This post is from Jeff, who put it into our discussion board, but it is so good that it just makes sense to be in the blog. Thanks to Jeff for putting this info together:

I've had a couple of customers ask me how to enhance/automate their troubleshooting when an end user observes a block that they weren't expecting. The Site Review ruleset posted here: Re: Block Page - Email Link - add URL and other good info is a good start, but if an administrator follows the link in the received email they might not get the same rules applied (because the administrator is using a different username and is a member of different groups), and the site might behave differently through MWG. The attached zip contains rulesets to help with this challenge. Note that the impersonation ruleset currently only resets the username and user groups. If other criteria (for example source IP) are used in your rulesets to determine the action, you will need to modify the rulesets accordingly.

This ruleset 1) allows authenticated users that match the Impersonation Users list (administrators) to impersonate any other user (and get the same reaction from MWG) without needing the end user's password, and 2) automatically generates a rule trace of the request. The rulesets are designed for an AD/NTLM environment but could be adapted for straight LDAP or Kerberos. Users in the Impersonation Users list can impersonate another user for 2 minutes following a request that adds the parameter impersonate=<username> to any URL.

The ruleset is supplemented by a logging rule that preserves the integrity of the access log and creates a separate log that includes the original user name and the impersonated user name. Also included in the zip is a modified version of the Site Review ruleset that adds the requesting user's email address and groups, as well as a link already configured to enable impersonation. The zip file also includes a README.txt with installation instructions. Note that the README is still pretty rough and may contain errors. If anyone uses it to install, I'd like feedback on how it could be improved.

Rule Sets

Impersonate_v2
[This ruleset allows users in the Impersonation Users list to impersonate other users for a time period determined by the Impersonate PDStorage settings. Default is 2 minutes. Impersonation is triggered by adding the URL parameter impersonate=<username> to the URL, where <username> is the username to be impersonated. If you wish to reset the impersonation prior to the end of the PDStorage setting, simply add the parameter with the username set to "clearimp" (without quotes). This ruleset is designed to work with MS AD LDAP. Don't forget to customize the Authentication Engine settings (Get LDAP Groups for Username) to match your environment. Ruleset designed and tested with AD only, many rules will need to be tweaked for other environments.]
Enabled
Applies to Requests: True / Responses: False / Embedded Objects: False
Criteria:
1: Authentication.IsAuthenticated equals true
2: AND Authentication.UserName is in list Impersonation Users
3: AND (URL.HasParameter("impersonate") equals true
4: OR PDStorage.GetUserData.String("ImpUser")<Impersonate PDStorage> does not equal "")

Nested rule set: Set Up Impersonation
Enabled
Applies to Requests: True / Responses: True / Embedded Objects: True
Criteria: Always

Rule: Turn Rule Tracing On by Default (Enabled)
Criteria:
1: (URL.HasParameter("tracing") equals false
2: AND PDStorage.GetUserData.String("ImpTracing")<Impersonate PDStorage> matches on)
3: OR URL.GetParameter("tracing") does not match off
Action: Continue
Events:
Enable RuleEngine Tracing
PDStorage.AddUserData.String("ImpTracing","on")<Impersonate PDStorage>
Comment: Turn on rule tracing unless URL parameter tracing equals off

Rule: Clear Impersonation (Enabled)
Criteria:
1: URL.HasParameter("impersonate") equals true
2: AND URL.GetParameter("impersonate") equals "clearimp"
Action: Stop Rule Set
Events:
Set User-Defined.Impersonate = false
PDStorage.DeleteUserData("ImpUser")
PDStorage.DeleteUserData("ImpGroups")
PDStorage.DeleteUserData("ImpTracing")
Comment: Set boolean flag and clear PDStorage

Rule: Set Impersonation Equal True (Enabled)
Criteria: Always
Action: Continue
Events:
Set User-Defined.Impersonate = true
Comment: Set boolean flag for easy use elsewhere and for logging and troubleshooting

Rule: Set Impersonate User From URL Parameter (Enabled)
Criteria:
1: URL.HasParameter("impersonate") equals true
Action: Continue
Events:
Set User-Defined.ImpersonateUser = URL.GetParameter("impersonate")
PDStorage.AddUserData.String("ImpUser",User-Defined.ImpersonateUser)<Impersonate PDStorage>
Comment: Pull user to impersonate from URL parameter and save to PDStorage

Rule: Set Impersonate User From PDStorage (Enabled)
Criteria:
1: URL.HasParameter("impersonate") equals false
Action: Continue
Events:
Set User-Defined.ImpersonateUser = PDStorage.GetUserData.String("ImpUser")<Impersonate PDStorage>
Comment: Get user to impersonate from PDStorage

Rule: Save Original User and Set New Username (Enabled)
Criteria: Always
Action: Continue
Events:
Set User-Defined.OriginalUser = Authentication.UserName
Set Authentication.UserName = User-Defined.ImpersonateUser
Set Authentication.RawUserName = User-Defined.ImpersonateUser
Comment: Save the original user and impersonated user for use in logging. Set Authentication.UserName and Authentication.RawUserName for use in impersonation.

Rule: Set New Groups from PDStorage (Enabled)
Criteria:
1: URL.HasParameter("impersonate") equals false
Action: Continue
Events:
Set Authentication.UserGroups = PDStorage.GetUserData.List.String("ImpGroups")<Impersonate PDStorage>
Comment: If the impersonate parameter does not exist, then groups must be stored in PDStorage. Get them!

Rule: Set New Groups from Base64 Encoded Groups Parameter (Enabled)
Criteria:
1: URL.HasParameter("groups") equals true
Action: Continue
Events:
Set Authentication.UserGroups = String.ToStringList(String.Base64Decode(URL.GetParameter("groups")),",","")
Comment: The modified Site Review ruleset will send the original groups base64 encoded as part of the impersonate URL. This can be used to make sure you are using the exact same groups as the original request.

Rule: Set New Groups by LDAP lookup (Enabled)
Criteria:
1: URL.HasParameter("impersonate") equals true
2: AND URL.HasParameter("groups") equals false
Action: Continue
Events:
Set Authentication.UserGroups = Authentication.GetUserGroups<Get LDAP User Groups For Username>
Set Authentication.UserName = User-Defined.ImpersonateUser
Set Authentication.RawUserName = User-Defined.ImpersonateUser
Comment: Set Authentication.UserGroups by looking up groups in LDAP. LDAP settings use samaccountname=%u for a filter and %u comes from Authentication.RawUserName. This process has the undesired effect of replacing Authentication.UserName with the LDAP fully qualified username. To correct that, Authentication.UserName is reset to User-Defined.ImpersonateUser.

Rule: Add Group From addgroup Parameter (Enabled)
Criteria:
1: URL.HasParameter("impersonate") equals true
2: AND URL.HasParameter("groups") equals false
3: AND URL.HasParameter("addgroup") equals true
Action: Continue
Events:
Set Authentication.UserGroups = List.OfString.Append(Authentication.UserGroups,URL.GetParameter("addgroup"))
Comment: Edit and enable this rule if you want to add a group to the group list. Note that the LDAP lookup against AD does not return the primary group, which is Domain Users by default.

Rule: Add Domain Users to LDAP Group List if No Group Match in Service Group List (Disabled)
Criteria:
1: URL.HasParameter("impersonate") equals true
2: AND URL.HasParameter("groups") equals false
3: AND Authentication.UserGroups none in list Service Groups List
Action: Continue
Events:
Set Authentication.UserGroups = List.OfString.Append(Authentication.UserGroups,"Domain Users")
Comment: Edit and enable this rule if you want to conditionally add groups to the group list. Note that the LDAP lookup against AD does not return the primary group, which is Domain Users by default.

Rule: Set PDStorage ImpGroups if Impersonate Parameter Present (Enabled)
Criteria:
1: URL.HasParameter("impersonate") equals true
Action: Continue
Events:
PDStorage.AddUserData.List.String("ImpGroups",Authentication.UserGroups)<Impersonate PDStorage>
Comment: Set PDStorage ImpGroups to match groups so that all requests that are part of the page will also be handled as if they were made by the user being impersonated. Length of time for impersonation is determined by the PDStorage setting (Impersonation PDStorage). Default is two minutes for the ruleset.

Nested rule set: Clear URL Parameters
Enabled
Applies to Requests: True / Responses: True / Embedded Objects: True
Criteria: Always

Rule: Remove Tracing Parameter (Enabled)
Criteria:
1: URL.HasParameter("tracing") equals true
2: AND URL.HasParameter("impersonate") equals true
Action: Continue
Events:
Set User-Defined.URL_Param_Search_String = String.ReplaceFirstMatch(URL.GetParameter("tracing"),regex((\S+)),"tracing=\1")
Set User-Defined.List_Position = List.OfString.Find(URL.Parameters,User-Defined.URL_Param_Search_String)
Set URL.Parameters = List.OfString.Erase(URL.Parameters,User-Defined.List_Position)
Comment: Remove the tracing parameter so that site operation is unaffected.

Rule: Remove Groups Parameter (Enabled)
Criteria:
1: URL.HasParameter("groups") equals true
2: AND URL.HasParameter("impersonate") equals true
Action: Continue
Events:
Set User-Defined.URL_Param_Search_String = String.ReplaceFirstMatch(URL.GetParameter("groups"),regex((\S+)),"groups=\1")
Set User-Defined.List_Position = List.OfString.Find(URL.Parameters,User-Defined.URL_Param_Search_String)
Set URL.Parameters = List.OfString.Erase(URL.Parameters,User-Defined.List_Position)
Comment: Remove the groups parameter so that site operation is unaffected.

Rule: Remove addgroup Parameter (Enabled)
Criteria:
1: URL.HasParameter("addgroup") equals true
2: AND URL.HasParameter("impersonate") equals true
Action: Continue
Events:
Set User-Defined.URL_Param_Search_String = String.ReplaceFirstMatch(URL.GetParameter("addgroup"),regex((\S+)),"addgroup=\1")
Set User-Defined.List_Position = List.OfString.Find(URL.Parameters,User-Defined.URL_Param_Search_String)
Set URL.Parameters = List.OfString.Erase(URL.Parameters,User-Defined.List_Position)
Comment: Remove the addgroup parameter so that site operation is unaffected.

Rule: Remove Impersonate Parameter (Enabled)
Criteria:
1: URL.HasParameter("impersonate") equals true
Action: Continue
Events:
Set User-Defined.URL_Param_Search_String = String.ReplaceFirstMatch(URL.GetParameter("impersonate"),regex((\S+)),"impersonate=\1")
Set User-Defined.List_Position = List.OfString.Find(URL.Parameters,User-Defined.URL_Param_Search_String)
Set URL.Parameters = List.OfString.Erase(URL.Parameters,User-Defined.List_Position)
Comment: Remove the impersonate parameter so that site operation is unaffected.
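To make the flow through Impersonate_v2 concrete, here is a small Python model of what the rule set does to a request: building the link the modified Site Review email carries (impersonate=, the base64 group list, tracing=), resolving the effective user and groups from the parameters or from the PDStorage window, and stripping the control parameters before the request goes upstream. This is an added example written for this post, not code from Jeff's zip and not MWG rule syntax. The Impersonation Users list, the LDAP lookup callback, the 120-second lifetime and the example.com URLs are constructed stand-ins; the page does not say whether the PDStorage window is refreshed by follow-up requests, so the model assumes a fixed window starting at the last request that carried impersonate=.

```python
import base64
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed stand-in for the "Impersonation Users" list (constructed sample data).
IMPERSONATION_USERS = {"Administrator", "helpdesk1"}
# Lifetime of the Impersonate PDStorage entry, 2 minutes by default in the rule set.
IMPERSONATION_TTL = 120
# Parameters that Impersonate_v2 consumes and "Clear URL Parameters" strips.
CONTROL_PARAMS = ("impersonate", "groups", "addgroup", "tracing")


def build_impersonation_url(blocked_url, username, groups=None, tracing=None):
    """Build the link the modified Site Review email carries: the blocked URL plus
    impersonate=<username>, optionally the original groups (joined with "," and
    base64-encoded, the inverse of String.ToStringList(String.Base64Decode(...),",",""))
    and tracing=on|off."""
    parts = urlsplit(blocked_url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("impersonate", username))
    if groups:
        query.append(("groups", base64.b64encode(",".join(groups).encode()).decode()))
    if tracing is not None:
        query.append(("tracing", "on" if tracing else "off"))
    return urlunsplit(parts._replace(query=urlencode(query)))


def strip_control_params(url):
    """What "Clear URL Parameters" does: drop the control parameters so the origin
    site receives the URL the end user originally requested."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in CONTROL_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def apply_impersonation(url, auth_user, auth_groups, ldap_lookup, store, now):
    """Model of one request passing through Impersonate_v2.

    store models the Impersonate PDStorage user data (ImpUser/ImpGroups) per
    authenticated user; expiry is assumed to be a fixed window from the last request
    that carried impersonate=. ldap_lookup(username) stands in for the "Get LDAP
    User Groups For Username" engine. Returns
    (effective_user, effective_groups, url_sent_upstream, tracing_on)."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    tracing_on = params.get("tracing", "") != "off"   # "Turn Rule Tracing On by Default"

    entry = store.get(auth_user)
    if entry is not None and entry["expires"] <= now:
        del store[auth_user]          # PDStorage entry aged out: admin is themselves again
        entry = None

    # Outer rule-set criteria: authenticated AND on the list AND (parameter OR stored ImpUser).
    if auth_user not in IMPERSONATION_USERS or ("impersonate" not in params and entry is None):
        return auth_user, list(auth_groups), url, False

    if "impersonate" not in params:
        # "Set Impersonate User From PDStorage" / "Set New Groups from PDStorage": embedded
        # objects and follow-up requests inside the window; nothing is stripped here.
        return entry["user"], list(entry["groups"]), url, tracing_on

    target = params["impersonate"]
    if target == "clearimp":          # "Clear Impersonation": stop the rule set, wipe PDStorage
        store.pop(auth_user, None)
        return auth_user, list(auth_groups), strip_control_params(url), False

    if "groups" in params:
        # "Set New Groups from Base64 Encoded Groups Parameter": taken as sent, so the only
        # gate on which groups an admin can claim is the Impersonation Users list.
        groups = base64.b64decode(params["groups"], validate=True).decode().split(",")
    else:
        # "Set New Groups by LDAP lookup", optionally extended by "Add Group From addgroup
        # Parameter" (AD does not return the primary group, e.g. Domain Users).
        groups = list(ldap_lookup(target))
        if "addgroup" in params:
            groups.append(params["addgroup"])

    # "Set PDStorage ImpGroups if Impersonate Parameter Present"
    store[auth_user] = {"user": target, "groups": groups, "expires": now + IMPERSONATION_TTL}
    return target, groups, strip_control_params(url), tracing_on
```

The groups parameter is accepted exactly as sent, which is what makes the trace faithful to the end user's request, but it also means anyone on the Impersonation Users list can assert any group membership for the length of the window. Keep that list to the administrators who actually work Site Review tickets, and keep the Impersonate Log ruleset in place so every use is attributable to the original account.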

 


 

 

 

The Impersonate Log ruleset creates an impersonate.log log file and fills it with entries that look like this:

[11/Mar/2011:15:33:00 +0000] "Administrator_as_jebeling" 192.168.197.112 403 "GET http://www.playboy.com/ HTTP/1.1" "Pornography" "Minimal Risk" "" 0 "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15" "" "10"

Rule Sets

Impersonate Log
Enabled
Applies to Requests: True / Responses: True / Embedded Objects: True
Criteria:
1: User-Defined.Impersonate equals true

Rule: Write Impersonate Log and Reset Original Username (Enabled)
Criteria: Always
Action: Continue
Events:
Set User-Defined.logLine =
     DateTime.ToWebReporterString +
     " """ +
     User-Defined.OriginalUser +
     "_as_" +
     Authentication.UserName +
     """ " +
     String.ReplaceIfEquals(IP.ToString(Client.IP),"","-") +
     " " +
     String.ReplaceIfEquals(Number.ToString(Response.StatusCode),"","-") +
     " """ +
     Request.Header.FirstLine +
     """ " +
     """" +
     List.OfCategory.ToString(URL.Categories(MostRecent)) +
     """ """ +
     URL.ReputationString(MostRecent) +
     """ """ +
     MediaType.ToString(MediaType.FromHeader) +
     """ " +
     String.ReplaceIfEquals(Number.ToString(Body.Size),"","-") +
     " """ +
     Header.Get("User-Agent") +
     """ """ +
     List.OfString.ToString(Antimalware.VirusNames(MostRecent)) +
     """ """ +
     Number.ToString(Block.ID) +
     """" +
     String.CRLF
FileSystemLogging.WriteLogEntry(User-Defined.logLine)<Impersonate Log Configuration>
Set Authentication.UserName = User-Defined.OriginalUser
Comment: Track impersonations in a separate log. The access log should report the original username for accuracy.
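Because the Impersonate Log is the only record tying an impersonated request back to the administrator who made it, it is worth being able to parse and audit it. The following Python is an added example, not part of Jeff's zip: it tokenises lines in the exact layout the "Write Impersonate Log" rule produces (bracketed timestamp, quoted and bare fields), splits the "<original>_as_<impersonated>" user field, and then reports who impersonated whom plus two findings a reviewer would want flagged. The first sample line is the one shown above; the other three lines, the Impersonation Users list and the protected-accounts list are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of impersonate.log in the format the "Write Impersonate Log"
# rule writes. The first line is the one shown on the page; the others are made up.
SAMPLE_LOG = '''\
[11/Mar/2011:15:33:00 +0000] "Administrator_as_jebeling" 192.168.197.112 403 "GET http://www.playboy.com/ HTTP/1.1" "Pornography" "Minimal Risk" "" 0 "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15" "" "10"
[11/Mar/2011:15:33:02 +0000] "Administrator_as_jebeling" 192.168.197.112 200 "GET http://www.example.com/ HTTP/1.1" "Business" "Minimal Risk" "text/html" 5120 "Mozilla/5.0" "" "0"
[11/Mar/2011:16:01:10 +0000] "helpdesk1_as_svc_backup" 192.168.197.50 200 "GET http://www.example.com/admin HTTP/1.1" "Business" "Minimal Risk" "text/html" 812 "curl/7.19" "" "0"
[11/Mar/2011:16:05:41 +0000] "jdoe_as_ceo" 192.168.197.77 200 "GET http://mail.example.com/ HTTP/1.1" "Web Mail" "Minimal Risk" "text/html" - "Mozilla/5.0" "" "0"
'''

# Field order exactly as the logLine is concatenated in the rule.
FIELDS = ("time", "user", "client_ip", "status", "request", "categories",
          "reputation", "media_type", "size", "user_agent", "virus_names", "block_id")

# A field is a [bracketed timestamp], a "quoted string" or a bare token.
TOKEN = re.compile(r'\[([^\]]*)\]|"([^"]*)"|(\S+)')


def _number(text):
    """Numeric fields are written as "-" when empty (String.ReplaceIfEquals)."""
    return int(text) if text.isdigit() else None


def parse_line(line):
    """Split one impersonate.log line into a dict, or return None if it does not have
    exactly the 12 fields the rule writes (for example when a field such as the
    User-Agent carried an embedded quote, which the rule does not escape)."""
    tokens = [b or q or w for b, q, w in TOKEN.findall(line)]
    if len(tokens) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, tokens))
    # The rule writes OriginalUser + "_as_" + impersonated name. Splitting on the first
    # occurrence is unambiguous as long as no administrator account contains "_as_".
    original, sep, impersonated = rec["user"].partition("_as_")
    if not sep:
        return None
    rec["original_user"], rec["impersonated_user"] = original, impersonated
    for key in ("status", "size", "block_id"):
        rec[key] = _number(rec[key])
    return rec


def audit(log_text, impersonation_users, protected_accounts):
    """Return ({(original, impersonated): count}, findings). Findings flag an original
    user who is not on the Impersonation Users list (the rule set should make that
    impossible, so it points at a stale list or an edited ruleset) and any
    impersonation of an account on the protected list."""
    counts = Counter()
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            findings.append("unparseable line: " + line[:60])
            continue
        counts[(rec["original_user"], rec["impersonated_user"])] += 1
        if rec["original_user"] not in impersonation_users:
            findings.append("%s: %s impersonated %s but is not on the Impersonation Users list"
                            % (rec["time"], rec["original_user"], rec["impersonated_user"]))
        if rec["impersonated_user"] in protected_accounts:
            findings.append("%s: %s impersonated protected account %s for %s"
                            % (rec["time"], rec["original_user"],
                               rec["impersonated_user"], rec["request"]))
    return dict(counts), findings
```

Run audit() over the real impersonate.log with your actual Impersonation Users list; a hit on the first finding means the log and the list have drifted apart and is worth treating as an incident rather than a typo.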

 

Modified Site Review