Extension Blocking, The Debate

By LordInfidel
I am opening up this debate in order to field people's views on this.

Over the past several months, since I began sharing my views about
extension blocking, I have received lots of e-mail from people asking
me about extension blocking. I have also been criticized by other admins for advocating my view.
Admins who I would have thought would be open and supportive to the idea.

When I made the decision 2 years ago to begin blocking extensions at the mail gateway,
it was to prevent my end users from receiving vbs scripts. I noticed that my end users
could not be trusted on their own to not execute the attachment. I also noticed that the
various AV products out there were not picking up the viruses.

Now what I am advocating is not new. I did not come up with the idea, nor was I the first
admin to employ such a tactic.

I am, however, one of its most vocal advocates.

I have always sworn by the old adage, "Burn me once, shame on you, Burn me twice, shame on me."

As admins and IT professionals, if we do not learn from the past and from our mistakes, then how will
we ever learn at all?

So with those points in mind, I will now open the floor to debate.

Feel free to disagree with me and discuss the finer points of security.

I do urge people, before blasting another person in this debate, to be certain who you are blasting.
Read their profile. Look over some of their other posts. We are all reasonable people here, there is no
need for mud slinging.

All Comments

I agree...

by Fdurham In reply to Extension Blocking, The D ...

...with the same quote you stated...
"Burn me once, shame on you; Burn me twice, shame on me"

I have since started blocking extensions at my company and a lot of resistance has been shown towards me. Yes, I have a responsibility to the users, but I have a higher responsibility to the company. I feel at times I am part of the CIA because I am denying extensions without them knowing.

It's always better to be safe than sorry.

Frank Durham

I encountered same resistance

by LordInfidel In reply to I agree...

In the beginning, I had the same thing. Users hated me for blocking their files.

But as they saw other companies being brought down for hours/days due to a new virus and we were able to keep on going, they began to realize that a little extra step in getting their files was a small price to pay in light of the alternative.

I have just resolved myself to the fact that I am here to protect the network and my company's data.

I did, however, make it clear to all users in a company-wide e-mail that file extensions will be blocked. Make sure that you have the backing of your executive branch and that they understand why.

Also, my users' files are not technically blocked, they are really just quarantined. I felt that just automatically blocking all extensions would have been irresponsible. And deleting the attachments that I do block would be just as bad.

Instead I use the quarantine method, where only myself and my counterpart can retrieve the files after the user requests the file retrieval. They remain quarantined for 10 days and then they are removed from the server.

If there are any doubts in our mind whether or not the file is a virus, we will test it on an off-line machine. If it's clean we will send it to them. If it's not, well then you know the answer.

Feeling bad, at least for me, was just a fleeting moment once my network started to withstand the bombardment of new viruses.

I'd rather play UT than have to fix everyone's machine.
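
The quarantine workflow described in the post above (hold blocked attachments instead of deleting them, keep them for 10 days, release only through the mail admins), sketched as an added example that is not part of the original thread or any poster's actual filter. The extension list, function names and sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from datetime import datetime, timedelta, timezone

BLOCKED = {".vbs", ".bat"}        # extensions named in the thread; a site list would be longer
RETENTION = timedelta(days=10)    # hold period described in the post

def blocked_ext(filename):
    """Return the blocked final extension of filename, or None if it is allowed."""
    # Windows ignores trailing dots/spaces, so "a.vbs. " must still match ".vbs".
    name = filename.strip().rstrip(". ").lower()
    dot = name.rfind(".")
    ext = name[dot:] if dot != -1 else ""
    return ext if ext in BLOCKED else None

def quarantine(raw, store, now):
    """Move blocked attachments into store (hypothetical list) and return the cleaned message."""
    msg = message_from_bytes(raw, policy=policy.default)
    for part in list(msg.walk()):
        fname = part.get_filename()
        if not fname or blocked_ext(fname) is None:
            continue
        store.append({"rcpt": msg["To"], "name": fname,
                      "data": part.get_payload(decode=True),
                      "expires": now + RETENTION})
        part.clear()  # drop the payload and its headers, leave a notice in its place
        part.set_content(f"Attachment {fname!r} was quarantined; contact the "
                         "mail admins to request release.",
                         disposition="attachment", filename="QUARANTINED.txt")
    return msg

def purge_expired(store, now):
    """Drop quarantined items whose hold period has passed; return the survivors."""
    return [item for item in store if item["expires"] > now]

def sample_message():
    """Constructed test input: one allowed and one blocked attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", "files"
    m.set_content("see attached")
    m.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf",
                     filename="report.pdf")
    m.add_attachment(b"MsgBox 1", maintype="application", subtype="octet-stream",
                     filename="invoice.txt.VBS")
    return m.as_bytes()
```

Matching on the final extension after case-folding catches double extensions such as `invoice.txt.VBS`; it does not look inside archives, which is the job the thread leaves to the AV scanner.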

I have and always will

by randym In reply to I agree...

My feelings are that the system is like a close personal friend to me. I spend nights and sometimes even weekends with it. It should be treated like a friend. I would never subject a friend to a human virus so why subject my system to one. Plus if the system gets infected then I am the one to slave away for hours or even days to fix the thing. If the users don't like it so be it. This is work not play. You can shop or chat on your own time not on mine.

My feelings exactly...

by LordInfidel In reply to I have and always will

Users have no rights to play on my network.

That is reserved only for /.

Why should we be subjected to work anyway?

Blocking Is Definitely good.

by radiic In reply to Extension Blocking, The D ...

I have to agree with you Lord. I read what jon p said in the other thread and he was totally off base for blasting you on that.

IMHO it would be a big mistake not to block certain extensions. I don't have a single user on my network that needs to send/receive *.vbs files *.bat or *.* . Not that I will block *.* it's just that our operation doesn't require that much transfer of files.

Now Jon P brought up that point about users going to rogue websites and getting them that way. Well that's why I have Trend officescan corp on the desktop. I have had 3 users go to rogue websites and Trend stopped Troj_sircam.a and PE_magistr.a from being installed on their putters.

So I say this in your defense Lordinfidel, to JON P, LI was not advocating that file extension blocking is the ONLY line of defense just that it is one of the lines of defense. And how dare you say that his users are tied up with useless defense. Maybe you should have gotten to know LI before you slammed him, if you had you would have known that his AV scans file attachments that are allowed in like your example *.zip and scans what's inside the zip file, if it passes that scan then it gets in if not then not.

Seems like lately everyone is trying to slam someone in these discussions and not focusing on what it is about. All of us have our opinions on what works for our network and it's good to share that opinion. But when your opinion becomes a way for you to attack someone, then maybe you should just keep it to yourself.

And that's just my opinion

Thanks Rad...

by LordInfidel In reply to Blocking Is Definatly goo ...

As always I thank you for your intelligent contributions.

I was a little peeved at his comments towards me, which is why I hope he joins this thread so that we can openly debate the pros/cons of extension blocking.

To me, extension blocking is a no brainer. But I might be missing a bigger picture.

Which is what I hope to be enlightened with by this discussion.

Let me try

by James R Linn In reply to Thanks Rad...

Our company doesn't do extension blocking.

But we have 3 layers of anti-virus protection and have spent much time and effort with the users to educate them about viruses. When Goner came in, it was users who reported it to the help desk, and we had our signatures files updated within the hour.

In some environments, I can understand some user resistance to extension blocking. I don't agree but I understand it. What you may need to get them to help see your side is some PR. Let the users know how many viruses get intercepted. Let them know your successes - then they may be more inclined to think of the greater good.

Personally, I'd like to lock down the desktop and not allow more than a handful of users to install programs (except via SMS or similar tools).

Users, even ones within IT, don't like to be told they can't do things. Especially when they want to learn and try to exercise their natural curiosity. What we have to do is temper that curiosity with a dose of reality. I got my first virus 15 years ago - but some users have never known the panic and frustration which sets in when you wonder what damage has been caused. Give them a taste of it, and they might feel differently.

I agree.

by LordInfidel In reply to Let me try

My users were resistant at first.

But I took things a little further.

I looked at it from the point of view that (and I still do) my users do not run my network, I do. I will do what is best for it, which ultimately winds up being best for them, whether they realize it or not.

After "I love you" and "Melissa", I quickly found that I had the full backing of my users and executives to do whatever it was that I saw as necessary to protect the network.

Once they saw other companies being down for days and we were still alive, kicking and working without any damage, they started praising and backing my policies.

I do agree, PR goes a long way with users. I always, always, send them out virus bulletins of new viruses that come out.

This serves 2 purposes.

1) To keep them paranoid about opening attachments and e-mail (even though I know the truth about the possibility of them getting a harmful virus).

2) So that they stay informed, so that when they are home checking their personal e-mail they don't infect themselves. Most home employees have their work e-mail addresses saved in their contact lists, as well as other business contacts of the company's.

Nothing is worse than 1 company sending viruses to a client of theirs. It is just poor business practice. Especially when you are a technology based company. It will reflect poorly on your business relationships.

Basically, I never let my users dictate how the network will be run, what software that can be installed and who installs it. Everything is controlled by Network Operations.

I agree but watch the tone

by James R Linn In reply to I agree.

Not with me, but with your users.

The only reason you have a network is to provide the infrastructure so that the users can do their work. If your policies are so restrictive that they can't work then having a wonderful network is not at all useful.

The line we try to take is that users give us requirements and we come up with solutions.

You could and should use the line that you are sacrificing the needs of the few (to get executables via email) for the needs of the many (to have a safe and secure mail system).

As for home use - we have an agreement with our vendor that allows us to make CDs for home users to put the same anti-virus software on their systems at home. We haven't made it an ironclad rule that this software must be installed or we won't allow RAS or VPN, though we'd like to.

Vigilance and user awareness are the keys to stopping viruses before they start.

I'm not a total tyrant...

by LordInfidel In reply to I agree but watch the ton ...

I would say that my users love me, actually.

Even though my nicknames run the gamut from Satan to God.

I know that when I post here it seems like I am a complete and utter a**hole to my users. Well I can be at times, but I do it with tact.

I believe in social engineering their minds. I get them to do what I want them to and they believe that they are happy to do it.

I understand the fine line with policies. But for an example: my CEO wanted the admin password to his machine. I told him flat out no. After some debate he saw my point of view. Even though he thought what he was asking for was harmless, since he was the CEO, it was a violation of our security policy. If he was to log in from somewhere else using that username/password (which is a very low level U/P, it's for local machine accounts only) it could be a bad thing if someone was to get it.

I went on to explain what the account was used for and the effects it would have if it was compromised.

I agree, there are always ways to enforce your policies without being restrictive. But the point still stands. Users should never dictate corporate policy.

Let's face it. We are not supposed to be the yes man. We have to be able to make harsh decisions and stick by them. We have to be able to say no and defend our position with intelligence. It's a sucky job at times, but one that is necessary for our survival.
