Configuring Blocked File Extensions

Microsoft Windows SharePoint Services provides the ability to restrict certain kinds of files from being uploaded or retrieved, based on the file extension. For example, a file with the .exe file extension could potentially contain code that runs on client computers when it is downloaded. Because it has the .exe file extension, the file can be run on demand when it is downloaded. If files with the .exe file extension are blocked, users can neither upload nor download a file with the .exe extension, and potentially dangerous content in the .exe file cannot be downloaded. This feature does not prevent all exploits based on file types, nor is it designed to do so.

By default, several standard file extensions are blocked, including any file extensions that are treated as executable files by Windows Explorer. Files with curly braces { or } are also blocked automatically. The file extensions blocked by default are:

File extension File type
.ade Microsoft Access project extension
.adp Microsoft Access project
.app Application file
.bas Microsoft Visual Basic class module
.bat Batch file
.chm Compiled HTML Help file
.class Java class file
.cmd Microsoft Windows NT Command Script
.com Microsoft MS-DOS program
.cpl Control Panel extension
.crt Security certificate
.dll Windows dynamic link library
.exe Excutable program
.fxp Microsoft Visual FoxPro compiled program
.hlp Help file
.hta HTML application
.ins Internet Naming Service
.isp Internet Communication settings
.jse JScript Encoded Script file
.lnk Shortcut
.mda Microsoft Access add-in program
.mdb Microsoft Access program
.mde Microsoft Access MDE database
.mdt Microsoft Access data file
.mdw Microsoft Access workgroup
.mdz Microsoft Access wizard program
.msc Microsoft Common Console Document
.msi Microsoft Windows Installer package
.msp Windows Installer update
.mst Visual Test source files
.ops Microsoft Office profile settings file
.pcd Photo CD image or Microsoft Visual Test compiled script
.pif Shortcut to MS-DOS program
.prf System file
.prg Program source file
.reg Registration entries
.scf Windows Explorer command file
.scr Screen saver
.sct Windows Script Component
.shb Windows shortcut
.shs Shell Scrap Object
.url Uniform Resource Locator (Internet shortcut)
.vb Visual Basic Scripting Edition (VBScript) (Visual Basic Scripting Edition (VBScript): A subset of the Visual Basic for Applications programming language optimized for Web-related programming. As with Microsoft JScript, code for VBScript is embedded in HTML documents.) file
.vbe VBScript Encoded Script file
.vbs VBScript file
.wsc Windows Script Component
.wsf Windows Script file
.wsh Windows Script Host Settings file

The list of file extensions is controlled for the entire server or server farm (server farm: A centralized grouping of network servers maintained by an enterprise or, often, an Internet service provider (ISP). A server farm provides a network with load balancing, scalability, and fault tolerance.) and is recorded in the configuration database (configuration database: The Microsoft SQL Server or MSDE database that contains the configuration information that applies across all servers in a deployment of Windows SharePoint Services, such as virtual server information.). Because the list of blocked file types is maintained by file extension, all files that use a file extension on the list cannot be uploaded or downloaded, irrespective of the file's intended use. If .asp is on the list of extensions to block, the feature blocks all .asp files on the server, even if they're used to support Web site features on another server in the server farm. If a file ends in a period (.), the preceding characters are checked against the list of blocked file extensions as well. For example, if .exe is on the list of blocked file extensions, a file called "filename.exe." is also blocked. The following list shows different ways of representing the same file, all of which are blocked if the .hta extension is on the list of blocked file extensions:

  • filename.hta
  • filename.hta.
  • filename.hta.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}
  • filename.hta::$DATA

You can determine which files are blocked for Web sites on your servers by modifying the list of blocked file extensions. You can block additional file extensions (up to 1024 file types) by adding them to the list in the SharePoint Central Administration pages, or remove a block by deleting the file extension from the list. When you change the list of file extensions, the change affects both new files being added to a Web site and files already posted to a Web site. For example, if a document library (document library: A folder where a collection of files is stored and the files often use the same template. Each file in a library is associated with user-defined information that is displayed in the content listing for that library.) contains a .doc file, and you add the .doc file extension to the list of blocked file extensions, users will no longer be able to open the .doc file in the document library. Users will be able to rename or delete a file with a blocked file extension, but will not be able to perform any other actions.

Add or remove a file type from the list of blocked file extensions
  1. Click Start, point to All Programs, point to Administrative Tools, and then click SharePoint Central Administration.
  2. On the SharePoint Central Administration page, under Security Configuration, click Manage blocked file types.
  3. On the Manage List of Blocked File Types page, perform one of the following actions:
    • To add a file type, click in the list and type the extension.
    • To delete a file type, delete the file extension from the list.
  4. Click OK.
 
 
Applies to:
Deployment Center 2003