How to set up a proxy for Local System account at the machine level
CLOUD
Applies to Gizmo Boston 2.0+
In some customer environments, scan configurations are deployed under the Local System account. When Gizmo Boston is deployed in SaaS mode, we provide the ability to deploy with another account that is declared in the list of Credentials, so it can be set up to go through a proxy to access the Internet. However, this is not always possible, because that user must be a local administrator and requires the “Log on as a Service” privilege. It therefore often requires approval from the customer’s security team.
This article describes how to set up a proxy for the Local System account (aka nt authority\system), or another privileged account, so that the account can also use a proxy. In that case, this will not need approval from the customer’s security team.
Important! This only works with a transparent proxy that does not require authentication.
This is only valid for proxying the http and https protocols.
In any case, the amqps (RabbitMQ) protocol must not go through a proxy.
This article may also solve the following symptom, which appears when you deploy a scan configuration to a robot under the Local System account and that robot cannot properly download the scan components (in a .zip file) hosted on the Gizmo Boston server because of a proxy.
In that case, you may see the scan configuration showing the error Uninstalled, with a red exclamation mark, as in the screenshot below. An additional error also reads “SaveConfig: Fail to download and save 'http://<boston_server_url>/Downloads//Gsx.Robot.3.0.0.0.zip'. The remote server returned an error: (404) Not Found.”
Instructions
Prerequisites
User must have Local Administrator privileges.
Download Sysinternals PsExec.exe from https://live.sysinternals.com/PsExec.exe
Put PsExec.exe in C:\Windows\system32
Set up the proxy for Local System account
Start a command shell (cmd.exe) with administrator privileges.
Run the following command if you need Local System authority:
PsExec -i -s cmd.exe
See the Set up the proxy for another account section below if you need another account.
This will open a new cmd.exe that is running under Local System authority. You may check this by executing the "whoami" command in that new command shell, which will return "nt authority\system".
Open the Internet Options with this command:
inetcpl.cpl
Go to the “Connections” tab, click on “LAN settings”, and set up the “Proxy server” section with the relevant proxy address and port number.
(optional) If you need to bypass the proxy server for local addresses, tick the “Bypass proxy server for local addresses” checkbox.
(optional) If you need to specify exclusions, click “Advanced” and set up the “Exceptions” section accordingly, and click “OK”.
Click “OK”, and exit all open command shells.
You have set up a proxy for the Local System account and you should be able to redeploy a scan configuration!
Set up the proxy for another account
If you need to set up a proxy for another account, use one of the commands below in place of the command in step 2 above:
PsExec -i -u "nt authority\local service" cmd.exe
PsExec -i -u "nt authority\network service" cmd.exe
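To confirm that the settings made in Internet Options were stored for the intended account, the following added example (not part of the original article or of Gizmo Boston) reads them back for the three built-in service accounts. It assumes the dialog wrote the standard per-user Internet Settings values (ProxyEnable, ProxyServer, ProxyOverride) under HKEY_USERS\<SID>, and it must be run from an elevated PowerShell prompt.

```powershell
# Added example: read back the per-account proxy settings after the procedure above.
# Assumption: Internet Options stored them in the standard per-user key under HKEY_USERS\<SID>.
$accounts = [ordered]@{
    'S-1-5-18' = 'nt authority\system'
    'S-1-5-19' = 'nt authority\local service'
    'S-1-5-20' = 'nt authority\network service'
}
$subKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-AccountProxy {
    param([string]$Sid, [string]$Name)
    # Returns $null when the hive or key is not present for this account
    $s = Get-ItemProperty -Path "Registry::HKEY_USERS\$Sid\$subKey" -ErrorAction SilentlyContinue
    $map = @{}
    if ($s -and $s.ProxyServer) {
        foreach ($entry in ($s.ProxyServer -split ';')) {
            if ($entry -match '^(?<scheme>[^=]+)=(?<addr>.+)$') {
                # Per-protocol form, e.g. "http=host:port;https=host:port"
                $map[$Matches.scheme.ToLower()] = $Matches.addr
            } elseif ($entry) {
                # A bare "host:port" is used for every protocol
                $map['http'] = $entry
                $map['https'] = $entry
            }
        }
    }
    # The article only covers http and https, so list anything else separately
    $other = @($map.Keys | Where-Object { $_ -notin 'http', 'https' }) -join ','
    [pscustomobject]@{
        Account = $Name
        Enabled = [bool]($s -and $s.ProxyEnable -eq 1)
        Http    = $map['http']
        Https   = $map['https']
        Other   = $other
        # "<local>" here corresponds to the "Bypass proxy server for local addresses" checkbox
        Bypass  = $(if ($s) { $s.ProxyOverride } else { $null })
    }
}

$accounts.GetEnumerator() |
    ForEach-Object { Get-AccountProxy -Sid $_.Key -Name $_.Value } |
    Format-Table -AutoSize
```

An account you configured should show Enabled as True with the proxy address in the Http and Https columns; a non-empty Other column means a protocol beyond http and https was given a proxy entry.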