| CISA

Block High-risk File Types at Web Gateway (CM0047)

In Playbook

Details

ID: CM0047
Version: 1.0
Created: 14 March 2025
Modified: 14 March 2025
Type: Disable
Status: Active

Intended Outcome

Blocking high-risk file types at the web gateway restricts adversary initial access and execution.

Introduction

A web gateway acts as an intermediary, situated between end-users and the internet. Web gateways can be hosted on-premises or via the cloud. The web gateway's purpose is to inspect, analyze, and filter malicious inbound/outbound web traffic. Web gateways enforce acceptable use and security policies.

Preparation

Research the web gateway's capabilities.
Review policies currently applied to the web gateway.
Identify file types necessary to operations.
Identify file types that if blocked, could result in operational disruption.

Risks

Blocking a file type that is necessary to operations can result in an operational disruption. To mitigate the risk of disruption, ensure that blocked file types are not required. Continually monitor the web gateway and adjust policies accordingly.

Guidance

This countermeasure assumes the organization is using a web gateway. Please refer to vendor documentation for specific guidance.

Login to the web gateway management portal
Locate the existing rule you want to edit or create a new rule
Edit or populate the rule with content
Save, add, and activate the rule
Monitor the web gateway to ensure the newly created rule is effective

Though not exhaustive, the following file types could introduce risk. Consider blocking executable file types. Other file types can be blocked though operational necessity should be considered to mitigate the likelihood of disruption.

File Types	File Extensions
Executable	exe, scr, vbs, js, xml, docm, xps
Image	iso, img
Archive/Compressed	arj, lzh, r01, r14, r18, r25, tar, ace, zip, jar
Documents	doc, rtf, xls, pdf, pub

References

File Types to Block | https://docs.umbrella.com/umbrella-user-guide/docs/file-types
Internet Gateway Best Practice Security Policy | https://docs.paloaltonetworks.com/best-practices/internet-gateway-best-practices/best-practice-internet-gateway-security-policy/transition-safely-to-best-practice-security-profiles/transition-file-blocking-profiles-safely-to-best-practices