1104 Views, 2 Replies, Latest reply: Jan 27, 2014 8:26 AM by jebeling
jebeling, Newcomer, 28 posts since Nov 15, 2010
Dec 15, 2011 12:15 PM

Impersonation Ruleset for Administrative Troubleshooting

I've had a couple of customers ask me how to enhance/automate their troubleshooting when an end user observes a block that they weren't expecting. The Site Review ruleset that is posted here: Re: Block Page - Email Link - add URL and other good info is a good start, but if an administrator follows the link in the received email they might not get the same rules applied (because the administrator is using a different username and is a member of different groups) and the site might behave differently through MWG. The attached zip contains rulesets to help with this challenge. Note that the impersonation ruleset currently only resets the usernames and user groups. If there are other criteria (for example source IP) used in your rulesets to determine action, you will need to modify the rulesets accordingly.

This ruleset 1) allows authenticated users that match the Impersonation Users list (administrators) to impersonate any other user (and get the same reaction from MWG) without needing the end user's password and 2) automatically generates a rule trace of the request. The rulesets are designed for an AD/NTLM environment but could be adapted for straight LDAP or Kerberos. Users in the Impersonation Users list can impersonate another user for 2 minutes following a request that adds the parameter impersonate=<username> to any URL.

The ruleset is supplemented by a logging rule that preserves the integrity of the access log and creates a separate log that includes the original user name and the impersonated user name. Also included in the zip is a modified version of the Site Review ruleset that adds the requesting user's email address and groups, as well as a link already configured to enable impersonation. The zip file also includes README.txt with installation instructions. Note that the readme is still pretty rough and may contain errors. If anyone uses it to install, I'd like feedback on how it could be improved.

Rule Sets
Impersonate_v2
[This ruleset allows users in the Impersonation Users list to impersonate other users for a time period determined by the Impersonate PDStorage settings. Default is 2 minutes. Impersonation is triggered by adding the URL parameter impersonate=<username> to the URL, where <username> is the username to be impersonated. If you wish to reset the impersonation prior to the end of the PDStorage setting, simply add the parameter with the username set to "clearimp" (without quotes). This ruleset is designed to work with MS AD LDAP. Don't forget to customize the Authentication Engine settings (Get LDAP Groups for Username) to match your environment. Ruleset designed and tested with AD only, many rules will need to be tweaked for other environments.]
Enabled
Applies to Requests: True / Responses: False / Embedded Objects: False
1: Authentication.IsAuthenticated equals true
2: AND Authentication.UserName is in list Impersonation Users
3: AND (URL.HasParameter("impersonate") equals true
4: OR PDStorage.GetUserData.String("ImpUser")<Impersonate PDStorage> does not equal "")
Set Up Impersonation
Enabled
Applies to Requests: True / Responses: True / Embedded Objects: True
Always
Enabled | Rule | Action | Events | Comments

Enabled: Turn Rule Tracing On by Default
1: (URL.HasParameter("tracing") equals false
2: AND PDStorage.GetUserData.String("ImpTracing")<Impersonate PDStorage> matches on)
3: OR URL.GetParameter("tracing") does not match off
Action: Continue
Events:
Enable RuleEngine Tracing
PDStorage.AddUserData.String("ImpTracing","on")<Impersonate PDStorage>
Comment: Turn on rule tracing unless URL parameter tracing equals off

Enabled: Clear Impersonation
1: URL.HasParameter("impersonate") equals true
2: AND URL.GetParameter("impersonate") equals "clearimp"
Action: Stop Rule Set
Events:
Set User-Defined.Impersonate = false
PDStorage.DeleteUserData("ImpUser")
PDStorage.DeleteUserData("ImpGroups")
PDStorage.DeleteUserData("ImpTracing")
Comment: Set boolean flag and clear PDStorage

Enabled: Set Impersonation Equal True
Always
Action: Continue
Events:
Set User-Defined.Impersonate = true
Comment: Set boolean flag for easy use elsewhere and for logging and troubleshooting

Enabled: Set Impersonate User From URL Parameter
1: URL.HasParameter("impersonate") equals true
Action: Continue
Events:
Set User-Defined.ImpersonateUser = URL.GetParameter("impersonate")
PDStorage.AddUserData.String("ImpUser",User-Defined.ImpersonateUser)<Impersonate PDStorage>
Comment: Pull user to impersonate from URL parameter and save to PDStorage

Enabled: Set Impersonate User From PDStorage
1: URL.HasParameter("impersonate") equals false
Action: Continue
Events:
Set User-Defined.ImpersonateUser = PDStorage.GetUserData.String("ImpUser")<Impersonate PDStorage>
Comment: Get user to impersonate from PDStorage

Enabled: Save Original User and Set New Username
Always
Action: Continue
Events:
Set User-Defined.OriginalUser = Authentication.UserName
Set Authentication.UserName = User-Defined.ImpersonateUser
Set Authentication.RawUserName = User-Defined.ImpersonateUser
Comment: Save the original user and impersonated user for use in logging. Set Authentication.UserName and Authentication.RawUserName for use in impersonation.

Enabled: Set New Groups from PDStorage
1: URL.HasParameter("impersonate") equals false
Action: Continue
Events:
Set Authentication.UserGroups = PDStorage.GetUserData.List.String("ImpGroups")<Impersonate PDStorage>
Comment: If the impersonate parameter does not exist, then groups must be stored in PDStorage. Get them!

Enabled: Set New Groups from Base64 Encoded Groups Parameter
1: URL.HasParameter("groups") equals true
Action: Continue
Events:
Set Authentication.UserGroups = String.ToStringList(String.Base64Decode(URL.GetParameter("groups")),",","")
Comment: The modified site review ruleset will send the original groups base64 encoded as part of the impersonate URL. This can be used to make sure you are using the exact same groups as the original request.

Enabled: Set New Groups by LDAP lookup
1: URL.HasParameter("impersonate") equals true
2: AND URL.HasParameter("groups") equals false
Action: Continue
Events:
Set Authentication.UserGroups = Authentication.GetUserGroups<Get LDAP User Groups For Username>
Set Authentication.UserName = User-Defined.ImpersonateUser
Set Authentication.RawUserName = User-Defined.ImpersonateUser
Comment: Set Authentication.UserGroups by looking up groups in LDAP. LDAP settings use samaccountname=%u for a filter and %u comes from Authentication.RawUserName. This process has the undesired effect of replacing Authentication.UserName with the LDAP fully qualified username. To correct that, Authentication.UserName is reset to User-Defined.ImpersonateUser.

Enabled: Add Group From addgroup Parameter
1: URL.HasParameter("impersonate") equals true
2: AND URL.HasParameter("groups") equals false
3: AND URL.HasParameter("addgroup") equals true
Action: Continue
Events:
Set Authentication.UserGroups = List.OfString.Append(Authentication.UserGroups,URL.GetParameter("addgroup"))
Comment: Edit and enable this rule if you want to add a group to the group list. Note that the LDAP lookup against AD does not return the primary group, which is Domain Users by default.

Disabled: Add Domain Users to LDAP Group List if No Group Match in Service Group List
1: URL.HasParameter("impersonate") equals true
2: AND URL.HasParameter("groups") equals false
3: AND Authentication.UserGroups none in list Service Groups List
Action: Continue
Events:
Set Authentication.UserGroups = List.OfString.Append(Authentication.UserGroups,"Domain Users")
Comment: Edit and enable this rule if you want to conditionally add groups to the group list. Note that the LDAP lookup against AD does not return the primary group, which is Domain Users by default.

Enabled: Set PDStorage ImpGroups if Impersonate Parameter Present
1: URL.HasParameter("impersonate") equals true
Action: Continue
Events:
PDStorage.AddUserData.List.String("ImpGroups",Authentication.UserGroups)<Impersonate PDStorage>
Comment: Set PDStorage ImpGroups to match groups so that all requests that are part of the page will also be handled as if they were made by the user being impersonated. Length of time for impersonation is determined by the PDStorage setting (Impersonate PDStorage). Default is two minutes for the ruleset.
Clear URL Parameters
Enabled
Applies to Requests: True / Responses: True / Embedded Objects: True
Always
Enabled | Rule | Action | Events | Comments

Enabled: Remove Tracing Parameter
1: URL.HasParameter("tracing") equals true
2: AND URL.HasParameter("impersonate") equals true
Action: Continue
Events:
Set User-Defined.URL_Param_Search_String = String.ReplaceFirstMatch(URL.GetParameter("tracing"),regex((\S+)),"tracing=\1")
Set User-Defined.List_Position = List.OfString.Find(URL.Parameters,User-Defined.URL_Param_Search_String)
Set URL.Parameters = List.OfString.Erase(URL.Parameters,User-Defined.List_Position)
Comment: Remove the tracing parameter so that site operation is unaffected.

Enabled: Remove Groups Parameter
1: URL.HasParameter("groups") equals true
2: AND URL.HasParameter("impersonate") equals true
Action: Continue
Events:
Set User-Defined.URL_Param_Search_String = String.ReplaceFirstMatch(URL.GetParameter("groups"),regex((\S+)),"groups=\1")
Set User-Defined.List_Position = List.OfString.Find(URL.Parameters,User-Defined.URL_Param_Search_String)
Set URL.Parameters = List.OfString.Erase(URL.Parameters,User-Defined.List_Position)
Comment: Remove the groups parameter so that site operation is unaffected.

Enabled: Remove addgroup Parameter
1: URL.HasParameter("addgroup") equals true
2: AND URL.HasParameter("impersonate") equals true
Action: Continue
Events:
Set User-Defined.URL_Param_Search_String = String.ReplaceFirstMatch(URL.GetParameter("addgroup"),regex((\S+)),"addgroup=\1")
Set User-Defined.List_Position = List.OfString.Find(URL.Parameters,User-Defined.URL_Param_Search_String)
Set URL.Parameters = List.OfString.Erase(URL.Parameters,User-Defined.List_Position)
Comment: Remove the addgroup parameter so that site operation is unaffected.

Enabled: Remove Impersonate Parameter
1: URL.HasParameter("impersonate") equals true
Action: Continue
Events:
Set User-Defined.URL_Param_Search_String = String.ReplaceFirstMatch(URL.GetParameter("impersonate"),regex((\S+)),"impersonate=\1")
Set User-Defined.List_Position = List.OfString.Find(URL.Parameters,User-Defined.URL_Param_Search_String)
Set URL.Parameters = List.OfString.Erase(URL.Parameters,User-Defined.List_Position)
Comment: Remove the impersonate parameter so that site operation is unaffected.
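To check the parameter handling of the Impersonate_v2 and Clear URL Parameters rules outside MWG, here is an added Python model of that logic (example code, not part of the posted ruleset). The ldap_groups dictionary is a hypothetical stand-in for the "Get LDAP User Groups For Username" engine, and the 2-minute PDStorage persistence across requests is not modelled.

```python
import base64
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameters the rule set consumes and strips before the request reaches the site.
CONTROL_PARAMS = ("impersonate", "groups", "addgroup", "tracing")

@dataclass
class Impersonation:
    user: Optional[str]            # None: no parameter; "": cleared via clearimp
    groups: List[str] = field(default_factory=list)
    tracing: bool = True
    cleaned_url: str = ""          # what the site sees after Clear URL Parameters

def handle_request(url: str, ldap_groups: Dict[str, List[str]]) -> Impersonation:
    """Apply the Impersonate_v2 parameter logic to one URL. ldap_groups is a
    hypothetical stand-in for the 'Get LDAP User Groups For Username' engine;
    the 2-minute PDStorage persistence across requests is not modelled."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    ctrl = {k: v for k, v in params if k in CONTROL_PARAMS}
    # Clear URL Parameters: drop the control parameters, keep everything else.
    kept = [(k, v) for k, v in params if k not in CONTROL_PARAMS]
    cleaned = urlunsplit(parts._replace(query=urlencode(kept)))
    # Turn Rule Tracing On by Default: tracing stays on unless tracing=off.
    tracing = ctrl.get("tracing", "on").lower() != "off"
    user = ctrl.get("impersonate")
    if user is None:
        return Impersonation(None, [], tracing, cleaned)
    if user == "clearimp":         # Clear Impersonation sentinel
        return Impersonation("", [], tracing, cleaned)
    if "groups" in ctrl:
        # Set New Groups from Base64 Encoded Groups Parameter (comma separated)
        decoded = base64.b64decode(ctrl["groups"]).decode()
        groups = [g for g in decoded.split(",") if g]
    else:
        # Set New Groups by LDAP lookup, then Add Group From addgroup Parameter;
        # the rules apply addgroup only when no groups parameter was sent.
        groups = list(ldap_groups.get(user, []))
        if "addgroup" in ctrl:
            groups.append(ctrl["addgroup"])
    return Impersonation(user, groups, tracing, cleaned)
```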

Impersonate Log ruleset creates an impersonate.log logfile and fills it with entries that look like this:

[11/Mar/2011:15:33:00 +0000] "Administrator_as_jebeling" 192.168.197.112 403 "GET http://www.playboy.com/ HTTP/1.1" "Pornography" "Minimal Risk" "" 0 "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15" "" "10"

The ruleset should be placed before the rule that writes the standard access log so that the access log reports the actual authenticated user.

Rule Sets
Impersonate Log
Enabled
Applies to Requests: True / Responses: True / Embedded Objects: True
1: User-Defined.Impersonate equals true
Enabled | Rule | Action | Events | Comments

Enabled: Write Impersonate Log and Reset Original Username
Always
Action: Continue
Events:
Set User-Defined.logLine =
     DateTime.ToWebReporterString +
     " "" +
     User-Defined.OriginalUser +
     "_as_" +
     Authentication.UserName +
     "" " +
     String.ReplaceIfEquals(IP.ToString(Client.IP),"","-") +
     " " +
     String.ReplaceIfEquals(Number.ToString(Response.StatusCode),"","-") +
     " "" +
     Request.Header.FirstLine +
     "" " +
     """ +
     List.OfCategory.ToString(URL.Categories(MostRecent)) +
     "" "" +
     URL.ReputationString(MostRecent) +
     "" "" +
     MediaType.ToString(MediaType.FromHeader) +
     "" " +
     String.ReplaceIfEquals(Number.ToString(Body.Size),"","-") +
     " "" +
     Header.Get("User-Agent") +
     "" "" +
     List.OfString.ToString(Antimalware.VirusNames(MostRecent)) +
     "" "" +
     Number.ToString(Block.ID) +
     """ +
     String.CRLF
FileSystemLogging.WriteLogEntry(User-Defined.logLine)<Impersonate Log Configuration>
Set Authentication.UserName = User-Defined.OriginalUser
Comment: Track impersonations in a separate log. The access log should report the original username for accuracy.
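Since impersonate.log is the only record of who acted as whom, it is worth being able to parse it and reconcile it against the Impersonation Users list. The following is an added Python example (not part of the posted ruleset) that reads entries in the exact field order of User-Defined.logLine above; the sample lines are constructed to match that layout.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set

# One named group per element of User-Defined.logLine, in the same order.
LOG_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] "(?P<orig>[^"]*?)_as_(?P<imp>[^"]*)" (?P<ip>\S+) '
    r'(?P<status>\S+) "(?P<request>[^"]*)" "(?P<categories>[^"]*)" '
    r'"(?P<reputation>[^"]*)" "(?P<media>[^"]*)" (?P<size>\S+) '
    r'"(?P<user_agent>[^"]*)" "(?P<viruses>[^"]*)" "(?P<block_id>[^"]*)"$'
)

SAMPLE_LOG = [  # constructed entries, same layout as the one shown in the post
    '[11/Mar/2011:15:33:00 +0000] "Administrator_as_jebeling" 192.0.2.10 403 '
    '"GET http://www.example.com/ HTTP/1.1" "Pornography" "Minimal Risk" "" 0 '
    '"Mozilla/5.0" "" "10"',
    '[11/Mar/2011:15:34:12 +0000] "Administrator_as_jebeling" 192.0.2.10 200 '
    '"GET http://intranet.example.com/ HTTP/1.1" "Business" "Minimal Risk" '
    '"text/html" 5120 "Mozilla/5.0" "" "0"',
    '[11/Mar/2011:15:40:02 +0000] "bsmith_as_jdoe" 192.0.2.11 403 '
    '"GET http://www.example.net/ HTTP/1.1" "Gambling" "Unverified" "" 0 '
    '"Mozilla/5.0" "" "10"',
]

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one impersonate.log entry, or None when the
    line does not match the layout (truncated line, foreign log format)."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def impersonations(lines: List[str]) -> Dict[str, Set[str]]:
    """Map each original (administrator) account to the set of users it
    impersonated, so the log can be reconciled against Impersonation Users."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        entry = parse_line(line)
        if entry:
            seen[entry["orig"]].add(entry["imp"])
    return dict(seen)

def unexpected_impersonators(lines: List[str], allowed: Set[str]) -> Set[str]:
    """Original accounts present in the log but absent from the Impersonation
    Users list; any hit means impersonation is not limited to the intended
    administrators and the rule set criteria need to be checked."""
    return set(impersonations(lines)) - allowed
```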

Modified Site Review - Note that this also requires changes to the block pages so that parameters are properly passed from the original block page.

Rule Sets
SiteReview with Impersonation Link
[Rule Set to manage the submission of a Site Review. Put this near the top of the Rule Sets, before any other URL filtering. Added user email address to submission if authenticated. Won't work if not after authentication. Needs to do LDAP lookup using "Get Email Address" authentication settings.]
Enabled
Applies to Requests: True / Responses: False / Embedded Objects: False
1: URL.Path equals "/mwg-internal/sitereview"
Enabled | Rule | Action | Events | Comments

Enabled: SiteReview:Display Submission Page
1: URL.Path equals "/mwg-internal/sitereview"
2: AND URL.HasParameter("request") equals true
Action: Block<SiteReviewRequest>
Comment: This redirects to the SiteReviewRequest.html page to enter comments.

Enabled: Get email Address and Restore Groups and Username
1: URL.HasParameter("submit") equals true
2: AND Authentication.IsAuthenticated equals true
Action: Continue
Events:
Set User-Defined.Groups = Authentication.UserGroups
Set User-Defined.Username = Authentication.UserName
Set User-Defined.email = List.OfString.ToString(Authentication.GetUserGroups<Get Email address>)
Set Authentication.UserGroups = User-Defined.Groups
Set Authentication.UserName = User-Defined.Username

Enabled: SiteReview:Create Email Subject
1: URL.Path equals "/mwg-internal/sitereview"
2: AND URL.HasParameter("submit") equals true
Action: Continue
Events:
Set User-Defined.SiteReviewSubject =
     "Site Review Request" +
     " User: " +
     String.Base64Decode(URL.GetParameter("user"))
Comment: Generate the Subject of the Site Review Email

Enabled: SiteReview:Create Email Body
1: URL.Path equals "/mwg-internal/sitereview"
2: AND URL.HasParameter("submit") equals true
Action: Continue
Events:
Set User-Defined.SiteReviewBody =
     "Site Review Request" +
     String.CRLF +
     String.CRLF +
     "URL: " +
     String.Base64Decode(URL.GetParameter("url")) +
     String.CRLF +
     "Block Reason: " +
     String.Base64Decode(URL.GetParameter("blockres")) +
     String.CRLF +
     "Categories: " +
     String.Base64Decode(URL.GetParameter("categories")) +
     String.LF +
     String.CRLF +
     "User: " +
     String.Base64Decode(URL.GetParameter("user")) +
     " (" +
     IP.ToString(Client.IP) +
     ")" +
     String.CRLF +
     "User Email: " +
     User-Defined.email +
     String.CRLF +
     "Groups: " +
     String.Base64Decode(URL.GetParameter("groups")) +
     String.LF +
     String.CRLF +
     "Comments:" +
     String.CRLF +
     URL.GetParameter("comments") +
     String.CRLF +
     String.CRLF +
     "Date Generated: " +
     DateTime.ToISOString +
     String.CRLF +
     "Rule: " +
     String.Base64Decode(URL.GetParameter("rule")) +
     String.CRLF +
     "Gateway: " +
     System.HostName
Comment: Generate the body of the Site Review Email

Enabled: Add Impersonate Link to Email Body for URLs with Parameters
1: URL.Path equals "/mwg-internal/sitereview"
2: AND URL.HasParameter("submit") equals true
3: AND String.Base64Decode(URL.GetParameter("url")) matches *=*
Action: Continue
Events:
Set User-Defined.SiteReviewBody =
     User-Defined.SiteReviewBody +
     String.CRLF +
     String.CRLF +
     "Click this link to impersonate user and access the URL: " +
     String.Base64Decode(URL.GetParameter("url")) +
     "&impersonate=" +
     String.Base64Decode(URL.GetParameter("user")) +
     "&groups=" +
     URL.GetParameter("groups") +
     String.CRLF

Enabled: Add Impersonate Link to Email Body for URLs without Parameters
1: URL.Path equals "/mwg-internal/sitereview"
2: AND URL.HasParameter("submit") equals true
3: AND String.Base64Decode(URL.GetParameter("url")) does not match *=*
Action: Continue
Events:
Set User-Defined.SiteReviewBody =
     User-Defined.SiteReviewBody +
     String.CRLF +
     String.CRLF +
     "Click this link to impersonate the user and access the URL: " +
     String.Base64Decode(URL.GetParameter("url")) +
     "?impersonate=" +
     String.Base64Decode(URL.GetParameter("user")) +
     "&groups=" +
     URL.GetParameter("groups") +
     String.CRLF

Enabled: SiteReview:Send Email Notification
1: URL.Path equals "/mwg-internal/sitereview"
2: AND URL.HasParameter("submit") equals true
Action: Continue
Events:
Email.Send("helpdesk@company.local",User-Defined.SiteReviewSubject,String.ReplaceAll(User-Defined.SiteReviewBody,"+"," "))<SiteReviewSMTPServer>
Comment: ToDo: Make sure the SMTP configuration is set to your Email server. Make sure the Email Recipient is set properly.

Enabled: SiteReview:Request Submitted
1: URL.Path equals "/mwg-internal/sitereview"
2: AND URL.HasParameter("submit") equals true
Action: Block<SiteReviewSubmitted>

Message was edited by: jebeling on 9/14/11 7:41:58 AM CDT

Message was edited by: jebeling on 12/15/11 12:11:45 PM CST

Message was edited by: jebeling on 12/15/11 12:15:44 PM CST