More on Using ISA to Block WMF Attacks

Jim Harrison has created a very cool script to do much better blocking of the WMF exploit in ISA server. The script is nice because it sets up a policy that actually parses the request body and blocks WMF files that are renamed to something else by using ISA's ability to look really deep into the payload. It also is helpful in that it can uninstall itself.

This script, while being much better than simply looking for extensions, is not foolproof. It will obviously not work with an HTTPS tunnel, unless the ISA server is proxying the HTTPS connection and terminating it at the ISA server. Nor would it work on an e-mail borne attack, such as where the offending file is attached to an e-mail. Those latter ones you need to block by blocking attachments in e-mail. Still, it does assist in blocking certain types of attacks and as I said before, all these things have to be accounted for in your risk management strategy.