General discussion

  • #2130396

    Extension Blocking, The Debate

    Locked

    by lordinfidel ·

    I am opening up this debate in order to field people’s views on this.

    Over the past several months, since I began sharing my views about
    extension blocking, I have received lots of e-mail from people asking
    me about extension blocking. I also have been criticized for advocating my view by other admins,
    admins who I would have thought would be open and supportive of the idea.

    When I made the decision 2 years ago to begin blocking extensions at the mail gateway,
    it was to prevent my end users from receiving vbs scripts. I noticed that my end users
    could not be trusted on their own not to execute the attachment. I also noticed that the
    various AV products out there were not picking up the viruses.

    Now what I am advocating is not new. I did not come up with the idea, nor was I the first
    admin to employ such a tactic.

    I am however one of its most vocal advocates.

    I have always sworn by the old adage, “Burn me once, shame on you. Burn me twice, shame on me.”

    As admins and IT professionals, if we do not learn from the past and from our mistakes, then how will
    we ever learn at all?

    So, with those points in mind, I will now open the floor to debate.

    Feel free to disagree with me and discuss the finer points of security.

    I do urge people, before blasting another person in this debate, to be certain who you are blasting.
    Read their profile. Look over some of their other posts. We are all reasonable people here; there is no
    need for mud slinging.

All Comments

    • #3547264

      I agree…

      by fdurham ·

      In reply to Extension Blocking, The Debate

      …with the same quote you stated…
      “Burn me once, shame on you; Burn me twice, shame on me”

      I have since started blocking extensions at my company and a lot of resistance has been shown towards me. Yes I have a responsibility to the users, but I have a higher responsibility to the company. I feel at times I am part of the CIA because I am denying extensions without them knowing.

      It’s always better to be safe than sorry.

      Frank Durham
      MCSE, CCNA, MCP

      • #3549828

        I encountered same resistance

        by lordinfidel ·

        In reply to I agree…

        In the beginning, I had the same thing. Users hated me for blocking their files.

        But as they saw other companies being brought down for hours/days due to a new virus while we were able to keep on going, they began to realize that a little extra step in getting their files was a small price to pay in light of the alternative.

        I have just resolved myself to the fact that I am here to protect the network and my company’s data.

        I did, however, make it clear to all users in a company-wide e-mail that file extensions will be blocked. Make sure that you have the backing of your executive branch and that they understand why.

        Also, my users’ files are not technically blocked, they are really just quarantined. I felt that just automatically blocking all extensions would have been irresponsible. And deleting the attachments that I do block would be just as bad.

        Instead I use the quarantine method, where only I and my counterpart can retrieve the files after the user requests the file retrieval. They remain quarantined for 10 days and then they are removed from the server.

        If there are any doubts in our mind whether or not the file is a virus, we will test it on an off-line machine. If it’s clean we will send it to them. If it’s not, well then you know the answer.

        Feeling bad, at least for me, was just a fleeting moment once my network started to withstand the bombardment of new viruses.

        I’d rather play UT than have to fix everyone’s machine.
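The quarantine arrangement the post describes (hold blocked attachments instead of deleting them, release only when a user asks and an admin checks, drop them after 10 days), as an added example that is not the poster's own tooling: a Python attachment filter run over a constructed MIME message. The extension list, the hash-based quarantine id, the function names and the sample mail are all assumptions of this example.

```python
import email
import hashlib
from datetime import datetime, timedelta, timezone
from email import policy
from email.message import EmailMessage
from pathlib import Path

# Constructed policy for this example: the extensions named in the thread
# (vbs, exe, bat, com, pif, scr) plus js. Real gateways carry longer lists.
BLOCKED_EXTENSIONS = {".vbs", ".exe", ".bat", ".com", ".pif", ".scr", ".js"}
RETENTION = timedelta(days=10)          # the post's 10-day quarantine window


def is_blocked(filename):
    """Policy decision on the final extension, compared case-insensitively.

    'figures.txt.vbs' is blocked because Windows runs it as a script; a part
    with no filename is left alone here (an assumption of this example).
    """
    return Path(filename).suffix.lower() in BLOCKED_EXTENSIONS


def quarantine_attachments(raw_message, store, now):
    """Rebuild a message without its blocked attachments.

    Blocked parts go into `store` (a dict standing in for the quarantine
    directory) keyed by a short content hash, with an expiry timestamp, and
    are replaced in the body by a notice telling the user how to request
    them. Returns (rewritten EmailMessage, list of quarantine ids).
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    kept, ids, notices = [], [], []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if is_blocked(filename):
            qid = hashlib.sha256(data).hexdigest()[:16]
            store[qid] = {"filename": filename, "data": data,
                          "expires": now + RETENTION}
            ids.append(qid)
            notices.append(f"[gateway] attachment {filename!r} was quarantined "
                           f"(id {qid}); ask Network Operations to release it.")
        else:
            kept.append((part.get_content_maintype(),
                         part.get_content_subtype(), filename, data))

    clean = EmailMessage()
    for name, value in msg.items():      # keep envelope headers, rebuild MIME ones
        if not name.lower().startswith("content-") and name.lower() != "mime-version":
            clean[name] = value
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    clean.set_content(text + ("\n" + "\n".join(notices) if notices else ""))
    for maintype, subtype, filename, data in kept:
        clean.add_attachment(data, maintype=maintype, subtype=subtype,
                             filename=filename)
    return clean, ids


def release(store, qid, now):
    """Admin-side retrieval after the user asks; None if expired or unknown."""
    entry = store.get(qid)
    if entry is None or entry["expires"] <= now:
        return None
    return entry["data"]


def purge_expired(store, now):
    """Drop entries past their retention date; returns how many were removed."""
    expired = [qid for qid, e in store.items() if e["expires"] <= now]
    for qid in expired:
        del store[qid]
    return len(expired)


def build_sample_message():
    """Constructed sample mail: one document plus a script with a double extension."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "user@example.test"
    m["Subject"] = "Q3 figures"
    m.set_content("Figures attached.")
    m.add_attachment(b"%FAKE-DOC%", maintype="application",
                     subtype="msword", filename="figures.doc")
    m.add_attachment(b'MsgBox "constructed sample, not a real script"\r\n',
                     maintype="application", subtype="octet-stream",
                     filename="figures.txt.vbs")
    return m.as_bytes()


def run_demo():
    """End-to-end run returning the facts worth checking."""
    store = {}
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    clean, ids = quarantine_attachments(build_sample_message(), store, t0)
    return {
        "quarantined": [store[q]["filename"] for q in ids],
        "delivered": [p.get_filename() for p in clean.iter_attachments()],
        "body_mentions_id": ids[0] in clean.get_body().get_content(),
        "release_day_9": release(store, ids[0], t0 + timedelta(days=9)) is not None,
        "purged_day_9": purge_expired(store, t0 + timedelta(days=9)),
        "purged_day_11": purge_expired(store, t0 + timedelta(days=11)),
    }


if __name__ == "__main__":
    print(run_demo())
```

The rebuilt message keeps the original envelope headers and any allowed attachments, so the user sees exactly which part was held and under which id; the store entry carries the expiry, so retention is enforced by `purge_expired` on a schedule rather than by anyone remembering to clean up.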

      • #3549639

        I have and always will

        by randym ·

        In reply to I agree…

        My feelings are that the system is like a close personal friend to me. I spend nights and sometimes even weekends with it. It should be treated like a friend. I would never subject a friend to a human virus, so why subject my system to one? Plus, if the system gets infected then I am the one to slave away for hours or even days to fix the thing. If the users don’t like it, so be it. This is work, not play. You can shop or chat on your own time, not on mine.

        Later

        • #3546340

          My feelings exactly…

          by lordinfidel ·

          In reply to I have and always will

          Users have no rights to play on my network.

          That is reserved only for /.

          Why should we be subjected to work anyway?

    • #3547262

      Blocking Is Definitely good.

      by radiic ·

      In reply to Extension Blocking, The Debate

      I have to agree with you Lord. I read what jon p said in the other thread and he was totally off base for blasting you on that.

      IMHO it would be a big mistake not to block certain extensions. I don’t have a single user on my network that needs to send/receive *.vbs files, *.bat or *.*. Not that I will block *.*; it’s just that our operation doesn’t require that much transfer of files.

      Now Jon P brought up that point about users going to rogue websites and getting them that way. Well, that’s why I have Trend OfficeScan Corp on the desktop. I have had 3 users go to rogue websites and Trend stopped Troj_sircam.a and PE_magistr.a from being installed on their putters.

      So I say this in your defense Lordinfidel, to JON P: LI was not advocating that file extension blocking is the ONLY line of defense, just that it is one of the lines of defense. And how dare you say that his users are tied up with useless defense. Maybe you should have gotten to know LI before you slammed him; if you had, you would have known that his AV scans file attachments that are allowed in, like your example *.zip, and scans what’s inside the zip file; if it passes that scan then it gets in, if not then not.

      Seems like lately everyone is trying to slam someone in these discussions and not focusing on what it is about. All of us have our opinions on what works for our network and it’s good to share that opinion. But when your opinion becomes a way for you to attack someone, then maybe you should just keep it to yourself.

      And that’s just my opinion 😉

      Rad

      • #3549827

        Thanks Rad…

        by lordinfidel ·

        In reply to Blocking Is Definitely good.

        As always I thank you for your intelligent contributions.

        I was a little peeved at his comments towards me, which is why I hope he joins this thread so that we can openly debate the pros/cons of extension blocking.

        To me, extension blocking is a no brainer. But I might be missing a bigger picture.

        Which is what I hope to be enlightened about by this discussion.

        • #3549796

          Let me try

          by james r linn ·

          In reply to Thanks Rad…

          Our company doesn’t do extension blocking.

          But we have 3 layers of anti-virus protection and have spent much time and effort with the users to educate them about viruses. When Goner came in, it was users who reported it to the help desk, and we had our signature files updated within the hour.

          In some environments, I can understand some user resistance to extension blocking. I don’t agree but I understand it. What you may need to get them to help see your side is some PR. Let the users know how many viruses get intercepted. Let them know your successes – then they may be more inclined to think of the greater good.

          Personally, I’d like to lock down the desktop and not allow more than a handful of users to install programs (except via SMS or similar tools).

          Users, even ones within IT, don’t like to be told they can’t do things. Especially when they want to learn and try to exercise their natural curiosity. What we have to do is temper that curiosity with a dose of reality. I got my first virus 15 years ago – but some users have never known the panic and frustration which sets in when you wonder what damage has been caused. Give them a taste of it, and they might feel differently.

          James

        • #3549684

          I agree.

          by lordinfidel ·

          In reply to Let me try

          My users were resistant at first.

          But I took things a little further.

          I looked at it from the point of view (and I still do) that my users do not run my network, I do. I will do what is best for it, which ultimately winds up being best for them, whether they realize it or not.

          After “I love you” and “Melissa”, I quickly found that I had the full backing of my users and executives to do whatever it was that I saw as necessary to protect the network.

          Once they saw other companies being down for days while we were still alive, kicking and working without any damage, they started praising and backing my policies.

          I do agree, PR goes a long way with users. I always, always, send them out virus bulletins of new viruses that come out.

          This serves 2 purposes.

          1) to keep them paranoid about opening attachments and e-mail (even though I know the truth about the possibility of them getting a harmful virus).

          and

          2) So that they stay informed, so that when they are home checking their personal e-mail they don’t infect themselves. Most home employees have their work e-mail addresses saved in their contact lists, as well as other business contacts of the company’s.

          Nothing is worse than one company sending viruses to a client of theirs. It is just poor business practice. Especially when you are a technology based company. It will reflect poorly on your business relationships.

          Basically, I never let my users dictate how the network will be run, what software that can be installed and who installs it. Everything is controlled by Network Operations.

        • #3546334

          I agree but watch the tone

          by james r linn ·

          In reply to I agree.

          Not with me, but with your users.

          The only reason you have a network is to provide the infrastructure so that the users can do their work. If your policies are so restrictive that they can’t work then having a wonderful network is not at all useful.

          The line we try to take is that users give us requirements and we come up with solutions.

          You could and should use the line that you are sacrificing the needs of the few (to get executables via email) for the needs of the many (to have a safe and secure mail system).

          As for home use – we have an agreement with our vendor that allows us to make CDs for home users to put the same anti-virus software on their systems at home. We haven’t made it an ironclad rule that this software must be installed or we won’t allow RAS or VPN, though we’d like to.

          Vigilance and user awareness are the keys to stopping viruses before they start.

          James

        • #3546306

          I’m not a total tyrant…

          by lordinfidel ·

          In reply to I agree but watch the tone

          I would say that my users love me, actually.

          Even though my nicknames run the gamut from Satan to God.

          I know that when I post here it seems like I am a complete and utter a**hole to my users. Well, I can be at times, but I do it with tact.

          I believe in social engineering their minds. I get them to do what I want them to and they believe that they are happy to do it.

          I understand the fine line with policies. But for an example: my CEO wanted the admin password to his machine. I told him flat out no. After some debate he saw my point of view. Even though he thought what he was asking for was harmless, since he was the CEO, it was a violation of our security policy. If he was to log in from somewhere else using that username/password (which is a very low-level U/P, it’s for local machine accounts only) it could be a bad thing if someone was to get it.

          I went on to explain what the account was used for and the effects it would have if it was compromised.

          I agree, there are always ways to enforce your policies without being restrictive. But the point still stands: users should never dictate corporate policy.

          Let’s face it. We are not supposed to be the yes man. We have to be able to make harsh decisions and stick by them. We have to be able to say no and defend our position with intelligence. It’s a sucky job at times, but one that is necessary for our survival.

        • #3549681

          My Two Cents…

          by mrafrohead ·

          In reply to Let me try

          I think that extension blocking is a fine practice and actually a smart one at that…

          One thing to keep in mind.

          Scenario: You notice a virus that just infected your network and now e-mails are being sent to all users on your network. These are malicious e-mails that are trying to infect other users. So to be proactive in the matter you begin a Virus Definition update to catch the virus in its tracks and immediately send out a notice to all users to NOT open up the e-mail due to the fact that it contains a virus.

          Then guess what happens. As always, EVERY single time, you get about one hundred phone calls of people that opened the e-mail and infected their computer AFTER they read your e-mail stating not to open the infected one.

          Unfortunately the end users can’t generally be trusted in this kind of matter. They aren’t the ones that have to go around to every single site and clean the computers and try to restore them back to their original states either.

          As for me… At home, I have extension blocking set up for my Antivirus E-mail scanning and also in Outlook. I figure with all of the malicious messages that I receive in a week and the fact of all of the TIME and money that I have spent on my computer at home, I’m not going to take a chance of someone sending me something bad and even let it into my computer… The people that are sending me files or are going to, I make sure that I let them know to rename the extension to something that will not self execute or can’t execute and then I rename it once I receive it and scan it…

          But that’s just me and this is just my two cents.

          I hope that it helps ;)

          mrafrohead
          mrafrohead@yahoo.com

        • #3549666

          In that scenario..

          by lordinfidel ·

          In reply to My Two Cents…

          This is where having a strong emergency policy comes into play.

          My standing policy when a virus has successfully entered, infected and is propagating through my network:

          1. Turn off the IMS at my mail server (Exchange); this prevents any mail from leaving or entering my network.

          2. Immediate shutdown of all network file servers.

          3. All users are to immediately close down their Outlook clients.

          4. My staff then begin to go around and physically remove any infected machines from the network.

          5. Using a grep-style utility (yes, there is one for Exchange) I scan all mailboxes for the keywords of the infected e-mail and delete it, permanently, from the IS (information store).

          6. Research the virus and remove any infected files from the file servers. Regardless of what the infected file was, it is permanently deleted and its location recorded.

          7. Once the network has been disinfected, I begin to reopen mail services and allow people to reconnect to the file servers.

          8. Finally we disinfect any infected client machines.

          Fortunately, since we have employed extension blocking, I have not had to employ the disaster plan. Before extension blocking I had to employ it at least once a month.
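Step 5 of the procedure above (search every mailbox for the infected message's keywords and delete it from the store), as an added example that is not the poster's own utility: a Python purge run over a constructed mbox file. The mbox format, the keyword `PayrollUpdate` and the sample subjects are assumptions of this example; an Exchange information store needs its own tooling, but the control flow (stop mail flow, walk every message, match on the subject, remove, flush) is the same.

```python
import mailbox
import os
import tempfile
from email.message import EmailMessage


def build_sample_mbox(path, subjects):
    """Write a constructed mbox with one message per subject (sample data)."""
    box = mailbox.mbox(path)
    try:
        for i, subject in enumerate(subjects):
            m = EmailMessage()
            m["From"] = f"user{i}@example.test"
            m["To"] = "everyone@example.test"
            m["Subject"] = subject
            m.set_content("constructed sample body")
            box.add(m)
        box.flush()
    finally:
        box.close()


def purge_matching(path, keywords):
    """Remove every message whose Subject contains one of the keywords
    (case-insensitive). Run this only after mail flow has been stopped and
    clients disconnected (steps 1 to 3 of the policy), because the store is
    rewritten in place. Returns the subjects that were deleted, in store order."""
    box = mailbox.mbox(path)
    deleted = []
    try:
        for key in list(box.keys()):          # copy: we mutate while walking
            subject = box[key].get("Subject", "") or ""
            if any(k.lower() in subject.lower() for k in keywords):
                deleted.append(subject)
                box.remove(key)
        box.flush()
    finally:
        box.close()
    return deleted


def subjects_in(path):
    """Subjects still present, in store order (used to confirm the purge)."""
    box = mailbox.mbox(path)
    try:
        return [m.get("Subject", "") or "" for m in box]
    finally:
        box.close()


def run_demo():
    """Build a throwaway store, purge the worm's subject line, report the result."""
    worm_subject = "PayrollUpdate"     # constructed keyword, not a real outbreak
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "store.mbox")
        build_sample_mbox(path, ["Q3 figures", "PayrollUpdate: open me",
                                 "Re: lunch", "FW: PayrollUpdate"])
        deleted = purge_matching(path, [worm_subject])
        return {"deleted": deleted, "remaining": subjects_in(path)}


if __name__ == "__main__":
    print(run_demo())
```

Returning the deleted subjects rather than just a count gives the record the post asks for in step 6 (what was removed and from where), and a case-insensitive substring match catches the usual "Re:"/"FW:" forwards of the original message.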

    • #3549643

      I agree with VBS blocking

      by tomsal ·

      In reply to Extension Blocking, The Debate

      I too, as a matter of fact quite recently, have started blocking .VBS extensions at the gateway.

      I agree with your theory 100%. You can’t trust your users. I have found, and I don’t think my end users are the only ones like this, that end users will ALWAYS choose the path of least resistance (effort).

      For this reason I automate as much as possible and let the software do the work. That’s why I have content scanning in place (because employees are too lazy to watch their language in corporate emails at times), I have extension blocking (because they are too lazy to listen to our email policies), and I have automated backups on certain computers (like the HR managers and the Accounting managers) – because they are not disciplined enough to backup their critical files.

      And to think that some entry level/newbie admins think all we do is install Windows on client computers all day. 😉

      later.

    • #3546454

      Attachment Blocking – A saviour!

      by bremmerz ·

      In reply to Extension Blocking, The Debate

      I agree completely with attachment blocking. By blocking certain files at our mailgate (namely .exe, .bat, .com, .pif, .scr, .vbs + more) we’ve managed to thwart all potential infections since Melissa. Actually, Nimda did slip through the net but we were infected from the WAN to our parent company, not through our mailgate.

      A lot of companies are hot at picking up on viruses and renewing their .dats as soon as they can. The problem is, they must know about the virus first in order to combat it, and the way they normally find out is when it hits the wild. Attachment blocking in this case is an excellent first line of defense as the virus can’t get through even when your AV can’t detect it.

      Also, users can’t be trusted not to open attachments. No matter how many times you tell them, there will always be some numpty who will open it. If it wasn’t for attachment blocking, I think a lot more people would have been hit by Badtrans.b as the payload was started just from reading the e-mail (even in Outlook’s preview pane the attachment was run).

      Attachment blocking also has other bonuses. We receive around 30 .exes a day that are blocked. Of these, maybe 2 at the most will be work related, the rest are games. We’re happy to take any work related files out of quarantine for the users, but you can imagine our response when a user asks us to get a game out of quarantine for them!!! If the games did get through, you can pretty much guarantee that these files will be stored somewhere on the network, whether it’s a server share or in the mailbox; these files take up storage space, which in turn is costing the company money to maintain and backup.

      That’s me done! ;o)

    • #3546453

      Definitely, but…

      by jagma_ ·

      In reply to Extension Blocking, The Debate

      I am all for extension blocking, from vbs to exe, but there is one small problem.

      Some admins get a bit carried away with this task, and don’t think of what they could be blocking in the future. I know one company that installed an email scanner, and set the language blocking to the maximum levels that they could. Of course, what nobody realized is that their company name could be interpreted by the program as being derogatory, and therefore for the next couple of days not a single email came in to the company (sorry, can’t mention the name ;) ). All because the admin didn’t think. A lot of planning should go into this sort of project.

      A company cannot run without certain things, like firewalls and AV, but now email scanning/management software is becoming critical; even things such as email size blocking are becoming crucial.

      Just think, the more admins who do this part of the job properly, the more it will help to lower the amount of viruses spreading to the rest of us. Not one single virus has passed into or out of my domain since I implemented all of these necessary things, and I think that all admins worth their salt will do whatever is necessary to ensure that they are a part of the solution, and not aiding the problem.

      • #3546438

        I heard a similar story

        by bremmerz ·

        In reply to Definitely, but…

        An article I read in Network News a couple of weeks ago made me chuckle. Scunthorpe County Council (in England) recently installed a mailscanner and used it to block profanities among other things.

        Their mail domain is something like scunthorpecc.gov.uk, and they couldn’t figure out why no-one was receiving any e-mail for a couple of days. Finally one bright spark figured it out ;o)

        This has also led me to believe that none of the system admins there support the Scunthorpe United football (that’s soccer for those over the pond) team. A common song that emits from the Nationwide Division terraces when Scunthorpe play away is “Who put the &*^% in Scunthorpe?”
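Both stories above describe the same failure: a content filter doing plain substring matching fires on the organisation's own domain name and stops all inbound mail. As an added example, not from either poster, here is the naive filter beside a whole-word version with a reviewed allowlist, run as a dry run over constructed legitimate mail before go-live. The blocked terms and the allowlisted phrases are mild stand-ins constructed for this example; the sample sentences are constructed too.

```python
import re

# Constructed stand-ins for a profanity list: mild terms chosen only because
# they occur inside ordinary words, addresses and place names.
BLOCKED_TERMS = ["sex", "breast"]

# Reviewed exceptions a planning pass would have added; also constructed.
ALLOWED_PHRASES = ["breast cancer", "chicken breast"]


def naive_filter(text, terms=BLOCKED_TERMS):
    """Plain substring matching: the behaviour that blocked every message
    addressed to a domain whose name happens to contain a listed term."""
    low = text.lower()
    return sorted(t for t in terms if t in low)


def word_filter(text, terms=BLOCKED_TERMS, allowed=ALLOWED_PHRASES):
    """Whole-word matching after blanking out reviewed phrases.

    A term must stand alone (word boundaries on both sides), so it no longer
    fires inside an address or place name; allowlisted phrases are removed
    first so a legitimate whole-word use is not flagged either.
    """
    scrubbed = text.lower()
    for phrase in allowed:
        scrubbed = scrubbed.replace(phrase.lower(), " ")
    return sorted(t for t in terms
                  if re.search(r"\b" + re.escape(t) + r"\b", scrubbed))


# Constructed sample of legitimate traffic the filter must let through.
SAMPLE_MAIL = [
    "Please send the figures to finance@essexcc.example by Monday.",
    "Fundraising for breast cancer research starts next week.",
    "Chicken breast is on the canteen menu.",
    "Breast pocket badges have arrived at reception.",
]


def dry_run(messages=SAMPLE_MAIL):
    """Run both filters over the sample corpus and report what each would
    have blocked: the planning step both posts say was skipped."""
    naive = [m for m in messages if naive_filter(m)]
    strict = [m for m in messages if word_filter(m)]
    return {
        "naive_blocked": len(naive),
        "word_blocked": len(strict),
        "still_blocked": strict,   # needs a human look before go-live
    }


if __name__ == "__main__":
    print(dry_run())
```

The whole-word filter removes the substring class of false positives entirely (the council's own domain no longer matches), but the last sample line shows that whole-word matching plus an allowlist still flags legitimate text, which is why a dry run over real traffic and a reviewed exception list belong in the plan before the filter is switched on.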

      • #3546409

        I am Reminded of a Story…(or 2)

        by ebob ·

        In reply to Definitely, but…

        Back in the olden days, before the Web was popular, and most “netizens” were connected through Compuserve (remember them?) and AOL, there was some attempt to “civilize” the available content.

        AOL really led the charge, in an attempt to make their offering more “consumer accessible”. So they built filters. They loaded their filters with words that represented potentially risque content.

        The result was that AOL users couldn’t do research on “breast” cancer, or even look up a recipe for barbecued “breast” of chicken.

        Ooops.

        Similar issues involve filtering email attachments.

        At my last place of employment the email admin started blocking .VBS attachments. The one and only VB scripter in the company (15,000 users, 18 sites world-wide, and only one VB scripter – it’s true) raised his concern that now he couldn’t transfer his scripts.

        “You’re an IT ‘professional’, and you can’t figure out a workaround, for yourself (the one and only VB scripter)?”, we all asked (with very little patience for this KNOB).

        “Duh, like what?”

        “Oh, perhaps rename the extension to ‘.VB_’. Or maybe use something other than email to move your scripts.”

        “Duh, like what?”

        “Ever hear of ‘FTP’?”

        • #3546225

          Users we dread

          by d. brock ·

          In reply to I am Reminded of a Story…(or 2)

          Sounds like my experience with many of these HTML wonders, the so called “Webmasters” who don’t seem to know the first thing about computers and networks, yet they think they are so great because they can code HTML, and they think they are actually programming! Not all webmasters are in this category, I’ve done my own work in that field, but there are enough of these half-wits around to get really annoying.

          I found that there are three types of users that we must deal with:

          1) Those who don’t know anything about computers and realize this. They can be annoying at times but usually don’t cause too many real problems because they are too scared of breaking something.

          2) Those who don’t know anything about computers but don’t realize it. These are of the “Enough knowledge to be dangerous but not enough to be useful” type.

          3) Those who know what they are doing and rarely do something really stupid.

          Group two is the worst, and seem to cause about 95% + of my headaches. Those computer “Wizards” who impress their friends because they have read two pages more than anyone else in the latest Dummies book. They seem to be the most know-it-all and condescending as well. Too bad they don’t know 10% of what they think they do, or my life would be A LOT easier.

          That’s my soap box time. 🙂

      • #3546347

        Exactly….

        by lordinfidel ·

        In reply to Definitely, but…

        Extension blocking does take some planning.

        For example, even though I block roughly 50+ extensions, it would be stupid of me to block doc, xls, dbf etc. Why? Because viruses that are in these sorts of docs are macros.

        With most AV scanners that do extension blocking you can simply strip out the macros, or scan the macro heuristically.

        I did however block PDFs. Why, you ask? It was determined about 3 months ago that it was possible to insert malicious code inside a PDF that, when the user clicks on a link inside the PDF, would cause it to execute.

        Well, that’s not that bad, you might think. The problem is twofold: 1, AV scanners cannot scan PDFs, and 2, as we all know, users are idiots and will click on anything that they receive.

        As far as size blocking goes, I have always looked at it from several viewpoints.

        E-mail should not be used as a file sending mechanism. SMTP is not the right protocol for large files.
        Bandwidth is an issue when sending a large file. Especially to a group of people.
        Finally, overhead on the mail server itself.

        Regardless of your bandwidth and the size of your mail server, size limitations are a must-have for every mail server.

    • #3546414

      Someone has to disagree…

      by the chalky ·

      In reply to Extension Blocking, The Debate

      Perhaps it is because this is a small company that I work for (only 24 users), but the idea of blocking attachments would send my MD (and most probably the other directors) off his head.

      Fortunately there is another solution. Our mail virus scanning is outsourced to a company called MessageLabs and we get regular reports on the viruses that are sent to us – and intercepted by them!

      They even offer us a 100% guarantee that we will not get infected via an email virus.

      No doubt most of you guys work in IT departments, but for the smaller organisations where I am the only IT person, there really isn’t the time to look at this issue when such a simple solution exists.

      Carry on blocking if you wish, but I prefer to allow this option, which quarantines anything that they find suspicious and allows us to continue accepting all the normal attachments that are available to us.

      As a final note, nobody else here would know what vbs meant! Whilst this is a clear reason for blocking, MessageLabs have stopped every malicious virus so far.

      Even managed to disagree without being personal! How’s that?

      • #3546356

        I’m glad someone disagreed..

        by lordinfidel ·

        In reply to Someone has to disagree…

        I’m glad to see that you at least offered another alternative.

        As far as outsourcing, while it may work for you, I am apprehensive about outsourcing any of my IT responsibilities.

        My feelings on AV products are this: they are not 100% effective. Therefore there is no guarantee that the AV product will pick up every piece of mail.

        Nor would I want a third party intercepting my company’s e-mail. Absolutely not.

        Not to mention the cash you have to outlay. Since I am assuming that you have to pay them a fee each month/year for this service.

        A simple one time cost (assuming that you would not be renewing support contracts) and you could essentially do this yourself.

        The overhead is minimal.

        I assume that every attachment that my users receive is a potential hazard.

        Remember, you are responsible for the network. You are the one who knows best. Never let your users, directors, board members or executives, to include the CEO, dictate security/computer policies of the company. That is your job. That is why you are there.

        As I said before, I do not “block” attachments in the sense that they are deleted. That would be a very ignorant thing for me to do. I quarantine them. This allows me to verify, when a user requests the file, whether or not it is a virus.

        Maybe I am just a control freak.

        Out of curiosity, if a virus does get through and takes down your entire network, what is their compensation to you? If they are just offering a month free, that can hardly account for the amount of time and money that your company would lose.

        Just something to think about.

        • #3546259

          Policy and source

          by d. brock ·

          In reply to I’m glad someone disagreed..

          I agree that as net admins we are there to be the experts and to do what needs to be done. But for the sake of your sanity, at least for most admins, security policy must appear to come from the company executive. If you are in a company where you are given freedom to enact security policy first hand, I commend you, but for most of us policy has only one source, and that is the executive suite.

          We definitely must advise, and we certainly take the flak if the network is breached, but heavy handed tactics have landed more than one net admin in hot water and even the unemployment line. In many, if not most, companies an admin must be a skilled politician as well as technician so that they can properly secure the network and systems from harm. But we must never forget we are running THEIR networks not our own, and they call the shots in the end. I’ve taken too many battle scars not to have learned the value of a smooth tongue over a heavy hand. I guess I also envy your position of being able to enact unilateral decisions. To the rest of us who must walk that tight rope: best of luck.

        • #3546241

          I’m not saying I’m a rogue

          by lordinfidel ·

          In reply to Policy and source

          I obviously have to abide by some sort of rule-set.

          I agree, security policies must *seem* like they are coming from the top.

          A typical scenario would be, for me: when I know that I need to enact a new policy, I would first analyze the network for the repercussions of the policy.

          I would then meet with the COO and VP of operations to inform them of the security policy and why it is needed. They will typically ask me some questions: if the policy can be avoided and the risks involved if we did not enact it.

          Generally the risks will be too great if we did not enact it. They sign off on it, an e-mail is generated by me explaining the new policy, proofread by the VP of ops, then sent out by him.

          There have been times where this process met with resistance. There have been other times where the users have complained. But I usually have to explain to them again why the policy is in place.

          Like why I can’t up the mailbox from 200 megs to 250. I have a limited amount of storage space and more space = more money.

          If I give them more space then I have to take away from someone else. I then explain to them how to get rid of some of their mail.

          In short I got my way, enforced our policy, and was nice about it.
          But, if my CEO came to us and said that he wants to use some app on our network that requires us to open up a hole in the firewall, and that app is not business related and the hole is a security risk, we are going to tell him no.

          I understand in private companies this can get an admin fired. But in a public company, our responsibility is not just to our network. It’s also to the shareholders. We should not be doing things to the network that could allow the company to be brought down. That includes being at the whim of the executives.

          I too walk the tight rope and have been scolded on many an occasion. I just choose not to waver from my position.

        • #3546193

          Experience shows

          by d. brock ·

          In reply to I’m not saying I’m a rogue

          I can tell you too are a battle-scarred veteran of the corporate politics game. Good to see that it hasn’t stopped you from being firm on your policies for the good of your company rather than bending to all whims of executives. It’s often too easy to give in when the CEO tells you he wants something. You really need a good working relationship with him to do this. 🙂

        • #3546204

          Not so clean-cut

          by the chad ·

          In reply to I’m glad someone disagreed..

          >I assume that every attachment that my users receive (stet) is a potential hazard.

          What about .PDF, .DOC and .XLS? Most of our folks transmit these regularly as part of their job, but they also happen to be infection vectors.

          One cannot block them or delay them carte blanche and continue to do business — at least where our users must receive their information (broker reports) in a timely manner before the market opens.

          We, as policy, configure every machine to display extensions, keep the virus software up-to-date, and block the common executable extensions (.EXE, .COM, .BAT, .JS, .VBS, .PIF, etc.), the fun ones (.MP3, .WAV, .MOV, .QT, etc.), and some other things.

          Granted, the easiest way around extension blocking involves renaming the file, but we generally assume our more technically savvy users who know how to do this won’t run any old thing without taking care.

          If one examines the infection patterns of typical email-borne viruses, one finds the typical method of infection occurs when the user gets “click-happy” with attachments and doesn’t bother to read the note or think about where it came from.

        • #3546196

          Blocking is critical.

          by clearsmashdrop ·

          In reply to Not so clean-cut

          We got hit by Nimda pretty hard. But our email system was never hit because of extension blocking. We were infected through either a website or someone using Outlook Express.

          I just have to reaffirm what many people have already said.

          1) Users can’t be trusted not to open attachments.
          2) People will scream like stuck pigs when they can’t get My Keroppi Screen Saver because we blocked it, but eventually they get used to it.
          3) Executive support is key. If the CEO (this is for smaller companies) or CIO sends out an email supporting blocking, it goes a long way.
          4) Don’t be ashamed to rely on ‘power-users’ in your organization. A couple of times they have informed us of patches or viruses before we knew about them.

        • #3546149

          My open invite to my users..

          by lordinfidel ·

          In reply to Blocking is critical.

          I have strived to establish a communication line with my users regarding virus notifications.

          I urge them all, regularly, to send us (network operations) any notices that they receive from their friends.

          Sometimes they might be legitimate, other times they are a hoax.

          This open invite gives users a feeling that they are part of the solution instead of part of the problem.

          But before I got to that point it was a rocky road. I have found that we as admins have to secure the faith of not only the executives but also of our users.

          If our users perceive us to be knowledgeable and capable, they are generally more apt to follow our procedures. There have been times where I have had to “kiss ass” in order to secure relations for the future.

          One thing I can say is: keep your users in the loop of what you are doing and why, and they will probably follow you.

        • #3546153

          I do block pdf’s

          by lordinfidel ·

          In reply to Not so clean-cut

          But only because they can not be scanned by AV scanners.

          DOCs and XLS I let through because they can be scanned for macros and the macros can be removed.

          They can also be scanned for heuristics.

          Since our company is a streaming media company, I have to allow stuff like rm, asf, gif, jpeg, ppt, etc. files through.

          I totally agree that we can not cripple our users.

          I would love to open up for pdf’s. But I see hundreds of weird pdf’s come in that have nothing to do with business.

          I know that for a financial firm, receiving pdf’s is critical. In that case I would open it up for it.

          What I hope to achieve by this discussion is to make admins aware of the options before them, and to make wise decisions based on the goals and expectations of their company, while maintaining the security and integrity of their network.

          As one thread above touched on, establishing extension blocking as part of the security policy should be planned and not ventured into lightly. We will be blocking legitimate files, which is why we need to give our users an avenue for retrieving those legitimate files.
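The gateway policy described in the two posts above (block known executable and script extensions, keep a site-specific allow list, hold everything else for release rather than deleting it) can be written down as a small filter. The code below is an added example for this thread, not something either poster used; the extension sets, the sample message and its stub payloads are constructed for the example. It also sniffs the first bytes of each attachment, so a renamed executable (the bypass "the chad" mentions) is judged by its content rather than its name, and it catches double extensions such as `holiday.jpg.vbs`.

```python
"""Attachment policy check for an inbound mail gateway (added example)."""
import email
from dataclasses import dataclass
from email import policy
from email.message import EmailMessage

# Extensions the thread names as blocked (executables, scripts, media) plus a
# few common script types; a starting point, not a complete list (assumption).
BLOCKED_EXTENSIONS = {"exe", "com", "bat", "pif", "scr", "js", "jse", "vbs",
                      "vbe", "wsf", "wsh", "mp3", "wav", "mov", "qt"}
# Allow list for the streaming media company described in the thread
# (assumption); a financial firm would add "pdf" here.
STREAMING_SITE_ALLOWED = {"rm", "asf", "gif", "jpeg", "jpg", "ppt", "doc", "xls"}


@dataclass
class Verdict:
    filename: str
    action: str   # "allow" or "quarantine"
    reason: str


def sniff(data: bytes):
    """Look at the bytes, not the name, so a renamed file is judged by what it is."""
    if data[:2] == b"MZ":
        return "exe"          # Windows PE/DOS executable header
    if data[:4] == b"%PDF":
        return "pdf"
    return None


def decide(filename, data, allowed, blocked=BLOCKED_EXTENSIONS):
    """Apply the gateway policy to one attachment and say why."""
    name = (filename or "").lower()
    exts = name.split(".")[1:]              # "holiday.jpg.vbs" -> ["jpg", "vbs"]
    final = exts[-1] if exts else ""
    if sniff(data) == "exe":
        return Verdict(name, "quarantine",
                       "content has an MZ executable header regardless of the name")
    hits = [e for e in exts if e in blocked]  # checks every component: double extensions too
    if hits:
        return Verdict(name, "quarantine", f"blocked extension .{hits[-1]} in name")
    if final in allowed:
        return Verdict(name, "allow", f".{final} is on the site allow list")
    # Unknown types are held, not deleted: the user can ask for a release.
    return Verdict(name, "quarantine", "not on the allow list; held for release on request")


def inspect_message(raw: bytes, allowed):
    """Parse a raw RFC 822 message and return one Verdict per attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [decide(part.get_filename(), part.get_content(), allowed)
            for part in msg.iter_attachments()]


def build_sample_message() -> bytes:
    """Constructed test message; the payloads are stubs, not real files."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Q1 files"
    msg.set_content("See attached.")
    # An executable renamed to look like a PDF.
    msg.add_attachment(b"MZ\x90\x00 stub", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    # A spreadsheet: allowed, to be macro-scanned downstream.
    msg.add_attachment(b"stub xls bytes", maintype="application",
                       subtype="vnd.ms-excel", filename="report.xls")
    # A script hiding behind a double extension.
    msg.add_attachment(b"WScript.Echo 1", maintype="application",
                       subtype="octet-stream", filename="holiday.jpg.vbs")
    # A genuine PDF: allowed only where the site policy permits pdf.
    msg.add_attachment(b"%PDF-1.4 stub", maintype="application",
                       subtype="pdf", filename="q1.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for v in inspect_message(build_sample_message(), STREAMING_SITE_ALLOWED):
        print(f"{v.action:10} {v.filename:18} {v.reason}")
```

Passing `STREAMING_SITE_ALLOWED | {"pdf"}` instead models the financial firm: `q1.pdf` is then released while the MZ-headed `invoice.pdf` is still held, which is the point of sniffing content rather than trusting the name.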

    • #3546846

      Reply To: Extension Blocking, The Debate

      by ron s. ·

      In reply to Extension Blocking, The Debate

      It’s a business decision. Do the users require files of a certain extension in an email to do their job? If so, then the file is not blocked. If not, well, too bad.

      I don’t have a problem with “entertainment” type emails either, unless it creates problems, which translates into more work. I’m not running a concentration camp type network, but neither am I running an amusement park.

      • #3546843

        hehe….

        by ron s. ·

        In reply to Reply To: Extension Blocking, The Debate

        Silly title…mind you, there are a few users that I wouldn’t mind doing, but there are a lot more that I would mind.

        But…that is beyond the scope of this discussion. 😉

    • #3546713

      What a WASTE!

      by mishratron ·

      In reply to Extension Blocking, The Debate

      Dude, I can sum up my disagreement in one brief description of our server room:

      Lotus Notes servers running Norton AntiVirus Corporate Edition 2002 with live updates every night (assuming there is an update), new NAV defs weekly plus emergency definitions.

      Nimda lasted exactly 8 hours in our organization; when the NAV defs arrived it died flat out.

      Quarantine everything.

      • #3548609

        Are you agreeing or disagreeing?

        by lordinfidel ·

        In reply to What a WASTE!

        I was kind of confused by your statements.

        Nimda was primarily an IIS Index Server exploit. If Index Server was not running on your servers and the ida and idq mappings were not there, then you should have been safe.

        Sorry about your org having Lotus Notes and Norton. Talk about having 2 strikes against you.

        But I somewhat agree with the quarantine everything attitude. But it must be done within reason. Which is why I prefer to customize the list of extensions that I block/quarantine rather than flat out quarantine all attachments.

    • #3546648

      Agree, And…

      by rdschaefer ·

      In reply to Extension Blocking, The Debate

      I heartily agree with you. Most users don’t seem to realize that the Corporate email system is NOT their personal, private communications system. The hardware and software are owned by the company and we can/must do whatever is necessary to protect the business.

      If blocking is not allowed by mgt., there is another alternative. Setting the following reg keys will foil almost all email script attachments from running:

      ————Start—————————-
      REGEDIT4

      [HKEY_CLASSES_ROOT\JSEFile\Shell\Open\Command]
      @="C:\\WINDOWS\\Notepad.exe \"%1\" %*"

      [HKEY_CLASSES_ROOT\JSEFile\Shell\Open2\Command]
      @="C:\\WINDOWS\\Notepad.exe \"%1\" %*"

      [HKEY_CLASSES_ROOT\JSFile\Shell\Open\Command]
      @="C:\\WINDOWS\\Notepad.exe \"%1\" %*"

      [HKEY_CLASSES_ROOT\JSFile\Shell\Open2\Command]
      @="C:\\WINDOWS\\Notepad.exe \"%1\" %*"

      [HKEY_CLASSES_ROOT\VBEFile\Shell\Open\Command]
      @="C:\\WINDOWS\\Notepad.exe \"%1\" %*"

      [HKEY_CLASSES_ROOT\VBEFile\Shell\Open2\Command]
      @="C:\\WINDOWS\\Notepad.exe \"%1\" %*"

      [HKEY_CLASSES_ROOT\WSFFile\Shell\Open\Command]
      @="C:\\WINDOWS\\Notepad.exe \"%1\" %*"

      [HKEY_CLASSES_ROOT\WSFFile\Shell\Open2\Command]
      @="C:\\WINDOWS\\Notepad.exe \"%1\" %*"

      [HKEY_CLASSES_ROOT\WSHFile\Shell\Open\Command]
      @="C:\\WINDOWS\\Notepad.exe \"%1\" %*"

      [HKEY_CLASSES_ROOT\WSHFile\Shell\Open2\Command]
      @="C:\\WINDOWS\\Notepad.exe \"%1\" %*"

      ———–End—————————–

      Ralph
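A .reg file like Ralph's is easy to get subtly wrong (the value must be quoted, backslashes doubled, inner quotes escaped), and once it is rolled out across many machines it is worth being able to check what it actually covers. The script below is an added example, not Ralph's or anyone else's tooling: it parses REGEDIT4-format text into a dictionary of keys and values, then reports for each script ProgID whether both the Open and Open2 commands launch Notepad. The sample text is regenerated from the posted file; `VBSFile` is added to the expected list as an assumption (it is not in the posted file) so the audit has a gap to find.

```python
"""Audit a REGEDIT4-format .reg file for the Notepad-handler trick (added example)."""
import re

# ProgIDs whose Open/Open2 command should point at Notepad. VBSFile is not in
# the posted file; it is included here (assumption) so the audit shows a gap.
SCRIPT_PROGIDS = {"JSEFile", "JSFile", "VBEFile", "VBSFile", "WSFFile", "WSHFile"}

# Constructed sample: the same content as the posted file, generated so the
# escaping (\\ for a backslash, \" for a quote) is exactly what regedit expects.
SAMPLE_REG = "REGEDIT4\n\n" + "\n\n".join(
    rf"[HKEY_CLASSES_ROOT\{pid}\Shell\{verb}\Command]" + "\n"
    + r'@="C:\\WINDOWS\\Notepad.exe \"%1\" %*"'
    for pid in ("JSEFile", "JSFile", "VBEFile", "WSFFile", "WSHFile")
    for verb in ("Open", "Open2"))


def unescape_reg_string(value: str) -> str:
    """Turn a quoted REG_SZ value (double-quoted, backslash escapes) into plain text."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value  # hex:, dword: and other forms are passed through untouched


def parse_reg(text: str) -> dict:
    """Parse .reg text into {key path: {value name: value}}; '@' becomes '(Default)'."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";") or line == "REGEDIT4"
                or line.startswith("Windows Registry Editor")):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"value line before any [key]: {line!r}")
        name, _, value = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        keys[current][name] = unescape_reg_string(value)
    return keys


def audit(keys: dict, progids=SCRIPT_PROGIDS) -> dict:
    """For each ProgID, report whether Open and Open2 both launch Notepad."""
    report = {}
    for pid in sorted(progids):
        report[pid] = {}
        for verb in ("Open", "Open2"):
            path = rf"HKEY_CLASSES_ROOT\{pid}\Shell\{verb}\Command"
            cmd = keys.get(path, {}).get("(Default)")
            report[pid][verb] = cmd is not None and "notepad.exe" in cmd.lower()
    return report


def uncovered(report: dict) -> list:
    """ProgIDs where at least one verb would still hand the file to the script engine."""
    return [pid for pid, verbs in sorted(report.items()) if not all(verbs.values())]


if __name__ == "__main__":
    rep = audit(parse_reg(SAMPLE_REG))
    for pid, verbs in rep.items():
        print(pid, verbs)
    print("still uncovered:", uncovered(rep))
```

Run against the posted file this reports every listed ProgID as covered for both verbs and flags `VBSFile` as uncovered; feeding it the .reg file you actually deploy (or an export of the relevant `HKEY_CLASSES_ROOT` keys from a built machine) gives the same check for the deployment concern raised in the reply below.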

      • #3548608

        Never thought about that….

        by lordinfidel ·

        In reply to Agree, And…

        I do like things opening up in notepad. Hard to run things when they are in plain text.

        The only thing I can see to this is for large orgs. It might be difficult to deploy this method, unless all machines are the same OS and you can just create the keys and then import them as soon as you build the machine.

        I can see the validity in it.

        Thanx for the info.

    • #3546638

      A Network Is NOT A Democracy

      by difster ·

      In reply to Extension Blocking, The Debate

      My clients hire me to maintain and secure their networks. Users don’t get to vote on what I do. If your brother sends you that cool mpeg he found; too bad, you can look at it from home. I am what you would call a benevolent dictator when it comes to my networks. I allow people to make a case but ultimately it’s my butt so I do what’s best for the network (even if it makes my job harder).
