FIX: Site and Content Rules Do Not Filter Based on File Name Extensions (813864)



The information in this article applies to:

  • Microsoft Internet Security and Acceleration Server 2000
  • Microsoft Internet Security and Acceleration Server 2000 SP1

SYMPTOMS

When you use Content Types (HTTP Content) in Site and Content Rules to deny or allow requests for downloading specific files (for example, .exe files), ISA Server does not deny or allow the request if you only have the file name extension (for example, .exe) configured in the appropriate Content Group.

This problem occurs only when you serve outgoing HTTP requests through ISA Server.

This problem does not occur if you include the content type that is appropriate for the file name extension that you want to block or allow in the correct Content Group (for example, application/octet-stream for the .exe file name extension). However, if you do this, you may experience other problems. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

319073 Web Pages May Not Display Correctly When You Deny the Application/Octet-Stream Content Type

(For more information about how to set the Content Type, see the "More Information" section of this article.)

CAUSE

The behavior occurs because ISA Server cannot deny or allow HTTP requests based on file name extensions, regardless of whether you have configured this setting in HTTP Content of the appropriate Site and Content Rule.

RESOLUTION

To resolve this problem, obtain the Update Rollup for ISA Server Services. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

810493 INFO: Update Rollup for ISA Server Services

Hotfix Information

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

After you apply this hotfix, you can control whether ISA Server blocks or allows requests based on file name extension or based on Content Type:
  • If you want ISA Server to block requests based only on the file name extension, add the following registry value:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters\CheckOnlyFileExtensionAsContentType : DWORD : 1

  • If you want ISA Server to block requests based only on Content Type, add the following registry value:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters\CheckOnlyFileExtensionAsContentType : DWORD : 0

Note If you receive authentication prompts after you install this hotfix and add the correct registry entries, apply the registry change that appears in the following article in the Microsoft Knowledge Base:

297324 Multiple Authentication Dialog Boxes Are Displayed When You Use Access Control

MORE INFORMATION

After you apply the hotfix and you set the CheckOnlyFileExtensionAsContentType = 1 registry value, you may notice that HTTP requests from some users are denied to URLs where you do not want to block requests. This behavior did not occur before you applied the hotfix.

This problem occurs because ISA Server denies all requests to the file name extensions that you have configured in the Site and Content Rules, regardless of whether the response is a file download (Binary Stream) or HTTP content.

If you notice this issue, you can exclude URLs from being denied. Add these URLs as exceptions to the Site and Content Rules where you have defined the Content to be blocked. For example, assume that you have the following Site and Content Rule for blocking .exe file name extensions:

Site and Content Rule Name: Block exe
Enabled: True
Rule Applies to: All Destinations
Access to the specified destinations: Denied
Rule Applies to: Any Request
Rule Applies to: Selected Content Groups
Content Groups Selected: exe file extension

Requests to http://www.northwindtraders.com/example.exe are denied because this rule blocks them. However, you do not want these requests to be blocked because the response to these requests is not the binary stream of the file (download). The response is ordinary text/html because this is a .cgi file that generates HTTP content.

To exclude this URL from being blocked, follow these steps:
  1. Open the ISA Server MMC.
  2. Click Policy Elements.
  3. Click Destination Sets.
  4. Right-click Destination Sets, and then add a new Destination Set named exception.
  5. Type www.northwindtraders.com for the Destination of this new destination set.
  6. Click Access Rules.
  7. Click Site and Content Rules.
  8. Open the blocking .exe extensions Site and Content Rule, and then click Destinations.
  9. Under This Rule applies to, click All Destinations except Selected Set.
  10. Click the exception destination set that you created in step 4.
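
The rule behavior described in this section can be checked with a simplified Python model. This is an added example, not ISA Server code and not part of the original article. The function names, the sample URLs other than example.exe, and the assumption that the Content Group also lists application/octet-stream for the value 0 case are all constructed for illustration.

```python
from urllib.parse import urlsplit
import posixpath

# Constructed model of the "Block exe" rule; not ISA Server's implementation.
BLOCKED_EXTENSIONS = {".exe"}                          # "exe file extension" content group
BLOCKED_CONTENT_TYPES = {"application/octet-stream"}   # assumed entry for the value 0 case
EXCEPTION_DESTINATIONS = {"www.northwindtraders.com"}  # the "exception" destination set


def rule_applies(host, use_exception_set):
    """All Destinations, or All Destinations except Selected Set."""
    return not (use_exception_set and host.lower() in EXCEPTION_DESTINATIONS)


def is_denied(url, response_content_type, check_only_extension, use_exception_set=False):
    """Return True if the modelled rule denies the request.

    check_only_extension mirrors CheckOnlyFileExtensionAsContentType (1 or 0).
    """
    parts = urlsplit(url)
    if not rule_applies(parts.hostname or "", use_exception_set):
        return False
    if check_only_extension == 1:
        # Decision uses the URL path only; the response type is never consulted.
        ext = posixpath.splitext(parts.path)[1].lower()
        return ext in BLOCKED_EXTENSIONS
    # Value 0: decision uses the response Content-Type only.
    media_type = response_content_type.split(";")[0].strip().lower()
    return media_type in BLOCKED_CONTENT_TYPES


# Constructed sample traffic: (URL, Content-Type of the response)
CGI_PAGE = ("http://www.northwindtraders.com/example.exe", "text/html; charset=utf-8")
REAL_DOWNLOAD = ("http://www.northwindtraders.com/setup.exe", "application/octet-stream")
OTHER_HOST = ("http://downloads.example.test/tool.exe", "application/octet-stream")

if __name__ == "__main__":
    for url, ctype in (CGI_PAGE, REAL_DOWNLOAD, OTHER_HOST):
        print(url, ctype,
              "| ext mode:", is_denied(url, ctype, 1),
              "| ext mode + exception:", is_denied(url, ctype, 1, True),
              "| type mode:", is_denied(url, ctype, 0))
```

In this model the exception destination set exempts every request to www.northwindtraders.com, so a real .exe download from that host is also allowed once the exception is in place. Keep the exception set limited to hosts where that is acceptable.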

Modification Type: Minor
Last Reviewed: 9/27/2005
Keywords:kbHotfixServer kbQFE kbQFE kbISAServ2000preSP2fix kbfix kbbug KB813864 kbAudDeveloper