RE: MS ISA activeX Filtering

From: Jim Harrison (ISA) (jmharrmicrosoft.com)
Date: Tue Oct 05 2004 - 16:01:30 CDT


ISA can't control client interpretation of file types without help.
The anti-virus folks may have something like that in their products for
ISA.
They're listed here:
http://www.microsoft.com/isaserver/partners/contentsecurity.asp

Jim Harrison
MCP(NT4/2K), A+, Network+
Security Business Unit (ISA SE)

"The last 10 years of Internet usage has disproven
the theory that a million monkeys typing on a million
typewriters would eventually produce the complete
works of Shakespeare. ..or maybe it only works for
typewriters..."
(unclaimed)
-----Original Message-----
From: Casey DeBerry [mailto:cdeberrycobizinc.com]
Sent: Tuesday, October 05, 2004 9:50 AM
To: Andrew van der Stock
Cc: focus-mssecurityfocus.com
Subject: RE: MS ISA activeX Filtering

This is more along the lines of what I was looking for- I don't want to
completely block activeX, just want to filter a specific activeX
application based on what you stated below; headers.

Do I need some kind of AV add-on or otherwise? Or will ISA 2000 do this
out of the box?

-----Original Message-----
From: Andrew van der Stock [mailto:avanderstockb-sec.com]
Sent: Monday, October 04, 2004 11:58 PM
To: 'Paul Kurczaba'; Casey DeBerry
Cc: focus-mssecurityfocus.com
Subject: RE: MS ISA activeX Filtering

NT/2k*/XP can run any file extension if it knows about them. For
example, Quicktime and NT both do this:

* Quicktime uses .qt
* NT uses .cpl and .scr amongst others

--

C:\WINDOWS\system32>dumpbin access.cpl
Microsoft (R) COFF/PE Dumper Version 7.10.3077
Copyright (C) Microsoft Corporation. All rights reserved.

Dump of file access.cpl

File Type: DLL

--

Blocking by extension is simply not going to cut the mustard if someone
works out how to replace content in a precise location.

In addition, some programs will launch *anything* if it's a registered
file type for them.

What's needed in addition to extension blocking is a PE header
inspector, and to block PE headers, not just file extensions. Block
extensions by all means, but it's not the complete solution. Lastly, a
blacklist is not as good as a whitelist (ie only allow ...)

Thanks,
Andrew
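
Added example, not part of the original thread: a Python sketch of the check described above, inspecting content for a PE header instead of trusting the file extension, and treating the extension list as a whitelist. The function names, the whitelist contents and the sample bytes are assumptions constructed for illustration; this is not ISA Server code.

```python
import struct

IMAGE_FILE_DLL = 0x2000                     # COFF Characteristics bit: image is a DLL
ALLOWED_EXTENSIONS = {"txt", "pdf", "jpg"}  # hypothetical whitelist

def pe_info(data: bytes):
    """Return None if data does not start with a PE image, else its COFF facts."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # PE signature (4 bytes) plus COFF file header (20 bytes) must fit in the buffer.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    fields = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return {"machine": fields[0], "dll": bool(fields[6] & IMAGE_FILE_DLL)}

def verdict(filename: str, body: bytes) -> str:
    """Block PE content whatever it is called, then apply the extension whitelist."""
    info = pe_info(body)
    if info is not None:
        kind = "DLL" if info["dll"] else "executable"
        return "block: PE " + kind + " content"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return "block: extension not on whitelist"
    return "allow"

def make_pe_stub(characteristics: int) -> bytes:
    """Constructed sample: DOS header, PE signature and COFF header only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points just past the DOS header
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff

if __name__ == "__main__":
    print(verdict("notes.txt", make_pe_stub(0x2002)))  # DLL renamed to .txt
    print(verdict("notes.txt", b"plain text body"))
    print(verdict("applet.cpl", b"plain text body"))
```

The check only sees a PE image at the start of the body; a DLL packed inside a container such as a .cab archive does not begin with `MZ` and needs the container unpacked before inspection.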

-----Original Message-----
From: Paul Kurczaba [mailto:paulmyipis.com]
Sent: Tuesday, 5 October 2004 4:52 AM
To: Casey DeBerry; focus-mssecurityfocus.com
Subject: Re: MS ISA activeX Filtering

I would filter the following file extensions: cab, ocx, and dll. These are
used by ActiveX.
