The Microsoft Exchange Edge
Transport server can also filter content within attachments of a
message. There are times when an organization wants to prevent offensive
or malicious content stored in a Word document, Hypertext Markup
Language (HTML) attachment, and so on from being transmitted to users in
a network, so a filter can be configured to identify and handle
incoming messages that carry such attachments.
Understanding Attachment Filtering Processing
A powerful tool in the
fight against computer viruses and other malicious email attachments is
the use of attachment filtering. Attachment filtering allows you to
identify a specific filename or all files of a particular type using
Multipurpose Internet Mail Extensions (MIME) recognition. Attachment
filtering can be applied to both incoming and outgoing email. This
allows you the flexibility of implementing attachment distribution that
complies with business requirements or policy. For example, you can
choose to block all executable file types (for example, .bat, .exe,
.scr) on inbound email to help prevent
the spread of new computer viruses or distribution of unacceptable
content. On outbound connections, you could elect to block distribution
of particular files by name (for example, tradesecrets.doc, salaryinfo.xls), which can help prevent
proprietary information from being accidentally or purposefully
distributed. SMTP Send and Receive Connectors can be included or
excluded from attachment filtering.
Note
Changes described in
this section are applied only to the local system. This is important if
you have more than one Edge Transport server in your environment.
Planning Attachment Filtering Processing
One limitation to
attachment filtering is that it can only be configured using the
Exchange Management Shell. No attachment filtering options are available
in the Exchange Management Console.
Exchange Server 2010,
Outlook 2007, and Active Directory’s Group Policy can work together to
orchestrate implementation of an organization’s policy on email
attachments. Outlook 2007 includes an enabled default list of Level 1
attachments (attachments that will not be allowed). File types are on the
Level 1 list because of their known or potential ability to carry
malicious code. Level 2 attachments are attachments that will initiate a
prompt requiring that the user first download the attachment prior to
running it. This gives any locally installed antimalware product the
opportunity to scan the attachment for viral code that might have
bypassed email virus scanning, a rare but not impossible
circumstance. By default, there are no Level 2 file types defined in
Outlook 2007.
There are over 70 Level 1
files included in Outlook 2007. Some examples of Level 1 file types are
shown in the following list. For a complete list, refer to the Microsoft
Outlook 2007 documentation:
Using Group Policy, an
administrator can “open up” Level 1 attachments to users so they can
choose whether to accept the attachment and/or make modifications to the
Level 1 and Level 2 attachment lists. Alternatively, administrators can
take full control of this functionality. This flexibility,
unfortunately, can pose a security risk. To offset this risk,
administrators can use the attachment-filtering component on an Edge
Transport server to block specific attachments, regardless of the
configuration in place on internal email systems.
First, you need to
determine what attachments and/or types of attachments you want blocked
and in what direction(s) attachment filtering should take place:
inbound, outbound, or both. If you will be blocking a specific
attachment, implement the block using the filename. If you want to block
all email attachments of a specific type, add the file extension so it
can be identified by its MIME type, regardless of the filename.
After you have decided
on which attached files or file types you want to identify in email
messages, you also need to determine what you want to do with messages
containing those attachments. The default action is to block
the attachment and the message (Reject). The available actions you can
take on messages and attachments defined in the attachment filter
include the following:
Reject— Stops delivery of the message and
attachments to the recipient and sends an undeliverable response to the
sender.
Strip— Delivers the message to the recipient,
replacing the attachment in the message with a notification it has been
removed. Any attachment not listed in the attachment filter will still
be available to the recipient.
SilentDelete—
Similar to the Reject action in that the message and attachment aren’t
delivered; however, the SilentDelete action does not send an
undeliverable notification to the sender.
Using the Exchange Management Shell to Configure Attachment Filtering
Attachment filtering,
as previously mentioned, can only be configured through the Exchange
Management Shell. Each shell command has its own parameters you can set
based on the action(s) performed by the command. There are four
commands: Get, Add, Remove, and Set. Each command works with one or more IP Block and
Allow List components.
The Get-
command is used to retrieve the configuration of a component. For
example, entering Get-AttachmentFilterEntry filename displays whether
that file is being identified in messages.
The Add- command
can be used to add an entry to the Attachment Filter Agent. The
following example adds a filename to be blocked:
Add-AttachmentFilterEntry -Name virus.exe -Type FileName
The Remove- command can
be used to remove an attachment filter entry. The following example
removes an entry by filename:
Remove-AttachmentFilterEntry -Identity FileName:virus.exe
The Set-
command allows an administrator to modify the configuration of the
attachment filter. In attachment filtering, it is primarily used to set
the action. The following example configures the action and response
options:
Set-AttachmentFilterListConfig -Action Reject -RejectResponse "Attachment type not allowed."
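The planning steps and the four commands above, combined into one repeatable Exchange Management Shell script. This is an added example, not part of the original text. The entry lists are constructed sample values, Add-BlockEntry is a hypothetical helper name, and the ContentType entry type and the Get-AttachmentFilterListConfig cmdlet are standard Exchange features that the text above does not show.

```powershell
# Added example. Run in the Exchange Management Shell on EACH Edge Transport
# server: attachment filter changes apply only to the local system.

# Constructed sample policy; replace with the lists your organization decided on.
$blockedExtensions = '*.bat', '*.exe', '*.scr'             # whole file types, by extension
$blockedFileNames  = 'tradesecrets.doc', 'salaryinfo.xls'  # specific files, by exact name
$blockedMimeTypes  = @('application/x-msdownload')         # match on MIME type, whatever the filename

# Index the entries already on this server as "Type:Name" so the script can be
# rerun without raising duplicate-entry errors.
$existing = @{}
Get-AttachmentFilterEntry | ForEach-Object {
    $existing["$($_.Type):$($_.Name)"] = $true
}

function Add-BlockEntry {    # hypothetical helper, not an Exchange cmdlet
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][ValidateSet('FileName', 'ContentType')][string]$Type
    )
    $key = "${Type}:$Name"
    if ($existing.ContainsKey($key)) {
        Write-Verbose "Already present: $key"
    }
    else {
        Add-AttachmentFilterEntry -Name $Name -Type $Type
        $existing[$key] = $true
    }
}

# Filename and extension entries use -Type FileName; MIME entries use -Type ContentType.
($blockedExtensions + $blockedFileNames) | ForEach-Object { Add-BlockEntry -Name $_ -Type FileName }
$blockedMimeTypes | ForEach-Object { Add-BlockEntry -Name $_ -Type ContentType }

# Reject is the default action; setting it explicitly documents the decision
# and supplies the text returned to the sender in the undeliverable response.
Set-AttachmentFilterListConfig -Action Reject -RejectResponse 'Attachment type not allowed.'

# Verify: review the action, any connectors excluded from filtering, and the
# final entry list. Compare this output across all Edge Transport servers.
Get-AttachmentFilterListConfig | Format-List Action, RejectResponse, ExceptionConnectors
Get-AttachmentFilterEntry | Sort-Object Type, Name | Format-Table Type, Name -AutoSize
```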