Ricky Gao Blog - Enjoy Learning

Windows Proxy Settings and Processing Order

When it comes to Windows application proxy settings, people are often confused about the IE proxy settings, and when it comes to the IE proxy settings, the order in which the options are processed confuses them again.

Microsoft has not documented all of the Windows proxy settings very clearly, and even after searching around you may still find it hard to get a complete picture of how the different proxy settings relate to each other.

So when a Win32 application (a traditional Windows application, usually installed by running an .exe or .msi installer) requests network access, it goes through the following order:

———————————————————————————————————————————————————————————————————————————–

  • Apps with built-in proxy settings

If the Win32 application has its own built-in proxy settings, those are processed first.

———————————————————————————————————————————————————————————————————————————–

  • Apps using WinHTTP proxy settings

If the Win32 application uses the WinHTTP proxy settings, such as:

    • Windows system processes
    • Windows Store apps (Windows 8/8.1/10): this is why, even when the IE proxy has already been configured, some applications still cannot reach the Internet; this affects both downloading and launching Windows Store apps

Unfortunately, there is no UI for configuring the WinHTTP proxy settings in any Windows version, including Windows 10. The netsh command line is the way to configure the WinHTTP proxy settings.

You can use netsh to show, import, set or reset your WinHTTP proxy settings.

———————————————————————————————————————————————————————————————————————————–

  • Apps using the IE (WinINET) proxy

The IE (WinINET) proxy is the proxy setting people keep talking about and getting confused by, especially when it comes to the processing order.

1. Dial-up/VPN/RAS proxy settings (active/connected)

This is the proxy setting you can see on the properties of any active dial-up/VPN/RAS connection.

2. LAN proxy settings

The LAN proxy settings have also been duplicated into the Windows 8/8.1/10 modern (metro) Settings UI.

They are exactly the same settings as those in the IE proxy settings dialog.

The processing order always follows the reading sequence:

a. Automatically detect settings

This setting is ON by default. Windows will try to obtain the proxy settings from DHCP or DNS if the infrastructure supports it.

If not available, proceed to b.

b. Use automatic configuration script

If not available, proceed to c.

c. Manual proxy setup

If not available, proceed to the next section (no proxy).

———————————————————————————————————————————————————————————————————————————–

  • No proxy

If none of the above proxy settings is available, the application falls back to a direct connection instead.

Microsoft: The common configuration for this is to set the PAC file URL to an HTTP:// URL that is only available within your corporate network (e.g. http://proxy/pac.js). That way, the URL is inaccessible from outside your network, so that when you take your device home, the script is not used.
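As an added example (not from the original post), the PowerShell function below audits a machine against the order described above: it reads the WinHTTP layer through netsh and the WinINET (IE) LAN settings from the current user's registry, then reports which of a/b/c would apply or whether the fall-through is a direct connection. It assumes an English-language netsh output and the commonly documented flag layout of the DefaultConnectionSettings value; built-in application proxies cannot be read generically, so the report starts at the WinHTTP layer.

```powershell
# Added example, not code from the original post. Reports which proxy layer
# applies on this host, in the order the post describes (WinHTTP, then the
# WinINET a/b/c options, then direct). Run as the user whose IE settings you
# want to inspect; netsh winhttp does not need elevation to *show* the proxy.
function Get-ProxyLayerReport {
    $report = [ordered]@{}

    # Layer 2: WinHTTP (system processes, Store apps). Only netsh exposes it.
    $winhttp = (netsh winhttp show proxy) -join ' '
    $winhttp = ($winhttp -replace '\s+', ' ').Trim()
    if ($winhttp -match 'Direct access') { $report['WinHTTP'] = 'Direct (no proxy)' }
    else                                 { $report['WinHTTP'] = $winhttp }

    # Layer 3: WinINET (IE) LAN settings, stored per user in the registry.
    $key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $ie   = Get-ItemProperty -Path $key
    $conn = Get-ItemProperty -Path "$key\Connections" -ErrorAction SilentlyContinue
    # Assumed layout: byte 8 of DefaultConnectionSettings carries the checkbox
    # flags (0x02 manual proxy, 0x04 PAC script, 0x08 auto-detect).
    $flags = 0
    if ($conn -and $conn.DefaultConnectionSettings) { $flags = $conn.DefaultConnectionSettings[8] }

    $autoDetect = [bool]($flags -band 0x08)
    $pacUrl     = $null
    if (($flags -band 0x04) -and $ie.AutoConfigURL) { $pacUrl = $ie.AutoConfigURL }
    $manual     = $null
    if ($ie.ProxyEnable -eq 1 -and $ie.ProxyServer) { $manual = $ie.ProxyServer }

    $report['a. Automatically detect settings'] = $autoDetect
    $report['b. Automatic configuration script'] = $pacUrl
    $report['c. Manual proxy']                   = $manual
    $report['c. Bypass list']                    = $ie.ProxyOverride

    # Layer 4: direct connection is what remains when every WinINET option is off.
    if     ($autoDetect) { $report['Effective WinINET layer'] = 'a (auto-detect)' }
    elseif ($pacUrl)     { $report['Effective WinINET layer'] = 'b (PAC script)' }
    elseif ($manual)     { $report['Effective WinINET layer'] = 'c (manual proxy)' }
    else                 { $report['Effective WinINET layer'] = 'No proxy (direct)' }

    [pscustomobject]$report
}

Get-ProxyLayerReport | Format-List
```

A mismatch between the WinHTTP line and the effective WinINET layer is exactly the situation the post describes, where IE has a proxy but system processes or Store apps still go direct.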

References:

Understanding web proxy configuration

Windows proxy settings explained

How to enable Virtual TPM on Hyper-V

A TPM (Trusted Platform Module) is a must-have hardware chip on the Windows platform, and a VM (Virtual Machine) is always the easiest way to test.

However, when it comes to security testing that relies on a TPM, we need to talk about TPM support in VMs.

Fortunately, most virtualization platforms today support a virtual TPM, and most virtual TPM implementations do NOT need a hardware TPM on the host device.

Hyper-V is even free on Windows 10 (Pro or Enterprise edition), so our test environment can be as simple as one Windows 10 device with multiple VMs running on it.

In order to enable a virtual TPM, you have to meet the following prerequisites:

1. Hardware virtualization support: almost every CPU supports it today

The host device does NOT need a TPM chip (my own host machine has none).

2. Windows Server 2016 Technical Preview, Windows 10 build 10586 or higher versions

3. WinRM

winrm quickconfig


Enable Virtual TPM

  1. Open Windows PowerShell as an administrator.
  2. Run the following commands:

————————————————————————————————-

Enable-WindowsOptionalFeature -FeatureName IsolatedUserMode -Online

New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard -Force

New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard -Name EnableVirtualizationBasedSecurity -Value 1 -PropertyType DWord -Force

———————————————————————————————————————————————————————————————————


Reboot

Enable the VM TPM setting

Settings -> Security -> Trusted Platform Module

Start the VM

Check the TPM status

Troubleshooting:

Sometimes the steps above still do not get it working, especially when enabling it on existing VMs; in that case, try the following (thanks to my friend Bryce):

——————————————————————————————————————————

Enable-WindowsOptionalFeature -FeatureName IsolatedUserMode -Online

New-HgsGuardian -Name 'Guardian' -GenerateCertificates

$Owner = Get-HgsGuardian -Name 'Guardian'

$KeyProtector = New-HgsKeyProtector -Guardian $Owner -Owner $Owner -AllowUntrustedRoot

Set-VMKeyProtector -VMName 'Windows 10 Enterprise' -KeyProtector $KeyProtector.RawData

Enable-VMTPM -VMName 'Windows 10 Enterprise'

Replace 'Windows 10 Enterprise' with the name of your VM in Hyper-V.

——————————————————————————————————————————-
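As an added example (not the post's own commands), the function below wraps the troubleshooting sequence above in a single reusable step with the checks a practitioner wants before flipping the switch: it refuses Generation 1 or running VMs, reuses an existing guardian instead of creating a duplicate, and verifies the result from the host. It assumes the Hyper-V and HgsClient modules on a Windows 10 / Server 2016 host, an elevated PowerShell, and a VM name you supply ('Windows 10 Enterprise' is the post's placeholder); the guardian name 'Guardian' follows the post.

```powershell
# Added example, not the original post's code. Enables a virtual TPM on an
# existing Hyper-V VM with the sanity checks the manual sequence lacks.
function Enable-VmVirtualTpm {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [string]$GuardianName = 'Guardian'   # same local guardian name as the post
    )
    $vm = Get-VM -Name $VMName -ErrorAction Stop

    # vTPM requires a Generation 2 VM, and the key protector can only be
    # changed while the VM is powered off.
    if ($vm.Generation -ne 2) {
        throw "$VMName is Generation $($vm.Generation); a virtual TPM requires Generation 2."
    }
    if ($vm.State -ne 'Off') {
        throw "$VMName is $($vm.State); shut it down before changing the key protector."
    }

    # Reuse the guardian if it already exists, otherwise create a local one
    # with self-signed certificates (what the post's New-HgsGuardian line does).
    $guardian = Get-HgsGuardian -Name $GuardianName -ErrorAction SilentlyContinue
    if (-not $guardian) {
        $guardian = New-HgsGuardian -Name $GuardianName -GenerateCertificates
    }

    # Self-signed guardian certificates are why -AllowUntrustedRoot is needed;
    # acceptable for a lab, not for a production HGS-backed fabric.
    $kp = New-HgsKeyProtector -Owner $guardian -Guardian $guardian -AllowUntrustedRoot
    Set-VMKeyProtector -VMName $VMName -KeyProtector $kp.RawData
    Enable-VMTPM -VMName $VMName

    # Verify from the host; inside the guest, Get-Tpm should then show TpmPresent = True.
    $security = Get-VMSecurity -VMName $VMName
    if (-not $security.TpmEnabled) {
        throw "Virtual TPM still reports disabled on $VMName."
    }
    $security | Select-Object VMName, TpmEnabled, Shielded
}

Enable-VmVirtualTpm -VMName 'Windows 10 Enterprise'
```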

More information about the Hyper-V virtual TPM can be found here.

By rickygao on April 5, 2016 | HYPER-V, Tech, Windows Client | 2 comments
