Jim Harrison has created a very cool script to do much better blocking of the WMF exploit in ISA server. The script is nice because it sets up a policy that actually parses the request body and blocks WMF files that are renamed to something else by using ISA's ability to look really deep into the payload. It also is helpful in that it can uninstall itself.
This script, while being much better than simply looking for extensions, is not foolproof. It will obviously not work with an HTTPS tunnel, unless the ISA server is proxying the HTTPS connection and terminating it at the ISA server. Nor would it work on an e-mail borne attack, such as where the offending file is attached to an e-mail. Those latter ones you need to block by blocking attachments in e-mail. Still, it does assist in blocking certain types of attacks and as I said before, all these things have to be accounted for in your risk management strategy.
Hi Jesper, sorry this is not related to the WMF exploit blog, but can you push me towards some IPsec info? In your book, pg 379, you mention IPsec filters to prevent clients talking to each other. That's what I would like to trial, but all my clients and servers are on the same 192.168.x.x/24 subnet and IPsec filters don't seem to allow me to set a range (ie from .25 to .100 on the same subnet). Cheers.
Scratch that! I came from the other angle, which is arguably better anyway. I blocked all traffic on the entire subnet *except* that to the known servers and printers. Thank you.