Subject: Re: Corporate variant (SUS) of Windows Update
From: "Geo."
"Jan van Hoek (NL)" wrote in message news:VA.000001d3.0037df4d{at}xs4alldot.nl...

> We only allow a very limited list of file types (only 5 to 10 long) and
> refuse the rest of the universe. File type spoofing is detected by our front
> end virus scanner (eSafe), and handled as such (blocked). ZIP-files are not
> refused upfront, but are expanded (max 10 levels deep), after which the
> building blocks are handled one by one via the standard policies.

I forget who it was but one of the guys on full disclosure came up with a 2
level zip file, the first level expanded to 2 files, first was a zip and
second was an exe. When you tried to unzip the first it would expand to
500gb of 1 character so the zip was like 1K but would expand to a size
larger than most disk volumes. This stopped the virus scanners from even
looking at the exe file.

> Our company policy is to use MS stuff for everything, unless... There is no
> compelling reason (read: not one reason that management understands) to ban
> Outlook from our premises. IOW that is our default e-mail client (no Outlook
> Express is given to any user, however).

email them a web bug (or that IE exploit that opens a million windows) then
email them a notice of when and where they read your email. If you show
management how easy it is to exploit them they may consider it a reason
they understand.

> For similar "political" reasons I cannot block the contents of DOC and XLS
> attachments (we strip all macros, however), as long as you cannot teach the
> bean counters to use our FTP server to transfer monthly figures to/from
> various official agents they (legally) have to report to.

It's very easy to do since everyone knows how to use a folder. Just give
all users a shortcut on their desktop to a server share where you have the
user directories. They then just put any file they want to send to someone
in that directory and append the name of it to a link you give each of
them. It's then a simple matter of them taking that link and typing it into
an email, example http://www.somewhere.com/username/filename.zip to send
instead of attaching the file. It's certainly no more difficult to do that
than to explain to them why the file they tried to email to someone was
bounced by the remote server (something that is happening more and more
often).
Up until this last IE patch you could have even included a username and
password in the link..

> All in all, my hands are tied in some respects.

I understand. That's one of the things I never have to deal with except for
financing. As far as technical directions, I get to make all the calls,
course they hold me responsible for making sure things work too so it's got
its ups and downs.

> But on average, our policies
> are very strict (some say: too strict).

One good destructive virus and they will all stfu..
At one point a few managers decided I was being too strict and so they got
everyone together in a meeting and then proceeded to tell me it was
unacceptable, in front of the owner. They used an example of faxing the
monthly sales report as opposed to emailing it. It was really funny when I
suggested that tomorrow they turn off all the computers and spend the day
trying to do their jobs because one infection could easily mean that's what
they would need to do for possibly a few days to a week until the network
could be cleaned and data restored. I then asked them if it was worth that
just so one of them could send a file instead of getting off his fat ass
and walking the three feet from his office door to the fax machine.
Once they understood the computer is a tool they use and that they would
*still be expected to do their jobs if the computers didn't work* they
realized I wasn't doing this just for my benefit (since my department would
have to do the cleanup). The key was making them understand it's more work
for them when the computers are down, but since the computers are never
down they didn't consider that.

> And we have nearly 4 "virus free"
> years as proof that this is the right approach. Only 3% of Dutch companies
> can say the same, as recent research revealed.

Last time we got a virus on our internal network, it came in on a 44mb
syquest cartridge. I don't remember how long ago that was but it's got to
be over 10 years as we were running WFWG and we switched to NT in 1994.
Geo.
--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
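
The failure described in the reply above (a scanner that gives up on an oversized nested ZIP and never inspects the sibling executable) is avoided by expanding under a shared byte budget and blocking the whole attachment when any member fails. This is an added sketch, not part of the original post or of eSafe: the 1 MiB budget, the allow-list and the function names are assumptions; the 10-level limit is the one quoted in the thread.

```python
import io
import os
import zipfile

MAX_DEPTH = 10                      # nesting limit quoted in the thread
MAX_TOTAL = 1 << 20                 # assumed budget: 1 MiB expanded per attachment
ALLOWED = {".txt", ".doc", ".xls"}  # assumed allow-list of leaf file types

class Blocked(Exception):
    """Raised when any part of the attachment violates policy."""

def walk(data, depth, budget):
    """Expand one archive level; return leaf names or raise Blocked."""
    if depth > MAX_DEPTH:
        raise Blocked("nesting too deep")
    leaves = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            body = bytearray()
            with zf.open(info) as fh:
                # Count bytes as they are produced and stop at the shared budget.
                while chunk := fh.read(65536):
                    budget[0] -= len(chunk)
                    if budget[0] < 0:
                        raise Blocked("expansion budget exceeded")
                    body += chunk
            if zipfile.is_zipfile(io.BytesIO(body)):   # detect by content, not name
                leaves += walk(bytes(body), depth + 1, budget)
            elif os.path.splitext(info.filename)[1].lower() not in ALLOWED:
                raise Blocked("type not allowed: " + info.filename)
            else:
                leaves.append(info.filename)
    return leaves

def verdict(data):
    """Fail closed: one bad, unreadable or encrypted member blocks everything."""
    try:
        return "accept", walk(data, 1, [MAX_TOTAL])
    except (Blocked, zipfile.BadZipFile, RuntimeError) as exc:
        return "block", str(exc)

def make_zip(members):
    """Build a constructed sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

if __name__ == "__main__":
    inner = make_zip({"fill.txt": b"0" * (4 << 20)})  # constructed, a few KiB on disk
    print(verdict(make_zip({"inner.zip": inner, "setup.exe": b"placeholder"})))
    print(verdict(make_zip({"report.txt": b"monthly figures"})))
```

Because the budget is shared across all levels and every exception maps to "block", an archive that cannot be fully expanded is never delivered with uninspected members.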
SOURCE: echomail via fidonet.ozzmosis.com