Fun with Forefront TMG Beta 3 and blocking download of certain file types over HTTP based on the server's response body

I saw a couple of time this question, can ISA Server 2006(Forefront TMG Beta 3) “identify” a certain file type (without any third-part add-ons) ?
Say a user changes a file's extension from '.zip' or '.exe' to '.jpg'(image file, something unlikely you will block), and  emails it using a web mail service like the one from Yahoo! to a friend of him or her, and this friend while at work behind ISA Server 2006(Forefront TMG Beta 3) downloads that file and then renames its extension. If you may want to allow the Yahoo! webmail (this may vary based on your business type), even not very smart users can bypass your file (content types) restrictions like so.

The answer might be somehow relative. If we look at what we have by default on TMG Beta 3, the answer could be: maybe. Note that what we can do bellow, we may be able to do with ISA Server 2006, but I want to mention a new feature of TMG Beta 3, feature which if Microsoft gives us access to it, we may have a smarter way of identifying and blocking certain file types accessed by users.

In part 1 we will take a quick look at the usual approach of restricting content types, analyze a few situations like the one mentioned above (renaming extension and Yahoo! web mail).
In part 2 we will play a little with a hex editor, the HTTP filter on Forefront TMG Beta 2 and HTTP response body signatures.

Read more:

Comments are closed