO to delete files also (was seeing if I could delete their contraband executable), but that didn’t work out very good.





From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Thursday, December 03, 2009 12:33 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Uploads to Facebook don't work anymore...



Yeah…. Just making sure you knew about that option as well as header inspection.



t



From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: Thursday, December 03, 2009 9:26 AM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Re: Uploads to Facebook don't work anymore...



In the Firewall Client settings?  Did that already.



From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Thursday, December 03, 2009 12:18 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Uploads to Facebook don't work anymore...



You can block the .exe as well…



From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: Thursday, December 03, 2009 9:10 AM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Re: Uploads to Facebook don't work anymore...



That is where I thought it was, must have missed that setting during the transfer, I’ll read up on the signatures.





From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR
Sent: Thursday, December 03, 2009 12:00 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Uploads to Facebook don't work anymore...



I use the signature option on the HTTP configuration to do that, I’m kind of busy now, but let me see if I find out some document about it.

If not just do a search on the web, about using signature to block firefox on ISA, and that will lead you to block other browsers as well.



Regards

Diego R. Pietruszka

MIS - Shift Manager

MSC (USA) - Interlink Transport Technologies

Direct Phone: (908)605-4147



From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: Thursday, December 03, 2009 11:53 AM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Re: Uploads to Facebook don't work anymore...



So how are you going about blocking non-IE browsers? I know there was a discussion on that a few years ago, and I had done that at that time, but apparently those are the settings that didn’t get copied over when I rebuilt my ISA server this summer. If I recall, it had something to do with blocking port 80 and forcing everyone through the proxy, along with some tag identification.





From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR
Sent: Thursday, December 03, 2009 7:53 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Uploads to Facebook don't work anymore...



Then why don’t you block Firefox?

I had a similar case here with the developers. It looks like Visual Studio or some software they use to write code has a kind of embedded browser, not sure how that works, but the point is, using that thing in some way, they were able to avoid Websense. So I block that “browser” from being able to browse the internet. I’m actually allowing just IE as a browser.



Regards

Diego R. Pietruszka

MIS - Shift Manager

MSC (USA) - Interlink Transport Technologies

Direct Phone: (908)605-4147



From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: Thursday, December 03, 2009 7:34 AM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Re: Uploads to Facebook don't work anymore...



The categorization of proxy sites is actually pretty good in Websense. With SurfControl the kids would sit down at a computer when they got into class and the first thing they’d do is a Google search for proxy sites and go through the list and usually within a minute they’d find one that wasn’t blocked. With Websense, I don’t think they’ve been able to find one at all using that technique and pretty much given up on that. Now that they cannot use that method anymore, they’re starting to bring in software on their flash drives to try and get around the filtering (hence the HTTPS block). They found a loophole with Firefox last month (the default policies in Websense), so within a week I found copies of Firefox installed on every computer they could find.







From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR
Sent: Thursday, December 03, 2009 7:00 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Uploads to Facebook don't work anymore...



I mean a “proxy avoidance” site, not a proxy server.



Regards

Diego R. Pietruszka

MIS - Shift Manager

MSC (USA) - Interlink Transport Technologies

Direct Phone: (908)605-4147



From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Wednesday, December 02, 2009 9:28 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Uploads to Facebook don't work anymore...



How does Websense determine if the connection is to a proxy?



t



From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR
Sent: Wednesday, December 02, 2009 5:30 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Uploads to Facebook don't work anymore...



Hmm, I would suggest you re-enable HTTPS for the students, then filter the proxy avoidance category using the Websense configuration options, and then do an analysis of the traffic to see if they are really reaching any proxy site after all that is in place.

That way you will keep using the authentication, the filtering by categories and the statistics of internet use.



If you have the budget to move to the software you really like, go for that option, but if this is what you have to use no matter what, then I would try to have both (Websense and ISA) working together in the best possible way.



Bye

Diego



Sent from my Iphone



From: isalist-bounce@xxxxxxxxxxxxx [isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan [DBall@xxxxxxxxxxx]
Sent: Wednesday, December 02, 2009 7:45 PM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Re: Uploads to Facebook don't work anymore...

Well, after thinking about this for a day or so, I’ve come to the conclusion that creating custom protocols in Websense is simply not practical. We have waaaaaaay too many websites that would need entering. So, I think the best route would be to utilize the ISA server policies for websites that we can “trust”, and access these directly, without authentication.



There are two ways I can think of off the top of my head on how to do this:

1. Create an ISA Firewall Policy Rule with a list of addresses that are allowed access without authentication. Benefits: Simple list to maintain, no configuration needed in Websense. Drawbacks: All “unauthenticated” web requests still go through Websense, but hit the default policy. The default policy would then have to be changed to allow everything. If I can find a way to verify all legitimate requests are hitting the other policies in Websense, then this is a feasible solution. Problem: Verifying that all users are authenticated in Websense.

2. Utilize the bypass firewall option in the ISA Network configuration. Benefits: Websense completely out of the picture, as the add-in web filter “should not” kick in for those requests, and the Websense Default Policy can be more restrictive. Drawbacks: List is a bit more difficult to maintain. Problem: This scenario is untested, unsure of outcome and/or how well it would scale.





From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR
Sent: Wednesday, December 02, 2009 3:34 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Uploads to Facebook don't work anymore...



OK, let’s see how I have it configured. I know you have to be far more careful with students than with any company user, but anyway.

Our users are limited to a list of allowed sites, so not much comparison there, these poor guys have zero fun on the web.



1- Our developers, that is another story, and for them I’m using a protocol where proxy websites are being filtered. Anyway, and because of course Websense is far from being perfect, we do monitor the internet activity and I have caught so far 1 proxy avoidance website not being detected by Websense.

2- Well, I completely agree that it is not the most flexible software out there for individual permissions, but I would, if there is no other option, adjust the way you are filtering your users. I would for example create just a bunch of categories (for example: students, teachers, administration, IT) and make the users members of any of those groups and then give permission to users by making them members of the different internet access groups. How many groups can you have? 20, then you will need 20 policies. That probably means you will have to change the way you are working, but I guess it is going to be easier in the long run. Now, if you are in an organization where user 1 needs this access, user 2 another and so on, then you have a problem and then yes, I would look to another product.



I know the unauthenticated users problem, that is why I’m not allowing internet access without authentication. Unless you come from the wireless network, in which case they have their own policy and ISA rule.

Regarding the amount of servers, I have 1 which is my ISA CSS, where the Websense policy server is running (I was needing that server anyway), and then I installed the filtering service on each ISA server acting as a proxy (I was needing them as well for ISA). So I’m not having a problem of additional servers needed for Websense, yes of course more traffic, services running on the box and stuff like that.



I don’t want to sound like a Websense vendor, don’t misunderstand me. I was told you will have to use Websense and I’m learning to deal with it, maybe there is better software out there but I can tell you how I survived and things are working pretty good.



Regards

Diego R. Pietruszka



From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: Wednesday, December 02, 2009 2:55 PM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Re: Uploads to Facebook don't work anymore...



Well, it pertains to the ISA server, so it is still relevant… *grin* I have two basic groups of users, one for students and one for staff. The students group is locked down pretty tight, while the staff one allows normal web browsing but blocks the clearly naughty or dangerous places.



I’m running into two main issues:

1. Students are not allowed HTTPS, as there are tons of proxy programs out there that look for this and utilize it to bypass all filtering. To bypass this for one particular site requires the creation of a custom protocol on port 443 for a specific IP address. Hence, to block numerous websites requires numerous custom protocols.

2. The policies in Websense follow the old *nix style security, where you can create a policy for one group but if there is one user that requires one tiny modification you have to duplicate the entire security policy, remove the user from that group, and apply the custom policy to that one user. Then, if you need to make a change for “all” users, you have to go through each and every policy individually and make that same change, because they are essentially duplicates of each other.



Because of the way the Websense security is handled, I have to make the “default” group the same as the Student filtering or block it entirely. Otherwise, any “unauthenticated” user will have zero filtering, which totally defeats the purpose of the filtering in the first place… That then leaves the ISA firewall policies out of the equation because any ISA rule that would normally allow traffic through unfiltered would then hit the Websense “default” filtering policy, making it infinitely more difficult to use this program effectively.



So… Now instead of one program, which ran on the ISA server, I now have to have three servers to do the same job with extremely less granular control. We are definitely regretting the decision to switch to Websense!





From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR
Sent: Wednesday, December 02, 2009 1:10 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Uploads to Facebook don't work anymore...



Hey, sorry I know this is now a Websense list, but what are you trying to filter exactly? A group of websites for a group of users? What else?

I mean, I have about 2000 users here and I’m doing all the job with 4 protocols, and that allows me to meet the requirements of Managers, VPs, regular users, developers, etc.



Of course I assume you have it installed integrated with ISA, is that right?



Regards

Diego R. Pietruszka

MIS - Shift Manager

MSC (USA) - Interlink Transport Technologies

Direct Phone: (908)605-4147



From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: Wednesday, December 02, 2009 11:05 AM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Re: Uploads to Facebook don't work anymore...



I will agree with you on how well it works, but as for usability I will rank it extremely low (okay, maybe even lower than that). I was seriously tempted to install the old SurfControl last week because I was getting so ticked at Websense. It (SurfControl) may have been a buggy product, but it was infinitely more configurable than Websense will ever be.



We have it up and working now after many hours of having an engineer doing most of the work (I get the impression they definitely do not like ISA servers). But, after the first couple days of having it running “properly” I already have a big list of websites that need to be “allowed” through the filtering again. After yet another session with the engineer yesterday afternoon it appears that I now have to define a custom protocol for each and every one of those websites to allow them through. Well, it’s either that or open the HTTPS protocol up to everyone with no restrictions (their unofficial recommendation).



I’m going to do some experimenting with it a bit today to see if I can do a different workaround instead of their recommended methods. Now that I know how it works relatively intimately, it’s time to hack it apart! *grin*





From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR
Sent: Wednesday, December 02, 2009 7:57 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Uploads to Facebook don't work anymore...



It is hard to have it working correctly but when you have it, it is a good product, believe me, I’ve been using it for several years.

The easiest way to see if Websense is your problem, since your uploader cannot show the blocking messages, is to do a network capture as Jim said, and you will see the connection to the Websense service on the right port right away. Another way is to use the logmonitor on the Websense server while testing the uploading (which I believe is a waste of money ;-) , sorry I had to add the comment).



That happened to me several times, when you are using a non-HTTP browser, so your app failed without any apparent reason, and we always forgot the monitoring options on Websense.



Regards

Diego R. Pietruszka



From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: Wednesday, December 02, 2009 7:36 AM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Re: Uploads to Facebook don't work anymore...



Thanks, that clears it up a bit, now I know what to look for. Yes, we are using authentication on outbound traffic and I have a strong suspicion that Websense has something to do with this issue. We are becoming less enamored with it daily, and I have spent countless hours with their tech support in the last few weeks.





From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Wednesday, December 02, 2009 1:04 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Uploads to Facebook don't work anymore...



No; there is no rule allowing the request as specified.

Don’t worry about rules that disallow specific commands or headers; you would see those rules quoted.

The protocol quoted is in lowercase, which indicates a CERN proxy request.

Are you forcing authentication on the outbound traffic?

The request is not coming from the browser, but the “image uploader”, which may have authentication issues (can’t tell from a single log entry).

A Netmon capture could tell you…



From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: Tuesday, December 01, 2009 11:52 AM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Re: Uploads to Facebook don't work anymore...



I can see that… There is no rule allowing http from localhost to localhost so it fails (somehow I don’t think such a rule would resolve the issue though). Subsequent Googling on those topics didn’t shed any light on it either. Is this a Facebook App error or something on my end?





From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Tuesday, December 01, 2009 1:16 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Uploads to Facebook don't work anymore...



The destination IP will be the ISA internal IP, because this is a CERN proxy request.

Regardless, this request was denied because there is no firewall policy that would allow it (thus quoting the default rule).



From: isalist-bounce@xxxxxxxxxxxxx [isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan [DBall@xxxxxxxxxxx]
Sent: Tuesday, December 01, 2009 7:22 AM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Re: Uploads to Facebook don't work anymore...

Hmmmmmm….. I don’t see anything changed on the Internal Network configuration (same it has been for months), and that destination IP is the ISA server itself.





From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Tuesday, December 01, 2009 10:16 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Uploads to Facebook don't work anymore...



The request was denied by the default rule; indicating that you have no policy that allows this request.

Interestingly enough, the request was identified as being destined for the “internal” network.

This tells me that unless you deployed ISA in a single-net configuration you or someone you shouldn’t trust has been playing with the internal network definition.



From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: Tuesday, December 01, 2009 6:50 AM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Re: Uploads to Facebook don't work anymore...



Oh, I agree, that is only the tip of that looming iceberg… But, like I said, my obvious answer to “do it from home” wasn’t acceptable, so I have to figure out how to get it working again… *sigh*





From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR
Sent: Tuesday, December 01, 2009 9:45 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Uploads to Facebook don't work anymore...



The fact that ISA or something else is not allowing the upload doesn’t worry me too much, what is incredible here is:



Do the taxpayers in your school district know that the school district is using money for somebody to be able to upload pictures to Facebook? Amazing



Regards

Diego R. Pietruszka

MIS - Shift Manager



From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: Tuesday, December 01, 2009 9:27 AM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Uploads to Facebook don't work anymore...



In the last couple of weeks, something changed (no idea what), and now people inside our network can no longer upload pictures to Facebook. The upload application seems to be working, then crashes at the end. (Of course, the obvious solution of doing it from home is unacceptable… *grumble*)



I looked on the ISA server (ISA 2006), and this is the error message where it dies:



Original Client IP Client Agent Authenticated Client Service Server Name Referring Server Destination Host Name Transport MIME Type Object Source Source Proxy Destination Proxy Bidirectional Client Host Name Filter Information Network Interface Raw IP Header Raw Payload GMT Log Time Source Port Processing Time Bytes Sent Bytes Received Result Code HTTP Status Code Cache Information Error Information Log Record Type Authentication Server Log Time Destination IP Destination Port Protocol Action Rule Client IP Client Username Source Network Destination Network HTTP Method URL

0.0.0.0 Image Uploader Yes Proxy SERVERNAME http://www.facebook.com/editalbum.php?&aid=349361&add=1&created=1# 10.20.1.10 TCP - - - Req ID: 0e8e449f - - - 12/1/2009 2:12:02 PM 0 1 4310 639014 12202 The ISA Server denied the specified Uniform Resource Locator (URL). 0x4 0xa80 Web Proxy Filter 12/1/2009 9:12:02 AM 10.20.1.1 8080 http Denied Connection Default rule 10.20.6.117 DOMAIN \username Internal Internal POST http://upload.facebook.com/photos_upload.php?created_album=1&aid=349361&id=504175590



The traffic is hitting the default rule for some reason (which is why it is dying), but the protocol is http, which “should” be able to make it through.



--------------------------------------------------
Dan Ball
Network and Systems Technician
Marquette Area Public Schools
1103 West College Avenue
Marquette, MI 49855
E-Mail: dball@xxxxxxxxxxx
Phone: (906)225-5779
Fax: (906)225-5377
--------------------------------------------------
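
Added example, not part of any message in this thread: a small triage script for the situation discussed above, where a non-browser client ("Image Uploader") is denied by the default rule. It assumes the proxy log has been exported as tab-separated text with a header row using a subset of the column names shown in the log entry; the sample rows, host names and non-default rule names are constructed.

```python
import csv
import io
from collections import Counter
from urllib.parse import urlsplit

COLUMNS = ["Client Agent", "Client Username", "Protocol", "Action", "Rule",
           "Source Network", "Destination Network", "HTTP Method", "URL"]

# Constructed sample rows (not real log data). Rule names other than
# "Default rule" are hypothetical.
ROWS = [
    ["Image Uploader", "DOMAIN\\user1", "http", "Denied Connection",
     "Default rule", "Internal", "Internal", "POST",
     "http://upload.example.test/photos_upload.php"],
    ["Mozilla/4.0 (compatible; MSIE 7.0)", "DOMAIN\\user1", "http",
     "Allowed Connection", "Staff web access", "Internal", "External",
     "GET", "http://www.example.test/"],
    ["Image Uploader", "DOMAIN\\user2", "http", "Denied Connection",
     "Default rule", "Internal", "Internal", "POST",
     "http://upload.example.test/photos_upload.php"],
    ["Mozilla/4.0 (compatible; MSIE 7.0)", "DOMAIN\\user3", "HTTP",
     "Denied Connection", "Block student sites", "Internal", "External",
     "GET", "http://blocked.example.test/"],
    ["Mozilla/5.0 (constructed) Firefox/3.5", "DOMAIN\\user4", "HTTP",
     "Denied Connection", "Default rule", "Internal", "External",
     "GET", "http://www.example.test/"],
]
SAMPLE_LOG = "\n".join("\t".join(r) for r in [COLUMNS] + ROWS) + "\n"


def parse_log(text):
    """Parse a tab-separated export with a header row into dicts."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t",
                            quoting=csv.QUOTE_NONE)
    return [dict(row) for row in reader]


def default_rule_denials(rows):
    """Return denied requests that matched no policy (hit the default rule)."""
    hits = []
    for row in rows:
        if not row["Action"].startswith("Denied"):
            continue
        if row["Rule"].strip().lower() != "default rule":
            continue  # denied by an explicit rule: that rule is quoted instead
        hit = dict(row)
        hit["Host"] = urlsplit(row["URL"]).hostname or ""
        # Per the thread, a lowercase protocol marks a CERN proxy request,
        # whose destination is the proxy's own internal address.
        hit["Web Proxy Request"] = row["Protocol"].islower()
        hits.append(hit)
    return hits


def summarize(hits):
    """Count default-rule denials per (client agent, host, method)."""
    return Counter((h["Client Agent"], h["Host"], h["HTTP Method"])
                   for h in hits)


if __name__ == "__main__":
    denials = default_rule_denials(parse_log(SAMPLE_LOG))
    for (agent, host, method), count in summarize(denials).most_common():
        print(f"{count:3d}  {method:5s} {host:28s} {agent}")
```

Grouping by client agent separates helper applications that fail to match any allow rule from ordinary browser traffic, which is the distinction the single log entry above could not show.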

