Exchange Server TechCenter >
Exchange Server Forums
>
Clients
>
Blocking ZIP attachments except for select users
Blocking ZIP attachments except for select users
- Hello,
Due to all the new ZIP viruses, I would like to block ZIP attachments for all email users except a select few who actually need them.
We use Outlook 2007 on XP Pro boxes and Exchange 2003 (currently migrating to) Exchange 2007 servers on an AD 2003 domain.
I am trying to utilize the the "Level1Remove" client registry key without success and have done the following to test with a ficticious BBB attachment type..
1) Created GP to (A) add BBB to Level 1 block and (B) allow users to demote attachments to Level 2 (C) Outlook Security Mode Enabled
2) GPUDATE and RSOP verifies that this is applied to XP client machines
3) Renamed a blank "test.txt" file to "test.BBB" and sent it to client
4) Attachment blocked in Outlook 2007 on client machine as expected
5) Created registry key on clients HKCU\Software\Microsoft\Office\12.0\Outlook\Security\Level1Remove with values of bbb;BBB;.bbb;.BBB (included upper/lower case with and without DOTs seperated by semi-colons;)
When I resend the BBB attachment it still gets blocked and stripped with: "Outlook blocked access ..."
I have duplicated the setup to allow BBB attachments on both my sending and receiving test machines but still no love.
The attachment currently still appears if I use OWA on the clients but I will eventually want to block that as well.
Am I missing something? It seems like it should work at this point.
TIA for any help,
Michael- Edited byMichael Villages Thursday, November 05, 2009 4:11 PMtypo in KEY
Answers
- Ahh, ok, I missed the part where you wanted to strip the attachment rather than simply block the message.
You would need the Edge Role for that:
http://technet.microsoft.com/en-us/library/aa997139.aspx but you wouldnt have the granularity you may need
You really need an anti-virus / anti-spam solution as mentioned before ( ForeFront will do this as well) to make this happen effectively.- Marked As Answer byElvis Wei -MSFTMSFT, ModeratorFriday, November 13, 2009 6:01 AM
- Edge server cannot be installed on existing Server Roles. It has to be disjoined from Domain.
You can even opt for Microsoft Forefront Security for Exchange Server
Which will also fulfill your goals. Take a look @ below article to how to handle the attachments
Attachment Filtering
http://technet.microsoft.com/en-us/library/bb124399.aspx
Vinod |CCNA|MCSE 2003 +Messaging|MCTS|ITIL V3|- Marked As Answer byElvis Wei -MSFTMSFT, ModeratorFriday, November 13, 2009 6:02 AM
Hi Michael,
Regarding how to control the attachment in OWA, you could refer to the following article:
http://www.petri.co.il/control-exchange-server-2007-attachments-through-owa-part-one.htm
How to control the attachment in Outlook:
Customize attachment settings in Outlook 2007
http://technet.microsoft.com/en-us/library/cc178961.aspx
If you want strip the attachment only in server side, I would like to explain Exchange 2007 doesn't have such a feature and you may need to leverage other software to do that.
Thanks,
Elvis
- Marked As Answer byElvis Wei -MSFTMSFT, ModeratorFriday, November 13, 2009 6:01 AM
All Replies
- Honestly, I wouldnt go this route using GPOs.
Use either your built-in Exchange aware anti-virus/anti-spam, or gateway anti-virus/anti-spam to create rules or create a hub transport rule when you upgrade to 2007.
http://msexchangeteam.com/archive/2006/12/12/431879.aspx - Thanks for the reply Andy,
We use a Symantec Endpoint Protection client on our Exchange server and I don't think I have the ability to mess with the attachments.
When using the Transport Rules I do not see an Action to strip an attachment from a message unless it is a type of header that I am unfamiliar with.
I am assuming I would use ".ZIP" for the "Attachment Contains Text Pattern"?
Thanks again,
Michael - Ahh, ok, I missed the part where you wanted to strip the attachment rather than simply block the message.
You would need the Edge Role for that:
http://technet.microsoft.com/en-us/library/aa997139.aspx but you wouldnt have the granularity you may need
You really need an anti-virus / anti-spam solution as mentioned before ( ForeFront will do this as well) to make this happen effectively.- Marked As Answer byElvis Wei -MSFTMSFT, ModeratorFriday, November 13, 2009 6:01 AM
- Andy,
We are a not-for-profit agency and unfortunately I do not have the funds to purchase extra equipment or software at this time.
I would rather strip the attachment and keep the email. That way if it turns out to be a legitimate ZIP that is needed we would know that we didn't receive it and could organize a resend with a new extention to circumvent the stripping. I guess I didn;t state that originally, sorry.
We have 1 server that is dedicated to Exchange that is running the Mailbox Role, Client Access Role and Hub Transport Role. Can the Edge Transport Server Role be added to this server in this scenerio or would I actually need another server in my DMZ? (I don't see that happening any time soon.)
If we could figure out why the Level1Remove key isn't working then my solution would seem to work fine for us until I could get more cash next year. Any clue about this?
Michael - Edge server cannot be installed on existing Server Roles. It has to be disjoined from Domain.
You can even opt for Microsoft Forefront Security for Exchange Server
Which will also fulfill your goals. Take a look @ below article to how to handle the attachments
Attachment Filtering
http://technet.microsoft.com/en-us/library/bb124399.aspx
Vinod |CCNA|MCSE 2003 +Messaging|MCTS|ITIL V3|- Marked As Answer byElvis Wei -MSFTMSFT, ModeratorFriday, November 13, 2009 6:02 AM
Hi Michael,
Regarding how to control the attachment in OWA, you could refer to the following article:
http://www.petri.co.il/control-exchange-server-2007-attachments-through-owa-part-one.htm
How to control the attachment in Outlook:
Customize attachment settings in Outlook 2007
http://technet.microsoft.com/en-us/library/cc178961.aspx
If you want strip the attachment only in server side, I would like to explain Exchange 2007 doesn't have such a feature and you may need to leverage other software to do that.
Thanks,
Elvis
- Marked As Answer byElvis Wei -MSFTMSFT, ModeratorFriday, November 13, 2009 6:01 AM
