There is a possibility to define exception in such firewall
policies in ISA 2004 so you can define "trusted target" (sites,
domains, networks etc)
Best regards,
Igor Panassiouk
MCT,MCSE NT3.51-2003:Security,CNE,Sun CNA,LPIC-1
Kvazar-Micro Education Center
Technical Director
www.edu.kvazar-micro.com
IP> -----Original Message-----
IP> From: Jim Harrison (ISA) [mailto:jmharr (at) microsoft (dot) com [email concealed]]
IP> Sent: Tuesday, October 05, 2004 1:53 AM
IP> To: Paul Kurczaba; Casey DeBerry; focus-ms (at) securityfocus (dot) com [email concealed]
IP> Subject: RE: MS ISA activeX Filtering
IP>
IP> Yes, ISA 2000 and ISA 2004 can both block those file types
IP> (or mime-types).
IP> As Paul pointed out, simply blocking those will also cause
IP> trouble for legitimate sites (Windows Update, for instance).
IP>
IP> Better that you review the ISA web proxy logs and determine
IP> where they got it and block that site.
IP>
IP> Jim Harrison
IP> MCP(NT4/2K), A+, Network+
IP> Security Business Unit (ISA SE)
IP>
IP> "The last 10 years of Internet usage has disproven the
IP> theory that a million monkeys typing on a million
IP> typewriters would eventually produce the complete works of
IP> Shakespeare. ..or maybe it only works for typewriters..."
IP> (unclaimed)
IP>
IP>
IP> -----Original Message-----
IP> From: Paul Kurczaba [mailto:paul (at) myipis (dot) com [email concealed]]
IP> Sent: Monday, October 04, 2004 11:52 AM
IP> To: Casey DeBerry; focus-ms (at) securityfocus (dot) com [email concealed]
IP> Subject: Re: MS ISA activeX Filtering
IP>
IP> I would filter the following file extensions: cab, ocx, and
IP> dll. These are used by ActiveX.
IP>
IP> I don't know if ISA 2000 can block ActiveX. That would be
IP> kind of funny though...One microsoft technology blocking
IP> another microsoft technology.
IP>
IP> Note that if you block cab, ocx, and dll extensions, it
IP> will block the legitimate Windows Update site as well as
IP> the Office update site.
IP>
IP> -Paul
IP> ----- Original Message -----
IP> From: "Casey DeBerry" <cdeberry (at) cobizinc (dot) com [email concealed]>
IP> To: <focus-ms (at) securityfocus (dot) com [email concealed]>
IP> Sent: Monday, October 04, 2004 11:41 AM
IP> Subject: MS ISA activeX Filtering
IP>
IP>
IP> Will MS ISA 2000 Server block ActiveX applications on its
IP> own? In other
IP>
IP> words.. Users are unknowingly downloading the dowloader.MM
IP> trojan. My
IP> AV
IP> Software is finding and renaming/deleting it successfully,
IP> but I would
IP> like
IP> another layer of protection to keep the specific activeX application
IP> from
IP> entering the enterprise.
IP>
IP> Do I need another add-on?
IP>
IP> Thanks,
IP> Casey
policies in ISA 2004 so you can define "trusted target" (sites,
domains, networks etc)
Best regards,
Igor Panassiouk
MCT,MCSE NT3.51-2003:Security,CNE,Sun CNA,LPIC-1
Kvazar-Micro Education Center
Technical Director
www.edu.kvazar-micro.com
IP> -----Original Message-----
IP> From: Jim Harrison (ISA) [mailto:jmharr (at) microsoft (dot) com [email concealed]]
IP> Sent: Tuesday, October 05, 2004 1:53 AM
IP> To: Paul Kurczaba; Casey DeBerry; focus-ms (at) securityfocus (dot) com [email concealed]
IP> Subject: RE: MS ISA activeX Filtering
IP>
IP> Yes, ISA 2000 and ISA 2004 can both block those file types
IP> (or mime-types).
IP> As Paul pointed out, simply blocking those will also cause
IP> trouble for legitimate sites (Windows Update, for instance).
IP>
IP> Better that you review the ISA web proxy logs and determine
IP> where they got it and block that site.
IP>
IP> Jim Harrison
IP> MCP(NT4/2K), A+, Network+
IP> Security Business Unit (ISA SE)
IP>
IP> "The last 10 years of Internet usage has disproven the
IP> theory that a million monkeys typing on a million
IP> typewriters would eventually produce the complete works of
IP> Shakespeare. ..or maybe it only works for typewriters..."
IP> (unclaimed)
IP>
IP>
IP> -----Original Message-----
IP> From: Paul Kurczaba [mailto:paul (at) myipis (dot) com [email concealed]]
IP> Sent: Monday, October 04, 2004 11:52 AM
IP> To: Casey DeBerry; focus-ms (at) securityfocus (dot) com [email concealed]
IP> Subject: Re: MS ISA activeX Filtering
IP>
IP> I would filter the following file extensions: cab, ocx, and
IP> dll. These are used by ActiveX.
IP>
IP> I don't know if ISA 2000 can block ActiveX. That would be
IP> kind of funny though...One microsoft technology blocking
IP> another microsoft technology.
IP>
IP> Note that if you block cab, ocx, and dll extensions, it
IP> will block the legitimate Windows Update site as well as
IP> the Office update site.
IP>
IP> -Paul
IP> ----- Original Message -----
IP> From: "Casey DeBerry" <cdeberry (at) cobizinc (dot) com [email concealed]>
IP> To: <focus-ms (at) securityfocus (dot) com [email concealed]>
IP> Sent: Monday, October 04, 2004 11:41 AM
IP> Subject: MS ISA activeX Filtering
IP>
IP>
IP> Will MS ISA 2000 Server block ActiveX applications on its
IP> own? In other
IP>
IP> words.. Users are unknowingly downloading the dowloader.MM
IP> trojan. My
IP> AV
IP> Software is finding and renaming/deleting it successfully,
IP> but I would
IP> like
IP> another layer of protection to keep the specific activeX application
IP> from
IP> entering the enterprise.
IP>
IP> Do I need another add-on?
IP>
IP> Thanks,
IP> Casey
[ reply ]