"Sys Admins" - Deployed ad-blocking on your networks?

Hi all,

There's a bit of noise in the community around deploying ad-blocking in terms of security to help thwart malware/ransomware that is punted through ads (big rise at the minute) and it's got a few of us thinking about it in the office today and whether it's something we should look into possibly putting in place, although there are some valid concerns.

So a quick one for the admins here - has anyone actively deployed ad-blocking, either locally through browser extensions or via DNS, to their (company) networks/systems? If so, what route have you gone and what products or services are you using? Have you seen any positives deploying it? And more importantly, has it caused you any problems either with staff or sites breaking etc?

Cheers all :)
 
No sites breaking here at businesses that I do tech support for and we have some smaller companies (50 users and less) where pi-hole is deployed.

Works pretty good. (Security and Malware/Ransomware).

What are the valid concerns?
 
I've noticed a lot of the tabloid type news sites and other sites with similar ad provisioning are serving a small number of hijacked ads lately - most just redirect (or attempt to) the whole web page but some are actively trying to compromise the system - fortunately unless you are running XP or an out the box 7 with no updates, or a web-browser which is like 10 years behind latest versions they don't succeed.

EDIT: Actually a bit of a threat there as some companies maintain a moderately out of date Internet Explorer for compatibility with their bespoke systems which this stuff will go right through.
 
However, I've noticed some sites (at home) stop working completely where the website ads have been blocked by a browser plugin (for example uBlock Origin).
It then displays a message saying that the ad blocker must be disabled to continue using the site.

I close these pages though and don't bother browsing the site and just move to another one.
We are going backwards with adverts, it's getting out of hand.
 
It's only an idea we're bouncing around, after one of us read a Twitter thread from SwiftOnSecurity (https://twitter.com/SwiftOnSecurity/status/1616133885305450496), and now wondering if it's something we should actively be doing (rather than leaving it to our EPP) given the recent increase in hijacked ads, what we've seen in logs and various agencies (NSA for example) suggesting you block "unnecessary advertising".

What are the valid concerns?
I'm all for it but some are thinking about issues with it breaking sites, but I think having a fairly robust whitelist (eg - all "org" related sites) upon deployment would in theory only leave edge cases which you deal with when they crop up.
There's also the question of what we deploy, but it's likely to be DNS-based given we're an Apple org (so Safari all around) and there isn't a whole load of options to do it via plugins/extensions.

With your Pi-hole deployments, is that bare metal or have you gone down the Docker route? Have you had any issues with implementing and maintaining and/or users?
And do you deploy anything to your larger orgs or is it purely smaller-user orgs you're dealing with?

I've noticed a lot of the tabloid type news sites and other sites with similar ad provisioning are serving a small number of hijacked ads lately....
Similarly but it's not something we've really thought too much about. I'm guessing you're not actively blocking ads on your network?
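As an added illustration of the "whitelist the org's own domains first, then block" approach discussed above (example code, not from anyone in this thread or from the Pi-hole project), the snippet below models a DNS block decision where the allowlist always wins, matches on subdomains, and writes one log record per query so blocked lookups remain visible to monitoring. The domain lists and client address are constructed for the example.

```python
"""Added example: a minimal model of a DNS-based ad/malvertising block with an
allowlist that takes precedence. Domain lists below are constructed for
illustration, not real feeds."""
from dataclasses import dataclass

# Constructed sample lists; a real deployment pulls these from curated feeds
# and from the org's own list of business-critical domains.
BLOCKLIST = {"example-adnetwork.test", "tracker.example.test"}
ALLOWLIST = {"corp.example.org", "sso.example.org"}  # the org's own zones


def _matches(name: str, zone_set: set[str]) -> bool:
    """True if name equals, or is a subdomain of, any zone in zone_set."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in zone_set for i in range(len(labels)))


@dataclass
class Decision:
    qname: str
    action: str  # "allow" or "block"
    reason: str  # which list matched, kept for correlation with proxy/EDR logs


def decide(qname: str) -> Decision:
    """Allowlist is checked first so an org domain can never be sinkholed by a
    broad blocklist entry; everything else falls through to the blocklist."""
    if _matches(qname, ALLOWLIST):
        return Decision(qname, "allow", "allowlist")
    if _matches(qname, BLOCKLIST):
        return Decision(qname, "block", "blocklist")
    return Decision(qname, "allow", "default")


def log_line(client: str, d: Decision) -> str:
    """One record per query, including blocks, so the monitoring side still
    sees what a client tried to resolve instead of the lookup vanishing."""
    return f"client={client} qname={d.qname} action={d.action} reason={d.reason}"


if __name__ == "__main__":
    for q in ("cdn.example-adnetwork.test", "www.corp.example.org", "news.example.net"):
        print(log_line("10.0.0.23", decide(q)))  # constructed client address
```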
 
You know what I would do: get a couple of pi-hole boxes up and running, slowly migrate users over to it to ensure you have the right ad-blocking and other services in place.

Pick some users who are willing to 'test' this with you over 3 months.

With your Pi-hole deployments, is that bare metal or have you gone down the Docker route? Have you had any issues with implementing and maintaining and/or users?
And do you deploy anything to your larger orgs or is it purely smaller-user orgs you're dealing with?

Some are on Docker, some are pure DNS/DHCP boxes (Pi-hole); all are SMB under 50 users.
We have even virtualised some as well which is cool for quick upping of spare pi-holes to get users over to them if we ever need to move them.
Not got any large orgs on it but nothing different from a small org to a big org except users.

Maintaining is not a problem at all; we do live updates to lists and stuff and even update the boxes, then schedule a reboot during the night.
We have a couple of hot boxes sitting so if we ever need to move over quickly we can.

If you want, you can host these somewhere off-prem as well to serve multiple orgs; depends how big and how fast you are willing to go.
 
Similarly but it's not something we've really thought too much about. I'm guessing you're not actively blocking ads on your network?

Not actively blocking but had some warnings/undesirable behaviour blocked by anti-malware scripts.

Possibly due to the situation with Russia, but there seems to be a rise in old school Blaster era kind of malware activity lately.
 
Someone had the great idea of deploying Adblock in my company, saying it's for "security". We run a very tight browsing experience with a cloud proxy solution that includes blocking malicious domains and scenarios such as domain fronting. Now adblocking is getting in the way; it's breaking our logging and monitoring solution - detection of possible intrusions or weaknesses in our proxy config is now made so much harder with having to correlate with EDR. Some things fall into the category of "just because you can doesn't mean you should".
 
Someone had the great idea of deploying Adblock in my company, saying it's for "security". We run a very tight browsing experience with a cloud proxy solution that includes blocking malicious domains and scenarios such as domain fronting. Now adblocking is getting in the way; it's breaking our logging and monitoring solution - detection of possible intrusions or weaknesses in our proxy config is now made so much harder with having to correlate with EDR. Some things fall into the category of "just because you can doesn't mean you should".

This is a case of "you ran something else alongside which became broken by running an adblock".

If you deploy something at least make sure it's not going to break another system. :D

and if it does... well you know what to do.
 
I've given this some thought at various companies I've worked for and never bothered, due to the expected uptick in tickets from innocuous things not working as they should because of the ad blockers.
 