| |||||
| |||||
Microsoft Windows SharePoint Services provides the ability to restrict certain kinds of files from being uploaded or retrieved, based on the file extension. For example, a file with the .exe file extension could potentially contain code that runs on client computers when it is downloaded. Because it has the .exe file extension, the file can be run on demand when it is downloaded. If files with the .exe file extension are blocked, users can neither upload nor download a file with the .exe extension, and potentially dangerous content in the .exe file cannot be downloaded. This feature does not prevent all exploits based on file types, nor is it designed to do so.
By default, several standard file extensions are blocked, including any file extensions that are treated as executable files by Windows Explorer. Files with curly braces { or } are also blocked automatically. The file extensions blocked by default are shown in the following table.
| File extension | File type |
| .ade | Microsoft Access project extension |
| .adp | Microsoft Access project |
| .app | Application file |
| .bas | Microsoft Visual Basic class module |
| .bat | Batch file |
| .chm | Compiled HTML Help file |
| .class | Java class file |
| .cmd | Microsoft Windows NT Command Script |
| .com | Microsoft MS-DOS program |
| .cpl | Control Panel extension |
| .crt | Security certificate |
| .dll | Windows dynamic link library |
| .exe | Program |
| .fxp | Microsoft Visual FoxPro compiled program |
| .hlp | Help file |
| .hta | HTML program |
| .ins | Internet Naming Service |
| .isp | Internet Communication settings |
| .jse | JScript Encoded Script file |
| .lnk | Shortcut |
| .mda | Microsoft Access add-in program |
| .mdb | Microsoft Access program |
| .mde | Microsoft Access MDE database |
| .mdt | Microsoft Access data file |
| .mdw | Microsoft Access workgroup |
| .mdz | Microsoft Access wizard program |
| .msc | Microsoft Common Console Document |
| .msi | Microsoft Windows Installer package |
| .msp | Windows Installer patch |
| .mst | Visual Test source files |
| .ops | Microsoft Office profile settings file |
| .pcd | Photo CD image or Microsoft Visual Test compiled script |
| .pif | Shortcut to MS-DOS program |
| .prf | System file |
| .prg | Program source file |
| .reg | Registration entries |
| .scf | Windows Explorer command file |
| .scr | Screen saver |
| .sct | Windows Script Component |
| .shb | Windows shortcut |
| .shs | Shell Scrap Object |
| .url | Uniform Resource Locator (Internet shortcut) |
| .vb | Microsoft Visual Basic Scripting Edition (VBScript) file |
| .vbe | VBScript Encoded Script file |
| .vbs | VBScript file |
| .wsc | Windows Script Component |
| .wsf | Windows Script file |
| .wsh | Windows Script Host Settings file |
The list of file extensions is controlled for the entire server or server farm and is recorded in the configuration database. Because the list of blocked file types is maintained by file extension, all files that use a file extension on the list cannot be uploaded or downloaded, irrespective of the file's intended use. If .asp is on the list of extensions to block, the feature blocks all .asp files on the server, even if they're used to support Web site features on another server in the server farm. If a file ends in a period (.), the preceding characters are checked against the list of blocked file extensions as well. For example, if .exe is on the list of blocked file extensions, a file called "filename.exe." is also blocked. The following list shows different ways of representing the same file, all of which are blocked if the .hta extension is on the list of blocked file extensions:
You can determine which files are blocked for Web sites on your servers by modifying the list of blocked file extensions. You can block additional file extensions (up to 1,024 file types) by adding them to the list in the SharePoint Central Administration pages, or you can remove a block by deleting the file extension from the list. When you change the list of file extensions, the change affects both new files being added to a Web site and files already posted to a Web site. For example, if a document library contains a .doc file, and you add the .doc file extension to the list of blocked file extensions, users will no longer be able to open the .doc file in the document library. Users will be able to rename or delete a file with a blocked file extension but will not be able to perform any other actions.