ITM is an open framework - Submit your contributions now.

Preventions

No Ready System-Level Mitigation

Restrict Access to Administrative Privileges

Enforce an Acceptable Use Policy

Enforce a Social Media Policy

Install an Anti-Virus Solution

Install a Web Proxy Solution

Restrict Access to Registry Editor

Enforce File Permissions

Prohibition of Devices On-site

Physical Access Controls

End-User Security Awareness Training

Pre-Employment Background Checks

Disable Printing, Windows

Application Whitelisting

Enforce a Data Classification Policy

Prohibit Email Auto-Forwarding to External Domains, Exchange

Network Intrusion Prevention Systems

Data Loss Prevention Solution

DNS Filtering

Internal Whistleblowing

Access Reviews

Employee Off-boarding Process

Full Disk Encryption

Restrict Mobile Clipboard via Intune App Protection Policies

Financial Approval Process

Corporate Card Spending Limits

Enterprise-Managed Web Browsers

Bootloader Password

Next-Generation Firewalls

Native Anti-Tampering Protections

Protocol Allow Listing

Restrict Disc Media Mounting, Group Policy

Restrict Floppy Drive Mounting, Group Policy

Restrict Removable Disk Mounting, Group Policy

Insider Threat Awareness Training

Employee Mental Health & Support Program

Network Access Control (NAC)

Mobile Device Management (MDM)

Employee Vulnerability Support Program

Restrict Windows System Time Modification

Windows Time Service Synchronization

Exchange Restrict Outbound Emails via Recipient Domain

Regulation Awareness Training

Implement MIP Sensitivity Labels

Privileged Access Management (PAM)

Managerial Approval

Social Media Screening

Employment Reference Checks

Criminal Background Checks

Government-Issued ID Verification

Human Resources Collaboration for Early Threat Detection

Enforce Multi-Factor Authentication (MFA)

Azure Conditional Access Policies

Structured Request Channels for Operational Needs

Consistent Enforcement of Minor Violations

Insider-Focused Threat Intelligence

Disable Proxy Configuration on Windows Systems

ID: PV060
Created: 23rd June 2025
Updated: 23rd June 2025
Platforms: Microsoft Azure, Windows,
Contributor: James Weston

Disable Proxy Configuration on Windows Systems

Disable proxy configuration changes on Windows via Group Policy. This prevents users from manually altering proxy settings in Internet Explorer/Edge and applies to system-wide proxy use (affecting Chrome and other apps that rely on WinINET settings).

Group Policy sets the following registry key:

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel] "Proxy"=dword:00000001

This disables UI access to change proxy settings in the Internet Options panel and applies across applications using WinINET.

Policy Enforcement Notes:

This policy applies per-user. Use loopback processing or enforce via user GPO linked to OUs if applying domain-wide.
Chrome and Edge Chromium both honor system proxy settings unless explicitly overridden by command-line flags or extension policies.
If managing via Intune or MDM, use the Policy CSP - Proxy or custom ADMX ingestion for equivalent enforcement.

Supported Versions:

Windows 10 (all editions that support Group Policy, typically Pro, Enterprise, and Education)
Windows 11 (same Group Policy-capable editions)
Windows 8.1 / 8
Windows 7
Windows Server 2008 R2 through 2022 (when user policies apply)

Notes on Support:

This setting applies only to versions that still use WinINET-based Internet Settings (i.e., Internet Explorer settings that are system-wide).
It does not prevent proxy changes via third-party tools that bypass WinINET unless additional controls are enforced (e.g., application whitelisting, restricted registry access).
Edge (Chromium) and Chrome will respect these proxy settings if they’re not configured independently (e.g., via extension or policy override).
On Windows Home editions, this registry key may not take effect unless equivalent settings are configured via other methods, as Group Policy-based enforcement is not fully supported.

Sections

ID	Name	Description
AF023	Browser or System Proxy Configuration	A subject configures either their web browser or operating system to route HTTP and HTTPS traffic through a manually defined outbound proxy server. This action enables them to redirect web activity through an external node, effectively masking the true destination of network traffic and undermining key layers of enterprise monitoring and control. By placing a proxy between their endpoint and the internet, the subject can obscure final destinations, bypass domain-based filtering, evade SSL inspection, and suppress logging artifacts that would otherwise be available to investigative teams. This behavior, when unsanctioned, is a hallmark of anti-forensic preparation—often signaling an intent to conceal exfiltration, contact unmonitored services, or test visibility boundaries. While proxies are sometimes used for legitimate troubleshooting, research, or sandboxing purposes, their use outside approved configurations or infrastructure should be treated as an investigatory lead. Technical Method Both browsers and operating systems offer mechanisms to define proxy behavior. These configurations typically involve: Declaring a proxy server IP address or hostname (e.g., `198.51.100.7`) Assigning a port (e.g., `8080`, `3128`) Specifying bypass rules for local or internal traffic (e.g., `localhost`, `.corp`) Once defined, the behavior is as follows: Outbound Traffic Routing:* All HTTP and HTTPS traffic is redirected through the proxy server, often using tunneling methods (e.g., HTTP `CONNECT`). DNS Resolution Shift: The proxy, not the local device, resolves domain names—bypassing internal DNS logging and threat intelligence correlation. Destination Obfuscation: To enterprise firewalls, CASBs, and Secure Web Gateways, the endpoint appears to connect only to the proxy—not to actual external services. Encrypted Traffic Concealment: If the proxy does not participate in the organization’s SSL inspection chain, encrypted traffic remains opaque and unlogged. System-Level Impact: When configured at the OS level, the proxy may affect all applications—not just browsers—expanding the anti-forensic footprint to tools such as command-line utilities, development environments, or exfiltration scripts. Proxy settings may be configured through user interfaces, system preferences, environment variables, or policy files—none of which necessarily require administrative privileges unless endpoint controls are in place. This technique is especially potent in organizations with reliance on DNS logs, web filtering, or SSL interception as primary visibility mechanisms. It fractures investigative fidelity and should be escalated when observed in unauthorized contexts.