Hi Tim,

You can export the HTTP Security Filter config with a script and then import it to each allow rule that includes the HTTP protocol. Check out:

http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/httpfiltering.mspx

Go toward the end of the article to see the details on how to use the httpfilterconfig.vbs script.

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> Sent: Wednesday, January 04, 2006 8:32 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: WMF Vunrability
>
> http://www.ISAserver.org
>
> So we have to configure this for every HTTP rule individually?
>
> t
> -----
> "I may disapprove of what you say,
> but I will defend to the death your
> right to say it."
>
>
> ----- Original Message -----
> From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, January 04, 2006 5:57 PM
> Subject: [isalist] RE: WMF Vunrability
>
>
> http://www.ISAserver.org
>
> Updated:
>
> HTTP filter settings (you all know how to get there).
>
> 1. Extensions:
> <choice>
> Set "block specified"
> Add .emf
> Description="application/x-msmetafile"
> Add .wmf
> Description="application/x-msmetafile"
> </choice>
> <choice>
> Set "allow specified"
> Remove .emf
> Remove .wmf
> </choice>
> <notachoice>
> Set "allow all"
> </notachoice>
>
> 2. Signatures:
> Name=WMF-1
> Description="request file type trigger"
> Type="Request URL"
> Signature=".emf"
>
> Name=WMF-2
> Description="request file type trigger"
> Type="Request URL"
> Signature=".wmf"
>
> Name=WMF-3
> Description="response headers trigger"
> Type="Response Headers"
> HTTP Header="content-type"
> Signature="msmetafile"
>
> Name=WMF-4
> Description="response body file type trigger"
> Type="Response Body"
> Signature=".emf"
>
> Name=WMF-5
> Description="response body file type trigger"
> Type="Response Body"
> Signature=".wmf"
>
> Name=WMF-6
> Description="response body file header trigger"
> Type="Response Body"
> Signature="184Gmg"
>
> WMF-6 is the kewl one because all binary files are base-64 encoded when
> transferred over HTTP and FTP.
> WMF files usually incorporate a predefined header value that resolves to the
> Base-64 signature in this definition.
> It's probably the same technique as the GFI filter, except not as smart.
>
>
>
> -------------------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> -------------------------------------------------------
>
>
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Wednesday, January 04, 2006 16:03
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: WMF Vunrability
>
> http://www.ISAserver.org
>
> HTTP filter settings (you all know how to get there).
>
> 1. Extensions:
> <choice>
> Set "block specified"
> Add .emf
> Description="application/x-msmetafile"
> Add .wmf
> Description="application/x-msmetafile"
> </choice>
> <choice>
> Set "allow specified"
> Remove .emf
> Remove .wmf
> </choice>
> <notachoice>
> Set "allow all"
> </notachoice>
>
> 2. Signatures:
> Name=WMF-1
> Description="request file type trigger"
> Type="Request URL"
> Signature=".emf"
>
> Name=WMF-2
> Description="request file type trigger"
> Type="Request URL"
> Signature=".wmf"
>
> Name=WMF-3
> Description="response headers trigger"
> Type="Response Headers"
> HTTP Header="content-type"
> Signature="msmetafile"
>
> Name=WMF-4
> Description="response body file type trigger"
> Type="Response Body"
> Signature=".emf"
>
> Name=WMF-5
> Description="response body file type trigger"
> Type="Response Body"
> Signature=".wmf"
>
> Name=WMF-6
> Description="response body file header trigger"
> Type="Response Body"
> Signature="184Gmg"
>
> WMF-6 is the kewl one because all binary files are base-64 encoded when
> transferred over HTTP and FTP.
> WMF files usually incorporate a predefined header value that resolves to the
> Base-64 signature in this definition.
> It's probably the same technique as the GFI filter, except not as smart.
>
> -------------------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> -------------------------------------------------------
>
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Wednesday, January 04, 2006 15:27
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: WMF Vunrability
>
> http://www.ISAserver.org
>
> Hey Jim,
>
> Forget about the automation, just let us know what to do :)
>
> Thanks!
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
>
>
> > -----Original Message-----
> > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > Sent: Wednesday, January 04, 2006 2:18 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: WMF Vunrability
> >
> > http://www.ISAserver.org
> >
> > Sorry - I haven't.
> > I'm working with MSRC to narrow down the definitions and automation
> > for the ISA 2004 blocker.
> >
> >
> > -------------------------------------------------------
> > Jim Harrison
> > MCP(NT4, W2K), A+, Network+, PCG
> > http://isaserver.org/Jim_Harrison/
> > http://isatools.org
> > Read the help / books / articles!
> > -------------------------------------------------------
> >
> >
> > -----Original Message-----
> > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> > Sent: Wednesday, January 04, 2006 11:45
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: WMF Vunrability
> >
> > http://www.ISAserver.org
> >
> > Jim, did you read this? I'm wondering if the method described to
> > "block extensions" is correct or not. Rather than using "Configure
> > HTTP" and setting allowable extensions, I thought one should explicitly
> > create a deny rule specifying both the .wmf extension *as well* as
> > application/x-msmetafile as the MIME type. Incoming HTTP file
> > associations are handled by MIME type, not file extension. Only when
> > there is no MIME type handed down by the server is a file extension
> > used (or when you do an actual file transfer, like with FTP.)
> >
> > Comments on that?
> >
> > t
> >
> >
> >
> > -----
> > "I may disapprove of what you say,
> > but I will defend to the death your
> > right to say it."
> >
> >
> > ----- Original Message -----
> > From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Wednesday, January 04, 2006 11:24 AM
> > Subject: [isalist] RE: WMF Vunrability
> >
> >
> > > http://www.ISAserver.org
> > >
> > > Hey guys,
> > >
> > > Check out
> > > http://blogs.technet.com/jesper_johansson/archive/2006/01/02/416762.aspx
> > > too
> > > ;-)
> > >
> > > HTH,
> > > Stefaan
> > >
> > > -----Original Message-----
> > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > > Sent: woensdag 4 januari 2006 20:16
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: WMF Vunrability
> > >
> > > http://www.ISAserver.org
> > >
> > > Hi Tim,
> > >
> > > I agree. There seems to be more than the usual amount of FUD associated with
> > > this problem. :(
> > >
> > > Tom
> > >
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog: http://spaces.msn.com/members/drisa/
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- ISA Firewalls
> > > **Who is John Galt?**
> > >
> > >
> > >
> > >> -----Original Message-----
> > >> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> > >> Sent: Wednesday, January 04, 2006 1:01 PM
> > >> To: [ISAserver.org Discussion List]
> > >> Subject: [isalist] RE: WMF Vunrability
> > >>
> > >> http://www.ISAserver.org
> > >>
> > >> I wouldn't call it "program like behavior." They just contain both
> > >> metadata and rendering data in the same file (as I understand it.)
> > >>
> > >> Renaming the file to something like ".gif" or ".jpg" could still cause
> > >> execution if loaded from a file, but only if the Picture and Fax
> > >> Viewer was the default program for those file types. From a browser,
> > >> for WP&FV to open it and parse the data, it has to be that MIME type
> > >> (again, as I understand it.)
> > >>
> > >> While I've read here that the "way to do it" is how GFI does it, I've
> > >> still not seen any information on why simple content filtering won't
> > >> work. But then again, I read where Jim is working with MSRC to come
> > >> up with a "workable" filter. It would be nice to get some
> > >> authoritative, detailed information on why MIME and file type
> > >> filtering *won't* work.
> > >>
> > >> t
> > >>
> > >>
> > >> -----
> > >> "I may disapprove of what you say,
> > >> but I will defend to the death your right to say it."
> > >>
> > >>
> > >> ----- Original Message -----
> > >> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> > >> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > >> Sent: Wednesday, January 04, 2006 10:31 AM
> > >> Subject: [isalist] RE: WMF Vunrability
> > >>
> > >>
> > >> http://www.ISAserver.org
> > >>
> > >> Hi Tim,
> > >>
> > >> Don't know about that, but it's a good question. But I have to wonder
> > >> about other apps that open the WMF files. FWIU, WMF files have some
> > >> program like behavior that allow it to call other programs if
> > >> something doesn't work.
> > >>
> > >> How's that as an erudite description for a process? :)
> > >>
> > >> Tom
> > >>
> > >> Thomas W Shinder, M.D.
> > >> Site: www.isaserver.org
> > >> Blog: http://spaces.msn.com/members/drisa/
> > >> Book: http://tinyurl.com/3xqb7
> > >> MVP -- ISA Firewalls
> > >> **Who is John Galt?**
> > >>
> > >>
> > >>
> > >> > -----Original Message-----
> > >> > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> > >> > Sent: Wednesday, January 04, 2006 12:13 PM
> > >> > To: [ISAserver.org Discussion List]
> > >> > Subject: [isalist] RE: WMF Vunrability
> > >> >
> > >> > http://www.ISAserver.org
> > >> >
> > >> > But if he sets a different mime type, Fax Viewer won't open the
> > >> > program, right?
> > >> >
> > >> > t
> > >> > -----
> > >> > "I may disapprove of what you say, but I will defend to the death
> > >> > your right to say it."
> > >> >
> > >> >
> > >> > ----- Original Message -----
> > >> > From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> > >> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > >> > Sent: Wednesday, January 04, 2006 9:32 AM
> > >> > Subject: [isalist] RE: WMF Vunrability
> > >> >
> > >> >
> > >> > http://www.ISAserver.org
> > >> >
> > >> > Hi Jonathon,
> > >> >
> > >> > That won't work, because the scumbag can use any file name he wants.
> > >> > Same goes with the MIME type. The MIME type is set at the Web
> > >> > server, so the scumbag can associate any MIME type he wants.
> > >> >
> > >> > Tom
> > >> >
> > >> > Thomas W Shinder, M.D.
> > >> > Site: www.isaserver.org
> > >> > Blog: http://spaces.msn.com/members/drisa/
> > >> > Book: http://tinyurl.com/3xqb7
> > >> > MVP -- ISA Firewalls
> > >> > **Who is John Galt?**
> > >> >
> > >> >
> > >> >
> > >> > > -----Original Message-----
> > >> > > From: Jonathon J. Howey [mailto:Jonathon@xxxxxxx]
> > >> > > Sent: Wednesday, January 04, 2006 11:25 AM
> > >> > > To: [ISAserver.org Discussion List]
> > >> > > Subject: [isalist] RE: WMF Vunrability
> > >> > >
> > >> > > http://www.ISAserver.org
> > >> > >
> > >> > > What I did to block it was:
> > >> > >
> > >> > > Internet Access Policy -> Protocols tab -> Filtering -> Configure HTTP
> > >> > > -> Extensions tab. Should be self explanatory from there.
> > >> > >
> > >> > >
> > >> > >
> > >> > > Jonathon J. Howey
> > >> > > KPSA Compliance Management Inc.
> > >> > > P 780.409.5620
> > >> > > F 780.409.5621
> > >> > > D 780.409.5628
> > >> > > C 780.965.8363
> > >> > > Jonathon@xxxxxxx
> > >> > >
> > >> > > Guiding the Future of Transportation www.KPSA.ca
> > >> > >
> > >> > >
> > >> > >
> > >> > > -----Original Message-----
> > >> > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > >> > > Sent: January 4, 2006 10:12 AM
> > >> > > To: [ISAserver.org Discussion List]
> > >> > > Subject: [isalist] RE: WMF Vunrability
> > >> > >
> > >> > > http://www.ISAserver.org
> > >> > >
> > >> > > He never stated what his "block" was.
> > >> > >
> > >> > >
> > >> > > -------------------------------------------------------
> > >> > > Jim Harrison
> > >> > > MCP(NT4, W2K), A+, Network+, PCG
> > >> > > http://isaserver.org/Jim_Harrison/
> > >> > > http://isatools.org
> > >> > > Read the help / books / articles!
> > >> > > -------------------------------------------------------
> > >> > >
> > >> > >
> > >> > > -----Original Message-----
> > >> > > From: Brian Boyes [mailto:BrianB@xxxxxxxxx]
> > >> > > Sent: Wednesday, January 04, 2006 09:02
> > >> > > To: [ISAserver.org Discussion List]
> > >> > > Subject: [isalist] RE: WMF Vunrability
> > >> > >
> > >> > > http://www.ISAserver.org
> > >> > >
> > >> > > > I have installed the "wmf" block to my ISA 2004 clients but I'm not sure
> > >> > > > how to set this up for ISA 2000.
> > >> > > > Could someone provide advice of the best way to do this.
> > >> > >
> > >> > > Did anyone ever post an answer? I'm curious about this "wmf block".
> > >> > >
> > >> > > Brian
> > >> > >
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Visit TechGenix.com for more information about our other sites:
> > > http://www.techgenix.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion List as:
> > > thor@xxxxxxxxxxxxxxx
> > > To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > Report abuse to listadmin@xxxxxxxxxxxxx
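
The checks discussed in this thread, sketched as an added Python example (not code from the list members or from ISA Server): it derives the Base64 form of the placeable-WMF header key from the key bytes and shows which checks still fire when the file name and MIME type are relabelled. The check names, sample URLs and the 22-byte stub are constructed for illustration, and the byte after the key is assumed to be 0x00.

```python
import base64

# Key at offset 0 of a placeable WMF header (0x9AC6CDD7, little-endian on disk).
PLACEABLE_KEY = bytes.fromhex("d7cdc69a")


def b64_prefix(magic, next_byte=0x00):
    """Base64 characters fully determined by `magic` plus the byte after it."""
    data = magic + bytes([next_byte])
    return base64.b64encode(data).decode()[: len(data) * 8 // 6]


# Assumption: the byte following the key (start of the handle field) is 0x00.
KEY_B64 = b64_prefix(PLACEABLE_KEY)


def signature_matches_key(sig):
    """True if `sig` is a leading part of the key's Base64 form."""
    return bool(sig) and KEY_B64.startswith(sig)


def triggers(url, content_type, body):
    """Return the (hypothetical) check names that fire for one HTTP response."""
    hits = []
    path = url.split("?", 1)[0].lower()
    if path.endswith((".wmf", ".emf")):
        hits.append("url-ext")        # extension rule, like WMF-1 / WMF-2
    if "msmetafile" in content_type.lower():
        hits.append("content-type")   # header rule, like WMF-3
    if body.startswith(PLACEABLE_KEY):
        hits.append("body-key-raw")   # key as raw bytes at offset 0
    if KEY_B64.encode() in body:
        hits.append("body-key-b64")   # key inside Base64 text, like WMF-6
    return hits


# Constructed samples: a 22-byte header stub (key + zero padding), not a real image.
WMF_STUB = PLACEABLE_KEY + bytes(18)
SAMPLES = {
    "labelled": ("/img/chart.wmf", "application/x-msmetafile", WMF_STUB),
    "relabelled": ("/img/photo.jpg", "image/jpeg", WMF_STUB),
    "wrapped": ("/mail/part1", "text/plain",
                b"Content-Transfer-Encoding: base64\r\n\r\n" + base64.b64encode(WMF_STUB)),
    "jpeg": ("/img/real.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + bytes(16)),
}

if __name__ == "__main__":
    print("Base64 form of the key:", KEY_B64)
    for name, sample in SAMPLES.items():
        print(f"{name:11} {triggers(*sample)}")
```

The derived string is 183Gmg; compare it with the WMF-6 value in your own filter configuration, since a one-character difference means the body rule never fires.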