2 Replies. Latest reply: Jan 27, 2014 8:26 AM by jebeling

    Impersonation Ruleset for Administrative Troubleshooting

    jebeling

      I've had a couple customers ask me how to enhance/automate their troubleshooting when an end user observes a block that they weren't expecting. The Site Review ruleset that is posted here ("Re: Block Page - Email Link - add URL and other good info") is a good start, but if an administrator follows the link in the received email they might not get the same rules applied (because the administrator is using a different username and is a member of different groups) and the site might behave differently through MWG. The attached zip contains rulesets to help with this challenge. Note that the impersonation ruleset currently only resets the usernames and user groups. If there are other criteria (for example source IP) used in your rulesets to determine action, you will need to modify the rulesets accordingly.

      This ruleset 1) allows authenticated users that match the Impersonation Users list (administrators) to impersonate any other user (and get the same reaction from MWG) without needing the end user's password and 2) automatically generates a rule trace of the request. The rulesets are designed for an AD/NTLM environment but could be adapted for straight LDAP, or Kerberos. Users in the Impersonation Users list can impersonate another user for 2 minutes following a request that adds the parameter impersonate=<username> to any URL.

      The ruleset is supplemented by a logging rule that preserves the integrity of the access log and creates a separate log that includes the original user name and the impersonated user name. Also included in the zip is a modified version of the Site Review ruleset that adds the requesting user's email address, and groups, as well as a link already configured to enable impersonation. Zip file also includes README.txt with installation instructions. Note that the readme is still pretty rough and may contain errors. If anyone uses it to install, I'd like feedback on how it could be improved.

      Rule Sets
      Impersonate_v2
      [This ruleset allows users in the Impersonation Users list to impersonate other users for a time period determined by the Impersonate PDStorage settings. Default is 2 minutes. Impersonation is triggered by adding the URL parameter impersonate=<username> to the URL, where <username> is the username to be impersonated. If you wish to reset the impersonation prior to the end of the PDStorage setting, simply add the parameter with the username set to "clearimp" (without quotes). This ruleset is designed to work with MS AD LDAP. Don't forget to customize the Authentication Engine settings (Get LDAP Groups for Username) to match your environment. Ruleset designed and tested with AD only, many rules will need to be tweaked for other environments.]
      Enabled
      Applies to Requests: True / Responses: False / Embedded Objects: False
      Criteria:
      1: Authentication.IsAuthenticated equals true
      2: AND Authentication.UserName is in list Impersonation Users
      3: AND (URL.HasParameter("impersonate") equals true
      4: OR PDStorage.GetUserData.String("ImpUser")<Impersonate PDStorage> does not equal "")

      Rule Set: Set Up Impersonation
      Enabled
      Applies to Requests: True / Responses: True / Embedded Objects: True
      Criteria: Always

      Rule: Turn Rule Tracing On by Default (Enabled)
      Criteria:
      1: (URL.HasParameter("tracing") equals false
      2: AND PDStorage.GetUserData.String("ImpTracing")<Impersonate PDStorage> matches on)
      3: OR URL.GetParameter("tracing") does not match off
      Action: Continue
      Events:
      Enable RuleEngine Tracing
      PDStorage.AddUserData.String("ImpTracing","on")<Impersonate PDStorage>
      Comments: Turn on rule tracing unless URL parameter tracing equals off

      Rule: Clear Impersonation (Enabled)
      Criteria:
      1: URL.HasParameter("impersonate") equals true
      2: AND URL.GetParameter("impersonate") equals "clearimp"
      Action: Stop Rule Set
      Events:
      Set User-Defined.Impersonate = false
      PDStorage.DeleteUserData("ImpUser")
      PDStorage.DeleteUserData("ImpGroups")
      PDStorage.DeleteUserData("ImpTracing")
      Comments: Set boolean flag and clear PDStorage

      Rule: Set Impersonation Equal True (Enabled)
      Criteria: Always
      Action: Continue
      Events:
      Set User-Defined.Impersonate = true
      Comments: Set boolean flag for easy use elsewhere and for logging and troubleshooting

      Rule: Set Impersonate User From URL Parameter (Enabled)
      Criteria:
      1: URL.HasParameter("impersonate") equals true
      Action: Continue
      Events:
      Set User-Defined.ImpersonateUser = URL.GetParameter("impersonate")
      PDStorage.AddUserData.String("ImpUser",User-Defined.ImpersonateUser)<Impersonate PDStorage>
      Comments: Pull user to impersonate from URL Parameter and save to PDStorage

      Rule: Set Impersonate User From PDStorage (Enabled)
      Criteria:
      1: URL.HasParameter("impersonate") equals false
      Action: Continue
      Events:
      Set User-Defined.ImpersonateUser = PDStorage.GetUserData.String("ImpUser")<Impersonate PDStorage>
      Comments: Get user to impersonate from PDStorage

      Rule: Save Original User and Set New Username (Enabled)
      Criteria: Always
      Action: Continue
      Events:
      Set User-Defined.OriginalUser = Authentication.UserName
      Set Authentication.UserName = User-Defined.ImpersonateUser
      Set Authentication.RawUserName = User-Defined.ImpersonateUser
      Comments: Save the original user and impersonated user for use in logging. Set Authentication.Username and Authentication.RawUserName for use in impersonation.

      Rule: Set New Groups from PDStorage (Enabled)
      Criteria:
      1: URL.HasParameter("impersonate") equals false
      Action: Continue
      Events:
      Set Authentication.UserGroups = PDStorage.GetUserData.List.String("ImpGroups")<Impersonate PDStorage>
      Comments: If the impersonate parameter does not exist, then groups must be stored in PDStorage. Get them!

      Rule: Set New Groups from Base64 Encoded Groups Parameter (Enabled)
      Criteria:
      1: URL.HasParameter("groups") equals true
      Action: Continue
      Events:
      Set Authentication.UserGroups = String.ToStringList(String.Base64Decode(URL.GetParameter("groups")),",","")
      Comments: The modified site review ruleset will send the original groups base64 encoded as part of the impersonate URL. This can be used to make sure you are using the exact same groups as the original request.

      Rule: Set New Groups by LDAP lookup (Enabled)
      Criteria:
      1: URL.HasParameter("impersonate") equals true
      2: AND URL.HasParameter("groups") equals false
      Action: Continue
      Events:
      Set Authentication.UserGroups = Authentication.GetUserGroups<Get LDAP User Groups For Username>
      Set Authentication.UserName = User-Defined.ImpersonateUser
      Set Authentication.RawUserName = User-Defined.ImpersonateUser
      Comments: Set Authentication.Usergroups by looking up groups in LDAP. LDAP settings use samaccountname=%u for a filter and %u comes from Authentication.RawUsername. This process has the undesired effect of replacing Authentication.Username with the LDAP fully qualified username. To correct that, Authentication.Username is reset to User-defined.ImpersonateUser

      Rule: Add Group From addgroup Parameter (Enabled)
      Criteria:
      1: URL.HasParameter("impersonate") equals true
      2: AND URL.HasParameter("groups") equals false
      3: AND URL.HasParameter("addgroup") equals true
      Action: Continue
      Events:
      Set Authentication.UserGroups = List.OfString.Append(Authentication.UserGroups,URL.GetParameter("addgroup"))
      Comments: Edit and enable this rule if you want to add a group to the group list. Note that the LDAP lookup against AD does not return the primary group which is Domain Users by default

      Rule: Add Domain Users to LDAP Group List if No Group Match in Service Group List (Disabled)
      Criteria:
      1: URL.HasParameter("impersonate") equals true
      2: AND URL.HasParameter("groups") equals false
      3: AND Authentication.UserGroups none in list Service Groups List
      Action: Continue
      Events:
      Set Authentication.UserGroups = List.OfString.Append(Authentication.UserGroups,"Domain Users")
      Comments: Edit and enable this rule if you want to conditionally add groups to the group list. Note that the LDAP lookup against AD does not return the primary group which is Domain Users by default

      Rule: Set PDStorage ImpGroups if Impersonate Parameter Present (Enabled)
      Criteria:
      1: URL.HasParameter("impersonate") equals true
      Action: Continue
      Events:
      PDStorage.AddUserData.List.String("ImpGroups",Authentication.UserGroups)<Impersonate PDStorage>
      Comments: Set PDStorage ImpGroups to match groups so that all requests that are part of the page will also be handled as if they were made by the user being impersonated. Length of time for impersonation is determined by the PDStorage setting (Impersonation PDStorage). Default is two minutes for ruleset.

      Rule Set: Clear URL Parameters
      Enabled
      Applies to Requests: True / Responses: True / Embedded Objects: True
      Criteria: Always

      Rule: Remove Tracing Parameter (Enabled)
      Criteria:
      1: URL.HasParameter("tracing") equals true
      2: AND URL.HasParameter("impersonate") equals true
      Action: Continue
      Events:
      Set User-Defined.URL_Param_Search_String = String.ReplaceFirstMatch(URL.GetParameter("tracing"),regex((\S+)),"tracing=\1")
      Set User-Defined.List_Position = List.OfString.Find(URL.Parameters,User-Defined.URL_Param_Search_String)
      Set URL.Parameters = List.OfString.Erase(URL.Parameters,User-Defined.List_Position)
      Comments: Remove the tracing parameter so that site operation is unaffected.

      Rule: Remove Groups Parameter (Enabled)
      Criteria:
      1: URL.HasParameter("groups") equals true
      2: AND URL.HasParameter("impersonate") equals true
      Action: Continue
      Events:
      Set User-Defined.URL_Param_Search_String = String.ReplaceFirstMatch(URL.GetParameter("groups"),regex((\S+)),"groups=\1")
      Set User-Defined.List_Position = List.OfString.Find(URL.Parameters,User-Defined.URL_Param_Search_String)
      Set URL.Parameters = List.OfString.Erase(URL.Parameters,User-Defined.List_Position)
      Comments: Remove the groups parameter so that site operation is unaffected.

      Rule: Remove addgroup Parameter (Enabled)
      Criteria:
      1: URL.HasParameter("addgroup") equals true
      2: AND URL.HasParameter("impersonate") equals true
      Action: Continue
      Events:
      Set User-Defined.URL_Param_Search_String = String.ReplaceFirstMatch(URL.GetParameter("addgroup"),regex((\S+)),"addgroup=\1")
      Set User-Defined.List_Position = List.OfString.Find(URL.Parameters,User-Defined.URL_Param_Search_String)
      Set URL.Parameters = List.OfString.Erase(URL.Parameters,User-Defined.List_Position)
      Comments: Remove the addgroup parameter so that site operation is unaffected.

      Rule: Remove Impersonate Parameter (Enabled)
      Criteria:
      1: URL.HasParameter("impersonate") equals true
      Action: Continue
      Events:
      Set User-Defined.URL_Param_Search_String = String.ReplaceFirstMatch(URL.GetParameter("impersonate"),regex((\S+)),"impersonate=\1")
      Set User-Defined.List_Position = List.OfString.Find(URL.Parameters,User-Defined.URL_Param_Search_String)
      Set URL.Parameters = List.OfString.Erase(URL.Parameters,User-Defined.List_Position)
      Comments: Remove the impersonate parameter so that site operation is unaffected.

      The Impersonate Log ruleset creates an impersonate.log logfile and fills it with entries that look like this:

      [11/Mar/2011:15:33:00 +0000] "Administrator_as_jebeling" 192.168.197.112 403 "GET http://www.playboy.com/ HTTP/1.1" "Pornography" "Minimal Risk" "" 0 "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15" "" "10"

      The ruleset should be placed before the rule that writes the standard access log so that the access log reports the actual authenticated user.

      Rule Sets
      Impersonate Log
      Enabled
      Applies to Requests: True / Responses: True / Embedded Objects: True
      Criteria:
      1: User-Defined.Impersonate equals true

      Rule: Write Impersonate Log and Reset Original Username (Enabled)
      Criteria: Always
      Action: Continue
      Events:
      Set User-Defined.logLine =
           DateTime.ToWebReporterString +
           " "" +
           User-Defined.OriginalUser +
           "_as_" +
           Authentication.UserName +
           "" " +
           String.ReplaceIfEquals(IP.ToString(Client.IP),"","-") +
           " " +
           String.ReplaceIfEquals(Number.ToString(Response.StatusCode),"","-") +
           " "" +
           Request.Header.FirstLine +
           "" " +
           """ +
           List.OfCategory.ToString(URL.Categories(MostRecent)) +
           "" "" +
           URL.ReputationString(MostRecent) +
           "" "" +
           MediaType.ToString(MediaType.FromHeader) +
           "" " +
           String.ReplaceIfEquals(Number.ToString(Body.Size),"","-") +
           " "" +
           Header.Get("User-Agent") +
           "" "" +
           List.OfString.ToString(Antimalware.VirusNames(MostRecent)) +
           "" "" +
           Number.ToString(Block.ID) +
           """ +
           String.CRLF
      FileSystemLogging.WriteLogEntry(User-Defined.logLine)<Impersonate Log Configuration>
      Set Authentication.UserName = User-Defined.OriginalUser
      Comments: Track impersonations in separate log. Access log should report original username for accuracy

      Modified Site Review - Note that this also requires changes to the block pages so that parameters are properly passed from the original block page.

      Rule Sets
      SiteReview with Impersonation Link
      [Rule Set to manage the submission of a Site Review. Put this near the top of the Rule Sets, before any other URL filtering. Added user email address to submission if authenticated. Won't work if not after authentication. Needs to do LDAP lookup using "Get Email Address" authentication settings.]
      Enabled
      Applies to Requests: True / Responses: False / Embedded Objects: False
      Criteria:
      1: URL.Path equals "/mwg-internal/sitereview"

      Rule: SiteReview:Display Submission Page (Enabled)
      Criteria:
      1: URL.Path equals "/mwg-internal/sitereview"
      2: AND URL.HasParameter("request") equals true
      Action: Block<SiteReviewRequest>
      Comments: This redirects to the SiteReviewRequest.html page to enter comments.

      Rule: Get email Address and Restore Groups and Username (Enabled)
      Criteria:
      1: URL.HasParameter("submit") equals true
      2: AND Authentication.IsAuthenticated equals true
      Action: Continue
      Events:
      Set User-Defined.Groups = Authentication.UserGroups
      Set User-Defined.Username = Authentication.UserName
      Set User-Defined.email = List.OfString.ToString(Authentication.GetUserGroups<Get Email address>)
      Set Authentication.UserGroups = User-Defined.Groups
      Set Authentication.UserName = User-Defined.Username

      Rule: SiteReview:Create Email Subject (Enabled)
      Criteria:
      1: URL.Path equals "/mwg-internal/sitereview"
      2: AND URL.HasParameter("submit") equals true
      Action: Continue
      Events:
      Set User-Defined.SiteReviewSubject =
           "Site Review Request" +
           " User: " +
           String.Base64Decode(URL.GetParameter("user"))
      Comments: Generate the Subject of the Site Review Email

      Rule: SiteReview:Create Email Body (Enabled)
      Criteria:
      1: URL.Path equals "/mwg-internal/sitereview"
      2: AND URL.HasParameter("submit") equals true
      Action: Continue
      Events:
      Set User-Defined.SiteReviewBody =
           "Site Review Request" +
           String.CRLF +
           String.CRLF +
           "URL: " +
           String.Base64Decode(URL.GetParameter("url")) +
           String.CRLF +
           "Block Reason: " +
           String.Base64Decode(URL.GetParameter("blockres")) +
           String.CRLF +
           "Categories: " +
           String.Base64Decode(URL.GetParameter("categories")) +
           String.LF +
           String.CRLF +
           "User: " +
           String.Base64Decode(URL.GetParameter("user")) +
           " (" +
           IP.ToString(Client.IP) +
           ")" +
           String.CRLF +
           "User Email: " +
           User-Defined.email +
           String.CRLF +
           "Groups: " +
           String.Base64Decode(URL.GetParameter("groups")) +
           String.LF +
           String.CRLF +
           "Comments:" +
           String.CRLF +
           URL.GetParameter("comments") +
           String.CRLF +
           String.CRLF +
           "Date Generated: " +
           DateTime.ToISOString +
           String.CRLF +
           "Rule: " +
           String.Base64Decode(URL.GetParameter("rule")) +
           String.CRLF +
           "Gateway: " +
           System.HostName
      Comments: Generate the body of the Site Review Email

      Rule: Add Impersonate Link to Email Body for URLs with Parameters (Enabled)
      Criteria:
      1: URL.Path equals "/mwg-internal/sitereview"
      2: AND URL.HasParameter("submit") equals true
      3: AND String.Base64Decode(URL.GetParameter("url")) matches *=*
      Action: Continue
      Events:
      Set User-Defined.SiteReviewBody =
           User-Defined.SiteReviewBody +
           String.CRLF +
           String.CRLF +
           "Click this link to impersonate user and access the URL: " +
           String.Base64Decode(URL.GetParameter("url")) +
           "&impersonate=" +
           String.Base64Decode(URL.GetParameter("user")) +
           "&groups=" +
           URL.GetParameter("groups") +
           String.CRLF

      Rule: Add Impersonate Link to Email Body for URLs without Parameters (Enabled)
      Criteria:
      1: URL.Path equals "/mwg-internal/sitereview"
      2: AND URL.HasParameter("submit") equals true
      3: AND String.Base64Decode(URL.GetParameter("url")) does not match *=*
      Action: Continue
      Events:
      Set User-Defined.SiteReviewBody =
           User-Defined.SiteReviewBody +
           String.CRLF +
           String.CRLF +
           "Click this link to impersonate the user and access the URL: " +
           String.Base64Decode(URL.GetParameter("url")) +
           "?impersonate=" +
           String.Base64Decode(URL.GetParameter("user")) +
           "&groups=" +
           URL.GetParameter("groups") +
           String.CRLF

      Rule: SiteReview:Send Email Notification (Enabled)
      Criteria:
      1: URL.Path equals "/mwg-internal/sitereview"
      2: AND URL.HasParameter("submit") equals true
      Action: Continue
      Events:
      Email.Send("helpdesk@company.local",User-Defined.SiteReviewSubject,String.ReplaceAll(User-Defined.SiteReviewBody,"+"," "))<SiteReviewSMTPServer>
      Comments: ToDo: Make sure the SMTP configuration is set to your Email server, Make sure the Email Recipient is set properly.

      Rule: SiteReview:Request Submitted (Enabled)
      Criteria:
      1: URL.Path equals "/mwg-internal/sitereview"
      2: AND URL.HasParameter("submit") equals true
      Action: Block<SiteReviewSubmitted>

      Message was edited by: jebeling on 9/14/11 7:41:58 AM CDT

      Message was edited by: jebeling on 12/15/11 12:11:45 PM CST

      Message was edited by: jebeling on 12/15/11 12:15:44 PM CST
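As an added example (not part of the post, the attached zip, or MWG itself), the following Python script parses the impersonate.log line format the Impersonate Log ruleset writes and runs a small audit over it: it tallies who impersonated whom and flags any entry whose original user is not on the Impersonation Users list, which the ruleset should never produce, so a hit means the log or the list was altered. The first sample line is the one from the post; the other lines, the list contents and the function names are constructed for this example.

```python
import re
from collections import Counter
from datetime import datetime

# Field layout of impersonate.log as built by the "Write Impersonate Log" rule:
# WebReporter timestamp, "<original>_as_<impersonated>", client IP, status
# code, request first line, category, reputation, media type, body size,
# user agent, virus names, block ID.
LOG_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] '
    r'"(?P<orig>[^"]*?)_as_(?P<imp>[^"]*)" '   # split at the first "_as_"
    r'(?P<ip>\S+) (?P<status>\S+) '
    r'"(?P<request>[^"]*)" "(?P<category>[^"]*)" "(?P<reputation>[^"]*)" '
    r'"(?P<media>[^"]*)" (?P<size>\S+) "(?P<ua>[^"]*)" "(?P<virus>[^"]*)" '
    r'"(?P<block_id>[^"]*)"$'
)


def parse_line(line):
    """Parse one impersonate.log entry into a dict, or return None when the
    line does not have the expected layout (truncated write, foreign line)."""
    m = LOG_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    entry = m.groupdict()
    # WebReporter timestamp looks like 11/Mar/2011:15:33:00 +0000
    entry["time"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Request first line is "<method> <url> <version>"; keep method and URL.
    parts = entry["request"].split(" ")
    entry["method"] = parts[0]
    entry["url"] = parts[1] if len(parts) > 1 else ""
    return entry


def audit(lines, impersonation_users):
    """Summarise original->impersonated pairs and flag entries whose original
    user is not on the Impersonation Users list (constructed check)."""
    pairs = Counter()
    flagged = []
    unparsed = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            unparsed.append(line)
            continue
        pairs[(entry["orig"], entry["imp"])] += 1
        if entry["orig"] not in impersonation_users:
            flagged.append(entry)
    return {"pairs": pairs, "flagged": flagged, "unparsed": unparsed}


# Constructed sample log: first line is the example from the post, the rest
# are made-up entries (one of them from a user who is not an impersonator).
SAMPLE_LOG = [
    '[11/Mar/2011:15:33:00 +0000] "Administrator_as_jebeling" 192.168.197.112 403 '
    '"GET http://www.playboy.com/ HTTP/1.1" "Pornography" "Minimal Risk" "" 0 '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.15) '
    'Gecko/20110303 Firefox/3.6.15" "" "10"',
    '[27/Jan/2014:08:26:00 +0000] "helpdesk1_as_alice" 10.0.0.5 200 '
    '"GET http://intranet.example.local/ HTTP/1.1" "Business" "Minimal Risk" '
    '"text/html" 5120 "Mozilla/5.0" "" "0"',
    '[27/Jan/2014:08:27:00 +0000] "bob_as_alice" 10.0.0.6 403 '
    '"GET http://example.com/ HTTP/1.1" "Uncategorized" "Unverified" "" 0 '
    '"curl/7.30" "" "10"',
    'this line is not an impersonate.log entry',
]

# Stands in for the ruleset's Impersonation Users list (constructed).
IMPERSONATION_USERS = {"Administrator", "helpdesk1"}

if __name__ == "__main__":
    report = audit(SAMPLE_LOG, IMPERSONATION_USERS)
    for (orig, imp), n in sorted(report["pairs"].items()):
        print(f"{orig} impersonated {imp}: {n} request(s)")
    for entry in report["flagged"]:
        print("FLAGGED:", entry["ts"], entry["orig"], "->", entry["imp"], entry["url"])
    print("unparsed lines:", len(report["unparsed"]))
```

Usernames containing "_as_" would make the pair ambiguous; the regex splits at the first occurrence, which is the right choice when the original (administrator) account names are known not to contain it.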
        • 1. Re: Impersonation Ruleset for Administrative Troubleshooting
          jebeling

          Please note that PDstorage timeouts are currently (7.3.0 and earlier at a minimum) "inactivity timeouts", meaning only if the pdstorage value is not checked (...Has... property) or read (...Get... property) for the amount of time specified in the timeout, it will expire. Otherwise it will live forever. This means that once you set impersonate, it may not clear after the PDStorage timeout (default 2 minutes) if requests are continually being made by the original user id. This could happen if multiple browsers or clients are using the same credentials, or if some web page or web app is continuously updating itself, or if the timeout was extended significantly from the default of 2 minutes.

          This problem should be entirely avoidable by only using impersonate when the original user is logged on to only one machine with a single browser session in a single tab.

          However, if this problem does occur, it is recommended that the administrative user shuts down all browsers and any apps using HTTP through MWG, and then starts a new browser session with a single window to a static web page for example www.mcafee.com. Then, make a request for that webpage with the clearimp parameter, for example http://www.mcafee.com?impersonate=clearimp
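An added model of the inactivity-timeout behaviour described in this reply (constructed Python, not MWG code and not part of the ruleset): a store whose Has/Get calls refresh the key's timer, replayed against the ruleset's entry check (ImpUser not equal to ""). It shows that a client polling every 30 seconds keeps a 2-minute impersonation alive indefinitely, that a clearimp request ends it, and, as a hypothetical hardening the posted ruleset does not include, how storing the time the impersonation was set (an assumed extra key, ImpSetTime) gives an absolute cap regardless of activity.

```python
class InactivityStore:
    """Constructed model of PDStorage user data with an inactivity timeout:
    every Has/Get on a key refreshes that key's timer, so a key read more
    often than the timeout never expires."""

    def __init__(self, timeout_s, clock):
        self.timeout_s = timeout_s
        self.clock = clock            # callable returning "now" in seconds
        self.data = {}                # key -> (value, last_touched)

    def _touch_if_alive(self, key):
        if key not in self.data:
            return False
        value, touched = self.data[key]
        if self.clock() - touched >= self.timeout_s:
            del self.data[key]        # no activity within the timeout: expired
            return False
        self.data[key] = (value, self.clock())   # activity resets the timer
        return True

    def add(self, key, value):
        self.data[key] = (value, self.clock())

    def has(self, key):
        return self._touch_if_alive(key)

    def get(self, key, default=""):
        return self.data[key][0] if self._touch_if_alive(key) else default

    def delete(self, key):
        self.data.pop(key, None)


def clear_impersonation(store):
    """What the Clear Impersonation rule does for impersonate=clearimp
    (ImpSetTime is the hypothetical extra key used by the absolute cap)."""
    for key in ("ImpUser", "ImpGroups", "ImpTracing", "ImpSetTime"):
        store.delete(key)


def simulate(request_times, timeout_s=120, absolute_cap_s=None, clearimp_at=None):
    """Start an impersonation at t=0, replay requests made with the original
    user's credentials at the given times (seconds), and return the times at
    which the ruleset's entry check, PDStorage.GetUserData.String("ImpUser")
    does not equal "", would still see the impersonation as active.

    absolute_cap_s: hypothetical hardening, clear once the impersonation is
    older than this many seconds regardless of activity.
    clearimp_at:    time of a request carrying impersonate=clearimp."""
    now = [0]
    store = InactivityStore(timeout_s, lambda: now[0])
    store.add("ImpUser", "jebeling")      # set by impersonate=jebeling at t=0
    store.add("ImpSetTime", "0")          # hypothetical extra key
    active_at = []
    for t in request_times:
        now[0] = t
        if clearimp_at is not None and t == clearimp_at:
            clear_impersonation(store)    # Clear Impersonation rule, Stop Rule Set
            continue
        active = store.get("ImpUser") != ""
        if active and absolute_cap_s is not None:
            set_time = store.get("ImpSetTime")
            if set_time == "" or t - float(set_time) >= absolute_cap_s:
                clear_impersonation(store)
                active = False
        if active:
            active_at.append(t)
    return active_at


if __name__ == "__main__":
    polling = range(30, 601, 30)   # a page refreshing itself every 30 s for 10 min
    print("polling, no cap  :", simulate(polling))
    print("single late hit  :", simulate([300]))
    print("polling, 120s cap:", simulate(polling, absolute_cap_s=120))
    print("clearimp at 60 s :", simulate(polling, clearimp_at=60))
```

The first scenario is the failure mode the reply warns about: with activity every 30 seconds the 2-minute timeout never fires, so the original user stays impersonated for the whole 10 minutes; the absolute cap ends it at 120 seconds no matter how busy the client is.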

          • 2. Re: Impersonation Ruleset for Administrative Troubleshooting
            jebeling

            Updated readme to clarify.