Blocking certain extensions in ISA server


For some reason I decided that today was a good day to figure out how to block certain file extensions from being accessible over the web. This could be very useful, for instance, if you are trying to prevent a particular exploit that utilizes a particular file extension for its payload.


To do this, open the rule that allows inbound web traffic by double-clicking it.
Click the “Protocols” tab
Click “Filtering”
Click “Configure HTTP”
Click the “Extensions” tab


Here is where you choose what to block. If you have the time, the best approach is to enumerate the extensions you know you need and block everything else. What might belong on that list? The following probably do:



  • HTM

  • HTML

  • JPG

  • JPEG

  • JFIF

  • GIF

  • PNG

  • ASP

  • ASPX

  • TXT

  • EXE (we probably want to be able to download these)

  • OCX (arguably ActiveX is good)

  • SWF (I personally do not like Shockwave, but some people do)

  • CFM (Cold Fusion)

  • PHP

  • ZIP

  • There are probably a lot more and, quite frankly, in an emergency you would not want to build this list. Do this later, when you can do some real analysis on it.

So obviously, if we are worried about a particular attack, we’ll select “Block specified extensions (allow all others)” in the drop-down list.
Click Add
In the “Extension” box type the name of the extension, such as “WMF” (without the quotes)
Click “OK” twice and then click Apply.


If you want to verify whether the filter works, go to http://www.protectyourwindowsnetwork.com/test-wmf.htm. If the picture on that page is blocked, your filter probably worked.


Comments (27)

  1. Patrick Nolan says:

    Thanks!

  2. Alun Jones says:

    Strange that you should relegate WMF to the example, but not add it to the list – is that a coincidence, or have you been reading the tales of a WMF zero-day attack?

  3. Vlad Mazek says:

    Awesome timing on that WMF example, hopefully it’s just some comic relief 🙂

  4. Dale Unroe says:

    Since you are using SBS, did this apply to a System Policy Rule or one of the SBS created Firewall Policy Rules? I’ve already tried the SBS Internet Access Rule unsuccessfully and am at odds to understand where the firewall controls the flow of website information back into the protected network if not there. Thanks for a well timed article on this by the way … I’ve read that paragraph on the WMF exclusion twice and understand its meaning to block the WMF not pass it through.

  5. Jesper Johansson says:

    Alun, is WMF really necessary on the web? I don’t recall seeing many web sites using it. I forgot a lot on the good list though, like XML. The point is more that yes, an allow list is the right thing to do, but it is not easy.

  6. Jesper Johansson says:

    Dale, I actually applied the filter to the SBS Internet Access Rule. I typically like making new rules and not modifying the built-in ones, but if you are not using SBS you would have a custom rule like it and then that is where you would put it. With SBS it may be safer to make a new rule.

  7. Dr. D says:

    Seriously. Who uses ISA in any real world environment? Let me rephrase that — any real world environment who hasn’t consumed the kool-aid.

    Third party tools/hardware perhaps?

    Love the blog by the way.

  8. Keith Pawson says:

    There are some sites and vendors that have a full listing of file types that should be blocked, we use Clearswift products together with firewall policies. I sat down one day and went through these lists and worked out what we needed (that was safe) and blocked everything else, it’s amazing just how little you really do need. However, my boss has a good understanding of why this is required and supports this, which makes it easy for me 🙂

  9. Susan says:

    Dr. D… a lot of folks use ISA in a real world environment sir.

    Every SBS 2003 Premium that has ISA 2004 in fact.

  10. Jesper Johansson says:

    Dr. D, it’s totally up to you. As I always say, if Microsoft products do not do what you need them to, you should not use them. That said, I’d love to know why you feel that no real world environments should use ISA, or do you simply mean that none do, regardless of whether they should or not?

  11. Jesper Johansson says:

    Keith, can you send me some links to those types of sites? I would love to see it. You can send me e-mail if you want.

  12. Andy McKnight says:

    For the record, wmf files probably weren’t the best example for this. It looks like Windows XP detects wmf files based on their file extension *and* their content. This means that a renamed wmf file may still be treated as a wmf file by XP when it hits your desktop, potentially by-passing ISA filters if ISA looks at the file extension alone.

  13. Alun Jones says:

    Andy: This behaviour is an artefact of the way in which applications are associated with extensions, and in which they load files.

    Rename the WMF as any image format that is rendered by the same engine, and it will still cause you a problem. Rename it as a TXT file, and you won’t see it pulling up the graphics viewer.

    This is because extensions are associated with applications, and a single application may render multiple formats. The association is made on the basis of the file extension, and the rendering is done on the basis of the file’s contents.

    As an example, try running this command: "ftype | findstr /i shimgvw.dll" – it’ll show you all the file types that are associated with the Fax And Image Viewer. To see what extensions are associated with those file types (let’s use "wmffile" as the example), you would run "assoc | findstr /i wmffile".

    If you want to browse through this information in a text format, to see what types are associated with what programs, the following command produces some edifying output (doubtless someone will improve on it):

    ( for /f "tokens=1,* delims==" %a in ('assoc') do @echo %a=%b & ( @if not .%b==. ftype %b ) & @echo. ) > types 2>nul

  14. Alun Jones says:

    Jesper: No, I’m not saying WMFs should be transferred as a matter of course over the Internet. Blocking them is sensible (an ‘allow’ list is always better, of course, than a ‘deny’ list – and I know you can’t call them blacklists or whitelists).

    As pointed out earlier, though, you could provide the same content in a GIF or a JPG file, and it would be funneled to the same program. Filtering on extension is a poor substitute for filtering on content – and it would help if some of the tools would prompt the user if the contents and the extension don’t match.

    Windows Media Player nearly gets there, as it prompts the user if the content doesn’t match the extension – sadly, it doesn’t allow an educated user to see what the content was determined to be, so that an informed decision can be made. If I know, say, that there’s a bug in AVI files, but not in MPEGs, and someone sends me an MPEG, I’d like to be told "uh, this is really an AVI" when being asked if I want to load the content anyway.

  15. Jesper Johansson says:

    I so wish there was a way to filter based on content at the firewall, but sadly, we seem to live in an extension oriented world; one full of programmers who refuse to realize that and do everything in their power to ensure that their buggy code gets invoked no matter what extension the attackers put on the file. Filtering on extensions is kind of like using Software Restriction Policies to block attacks. It will certainly stop a specific attack, but the way around it is typically quick, easy, and only a day or two away.

  16. Alun Jones says:

    It’s not just because of that, surely? Isn’t it just possible that the firewall can’t adequately do thorough content filtering _and_ remain small, agile, responsive, fast and secure?

    If you ask a firewall to be an AV filter as well, it’s going to be damn near impossible to get any work done in a medium to large size company over the network!

  17. Andy McKnight says:

    Alun: This makes sense and shows why blocking based on file extensions isn’t a great idea.

    I’ve read that to mitigate the current wmf issue a workaround is to unregister the shimgvw.dll file which will prevent the Picture and Fax viewer from running. From your explanation I’d guess that changing the associations of all file types currently associated with shimgvw.dll to a different (third party?) file viewing application would also prevent any infection through this vector?

    I’m presuming that shimgvw.dll is only used by Picture and Fax viewer and no third party apps are likely to be using it (as in the MS04-028 gdiplus vulnerability).

  18. Alun Jones says:

    Andy: That would all depend on whether the bug is in shimgvw.dll, or is in some other library. Also, whether code for other applications you run might be calling shimgvw.dll.

  19. Jesper Johansson says:

    Answering two questions:

    1. Andy, shimgvw.dll is used to display JPG, GIF, PNG, WMF, EMF, and Paint files, at least. If you deregister it, you will not see any of those. Think "turn off the web" and you get an idea as to the impact. As for third-party apps, we know that at least Google desktop search uses it. I would be very surprised if most apps did not end up using it in the end. Why invent your own way to show pictures when there already is one?

    2. Blocking file extensions (or file types more like it) at a firewall – I think what came through there is my general disdain for traditional firewalls. Traditional firewalls block ports. They know that TCP 135 is bad, but that TCP 443 is good. So what? Ports are totally meaningless today. The firewall administrators’ favorite word has always been "No" so the developers had to figure out a work-around to make the apps work. That means that HTTP is the Universal Firewall Bypass Protocol (UFBP), because everyone knows that port 80 is open so they write their apps to use that port. If you want to be secure, all you need to do is use the Secure UFBP (SUFBP), which runs on TCP 443. This is why port filters are meaningful only as very coarse filters today. To do fine-grained filters the firewall needs to understand layer 7; they need to be able to parse the protocols and figure out what is ACTUALLY in it, not what claims to be in it based on an antiquated system of ports.

    This is really why I like ISA server, because it has a good application filtering architecture, and it is extensible as well. In the ultimate design I would put a filtering router at the gateway and filter ports there. Buying a full firewall to do port filtering is unnecessary. Then put an application filtering firewall (like ISA, but you can use anything that does the job) behind the filtering router. If you have a lot of traffic parcel it out into pieces, like web traffic to the web farm, mail to the front-end mail servers, and then stick an application filtering firewall in front of each. Need more perf? Buy a 64-bit box, or buy several machines and cluster them. By using a tiered and specialized filtering architecture like this you can get the performance you need, the granularity you need, and you can even tell which pieces of the architecture are vulnerable to a particular issue because you know which pieces would actually parse that traffic and which would just toss it in the bitbucket.

    Sure, this costs a bit. I certainly don’t have this at home, but the scalability is there, up or down, as needed.

  20. Scotte says:

    What’s especially obnoxious about relying on extension and not filtering on actual type is that there’s nothing you can do to stop it with ISA. Even using only allows on the HTTP filter, a bad file can still get through by renaming the extension. The exploit would be just as accurately described by saying a malformed .jpg or .gif or any file parsed by shimgvw.dll can cause the problem.

  21. Steve Riley says:

    So, given the sneakiness of attackers and their deplorable tactics these days, we can no longer take any claim at its word. And that’s what a file extension is — merely a claim that a file is of some type. We must dig deep into the bits of everything passing into and out of our networks now.

    What does this mean? Yes, the end of life for traditional packet-filtering firewalls. The architecture Jesper wrote up in an earlier comment (http://blogs.technet.com/jesper_johansson/archive/2005/12/28/416565.aspx#416632) is one I’ve been promoting also. Use your border router to throw off the obviously spoofed stuff (see the book for the five rules), then parcel traffic to appropriate content-inspection firewall farms. Inspect *everything*; throw away whatever doesn’t conform.

    …Now to those who doubt the enterprise-worthiness of ISA Server… I was once a doubter myself, in the early ISA Server 2000 days. But after spending lots of time with the product, tearing it apart, and building several large enterprise installations with it, I’m convinced it’s great stuff. In my opinion, it’s some of the best code Microsoft has ever released. ISA Server 2000 has had only five critical or important security bulletins in its lifetime — and only two of them involved remote exploits, one in the Gopher protocol handler and one in the H.323 filter. Most people don’t even use these bits. ISA Server 2004 has had zero bulletins.
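Added example, not code from the post or from ISA Server: a small Python sketch contrasting the extension allow-list the post configures with the content check that comments 14 and 21 argue for (a file extension is only a claim). The allow-list, the example.test URLs and the sample bodies are constructed for illustration; the magic numbers are the standard leading bytes of WMF, GIF, JPEG and PNG files.

```python
from urllib.parse import urlsplit
import posixpath

# Constructed allow-list in the spirit of the post's "good" list (not the post's full list).
ALLOWED_EXTENSIONS = {"htm", "html", "jpg", "jpeg", "gif", "png", "txt", "xml"}

# What each claimed extension should contain, for the sniffer to compare against.
CLAIM_TO_KIND = {"jpg": "jpeg", "jpeg": "jpeg", "gif": "gif", "png": "png", "wmf": "wmf"}

# Leading bytes that identify the formats discussed in the comments.
MAGIC = [
    (b"\xd7\xcd\xc6\x9a", "wmf"),      # placeable (Aldus) WMF header key
    (b"\x01\x00\x09\x00", "wmf"),      # standard WMF: memory metafile, header size 9 words
    (b"\x02\x00\x09\x00", "wmf"),      # standard WMF: disk metafile, header size 9 words
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
]

def extension_of(url: str) -> str:
    """Extension the request claims, lower-cased; '' if the path has none."""
    name = posixpath.basename(urlsplit(url).path)   # ignore ?query and #fragment
    if "." not in name or name.endswith("."):
        return ""
    return name.rsplit(".", 1)[1].lower()

def sniff(body: bytes) -> str:
    """Type asserted by the bytes themselves; 'unknown' if no magic matches."""
    for magic, kind in MAGIC:
        if body.startswith(magic):
            return kind
    return "unknown"

def classify(url: str, body: bytes) -> str:
    """Extension allow-list first (what the ISA filter does), then a content check
    (what the commenters wish it did). Returns the decision as a short label."""
    ext = extension_of(url)
    if ext not in ALLOWED_EXTENSIONS:
        return "blocked-extension"
    kind = sniff(body)
    if kind != "unknown" and CLAIM_TO_KIND.get(ext) != kind:
        return "blocked-content-mismatch"   # e.g. a renamed WMF served as .gif
    return "allowed"

# Constructed sample bodies: only the leading bytes matter to the sniffer.
WMF_SAMPLE = b"\xd7\xcd\xc6\x9a" + b"\x00" * 18          # 22-byte placeable header, zero-padded
GIF_SAMPLE = b"GIF89a" + b"\x00" * 7

if __name__ == "__main__":
    for url, body in [("http://example.test/pic.wmf", WMF_SAMPLE),
                      ("http://example.test/pic.gif?v=2", WMF_SAMPLE),
                      ("http://example.test/pic.gif", GIF_SAMPLE)]:
        print(url, "->", classify(url, body))
```

The second case is the one the commenters describe: the extension filter alone waves the renamed WMF through, and only the content check stops it.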

  22. Alun Jones says:

    Aw come on, there’s always value in blocking file types that are known to carry dangerous information.

    Just as SRP is valuable, just as USB-disk blocking is valuable, as a policy measure.

    In the case of WMFs, the data type is one that is designed to carry complex data that verges on instructions. Blocking them by the mere claim that "this is a WMF" allows you to block the more malicious ones at other points by noting that "this is a GIF" accompanied by a WMF-file’s contents can be rejected immediately.

    There _is_ value in protecting against malware that doesn’t pretend to be anything it’s not. Spyware usually tells users in the EULA roughly what it’s going to do, so if there was an EULA scanner, that would catch most spyware. The most widespread GIF/JPG/WMF/etc exploits all seem to be comfortable spreading as GIF/JPG/WMF/etc. Password-protected Zip file viruses declare themselves to be password-protected zip files.

    There is a reason, after all, that immigration questionnaires include questions like "do you intend to enter this country to engage in acts of subversion or terrorism?" and "have you ever committed genocide?"

  23. Alun Jones says:

    Uh… Which is not to say that we should rely on that as our only means of defence, or expect that it is sufficient. But it is a means to cut out the simple and obvious threats. How does the old saying go? "If you’ve just jumped out of a plane with a time-bomb strapped to you, you should probably pull the rip-cord on your parachute before you worry about defusing the bomb."

  24. Jesper Johansson says:

    When it comes to security, almost everything has a value, and it is almost always dangerous to rely too much on one thing. There is no black and white in Security. Everything is grey scale. Blocking WMF files may take the heat off you for a while, until the bad guys exploit JPG files (totally theoretical as I am not aware of an exploit in JPG, lest someone thinks I was revealing something). The point is that Alun is right. Even technologies that do not provide absolute security often have value if the cost of implementing them is lower than the expected loss of the security breach they stop, however temporarily; and they are used properly. If our security toolbox could only have technologies that provide absolute security there would only be one tool in it:

    http://www.amazon.com/exec/obidos/tg/detail/-/B000BHPY0S/sr=1-14/qid=1136009865/ref=sr_1_14/002-4134391-6394434?%5Fencoding=UTF8&v=glance