There's no simple solution. Your method of auditing is a great idea, and enables you to find anybody who installed a proxy that listened on port 8080. In your case, there was probably a single user who was knowledgeable enough to configure a proxy, and that person showed other people how to use the same application. However, finding other rogue applications will be difficult.
One way to stop this is to tighten the desktop operating systems so that users cannot install applications that you have not previously approved of. Many IT organizations do this with varying degrees of success. If users need the ability to install any application, it gets more difficult.
Another technique is to install a proxy server or a firewall at your Internet connection. This proxy server can log all outgoing requests. This wouldn't stop users from installing proxies that give others access to the Internet, but it would offer some accountability: if you found users surfing sites that were clearly not work related, you could track it back to them to investigate.
Finally, you could change the way your network is designed to separate users with Internet access from users without Internet access. If you created three separate LANs connected by a router with filtering, you could configure the router to allow only one LAN to access the Internet. The other LAN could be allowed to access internal resources, such as intranet servers, file servers and e-mail servers. However, they would be restricted from contacting other desktop computers or reaching the Internet.
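The port 8080 audit only catches proxies on that one port. The sketch below is an added example, not part of the original answer. It generalizes the audit to any port by flagging desktops that accept connections from several other desktops and also reach the Internet themselves. The address ranges, the `src dst dst_port` record format and the sample flows are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed address plan (hypothetical): desktops live in one internal range.
DESKTOPS = ipaddress.ip_network("10.1.0.0/16")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample flow records: "src dst dst_port"
SAMPLE_FLOWS = """\
10.1.0.21 10.1.0.17 8080
10.1.0.22 10.1.0.17 8080
10.1.0.23 10.1.0.17 8080
10.1.0.17 203.0.113.50 80
10.1.0.30 10.1.0.31 3128
10.1.0.31 198.51.100.7 443
10.1.0.40 10.2.0.5 445
10.1.0.41 10.1.0.42 5000
10.1.0.43 10.1.0.42 5000
"""

def find_relay_candidates(flow_text, min_clients=2):
    """Return {desktop_ip: {port: sorted client list}} for suspected relays."""
    inbound = defaultdict(lambda: defaultdict(set))  # dst -> port -> desktop clients
    reaches_internet = set()
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # skip malformed records
        try:
            src, dst = ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1])
        except ValueError:
            continue  # skip records with unparseable addresses
        if src in DESKTOPS and dst in DESKTOPS and src != dst:
            inbound[str(dst)][int(parts[2])].add(str(src))
        elif src in DESKTOPS and dst not in INTERNAL:
            reaches_internet.add(str(src))
    report = {}
    for host, ports in inbound.items():
        # A desktop serving several peers on one port AND talking to the
        # Internet matches the shared-proxy pattern described above.
        hits = {p: sorted(c) for p, c in ports.items() if len(c) >= min_clients}
        if hits and host in reaches_internet:
            report[host] = hits
    return report

if __name__ == "__main__":
    for host, ports in find_relay_candidates(SAMPLE_FLOWS).items():
        print(host, ports)
```

A desktop that serves peers but never reaches the Internet (10.1.0.42 in the sample) is not flagged, which keeps ordinary peer-to-peer file sharing out of the report.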
This was first published in May 2002