For some reason I decided that today was a good day to figure out how to block certain file extensions from being accessible over the web. This can be very useful, for instance, if you are trying to prevent a particular exploit that uses a particular file extension for its payload.
To do this go to the rule that allows inbound web traffic and double-click it.
Click the "Protocols" tab.
Click "Configure HTTP".
Click the "Extensions" tab.
Here is where you have to choose what to block. If you have some time, the better approach is to enumerate the extensions you know are good here and block everything else. What might be good? The following probably are:
- EXE (we probably want to be able to download these)
- OCX (arguably ActiveX is good)
- SWF (I personally do not like Shockwave, but some people do)
- CFM (Cold Fusion)
- There are probably a lot more and quite frankly, in an emergency, you would not want to build this list. Do this later, when you can do some real analysis on it
So obviously, if we are worried about a particular attack, we'll select "Block specified extensions (allow all others)" in the drop-down list.
In the "Extension" box type the name of the extension, such as "WMF" (without the quotes)
Click "OK" twice and then click Apply.
If you want to verify whether the filter works go to http://www.protectyourwindowsnetwork.com/test-wmf.htm. If the picture on that page is blocked your filter probably worked.
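To make the two filter modes concrete, here is an added illustration of the decision they make for a request (my own example code, not the filter's own logic). It matches on the extension of the URL path only, case-insensitively; how it treats extensionless URLs in the allow-list mode is my assumption, so check the product's real behaviour for those before relying on it.

```python
"""Extension-filter decision logic, as an added illustration.

Two modes are modelled:
  'block' = "Block specified extensions (allow all others)"
  'allow' = allow only the listed extensions, block everything else
"""
from urllib.parse import urlsplit
import posixpath


def extension_of(url: str) -> str:
    """Lower-cased extension of the URL path (no dot), or '' if none.

    Only the path is inspected: query string and fragment are ignored,
    and 'cute.WMF' and 'cute.wmf' are treated alike.
    """
    name = posixpath.basename(urlsplit(url).path)
    _, dot, ext = name.rpartition(".")
    return ext.lower() if dot and ext else ""


def is_blocked(url: str, mode: str, extensions) -> bool:
    """True if the filter would block this request in the given mode.

    Assumption (mine, not the product's documented behaviour): a request
    with no extension, such as '/' or '/index', is allowed in 'block' mode
    and blocked in 'allow' mode, so a strict allow list has to take
    extensionless URLs into account.
    """
    listed = {e.lower().lstrip(".") for e in extensions}
    ext = extension_of(url)
    if mode == "block":
        return ext in listed
    if mode == "allow":
        return ext not in listed
    raise ValueError(f"unknown mode {mode!r}")


def demo():
    """Constructed sample requests run through both modes."""
    good = ["EXE", "OCX", "SWF", "CFM"]          # the "good" list from above
    urls = [
        "http://www.example.test/pics/cute.WMF",  # constructed sample URL
        "http://www.example.test/setup.exe",
        "http://www.example.test/",
    ]
    return {u: (is_blocked(u, "block", ["WMF"]), is_blocked(u, "allow", good))
            for u in urls}
```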