I figured I’d throw this out there.. I wanted to make sure that in the event that somehow my network were infected by something that used this vulnerability that it would be limited to an individual machine. Basically, I didn’t want it on my file server. Also, at the bottom of this post I give a link to an article about enabling “File Screening” on Windows server’s that will accomplish the same thing as what I do here…
On my NAS running Samba:
# cat /usr/local/samba/lib/smb.conf|grep Veto Veto Files = /*.lnk/
On another box:
# mount -t smbfs //1.2.3.4/data -o username=blah /share # touch /home/matt/test.lnk # touch /home/matt/test.txt # cp /home/matt/test.txt /share # cp /home/matt/test.lnk /share cp: cannot create regular file `/share/test.lnk': No such file or directory # ls -l /share/test.lnk /bin/ls: cannot access /share/test.lnk: No such file or directory
Super simple and at least it will prevent the spread.
If you want to block more than just one file type, the syntax looks like this:
Veto Files = /*.lnk/*.exe/*.dll/*.bat/*.pif/*.whatever/
Just keep in mind what it is that you have on your file server. If you block something, people wont be able to save these file types, but they also wont be able to access them. So!
If you run Windows Server as your file server, you can implement “File Screening”. I don’t use Windows for any network/server applications, so I’m not about to sit here and write the 358735 steps it takes to point-and-click your way to enabling file screening, but thankfully this guy cares more about Windows than I do, so he’s already written up an article on how to do it. It’s not specifically FOR .lnk files, but it will work.
Related posts: