Richard Parmiter

Virtualisation blog and Knowledge Base


Restricting some sites in Internet Explorer

Posted on April 14th, 2009

When it comes to providing Internet Explorer access from a Citrix Server, trying to lock it down can be tricky.

Sure, there are various Group Policy settings that can be applied to lock down the application, but the most common question is how to restrict where users are able to browse. You may want to allow external Internet browsing, for example, but block some sites. The same may apply to internal Intranet sites, where you want to block sites that rely heavily on plug-ins, or for whatever other reason is supplied.

In the past the only real way to provide this type of lockdown would be to have a dedicated proxy server or rule base that provides a white and black list of sites. Depending on the availability of such a service, this may or may not be possible in the environment you are working in. You may also need a different white and black list for different Citrix application silos, so this would need a separate proxy or rule base for each environment.

Another way to lock down some access is to add sites to the Trusted Sites or Restricted Sites list. This can be set up by Group Policy but is a hassle to maintain, because adding or removing sites from the list relies on other factors, such as editing the Group Policy from a machine that is already configured with the right settings, as the editor will try to suck in local machine settings as soon as you try to edit it. From experience, this is a real pain and can easily end up mis-configured with the wrong settings if someone edits it from the wrong computer. It also doesn’t fully block the site; it only blocks the execution of scripts from the site in question. So, if the site runs a script on page launch, that script will be blocked from running and access to the site will effectively be denied. This clearly doesn’t apply to all sites, so even adding a site to the Restricted Sites zone doesn’t guarantee it being blocked.

There is a third way

Internet Explorer can use an automatic configuration script (a .pac file) to provide it with configuration options. Typically this is used to supply IE with the proxy server address automatically. With a bit of additional programming it can be used to provide the exact result required.

The .pac file is just a text file containing JavaScript functions and can be configured to provide this lockdown. The configuration can return different proxy server addresses based on the URL being accessed. So, for example, if a site is ‘blocked’ the .pac file can return a non-existent proxy server address (or no proxy address at all) and then the site cannot be accessed.

The following expressions are useful. This is the function IE calls for every request, and it must be present for any of this to work:

function FindProxyForURL(url, host)

This expression matches the URL and returns a direct (no proxy) method. It is the same as adding the site to the ‘do not use proxy server for addresses beginning with:’ option. In the case of external sites, returning a direct method of access is great because the browser will never find the site and will time out very quickly.

if (shExpMatch(url, "*.facebook.com/*")) return "DIRECT";

In the case of a blocked internal site, returning a direct method of access is of no use, as all computers are on the same network and the browser will still find the site. Instead you will need to return a fake proxy server that does not exist on the network. The browser will time out while trying to find this proxy and IE will not find the site. The browser will not time out immediately, however; it will appear to take about 30 seconds.

if (shExpMatch(url, "*://Intranet/*")) return "PROXY 10.10.10.10:1010";

The first wildcard will lock down both http and https access. The second wildcard is deliberately placed after the "/", otherwise it can lock down too many sites (any host name that merely begins with the same characters). Placing the second wildcard here does, however, mean that you need to enter the URL twice: once as just the name and once for the fqdn as well.

These can all be combined to provide the lockdown required.

Here is a sample ie.pac file.

// Restricted sites list
// v1.0
// Richard Parmiter
function FindProxyForURL(url, host)
{
    // set the address of the real proxy into a variable named proxy
    var proxy = "PROXY proxyserver.fqdn.local:80";

    // list of all restricted sites as shown
    // return "DIRECT" for external sites as it is quicker for the browser to time out
    if (shExpMatch(url, "*.facebook.com/*")) return "DIRECT";
    if (shExpMatch(url, "*.youtube.com/*")) return "DIRECT";

    // return "PROXY 10.10.10.10:1010" (a non-existent proxy) for internal sites
    if (shExpMatch(url, "*://internalsite1/*")) return "PROXY 10.10.10.10:1010";
    if (shExpMatch(url, "*://internalsite1.fqdn.local/*")) return "PROXY 10.10.10.10:1010";
    if (shExpMatch(url, "*://192.168.100.100/*")) return "PROXY 10.10.10.10:1010";
    if (shExpMatch(url, "*://192.168.100.101/path/url*")) return "PROXY 10.10.10.10:1010";

    // bypass proxy for local (single-label) addresses
    if (isPlainHostName(host)) return "DIRECT";

    // catch-all: everything else goes via the real proxy
    return proxy;
}

This file sets a variable at the top holding the correct proxy server address and has a catch-all statement at the end to return this variable if the URL doesn’t match any of the statements above it.

The ‘isPlainHostName’ function matches any host name that does not include a “.” in it. This is the same as ticking the option “Bypass proxy server for local addresses”.
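The following is an added example, not part of the original post, showing how the rules above can be checked offline before the .pac file is published. It re-implements the two PAC helper functions the file relies on (shExpMatch and isPlainHostName, which the browser normally supplies) and runs a rule set shaped like the one above against constructed URLs. The proxy address, the non-existent proxy and the host names are the post's own placeholders; case-insensitive matching is an assumption of this harness, since case handling of shExpMatch differs between PAC engines. The harness also demonstrates the wildcard-placement point: a pattern without the "/" before the trailing "*" over-matches any host that starts with the same characters. One caveat worth keeping in mind: returning "DIRECT" only blocks an external site when the Citrix server has no direct route to the Internet; if a direct route exists, "DIRECT" allows the connection, so the non-existent proxy is the safer return value for any site that must not be reached.

```javascript
// Added example (not from the original post): an offline harness for
// evaluating a PAC rule set like the one above.

// shExpMatch: shell-style glob where '*' matches any run of characters and
// '?' matches a single character. Case-insensitive here (assumption: PAC
// engines differ on this, so keep rule patterns in lower case to be safe).
function shExpMatch(str, pattern) {
  const regexSource = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*")                 // glob '*'  -> regex '.*'
    .replace(/\?/g, ".");                 // glob '?'  -> regex '.'
  return new RegExp("^" + regexSource + "$", "i").test(str);
}

// isPlainHostName: true for single-label hosts with no "." (e.g. "intranet").
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Placeholders taken from the post: the real proxy and a proxy that does not
// exist on the network (the browser times out trying to reach it).
const REAL_PROXY = "PROXY proxyserver.fqdn.local:80";
const BLACKHOLE_PROXY = "PROXY 10.10.10.10:1010";

// Rule set in the same shape as the post's ie.pac file.
function FindProxyForURL(url, host) {
  // external sites: DIRECT, relying on the server having no direct Internet route
  if (shExpMatch(url, "*.facebook.com/*")) return "DIRECT";
  if (shExpMatch(url, "*.youtube.com/*")) return "DIRECT";
  // internal sites: send them to a proxy that does not exist
  if (shExpMatch(url, "*://internalsite1/*")) return BLACKHOLE_PROXY;
  if (shExpMatch(url, "*://internalsite1.fqdn.local/*")) return BLACKHOLE_PROXY;
  if (shExpMatch(url, "*://192.168.100.100/*")) return BLACKHOLE_PROXY;
  // bypass the proxy for local (single-label) addresses
  if (isPlainHostName(host)) return "DIRECT";
  // everything else goes via the real proxy
  return REAL_PROXY;
}

// Evaluate a list of URLs, deriving host from the URL as the browser does.
function evaluate(urls) {
  return urls.map((url) => {
    const host = new URL(url).hostname.toLowerCase();
    return { url, host, result: FindProxyForURL(url, host) };
  });
}

// Shows why the post places the trailing "*" after the "/": without it, the
// pattern also catches hosts that merely begin with "internalsite1".
function overMatchesWithoutSlash(url) {
  return {
    withoutSlash: shExpMatch(url, "*://internalsite1*"),
    withSlash: shExpMatch(url, "*://internalsite1/*"),
  };
}

// Constructed sample URLs for a quick run of the harness.
const SAMPLE_URLS = [
  "http://www.facebook.com/home",
  "https://internalsite1/app/",
  "http://internalsite1.fqdn.local/reports",
  "http://internalsite10/",       // must NOT be blocked by the internalsite1 rule
  "http://192.168.100.100/",
  "http://www.example.com/",
];

for (const row of evaluate(SAMPLE_URLS)) {
  console.log(row.url.padEnd(42), "->", row.result);
}
console.log("over-match check:", overMatchesWithoutSlash("http://internalsite10/"));
```

Run it with Node (`node pac-check.js`); adding a rule is then a matter of extending the rule set and the sample list and re-running before the file is published to the web server.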

This ie.pac file can be referenced in two ways. Either configure the relevant Group Policy entry to point to it or poke in the relevant Registry setting at logon using logon scripts, as shown:

RegWrite Array("HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings", "AutoConfigURL", "http://Internalwebsite.fqdn.local/restrictedsites/ie.pac", "REG_SZ")

In this case the ie.pac file is located on an internal web site, but it can also be referenced by a file share or local file (i.e. \\uncpath\ie.pac or c:\ie.pac).

Voila..  Happy URL restricting..

Filed under Windows 2003 | 3 Comments »

Types of memory usage

Posted on April 3rd, 2009

When running edgesight reports or looking into server memory usage, the following types of memory are listed:

  • Virtual
  • Private
  • Working set

In looking into a particular issue, I wanted to determine exactly what these different types are and this is what I found.

Virtual

Virtual Bytes is the total size of the non-free pages in a process’ virtual address space. This includes private, image and mapped pages (both reserved and committed pages).

Private

Private Bytes is the total size of the private pages that are not shared.

Working set

The working set of a program is a collection of those pages in its virtual address space that have been recently referenced. It includes both shared and private data. The shared data includes pages that contain all instructions your application executes, including those in your DLLs and the system DLLs. As the working set size increases, memory demand increases.

This is the overall ‘memory usage’ figure.

Useful links

Filed under Windows 2003 | No Comments »

Kerberos MaxTokenSize value

Posted on March 23rd, 2009

Windows enumerates the groups the user is a member of to determine which Group Policies to apply. If the user is a member of too many groups (from testing, around 165), this enumeration fails and no group policy is applied.

The default setting on Windows 2003 x64 servers is 12000 for the Kerberos MaxTokenSize entry. This is not enough for large environments.

Changing this entry to the maximum available (65535) resolves the issue and enables all the user groups to be enumerated and the correct group policies applied.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"MaxTokenSize"=dword:0000ffff

The server will need a reboot.

Filed under Windows 2003 | 2 Comments »

Regedit Favorites

Posted on December 16th, 2008

During an average day I spend a great deal of time in the Registry Editor (regedit.exe), and have done for the last 10 years or so, and today I discovered a new feature I was completely unaware of.

The ability to add favorites to regedit

How to add a favorite:

  • Browse to the relevant key
  • Click Favorites Menu | Add to favorites
  • Enter the name (i.e. HKLM – Run Key)
  • Now, wherever you are in the registry, select the Favorites menu and your favorite to jump straight to that location

How simple is that!

The favorites are saved to the following location

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites

As I move around different environments, with different profiles, I can create a quick reg file of the favorites I want, so on a new environment I can run the reg file before loading regedit to pre-populate these favorites.

Simple huh!

From the archives of – “well, I never knew that”

Filed under Windows 2003 | 2 Comments »

How to create special folders

Posted on December 12th, 2008

How to create special folders in Windows 2003 (and XP)

Right click | New | folder

ActiveX Cache Folder.{88C6C381-2E85-11D0-94DE-444553540000}
Briefcase.{85BBD920-42A0-1069-A2E4-08002B30309D}
Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}
Desktop.{00021400-0000-0000-C000-000000000046}
Dial-Up Networking.{992CFFA0-F557-101A-88EC-00DD010CCC48}
Fonts.{BD84B380-8CA2-1069-AB1D-08000948F534}
Inbox.{00020D75-0000-0000-C000-000000000046}
Internet Cache Folder.{7BD29E00-76C1-11CF-9DD0-00A0C9034933}
Internet Explorer.{FBF23B42-E3F0-101B-8488-00AA003E56F8}
Internet Explorer.{871C5380-42A0-1069-A2EA-08002B30309D}
Internet Mail.{89292102-4755-11CF-9DC2-00AA006C2B84}
Internet News.{89292103-4755-11CF-9DC2-00AA006C2B84}
Microsoft Outlook.{00020D75-0000-0000-C000-000000000046}
My Documents.{450d8fba-ad25-11d0-98a8-0800361b1103}
My Computer.{20D04FE0-3AEA-1069-A2D8-08002B30309D}
Network Neighborhood.{208D2C60-3AEA-1069-A2D7-08002B30309D}
Offline Web Pages.{F5175861-2688-11d0-9C5E-00AA00A45957}
Printers.{2227A280-3AEA-1069-A2DE-08002B30309D}
Recycle Bin.{645FF040-5081-101B-9F08-00AA002F954E}
Scheduled Tasks.{D6277990-4C6A-11CF-8D87-00AA0060F5BF}
Shell Favorite Folder.{1A9BA3A0-143A-11CF-8350-444553540000}
Shortcut.{00021401-0000-0000-C000-000000000046}
Subscriptions.{F5175861-2688-11d0-9C5E-00AA00A45957}
The Internet.{FBF23B42-E3F0-101B-8488-00AA003E56F8}
The Microsoft Network.{00028B00-0000-0000-C000-000000000046}
The Microsoft Windows 95 Product Team!.{869DADA0-42A0-1069-A2E7-08002B30309D}
User Internet History.{FF393560-C2A7-11CF-BFF4-444553540000}
Web Folders.{BDEADF00-C265-11d0-BCED-00A0C90AB50F}
FTP Folders.{63da6ec0-2e98-11cf-8d82-444553540000}

Right click | New | Shortcut (Windows 2003)

shell:Administrative Tools
shell:AppData
shell:CD Burning
shell:Cache
shell:Common Administrative Tools
shell:Common AppData
shell:Common Desktop
shell:Common Documents
shell:Common Programs
shell:Common Start Menu
shell:Common Startup
shell:Common Templates
shell:CommonPictures
shell:CommonVideo
shell:ConnectionsFolder
shell:ControlPanelFolder
shell:Cookies
shell:Desktop
shell:Favorites
shell:Fonts
shell:History
shell:InternetFolder
shell:Local AppData
shell:LocalizedResourcesDir
shell:My Music
shell:My Pictures
shell:My Video
shell:NetHood
shell:Personal
shell:PrintHood
shell:PrintersFolder
shell:Profile
shell:ProgramFiles
shell:Programs
shell:Recent
shell:RecycleBinFolder
shell:ResourceDir
shell:SendTo
shell:Start Menu
shell:Startup
shell:System
shell:SystemX86
shell:Templates
shell:Windows

Right click | New | Shortcut (Windows 2003)

shell:AddNewProgramsFolder
shell:Administrative Tools
shell:AppData
shell:AppUpdatesFolder
shell:CD Burning
shell:CSCFolder
shell:Cache
shell:ChangeRemoveProgramsFolder
shell:Common Administrative Tools
shell:Common AppData
shell:Common Desktop
shell:Common Documents
shell:Common Programs
shell:Common Start Menu
shell:Common Startup
shell:Common Templates
shell:CommonDownloads
shell:CommonMusic
shell:CommonPictures
shell:CommonVideo
shell:ConflictFolder
shell:ConnectionsFolder
shell:Contacts
shell:ControlPanelFolder
shell:Cookies
shell:CredentialManager
shell:CryptoKeys
shell:Default Gadgets
shell:Desktop
shell:Downloads
shell:DpapiKeys
shell:Favorites
shell:Fonts
shell:Gadgets
shell:GameTasks
shell:Games
shell:History
shell:InternetFolder
shell:Links
shell:Local AppData
shell:LocalAppDataLow
shell:LocalizedResourcesDir
shell:MAPIFolder
shell:My Music
shell:My Pictures
shell:My Video
shell:MyComputerFolder
shell:NetHood
shell:NetworkPlacesFolder
shell:OEM Links
shell:Original Images
shell:Personal
shell:PhotoAlbums
shell:Playlists
shell:PrintHood
shell:PrintersFolder
shell:Profile
shell:ProgramFiles
shell:ProgramFilesCommon
shell:ProgramFilesCommonX86
shell:ProgramFilesX86
shell:Programs
shell:Public
shell:PublicGameTasks
shell:Quick Launch
shell:Recent
shell:RecycleBinFolder
shell:ResourceDir
shell:SampleMusic
shell:SamplePictures
shell:SamplePlaylists
shell:SampleVideos
shell:SavedGames
shell:SearchHomeFolder
shell:Searches
shell:SendTo
shell:Start Menu
shell:Startup
shell:SyncCenterFolder
shell:SyncResultsFolder
shell:SyncSetupFolder
shell:System
shell:SystemCertificates
shell:SystemX86
shell:Templates
shell:TreePropertiesFolder
shell:UserProfiles
shell:UsersFilesFolder
shell:Windows

Enjoy!

Filed under Windows 2003, Windows 2008 | 2 Comments »
