Some time ago, I discovered students were using a program called Ultrasurf to get around our internet filter. The app is portable and so can run off a USB key or from a cloud drive. (As of this writing, the latest file name is u1403.exe. You can recognize that it is running by a yellow-gold lock icon on the screen, usually in the lower right corner.)
Apparently it was designed for citizens of China to get around "The Great Firewall of China." The app sets itself up as a local proxy. Ultrasurf then changes Internet Explorer to use this new proxy to surf. Behind the scenes the app works by connecting to an IP overseas from a wide range of choices. From what I saw, it connects using HTTPS, and the port can be varied by users. Blocking it at the network is a daunting task.
Blocking the app itself via group policy is tough as well. The checksum is a moving target. Ultrasurf often has a new version out plus old versions can be found everywhere.
You might think that blocking proxy access in IE via GPO would help. It really doesn't. All the GPO does is block the user from entering the settings via Internet Options. The policy still allows the actual proxy value in the registry to be changed.
What I discovered is that to block Ultrasurf, you need to prevent the users from being able to edit HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings.
This is where IE stores its proxy information. As long as the user has write access to that key, Ultrasurf can work.
I have created a script that works at the user level. I deploy it via a policy that runs as the user for anyone who is a member of our student user group. I called it UltraFin as a play on UltraSurf. A surfer's day is ruined if they see a fin in the water 🙂
What the script does is use a tool called regini.exe to set the part of the registry I mentioned above to read-only for the user. This essentially locks them out from making any changes to their proxy settings. To undo the permission settings, an admin would have to mount the user's profile hive (ntuser.dat) and correct the permissions.
Once this is done, launching Ultrasurf says it is connected but will go nowhere. Ultrasurf normally launches IE once it connects, but this won't happen anymore.
I keep both my script and regini.exe in the netlogon folder of our DCs.
You get regini.exe as part of the Windows Server 2003 Resource Kit Tools.
Here is my script; please note that you will need to rename it from ultrafin.txt to ultrafin.vbs.
In the GPO I create, here is where I place it:
User Configuration->Policies->Windows Settings->Scripts->Logon
I use the LOGONSERVER variable to reduce network traffic and to prevent a workstation from hanging at logon if a particular server is down.
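As an added example (this is not the UltraFin script from the post, and the post's own VBS is not reproduced here), the following PowerShell performs the same step the post describes: it asks regini.exe to replace the DACL on the current user's Internet Settings key so the user keeps only read access, then verifies the result. Assumptions: regini.exe is in the logon server's NETLOGON share as the post describes (with a fallback to the copy in System32 on newer Windows), and the numeric ACE codes follow regini's documented table (1 = Administrators Full Control, 17 = SYSTEM Full Control, 8 = Everyone Read).

```powershell
# Added example, not the author's UltraFin script.
# Makes HKCU\...\Internet Settings read-only for the current user via regini.exe,
# then checks the resulting DACL. Assumes regini.exe on \\<LOGONSERVER>\netlogon
# (falls back to System32) and regini's documented ACE codes: 1, 17, 8.

$KeyPath = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-ReginiPath {
    # $env:LOGONSERVER already carries the leading backslashes, e.g. \\DC01
    $shared = "$env:LOGONSERVER\netlogon\regini.exe"
    if (Test-Path $shared) { return $shared }
    return "$env:SystemRoot\System32\regini.exe"
}

function New-ReginiLockLine {
    param([Parameter(Mandatory)][string]$Sid)
    # regini addresses HKCU as \Registry\User\<SID>. The bracketed list
    # replaces the key's DACL with exactly these ACEs:
    #   1 = Administrators Full Control, 17 = SYSTEM Full Control, 8 = Everyone Read
    return "\Registry\User\$Sid\$KeyPath [1 17 8]"
}

function Invoke-InternetSettingsLock {
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $ini = Join-Path $env:TEMP 'ultrafin-lock.ini'
    Set-Content -Path $ini -Value (New-ReginiLockLine -Sid $sid) -Encoding ASCII
    try {
        & (Get-ReginiPath) $ini | Out-Null
        return $LASTEXITCODE
    } finally {
        Remove-Item $ini -ErrorAction SilentlyContinue
    }
}

function Test-InternetSettingsLocked {
    # $true when no Allow ACE grants SetValue to the user, Everyone, Users or
    # Authenticated Users. Administrators and SYSTEM keep full control by design.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $writers = @(
        $me.User.Value,
        'S-1-1-0',      # Everyone
        'S-1-5-11',     # Authenticated Users
        'S-1-5-32-545'  # BUILTIN\Users
    )
    $acl = Get-Acl -Path "HKCU:\$KeyPath"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $aceSid = $ace.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
        $canWrite = ($ace.RegistryRights -band
            [System.Security.AccessControl.RegistryRights]::SetValue) -ne 0
        if ($canWrite -and ($writers -contains $aceSid)) { return $false }
    }
    return $true
}

# Logon-script style usage: apply the lock, then report the outcome.
$rc = Invoke-InternetSettingsLock
if (Test-InternetSettingsLocked) {
    "Internet Settings key locked for $env:USERNAME (regini rc=$rc)"
} else {
    "WARNING: Internet Settings key still writable for $env:USERNAME (regini rc=$rc)"
}
```

Run it as the user, exactly as the post's logon script is deployed; the verification function is the check worth keeping in a scheduled audit, since it reads the key's DACL rather than trusting regini's exit code. Recovery is the same as the post describes: an administrator restores the DACL, or loads the user's ntuser.dat and fixes the permissions there.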
One important note: I still keep a policy in place for this group that prevents them from changing their proxy settings in IE. The main reason for this is so the users in question can't manually point a different browser at the Ultrasurf proxy address. Ultrasurf thrives on IE, but there is the potential to work around it with another browser.
To ensure this, I also have imported policy templates for the other popular browsers such as Chrome and Firefox. I enable settings to force these browsers to use IE proxy settings.
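The equivalent of those "use IE proxy settings" policies, written directly rather than through imported ADMX templates, as an added example that is not from the post. It assumes current policy names (Chrome's ProxyMode registry policy and Firefox's Proxy block in policies.json) and the default Firefox install directory, and it must run as an administrator.

```powershell
# Added example, not from the post: force Chrome and Firefox to follow the
# system (IE) proxy settings so a user cannot point them at a local proxy.
# Assumes current policy names and the default Firefox install path.

$ChromePolicyKey   = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$FirefoxPolicyFile = Join-Path $env:ProgramFiles 'Mozilla Firefox\distribution\policies.json'

function Set-ChromeSystemProxyPolicy {
    # ProxyMode = system makes Chrome use the OS proxy configuration and
    # ignore user-supplied proxy settings.
    if (-not (Test-Path $ChromePolicyKey)) {
        New-Item -Path $ChromePolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $ChromePolicyKey -Name 'ProxyMode' -Value 'system' -Type String
    return (Get-ItemProperty -Path $ChromePolicyKey -Name 'ProxyMode').ProxyMode
}

function Set-FirefoxSystemProxyPolicy {
    # Mode = system mirrors the OS proxy; Locked = true removes the UI override.
    # Note: this overwrites any existing policies.json, so merge if you have other policies.
    $policy = @{ policies = @{ Proxy = @{ Mode = 'system'; Locked = $true } } }
    $dir = Split-Path -Parent $FirefoxPolicyFile
    if (-not (Test-Path $dir)) {
        New-Item -ItemType Directory -Path $dir -Force | Out-Null
    }
    $policy | ConvertTo-Json -Depth 5 | Set-Content -Path $FirefoxPolicyFile -Encoding UTF8
    return (Get-Content -Path $FirefoxPolicyFile -Raw | ConvertFrom-Json).policies.Proxy.Mode
}

Set-ChromeSystemProxyPolicy    # returns 'system'
Set-FirefoxSystemProxyPolicy   # returns 'system'
```

With both browsers pinned to the system proxy and the IE proxy key read-only, every browser on the machine inherits the same locked setting, which is the point of pairing the UltraFin script with the browser policies.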
I hope this helps someone, as I haven't found many good ways so far to block Ultrasurf.