Bypassing download restrictions - it's easy!!!

Thread starter: Guest

In GP I set up the attachment manager as follows:

Default risk level for all attachments - High
Inclusion list for high risk file types - .PDF
Trust logic for file attachments - File handler and type

Great - Now when people download pdf files they will be told they are
dangerous and the download removed. Or not.

I noticed that whilst the prompt is on-screen, the user can just take a copy
of the file and the copy remains whilst the original is deleted.

Am I doing something wrong? Why does IE download the entire file before
deciding to block it?

Is it not possible to simply say that if a file type is in the high risk
list not to even download it?
 
Hi,

Thanks for posting!

I understand that you want to block the file from downloading. If I have
misunderstood your concerns, please feel free to let me know.

When you try to download or open a file from a Web site that is in the
restricted Web content zone, you may receive a message that indicates that
the file is blocked.

When you try to open high-risk file types from sites that belong to the
Internet Web content zone, you may receive a warning message, but you may
be able to open these types of files.

For more information, please refer to the following article:
Description of how the Attachment Manager works in Windows XP Service Pack 2
http://support.microsoft.com/default.aspx?scid=kb;en-us;883260

I hope my information helps. If there is anything that is unclear, please
feel free to let me know.

Thanks & Regards,

Jason Tan

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


 
DGunner,
Apparently that functionality won't stop Internet Explorer or Windows Explorer from downloading the file. However, there is another method of preventing Internet Explorer (or any other browser, at that) from downloading a file. You can use a PAC (Proxy Automatic Configuration) file which contains a JavaScript function that gets called every time the browser wants to access a file. The return value of the function is the proxy server to use. To block a file, simply specify a web server address which will promptly get you a 404 Not Found page. Specifying a nonexistent server will cause the browser to wait until time-out so that will take longer. Because the resultant page is a 404, the browser knows it doesn't exist and will let the user know.
All browsers support PAC files (IE, Firefox, Netscape, Mozilla, Opera, etc.); however, only Internet Explorer can be forced to use a PAC file via Group Policy. You can probably write some script to modify Firefox's user settings to use a PAC file. The drawback is that this only works for HTTP downloads, not local filesharing downloads.
I've posted partial code for it here. As you can see, you build all sorts of rules. I developed three: one that blocks ads, another that blocks ActiveX .cab files to prevent web installations, and another that blocks both. You can download them at a web page I made so my friends could download them too: http://people.tamu.edu/~rdi1176/downloads-pacadfilter.html.

Hope that at least partially solves your problem,
Roberto



// True for the domain itself and for any host beneath it.
function hostInDomain(host, domain)
{
    return host == domain || dnsDomainIs(host, "." + domain);
}

function FindProxyForURL(url, host)
{
    var OKPROXY = "DIRECT";
    // Web server that answers blocked requests with a 404. Note that 172.168.1.1
    // is outside the private 172.16.0.0/12 range; use a server you control.
    var BANPROXY = "PROXY 172.168.1.1";

    // Allow sites in Safe List.
    // (A bare pattern such as "edu" only matches a host named exactly "edu".)
    if (
        shExpMatch(host, "*.edu") ||
        hostInDomain(host, "apple.com") ||
        hostInDomain(host, "dell.com") ||
        hostInDomain(host, "mozilla.org") ||
        hostInDomain(host, "apache.org")
    )
    {
        return OKPROXY;
    }
    // Ban domains in Banned Domains
    else if (
        dnsDomainIs(host, "xxxtoolbar.com") ||
        dnsDomainIs(host, "windupdates.com") ||
        dnsDomainIs(host, "belnk.com") ||
        dnsDomainIs(host, "intellitxt.com")
    )
    {
        return BANPROXY;
    }
    // Ban sites with special filters.
    else if (
        shExpMatch(url, "*/ads/*") ||
        shExpMatch(url, "*/Ads/*") ||
        shExpMatch(url, "*/ad/*") ||
        shExpMatch(url, "*/banner/*") ||
        shExpMatch(url, "*/banners/*") ||
        shExpMatch(host, "adlog.*")
    )
    {
        return BANPROXY;
    }
    // Allow all other sites.
    else
    {
        return OKPROXY;
    }
}
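
Applied to the original question, the PAC technique described in this post can key on the file extension rather than the host. The following is an added example, not part of any post in this thread; it compares a bare "*.pdf" match with a stricter extension check over constructed URLs. BLOCK_PROXY (a documentation address), the extension list and all function names other than FindProxyForURL are assumptions, and the syntax is kept ES3-style so that older PAC engines accept it.

```javascript
// Added example; BLOCK_PROXY and BLOCKED_EXTENSIONS are assumptions to adapt.
var DIRECT = "DIRECT";
var BLOCK_PROXY = "PROXY 192.0.2.1:80"; // placeholder: a server you run that answers 404
var BLOCKED_EXTENSIONS = ["pdf", "cab"];

// Lower-cased extension of the URL path, ignoring host, ?query and #fragment.
function pathExtension(url) {
    var rest = url.replace(/^[a-z][a-z0-9+.\-]*:\/\/[^\/?#]*/i, "");
    rest = rest.split("#")[0].split("?")[0];
    try { rest = decodeURIComponent(rest); } catch (e) { /* keep raw path */ }
    var name = rest.substring(rest.lastIndexOf("/") + 1);
    var dot = name.lastIndexOf(".");
    return dot < 0 ? "" : name.substring(dot + 1).toLowerCase();
}

function FindProxyForURL(url, host) {
    var ext = pathExtension(url);
    for (var i = 0; i < BLOCKED_EXTENSIONS.length; i++) {
        if (ext === BLOCKED_EXTENSIONS[i]) { return BLOCK_PROXY; }
    }
    return DIRECT;
}

// What a bare shExpMatch(url, "*.pdf") rule does, written without the PAC
// helper so the comparison also runs under Node.
function naiveRule(url) {
    return /\.pdf$/.test(url) ? BLOCK_PROXY : DIRECT;
}

// Constructed sample URLs (not taken from the thread).
var SAMPLES = [
    "http://files.example.com/docs/report.pdf",
    "http://files.example.com/docs/REPORT.PDF",
    "http://files.example.com/docs/report.pdf?dl=1",
    "http://files.example.com/docs/report%2Epdf",
    "http://files.example.com/download.php?id=7", // body may still be a PDF
    "https://files.example.com/"                  // https URL with path stripped
];

// One row per sample: was it blocked by the naive rule and by the strict rule?
function audit() {
    var rows = [];
    for (var i = 0; i < SAMPLES.length; i++) {
        var u = SAMPLES[i];
        rows.push({ url: u, naive: naiveRule(u) !== DIRECT,
                    strict: FindProxyForURL(u, "") !== DIRECT });
    }
    return rows;
}
```

The last two samples pass both rules: a PAC function sees only the URL, so a script that streams a PDF, or an https download whose path current Chrome and Firefox withhold from the PAC function, has to be handled at a filtering proxy instead.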
 
Thanks Jason,

The issue isn't that the file downloads - although Roberto's method looks
interesting - it's that the file isn't blocked immediately once it has
downloaded - until the user acknowledges that the file has been blocked, they
are free to make a copy of the file and then confirm the blocked file - they
then can open the copy they took.

It would be more useful if IE had some sort of quarantine folder for
downloaded files that the user doesn't have access to until whether the file
is allowed has been determined.

Damian
 
Interesting - thanks!!


[In reply to Roberto Icaza's post above]
 
Hi Damian,

Thanks for the update!

At this moment, as a workaround, I suggest you configure a Domain Group
Policy to prevent clients from using Internet Explorer to download files
(browsing web sites is OK).

1) Edit GPO and go to User Configuration >> Windows Settings >> Internet
Explorer Maintenance >> Security >> Security Zones and Content Ratings

2) Check "Import the current security zones settings" under "Security
Zones" and click on "Modify Settings"

3) Select 'Internet' and click on "Custom Level"

4) Scroll down to 'Downloads' section and disable "File Download"

If there is anything that is unclear, please feel free to let me know.

Thanks & Regards,

Jason Tan
