Hunting IE6 Zombies with TMG Reporter

In large companies with bigger deployments it is easy for machines to fall through the cracks especially in remote offices.  Perhaps there is a neglected PC stashed in a store room, or a server locked in a cash office. Losing track of hardware is one thing but more often than not, these machines are still on and still connected to your network making calls to the Internet. These old machines are probably running Windows XP or Server 2003.  Synonymous with these two operating systems is the infamous Internet Explorer 6 (IE6).

The problem with IE 6

IE 6 is old, really old. It was first released in August 2001.  To give you an idea of just how old that is consider the system requirements for IE6 are:

• 486 DX2 66MHz
• 64 MB RAM
• 20MB Disk Space

IE6 with no service packs or security updates is a big security concern. So much so that Microsoft strongly encourages people to stop using it. They have even set up a dedicated site for keeping track of the decline of IE6 usage on the Internet.  https://www.ie6countdown.com/

These old and discarded machines I refer to are often not actively used by anyone. They are silently ticking away in the background running a system such as digital signage, air conditioning and refrigeration monitoring etc. It is exactly for this reason that we don’t simply want to block access to these machines, but to identify, track them down and fix them.

Using TMG Reporter to hunt down IE6 Zombies

I recently discovered a few of these machines with the help of Fastvue TMG Reporter. Using TMG Reporter's Alerts, I now get notified as soon as one of these machines makes a connection.

The procedure here uses the latest development build of TMG Reporter so the interface may look a little different. To update to the latest dev version go to https://www.fastvue.co/dev

1. Create a new alert

• In TMG Reporter, click the Settings tab
• Select Alerts on the left hand side
• Click the Add Alert button in the top right corner
• Specify a name such as IE 6 Zombie Machines
• Click the Add and Configure Alert button

2. Alert Criteria

• For Alert Criteria change the first field to: User Agent |  Contains |  MSIE 6.
• Click the + button to add another Alert Criteria as follows: Destination Network | Equal to  | External

3. Alert Properties

• Change the Alert Key to Source IP (Note that when you change the key it updates the Preview to the right)
• Change the priority to Medium

4. Alert Evidence

• Change the first field to URL
• Change the second field User Agent

You can add additional fields if you wish to get more details about the activity on these machines, such as the authenticated username, but this should do the trick. Having the full User Agent can help identify more information about the source machine such as the operating system. It also allows you to spot any false positives from other applications using a similar User Agent string. For more information about User Agents strings, see Everything you need to know about User Agents.

5. Alert Notification

By specifying an email address, TMG Reporter will email the relevant people all the details without them needing to view the Alert in TMG Reporter.

6. Save and Activate the Alert

• Click the Save Alert button to finalize the alert configuration.
• Toggle the On | Off button to enable the alert.

Viewing the IE6 Zombie Machines Alerts

The alerts can be viewed on TMG Reporter's Alerts tab. The list of alerts appear on the left, and when you select an alert, its details are shown in the alert evidence table to the right. The alert in the screenshot below shows a Windows Server 2003 machine accessing some Yahoo sites.

The email alert contains the same information and looks like this:

Conclusion

Getting rid of IE6 is important, and as an IT professional it is probably your responsibility. After configuring the alert, TMG Reporter will do all the hard work for you. That's all there is to it. Sit back, relax and wait for the zombies to come out and play!