Extension Blocking, The Debate

By LordInfidel
I am opening up this debate in order to field people's views on this.

Over the past several months, since I began sharing my views about
extension blocking, I have received lots of e-mail from people asking
me about extension blocking. I also have been criticized for advocating my view by other admins,
admins who I would have thought would be open and supportive of the idea.

When I made the decision 2 years ago to begin blocking extensions at the mail gateway,
it was to prevent my end users from receiving VBS scripts. I noticed that my end users
could not be trusted on their own not to execute the attachment. I also noticed that the
various AV products out there were not picking up the viruses.

Now what I am advocating is not new. I did not come up with the idea, nor was I the first
admin to employ such a tactic.

I am, however, one of its most vocal advocates.

I have always sworn by the old adage, "Burn me once, shame on you. Burn me twice, shame on me."

As admins and IT professionals, if we do not learn from the past and from our mistakes, then how will
we ever learn at all?

So with those points in mind, I will now open the floor to debate.

Feel free to disagree with me and discuss the finer points of security.

I do urge people, before blasting another person in this debate, to be certain who you are blasting.
Read their profile. Look over some of their other posts. We are all reasonable people here; there is no
need for mud slinging.

35 total posts (Page 3 of 4)

I'm glad someone disagreed..

by LordInfidel In reply to Someone has to disagree.. ...

I'm glad to see that you at least offered another alternative.

As far as outsourcing, while it may work for you, I am apprehensive about outsourcing any of my IT responsibilities.

My feeling on AV products is this: they are not 100% effective. Therefore there is no guarantee that the AV product will pick up every piece of mail.

Nor would I want a third party intercepting my company's e-mail. Absolutely not.

Not to mention the cash you have to outlay, since I am assuming that you have to pay them a fee each month/year for this service.

A simple one-time cost (assuming that you would not be renewing support contracts) and you could essentially do this yourself.

The overhead is minimal.

I assume that every attachment that my users receive is a potential hazard.

Remember, you are responsible for the network. You are the one who knows best. Never let your users, directors, board members or executives, including the CEO, dictate the security/computer policies of the company. That is your job. That is why you are there.

As I said before, I do not "block" attachments in the sense that they are deleted. That would be a very ignorant thing for me to do. I quarantine them. This allows me to verify, when a user requests the file, whether or not it is a virus.

Maybe I am just a control freak.

Out of curiosity, if a virus does get through and takes down your entire network, what is their compensation to you? If they are just offering a month free, that can hardly account for the amount of time and money that your company would lose.

Just something to think about.


Policy and source

by D. Brock In reply to I'm glad someone disagree ...

I agree that as net admins we are there to be the experts and to do what needs to be done. But for the sake of your sanity, at least for most admins, security policy must appear to come from the company executive. If you are in a company where you are given freedom to enact security policy first hand, I commend you, but for most of us policy has only one source, and that is the executive suite.

We definitely must advise, and we certainly take the flak if the network is breached, but heavy handed tactics have landed more than one net admin in hot water and even the unemployment line. In many, if not most, companies an admin must be a skilled politician as well as technician so that they can properly secure the network and systems from harm. But we must never forget we are running THEIR networks not our own, and they call the shots in the end. I've taken too many battle scars not to have learned the value of a smooth tongue over a heavy hand. I guess I also envy your position of being able to enact unilateral decisions. To the rest of us who must walk that tight rope: best of luck.


I'm not saying I'm a rogue

by LordInfidel In reply to Policy and source

I obviously have to abide by some sort of rule-set.

I agree, security policies must *seem* like they are coming from the top.

A typical scenario for me would be: when I know that I need to enact a new policy, I would first analyze the network for the repercussions of the policy.

I would then meet with the COO and VP of operations to inform them of the security policy and why it is needed. They will typically ask me some questions: whether the policy can be avoided, and the risks involved if we did not enact it.

Generally the risks will be too great if we did not enact it. They sign off on it; an e-mail is generated by me explaining the new policy, proofread by the VP of ops, then sent out by him.

There have been times when this process met with resistance. There have been other times when the users have complained. But I usually just have to explain to them again why the policy is in place.

Like why I can't up the mailbox from 200 megs to 250. I have a limited amount of storage space, and more space = more money.

If I give them more space then I have to take away from someone else. I then explain to them how to get rid of some of their mail.

In short, I got my way, enforced our policy, and was nice about it.
But if my CEO came to us and said that he wants to use some app on our network that requires us to open up a hole in the firewall, and that app is not business related and the hole is a security risk, we are going to tell him no.

I understand that in private companies this can get an admin fired. But in a public company, our responsibility is not just to our network. It's also to the shareholders. We should not be doing things to the network that could allow the company to be brought down. That includes being at the whim of the executives.

I too walk the tightrope and have been scolded on many an occasion. I just choose not to waver from my position.


Experience shows

by D. Brock In reply to I'm not saying I'm a rogu ...

I can tell you too are a battle-scarred veteran of the corporate politics game. Good to see that it hasn't stopped you from being firm on your policies for the good of your company rather than bending to all whims of executives. It's often too easy to give in when the CEO tells you he wants something. You really need a good working relationship with him to do this. :)


Not so clean-cut

by The Chad In reply to I'm glad someone disagree ...

>I assume that every attachment that my users receive (stet) is a potential hazard.

What about .PDF, .DOC and .XLS? Most of our folks transmit these regularly as part of their job, but they also happen to be infection vectors.

One cannot block them or delay them carte blanche and continue to do business, at least where our users must receive their information (broker reports) in a timely manner before the market opens.

We, as policy, configure every machine to display extensions, keep the virus software up-to-date, and block the common executable extensions (.EXE, .COM, .BAT, .JS, .VBS, .PIF, etc.), the fun ones (.MP3, .WAV, .MOV, .QT, etc.), and some other things.

Granted, the easiest way around extension blocking involves renaming the file, but we generally assume our more technically savvy users who know how to do this won't run any old thing without taking care.

If one examines the infection patterns of typical e-mail-borne viruses, one finds the typical method of infection occurs when the user gets "click-happy" with attachments and doesn't bother to read the note or think about where it came from.


Blocking is critical.

by clearsmashdrop In reply to Not so clean-cut

We got hit by Nimda pretty hard. But our e-mail system was never hit, because of extension blocking. We were infected through either a website or someone using Outlook Express.

I just have to reaffirm what many people have already said.

1) Users can't be trusted not to open attachments.
2) People will scream like stuck pigs when they can't get My Keroppi Screen Saver because we blocked it, but eventually they get used to it.
3) Executive support is key. If the CEO (this is for smaller companies) or CIO sends out an e-mail supporting blocking, it goes a long way.
4) Don't be ashamed to rely on "power users" in your organization. A couple of times they have informed us of patches or viruses before we knew about them.


My open invite to my users..

by LordInfidel In reply to Blocking is critical.

I have strived to establish a communication line with my users regarding virus notifications.

I urge them all, regularly, to send us (network operations) any notices that they receive from their friends.

Sometimes they might be legitimate; other times they are a hoax.

This open invite gives users a feeling that they are part of the solution instead of part of the problem.

But before I got to that point it was a rocky road. I have found that we as admins have to secure the faith of not only the executives but also of our users.

If our users perceive us to be knowledgeable and capable, they are generally more apt to follow our procedures. There have been times when I have had to "kiss ***" in order to secure relations for the future.

One thing I can say is: keep your users in the loop on what you are doing and why, and they will probably follow you.


I do block PDFs

by LordInfidel In reply to Not so clean-cut

But only because they cannot be scanned by AV scanners.

DOCs and XLSs I let through because they can be scanned for macros and the macros can be removed.

They can also be scanned for heuristics.

Since our company is a streaming media company, I have to allow stuff like RM, ASF, GIF, JPEG, PPT, etc. files through.

I totally agree that we cannot cripple our users.

I would love to open up for PDFs. But I see hundreds of weird PDFs come in that have nothing to do with business.

I know that for a financial firm, receiving PDFs is critical. In that case I would open it up for them.

What I hope to achieve by this discussion is to make admins aware of the options before them, and to make wise decisions based on the goals and expectations of their company, while maintaining the security and integrity of their network.

As one thread above touched on, establishing extension blocking as part of the security policy should be planned and not ventured into lightly. We will be blocking legitimate files, which is why we need to give our users an avenue for retrieving those legitimate files.


by Ron S. In reply to Extension Blocking, The D ...

It's a business decision. Do the users require files of a certain extension in an e-mail to do their job? If so, then the file is not blocked. If not, well, too bad.

I don't have a problem with "entertainment" type e-mails either, unless it creates problems, which translates into more work. I'm not running a concentration-camp type network, but neither am I running an amusement park.


hehe....

by Ron S. In reply to

Silly title... mind you, there are a few users that I wouldn't mind doing, but there are a lot more that I would mind.

But...that is beyond the scope of this discussion.
