ipsystems

Prevent users from downloading some specific file extensions (.DLL, .MDB etc)

Hi,
We need to prevent browsers or scripts from downloading .DLL, .MDB and some other file extensions.

We tried to use a different MIME type, but with some scripts like FileMan the file can still be retrieved for download in the browser.

How can I prevent downloads of files with specific extensions, and prevent users from passing parameters like file.asp?dir=c:/xxx/bbb/file.dll or something similar?

We are using Windows 2003 Standard.
Pete Long

Hi ipsystems,
If you don't want other users of your computer to download and install unauthorized software from the Internet, you can set up such a restriction with Folder Guard.

The following instructions assume that your copy of Windows is installed into the folder C:\Windows, and that your web browser is Internet Explorer. (See also similar instructions for Opera browser).

The idea of the protection is based on the fact that when Internet Explorer is downloading a file, it stores it in its Temporary Internet Files folder, along with the images and other files necessary to display the web pages when browsing. Only after the file has been successfully downloaded into the temporary folder does Internet Explorer move it to the destination folder of your choice. This gives us an idea of how to prevent the downloads: we need to prevent Internet Explorer from being able to create program files (such as the .exe and *.zip files) in the temporary folder. However, we must still allow Internet Explorer to store files of other types (such as image files), to be able to display the web pages properly when browsing the Internet. This is just the type of problem that can be easily solved using the "filters" of Folder Guard.

http://www.winability.com/folderguard/restrict-downloads-ie.htm

Cheers!
ipsystems

ASKER

Look.
We are an Internet Service Provider and we host websites.

We need to prevent downloads of .DLL or .MDB extensions by any user connected via the internet to our servers.

Does this software work in this case?

We tried to use URLSCAN, but with certain scripts we get the file....


Luiz
IPSystems

Put better controls into your ASP code for starters. If people are able to get certain files by tossing arguments into the URL to manipulate your ASP page into sending down the files, then your problem lies with the functionality of your ASP code. You can simply put conditional statements into your code that test the extension of the file before it is sent, or even as the argument is tossed to the function, to make sure that it doesn't contain one of the extensions that you don't want downloaded.

Not for a specific application... we have more than 3.500 websites hosted on many servers and we only want to prevent anyone from trying to download files with these extensions.

To download a file with a browser, 3 conditions need to be met; if you take out one of them then the file can't be downloaded. But none of those conditions is extension-specific. And what if one of your customers offers a file with extension .mdb for download on purpose??

Conditions are:
1. the file needs to be accessible through the webserver (so be placed under a root-directory of a domain)
2. the directory where the file resides needs to have "read" access (setting in the webserver)
3. the user needs to have read rights (on the file system). On Windows systems the (not logged in) internet user is IUSR_machinename

If you want to use Access databases (.mdb), but not make them available for download, then remove the "read" access from the directory, or put the files outside of wwwroot (you need to give IUSR_machinename read rights in order to use the database for internet)





>> How can I prevent specific extensions file download and prevent users to pass parameters like file.asp?dir=c:/xxx/bbb/file.dll or something similar?

Remove all rights for IUSR_machinename from the files you don't want to be downloaded.
Set file permission from NT: you may want to remove the read permission of the file from your customers so they cannot open the file in binary mode. Right click on the file -> Properties -> Security, and add/remove whatever you want from there.
Set file permission from IIS: there should be some option in IIS that allows users to access only files down a folder tree but not up (meaning they can't load anything like /../ or C:\xxx\file.ext). Or you may want to prevent users from loading .dll files by checking the URL parameters they pass into your .asp script.
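
The parameter check suggested in this answer, and in the earlier reply about conditional statements in the ASP code, as an added example that is not part of the thread. It is written in Python with `ntpath` so that Windows path rules apply on any OS (the thread's own handler would be classic ASP); `SITE_ROOT`, `BLOCKED_EXTENSIONS` and `resolve_download` are hypothetical names, and `param` is assumed to be the raw, still percent-encoded query value.

```python
import ntpath  # Windows path semantics, usable on any OS for pure string checks
from urllib.parse import unquote

# Assumptions for this example (not from the thread): site root and deny list.
SITE_ROOT = r"D:\sites\customer1\wwwroot"
BLOCKED_EXTENSIONS = {".dll", ".mdb"}


def resolve_download(param, site_root=SITE_ROOT):
    """Return the full path to serve, or None if the request must be refused."""
    # Decode exactly once, then use one separator style.
    name = unquote(param).replace("/", "\\")

    # The parameter must be a relative name: no drive letter, UNC or rooted path.
    drive, rest = ntpath.splitdrive(name)
    if drive or rest.startswith("\\"):
        return None
    # Refuse NUL bytes and NTFS stream syntax such as "store.mdb::$DATA".
    if "\x00" in name or ":" in rest:
        return None

    # Windows ignores trailing dots and spaces in a component ("a.dll." opens
    # "a.dll"), so strip them before any comparison.
    parts = [p if p in (".", "..") else p.rstrip(". ") for p in rest.split("\\")]
    candidate = ntpath.normpath(ntpath.join(site_root, *parts))

    # Confinement: once ".." is collapsed, the path must still be below the root.
    root = ntpath.normcase(ntpath.normpath(site_root))
    if not ntpath.normcase(candidate).startswith(root + "\\"):
        return None

    # Extension test on the final normalised name, case-insensitively.
    if ntpath.splitext(candidate)[1].lower() in BLOCKED_EXTENSIONS:
        return None
    return candidate
```

A handler would open only the returned path and answer with an error when the function returns `None`; testing the extension of the raw parameter instead of the normalised path would miss the trailing-dot and mixed-case forms.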

Look...

We are a hosting provider with more than 3.500 users on many servers. Each user has their own FTP and their own area to host their website.

We have more than 1.500.000 files on our servers, so we can't set permissions; we need to deny web requests from the browser... like URLSCAN, but the Micro$oft URLSCAN has many little problems and I don't want to use it...

Any other idea? Maybe an IDS can block these requests? Any suggestions?

I'd think you'd need stateful inspection to do this from a network perspective, and in a big enterprise that's a heck of a lot of proxying.

I don't see how you're going to get around scripting to look for files and overwrite permissions for http (or FTP unless you're going to hack the FTP daemon or find one with that sort of feature.)
 
Yes, our router is a Cisco, but its owner is the datacenter, so we can't use or administer it.

> We need to prevent download .DLL or .MDB extensions from any user connected by internet in our servers.

Simply remove such files from the publicly accessible area.
What's the problem with this approach?
ASKER CERTIFIED SOLUTION
Ravi Goru

Finally a person that understands the problem!

Great Ravi.... take your points!


Regards,
Luiz
ipsystems, I am curious how you are going to do what you want with client side applications. Ask all visitors to your 2,500 websites to install this software?
ipsystems, could you please explain how the graded answer (link) helped in solving your problem?
Can't imagine that you, for example, installed Proxomitron on your server ...

One server acting as a gateway for all servers, running Squid.

Squid will solve my problem by blocking the word lists in URL requests....

http://www.squidguard.org/config/

OK, you use Squid, with a blacklist, as a reverse proxy.

Great, man ..


I like your sort of people .. who can just manage with a link..:))

thanks :))


Ravi Goru