MozillaZine

Netscape 6.1 Beta 1

Tuesday June 12th, 2001

Netscape today released a beta of their upcoming 6.1 release, based on the Mozilla 0.9.1 branch. Check out the release notes, or grab the build.


#99 About MS Proxy

by SomeGuy

Thursday June 14th, 2001 5:13 PM

Well then, you have a very gracious systems administrator.

MS-Proxy can provide access in three different ways:

1: HTTP Web proxy service. Allows proxying of HTTP, browser FTP, and Gopher protocols. This can be enabled with either no authentication, basic authentication, or NTLM authentication. To use basic authentication you have to grant users the right to "log on locally" to the proxy server. In general the user ID and password are your Windows NT domain logon which your administrator probably doesn't want floating around in plain text on the network (although NTLM is not really secure either). Some administrators like to log and monitor internet usage. With no authentication only IP addresses can be logged.

2: SOCKS V4 - When set up, a client program can act almost as if it were directly on the Internet. This can be enabled to allow specific or all ports, but this affects all users as there is no authentication. Mozilla requires SOCKS 5 or higher, although SocksCap can be used.

3: MS-Proxy client - A program that runs on the client computer kind of like SocksCap, but applies itself to the entire OS (available for Windows only) instead of an individual application. Authenticates the user with the MS-Proxy, and permissions to ports and protocols are set on the proxy server on a per-user basis.

A typical configuration which I have witnessed is to have just the web proxy service enabled with only NTLM authentication, and the MS-Proxy client enabled but set to only allow FTP and Telnet (HTTP is forbidden so you can't run a browser through it). The result: you may only use MSIE as your web browser. You may only use FTP and Telnet clients on the Microsoft Windows operating system.

If your administrator was gracious enough, they may have allowed unauthenticated HTTP web proxy access, given your user account permissions for basic authentication, enabled the SOCKS V4 proxy (works with Netscape 4.x and earlier) or allowed HTTP through the MS-Proxy client (limiting you to using apps on MS-Windows).

So MS-Proxy can be friendly to other web browsers, but it doesn't have to be. It is wrong to configure a proxy in such a way but there are many people who just don't care.

Implementation-wise, NTLM is not bound to the Windows OS. As proof I can install and run MSIE 3 for Win3.1 under Linux using Wine without any trace of Windows and it can authenticate using NTLM. MSIE can make use of the Windows networking components (client for Microsoft Networking) by grabbing the security info of the currently logged in user and sending that info to the proxy so the user does not have to re-enter their user id and password.
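
The three web proxy authentication modes described in the comment above (none, basic, NTLM) can be told apart from the request header a client sends. This is an added example, not part of the original comment: the function name and the sample header lines are constructed for illustration, and the check covers only whether the password is readable on the wire, not whether the scheme is otherwise secure.

```python
import base64
import struct

# Constructed sample header lines (not captured traffic); the account is made up.
SAMPLE_BASIC = "Proxy-Authorization: Basic " + base64.b64encode(
    b"CORP\\jdoe:Winter2001").decode()
# Constructed NTLM negotiate message: 8-byte signature, type 1, flags.
SAMPLE_NTLM = "Proxy-Authorization: NTLM " + base64.b64encode(
    b"NTLMSSP\x00" + struct.pack("<II", 1, 0x00000207)).decode()


def classify_proxy_auth(header_line):
    """Return (scheme, password_on_wire, detail) for one request header line."""
    name, _, value = header_line.partition(":")
    if name.strip().lower() != "proxy-authorization":
        # Unauthenticated proxying: the proxy log can only record the client IP.
        return ("none", False, "no credentials sent")
    scheme, _, token = value.strip().partition(" ")
    scheme = scheme.lower()
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:
        return (scheme, False, "token is not valid base64")
    if scheme == "basic":
        # Basic is only base64("user:password"), so the password is recoverable
        # by anyone who can read the traffic. Report the account, not the secret.
        user, sep, _password = raw.decode("latin-1").partition(":")
        return ("basic", bool(sep), user)
    if scheme == "ntlm" and raw[:8] == b"NTLMSSP\x00" and len(raw) >= 12:
        # NTLM messages carry a type field (1 negotiate, 2 challenge, 3 response);
        # the password itself is never placed in the header.
        (msg_type,) = struct.unpack_from("<I", raw, 8)
        return ("ntlm", False, "type %d" % msg_type)
    return (scheme, False, "unrecognised token")


if __name__ == "__main__":
    for line in (SAMPLE_BASIC, SAMPLE_NTLM, "Host: www.example.com"):
        print(classify_proxy_auth(line))
```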