Jesper's Blog

Obligatory file photo: I am a Senior Security Strategist in the Security Technology Unit at Microsoft. My job is to explain to our customers how to run Microsoft products securely, and to the extent that it is needed, help the product groups figu

Blogs

Blocking certain extensions in ISA server

  • Comments 27
  • Likes

For some reason I decided that today was a good day to figure out how to block certain file extensions from being accessible over the web. This could be very useful, for instance, if you are trying to prevent a particular exploit that utilizes a particular file extension for its payload.

To do this go to the rule that allows inbound web traffic and double-click it.
Click the "Protocols" tab
Click "Filtering"
Click "Configure HTTP"
Click the "Extensions" tab

Here is where you have to make the choice of what to block. If you have some time, it would be really good to enumerate good things here and block everything else. What might be good? The following probably are:

  • HTM
  • HTML
  • JPG
  • JPEG
  • JFIF
  • GIF
  • PNG
  • ASP
  • ASPX
  • TXT
  • EXE (we probably want to be able to download these)
  • OCX (arguably ActiveX is good)
  • SWF (I personally do not like Shockwave, but some people do)
  • CFM (Cold Fusion)
  • PHP
  • ZIP
  • There are probably a lot more and quite frankly, in an emergency, you would not want to build this list. Do this later, when you can do some real analysis on it

So obviously, if we are worried about a particular attack, we'll select "Block specified extensions (allow all others)" in the drop-down list
Click Add
In the "Extension" box type the name of the extension, such as "WMF" (without the quotes)
Click "OK" twice and then click Apply.

If you want to verify whether the filter works go to http://www.protectyourwindowsnetwork.com/test-wmf.htm. If the picture on that page is blocked your filter probably worked.

Comments
  • Thanks!

  • Strange that you should relegate WMF to the example, but not add it to the list - is that a coincidence, or have you been reading the tales of a WMF zero-day attack?

  • Awesome timing on that WMF example, hopefully its just some comic relief :)

  • Since you are using SBS, did this apply to a System Policy Rule or one of the SBS created Firewall Policy Rules? I've already tried the SBS Internet Access Rule unsuccesfully and am at odds to understand where the firewall controls the flow of website information back into the protected network if not there. Thanks for a well timed article on this bye the way ... I've read that paragraph on the WMF exclusion twice and understand its meaning to block the WMF not pass it through.

  • Alun, is WMF really necessary on the web? I don't recall seeing many web sites using it. I forgot a lot on the good list though, like XML. The point is more that yes, an allow list is the right thing to do, but it is not easy.

  • Dale, I actually applied the filter to the SBS Internet Access Rule. I typically like making new rules and not modify the built in ones, but if you are not using SBS you would have a custom rule like it and then that is where you would put it. With SBS it may be safer to make a new rule.

  • Seriously. Who uses ISA in any real world environment? Let me rephrase that -- any real world environment who hasn't consumed the kool-aid.

    Third party tools/hardware perhaps?

    Love the blog by the way.

  • There are some sites and vendors that have a full listing of file types that should be blocked, we use Clearswift products together with firewall policies. I sat down one day and went through these lists and worked out what we needed (that was safe) and blocked everything else, it's amazing just how little you really do need. However, my boss has a good understanding of why this is required and supports this, which makes it easy for me :)

  • Dr. D... a lot of folks use ISA in a real world environment sir.

    Every SBS 2003 Premium that has ISA 2004 in fact.

  • Dr. D, it's totally up to you. As I always say, if Microsoft products do not do what you need them to, you should not use them. That said, I'd love to know why you feel that no real world environments should use ISA, or do you simply mean that none do, regardless of whether they should or not?

  • Keith, can you send me some links to those types of sites? I would love to see it. You can send me e-mail if you want.

  • For the record, wmf files probably weren't the best example for this. It looks like Windows XP detects wmf files based on their file extension *and* their content. This means that a renamed wmf file may still be treated as a wmf file by XP when it hits your desktop, potentially by-passing ISA filters if ISA looks at the file extension alone.

  • Andy: This behaviour is an artefact of the way in which applications are associated with extensions, and in which they load files.

    Rename the WMF as any image format that is rendered by the same engine, and it will still cause you a problem. Rename it as a TXT file, and you won't see it pulling up the graphics viewer.

    This is because extensions are associated with applications, and a single application may render multiple formats. The association is made on the basis of the file extension, and the rendering is done on the basis of the file's contents.

    As an example, try running this command: "ftype | findstr /i shimgvw.dll" - it'll show you all the file types that are associated with the Fax And Image Viewer. To see what extensions are associated with those file types (let's use "wmffile" as the example), you would run "assoc | findstr /i wmffile".

    If you want to browse through this information in a text format, to see what types are associated with what programs, the following command produces some edifying output (doubtless someone will improve on it):

    ( for /f "tokens=1,* delims==" %a in ('assoc') do @echo %a=%b & ( @if not .%b==. ftype %b ) & @echo. ) > types 2>nul

  • Jesper: No, I'm not saying WMFs should be transferred as a matter of course over the Internet. Blocking them is sensible (an 'allow' list is always better, of course, than a 'deny' list - and I know you can't call them blacklists or whitelists).

    As pointed out earlier, though, you could provide the same content in a GIF or a JPG file, and it would be funneled to the same program. Filtering on extension is a poor substitute for filtering on content - and it would help if some of the tools would prompt the user if the contents and the extension don't match.

    Windows Media Player nearly gets there, as it prompts the user if the content doesn't match the extension - sadly, it doesn't allow an educated user to see what the content was determined to be, so that an informed decision can be made. If I know, say, that there's a bug in AVI files, but not in MPEGs, and someone sends me an MPEG, I'd like to be told "uh, this is really an AVI" when being asked if I want to load the content anyway.

  • I so wish there was a way to filter based on content at the firewall, but sadly, we seem to live in an extension oriented world; one full of programmer who refuse to realize that and do everything in their power to ensure that their buggy code gets invoked no matter what extension the attackers put on the file. Filtering in extensions is kind of like using Software Restriction Policies to block attacks. It will certainly stop a specific attack, but the way around it is typically quick, easy, and only a day or two away.

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment