Microsoft Winhttp Web Proxy Auto Discovery Service


Rayén Rundall

Jun 28, 2024, 8:27:20 AM6/28/24
to blinforthicho

We have a web service that is running slowly in production. In QA and UAT it is fine but those are housed at our corporate HQs. But production is in a data center in the cloud. I ran wireshark and found that it is making at least 6 calls to NBNS WPAD (each one timing out), each taking about 3/4 of a second making it very slow. I want to turn off WPAD since the environment is not configured to use it but it is still making the calls and just wasting time.




My platform is Windows Server 2008 R2 with IE9. I want to completely disable WPAD DNS queries (and NBNS queries). We don't use a proxy. We don't use DHCP. I want to stop WPAD but I haven't been successful. I have tried the following:

1. Disabled "Automatically detect settings" in IE.
2. Disabled "Use automatic configuration script" in IE.
3. Checked that the WinHTTP Web Proxy Auto-Discovery Service is not running automatically; it is set to run manually, so I think that should be OK.
4. Executed "netsh winhttp show proxy", which tells me "Direct access (no proxy server)".

Many suggestions around disabling WPAD focus on Internet Explorer user settings. While this will tell IE to not use auto proxy detection, it will not stop the WinHTTP Web Proxy Auto-Discovery Service from querying for wpad. Some have suggested disabling this service entirely, but as of Windows 10, it is required for the IP Helper service and not recommended to disable it.

Keep in mind that WPAD can be a good thing when setup properly. As with any advice from the Internet, be sure to do your own testing before applying any changes. For example, if you make this change to corporate laptops and they travel to a site that requires WPAD, they will not work.

I have tested removing proxy from computers by renaming the WPAD key and rebooting.
You can also use IEAK11 to create a GPO to remove "Automatically detect settings", and that is why the script uses gpupdate to apply the GPO as well. If you already applied the change to a computer, this script won't make changes and will exit. The basic script is below.

Even when you turn on "Automatically detect settings" in Internet Explorer, the proxy is not used and the WPAD key is recreated but with no proxy. This setting is no longer recommended as it makes your computer vulnerable ( -wpad-now-or-have-your-accounts-compromised-researchers-warn).

For something I am working on, I need to be able to stop and start the Dhcp Client service. However, when I attempt to do so through an elevated command prompt I am greeted with "System error 5 has occurred" and "Access is denied". I believe the error is caused when Windows tries to stop the WinHttpAutoProxySvc since that is one of its dependencies. To my knowledge, this seemed to be a problem a while back in 2018, so I am wondering if this is still not fixed. Discussion: -us/windows/forum/all/windows-10-build-1803winhttp-web-proxy-cant-be/74673a26-fd69-4d83-9ab8-5cb616b4dde5. Please correct me and let me know if this is intentional and not an error that needs to be fixed. If so, what am I missing in order to disable the Dhcp Client service?

You can disable the WinHTTP Web Proxy Auto-Discovery Service by editing a registry setting, i.e. using regedit (Registry Editor) with admin privileges. Make sure to back up before making any changes! The registry setting you want is under:

One consideration: Note that a couple of other services depend on this one, so they probably won't work any longer, either: NcaSvc ("Network Connectivity Assistant") and iphlpsvc ("IP Helper"). I don't think either of these services are absolutely essential, but your mileage may vary, of course. Follow these steps at your own risk.

Veeam Backup & Replication provides a built-in tool to ensure that your backup server configuration follows security best practices for Veeam backup infrastructure components based on Microsoft Windows Server and Linux operating systems.

Configuration parameters set up as recommended will have the Passed status. Parameters that have the Not implemented status should be revised in terms of your backup infrastructure. You can set them up as recommended or exclude specific parameters from the checklist.

Security & Compliance Analyzer checks configuration parameters both for the operating system and Veeam products. You can implement these recommendations manually or use the automatic configuration script provided by Veeam. For more information, see this KB article.

Remote services should be disabled if they are not needed. Note that for the Veeam Cloud Connect infrastructure, this parameter must be enabled if the SP uses Remote Desktop Protocol (RDP) to connect to the tenant backup server. For more information, see Remote Desktop Connection to Tenant.

Microsoft Defender Firewall with Advanced Security should be turned on. Also, rules for inbound and outbound connections should be set up according to your infrastructure and Microsoft best practices. For more information, see this Microsoft article.

WDigest credentials caching stores cleartext credentials in Windows RAM. To reduce the risk of credential dumping attacks, the setting should be disabled with a registry value. For more information, see this Microsoft article.

The Web Proxy Auto-Discovery (WPAD) protocol provides automatic discovery of web proxy configuration. If this feature is not used in the backup infrastructure, the WinHTTP Web Proxy Auto-Discovery Service should be disabled to prevent man-in-the-middle (MITM) attacks.

Outdated network protocols SSL 2.0 and 3.0 should be disabled as they have well-known security vulnerabilities and are not NIST-approved. Also, TLS 1.0 and 1.1 should be disabled if they are not needed. For more information, see NIST guidelines.

Note that this parameter will have the Passed or Not implemented status only if specific registry keys with specific values exist. For more information, see this Microsoft article. If the registry key does not exist, the parameter will have the Unable to detect status.

Before disabling Windows Script Host, make sure that this service is not used by backup infrastructure components you plan to install on the backup server. If there are any (for example, PostgreSQL database), install these components first, then disable the service. To update these components, you need to enable the service temporarily.

Note that this parameter will have the Passed or Not implemented status only if specific registry keys with specific values exist. If the registry key does not exist, the parameter will have the Unable to detect status.

If SMB shares are used in the backup infrastructure, SMB signing and encryption should be enabled to prevent NTLMv2 relay attacks. For more information, see these Microsoft articles: Configure SMB Signing with Confidence, SMB security enhancements.

Multi-factor authentication (MFA) should be enabled for the Veeam Backup & Replication console to protect user accounts with additional user verification. For more information, see Multi-Factor Authentication.

Password loss protection should be enabled on Veeam Backup Enterprise Manager to provide an alternative way to decrypt the data if a password for encrypted backup or tape is lost. For more information, see Managing Encryption Keys.

For large environments, it is recommended to add the backup server and other backup infrastructure components to a management domain in a separate Active Directory forest. For medium-sized and small environments, backup infrastructure components can be placed in a separate workgroup.

Note that this parameter will have the Passed status only if the backup server is not joined to any domain. In other cases, it will have the Unable to detect status because there is no way to identify the production domain automatically.

To be compliant with the 3-2-1 rule, at least one backup copy job should be created, or a scale-out backup repository with the copy mode or archive tier should be added. For more information, see Plan How Many Copies of Data You Need (3-2-1 rule).

The configuration backup must not be stored on the backup server or on the default backup repository to be able to recover its configuration in case of failure. For more information, see Configuration Backup.

If a VMware backup proxy uses the Network transport mode, it is recommended to transfer VM data over an encrypted TLS connection. For more information about this configuration and its limitations, see Choose Server.

To reduce the attack surface, the hardened repository should be hosted on a physical machine with local storage. For more information about hardened repository requirements, see Requirements and Limitations.

Network traffic encryption should be enabled in the backup network to ensure secure communication of sensitive data not only between public networks but also between private ones. For more information, see Enabling Traffic Encryption.

Key-based SSH authentication is generally considered more secure than password-based authentication. The private key is not passed to the server and cannot be captured even if a user connects to a fake server and accepts a bad fingerprint. This helps avert man-in-the-middle (MITM) attacks.

Configuration backup should be enabled to reduce the risk of data loss and manage the Veeam Backup & Replication configuration database easier. For more information, see Configuration Backup and Restore.

SSH connection is necessary only for the deployment of Veeam Data Mover. For security purposes, after adding the hardened repository to the backup infrastructure, the SSH connection should be disabled for the user account used to connect to the Linux server or for the server itself.

The Compliance retention mode should be used for object storage repositories with immutability enabled. This is a more secure option compared to the Governance retention mode. For more information about immutability for object storage repositories, see this section. For more information about retention modes, see this Amazon article.

You can skip security check for specific parameters. For example, if you use Remote Desktop Service to connect to Veeam Backup & Replication and do not need to disable it, exclude this parameter from the checklist. To do this, perform the following steps:
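The WPAD part of the thread (the WinHTTP service that keeps querying for wpad, the services that depend on it, and the advice to back up before touching the registry) can be turned into one guarded administrative script. The following PowerShell is an added example, not a script from the original post or from Microsoft: it reports the service's state, the services that depend on it, and the machine-wide WinHTTP proxy, and only with the -Disable switch exports the service key as a backup and sets its Start value to 4. The service key name WinHttpAutoProxySvc is the one named in the thread; the meaning of Start (2 automatic, 3 manual, 4 disabled) is the standard Service Control Manager encoding; the backup location is a placeholder.

```powershell
#Requires -RunAsAdministrator
param(
    [switch]$Disable,
    [string]$BackupPath = "$env:TEMP\WinHttpAutoProxySvc-backup.reg"  # placeholder path
)

$svcName = 'WinHttpAutoProxySvc'
$svcKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName"

function Get-WpadState {
    # Start: 2 = Automatic, 3 = Manual, 4 = Disabled (standard SCM values)
    $start = (Get-ItemProperty -Path $svcKey -Name Start -ErrorAction Stop).Start
    $svc   = Get-Service -Name $svcName -ErrorAction Stop
    # Services that stop working once this one is disabled (on Windows 10 the
    # thread names iphlpsvc and NcaSvc)
    $deps  = Get-Service -Name $svcName -DependentServices -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty Name
    [pscustomobject]@{
        Service       = $svcName
        Status        = $svc.Status
        StartValue    = $start
        StartType     = @{2='Automatic'; 3='Manual'; 4='Disabled'}[[int]$start]
        DependentSvcs = ($deps -join ', ')
        # Machine-wide WinHTTP proxy, the same thing "netsh winhttp show proxy" prints
        WinHttpProxy  = (netsh winhttp show proxy | Where-Object { $_ -match '\S' }) -join ' '
    }
}

$before = Get-WpadState
$before | Format-List

if ($Disable) {
    if ($before.StartValue -eq 4) {
        Write-Host "$svcName is already disabled; nothing to do."
        return
    }
    if ($before.DependentSvcs) {
        Write-Warning "Disabling $svcName also breaks: $($before.DependentSvcs)"
    }
    # Back up the key first, as the thread recommends; reg.exe wants the HKLM\ form.
    reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\$svcName" $BackupPath /y | Out-Null
    Write-Host "Backup written to $BackupPath"

    Stop-Service -Name $svcName -Force -ErrorAction SilentlyContinue
    # The Services console does not offer "Disabled" for this service on Windows 10,
    # so the Start value is written directly, which is the approach the thread describes.
    Set-ItemProperty -Path $svcKey -Name Start -Value 4 -Type DWord
    Get-WpadState | Format-List
}
```

Run it without arguments first: the DependentSvcs column tells you up front whether IP Helper or Network Connectivity Assistant would lose their dependency, which is the consideration the thread raises before recommending the change. Restoring is a double-click on the exported .reg file followed by a reboot.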
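The checklist items in the post (WPAD service, WDigest caching, SSL/TLS protocol versions, Windows Script Host, Remote Desktop, SMB signing) are all registry-backed, and the post explains that such a parameter is Passed or Not implemented only when the key and value exist and is otherwise Unable to detect. The script below is an added example that reproduces that three-way status logic; it is not Veeam's Security & Compliance Analyzer and not from the post. The registry paths and expected values are the standard Windows locations for each setting; the check names and the $excluded list (the post's "exclude this parameter from the checklist" case) are this script's own.

```powershell
function Get-RegistryCheckStatus {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string]$Name,
        [Parameter(Mandatory)] $Expected
    )
    # Key or value missing: the setting's state cannot be determined
    if (-not (Test-Path -Path $Path)) { return 'Unable to detect' }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Unable to detect' }
    if ($item.$Name -eq $Expected) { return 'Passed' }
    return 'Not implemented'
}

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$checks = @(
    @{ Check = 'WinHTTP WPAD service disabled';      Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc';          Name = 'Start';                    Expected = 4 }
    @{ Check = 'WDigest credential caching off';     Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest';   Name = 'UseLogonCredential';       Expected = 0 }
    @{ Check = 'SSL 2.0 server disabled';            Path = "$schannel\SSL 2.0\Server";                                            Name = 'Enabled';                  Expected = 0 }
    @{ Check = 'SSL 3.0 server disabled';            Path = "$schannel\SSL 3.0\Server";                                            Name = 'Enabled';                  Expected = 0 }
    @{ Check = 'TLS 1.0 server disabled';            Path = "$schannel\TLS 1.0\Server";                                            Name = 'Enabled';                  Expected = 0 }
    @{ Check = 'TLS 1.1 server disabled';            Path = "$schannel\TLS 1.1\Server";                                            Name = 'Enabled';                  Expected = 0 }
    @{ Check = 'Windows Script Host disabled';       Path = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings';              Name = 'Enabled';                  Expected = 0 }
    @{ Check = 'Remote Desktop connections denied';  Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server';             Name = 'fDenyTSConnections';       Expected = 1 }
    @{ Check = 'SMB server signing required';        Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';   Name = 'RequireSecuritySignature'; Expected = 1 }
)

# Parameters deliberately left out of the checklist, e.g. RDP when the service
# provider manages the backup server over Remote Desktop (constructed example).
$excluded = @('Remote Desktop connections denied')

function Invoke-SecurityChecklist {
    foreach ($c in $checks) {
        if ($excluded -contains $c.Check) {
            $status = 'Excluded'
        } else {
            $status = Get-RegistryCheckStatus -Path $c.Path -Name $c.Name -Expected $c.Expected
        }
        [pscustomobject]@{
            Check    = $c.Check
            Status   = $status
            Location = "$($c.Path)\$($c.Name)"
        }
    }
}

Invoke-SecurityChecklist | Format-Table -AutoSize
```

Reading HKLM needs no elevation, so the audit can run under an ordinary account. On a default install the Windows Script Host and SCHANNEL protocol keys are usually absent, which is exactly why those rows come back as Unable to detect rather than Not implemented; creating the key with the expected value is what moves them to Passed.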
