• Revisiting WPAD

    #1876636

    I’m running a few Win 7 systems (Ultimate & Home Prem).

    So, back in 2016, WPAD (Web Proxy Auto-Discovery) was found to be a gaping hole in Windows security.  A number of articles were published on the web, which described the issues and how to disable WPAD.  For example: https://www.pcworld.com/article/3105998/disable-wpad-now-or-have-your-accounts-and-private-data-compromised.html

    So, back then, I performed the steps to disable WPAD that were commonly documented at the time:

    Uncheck the “Automatically detect settings” in “Local Area Network (LAN) Settings”.

    Set the “WinHTTP Web Proxy Auto-Discovery Service” to Disabled.

    I added the registry setting to disable WPAD bypass:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadOverride -> 0

    I also changed the IE setting to disable automatically detecting settings (redundant because I switched from IE to firefox years ago).  I couldn’t change any of the documented group policies for WPAD because those policies don’t exist on my systems (I don’t employ a windows domain).

    And that was that.  At the time, I had no way to actually confirm the changes stopped wpad proxy queries…

    Fast forward to today (2019).  Now I’m using a pihole DNS filter for my home net.  And in the pihole query logs I was seeing a lot of these kinds of entries from my Win 7 systems:

    2019-07-18 10:23:49 A wpad.zzz foo OK (forwarded) NXDOMAIN

    In the above, “zzz” is my local domain name and “foo” is the host name of one of the Win 7 systems.

    So, seeing a query to wpad.zzz means WPAD is NOT really disabled after all.  In fact, all my Win 7 systems were showing WPAD queries in the pihole logs.

    I re-checked all previous WPAD related settings and registry changes to confirm they were still set to disable WPAD.  I also checked my DHCP server to see if it was serving “option 252” – which MS uses for WPAD.  It wasn’t.

    After lots of sleuthing, I just could not figure out how WPAD was still active.  So, I went ahead with the nuclear option:

    adding the following to the Windows system32/drivers/etc/hosts file:

    0.0.0.0 wpad.zzz
    0.0.0.0 wpad

    Note that one of those entries includes my local domain name.  Your domain name will probably be different.  The above host file method is actually mentioned in a MS KB describing mitigations for WPAD vulnerabilities.

    The above stopped WPAD queries completely.

    Notes/Warnings: This is for Win 7 or perhaps 8.1 too.  Windows 10 is different and (from what I’ve read) relies more on WPAD functionality.  Even if you’re using Win 7/8.1, disabling WPAD may interfere with your wireless access to public access points.

    I remain puzzled by WPAD.  Were the documented steps I took a few years ago to disable it simply ineffective?  Or did a subsequent Windows update negate those changes?  In any case, the host file method is pretty much immutable, so WPAD will stay disabled from now on.

    The bottom line of this post: if you thought you disabled WPAD on Win 7 a few years ago, you may not have and your systems may still be vulnerable.

    • This topic was modified 5 years, 10 months ago by ek.
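    A way to check every setting named in the post in one pass, as an added example that is not the author's own script: a PowerShell script (PowerShell 2.0, as shipped with Windows 7) that reports the “Automatically detect settings” flag, the WpadOverride value, the WinHTTP Web Proxy Auto-Discovery service state, and whether the hosts file already covers wpad and wpad.<suffix>, and applies the same changes when run with -Apply. The DNS suffix is read from the first IP-enabled adapter (or passed with -Suffix) because “zzz” in the post is a placeholder; the byte-8 / 0x08 location of the auto-detect bit in DefaultConnectionSettings is the documented layout of that value. One caveat the script makes visible: the checkbox and WpadOverride live under HKCU, so they only apply to the user account they were set in, whereas the service start type and the hosts file are machine-wide.

```powershell
# Added example, not code from the original post: report (and with -Apply, set)
# the Windows 7 WPAD mitigations discussed in this thread. Run from an elevated
# PowerShell prompt (the service and the hosts file under System32 need admin).
# The post's local domain "zzz" is a placeholder; the script reads the real DNS
# suffix from the first IP-enabled adapter, or takes it from -Suffix.
param(
    [switch]$Apply,
    [string]$Suffix
)

$inetKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$connKey   = "$inetKey\Connections"
$wpadKey   = "$inetKey\Wpad"
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$svcName   = 'WinHttpAutoProxySvc'   # "WinHTTP Web Proxy Auto-Discovery Service"

if (-not $Suffix) {
    $Suffix = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
        ForEach-Object { $_.DNSDomain } | Where-Object { $_ } | Select-Object -First 1
}
$wpadNames = @('wpad')
if ($Suffix) { $wpadNames += "wpad.$Suffix" }

function Get-HostsBlockedNames {
    # Host names from active (non-comment) hosts lines, lower-cased, e.g. "wpad.zzz".
    $names = @()
    foreach ($line in @(Get-Content $hostsPath -ErrorAction SilentlyContinue)) {
        $text = ($line -split '#')[0].Trim()
        if ($text) { $names += ($text -split '\s+' | Select-Object -Skip 1) }
    }
    $names | ForEach-Object { $_.ToLower() }
}

function Get-WpadStatus {
    # "Automatically detect settings" is bit 0x08 of byte 8 in this binary value
    # (0x01 direct, 0x02 manual proxy, 0x04 PAC script, 0x08 auto-detect).
    $blob = (Get-ItemProperty $connKey -ErrorAction SilentlyContinue).DefaultConnectionSettings
    $autoDetect = ($null -ne $blob) -and (($blob[8] -band 0x08) -ne 0)

    $override = (Get-ItemProperty $wpadKey -Name WpadOverride -ErrorAction SilentlyContinue).WpadOverride
    $svc      = Get-WmiObject Win32_Service -Filter "Name='$svcName'"
    $blocked  = @(Get-HostsBlockedNames)
    $missing  = @($wpadNames | Where-Object { $blocked -notcontains $_.ToLower() })

    New-Object PSObject -Property @{
        DnsSuffix           = $Suffix
        AutoDetectEnabled   = $autoDetect      # want False
        WpadOverride        = $override        # want 0
        ServiceStartMode    = $svc.StartMode   # want "Disabled"
        ServiceState        = $svc.State       # want "Stopped"
        HostsEntriesMissing = $missing         # want empty
    }
}

function Set-WpadDisabled {
    # Per-user settings (HKCU): only the account running this script is changed.
    $blob = (Get-ItemProperty $connKey).DefaultConnectionSettings
    if ($blob -and (($blob[8] -band 0x08) -ne 0)) {
        $blob[8] = [byte]($blob[8] -band 0xF7)     # clear the auto-detect bit
        Set-ItemProperty $connKey DefaultConnectionSettings -Value $blob -Type Binary
    }
    if (-not (Test-Path $wpadKey)) { New-Item $wpadKey -Force | Out-Null }
    Set-ItemProperty $wpadKey WpadOverride -Value 0 -Type DWord

    # Machine-wide settings: the service and the hosts file.
    Stop-Service $svcName -Force -ErrorAction SilentlyContinue
    Set-Service  $svcName -StartupType Disabled

    $blocked = @(Get-HostsBlockedNames)
    foreach ($name in $wpadNames) {
        if ($blocked -notcontains $name.ToLower()) {
            Add-Content $hostsPath "`r`n0.0.0.0 $name"   # same sink address the post used
        }
    }
}

if ($Apply) { Set-WpadDisabled }
Get-WpadStatus | Format-List
```

    Run it once without -Apply from an elevated prompt and look at HostsEntriesMissing and AutoDetectEnabled, then run it with -Apply and run it again to confirm. Because the HKCU items are per account, repeat the check in every user account on the machine; `netsh winhttp show proxy` shows the separate WinHTTP proxy configuration that system services use.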
    • #1876775

      If the query is only for your local domain there won’t be an issue unless your domain or router is compromised. This seems like reasonable protection for ordinary users, although disabling WPAD is preferable – is it even used outside the corporate environment?

      cheers, Paul

      • #1877207

        Correct – if the system is always connected to a wired home net behind a reasonably well maintained secure router/firewall. Sadly, this is often not the case for too many home users.

        Also, if the system is actually a laptop using wireless and WPAD isn’t completely disabled (as I described in my original post) then WPAD is indeed a security problem when the laptop is taken into the wild.  When that laptop connects to a wireless AP, it will (usually) take on the domain name the AP assigns via DHCP.  That will be OK if the AP can be trusted.  Otherwise, the AP could be rogue/fake/compromised and bad things could happen if the AP is setup to leverage WPAD.

        This is why I was concerned.  I had assumed I had disabled WPAD on my systems, using steps documented on tech sites & MS knowledge base.  Fortunately for me, I always boot my laptop to Linux (it’s dual boot) when on the road.


        • This reply was modified 5 years, 10 months ago by ek.