Policy to Restrict User Account Access for a Specific Site

book

Article ID: 169972

calendar_today

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

When a user logs in to a website, the browser performs an HTTP POST request towards the website. This request has a "Request Body" attribute that includes user credentials. The proxy can inspect this request including the credentials that are being sent and apply policy to it.

The purpose of this article is to show how to allow a specific username and deny authentication attempts with other usernames.

Resolution

  • Launchthe proxy Visual Policy Manager (VPM)
  • Create a Web Access Layer
  • Create a rule and in the Source column go to Set > New > HTTP Request Body
  • Enter the Name of the Object > from the drop-down menu select "Contains" > In Content, enter the username > Set the length of the content in bytes, 50 initially (This will vary depending on the website and the username)
  • Go to the Destination column > Set > New > Request URL
  • Enter the name of the site 
  • In the Action column > Set to Allow
  • Create a new rule within the same layer below the first one
  • In the new rule Set the Service Column to Protocol Methods > HTTP POST
  • Go to the Destination column and select the same Request URL as in the first rule
  • Set the Action to Deny

 

The policy should look as follows:


Notes: 

  • Further policy tweaking may be required depending on the website in question.
  • SSL Interception is required in order for the the proxy to "see" encrypted HTTP POST requests and apply policy based on the "Request Data" attribute.
  • This policy does not apply to all sites. For example, this cannot be applied to Google account login due to how it handles user sessions.