Blocked File Types in SharePoint

Blocked File Types in SharePoint should be evaluated when planning the governance or security of your SharePoint deployment. However, if you already have an existing environment, it's never too late to revisit this part of SharePoint administration. Bottom line: don't overlook Blocked File Types!

What is it?
This security feature in SharePoint allows administrators of Central Administration to prevent certain file types from being saved to or accessed from a SharePoint environment. The list contains file extensions, and each file extension corresponds to a specific type of file. By default, SharePoint already blocks some file types (see the default list at the end of this post). Most importantly, each web application in SharePoint has its own blocked file types list, allowing you to administer blocked file types per application.

How does it work?
SharePoint checks the file name and any characters immediately after a period (.). If a set of characters after a period matches an entry in the blocked file list, the file is blocked. You can't trick it with fancy naming conventions, either. If you renamed your file to have a period at the end, it would also check the preceding characters. Hypothetically, let's say you wanted to block any file that ended in .docx (I know, hypothetical though, okay?). If you added .docx to the blocked file types list, any of the following files would be blocked in SharePoint:

blockmeplease.docx
blockmeplease.docx.
blockmeplease.docx.old_save_for_later

How Do I Block / Unblock files?
To administer the file types you must log in to Central Administration and navigate to the following location: Central Administration > Operations > (Security Configuration) Blocked File Types. On this page you may add or remove file types.

Note: be sure to select the web application you want to administer!

To add a file type to be blocked (i.e., don't allow it), add its extension to the list. If you want to unblock a file type (i.e., allow it), just remove the extension for that file type from the list. If you decide to go a little overboard and try to block every file type known to man, keep in mind that SharePoint will limit you to 1024 different types of files. (A little deductive logic here implies that each file extension is equivalent to 1kb, and the total file extension list can't exceed 1Mb… interesting!)

This can be a big list, but don’t waste effort trying to add an extension in the correct alphabetical order.  You can put the new extension at the top, bottom, or middle – it doesn’t matter.  SharePoint will automatically sort the extensions for you alphabetically the next time you load the list for viewing/editing.

For an extension reference, here’s a list of file formats (I think all that exist!) and their extensions on Wikipedia: https://en.wikipedia.org/wiki/Alphabetical_list_of_file_extensions

Result of Changes
Once you make changes to the list of blocked file types, the change affects new files being added and files already on the web site. Using our previous example of .docx: if a document library contains a .docx file and you then block it, users won’t be able to open the .docx file any longer. They can delete it, but any other action isn’t permitted.
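Because a change also hits files already on the site, it helps to check an inventory of file names against a proposed list before editing it. The sketch below is an added example, not SharePoint's own code: it models the matching rule from "How does it work?" and the curly-brace note as this post describes them, with case-insensitive matching, the brace rule applying to the file name, and all function names and sample file names being assumptions.

```python
# Added example: models the matching rule as this post describes it.
# It is not SharePoint's own code.

def normalize(ext):
    """'.DOCX', 'docx' and ' .docx ' all become 'docx'."""
    return ext.strip().lstrip(".").lower()

def blocked_segment(filename, blocked):
    """Return the blocked extension that filename matches, or None.

    Every run of characters that follows a period is compared with the
    list, so 'a.docx.' and 'a.docx.old' match 'docx' just like 'a.docx'.
    """
    blocked_set = {normalize(e) for e in blocked}
    # Index 0 is the text before the first period, which is not an extension.
    for segment in filename.split(".")[1:]:
        if segment.lower() in blocked_set:  # assumption: case-insensitive match
            return segment.lower()
    return None

def audit(filenames, blocked):
    """Map each file that the list would block to the reason."""
    hits = {}
    for name in filenames:
        # Assumption: the default curly-brace rule applies to the file name.
        if "{" in name or "}" in name:
            hits[name] = "curly brace"
            continue
        ext = blocked_segment(name, blocked)
        if ext is not None:
            hits[name] = "." + ext
    return hits

# Constructed inventory and proposed additions (.docx from the post's example,
# .mp3 and .vhd from its recommendations).
SAMPLE_FILES = [
    "blockmeplease.docx", "blockmeplease.docx.",
    "blockmeplease.docx.old_save_for_later", "docx_notes.txt",
    "Q3.report.MP3", "budget{draft}.xlsx", "lab-image.vhd.bak", "readme.txt",
]
PROPOSED = [".docx", ".mp3", ".vhd"]

if __name__ == "__main__":
    for name, why in audit(SAMPLE_FILES, PROPOSED).items():
        print(f"{name}: blocked ({why})")
```

Files such as docx_notes.txt are not flagged, because the blocked characters must follow a period.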

Trying to save a file that is blocked:

[Screenshot: saving a blocked file]

Trying to upload or access a file that is blocked:

[Screenshot: uploading or accessing a blocked file]

Recommended Files to Block/Unblock
In my deployments, I started a practice of blocking and unblocking the files below as a part of my routine steps in any installation. I picked this idea up from Joel Oleson (I don't remember the specific post).

  1. Recommended files to unblock that are blocked by default:
    1. .chm (help file)
    2. .lnk (url link)
    3. .url (url link)
  2. Recommended Files to block that are not blocked by default:
    1. .mp3 (audio file)
    2. .vhd (virtual hard drive file)

Notification
I also recommend that SharePoint administrators make available to their users the file types that aren't allowed in their SharePoint. This will prevent a user from becoming frustrated that they can't upload a file and ranting within the organization, placing erroneous blame on SharePoint. Can't you see the conversation on the elevator now?

Disgruntled John: "Sorry Jane that I couldn't share that screensaver (.scr) with you... our SharePoint [insert negative comment here]".

It's company policy that's preventing the sharing of the file, not SharePoint!

Default Blocked File Types
When a web application is created, it gets the default blocked file list from a config file which is stored in the 12 hive.  So although SharePoint has a default blocked file list, you do have control over it.  If there are particular files that you are always going to want to block in your farm, you can edit this config file.  Just remember that this will only affect Web Applications created ‘after’ editing the config file.  It's located here:

\Program Files\Common Files\Microsoft Shared\web server extensions\12\CONFIG\docextflt.xml


 

Default Blocked File Type Extensions and Corresponding File Types
Note: you should also know that files with curly braces ({ or }) are also blocked by default.

| File extension | File type |
|---|---|
| .ade | Microsoft Access project extension |
| .adp | Microsoft Access project |
| .app | Application file |
| .asa | ASP declarations file |
| .ashx | ASP.NET Web handler file. Web handlers are software modules that handle raw HTTP requests received by ASP.NET. |
| .asmx | ASP.NET Web Services source file |
| .asp | Active Server Pages |
| .bas | Microsoft Visual Basic class module |
| .bat | Batch file |
| .cdx | Compound index |
| .cer | Certificate file |
| .chm | Compiled HTML Help file |
| .class | Java class file |
| .cmd | Microsoft Windows NT command script |
| .com | Microsoft MS-DOS program |
| .config | Configuration file |
| .cpl | Control Panel extension |
| .crt | Security certificate |
| .csh | Script file |
| .dll | Windows dynamic link library |
| .exe | Program |
| .fxp | Microsoft Visual FoxPro compiled program |
| .hlp | Help file |
| .hta | HTML program |
| .htr | Script file |
| .htw | HTML document |
| .ida | Internet Information Services file |
| .idc | Internet database connector file |
| .idq | Internet data query file |
| .ins | Internet Naming Service |
| .isp | Internet Communication settings |
| .its | Internet Document Set file |
| .jse | JScript Encoded script file |
| .ksh | Korn Shell script file |
| .lnk | Shortcut |
| .mad | Shortcut |
| .maf | Shortcut |
| .mag | Shortcut |
| .mam | Shortcut |
| .maq | Shortcut |
| .mar | Shortcut |
| .mas | Microsoft Access stored procedure |
| .mat | Shortcut |
| .mau | Shortcut |
| .mav | Shortcut |
| .maw | Shortcut |
| .mda | Microsoft Access add-in program |
| .mdb | Microsoft Access program |
| .mde | Microsoft Access MDE database |
| .mdt | Microsoft Access data file |
| .mdw | Microsoft Access workgroup |
| .mdz | Microsoft Access wizard program |
| .msc | Microsoft Common Console document |
| .msh | Microsoft Agent script helper |
| .msh1 | Microsoft Agent script helper |
| .msh1xml | Microsoft Agent script helper |
| .msh2 | Microsoft Agent script helper |
| .msh2xml | Microsoft Agent script helper |
| .mshxml | Microsoft Agent script helper |
| .msi | Microsoft Windows Installer package |
| .msp | Windows Installer patch package file |
| .mst | Visual Test source files |
| .ops | Microsoft Office profile settings file |
| .pcd | Photo CD image or Microsoft Visual Test compiled script |
| .pif | Shortcut to MS-DOS program |
| .prf | System file |
| .prg | Program source file |
| .printer | Printer file |
| .pst | Microsoft Outlook personal folder file |
| .reg | Registration entries |
| .rem | ACT! database maintenance file |
| .scf | Windows Explorer command file |
| .scr | Screen saver |
| .sct | Script file |
| .shb | Windows shortcut |
| .shs | Shell Scrap object |
| .shtm | HTML file that contains server side directives |
| .shtml | HTML file that contains server side directives |
| .soap | Simple Object Access Protocol file |
| .stm | HTML file that contains server side directives |
| .url | Uniform Resource Locator (Internet shortcut) |
| .vb | Microsoft Visual Basic Scripting Edition file |
| .vbe | VBScript Encoded Script file |
| .vbs | VBScript file |
| .ws | Windows Script file |
| .wsc | Windows Script Component |
| .wsf | Windows Script file |
| .wsh | Windows Script Host settings file |

 

References:
Windows SharePoint Services 3.0 Help and How-to; Joel Oleson SharePoint Land; Personal Experience