RE: Forcing MSIE to re-authenticate with proxy each time it starts

From: Armistead, Jason <>
Date: Wed, 06 Aug 1997 20:29:01 -0400

Thanks David for your reply

The considerations are as follows:

1. Yes. ACLs with time values could be used to block after hours access,
but we're serving presently as a cache for the whole of our Australian
WAN (remote sites don't have hardware for a cache - yet). That doesn't
help with preventing cached passwords during normal work time though.

2. Since we're not running internal DNS yet, and since there is an
upstream proxy that goes through the firewall to the Internet proper,
users turning the proxy off couldn't get anywhere at all. We can always
force our local Cisco router to only accept packets destined for the
upstream proxy/firewall that come from our cache and Intranet web
servers, and not from any old PC. Probably also a similar approach from
the upstream proxy configuration too.

Besides, our users are not that sophisticated that they could work it
out for themselves. We don't divulge the upstream proxy IP address to

3. Using Netscape is not an option when compared with what amounts to
being "freeware" in the form of MSIE. Netscape is only used on our Unix
workstations, because of the lack of a Microsoft product (and because we
do have license for that many users....)


Jason Armistead

>From: David Richards[]
>Sent: Thursday, 7 August 1997 9:19
>To: Armistead, Jason
>Subject: Re: Forcing MSIE to re-authenticate with proxy each time it starts
> I believe one of the acl's that can be used is a time value, so
>for simple time manipulation, you could use that.
> You could make it so that no-one can access the internet outside
>of normal working hours....... But then there is the problem of your
>manager working back????
> Can the "undesirable users" bypass the proxy?? i.e. Turn proxies
> Just a thought.
>David Richards Ph: +61 7 3864 4354
>Network Programmer Fax: +61 7 3864 5272
>Computing Services e-mail:
>Queensland University of Technology
>On Wed, 6 Aug 1997, Armistead, Jason wrote:
>> Hi
>> I'm using Squid 1.1.11 on Solaris 2.5.1 with the acl_proxy_auth_patch
>> 1.1.11 applied (and compiled in).
>> All Internet access from our site has to be approved by management,
>> hence the use of Proxy Authorisation ACLs.
>> I want to force MSIE (Microsoft Internet Explorer) users to not be able
>> to cache their Proxy Authenticate username/password combos in their
>> password file (username.PWL in C:\WINDOWS), so they can't select the
>> "Save this password in your password list" box.
>> Basically this is to prevent after hours access to the proxy server by
>> people who could otherwise just allow MSIE to use an authenticated users
>> password information to gain access. e.g. night-shift factory workers
>> with an appetite for XXX rated materials using the day shift bosses
>> computer.
>> I also want to make sure that each day when MSIE is started, the "real"
>> user has to make a conscious effort to enter his/her credentials before
>> the Proxy will let them gain access.
>> Has anyone developed such functionality in the form of a patch/hack ?
>> I was thinking of adding to the PROXY_AUTH_ERR_MSG an extra part in the
>> realm which contains some sort of changing realm info e.g. part of the
>> date returned by asctime such as "Wed Aug 6", or simply "Aug 6". That
>> would force at least 1 years worth of different realm challenges to the
>> browser. Maybe I'd issue a different challenge after "normal" hours of
>> 5pm, to catch out any after hours "sneaks". So far I've got half of it
>> together and it seems to work.
>> Of course, there is a problem in that MSIE stores cached passwords in
>> the username.PWL file in C:\WINDOWS, and this has a tendency to grow
>> each time a new realm is presented. (They seem to have worked out the
>> security issues in relation to cracking passwords). Does anyone know if
>> the PWL file automatically "expires" and purges old passwords that
>> haven't been used for more than a certain period ? That would be nice,
>> and would save me worrying about some hideous undocumented Win 95
>> limitation. Maybe I could write a program along the lines of the
>> PWLedit program that Microsoft throws into the Admin\Apptools\Pwledit
>> directory of the Win95 CD-ROM ? Any suggestions welcome !!!!
>> Maybe I'm paranoid, but I don't want legitimate users suddenly having
>> log files which reveal apparent breaches of our Internet guidelines
>> policy, only to find out they aren't responsible at all......
>> Regards
>> Jason Armistead
>> >
Received on Wed Aug 06 1997 - 17:41:31 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:36:02 MST