Solved

Prevent users from downloading some specific file extensions (.DLL, .MDB etc.)

Posted on 2003-11-07
Last Modified: 2007-12-19
Hi,
We need to prevent browsers or scripts from downloading .DLL, .MDB and some other file extensions.

We tried to use a different MIME type, but with some scripts like FileMan it can retrieve the file for download in the browser.

How can I prevent downloads of specific file extensions and prevent users from passing parameters like file.asp?dir=c:/xxx/bbb/file.dll or something similar?

We are using Windows 2003 Standard .
Question by:ipsystems
19 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 9701602
Hi ipsystems,
If you don't want other users of your computer to download and install unauthorized software from the Internet, you can set up such a restriction with Folder Guard.

The following instructions assume that your copy of Windows is installed into the folder C:\Windows, and that your web browser is Internet Explorer. (See also similar instructions for Opera browser).

The idea of the protection is based on the fact that when Internet Explorer is downloading a file, it stores it in its Temporary Internet Files folder, along with the images and other files necessary to display the web pages when browsing. Only after the file has been successfully downloaded into the temporary folder does Internet Explorer move it to the destination folder of your choice. This gives us an idea of how to prevent the downloads: we need to prevent Internet Explorer from being able to create program files (such as the *.exe and *.zip files) in the temporary folder. However, we must still allow Internet Explorer to store files of other types (such as image files), to be able to display the web pages properly when browsing the Internet. This is just the type of problem that can be easily solved using the "filters" of Folder Guard.

http://www.winability.com/folderguard/restrict-downloads-ie.htm

Cheers!
0
 

Author Comment

by:ipsystems
ID: 9701668
Look.
We are an Internet Service Provider and we host websites.

We need to prevent downloads of .DLL or .MDB extensions by any user connected via the internet to our servers.

Does this software work in this case?

We tried to use URLSCAN, but with certain scripts we get the file....


Luiz
IPSystems
0
 
LVL 9

Expert Comment

by:TooKoolKris
ID: 9701800
Put better controls into your ASP code for starters. If people are able to get certain files by tossing arguments into the URL to manipulate your ASP page into sending down the files, then your problem lies with the functionality of your ASP code. You can simply put conditional statements into your code that test the extension of the file before it is sent, or even as the argument is tossed to the function, to make sure that it doesn't contain one of the extensions that you don't want downloaded.
0
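A sketch of the handler-side check suggested in the comment above, written as an added example in Python rather than ASP (it is not code from this thread or from any hosted script). The function name, the `C:\sites\cust1` web root and the sample requests are assumptions made for illustration.

```python
import ntpath  # Windows path rules; importable on any OS, so this runs offline

# Assumed policy for the example: extensions the host never wants served.
BLOCKED_EXT = {".dll", ".mdb"}

def resolve_download(site_root, requested):
    """Return the normalised path to serve, or None if the request is refused.

    site_root: the customer's web root (hypothetical path).
    requested: the raw value of a parameter such as ?dir=...
    """
    root = ntpath.normcase(ntpath.normpath(site_root))
    # join() lets an absolute 'requested' (c:/xxx/...) replace the root
    # entirely, so the joined result must be checked, not trusted.
    candidate = ntpath.normcase(ntpath.normpath(ntpath.join(root, requested)))
    # Containment: after ".." is collapsed, the path must stay below the root.
    # The trailing separator stops "cust10" from passing as "cust1".
    if not candidate.startswith(root + "\\"):
        return None
    # Extension test on the resolved name; normcase() already lower-cased it.
    if ntpath.splitext(candidate)[1] in BLOCKED_EXT:
        return None
    return candidate

if __name__ == "__main__":
    # Constructed sample requests, not taken from real traffic.
    for req in ["docs/manual.pdf", "c:/xxx/bbb/file.dll",
                "../cust2/data/site.mdb", "db/Site.MDB"]:
        print(req, "->", resolve_download(r"C:\sites\cust1", req))
```
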
 

Author Comment

by:ipsystems
ID: 9701951

Not for a specific application... we have more than 3.500 websites hosted on many servers and we only want to prevent anyone from trying to download files with these extensions.

0
 
LVL 28

Expert Comment

by:sybe
ID: 9704027
To download a file with a browser, 3 conditions need to be met; if you take out one of them then the file can't be downloaded. But none of those conditions is extension-specific. And what if one of your customers offers a file with extension .mdb for download on purpose??

conditions are:
1. the file needs to be accessible through the webserver (so be placed under a root-directory of a domain)
2. the directory where the file remains needs to have "read" access (setting in the webserver)
3. the user needs to have read rights (on the file system). On Windows systems the (not logged in) internet user is IUSR_machinename

If you want to use access databases (.mdb), but not make them available for download, then remove the "read" access from the directory, or put the files outside of wwwroot (you need to give IUSR_machinename read rights in order to use the database for internet)





0
 
LVL 28

Expert Comment

by:sybe
ID: 9704093
>> How can I prevent specific extensions file download and prevent users to pass parameters like  file.asp?dir=c:/xxx/bbb/file.dll or something similar?

Remove all rights for IUSR_machinename from the files you don't want to be downloaded.
0
 
LVL 4

Expert Comment

by:freshair
ID: 9705280
Set file permission from NT: you may want to remove the read permission of the file from your customers so they cannot open the file in binary mode. Right click on the file -> Properties -> Security, and add/remove whatever you want from there.
Set file permission from IIS: there should be some option on IIS that allows users to access only files down a folder tree but not up (meaning they can't load anything like /../ or C:\xxx\file.ext). Or you may want to prevent users from loading .dll files by checking the URL parameters they pass into your .asp script.
0
 

Author Comment

by:ipsystems
ID: 9705447

Look...

We are a hosting provider with more than 3.500 users on many servers. Each user has their own FTP and their own area to host their website.

We have more than 1.500.000 files on our servers, so we can't set permissions; we need to deny web requests from the browser... like URLSCAN, but the Micro$oft URLSCAN has many little problems and I don't want to use it...

Any other idea? Maybe an IDS can block these requests? Any suggestion?
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9705626
I'd think you'd need stateful inspection to do this from a network perspective, and in a big enterprise that's a heck of a lot of proxying.

I don't see how you're going to get around scripting to look for files and overwrite permissions for http (or FTP unless you're going to hack the FTP daemon or find one with that sort of feature.)
 
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9708456
0
 

Author Comment

by:ipsystems
ID: 9708930
Yes, our router is Cisco, but its owner is the datacenter, so we can't use or administer it.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 9710156
> We need to prevent download .DLL or .MDB extensions from any user connected by internet in our servers.

Simply remove such files from the publicly accessible area.
What's the problem with this approach?
0
 
LVL 3

Accepted Solution

by:
Ravi Goru earned 500 total points
ID: 9710392

yeah.. content filtering..!!

can be tried with many softwares..

anyway ..try to go through the following link..!!

u will have enough of idea..!!

http://www.bmas.ja.net/content_filtering/BMAS_content_filtering.html

regards..

Ravi Goru


0
 

Author Comment

by:ipsystems
ID: 9710449

Finally a person that understands the problem!

Great  Ravi.... take your points!


Regards,
Luiz
0
 
LVL 28

Expert Comment

by:sybe
ID: 9710523
ipsystems, I am curious how you are going to do what you want with client side applications. Ask all visitors to your 2,500 websites to install this software?
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 9710733
ipsystems, could you please explain how the graded answer (link) helped in solving your problem?
Can't imagine that you for example installed proxomitron on your server ...
0
 

Author Comment

by:ipsystems
ID: 9710853

 One server running Squid, acting as a gateway for all servers.

  Squid will solve my problem by blocking the word lists in URL requests....

   http://www.squidguard.org/config/
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 9711505
ok, you use squid, with a blacklist, as reverse proxy.
0
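The kind of URL check a reverse proxy with a blocklist performs, as an added Python example (it is not Squid or squidGuard configuration and not code from this thread). It contrasts a filter that only looks at the URL path with one that also inspects decoded query values, which is what the `file.asp?dir=...` case from the question needs; the function names, host name and sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote, parse_qsl

# Assumed blocklist: the two extensions named in the question.
BLOCKED = re.compile(r"\.(dll|mdb)$", re.IGNORECASE)

def deny_path_only(url):
    """Weaker filter: tests only the extension of the URL path."""
    return bool(BLOCKED.search(unquote(urlsplit(url).path)))

def deny_request(url):
    """Stronger filter: tests the decoded path and every query value."""
    parts = urlsplit(url)
    candidates = [unquote(parts.path)]
    # parse_qsl() percent-decodes values, so an encoded and a plain
    # spelling of the same file name are compared in the same form.
    candidates += [value for _, value in
                   parse_qsl(parts.query, keep_blank_values=True)]
    return any(BLOCKED.search(c.strip()) for c in candidates)

# Constructed sample requests (hypothetical host, not real traffic).
SAMPLES = [
    "http://cust1.example/data/site.mdb",
    "http://cust1.example/bin/App.DLL",
    "http://cust1.example/file.asp?dir=c:/xxx/bbb/file.dll",
    "http://cust1.example/downloads/setup.zip",
    "http://cust1.example/download.asp?id=42",
]

def report(samples=SAMPLES):
    """Return (url, path_only_verdict, full_verdict) for each sample."""
    return [(u, deny_path_only(u), deny_request(u)) for u in samples]

if __name__ == "__main__":
    for url, weak, strong in report():
        print(f"path-only={weak!s:5} full={strong!s:5} {url}")
```

The last sample is allowed by both filters: when a script selects the file by an identifier, the extension never appears in the URL, so the file-system permissions and in-script checks discussed earlier in the thread still matter.
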
 
LVL 3

Expert Comment

by:Ravi Goru
ID: 9712672

great man  ..


i like ur sort people .. who can just manage with a  link..:))

thanks :))


Ravi Goru
0
