Discussion:
Disabling the "CONNECT" Method
murawai101
2006-06-21 01:48:01 UTC
Hi
I have run a scan against my ISA servers from internal as they are single
nic proxies only (not firewalls) and I have found they are vulnerable to the
"connect" method. Does anyone know how to disable this? See below from scan.
THREAT:
The HTTP server or the HTTP proxy server accepts the "CONNECT" method.
IMPACT:
By exploiting this vulnerability, unauthorized Internet users may be able to
connect to your entire internal network using the "CONNECT" method. This can
also be used by attackers to create tunnels through proxies which support
this method since such hops are difficult to trace back.
SOLUTION:
Reconfigure your server to disable this method or restrict its access.
Nathan B [MSFT]
2006-06-21 11:40:46 UTC
You should be able to do this with the HTTP Filter, as described in
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/httpfiltering.mspx.

You may want to check what all of the implications of blocking this method
are, or try it in a lab or limited production environment.
--
Nathan Bigman
ISA Server Product Team

Please do not send email directly to this alias. This alias is for newsgroup
purposes only.

This posting is provided "AS IS" with no warranties, and confers no rights.
unknown
2006-06-21 13:31:51 UTC
Post by murawai101
By exploiting this vulnerability, unauthorized Internet users may be able to
connect to your entire internal network using the "CONNECT" method. This can
also be used by attackers to create tunnels through proxies which support
this method since such hops are difficult to traceback.
Think about that for a minute. To me, that is just one of those "the sky is
falling, we're all going to die" warnings. If they are going to "connect
to your entire internal network" then they have to get to the proxy to do
it,...however the proxy is on the internal network with a single nic,...so
they have to be on the internal network to get to the ISA,...so if they are
already on the internal network to get to the ISA, why do they need the ISA
to get to the internal network?

The CONNECT method is used for HTTPS, as far as I know "no connect" = "no
HTTPS". ISA forces all HTTPS to only be able to run on port 443 to mitigate
weaknesses in CONNECT. So if you are going to "tunnel somewhere" with
CONNECT using ISA then the destination would have to be listening on 443
which would mean it is a web server running a secure site with
https,...which makes it pretty tough to "connect to your entire internal
network".

I'd be more worried about writing a simple check for a simple store purchase
since my name, address, phone number, drivers license number, bank account
number, and bank routing number are all there right on the check in plain
sight.
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
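The two controls discussed in this thread (Nathan's suggestion of restricting the CONNECT method with the HTTP Filter, and Phillip's point that ISA only lets CONNECT reach port 443) can be expressed as a small policy check. The following is an added example written for this page, not ISA Server code or anything from the posters; it models a proxy's decision for each request line and audits a set of constructed sample requests. The host names, addresses and the `ALLOWED_CONNECT_PORTS` setting are assumptions made for the example.

```python
"""Policy model for the HTTP CONNECT method at a forward proxy.

Added example, not ISA Server code. Two behaviours from the thread are
modelled: (1) blocking the CONNECT method outright (the HTTP Filter
approach) and (2) allowing CONNECT only to port 443 (the ISA default
described in the thread). Sample request lines below are constructed.
"""
from dataclasses import dataclass

# Assumption for this example: CONNECT may only target port 443.
ALLOWED_CONNECT_PORTS = {443}


@dataclass
class Verdict:
    allowed: bool
    reason: str


def parse_request_line(line):
    """Split 'METHOD target HTTP/x.y' into its three parts."""
    parts = line.strip().split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {line!r}")
    return parts[0], parts[1], parts[2]


def connect_target(target):
    """Parse the authority-form target of CONNECT ('host:port', IPv6 in brackets)."""
    host, sep, port = target.rpartition(":")
    if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"CONNECT target not in host:port form: {target!r}")
    return host.strip("[]"), int(port)


def evaluate(request_line, allow_connect=True, allowed_ports=ALLOWED_CONNECT_PORTS):
    """Decide whether the proxy should honour this request under the policy."""
    method, target, _ = parse_request_line(request_line)
    if method != "CONNECT":
        return Verdict(True, f"{method} is not subject to the CONNECT policy")
    if not allow_connect:
        # Nathan's approach: the method itself is filtered, so HTTPS via the
        # proxy stops working too (Phillip's "no connect = no HTTPS").
        return Verdict(False, "CONNECT method blocked by HTTP method filter")
    try:
        host, port = connect_target(target)
    except ValueError as exc:
        return Verdict(False, str(exc))
    if port not in allowed_ports:
        # Phillip's point: a tunnel to anything but a TLS web port is refused.
        return Verdict(False, f"CONNECT to port {port} not permitted "
                              f"(allowed: {sorted(allowed_ports)})")
    return Verdict(True, f"CONNECT to {host}:{port} permitted")


# Constructed sample traffic: one plain GET, one legitimate HTTPS tunnel,
# two tunnel attempts to non-web ports, an IPv6 target, and a malformed one.
SAMPLE_REQUESTS = [
    "GET http://intranet.example.test/index.html HTTP/1.1",
    "CONNECT mail.example.test:443 HTTP/1.1",
    "CONNECT fileserver.example.test:445 HTTP/1.1",
    "CONNECT 10.0.0.5:22 HTTP/1.1",
    "CONNECT [fd00::5]:443 HTTP/1.1",
    "CONNECT whatever HTTP/1.1",
]


def audit(lines, **policy):
    """Return the denied request lines with the reason for each denial."""
    denied = []
    for line in lines:
        verdict = evaluate(line, **policy)
        if not verdict.allowed:
            denied.append((line, verdict.reason))
    return denied


if __name__ == "__main__":
    print("Port-443-only policy (ISA default as described in the thread):")
    for line, reason in audit(SAMPLE_REQUESTS):
        print(f"  DENY {line}  -- {reason}")
    print("CONNECT method filtered entirely:")
    for line, reason in audit(SAMPLE_REQUESTS, allow_connect=False):
        print(f"  DENY {line}  -- {reason}")
```

Running the script with the default policy denies the tunnels to ports 445 and 22 and the malformed target while letting both port-443 tunnels through; with `allow_connect=False` every CONNECT request is refused, which is the trade-off Nathan's reply warns about checking in a lab first.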
murawai101
2006-06-21 22:34:01 UTC
It looks like it is only my downstream ISA servers that seem vulnerable to
this attack. My downstream servers webchain to my two ISA servers in my main
office (which connect out to the internet). Could this be because the
downstream servers are webchaining? The configuration for everything else is
pretty much the same.
unknown
2006-06-21 22:49:55 UTC
I don't consider the alert to be even worth worrying about. Those alerts
and their descriptions are in some cases the opinion of the particular
programmer that wrote the tool or that particular part of the tool.

But that is my opinion.
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com