Using Snare Windows agents on systems with Microsoft Edge browser
SUMMARY
May 16, 2016
Microsoft has made changes in its new Edge browser that affect localhost authentication. Edge imposes new restrictions on how local authentication works on a system, and these restrictions affect the Snare agents that run on Windows.
These restrictions can prevent authentication to a Snare agent at http://localhost:6161 from working. Customers can either:
use an alternative web browser such as IE 11, Chrome or Firefox, which do not have this limitation, or
implement the changes described in this Microsoft article: https://msdn.microsoft.com/en-us/library/windows/apps/hh780593.aspx?f=255&MSPPError=-2147217396. See further details below.
The Edge browser restriction affects all Snare Windows agents (Windows, Epilog and MSSQL agents) when you access an agent running on the local machine using the localhost name or the localhost IP address. Remote access to agents on other systems is unaffected, as this uses the format http://hostname:6161 and Edge supports the remote authentication request.
Implement changes as per Microsoft article
After enabling localhost loopback for Edge on Windows 10, localhost access works as in other browsers when no authentication is configured. When authentication is used, it works only with the http://ipaddress:port format.
Steps:
Enable loopback in the intranet app container as described here
https://msdn.microsoft.com/en-us/library/windows/apps/hh780593.aspx?f=255&MSPPError=-2147217396
In summary, use one of the commands below:
CheckNetIsolation LoopbackExempt -a -p=S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194
CheckNetIsolation LoopbackExempt -a -n=Microsoft.MicrosoftEdge_8wekyb3d8bbwe
For older builds of Edge, the app name is different:
CheckNetIsolation LoopbackExempt -a -n=Microsoft.Windows.Spartan_cw5n1h2txyewy
Access your local machine using the following formats:
For no authentication:
http://hostname.domain:port
http://ipaddress:port
http://localhost:6161
http://127.0.0.1:6161
With authentication:
http://ipaddress:port
Other formats do not work.
According to MSDN:
Loopback is permitted only for development purposes.
To avoid any vulnerabilities, we recommend disabling loopback when you've completed your task.
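As an added example (not part of the Snare article or the Snare agents themselves), the following PowerShell script wraps the whole procedure above: it finds which of the two Edge packages named in the article is installed, adds the loopback exemption only if it is not already present, opens the agent in Edge using the IP-address form (the only form that works with authentication), and removes the exemption again when you are done, as MSDN recommends. The agent URL, the Get-AppxPackage lookup and the parsing of CheckNetIsolation's listing output are assumptions; the package family names and the -a / -n switches come from the article, and -s (show) and -d (delete) are standard switches of the same tool. Run it from an elevated PowerShell session.

```powershell
# Added example, not from the Snare article: manage the Edge loopback exemption for a
# local Snare agent and remove it again when finished, as MSDN advises.
# Assumes Windows 10 with CheckNetIsolation.exe and the Appx module, run from an
# elevated PowerShell session. The agent URL uses the article's default port.
$AgentUrl = 'http://127.0.0.1:6161'   # IP form: the only one that works with authentication

# Package family names from the article: current Edge, then the older "Spartan" build.
$EdgeFamilies = @(
    'Microsoft.MicrosoftEdge_8wekyb3d8bbwe',
    'Microsoft.Windows.Spartan_cw5n1h2txyewy'
)

# Pick the Edge package family that is actually installed on this machine (assumed lookup).
function Get-EdgePackageFamily {
    foreach ($family in $EdgeFamilies) {
        $packageName = $family.Split('_')[0]
        if (Get-AppxPackage -Name $packageName -ErrorAction SilentlyContinue) {
            return $family
        }
    }
    throw 'No known Edge app package found; inspect Get-AppxPackage output.'
}

# Parse the "Name:" lines of 'CheckNetIsolation LoopbackExempt -s' into package names.
function Get-LoopbackExemptNames {
    $lines = & CheckNetIsolation.exe LoopbackExempt -s 2>&1
    foreach ($line in $lines) {
        if ("$line" -match '^\s*Name:\s*(\S+)') { $Matches[1] }
    }
}

function Test-LoopbackExempt([string]$Family) {
    # PowerShell string comparison is case-insensitive, so the lower-cased
    # names printed by CheckNetIsolation still match the family name.
    return (@(Get-LoopbackExemptNames) -contains $Family)
}

function Enable-EdgeLoopback([string]$Family) {
    if (Test-LoopbackExempt $Family) {
        Write-Host "Loopback already exempt for $Family"
        return $false     # nothing added, so nothing to remove later
    }
    & CheckNetIsolation.exe LoopbackExempt -a "-n=$Family" | Out-Null
    if (-not (Test-LoopbackExempt $Family)) { throw "Failed to add exemption for $Family" }
    Write-Host "Loopback exemption added for $Family"
    return $true
}

function Disable-EdgeLoopback([string]$Family) {
    & CheckNetIsolation.exe LoopbackExempt -d "-n=$Family" | Out-Null
    Write-Host "Loopback exemption removed for $Family"
}

$family = Get-EdgePackageFamily
$added = Enable-EdgeLoopback $family
try {
    # Open the agent in Edge through its protocol handler; the agent prompts for
    # credentials as usual because the IP-address form is used.
    Start-Process "microsoft-edge:$AgentUrl"
    Read-Host 'Press Enter when you have finished with the Snare agent'
}
finally {
    # Only remove what this script added, leaving a pre-existing exemption alone.
    if ($added) { Disable-EdgeLoopback $family }
}
```

The try/finally ensures the exemption is removed even if the script is interrupted, which keeps the loopback window limited to the time you are actually working with the agent; if the exemption was already present before the script ran, it is left in place so as not to undo someone else's configuration.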