What is WPAD?
WPAD stands for Windows Proxy Auto-Discovery. It is a protocol for obtaining the URL of a PAC (proxy auto-config) file.
WPAD tries the following methods, in this order, to discover the PAC file URL:
- DHCP
- DNS
- WINS
- LLMNR
- NetBIOS
- Hosts
- Lmhosts
The PAC file tells the host where to direct its network traffic; it is usually used to force web traffic through a web proxy.
Why is it insecure?
When DHCP or DNS is misconfigured or not configured, an attacker can provide the client with a PAC file that directs traffic to a compromised server.
Mitigations
There is no one-size-fits-all solution, but in general there are two cases:
If a web filter with an alternative PAC delivery mechanism is installed or a web filter is not used:
- Disable WPAD client side.
- Sinkhole wpad.domain.com via DNS.
- Enable DHCP Guarding and/or set DHCP option 252 to sinkhole WPAD requests.
- Configure firewalls to block outbound requests for wpad.dat files.
If a web filter is installed and configured to deliver PAC files:
- Ensure DHCP option 252 is set to the correct value.
- Enable DHCP Guarding to defend against rogue DHCP servers.
- Ensure a DNS entry is created for wpad.domain.com, pointing to the server with a PAC file.
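To check that the DHCP and DNS pieces above agree with each other, here is an added audit routine (not part of the original article). It decodes a DHCP option 252 value and compares the wpad.<domain> DNS answer against either the PAC server or the sinkhole, covering both cases. The domain, PAC URL, sinkhole addresses and the resolver are constructed for the example; wire in a real resolver for production use.

```python
from urllib.parse import urlparse

# Constructed values for this example: what the defender intends for this network.
EXPECTED_PAC_URL = "http://proxy.corp.example/wpad.dat"
SINKHOLE_IPS = frozenset({"0.0.0.0", "127.0.0.1"})


def decode_option_252(raw: bytes) -> str:
    """DHCP option 252 carries the PAC URL as ASCII text; some servers append a NUL."""
    return raw.rstrip(b"\x00").decode("ascii")


def audit_wpad(domain, resolve, option_252, filter_delivers_pac,
               expected_pac_url=EXPECTED_PAC_URL, sinkhole_ips=SINKHOLE_IPS):
    """Return a list of findings (empty means the WPAD setup matches the design).

    resolve(name) -> set of address strings a client would get (empty if the name
    does not exist); option_252 is the raw option bytes, or None if not served.
    """
    findings = []
    wpad_host = f"wpad.{domain}"
    answers = set(resolve(wpad_host))
    pac_url = decode_option_252(option_252) if option_252 else None

    if not answers:
        # An unanswered name sends clients further down the list: WINS, LLMNR, NetBIOS.
        findings.append(f"{wpad_host} does not resolve; clients will fall back to "
                        "WINS/LLMNR/NetBIOS name resolution")

    if filter_delivers_pac:
        if pac_url != expected_pac_url:
            findings.append(f"DHCP option 252 is {pac_url!r}, expected {expected_pac_url!r}")
        pac_server = set(resolve(urlparse(expected_pac_url).hostname))
        if answers and answers != pac_server:
            findings.append(f"{wpad_host} resolves to {sorted(answers)}, "
                            f"not to the PAC server {sorted(pac_server)}")
    else:
        stray = answers - sinkhole_ips
        if stray:
            findings.append(f"{wpad_host} resolves to non-sinkhole address(es) {sorted(stray)}")
        if pac_url is not None:
            host = urlparse(pac_url).hostname
            targets = {host} if host in sinkhole_ips else set(resolve(host or ""))
            if not targets or targets - sinkhole_ips:
                findings.append(f"DHCP option 252 points at {pac_url!r}, which is not sinkholed")
    return findings
```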