How do you configure Web Proxy Autodiscovery Protocol (WPAD) when you have no proxy?


Even if you are using a proxy you should disable WPAD and manually configure your client's proxy setting using GPOs. WPAD does not have any mechanism for authentication. A Man-in-the-Middle attack is simply a matter of an attacker answering the DNS query for wpad.ad.domain.tld faster than the legitimate nameserver (see this article going over the WPAD Metasploit).

You can disable WPAD by using the following GPO:

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\
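As an added example (not part of the original answer), the following PowerShell audits whether "Automatically detect settings" is on for the current user and can switch it off locally; the GPO above remains the way to enforce this fleet-wide. It assumes the community-documented layout of the binary `DefaultConnectionSettings` value (flags byte at offset 8, auto-detect bit 0x08, change counter at offset 4), which is not an official API, so verify it on your build.

```powershell
# Added example: audit and (optionally) clear the WPAD auto-detect flag for the current user.
# Assumption: byte 8 (0-based) of DefaultConnectionSettings holds WinINet connection flags,
# where 0x08 = "Automatically detect settings", 0x04 = use PAC URL, 0x02 = manual proxy.
# This layout is widely documented by practitioners but is not a supported Microsoft API.

$ConnKey        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
$AutoDetectFlag = 0x08

function Get-ConnectionSettingsBytes {
    $bytes = (Get-ItemProperty -Path $ConnKey -Name DefaultConnectionSettings -ErrorAction Stop).DefaultConnectionSettings
    if ($bytes.Length -lt 9) {
        throw "DefaultConnectionSettings is shorter than expected ($($bytes.Length) bytes)"
    }
    return $bytes
}

function Get-WpadAutoDetectState {
    # Report the decoded flags so an admin can see why a client is still probing for wpad.dat.
    $bytes = Get-ConnectionSettingsBytes
    $flags = $bytes[8]
    [pscustomobject]@{
        AutoDetect  = [bool]($flags -band $AutoDetectFlag)
        UsePacUrl   = [bool]($flags -band 0x04)
        ManualProxy = [bool]($flags -band 0x02)
        RawFlags    = ('0x{0:X2}' -f $flags)
    }
}

function Disable-WpadAutoDetect {
    # Clears only the auto-detect bit; manual proxy / PAC settings are left untouched.
    $bytes = Get-ConnectionSettingsBytes
    if (-not ($bytes[8] -band $AutoDetectFlag)) {
        Write-Verbose 'Auto-detect is already off'
        return
    }
    $bytes[8] = $bytes[8] -band (-bnot $AutoDetectFlag)
    # Assumption: bytes 4-7 are a little-endian change counter; bump it so WinINet reloads the value.
    $counter = [BitConverter]::ToUInt32($bytes, 4) + 1
    [BitConverter]::GetBytes([uint32]$counter).CopyTo($bytes, 4)
    Set-ItemProperty -Path $ConnKey -Name DefaultConnectionSettings -Value $bytes
}

Get-WpadAutoDetectState
# Uncomment to apply locally; use the GPO for managed machines.
# Disable-WpadAutoDetect -Verbose
```

Run it in a normal user context: the value lives under HKCU, which matches the comment below that the policy belongs in the User Configuration branch.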


Author: gregmac

Professional software developer since 2000. Have worked on many open-source projects, and am currently employed as a senior web application developer.

Updated on September 18, 2022

Comments

  • gregmac
    gregmac over 1 year

    Windows (going back to at least IE6) by default has WPAD turned on (Internet Options > Connections > LAN Settings > Automatically Detect Settings).

    When you don't have a proxy or WPAD server, browsers initially take several seconds saying something to the effect of "Discovering proxy server.." before timing out and loading the page directly.

    I can find lots of stuff about how to set up your proxy information via WPAD, but not how to configure WPAD to tell clients you have no proxy.

    WPAD works via both DHCP and DNS, however Firefox only supports the DNS method, so a complete answer ideally provides configuration of both DHCP and DNS.

    • gregmac
      gregmac almost 11 years
      Because I believe in automation over repetition. This is a default setting; the implication of this is that the default behaviour the end user sees is "wait until it times out"... to me, this is stupid. Working out a general config that could be put in place to make it work for both enterprise users (where you can control via GPOs) and also home users (where routers could handle this in some way) is better than thousands of users turning it off on millions of PCs, or simply living with the timeout. Maybe the router firmwares like dd-wrt will provide this by default even.
    • Zoredache
      Zoredache almost 11 years
      For most people the checks are really fast. If it really is taking a long time, then maybe you have a problem locally.
    • gregmac
      gregmac over 10 years
      I've been noticing this issue for well over 10 years, probably back to Windows 2000. In that time I've used many different systems on many different networks set up by completely different people, so I'm pretty sure it's not just me (though I'm certainly less tolerant than most of computers doing pointless and avoidable things). I accept that many people are fine with just always waiting the 10 seconds or so, but that doesn't mean there shouldn't be an answer for how to do this, so IT people that care to fix it can do so.
  • Zoredache
    Zoredache almost 11 years
    How do you handle laptops without wpad? Are you suggesting that a proxy server should be open on the public network, or that users on the laptops should be permitted to configure their own proxy? Or do you know of some other method? - serverfault.com/questions/529092/…
  • zdzich
    zdzich about 7 years
    The setting in GPO is not in the 'Computer Configuration' section (as @kce wrote) but in the 'User Configuration' section, as described in: stackoverflow.com/questions/15029615/…