Detecting Internet Facing Servers

I really hope someone can just give me a pre-made solution for this :smiley:

I have tried this…

if {exists file "C:\BigFixTemp\netcheck.ps1"}
    delete "C:\BigFixTemp\netcheck.ps1"
endif

if {exists file "C:\BigFixTemp\netcheck.txt"}
    delete "C:\BigFixTemp\netcheck.txt"
endif

delete __Download\netcheck.ps1
createfile until EOF
try {{
    $wc = New-Object System.Net.WebClient
    $wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
    $wc.DownloadString("http://www.google.com") | Out-Null
    "Total Success" | Out-File -FilePath "C:\BigFixTemp\netcheck.txt" -Encoding ASCII
} catch {{
    "Failed" | Out-File -FilePath "C:\BigFixTemp\netcheck.txt" -Encoding ASCII
}
EOF
copy __createfile C:\BigFixTemp\netcheck.ps1
waithidden {pathname of file ((it as string) of value "Path" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of native registry)} -executionpolicy remotesigned -File "C:\BigFixTemp\netcheck.ps1"

It works but the problem is that an individual user on the endpoint may well have a proxy set and thus they have access to the internet so this would never detect that.

The other problem is that the proxy a user might have set - may not even work so I can’t just assume that by having a proxy configured they have access to the internet.

I’m really hoping someone has had this issue before and can help?

I’m a bit confused on what you’re trying to do. Are you trying to verify the system has Internet access, or verify that it does not?

If you’re trying to block Internet access, the best way is going to be controlling the network. Firewalls, Proxies, IDS, IPS. In second place would be EDR tools, your antivirus, CrowdStrike, CarbonBlack, etc. As a last option I’d consider managing host-based firewall rules with BigFix actions.

If you’re trying to prove that Internet access is working, you should track the expected proxies for any given environment and use those proxies in your test. Then you might also consider checking the user’s registry hives to verify their proxy is set the way you expect.

Even if you have the script execute in the user’s context (using ‘override wait’ options), the user may have different proxies configured for different browsers, shell environment, WinSock, etc. and you might have to consider “which” user-configured proxy to try. Instead, I think you should maintain the list of what proxies the user should be using, and if they change that proxy, they could well break themselves. (Even better is to configure the proxy for them, with Fixlets :slight_smile: )

1 Like

Sorry, I wasn’t very clear with the “what” of my request :frowning:

Essentially I’m trying to find any servers that are internet facing - so have access to the internet at any level.

I considered looking at the proxy side of things but figured that could be exhaustive as they might be using a pac file or IP addresses or fqdn - it could be a huge list to verify against and then I’d need to trawl through everywhere to see if they had it configured anywhere.

I set up a simple BigFix PowerShell Task that attempts a port 443 connection. It works for internet or internal sites, but would not catch every edge case. For example, Firefox can be set up with a Proxy connection, etc.

$testConnection = Test-NetConnection -ComputerName www.google.com -Port 443

If ($testConnection.TcpTestSucceeded) {
    return 0
}
else {
    throw 1
}
1 Like

If you’re assuming unauthenticated proxy access, I’d probably iterate through a list of proxies and try the downloads on each.
There’s probably a way in PowerShell to configure proxy for the connection, but I’m not familiar enough with that.
Based on some of my notes I think the PowerShell could loop through several statements like this to iterate through different proxies:

Invoke-WebRequest -Proxy http://proxy.ip:8080 https://sync.bigfix.com/cgi-bin/bfgather/bessupport

I’ve done that with ‘curl’ though. You can use commands like

curl -S -f -k https://www.google.com

curl -S -f -k --proxy http://proxy:8080 https://www.google.com

curl -S -f -k --proxy http://proxy:8080 --proxy-user username:password https://www.google.com

The first is a direct connection, the second is a proxy connection without authentication, the third is a proxy connection with basic authentication. There are many more proxy authentication options in Curl, everything from certificates to Kerberos or whatever else one might imagine.

You could step through a series of those in the Action, stopping when any of the connections are successful. If all of the connections fail, that’s a pretty good indication of No Internet Access, I think.

To check whether any users have a configured proxy at the Windows/Winsock2 layer, at least, you could check the Registry keys beneath HKEY_USERS. This checks for at least all logged-on users or recently-loaded profile registry hives:

q: (pathname of it, concatenation "; " of ((name of it & ":" & it as string) of values ("ProxyEnable";"Proxy") of it)) of keys "Software\Microsoft\Windows\CurrentVersion\Internet Settings" of keys of keys "HKEY_USERS" of native registry
A: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings, ProxyEnable:0
A: HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings, 
A: HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings, 
A: HKEY_USERS\S-1-5-21-474380057-1838352999-1581317240-10427\Software\Microsoft\Windows\CurrentVersion\Internet Settings, ProxyEnable:0; Proxy:http://127.0.0.1:8080
A: HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings, ProxyEnable:0

You might filter those for only cases where ProxyEnable is 1, if you like.

I’m not sure whether a system-wide proxy at HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings is even valid but you could validate that and check on yours as well.

1 Like
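Putting the two ideas from the post above together (a direct attempt, then each candidate proxy, plus the per-user proxy settings under HKEY_USERS) as one script. This is an added example, not code from the thread or from BigFix; the $KnownProxies value and the second URL are placeholders, and it reads the standard WinINET value ProxyServer rather than a value named Proxy.

```powershell
# Added example: try a direct connection, then each candidate proxy, against several URLs.
# $KnownProxies and the second URL are placeholders; replace them with your site's values.
$KnownProxies = @('http://proxy.example.internal:8080')
$Urls = @('https://www.google.com', 'https://www.example.com')

function Get-UserProxies {
    # WinINET settings from every loaded hive under HKEY_USERS, only where ProxyEnable is 1.
    # ProxyServer holds either "host:port" or "http=host:port;https=host:port".
    Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue | ForEach-Object {
        $key = "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($p -and $p.ProxyEnable -eq 1 -and $p.ProxyServer) {
            foreach ($entry in ($p.ProxyServer -split ';')) {
                $hostPort = ($entry -split '=')[-1].Trim()
                if ($hostPort -notmatch '^\w+://') { $hostPort = "http://$hostPort" }
                $hostPort
            }
        }
    } | Sort-Object -Unique
}

function Test-InternetPath {
    param([string[]]$Proxies, [string[]]$Urls)
    # $null in the candidate list stands for a direct connection.
    foreach ($proxy in (@($null) + $Proxies)) {
        foreach ($url in $Urls) {
            $req = @{ Uri = $url; UseBasicParsing = $true; TimeoutSec = 10; ErrorAction = 'Stop' }
            if ($proxy) { $req.Proxy = $proxy; $req.ProxyUseDefaultCredentials = $true }
            $ok = $false
            try { Invoke-WebRequest @req | Out-Null; $ok = $true } catch { }
            $label = if ($proxy) { $proxy } else { 'direct' }
            [pscustomobject]@{ Proxy = $label; Url = $url; Reachable = $ok }
        }
    }
}

$candidates = @($KnownProxies) + @(Get-UserProxies) | Sort-Object -Unique
$results = Test-InternetPath -Proxies $candidates -Urls $Urls
$results | Format-Table -AutoSize
$working = $results | Where-Object Reachable | ForEach-Object Proxy | Sort-Object -Unique
if ($working) {
    "Total Success via: $($working -join ', ')" | Out-File C:\BigFixTemp\netcheck.txt -Encoding ASCII
    exit 0
}
"Failed" | Out-File C:\BigFixTemp\netcheck.txt -Encoding ASCII
exit 1
```

When run from a BigFix action as SYSTEM, HKEY_USERS only contains hives that are currently loaded, so proxies of users who are not logged on will not be picked up.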

I think this hits the same case that I hit - it will tell you for the user that BigFix executes commands as, but not for other users of the server :frowning:

“Internet-facing” in my honest opinion means something else - it’s a machine that is reachable from the internet (there is some traffic allowed from outside to it) and as such, generally, “Internet-facing” or “external-facing” systems are the most critical to an organization because they are attack points. Whether or not a machine has outgoing traffic allowed does not make it “internet-facing”, as a machine can reach the internet and still have all incoming connectivity blocked. From that perspective, detecting “internet-facing” is not really possible at the machine level.

If you are just looking for machines that have an internet connection then what you have is generally OK, but be careful: there are some filters/per-website things that can be applied to block only certain websites while the machine can reach others… I would add 3 separate websites to check per machine to be thorough, where the others should be OS-specific vendor websites - e.g. *.windowsupdate.microsoft.com, azure.com, amazonaws.com, etc.

3 Likes

With the multiple users scenario, I think the best option is to simply gather a report on whether a user has configured a proxy and deal with them manually… or maybe you could loop through any proxy and see if it works from the system side, hard-coding the proxy address…

I also know BigFix, I think, can run as a user, so maybe you could have something running as the current logged-in user and do that “often” enough to identify when that occurs… or use a scheduled task to run at login, export results, and then capture the results.

You were spot on!

Anyone got any ideas :smiley: ?

@FatScottishGuy are you saying you are looking for servers which are accessible from the outside world?

This is not quite “simple” -

  1. Machines which have a NIC with a Public IP Address - those are less common; this is easy, you can check the Public IP Ranges on those NICs with Client Relevance.
  2. Machines which are being accessed from the outside world through D-NAT or a Reverse Proxy - more common; most of the time there will be a Public IP which will be translated through the services mentioned above to the Internal IP address. From the BigFix Client perspective the request came from an Internal IP device.

The best approach should be to have a Tool / Service which will scan the Public IP range the company has and search for open ports.

1 Like

I had been thinking about it today, trying to work out if there was anything BigFix could do, and my solution, untested and still purely a thought in my head, would be to place a file in a location on the server that would be accessible to the external Web, then have an Internet facing relay do a download now for that file to see if it was accessible or not.

It’s far from foolproof and indeed may not even work, but I’d be happy to listen to thoughts on it.

How will the Internet Facing Relay contact the Web Server?

DNS name ? IP?

If it’s a DNS Name - to which IP will the Relay translate it? An Internal or Public one?

If it’s IP - Internal or Public?

I think I’d have it try a download now to the ip address and the fqdn to see if it resolves…

Right, but in order for this to work, you’d need to have a web server running on each machine and configured on every single port too, so that making the attempt through the firewall on port X actually aligns with an app listening on it, and this is if they are not “translating ports” (i.e. they open port “50000” on the external firewall but when you connect to host:50000 that sends your traffic to MachineName:40000)… If they are translating them you can sniff an open port but you’d not know which one it is in reality. I would imagine some lightweight standalone web server software could work, but still - installing additional software just to test, and besides, “internet-facing” is not necessarily on default ports only - you’d need to attempt 64k times to scan each available port for each machine…

I’d honestly tell them “Can’t be done because it’s effort prohibitive”, and send them to the Security team - they are the ones who configure the ports to be open on the perimeter firewall devices, so let them jump on every such device and dump the open ports - once they produce a report of all open ports and to which IP address(es) those port(s) are open, then you can work with that to match the IP addresses to endpoints!

Yeah I definitely agree Angel, when I had an attempt at it today it’s gonna be an absolute nightmare to make it work.

Huge thanks for everyone’s input. :blue_heart:

I do have examples on BigFixMe of actions that get a computer’s public IP address.

This might not be exactly what you want, because if the computer is behind a NAT, it will give the IP of the NAT, but that is still useful info.

You could then compare that public IP with the list of IPs on all the network adapters to see if there is a match, but even then that isn’t exactly right if it is behind a load balancer but is reachable through the load balancer.

There are some others as well.

1 Like

Fantastic mate, thanks so much!

1 Like