September 18, 2006 12:00 AM

Web Content Filtering with ISA Server

Block unwanted content by URL, keyword, signature, or file type
Windows IT Pro
InstantDoc ID #93298

Blocking File Downloads by File Type
Let's consider another HTTP filtering option that most administrators will find useful: blocking file downloads based on file type (extension). From the Configure HTTP policy for rule dialog box, select the Extensions tab that Figure 5 shows.

The dialog box lets you define any number of file extensions to either allow or block, depending on how you want to create your rules. For example, if your organization's security policy indicates that users should be downloading documents only (never anything else), you can set "Specify the action taken for file extensions" to "allow specified extensions only" and populate this page with the types you want to allow (e.g., .doc, .xls, .ppt, .pdf, .rtf, .txt).

Figure 5, however, shows the opposite approach. Users behind this ISA Server can download any file type except the ones I specifically blocked: several executable content types (.exe, .pif, .scr) and .zip files. After the rule is in place, any attempt to download a file with one of the specified extensions results in an error message that explains that the HTTP filter rejected the request.
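Before enabling either kind of rule, it helps to see which requests it would reject. The following is an added example, not code from the article or from ISA Server: a small Python model of the two Extensions-tab modes, run over a constructed list of URLs. The function names, the sample URLs, and the separate handling of extensionless requests are assumptions of this sketch.

```python
from collections import Counter
from posixpath import splitext
from urllib.parse import unquote, urlsplit

# Lists taken from the article: the types blocked in Figure 5 and the
# documents-only allow list from the first example.
FIGURE5_BLOCKED = {".exe", ".pif", ".scr", ".zip"}
DOCUMENTS_ONLY = {".doc", ".xls", ".ppt", ".pdf", ".rtf", ".txt"}


def url_extension(url):
    """Lower-cased extension of the URL path; query string and fragment ignored."""
    path = unquote(urlsplit(url).path)
    return splitext(path.rsplit("/", 1)[-1])[1].lower()


def verdict(url, extensions, allow_only=False):
    """Model of the Extensions tab: 'allow', 'block', or 'no-extension'."""
    ext = url_extension(url)
    if not ext:
        # The article does not say how extensionless requests are treated,
        # so this model reports them separately instead of guessing.
        return "no-extension"
    listed = ext in extensions
    return "allow" if listed == allow_only else "block"


def impact(urls, extensions, allow_only=False):
    """Count the requests a rule would reject, grouped by extension."""
    return Counter(url_extension(u) for u in urls
                   if verdict(u, extensions, allow_only) == "block")


# Constructed sample of requested URLs, as they might appear in a proxy log.
SAMPLE_URLS = [
    "http://files.example.com/tools/setup.EXE",
    "http://files.example.com/reports/q3.pdf?download=1",
    "http://files.example.com/archive/photos.zip",
    "http://files.example.com/saver.scr",
    "http://www.example.com/news/",
    "http://www.example.com/index.html",
]

if __name__ == "__main__":
    print("block-listed mode:", dict(impact(SAMPLE_URLS, FIGURE5_BLOCKED)))
    print("allow-only mode:  ", dict(impact(SAMPLE_URLS, DOCUMENTS_ONLY, True)))
```

On this sample the allow-only list also rejects the ordinary .html page, which is the kind of side effect worth measuring against real traffic before the rule goes live.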

Let me list common file types that many organizations filter either through their mail server or through a Web proxy filter such as ISA Server. You'll find it worth your while to add many of these file types to an HTTP filter applied to your general user community's traffic. Your headaches will be reduced if users aren't allowed to download questionable content or have their browsers tricked into doing so.

I strongly recommend that you block the following attachment types:
.com, .bat, .chm, .cmd, .eml, .dll, .exe, .js, .msi, .pif, .scr, .shs, .vb, and .vbs.

You should also consider blocking the following attachment types:
.asx, .ade, .adp, .bas, .bin, .cpl, .crt, .hiv, .hlp, .hta, .inf, .ins, .isp, .jse, .jtd, .mht, .msc, .msp, .mst, .nws, .ocx, .oft, .ovl, .pcd, .pl, .plx, .sct, .sh, .shb, .sys, .vbe, .vss, .vst, .vxd, .wsc, .wsf, and .wsh.

ISA Server has the ability to filter specific types of content within the protocols on which most organizations must depend. ISA 2004's application-level content filtering is a breeze to set up, and it raises the security capabilities of organizations that use it to previously unattainable levels.

Editor's note: This article is excerpted from Keeping Your Business Safe from Attack, which is available at http://www.windowsitpro.com/ebooks.

Comments
  • Tamas
    4 years ago
    Sep 30, 2008

    I really cannot find the point of the article. Where can I read more of this article?

  • Asim
    5 years ago
    Feb 11, 2007

    Thanks for such a supporting article


Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.