Solved

Prevent users from downloading some specific file extensions (.DLL, .MDB etc)

Posted on 2003-11-07
Last Modified: 2007-12-19
Hi,
We need to prevent browsers or scripts from downloading .DLL, .MDB and some other file extensions.

We tried to use a different MIME type, but with some scripts like FileMan it can retrieve the file to download in the browser.

How can I prevent downloads of specific file extensions and prevent users from passing parameters like file.asp?dir=c:/xxx/bbb/file.dll or something similar?

We are using Windows 2003 Standard.
Question by:ipsystems
19 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 9701602
Hi ipsystems,
If you don't want other users of your computer to download and install unauthorized software from the Internet, you can set up such a restriction with Folder Guard.

The following instructions assume that your copy of Windows is installed into the folder C:\Windows, and that your web browser is Internet Explorer. (See also similar instructions for Opera browser).

The idea of the protection is based on the fact that when Internet Explorer is downloading a file, it stores it in its Temporary Internet Files folder, along with the images and other files necessary to display the web pages when browsing. Only after the file has been successfully downloaded into the temporary folder, Internet Explorer moves it to the destination folder of your choice. This gives us an idea of how to prevent the downloads: we need to prevent Internet Explorer from being able to create program files (such as the .exe and *.zip files) in the temporary folder. However, we must still allow Internet Explorer to store files of other types (such as image files), to be able to display the web pages properly when browsing the Internet. This is just the type of a problem that can be easily solved using the "filters" of Folder Guard.

http://www.winability.com/folderguard/restrict-downloads-ie.htm

Cheers!
0
 

Author Comment

by:ipsystems
ID: 9701668
Look.
We are an Internet Service Provider and we host websites.

We need to prevent downloads of .DLL or .MDB extensions by any user connected via the internet to our servers.

Does this software work in this case?

We tried to use URLSCAN, but with certain scripts we get the file....


Luiz
IPSystems
0
 
LVL 9

Expert Comment

by:TooKoolKris
ID: 9701800
Put better controls into your ASP code for starters. If people are able to get certain files by tossing arguments into the URL to manipulate your ASP page into sending down the files then your problem lies with the functionality of your ASP code. You can simply put conditional statements into your code that test the extension of the file before it is sent, or even as the argument is tossed to the function, to make sure that it doesn't contain one of the extensions that you don't want downloaded.
0

 

Author Comment

by:ipsystems
ID: 9701951

Not for a specific application... we have more than 3.500 websites hosted on many servers and we only want to prevent any people from trying to download files with these extensions.

0
 
LVL 28

Expert Comment

by:sybe
ID: 9704027
To download a file with a browser, 3 conditions need to be met; if you take out one of them then the file can't be downloaded. But none of those conditions is extension-specific. And what if one of your customers offers a file with extension .mdb for download on purpose??

conditions are:
1. the file needs to be accessible through the webserver (so be placed under a root-directory of a domain)
2. the directory where the file remains needs to have "read" access (setting in the webserver)
3. the user needs to have read rights (on the file system). On Windows systems the (not logged in) internet user is IUSR_machinename

If you want to use access databases (.mdb), but not make them available for download, then remove the "read" access from the directory, or put the files outside of wwwroot (you need to give IUSR_machinename read rights in order to use the database for internet)





0
 
LVL 28

Expert Comment

by:sybe
ID: 9704093
>> How can I prevent specific extensions file download and prevent users to pass parameters like  file.asp?dir=c:/xxx/bbb/file.dll or something similar?

Remove all rights for IUSR_machinename from the files you don't want to be downloaded.
0
 
LVL 4

Expert Comment

by:freshair
ID: 9705280
Set file permission from NT: you may want to remove the read permission of the file from your customers so they cannot open the file in binary mode. Right click on the file -> properties -> security, and add/remove whatever you want from there.
Set file permission from IIS: there should be some option on IIS that allows users to access only files down a folder tree but not up (meaning they can't load anything like /../ or C:\xxx\file.ext). Or you may want to prevent users from loading .dll files by checking the URL parameters they pass into your .asp script.
0
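The extension test TooKoolKris describes and the folder confinement freshair describes, combined in one check. This is an added example, not code posted in the thread: it uses Python's `ntpath` so Windows path rules apply on any OS, and `safe_download_path`, `BLOCKED_EXT` and the site root are hypothetical names. It assumes the script's file parameter arrives already URL-decoded.

```python
import ntpath  # Windows path semantics, usable on any OS

# Extensions named in the question; extend to match hosting policy.
BLOCKED_EXT = {".dll", ".mdb"}

def safe_download_path(site_root, requested):
    """Return the normalised absolute path if the file may be sent, else None.

    site_root: absolute folder of one hosted site (hypothetical layout).
    requested: value of the script's file parameter, already URL-decoded.
    """
    req = requested.replace("/", "\\")          # accept both slash styles
    drive, rest = ntpath.splitdrive(req)
    # Only relative names are accepted: no drive letter, no UNC share,
    # no leading slash, and no colon anywhere in the remainder.
    if not rest or drive or rest.startswith("\\") or ":" in rest:
        return None
    root = ntpath.normpath(site_root)
    full = ntpath.normpath(ntpath.join(root, rest))   # collapses ".." parts
    # Confinement: the result must sit below the site's own folder.
    # Windows names are case-insensitive, so compare case-folded forms.
    root_cf, full_cf = ntpath.normcase(root), ntpath.normcase(full)
    if full_cf == root_cf or ntpath.commonpath([root_cf, full_cf]) != root_cf:
        return None
    # Windows drops trailing dots and spaces when it opens a file,
    # so strip them before reading the extension.
    name = ntpath.basename(full).rstrip(". ")
    if not name or ntpath.splitext(name)[1].lower() in BLOCKED_EXT:
        return None
    return full

def demo():
    """Run the check over constructed sample requests for one site."""
    root = "D:\\sites\\cust1\\wwwroot"           # constructed sample root
    samples = ["docs/manual.pdf", "c:/xxx/bbb/file.dll", "data/Site.MDB",
               "../cust2/wwwroot/index.htm", "bin/app.dll."]
    return {s: safe_download_path(root, s) for s in samples}

if __name__ == "__main__":
    for request, result in demo().items():
        print(f"{request!r:32} -> {result}")
```

Only `docs/manual.pdf` is returned as a path; every other sample request is refused before any file is opened.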
 

Author Comment

by:ipsystems
ID: 9705447

Look...

We are a hosting provider with more than 3.500 users on many servers. Each user has their own FTP and their own area to host their website.

We have more than 1.500.000 files on our servers, so we can't set permissions; we need to deny web requests from the browser... like URLSCAN, but the Micro$oft URLSCAN has many little problems and I don't want to use it...

Any other idea? Maybe an IDS can block these requests? Any suggestion?
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9705626
I'd think you'd need stateful inspection to do this from a network perspective, and in a big enterprise that's a heck of a lot of proxying.

I don't see how you're going to get around scripting to look for files and overwrite permissions for http (or FTP unless you're going to hack the FTP daemon or find one with that sort of feature.)
 
0
 

Author Comment

by:ipsystems
ID: 9708930
Yes, our router is Cisco, but its owner is the Datacenter, so we can't use or administer it.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 9710156
> We need to prevent download .DLL or .MDB extensions from any user connected by internet in our servers.

Simply remove such files from the publicly accessible area.
What's the problem with this approach?
0
 
LVL 3

Accepted Solution

by:
Ravi Goru earned 500 total points
ID: 9710392

yeah.. content filtering..!!

can be tried with many software packages..

anyway ..try to go through the following link..!!

u will have enough of idea..!!

http://www.bmas.ja.net/content_filtering/BMAS_content_filtering.html

regards..

Ravi Goru


0
 

Author Comment

by:ipsystems
ID: 9710449

Finally a person that understands the problem!

Great  Ravi.... take your points!


Regards,
Luiz
0
 
LVL 28

Expert Comment

by:sybe
ID: 9710523
ipsystems, I am curious how you are going to do what you want with client side applications. Ask all visitors to your 2,500 websites to install this software?
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 9710733
ipsystems, could you please explain how the graded answer (link) helped in solving your problem?
Can't imagine that you for example installed proxomitron on your server ...
0
 

Author Comment

by:ipsystems
ID: 9710853

One server running Squid acting as a gateway for all servers.

Squid will solve my problem by blocking the word lists in URL requests....

   http://www.squidguard.org/config/
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 9711505
ok, you use squid, with a blacklist, as reverse proxy.
0
 
LVL 3

Expert Comment

by:Ravi Goru
ID: 9712672

great man  ..


i like ur sort of people .. who can just manage with a link..:))

thanks :))


Ravi Goru
0


Question has a verified solution.
