1

There seems to be a piece of software, related to Microsoft Proxy, called "MSP Client" - which I assume stands for Microsoft Proxy Client.

Of course it doesn't have to be a piece of software, MSP Client could be the client that is using MSP.

But what is this software? Is it something that is installed as a protocol or service on a network adapter, and intercepts all traffic destined for the internet and transparently routes it through a proxy server - but first using the Windows credentials of the user making the TCP request to see if they're allowed to use the internet?

My real question comes down to: how is Microsoft Proxy able to know who I am, based on a TCP socket open request? i.e. if I try to connect to a TCP server, Proxy is able to inject itself between, and know who I am. Then my attempts to make a TCP sockets connection, e.g.:

>telnet torrent.consonto.com 6881

can succeed or fail depending on if I am allowed access.

My confusion comes from the fact that a TCP socket connect doesn't contain any NT identification information. How is Windows able to know it's "me"?

Ian Boyd

2 Answers

2

The Microsoft Proxy client (now called the Microsoft Firewall Client) shims into the Windows Sockets subsystem and implements a "backchannel" protocol between your client and the Microsoft Proxy (today ISA Server) server computer. Additional metadata about your security context is sent along with new connection requests such that the server "knows who you are". This is really kind of devious on Microsoft's part, and a fairly neat use of the "layered" nature of network protocols. It does get you wondering, doesn't it, how a TCP socket can have security-related metadata... heh heh...

Sniff the traffic coming off a machine with the Microsoft Proxy Client installed and you'll see TCP connections getting tunneled through the Microsoft Proxy client's backchannel connection to the Proxy / ISA server. (You'll see the plaintext data of your TCP conversation, but the conversation will be between your client and the ISA server.)

There's a fairly elaborate configuration mechanism that can control the proxy client's behaviour and allow some connections to be initiated directly on the wire versus over the backchannel to the Proxy / ISA server.

It is awfully odd to be seeing a Microsoft Proxy client installed on a machine in 2009. If the executable says that's what it is, though, then it's distinctly possible.

Evan Anderson
  • Actually what makes me really wonder more is why people think this is so smart. 10 years ago many commercial firewalls had a client for the additional metadata (WHO ARE YOU, USER?) which allows you to for example define internet access policies based - transparently - on user identity, not an IP address. These days many people think that the level of security a Linux firewall gives you is good enough. Note: for HTTP you can handle this differently, but the issue is really with "any software using socks", not a specific protocol. – TomTom Dec 15 '10 at 14:36
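
A toy model of the backchannel idea described in the answer above, added here as an illustration; it is not code from the original posts and not the Firewall Client's actual wire format. The frame layout, the `POLICY` table and the function names are invented for this sketch, and the user name is simply asserted here, where a deployable design has to authenticate it.

```python
import json
import socket
import struct

# Constructed policy (assumption): destination ports each user may reach.
POLICY = {"CORP\\alice": {80, 443}, "CORP\\bob": {80, 443, 6881}}
MAX_FRAME = 4096  # refuse oversized control frames

def send_frame(sock, obj):
    body = json.dumps(obj).encode()
    sock.sendall(struct.pack("!I", len(body)) + body)  # 4-byte length prefix

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-frame")
        buf += chunk
    return buf

def recv_frame(sock):
    (length,) = struct.unpack("!I", recv_exact(sock, 4))
    if length > MAX_FRAME:
        raise ValueError("oversized control frame")
    return json.loads(recv_exact(sock, length))

def proxy_decide(backchannel):
    # Proxy side: the decision is keyed on the user in the frame, not the source IP.
    req = recv_frame(backchannel)
    user, port = req.get("user"), req.get("port")
    ok = (req.get("op") == "connect" and isinstance(user, str)
          and isinstance(port, int) and port in POLICY.get(user, set()))
    send_frame(backchannel, {"status": "allow" if ok else "deny"})
    return ok

def shim_connect(user, host, port):
    # Client side: what a socket-layer shim sends in place of a direct connect().
    client, proxy = socket.socketpair()  # stands in for the TCP backchannel
    try:
        send_frame(client, {"op": "connect", "user": user, "host": host, "port": port})
        proxy_decide(proxy)  # in a real deployment this runs on the proxy server
        return recv_frame(client)["status"]
    finally:
        client.close()
        proxy.close()

if __name__ == "__main__":
    for who in ("CORP\\alice", "CORP\\bob"):
        print(who, shim_connect(who, "torrent.consonto.com", 6881))
```

The TCP connect itself still carries no identity; the identity travels in the control frame the shim sends before any application data.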
1

What is the actual name of the executable? Microsoft Proxy Server was released in 1997 and ran on Windows NT 4.0, so the odds of you running into it now are pretty low. The current version is ISA server, which does come with an ISA Server client, but it is not referred to as MSP client (the actual executable is FwcMgmt.exe).

Sean Earp
  • FwcMgmt.exe is the firewall client management UI, to pick a nit. FwcAgent.Exe is the background task, running as LOCAL_SERVICE by default. – Evan Anderson Jul 08 '09 at 15:54
  • You're right :) I was assuming that the question came from finding something called "MSP Client" running in task manager, although it is hard to tell from the original question. – Sean Earp Jul 08 '09 at 15:59