Much ado about Files Screening in R2

File Screening in Windows 2003 R2 can be circumvented, but this isn't that terrible, IMHO, and I'll explain why.
You might be wondering what the heck I am talking about. I am referring to what's written in this blog post (an old one) that I spotted only today. There the author refers to an MS blog, which in turn mentions a post about the fact that file screening in R2 can be circumvented.

Yes, it can be circumvented, BUT… there are several "but"s I can add. In fact, I have been presenting Windows 2003 R2 to several customers and I got asked this question several times, and I usually explain it in the following way:

First, it would be too heavy of a performance hit to determine and check the real "nature" of a file, rather than just its file name.
Also: how would you technically do that? Checking some headers in the file? In that case you would need to maintain a database of known file types, keeping it up to date as new versions of each file format appear…
And then what about executables which have been passed through a "packer" (one of those utilities that effectively shrinks them while keeping them executable)?
What about encrypted files? What about…?? It just plain doesn't work. Just like many other signature-based detection mechanisms (antivirus or IDS), to KEEP working it needs to be constantly updated (or it becomes useless).

The file screening feature is not meant to be impossible to circumvent; rather, it is a way of telling the user that he/she is not allowed to place that content there, of getting notified about it, and possibly of getting this information TRACKED somewhere….
Of course this can be circumvented. But it is not going to be very practical, especially when your users are USERS and are restricted so that they can't associate a new extension to be opened from within their media player, as you are suggesting….

Moreover, file screening is just ONE of many features of the component called "File Server Resource Manager" in Windows 2003 R2. Those features are meant to be used together. So, for example, while a user COULD circumvent the restriction and copy ".mp3" files by calling them ".xyz", with the useful reporting an admin would very easily spot them by looking at those directories that strangely contain a lot of ".xyz" files that happen to be roughly 5MB in size (all of them)…
In the same way, by using the reporting feature you could see that those huge ".doc" files are actually DivX videos by looking at the "large files" report – how many pages would you have to write to get a Word document up to 700MB?? It can't be the usual letter Mary writes; it looks a lot more like the size of Encarta… so something is fishy about it.
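To make the reporting argument above concrete, here is an added example (my own illustration, not a feature of File Server Resource Manager and not code from the original post) of the kind of cheap checks an admin could run over a file inventory: flag a directory full of same-sized files with an odd extension, flag "documents" far too large to be documents, and, as a third audit-only heuristic, flag files whose leading bytes match a well-known media signature while their extension says otherwise. The inventory, paths, sizes and header bytes are constructed sample data; the thresholds and the signature table are assumptions chosen for the example.

```python
"""
Added example: three audit heuristics for spotting renamed media files
on a file share. Inventory records are constructed sample data.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed inventory: (path, size in bytes, first bytes of the file).
INVENTORY = [
    ("share/bob/stuff/a.xyz", 5_100_000, b"ID3\x03"),
    ("share/bob/stuff/b.xyz", 4_950_000, b"ID3\x03"),
    ("share/bob/stuff/c.xyz", 5_020_000, b"ID3\x03"),
    ("share/bob/stuff/d.xyz", 5_200_000, b"ID3\x03"),
    ("share/mary/letter.doc", 32_000, b"\xd0\xcf\x11\xe0"),   # real OLE2 header
    ("share/mary/report.doc", 700_000_000, b"RIFF"),         # AVI disguised as .doc
    ("share/it/readme.txt", 1_200, b"Some"),
    ("share/it/notes.txt", 3_400, b"More"),
    ("share/it/tools.txt", 2_100, b"Tool"),
]

DOCUMENT_EXTENSIONS = {".doc", ".xls", ".ppt", ".txt"}
MEDIA_EXTENSIONS = {".mp3", ".avi", ".wav", ".mpg", ".mpeg"}

# Leading-byte signatures of a few media containers (well-known values).
MEDIA_SIGNATURES = {
    b"ID3": "mp3",
    b"RIFF": "riff (avi/wav)",
    b"\x00\x00\x01\xba": "mpeg",
}


def split_path(path):
    """Return (directory, lower-cased extension including the dot, or '')."""
    directory, _, name = path.rpartition("/")
    _, dot, ext = name.rpartition(".")
    return directory, ("." + ext.lower()) if dot else ""


def same_size_clusters(inventory, min_files=3, min_avg_bytes=1_000_000,
                       max_rel_spread=0.10):
    """Directories holding at least min_files files with the same extension,
    averaging at least min_avg_bytes, whose sizes cluster tightly (relative
    standard deviation at most max_rel_spread).  The "lots of ~5MB .xyz files"
    pattern.  Returns a sorted list of (directory, extension, count)."""
    groups = defaultdict(list)
    for path, size, _ in inventory:
        groups[split_path(path)].append(size)
    flagged = []
    for (directory, ext), sizes in groups.items():
        if len(sizes) < min_files:
            continue
        avg = mean(sizes)
        if avg >= min_avg_bytes and pstdev(sizes) / avg <= max_rel_spread:
            flagged.append((directory, ext, len(sizes)))
    return sorted(flagged)


def oversized_documents(inventory, max_bytes=50_000_000):
    """Files with a document extension larger than any plausible document."""
    return [path for path, size, _ in inventory
            if split_path(path)[1] in DOCUMENT_EXTENSIONS and size > max_bytes]


def header_mismatches(inventory):
    """Files whose leading bytes match a media signature but whose extension
    is not a media extension.  Returns (path, extension, detected kind)."""
    out = []
    for path, _, head in inventory:
        ext = split_path(path)[1]
        for signature, kind in MEDIA_SIGNATURES.items():
            if head.startswith(signature) and ext not in MEDIA_EXTENSIONS:
                out.append((path, ext, kind))
                break
    return out


if __name__ == "__main__":
    print("Same-size clusters :", same_size_clusters(INVENTORY))
    print("Oversized documents:", oversized_documents(INVENTORY))
    print("Header mismatches  :", header_mismatches(INVENTORY))
```

The first two checks need nothing more than the path and size columns a storage report already provides; the header check needs a few bytes read from each file, which is why it belongs in a periodic audit rather than on the write path.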

You get what I mean? It won't block the user ALL the time, but it will still drastically reduce the user's ability to waste our space, and if implemented with the proper controls, procedures and processes (think ITIL) in place, this can still be a valuable tool.

(I also posted this answer as a comment on the above-mentioned blog).
