Slashdot Mirror


Blocking MSN Messenger?

Tekno2k3 asks: "As a sysadmin for a financial company, I have been tasked with removing Instant Messaging from our network. The only service that is being difficult is MSN Messenger. It uses many methods to get around being blocked. These include using port 80, using its own DNS servers for lookup, using MANY logon servers, and using reverse DNS lookup. Has anyone had any success in blocking Messenger?"

236 comments

  1. Group policies are the solution by Anonymous Coward · · Score: 5, Informative

    Disable MSN Messenger via group policy.

    1. Re:Group policies are the solution by leifm · · Score: 1

      Where I work IM is forbidden, I know for a fact that AIM is blocked (not sure how), and they seem to have figured out how to block the AIM express applet as well. I am not sure about Messenger, since I don't use that on general principle. However the one glaring omission by our network was Jabber. I could get to ICQ/AIM and probably Messenger using Jabber.

      --

      "Windows Me offers tremendous reliability and stability improvements..." -- Paul Thurott
    2. Re:Group policies are the solution by neosake · · Score: 1

      Actually removing the program does not actually block messenger. There are many clones out there that use the same protocol and servers that messenger uses (trillian, JMSN, etc).

      To actually effectively remove MSN Messenger communications, work must be done at the firewall level. (I won't bother repeating the excellent solutions below)

      --
      "When a ball dreams, it dreams it's a frisbee"
    3. Re:Group policies are the solution by Tekno2k3 · · Score: 1

      Microsoft built Messenger to bypass firewalling. It will use different ports and different IPs.

    4. Re:Group policies are the solution by Directrix1 · · Score: 2, Insightful

      Instead of going the technical approach, have you ever considered proposing the idea of docking pay, and/or firing? Most people need their jobs more than they need instant messaging. Also, why are you letting your users install programs on the company's computers? Do you have everyone run as admin?

      --
      Occam's razor is the blind faith in the natural selection of least resistance and in universal oversimplification. -- EF
    5. Re:Group policies are the solution by b!arg · · Score: 1

      Well if I'm not mistaken MSN Messenger is a "feature" of XP and seems to be pretty well ingrained much like IE. If he's not using WinXP then you're right...

      --

      Everybody dies frustrated and sad and that is beautiful
    6. Re:Group policies are the solution by Alizarin+Erythrosin · · Score: 1

      Yes, there are others, but do we really think that the Average Joe IM-Abuser-At-Work will know of these programs?

      --
      There are only 10 kinds of people in this world... those who understand binary and those who don't
    7. Re:Group policies are the solution by MrResistor · · Score: 4, Insightful

      Yes, there are others, but do we really think that the Average Joe IM-Abuser-At-Work will know of these programs?

      Yes, within a week of whatever he was using being blocked. It only takes one person to figure it out, and word will spread.

      --
      Under capitalism man exploits man. Under communism it's the other way around.
    8. Re:Group policies are the solution by Directrix1 · · Score: 1

      Oooh oooh, I got a better idea!!!! Sue Microsoft!!!!! Or better yet, sue yourself. That way Microsoft will be forced to foot the bill.

      --
      Occam's razor is the blind faith in the natural selection of least resistance and in universal oversimplification. -- EF
    9. Re:Group policies are the solution by leifm · · Score: 2, Interesting

      XP Pro has a number of things I don't think have a place in corporate environments. Such as MSN Explorer, Messenger (the non-exchange one at least), Windows Movie Maker, Media Player, games. You would think that in the Pro version at least you could remove these things. I have been unsuccessful at ridding my work box of anything but Messenger.

      --

      "Windows Me offers tremendous reliability and stability improvements..." -- Paul Thurott
    10. Re:Group policies are the solution by kfuq · · Score: 1
      --
      iF yOu WAnT to C YOUr iP agaIn gAThEr tWO MilLIon dOLLArS IN Non - cONsEcuTivE TweNtY's AnD AWaiT FuRThER iNstrUctIoN
  2. The easy way isn't always popular by seinman · · Score: 5, Funny

    Fire everyone who's caught using it. Eventually you'll fire enough people that they'll be afraid to open it. Just like the RIAA suing P2P users... eventually nobody will share because they'll be afraid of lawsuits.

    1. Re:The easy way isn't always popular by questionlp · · Score: 3, Informative

      One thing that could be done is to forcibly remove any software installed on the machines (using things like SMS or LANDesk) that shouldn't be on there... including any IM tools that they want to block. Once you remove them, keep a log/audit of which apps are running on which machines on a daily basis and those who continue to install software that is banned should be passed on to management.

      With MSN Messenger literally embedded in Windows XP, that may be a bit hard unless you create a policy that not only hides the program but also restricts access to the application's folder and executables to the domain administrator or equivalent account if you are in an NT4/AD/NDS environment.

      Just some thoughts... though I really don't know how useful they are :)

    2. Re:The easy way isn't always popular by bluephone · · Score: 5, Informative
      Actually, it IS possible to remove MSN Messenger, and even things like Outlook Express. Two ways actually.

      You can just delete it, but make sure you delete it from both the program folder, and %SYSTEMROOT%\system32\dllcache which is where the "protected" copies live.

      An easier way is to edit %systemroot%\inf\sysoc.inf

      Open it in Notepad and under the Edit > Replace menu, replace all instances of HIDE with nothing, save, reboot. Then you can go to Control Panel > Add/Remove Programs and tell Windows to remove it.

      --
      jX [ Make everything as simple as possible, but no simpler. - Einstein ]
    3. Re:The easy way isn't always popular by bigsteve@dstc · · Score: 2, Funny
      Eventually you'll fire enough people that they'll be afraid to open it.
      ... or there won't be anyone left to fire :-).
    4. Re:The easy way isn't always popular by Kizzle · · Score: 1, Insightful

      Are you fucking serious? Really. Have you ever had a job before? You can't go around firing people for petty reasons like instant messaging. Before you know it you have people striking and everyone hates you.

    5. Re:The easy way isn't always popular by bigsteve@dstc · · Score: 4, Insightful
      You can't go around firing people for petty reasons like instant messaging.
      Who are you to say that this would be petty? I can think of any number of reasons why instant messaging might be deemed highly inappropriate in a particular workplace. If that is the case, AND management has made this clear to all employees, then somebody who willfully flouts the rules deserves to be sacked.
    6. Re:The easy way isn't always popular by Tuxinatorium · · Score: 2, Insightful

      I call BS. Instant messaging is a useful tool that has many legitimate applications in the workplace, and in any case should be acceptable to use during breaks just like a cell phone, etc. Banning IM programs just means they don't trust the employees, and it's analogous to a high school where students aren't allowed to leave the building during lunch break. That's petty.

    7. Re:The easy way isn't always popular by Zocalo · · Score: 4, Informative

      Actually, I doubt this is BS in this particular case. The specific case in question is in the financial sector, and it is often a requirement that *all* electronic communication is logged in such places to help prevent insider trading etc. Legitimate or not, if IM provides no logging of conversations then such institutions will need to evict it from their network.

      --
      UNIX? They're not even circumcised! Savages!
    8. Re:The easy way isn't always popular by JohnFluxx · · Score: 1

      They could go through a sametime server - that provides logging and support for msn.

    9. Re:The easy way isn't always popular by More+Karma+Than+God · · Score: 1

      But how do you enforce that?

      --
      Go here to create your own Slashdot dis
    10. Re:The easy way isn't always popular by gallen1234 · · Score: 4, Informative

      In a financial services environment this is definitely not petty. If I remember a previous discussion correctly they are required by law to log all IM activity - not an easy proposition. Failure to do so will get them an unpleasant visit from the SEC.

    11. Re:The easy way isn't always popular by Anonymous Coward · · Score: 0

      Yeah man, and kazaaa is a useful tool that has many legitimate places in the workplace.

    12. Re:The easy way isn't always popular by JohnFluxx · · Score: 2, Funny

      punish anyone that doesn't use sametime ;)

    13. Re:The easy way isn't always popular by Johnny+Mnemonic · · Score: 1


      Doesn't MSN provide for logging? Even iChat does, so I'm kinda surprised that it's not there for MSN.

      Or is it that logging is an option, without an easy way to force it and set it [true] by default?

      --
      $tar -xvf .sig.tar
    14. Re:The easy way isn't always popular by salesgeek · · Score: 1

      management has made this clear to all employees, then somebody who willfully flouts the rules deserves to be sacked.

      Is thinking prohibited on the job, too?

      --
      -- $G
    15. Re:The easy way isn't always popular by leifm · · Score: 1

      In addition to that I've seen some interesting little proof of concept worms come in through Messenger.

      --

      "Windows Me offers tremendous reliability and stability improvements..." -- Paul Thurott
    16. Re:The easy way isn't always popular by DShard · · Score: 1

      transparent proxies.

    17. Re:The easy way isn't always popular by bigsteve@dstc · · Score: 1
      Is thinking prohibited on the job, too?

      No, but hanging your butt out of an office window probably is!!

      The point is that management has the right to set rules about what is not acceptable behaviour. Within limits of fairness, due process, etc, they are entitled to take action against people who break the rules ... including dismissal. The fact that an employee might think the rules are petty is not relevant.

    18. Re:The easy way isn't always popular by Anonymous Coward · · Score: 0

      Yeah right! And while you're at it, ban also their telephone and prohibit the use of cellphones, take out the coffee machine .. or better, lock everyone in into their cubicle, chain 'm and point a camera at them .. and then you start wondering why they aren't productive. Stop fucking around and allow MSN and accept that they use it for productive or non-productive reasons! They *will* be unproductive whatsoever!!!!

    19. Re:The easy way isn't always popular by secolactico · · Score: 1

      Before you know it you have people striking and everyone hates you.

      For the life of me, I can't remember white collar workers ever striking. They usually just file a wrong termination suit or somesuch. I might be wrong, tho, I admit I haven't lived much.

      As for hatred, meh... Managers will almost always be hated/mistrusted by the managed.

      --
      No sig
    20. Re:The easy way isn't always popular by bigsteve@dstc · · Score: 2, Insightful
      Yes. Some employers don't trust their employees. And in some cases, the distrust is entirely justified. (In the same way, some high-school students are not worthy of trust. BTW, when I went to high school, we weren't allowed to leave the school grounds at lunch time. Those of us who had at least half a brain were capable of understanding why ... and it was nothing to do with pettiness.)

      Banning instant messaging might be counter productive if the aim is to increase the amount of work done. (It is bad for staff morale.) However, it is management's responsibility to manage productivity. If the workplace culture (or the nature of the work) is such that people find excuses to "bunk off" all of the time, then banning instant messaging as a time waster may be necessary. Besides, there are other (much stronger) reasons why instant messaging might be banned. For example:

      • A workplace requirement for communication monitoring; e.g. finance, defence, etc.
      • A need to protect infrastructure; e.g. against viruses.
      • A need to conserve bandwidth, or control network usage charges.
    21. Re:The easy way isn't always popular by Tekno2k3 · · Score: 2, Insightful

      The real point is that SEC says we HAVE to block it or log it via a server (not the logging that users initiate) or we get shut down.

    22. Re:The easy way isn't always popular by Tekno2k3 · · Score: 1

      You are overexaggerating AND blowing up in the wrong direction. In the financial world, take Enron or Martha Stewart as examples, insider trading is SERIOUS business. Inside traders can screw us all. I am sure everyone remembers how the end of the tech boom all but doomed most of us. This happened because of bad business and insiders. This is why we are required to monitor all activity in these walls. We are not tapping home phones. But we are trying to protect our futures. People get so caught up in the fantasy world of anarchy and forget that rules are there for a reason. I was rebellious once, too, but I grew up.

    23. Re:The easy way isn't always popular by budgenator · · Score: 1

      Open it! You're living in a dream world! Messenger is buried in WindowsXP so deep it's like trying to kill a hydra by beheadment. Every time I think it's gone, or at least shut up, the next "updates" puts it back in or turns it on. I get more IM spam thru messenger, than thru Email so there is nothing you have to open. Guess I'm spoiled by using Linux.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    24. Re:The easy way isn't always popular by ratsnapple+tea · · Score: 1

      The issue is that most financial companies, for whatever reason, would rather not keep logs at all. The law requiring IM logging only came into effect a few weeks ago, and until then most companies treated IM like phone calls. Now companies who want to minimize their risk to insider-trading charges (spurious or not) are requiring business to be conducted over the phone, since phone calls still don't need to be recorded. This way there's no permanent record of what was said, and therefore it's much harder to build a case against the parties involved. That's business in the 21st century.

      yours

    25. Re:The easy way isn't always popular by fubar1971 · · Score: 1

      In a perfect world, it would be nice to allow people to use IM for personal use on their breaks. Unfortunately this is not a perfect world. People have a tendency to abuse the privileges they are given. People will use the IM anytime they feel the urge to communicate with someone else. This has a tendency to turn 15 minute breaks into 30 minute breaks and 1/2 hour lunches into 2 hour lunches.

      The part of IM that I really hate is that most IM clients will allow the user to download files. I can not tell you how many times I have seen people get viral infections because their new friend that they just made on-line, sent them a really cool screensaver. Next thing you know my firewall is logging multiple netbus and subseven attacks. I even had one l-user chatting with a friend (that they have only known online for a couple of days) that tried to walk my l-user through how to disable the AV software (luckily they can't, because it is locked down), because they constantly kept trying to send her (through IM) a file with Back Orifice.

      Another business problem with IM, is if the l-users are chatting online, then they are utilizing costly bandwidth that their employer pays for. If you remove all IM'ing, then you have increased the amount of available bandwidth for business opportunities.

      So as to being petty, that may be true, but in the business world the bottom line is what counts. Due to reduced productivity, costly IT expenses to cleanup the messes that IM users create, and increased bandwidth availability, I can understand why businesses want to ban IM. Don't get me wrong, IM is a great way to communicate, and has the potential to be an extremely useful and powerful business tool. Unfortunately people have turned it into a costly nightmare.

    26. Re:The easy way isn't always popular by Asgard · · Score: 1

      I'm almost certain all calls to/from a trading company are recorded.

    27. Re:The easy way isn't always popular by Anonymous Coward · · Score: 0

      Petty? You didn't go to /my/ high school.

      It must be nice to live in your little white utopia where all students love mom and apple pie.

    28. Re:The easy way isn't always popular by nomel · · Score: 1

      And just like China, how they imprison people that speak badly about the government, or leak information, such as a virus outbreak. :)

    29. Re:The easy way isn't always popular by ATMAvatar · · Score: 1

      For the life of me, I can't remember white collar workers ever striking.

      Tell that to Boeing.

      --
      "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
    30. Re:The easy way isn't always popular by Johnny+Mnemonic · · Score: 1


      since phone calls still don't need to be recorded.

      Ah, I see. I assumed that they were also being recorded, and maybe transcribed by an auto-thingy. The analog hole, again. I'm curious--are there plans to require logged phone calls then, too? This seems a rather obvious omission.

      --
      $tar -xvf .sig.tar
    31. Re:The easy way isn't always popular by Jucius+Maximus · · Score: 2, Informative
      "Are you fucking serious? Really. Have you ever had a job before? You can't go around firing people for petty reasons like instant messaging"

      Instant messaging could be considered to be inappropriate use of company resources. That's pretty serious. It's also a security vulnerability because someone could send you a trojan. Violating the company's security policies is pretty serious too. Aren't there rules about the logging of business communications? Could the company get in trouble with the SEC if they don't properly log everything like IMs? Yes, employees could get into big trouble for using MSN IM. It's not such a petty little thing.

    32. Re:The easy way isn't always popular by op00to · · Score: 2, Interesting

      Case in point:

      I work for a large state university.

      There are very strict laws regarding the use and storage of any student information. A student's personal data (SSN, Address, on campus phone #) must be kept private at all costs.

      When word got out that some departments were using AIM to send student information between employees, a lot of people got very nervous.

      To fix this situation, we set up an internal SSL'd Jabber Server. Even though the rules are clear, some people still try to use AIM.

      In this situation, for those employees who are working with this student data, it would not be outrageous to make sure that there is no way that this data could be sent over a connection through AOL's servers.

      The burden of proof is on the University to make sure that this information is being used and stored in a manner consistent with the law. To be extra 100% sure, the best way to solve this issue is to block access to IM services.

      The best way that I would think of doing this is just to firewall off all the machines from the internet, and have the machines use a web proxy for outside web access. If a user uses the proxy to run their MSN client, it would be fairly easy to spot in the logs of the proxy server.

      This is not BS. It doesn't matter if you "Trust" someone or not -- this is the real world. High schools are anal with their students because high school students are uncivilized beasties. Businesses and the like are anal because they get in deep shit if an employee mistakenly pastes some sort of information in the wrong application.

      It's not petty -- in fact, in both situations, High Schools and Businesses have liability that isn't exactly trivial. I would say that this situation is the exact opposite of petty.
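
The proxy-log check described in the comment above, sketched as an added example (not part of the original thread): it scans Squid-style access.log lines and reports which clients produced Messenger-looking requests, including attempts the proxy already denied. The hostname suffix, MIME type and port used as indicators are assumptions not taken from this page, and the log lines are constructed samples.

```python
"""Flag likely MSN Messenger traffic in Squid-style proxy access logs."""
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed indicators (not from the thread): hostname suffix, MIME type and
# TCP port historically associated with the MSN Messenger service.
MSN_HOST_SUFFIXES = ("messenger.hotmail.com",)
MSN_MIME = "application/x-msn-messenger"
MSN_PORT = 1863

# Constructed sample in Squid's native access.log layout:
# time elapsed client action/code bytes method URL ident hierarchy/peer mime
SAMPLE_LOG = """\
1058270001.101 120 10.1.4.22 TCP_MISS/200 512 POST http://gateway.messenger.hotmail.com/gateway/gateway.dll?Action=open - DIRECT/192.0.2.10 application/x-msn-messenger
1058270002.340 95 10.1.4.22 TCP_MISS/200 310 POST http://gateway.messenger.hotmail.com/gateway/gateway.dll?SessionID=1 - DIRECT/192.0.2.10 application/x-msn-messenger
1058270003.000 40 10.1.7.9 TCP_MISS/200 20480 GET http://www.example.com/index.html - DIRECT/192.0.2.20 text/html
1058270004.500 3000 10.1.9.5 TCP_MISS/200 900 CONNECT messenger.hotmail.com:1863 - DIRECT/192.0.2.11 -
1058270005.250 15 10.1.7.9 TCP_DENIED/403 0 CONNECT 192.0.2.55:1863 - NONE/- -
this line is truncated
"""


def parse_line(line):
    """Split one native-format access.log line; return None if malformed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    return {
        "client": fields[2],
        "action": fields[3].split("/")[0],
        "method": fields[5],
        "url": fields[6],
        "mime": fields[9].split(";")[0].lower(),
    }


def target_host_port(method, url):
    """Return (host, port); a CONNECT target is 'host:port', not a URL."""
    try:
        if method == "CONNECT":
            host, _, port = url.rpartition(":")
            return host.lower(), int(port)
        parts = urlsplit(url)
        return (parts.hostname or "").lower(), parts.port
    except ValueError:  # missing or non-numeric port
        return "", None


def host_is_msn(host):
    """Match the suffix on a label boundary so look-alike names do not hit."""
    return any(host == s or host.endswith("." + s) for s in MSN_HOST_SUFFIXES)


def classify(entry):
    """Return the set of indicators ('host', 'mime', 'port') a request trips."""
    host, port = target_host_port(entry["method"], entry["url"])
    reasons = set()
    if host_is_msn(host):
        reasons.add("host")
    if entry["mime"] == MSN_MIME:
        reasons.add("mime")
    if port == MSN_PORT:
        reasons.add("port")
    return reasons


def find_msn_clients(log_text):
    """Map client IP -> hit count, denied count and indicators seen."""
    report = defaultdict(lambda: {"hits": 0, "denied": 0, "reasons": set()})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip blank or truncated lines instead of failing
        reasons = classify(entry)
        if not reasons:
            continue
        row = report[entry["client"]]
        row["hits"] += 1
        row["denied"] += entry["action"].endswith("DENIED")
        row["reasons"] |= reasons
    return dict(report)


if __name__ == "__main__":
    for client, row in sorted(find_msn_clients(SAMPLE_LOG).items()):
        print(client, row["hits"], row["denied"], sorted(row["reasons"]))
```
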

    33. Re:The easy way isn't always popular by Tuxinatorium · · Score: 1

      It's easy enough to get information across without a trace even when the message is logged. If insider traders were the least bit smart they'd use steganography.

    34. Re:The easy way isn't always popular by Tuxinatorium · · Score: 1

      A workplace requirement for communication monitoring; e.g. finance, defence, etc.

      A futile maneuver that can easily be flouted by using steganography in e-mails.

      A need to protect infrastructure; e.g. against viruses.

      That's also futile, if they're using windows. Messenger is a tiny minor hole compared to the gaping ones in the OS itself.

      A need to conserve bandwidth, or control network usage charges.

      Text messaging uses negligible bandwidth, and bandwidth costs less than 1/10 of a cent in bulk, meaning that If I used IM a lot for years and years it might cost the company an extra 1/10 of a cent in bandwidth out of my $50,000+/year salary. It's a grain of sand in the sea. All of those reasons are bunk, and would only provide justification to those who truly have their heads up their asses.

    35. Re:The easy way isn't always popular by camelrider · · Score: 1

      This is not BS. If I learned that my bank allowed IM on the network that contains my account information I would probably be looking for a more reliable bank!
      This is not just an IT responsibility. People who work on a sensitive network must be made aware by management that if they compromise the security of the network they are subject to disciplinary action.

    36. Re:The easy way isn't always popular by 0x0d0a · · Score: 1

      BTW, when I went to high school, we weren't allowed to leave the school grounds at lunch time. Those of us who had at least half a brain were capable of understanding why ... and it was nothing to do with pettiness

      Back when I was an HS student, I spent time both at an urban school where you could leave school grounds and go get food and other things at shops, run errands, whatever, and a school in the middle of nowhere where you couldn't.

      People did drugs, had sex, vandalized stuff, and cut classes in both environments (granted, at the closed campus, they'd have to cut the whole day instead of a single class). The major difference was that on the closed campus, everyone was stuck with school food, everyone resented the situation, simple pragmatism made the guards essentially let anyone go at any time (you can't check up on all the people going in and out of a good size HS each day), and you couldn't get useful errands done during the day.

    37. Re:The easy way isn't always popular by Glonoinha · · Score: 1

      Off topic (sorta)

      How do they propagate? Are they self spawning like the HTML loopholes that bit us in Outlook, or is it just sending a program named I_Love_You.doc.vbs (or whatever) to curious users who then run it (at which point it does whatever it does.)

      --
      Glonoinha the MebiByte Slayer
    38. Re:The easy way isn't always popular by Glonoinha · · Score: 1

      SEC also says you must keep all work related email for three years, keeping it in a readily accessed form for two of those years.

      I am curious, how do you manage that?

      --
      Glonoinha the MebiByte Slayer
    39. Re:The easy way isn't always popular by Tuxinatorium · · Score: 1

      typo: i meant 1/10 of a cent per GB

    40. Re:The easy way isn't always popular by Tekno2k3 · · Score: 1

      It must be done using a third party archiving app that lives on the Exchange server. It basically grabs every email before the recipient ever sees it. Backup isn't good enough because it gives the recipient the option of deleting it before backup. It requires A TON of drive space, but it is money better spent there than in court.

    41. Re:The easy way isn't always popular by leifm · · Score: 1

      The one I saw would send out a file transfer request (Hi, want to see my new pic?), and if the user receiving the request answered in the affirmative (Symantec had the whole list of things it'd accept) it'd transfer the file. If you looked at the file it was a VBS icon, and if you have hide known extensions off it was named something.jpg.vbs. So if you are paying attention to icons/extensions it should just get deleted. My girlfriend however wasn't paying attention. She ran it, it pops up a fake corrupt file message, and adds itself to the startup area of the registry. Then it just sends out more Want my new pic? messages to everyone on the infected user's list. It also dropped a file somewhere (can't remember where) that told you it meant no harm, and gave instructions on how to remove it.

      So no it wasn't using any real loophole, although I am not sure why VBScript can send messages without your knowledge.

      --

      "Windows Me offers tremendous reliability and stability improvements..." -- Paul Thurott
    42. Re:The easy way isn't always popular by Zork+the+Almighty · · Score: 1

      People have a tendency to abuse the privileges they are given. People will use the IM anytime they feel the urge to communicate with someone else. This has a tendency to turn 15 minute breaks into 30 minute breaks and 1/2 hour lunches into 2 hour lunches.

      The same argument could easily be applied to the telephone, or to email, or to face-to-face conversations.

      --

      In Soviet America the banks rob you!
    43. Re:The easy way isn't always popular by Anonymous Coward · · Score: 0

      Parent != Informative

      MSN Messenger is NOT "literally embedded in Windows XP". If you are referring to Windows Messenger, then you need to be informed that they are not the same thing, and you can always disable that service.

      Questionlp, please tell me where I might find MSN Messenger on my Windows XP box? It's not there, never was, and that makes it far from "embedded".

    44. Re:The easy way isn't always popular by dbrutus · · Score: 1

      All communications in brokerages have to be logged and reviewable by management and the government so that people don't pass on inside tips to allow confederates to trade ahead of large moves in a security. AFAIK, MSN simply doesn't come with a "run through central logging server" feature, thus it's illegal for certain companies to have on their network and people run the risk of massive fines or jail time if they ignore the problem.

      Is that petty? I don't think so.

    45. Re:The easy way isn't always popular by dbrutus · · Score: 1

      Is it technically possible to violate the law even with logging? Sure. But you better make sure that all evidence is wiped and your outside confederate is solid because when those investigators start talking about 5-15 in prison for violating information secrecy/insider trading laws you are very likely going to be left holding the bag.

      Taking IM off is just keeping the honest people honest.

    46. Re:The easy way isn't always popular by dbrutus · · Score: 1

      So minorities don't love their mothers like white folk do? What a nasty racist comment.

    47. Re:The easy way isn't always popular by bigsteve@dstc · · Score: 2, Informative
      A workplace requirement for communication monitoring; e.g. finance, defence, etc. A futile maneuver that can easily be flouted by using steganography in e-mails.

      This is not futile. The monitoring system will record the email including the steganographic content, and a (later) forensic audit may reveal that content. This may be sufficient to secure a criminal conviction, if not to deter the activity in the first place.

      A need to protect infrastructure; e.g. against viruses. That's also futile, if they're using windows. Messenger is a tiny minor hole compared to the gaping ones in the OS itself.

      In the real world, organisations will employ various mechanisms to protect their infrastructure, even though they know those measures to not be completely effective. Instant messaging might be a "tiny hole" (I don't know what evidence you have for the statement). But it may also be the security hole that gets exploited, because the other holes are adequately plugged.

      A need to conserve bandwidth, or control network usage charges. Text messaging uses negligible bandwidth, and bandwidth costs less than 1/10 of a cent in bulk, meaning that If I used IM a lot for years and years it might cost the company an extra 1/10 of a cent in bandwidth out of my $50,000+/year salary. It's a grain of sand in the sea. All of those reasons are bunk, and would only provide justification to those who truly have their heads up their asses.

      A month ago I was installing software at a client site. They had 500 odd employees, and all of their external communications went through an overloaded 500Kbit pipe. Downloading a 40Mbyte installer took 1 1/2 hours. This is not bullshit! I didn't ask why they couldn't simply upgrade their network connection, but I didn't need to. The answer would have been that they didn't have flexibility to reallocate resources to address the problem. (This was a government dept.)

      Just because you haven't had enough real-world experience to recognize these situations, doesn't mean that they do not exist.

    48. Re:The easy way isn't always popular by salesgeek · · Score: 1

      management has the right to set rules about what is not acceptable behaviour.

      Of that, there is little doubt. I wonder though what the value of treating 20-70 year old adults like children is. Moral of the story: hire people you don't have to manage, then you don't have to deal with this. And people will use tools to be more effective, not to waste on the clock time.

      --
      -- $G
    49. Re:The easy way isn't always popular by Tuxinatorium · · Score: 1

      it's impossible to prove anything if they can't crack the code. And if you're good, they can't.

    50. Re:The easy way isn't always popular by Tuxinatorium · · Score: 1

      A short-range OC3 lease can be had for $30,000 and that sort of thing is reasonable for any IT company with over 100 employees. OC3 = 155Mbit/s

    51. Re:The easy way isn't always popular by bigsteve@dstc · · Score: 1

      Not in Australia it can't!

    52. Re:The easy way isn't always popular by Raven42rac · · Score: 1

      Not difficult, time consuming, but not difficult. The SEC thing is more of a "we will be here within the next three years, get your shit together." Logging e-mails was easier than logging instant messages, but it can be done.

      --
      I hate sigs.
    53. Re:The easy way isn't always popular by questionlp · · Score: 1

      There is the Messenger service and there is the MSN Messenger client that is included with Windows XP. I definitely know the differences between the two.

      With SP1 and other tricks, there are ways to remove the MSN Messenger client (or whatever Microsoft decided to call it, I can't remember but it's not the Messenger service for sending SMB messages between Windows machines on a network)... still, the MSN Messenger client is included with Windows XP and is installed by default.

    54. Re:The easy way isn't always popular by Mark+Pitman · · Score: 1
      There really are two different MS clients for the MSN Messenger service available for XP.

      Windows Messenger comes with the OS. It doesn't have the little ad window at the bottom and has basic features.

      MSN Messenger is downloadable from the MSN Messenger website. It has the ad window at the bottom and has more features like Alerts, forwarding of IMs to your mobile phone, etc.

      If you install MSN Messenger on Windows XP, Windows Messenger is still there, you can run either client, but I don't think you can log in with both at the same time (at least not with the same ID).

    55. Re:The easy way isn't always popular by 1010011010 · · Score: 1

      I am not sure why VBScript can send messages without your knowledge.

      Because Windows is fundamentally broken -- it judges whether a file is executable based on its name.

      --
      Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
    56. Re:The easy way isn't always popular by bigsteve@dstc · · Score: 1
      Moral of the story: hire people you don't have to manage, then you don't have to deal with this.

      Perhaps you can explain how an employer can determine that a potential future employee will not be a source of management problems?

    57. Re:The easy way isn't always popular by salesgeek · · Score: 1

      Perhaps you can explain how an employer can determine that a potential future employee will not be a source of management problems?

      1) Make sure you are 100% certain you have the right person.
      2) Check background, references, and use testing tools for skills and personality. (use HR professional if you don't know how to do these things legally)
      3) If someone is a management problem or you are saying, "this person will work out with a little work" in the first 90 days, let them go.

      I try my hardest to find self-managing people. When I do, I fight tooth and nail to keep and reward them. When a joker gets on to the team, we get rid of them in a hurry. I owe it to the people who work hard.

      --
      -- $G
    58. Re:The easy way isn't always popular by bigsteve@dstc · · Score: 1
      In short, no matter how hard you try, there is always a significant chance that you will employ someone who is a problem. IMO, your "moral" is a bit like this one:

      Most of the passengers on the Titanic died as a result of exposure. Moral: when your ship sinks in the North Atlantic, and you end up in the water, be careful to avoid heat loss.

    59. Re:The easy way isn't always popular by salesgeek · · Score: 1

      No, it's your choice as an employer to allow a problem employee to remain employed. The titanic story assumes you can't get off the ship when you notice it's going a little too fast in cold seas at night. You can always divorce the company from the problem employee. And even if it's inconvenient for a few weeks, you can always replace people - no matter how much they think they know, or how high up they are in the company.

      --
      -- $G
    60. Re:The easy way isn't always popular by conteXXt · · Score: 1

      not to be repetitive but:

      Some orgs (financial) have a REQUIREMENT TO LOG ANY POTENTIAL CONVERSATION with clients.

      No one is disputing IM is useful.

      For financial folks, Reuters provides a solution to this. It's an integrated msn client with the ability to log centrally etc... free to custs

      --
      The truth about Led Zep should never be told on /. (Karma suicide ensues)
    61. Re:The easy way isn't always popular by conteXXt · · Score: 1

      We are required to record (and archive) all those phone calls too.

      That's exactly why traders are always on cell phones.

      --
      The truth about Led Zep should never be told on /. (Karma suicide ensues)
    62. Re:The easy way isn't always popular by dbrutus · · Score: 1

      Idiot. You have a legal requirement not to encrypt. Keeping communications secret in that job is breaking the law. There are jobs that require you to give up some rights to take them. That's just a fact of life. Technical encryption means squat in such situations.

    63. Re:The easy way isn't always popular by bigsteve@dstc · · Score: 1
      You've missed my point.

      My point was that your "moral" was saying that you could solve the problem by not employing the wrong people. This is of course unrealistic, as my silly Titanic analogy attempted to suggest.

      Given that we accept that we sometimes employ the wrong person, we get back to the original discussion ... which is that we need some way to deal with this. Sacking the bad employee is (usually) one option.

    64. Re:The easy way isn't always popular by salesgeek · · Score: 1

      The problem with most companies is they spend six years figuring out what the best option is for the bad hire. You really have two choices:

      *Find somewhere in the company where they fit.
      *Terminate.

      Most managers never get this and live with the problem employee for years. It sucks to fire people but it sucks more to lay people off who are doing good work. And that's what happens if you don't deal with the situation with extreme speed.

      My point is this: make sure your people are all the right people. All the time. Make corrections immediately when that's not the case. Don't get caught up in trying to build a foolproof system. Just get the fools out of the system.

      --
      -- $G
    65. Re:The easy way isn't always popular by bigsteve@dstc · · Score: 1
      My point is this:
      And my point is this:
      make sure your people are all the right people. All the time.
      You can't, because you can't always predict that someone is going to be the wrong person, and ...
      Make corrections immediately when that's not the case.
      ... because you can't always get rid of someone who doesn't fit.

      In reality, there are many workplaces where it is hard to get rid of an employee who doesn't fit in or isn't competent. For example:

      • Someone employed in the public service typically cannot be dismissed without going through lengthy formal processes. (These processes are intended to help to protect against corruption and abuse, but they also shelter the lazy and incompetent.)
      • Tenured academics basically have a job for life unless they are found to have committed acts of "gross moral turpitude" ... or some such.
      • Executives often have contracts which entitle them to be fully paid out if the contract is terminated ahead of time. Even if the CEO is doing a rotten job, it may cost millions to get rid of him/her.
      • In Australia, an employer must go through a process in which the employee is warned and given a chance to correct his/her behaviour. If the employer dismisses someone out of hand, they risk being taken to court under federal Unfair Dismissal legislation. [This was the case a few years ago ...]
  3. Try this. by rplacd · · Score: 5, Informative

    Block port 1863 (tcp) at the router/nat box/whatever.

    On your web proxies (if you have them), block HTTP messages with the mime type "application/x-msn-messenger" and turn off HTTP CONNECT support for port 1863.

    Turn off SOCKS for port 1863, too.

    1. Re:Try this. by rplacd · · Score: 3, Interesting

      Oh, also. I've caught people using http redirectors. You run an app on your desktop that acts like a socks or http proxy. It encodes tcp traffic in http headers, sends it out to a site that demangles the packets and forwards them on.

      There are a few commercial companies providing this support, and pretty much everyone can set up their own tunnel. While it's not that hard to track down the commercial stuff, I'm not sure how you'd defeat the guy running a proxy redirector on his DSL'd box at home. The latter hasn't been a problem for my workplace...yet.

    2. Re:Try this. by questionlp · · Score: 5, Informative

      According to my Gaim accounts.xml file (which stores passwords in clear-text unfortunately), port 1863 should be blocked (just to be safe, both TCP and UDP) and block outbound traffic going to messenger.hotmail.com [207.46.104.20]. Keep an eye on the IP that is resolved for that host name to make sure that it doesn't change in the future :)

    3. Re:Try this. by ventalin · · Score: 1

      On top of this you can look up the login server(s) IPs and deny connections to those hosts as well just as a sanity check. Name: messenger.hotmail.com Address: 207.46.104.20

      --
      --- for more better life.
    4. Re:Try this. by Basje · · Score: 4, Informative

      I did this with my old company. They had a very strict firewall policy, and to get a port open, you had to get through higher management.

      Of course, they blocked anything apart from 80, 443 and 25, and checked the type of protocol that went over it. 80 only accepted http. Which was real handy, considering we were an internet company, and had support contracts we had to fulfil. Not. No SSH, no newsgroups to look for answers, no remote admin tools...

      So I took httptunnel, and tunneled ssh over it. My boss was ecstatic. Now we didn't have to use the phone anymore to connect to the internet in earnest. We could actually help out customers!

      Moral of this story: when people get as resourceful to tunnel through your firewall, consider that it's time to review your policy: they obviously perceive a need to do so. A 'block anything that goes in and block anything that goes out' policy doesn't really work in many cases, other than frustrating the work.

      </rant>

      --
      the pun is mightier than the sword
    5. Re:Try this. by mcdrewski42 · · Score: 2, Insightful

      Why not map that name to a dud address too?

      I assume you ownzor the DNS that client PCs will use!

      --
      /* affect != effect */ void affect(int *thing,int effect) { *thing += effect; }
    6. Re:Try this. by Elwood+P+Dowd · · Score: 3, Interesting

      I've worked in QA where employees have had to open dialup ISP accounts on personal credit cards so that they could actually test the products they were given.

      The product would try to go contact our company's webserver for some kind of content, but it wasn't proxy-aware. And they still wouldn't put us out on the internet.

      We never had to escalate it, 'cause of some employees taking it into their own hands, but that was incredible. Blew my damn mind.

      --

      There are no trails. There are no trees out here.
    7. Re:Try this. by rmohr02 · · Score: 1

      I filed a bug on the accounts.xml file.

    8. Re:Try this. by Glass+of+Water · · Score: 1
      Just throwing this out there, but you might be able to get ssh-over-icmp or some other type of tcp-over-icmp going. There's a backdoor kit called Portacelo which you could install on a box outside of the network somewhere.

      Because of stuff like this, seems like the best way to control the problem is to control what software gets installed on the machines in your office, and don't let users install software. I know that's pretty hard, and makes extra work for the admins.

      --
      There are no trolls. There are no trees out here.
    9. Re:Try this. by Johnny+Mnemonic · · Score: 1


      Man, where do you work? My users--if the app isn't in the dock, it may as well not exist. But yours are installing their own http redirectors?

      --

      --
      $tar -xvf .sig.tar
    10. Re:Try this. by rplacd · · Score: 1

      I work for a company that does outsourced software development. A high percentage of the staff are Java/C++ developers.

    11. Re:Try this. by questionlp · · Score: 1

      Thank you :)

    12. Re:Try this. by Jucius+Maximus · · Score: 1
      "I'm not sure how you'd defeat the guy running a proxy redirector on his DSL'd box at home. The latter hasn't been a problem for my workplace...yet."

      Either that or folks doing it are still under the radar ;-)

    13. Re:Try this. by Jucius+Maximus · · Score: 1
      "Because of stuff like this, seems like the best way to control the problem is to control what software gets installed on the machines in your office, and don't let users install software. I know that's pretty hard, and makes extra work for the admins."

      This is not difficult. Just don't let them run as administrator.

    14. Re:Try this. by jonadab · · Score: 2, Interesting

      If you're going to go down that path, what about the guy who uses
      X11 forwarding or VNC or what-have-you to access his home system
      and run the IM on that, displaying it on his desktop at work?

      --
      Cut that out, or I will ship you to Norilsk in a box.
    15. Re:Try this. by phillyclaude · · Score: 1

      try to uninstall Messenger from windows XP. I dare you

      --
      A computer without a Microsoft operating system is like a dog without bricks tied to its head
    16. Re:Try this. by Jucius+Maximus · · Score: 1
      "try to uninstall Messenger from windows XP. I dare you"

      This can be done if you know how.

    17. Re:Try this. by Glass+of+Water · · Score: 1
      Jucius, my man, I am in full agreement. However, after working as a tech for a while and seeing the pain in the ass that is a user with limited rights on the machine that they use for work, which the user thinks of as "his" or "her" machine, I have caved. The modern company's and CIO's attitudes toward security are fully baffling.

      I find myself less and less able to give a fuck what the user installs or does. Perhaps I will end up in agreement with these people who think that noobs should not be allowed to use computers at all.

      --
      There are no trolls. There are no trees out here.
    18. Re:Try this. by billatq · · Score: 1

      If you're going to go down that path, what about the guy who uses X11 forwarding or VNC or what-have-you to access his home system and run the IM on that, displaying it on his desktop at work?

      Funny you mention that, because I do that exact thing with ssh tunneling because I like to keep my logs in one place.

    19. Re:Try this. by rmohr02 · · Score: 1

      The developers don't seem to want it.

  4. Something at the protocol level? by dimator · · Score: 0, Redundant

    I'm sure something is known about the messenger protocol... Find it, and find out how the authentication is done. Now, the problem just becomes listening in on new connections, and determining if it's a messenger client authenticating itself. If it is, you could kill the connection.

    I don't know the tools that do any of that, though, but I'm sure they exist. :)

    --
    python -c "x='python -c %sx=%s; print x%%(chr(34),repr(x),chr(34))%s'; print x%(chr(34),repr(x),chr(34))"
  5. Packeteer by gooru · · Score: 5, Informative

    Have you tried Packeteer? Many educational institutions use it to shape and manage traffic. They also have a help page describing how to control instant messaging including MSN.

    1. Re:Packeteer by Anonymous Coward · · Score: 0

      Packeteer Packetshapers are a joke.

      and a bad joke at that.

      Their devices are 99% crap, 1% fluff.

    2. Re:Packeteer by ShaggyBOFH · · Score: 1

      We use Packeteer at our University to keep (L)users from sucking all our bandwidth with streaming audio and P2P stuff. Nice web interface and easy to configure. Not cheap.

      --
      --- Just say no to negativity.
  6. packet shaping by Satai · · Score: 3, Interesting

    Use a packet shaper. The one that comes to mind (proprietary, however) is Packeteer. These filter based on protocol (I think), so usually they can keep out resourceful programs like gnutella, etc.

    1. Re:packet shaping by ILEoo · · Score: 2, Interesting

      or free snitch includes support for l7-shaping (with a patch, see website)

  7. Simple by Kizzle · · Score: 2, Informative

    Everyone is getting all technical about this but it's very easy. Just block messenger.hotmail.com. Walla msn messenger stops working. It connects to this central server to find out what server to use.

    1. Re:Simple by anthony_dipierro · · Score: 3, Informative

      Won't work for people who have ever connected before. The IP address is cached for future connections.

    2. Re:Simple by Kizzle · · Score: 1

      I tried my method before I posted. It works.

    3. Re:Simple by anthony_dipierro · · Score: 4, Interesting

      It won't work in all circumstances. When my DNS goes down, MSN Messenger still works. That's because it saves the last IP address in the registry. Just use regedit and you can confirm this for yourself. Trust me, I've written an MSN Messenger server, I know this shit.

    4. Re:Simple by PurpleFloyd · · Score: 1
      I've never had to block Messenger before (translated: I'm talking out of my ass. My CCNA-certified ass), but what about a script that queries DNS for messenger.hotmail.com, then blocks the IP address returned? That way, you've got all your bases covered: if the IP is cached, it goes to a blocked address; if that fails or the IP isn't cached, it looks up a name that, according to the nameserver, doesn't exist.

      The only problem then would be some sort of VPN tunnel across the firewall to an open box. Still, that would have to run on some open port; you might implement protocol-specific traffic filtering, or just proxy everything. Of course, even without blocking tunneling, you've just taken away Messenger from the 99% of users who don't know how to set up a firewall-piercing VPN.

      --

      That's it. I'm no longer part of Team Sanity.
    5. Re:Simple by phaze3000 · · Score: 1

      I'm not sure if you're trolling or just lacking in knowledge, but if all connections to messenger.msn.com are blocked by the firewall (ie all packets to messenger.msn.com are blocked) then DNS doesn't make a blind bit of difference.

      --
      Blaming GW Bush for the Iraq war is like blaming Ronald McDonald for the poor quality of food.
    6. Re:Simple by anthony_dipierro · · Score: 2, Interesting

      what about a script that queries DNS for messenger.hotmail.com, then blocks the IP address returned?

      Won't work. Messenger.hotmail.com is only contacted the first time you connect. After that you are redirected to a new IP address which is based on your username. That's how Microsoft load balances the connections.

    7. Re:Simple by anthony_dipierro · · Score: 1

      Go read the messenger protocol and find out what the XFR command does then get back to me.

    8. Re:Simple by iMMersE · · Score: 1

      Go and read the messenger protocol and find out which server the XFR is sent to, and get back to me.

      --
      codegolf.com - smaller *is* better.
    9. Re:Simple by phaze3000 · · Score: 1
      From http://www.hypothetic.org/docs/msn/notification/authentication.php:

      messenger.hotmail.com always sends XFR, but gateway.messenger.hotmail.com never does. Microsoft's other notification servers very rarely send XFR - presumably, they send it when they are overloaded or going down for maintainence.

      The firewall blocks all packets to/from messenger.hotmail.com. The XFR packet never gets there.

      --
      Blaming GW Bush for the Iraq war is like blaming Ronald McDonald for the poor quality of food.
    10. Re:Simple by anthony_dipierro · · Score: 3, Informative

      The firewall blocks all packets to/from messenger.hotmail.com. The XFR packet never gets there.

      But if a user has already previously connected to messenger.hotmail.com and received an XFR, the client will cache the IP address given to it by the XFR. Therefore blocking only messenger.hotmail.com (the dispatch server), and not all the possible notification servers, "won't work for people who have ever connected before."

      I'm assuming of course direct connections through messenger.hotmail.com. Blocking gateway.messenger.hotmail.com will block access through the HTTP proxy (at least until the IP address changes).

    11. Re:Simple by Anonymous Coward · · Score: 0
      Just block messenger.hotmail.com. Walla msn messenger stops working
      Unclear. Are you calling parent poster "Wallah" as a sign of respect? Are you trying to say "voila"? Please elaborate.
  8. Brute force by {8_8} · · Score: 3, Interesting

    This is a very inelegant approach, but I suppose you could block EVERY logon server at the router. There has to be a finite number of logon servers out there, so all you'd have to do is sit down for X amount of time with a MSN client and monitor outgoing traffic from your IP. Block each logon server as it comes up, wait for the client to reconnect, block that server, rinse, repeat.

    Also, you could try looking for the location that the MSN client fetches the server list from and block that IP. If the list is stored locally, it'd be even easier to find and block those servers.

    Of course, the above approach assumes that the router can handle blocking X amount of IPs. I wouldn't put it past MS to have hundreds or thousands of servers out there.

    1. Re:Brute force by Micro$will · · Score: 1

      The problem with this as stated earlier, is that the ip of the logon server is picked based on your login name. So for example if it's based on the first letter, you would have to create 26 throwaway accounts starting with a-z, connect with each of them, then see which logon server they connect to.

      IMO, if this much work is involved, I'd just block everything, then open up legit ips as they're needed. This would also eliminate the possibility of people tunneling through the firewall as well.

  9. Tell people not to use it... by anthony_dipierro · · Score: 5, Interesting

    Then log all access to port 1863.
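
A log-review sketch for the signals named in this thread (TCP port 1863, HTTP CONNECT to port 1863, the application/x-msn-messenger MIME type, and the messenger.hotmail.com / gateway.messenger.hotmail.com hosts), added here as an example and not part of any poster's comment. The Squid-style and firewall log layouts, the sample lines and every address in them are constructed assumptions; the endpoint list it returns reflects the point made above that blocking the dispatch host alone misses the notification servers clients have cached.

```python
"""Flag MSN Messenger indicators in proxy and firewall logs (added example)."""
from collections import defaultdict
from urllib.parse import urlsplit

MSN_PORT = 1863
MSN_MIME = "application/x-msn-messenger"
MSN_HOSTS = {"messenger.hotmail.com", "gateway.messenger.hotmail.com"}

# Constructed sample in Squid native access.log layout:
# time elapsed client action/code bytes method URL ident hierarchy/peer content-type
PROXY_LOG = """\
1046700001.101 85 10.0.0.15 TCP_MISS/200 412 POST http://gateway.messenger.hotmail.com/constructed/path - DIRECT/192.0.2.10 application/x-msn-messenger
1046700002.300 40 10.0.0.15 TCP_MISS/200 9120 GET http://intranet.example/timesheet - DIRECT/192.0.2.50 text/html
1046700003.550 61000 10.0.0.22 TCP_MISS/200 2048 CONNECT 192.0.2.77:1863 - DIRECT/192.0.2.77 -
1046700004.000 900 10.0.0.31 TCP_MISS/200 300 POST http://relay.example/constructed/path - DIRECT/198.51.100.9 application/x-msn-messenger
1046700005.000 30 10.0.0.40 TCP_DENIED/403 0 CONNECT mail.example:443 - NONE/- -
"""

# Constructed firewall log, assumed layout: epoch src_ip dst_ip dst_port proto action
FIREWALL_LOG = """\
1046700010 10.0.0.22 192.0.2.77 1863 tcp ALLOW
1046700011 10.0.0.44 192.0.2.78 1863 tcp DENY
1046700012 10.0.0.15 192.0.2.50 80 tcp ALLOW
malformed line
"""


def scan_proxy(text):
    """Return (client, reason, destination) tuples for proxy log lines that match."""
    hits = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10:
            continue  # not a complete access.log record
        client, method, url, ctype = f[2], f[5], f[6], f[9]
        if method == "CONNECT":
            host, _, port = url.rpartition(":")
            port = int(port) if port.isdigit() else None
        else:
            try:
                parts = urlsplit(url)
                host, port = parts.hostname or "", parts.port or 80
            except ValueError:
                continue  # unparsable URL or port
        dest = f"{host}:{port}"
        if method == "CONNECT" and port == MSN_PORT:
            hits.append((client, "connect-1863", dest))
        if ctype.lower() == MSN_MIME:
            # Catches the HTTP gateway even when the hostname is not a known one.
            hits.append((client, "mime", dest))
        if host.lower() in MSN_HOSTS:
            hits.append((client, "host", dest))
    return hits


def scan_firewall(text):
    """Return (client, reason, destination) for any attempt to reach TCP/UDP 1863."""
    hits = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 6 or not f[3].isdigit():
            continue
        src, dst, port = f[1], f[2], int(f[3])
        if port == MSN_PORT:
            # Denied attempts are kept too: they show who is still trying.
            hits.append((src, "port-1863", f"{dst}:{port}"))
    return hits


def summarize(proxy_text, firewall_text):
    """Group reasons per client and collect every distinct :1863 endpoint seen.

    The endpoint list is what a block rule has to cover; it will contain
    servers other than the one the well-known hostname resolves to.
    """
    by_client = defaultdict(set)
    endpoints = set()
    for client, reason, dest in scan_proxy(proxy_text) + scan_firewall(firewall_text):
        by_client[client].add(reason)
        if reason in ("connect-1863", "port-1863"):
            endpoints.add(dest)
    return dict(by_client), sorted(endpoints)


if __name__ == "__main__":
    clients, endpoints = summarize(PROXY_LOG, FIREWALL_LOG)
    for ip in sorted(clients):
        print(ip, ",".join(sorted(clients[ip])))
    print("endpoints on 1863:", ", ".join(endpoints))
```
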

  10. just test it out by nocomment · · Score: 0, Redundant

    install msn messenger...and run it. See how it connects and then block that method, then re-run messenger and see how it connects and block that. wash lather rinse repeat until messenger can no longer connect.

    --
    /* oops I accidentally made a comment, sorry */
    /* http://allyourbasearebelongto.us */
  11. Kill the software. by flux4 · · Score: 2, Funny

    In addition to blocking MSN on the network, why not kill the software? This page discusses in gory detail the various methods of crippling/uninstalling/haxoring MSN software on the user machine, and making sure it won't come back. You have to be careful, as there are right ways and wrong ways to do it. My favourite method is to uninstall the software (made possible on XP via a convoluted run command), then place a blank file called "msn messenger" in Program Files. Installer won't work, and the user never goes into Program Files! It works.

    Having the software right out of the computer is a good thing, because then it can't begin to pester the user or remind them of their painful inability to chat.

  12. An alternative approach by skinfitz · · Score: 4, Funny

    Blocking 1863 does work, as I use that method myself.

    The only problem is that they will move on to the next messenger that works (like Yahoo! etc).

    If you wanted to be really insidious and get people to self police themselves, log all messenger messages and put a new section on your company's Intranet user customised page - something like "Hello xxxx, here are your last few messenger messages:

    [bIcycleSExfiEND] w00t!
    [cute^babe7599] SO BABEE U WANA C MY PIC?
    [bIcycleSExfiEND] yeah - send it
    [cute^babe7599] http://www.crackparty.com/showpictrojanisemachine? suckerid=bIcycleSExfiEND&referrid=1269
    ...

    Please contact the helpdesk if you would like a complete log.
    Have a nice day."

    ...and below that:
    Here are your last few web accesses:

    ... etc... you get the idea.

    1. Re:An alternative approach by jurrehart · · Score: 2, Interesting

      The alternative approach really works; I used it once for HTTP limitations. The user would connect to our intranet server to compile his/her timesheet. Before getting to the timesheet there was a page: your latest 50 URLs are: ...

      Each URL was checked on certain domains and keywords; when the URL matched a non-productive rule the line would be set in red. E.g. playboy.com would be viewed as a red line.

      After some days even the boss stopped surfing to certain sites ;)

    2. Re:An alternative approach by boredMDer · · Score: 2, Funny

      [cute^babe7599] http://www.crackparty.com/showpictrojanisemachine? suckerid=bIcycleSExfiEND&referrid=1269

      You know, it makes me wonder...how many people went to that link and were disappointed when they got a 'Connection Refused' error, and couldn't see cute^babe's pic...

      /me raises hand
      Okay, I admit it.

    3. Re:An alternative approach by Stephen+Maturin · · Score: 1

      ...and below that: Here are your last few web accesses
      Who says Slashdot isn't a useful tool? It's an ideal forum for collaboration. As well as wasting time.
      My boss asked me just this morning about a way to monitor the amount of time and sites visited by a few "problem" employees. I'm a DBA, and not very well versed in system administration, but how would one go about tracking and reporting this sort of information? I'm especially intrigued by the idea of a customized intranet page or (even better) a daily email sent to the employee and his supervisor

      --
      Non tam praeclarum est scire Latine, quam turpe nescire
      -- Cicero
    4. Re:An alternative approach by skinfitz · · Score: 1

      My boss asked me just this morning about a way to monitor the amount of time and sites visited by a few "problem" employees. I'm a DBA, and not very well versed in system administration, but how would one go about tracking and reporting this sort of information? I'm especially intrigued by the idea of a customized intranet page or (even better) a daily email sent to the employee and his supervisor

      Very very easy. For example so long as your intranet is set to use user authentication, then you know the user's user account, which you can usually get to in server side code (in windows ASP it would be Request.ServerVariables("LOGON_USER") encapsulated in asp delimiters that get filtered out in /.).

      A good way to do it is log all web accesses by user account into a database, and since you then have the user account from the Intranet page, as a DBA I'm sure I don't need to tell you how you do the next part :)

    5. Re:An alternative approach by cdrudge · · Score: 2, Funny

      Duh. You have to remove the space between the ? and suckerid. :)

    6. Re:An alternative approach by pla · · Score: 2, Insightful

      something like "Hello xxxx, here are your last few messenger messages:

      Something like that would make me very happy - Because I would have instant feedback about whether or not my attempts to circumvent stupid network usage policies had succeeded, and if so, did they work anonymously.

      Mind you, I don't care about visiting playboy.com from work - I never understood the point of porn at work anyway, since every work environment I've ever encountered made killing kittens all but impossible while there. But corporate IT departments have a bad habit of blocking valid, work-related traffic that they don't see the need for. "We notice you've visited alphaworks.ibm.com over fifty times in the last two weeks, so we've decided to block it to boost your productivity and ''help'' you not waste company resources.".

      Incidentally, I see the parent article's theme as very similar - Too many people use IM, so block it. This ignores the fact that many people using it may well have a valid, work-related reason for doing so. Personally I've used IM exactly three times (from home, not work, though), and each of those times I used it for the sole purpose of chatting with a fellow coder about something that, in another context, would count as work related (yeah, call me a geek, I actually code for fun).

    7. Re:An alternative approach by skinfitz · · Score: 1

      Too many people use IM, so block it. This ignores the fact that many people using it may well have a valid, work-related reason for doing so.

      This is true, however where I work the vast majority used IM for nothing constructive whatsoever.

      I operate a simple policy - you get what you need. If you need IM then you simply need to ask for it. The idea is to prevent abuse, not make people's work lives difficult. I've found this works as people won't ask for something if they can't justify it, however if they have a legitimate reason I am more than happy to facilitate whatever they need.

      Bottom line is that you are at work to work, not get paid for pissing about on the Internet.

  13. Why block MSN? by flikx · · Score: 3, Insightful

    The real question here is why block MSN? What about people who use instant messaging for legitimate business purposes?? People chat on telephones, and I don't see many offices rushing to ban them. Fire unproductive people, and let the rest of us communicate.

    --
    One future, two choices. Oppose them or let them destroy us.
    1. Re:Why block MSN? by thesnide · · Score: 3, Informative

      Actually, in some 'sensitive' companies (for example: stock exchange brokers) all communications involving a third party are officially tapped.
      It's done in order to prevent some obvious abuses.

    2. Re:Why block MSN? by leviramsey · · Score: 5, Informative

      RTFP. He's a sysadmin in the financial business, where IM that's not encrypted and securely logged is basically illegal (per SEC regulations). There are some (non-free) IM solutions that offer that functionality, though.

    3. Re:Why block MSN? by NanoGator · · Score: 1, Insightful

      "The real question here is why block MSN? What about people who use instant messaging for legitimate business purposes?? People chat on telephones, and I don't see many offices rushing to ban them. Fire unproductive people, and let the rest of us communicate."

      Gotta say, I agree. I've visited a number of large corps and all of them had computers using Im of some sort. Beats the heck out of walking to another building or even making a phone call. (Phones are so annoying.)

      What really bugs me is that if they weren't using MSN, they'd probably be using email. It's futile, really.

      Okay, I haven't really added anything new to the parent post. It's just a topic I feel strongly about. The CEO of my company hates chat programs with a passion. (he hates games too, though he has played golf out of town in the middle of a work day...) I remember he was in my office just after I installed ICQ. I wanted to try it out so I could use it for tech support. Neat idea really. I could send files back and forth between people, plus they could easily copy/paste stuff I send them to enter into the app we sold. The real time communication would have been nice since it could take 5 mins or so to get an email to them. Nope, that idea got axed. Within moments of going on line, this voice comes on and says "INCOMING CHAT REQUEST". I was immediately ordered to remove it without explanation. Grr. That idea died a quick death.

      If he didn't have such a nasty attitude about it, I could have been more productive, plus saved money on long distance calls. What really bothers me is that there are PLENTY of managers who have similar opinions about the topic.

      I can't wait until my generation is in charge.

      --
      "Derp de derp."
    4. Re:Why block MSN? by dotpl · · Score: 3, Interesting

      I totally agree with your point, but I have a similar situation, we have a lot of computers that share the internet connection, and there ain't that much bandwidth (around 40Kbits/sec if you're lucky)

      so sometimes I want to block MSN because the connection gets too slow for legitimate use, and I know most of the people in the office are just chatting with friends and getting no real work done, and, eventually, preventing me from doing my work, which requires being 90% of the time online.

    5. Re:Why block MSN? by innosent · · Score: 2, Interesting

      Yeah, I have a similar situation, since I work as a programmer for a medical lab. The answer is, write your own client, and block/uninstall everything else. Plus, by writing your own IM client/server (since this is the best model for logging and administration, p2p is not as useful for logging), you can add your own functionality, like controlling buddy lists, spying, shutting down systems, etc. (Mine has a nice feature to disconnect and lockout a user from the system when they are fired, in order to avoid problems while they're packing their things).
      It is actually quite easy to code this up, and it gives you full control over what happens.

      --
      --That's the point of being root, you can do anything you want, even if it's stupid.
    6. Re:Why block MSN? by innerlimit · · Score: 1

      'getting no real work done'

      like reading slashdot first thing, when you come into work :)

    7. Re:Why block MSN? by fuzzybunny · · Score: 1


      The answer is really simple: compliance.

      At a 'financial institution', if it's a bank, you are working with traders. A lot of countries have very very strict requirements as to the communications of brokers and traders--this includes having every single phone on the floor where they work (in my last company it wasn't just the trading floor, but the whole 3d floor) specially monitored.

      A lot of banks and exchanges also do this to protect themselves from claims by associates/customers that they "were told abc by xyz working for you"; especially in a lawsuit-happy environment like the US, this is admissible as evidence under certain circumstances. And yes, legally the line between hard concrete evidence (a signed, witnessed contract, for example) and a cut-and-pasted supposed MSN conversation is pretty fuzzy.

      --
      Cole's Law: Thinly sliced cabbage
    8. Re:Why block MSN? by fatrat · · Score: 3, Insightful

      > I can't wait until my generation is in charge.

      and when you get there, you'll find that all the same regulations about being able to record all conversations/encrypt it etc still apply and so you'd still have to block MSN.

    9. Re:Why block MSN? by Loosewire · · Score: 1

      so what do finance houses do about mobile phones ?

      --
      Slashdot - The one stop shop for procrastination
    10. Re:Why block MSN? by CableModemSniper · · Score: 1

      Well with the mobile phone it's not coming out of the financial co.'s network.

      --
      Why not fork?
    11. Re:Why block MSN? by Elm+Tree · · Score: 1

      What you need is some sort of QOS solution. Just give MSN a lower priority and everything works itself out. That's the only way I've found to have a functioning system and run BitTorrent at the same time.

    12. Re:Why block MSN? by jobugeek · · Score: 0
      I'm losing my moderations in order to reply to you. It isn't just about productivity, it's also security. IM is highly insecure. Argue all you want about it, but currently there is no way to monitor/filter attachments thoroughly.

      At least with email, we can control certain attachments in addition to help keeping confidential information from getting sent to people it shouldn't. We have a lot of sales people, it happens.

      I don't work for a financial institution, but there is no way, we are allowing MSN, Yahoo or AOL in until strict control can be setup with them.

      --
      I'm not drunk, I just have a speech impediment. And a stomach virus. And an inner ear infection.
    13. Re:Why block MSN? by Anonymous Coward · · Score: 0

      Aw, now why did you have to go and squash his naive idealism? Those pre-college graduates can be so cute with their simplistic view of the world. ("Hey, I know, let's go and protest something we don't understand!")

    14. Re:Why block MSN? by (trb001) · · Score: 1

      What really bugs me is that if they weren't using MSN, they'd probably be using email. It's futile, really.

      I disagree. We can't use IM here at work (well, we could use MSN, but we all like AIM too much and don't really care to switch) and it does restrict what we say in emails because...

      1) Emails get logged in at least three places...your computer, the recipient(s) computer, the server. Possibly a router log too, depending.
      2) IMs will only get logged going across a router. I'm sure someone keeps a router log, but the reality is that even if they are keeping a log, getting to it would suck. I'm a subcontractor to a contractor for the government, I can't tell you how many layers of management there are between me and someone who would care if I IM'd another person about how much work blows.

      We email each other pithy comments and such, but they're definitely cleaned up. If nothing else, all those sites featuring misdirected company emails are enough to persuade me not to do it.

      --trb

    15. Re:Why block MSN? by budgenator · · Score: 1

      You might find jabber interesting, you can run your own server on your network, force all employees to go through your server, so what's allowed or blocked or monitored is only limited by your imagination and programming abilities.
      It talks to AOL, yahoo and msn messenger services out of the box and can even conference the above.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    16. Re:Why block MSN? by jobugeek · · Score: 1

      I actually am looking at Jabber. I'm trying to decide which server software I like best. The free versions I've seen leave something to be desired so far.

      --
      I'm not drunk, I just have a speech impediment. And a stomach virus. And an inner ear infection.
    17. Re:Why block MSN? by Anonymous Coward · · Score: 0

      Of course they can always deltree *.* before they go.

    18. Re:Why block MSN? by HBI · · Score: 1

      In addition, companies like that randomly (and sometimes not so randomly) record phone calls on audio tape for the same reasons that IM is logged.

      I worked there, I know.

      --
      HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
    19. Re:Why block MSN? by R2.0 · · Score: 1

      "I can't wait until my generation is in charge."

      And your employees are writing /. complaining about what a jerk you are, and how they can't wait until THEY are in charge.

      --
      "As God is my witness, I thought turkeys could fly." A. Carlson
    20. Re:Why block MSN? by kfuq · · Score: 1

      Jabber works great for inhouse messaging

      --
      iF yOu WAnT to C YOUr iP agaIn gAThEr tWO MilLIon dOLLArS IN Non - cONsEcuTivE TweNtY's AnD AWaiT FuRThER iNstrUctIoN
    21. Re:Why block MSN? by innosent · · Score: 1

      Actually, no, since they don't have access outside the lab system. The system runs on windows, but the only thing they can run is the lab system. Also, even if they did manage to delete everything on their machine, it's still no loss, since there is nothing on the machine of any value. All important information is either in the database, or on the file servers, and only administrators can delete files from the servers.

      --
      --That's the point of being root, you can do anything you want, even if it's stupid.
  14. Group Policies by fluor2 · · Score: 3, Interesting

    Hey,

    you can block stuff like this using Group Policies (GPO's). I think you should start asking at news.microsoft.com at their group policy newsgroups.

    If you have windows XP's as a member of your domain, you can easily block it using GPO.

  15. Two words by Quicksilver31337 · · Score: 1

    Packet Filtering

    --
    _______
    Death wish, n.:

    The only wish that always comes true, whether or not one wishes it t
  16. Don't block it, sniff it. by ColaMan · · Score: 4, Funny

    Get a MSN sniffer... the (very beta) one I used was called MSN666.

    Tell everyone that you're sniffing MSN messenger traffic, and that you can trace it to a person easily. Wait a day. Post a few innocuous messages between people on the noticeboard to prove it. Add a scrawled note on the bottom of the message saying "and , FatShaft42, you are one SICK Bastard! I'll be passing *your* messages onto HR!!" for maximum effect.

    --

    You are in a twisty maze of processor lines, all alike.
    There is a lot of hype here.
    1. Re:Don't block it, sniff it. by ColaMan · · Score: 3, Interesting

      I joke about all this stuff , but seriously, I had a person email me a resume for a job we had open from "fatshaft42" at a well known free email provider.

      Of course , all the girls in the office wanted to hire him but it did nothing for his professional appeal. Well, if we were an escort agency maybe it would have.....

      --

      You are in a twisty maze of processor lines, all alike.
      There is a lot of hype here.
  17. SEC rules by whoda · · Score: 2, Insightful

    Blame Enron and other such fiascos.
    Financial institutions have to record and hold all electronic communications for years now. The specific number of years eludes me atm.

    If you think some E-mails people send are incriminating, imagine what IM's traded around an office would expose.

    It's much easier to stop the people from using IM services than to try to capture/record/log/preserve it all. At least for financial institutions which theoretically could face billion dollar lawsuits.

  18. Management by IP Filter by fm6 · · Score: 1
    Sure, there are a lot of bad managers who worry about employees wasting their time on the Internet, and implement all kinds of technical restrictions: what web sites you can access, what programs you can use, etc. etc. I agree, it's stupid: if managers are worried about people not using their time productively, they should be out talking to them about it, making them understand that they're only hurting themselves. These kindergarten games are worse than useless.

    In college I worked as a projectionist. We had a stupid, paternalistic boss who worried that we were watching the movie when we should be keeping an eye on the equipment. His solution: disable the speaker in the projection booth! Of course that made things even worse, since projectionists kept running between the booth and the auditorium. The real problem was that some projectionists just had a bad work attitude, but the boss had no idea how to address that.

    None of which really matters. I had no hope of changing the stupid speaker policy, and Steve has no chance of changing the stupid MSN policy. No it's no use arguing over it.

    Incidentally, there is a legitimate reason to forbid MSN, AIM, etc. They're not secure. Some companies don't forbid IMing, but insist that you use special software and servers. Probably not the issue here, but worth mentioning.

  19. Kill them all. by trouser · · Score: 4, Funny

    Or not. On second thoughts perhaps not a good idea. Still, it's your call.

    --
    Now wash your hands.
  20. So what's to stop you blocking the IP? by Inoshiro · · Score: 1

    I assume blocking that site to include its IP range, too.

    --
    --
    Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
    1. Re:So what's to stop you blocking the IP? by anthony_dipierro · · Score: 1

      I'm not sure how you'd find the IP range. I guess you could just guess, and hope you don't accidentally shut off hotmail access as well (or maybe shutting off hotmail access is a good thing).

  21. How to stop MSN Messenger? You kidding? by Feztaa · · Score: 3, Insightful

    Install Linux, MSN Messenger will go away rather quickly :)

    I think it would be easier to lock down a linux box to prevent installations of gaim, Gabber, etc than it would be to putz around with your firewalls trying to kill MSN Messenger.

    1. Re:How to stop MSN Messenger? You kidding? by spongman · · Score: 2, Insightful

      yeah, and while you're waiting for the install to complete you can port that $2M suite of custom/in-house trading software you just finished paying for.

    2. Re:How to stop MSN Messenger? You kidding? by Loosewire · · Score: 2, Informative

      err , gAIM, AMSN, Kopete
      I'm using MSN from linux right now on this machine :-D

      --
      Slashdot - The one stop shop for procrastination
    3. Re:How to stop MSN Messenger? You kidding? by Anonymous Coward · · Score: 0

      unless you take away their compilers, and give them zero quota, it will be pretty hard to prevent someone from installing something in unix.

      eg. "./configure --prefix=$HOME/usr"

    4. Re:How to stop MSN Messenger? You kidding? by curious.corn · · Score: 1

      flag the /home fs noexec... I suggest you have another go at those HOWTOs ;-)

      --
      Mi domando chi à il mandante di tutte le cazzate che faccio - Altan
    5. Re:How to stop MSN Messenger? You kidding? by Knara · · Score: 1

      Eh, that's alright. Chances are the users didn't know how to use the software properly on Windows anyway, so Linux won't be any different.

      Oh you wrote *trading*, not *training*.

      Nevermind. =)

    6. Re:How to stop MSN Messenger? You kidding? by Feztaa · · Score: 1

      Yeah, so am I. What's your point? Admins can uninstall those programs and prevent them from being installed by properly locking down the box (don't give users install permissions, and mount /home with noexec so that they can't install stuff into their own home directories. Don't give them permission to execute the compiler, etc.). It's not difficult to do.

    7. Re:How to stop MSN Messenger? You kidding? by 0x0d0a · · Score: 1

      Wow, guess you were pretty dumb to purchase it, eh?

    8. Re:How to stop MSN Messenger? You kidding? by Anonymous Coward · · Score: 0

      Fucking fag pussy at it again.

      You know noting little bitch. Fuck off. You never shut the fuck up. You never say anything real. You are a fraud and a knave. MOTHERFUCKER!

  22. If you allow www by gl4ss · · Score: 2, Insightful

    If you allow www, you can't stop all chats. You can pretend, but you can't do it. Heck, email can be used for such as well. How about making internet access a privilege that only those have that need. Though IM can be used to boost productivity too.

    --
    world was created 5 seconds before this post as it is.
    1. Re:If you allow www by __aafkqj3628 · · Score: 1

      I agree, at my "educational institute," we are always trying to find ways to escape out of the restrictions they put on us (which are quite stupid sometimes). eg. only ports 80 and 113 (SSL) are open, www.hotmail.com is blocked (but not hotmail.com).
      By letting port 80 through, programs like HTTPort can tunnel through (unless your proxy/firewall doesn't support normal proxy CONNECT messages).

  23. Brrrr technological fix.... by Chilles · · Score: 2

    I thought financial people were supposed to be more socially able than technological people. Don't your managers understand the concept of "talking to people about things they should and should not do during work hours?"
    I know it's not generally accepted in most larger companies, but I always question bad and lazy management decisions like this one. Management is usually paid generously enough to compensate for the occasional difficult talk with a bothersome employee. Besides, talking has a lot less negative (or even positive, depending on the person doing the talking) effect on the work atmosphere and might alleviate a general feeling of "us against the managers" in employees.

    1. Re:Brrrr technological fix.... by Anonymous Coward · · Score: 0

      jeez - is everyone asleep - SEC rules demand copies be kept of all communications - phones are recorded, email archived. Since there is no cheap way to do it with IM, some firms HAVE TO BY LAW disable it.

      Jeez - it's not about big bad corporate execs - it's the law - and it's designed to help the consumer not get ripped off by shady brokers.

    2. Re:Brrrr technological fix.... by tommck · · Score: 1
      Brrr? Are you cold?

      --
      ---- It puts the lotion on its skin or else it gets the hose again. It does this whenever it's told.
  24. Block one, block them all? by __aafkqj3628 · · Score: 2, Informative

    You may be able to block the win32 client, but that does not stop employees from using services like http://www.wbmsn.com/ (MSN) or http://go.icq.com/ (ICQ) for their IM needs.

    Alternatively, a mass block of Microsoft's IP address range(s) should help stop people being able to connect (and you'll also kill hotmail, passport and a lot of other of their useless services with the same stone).

    1. Re:Block one, block them all? by Anonymous Coward · · Score: 0

      I've blocked those web IM via proxy and firewall...

  25. Install Messenger mandatory and lock it down by wimbor · · Score: 5, Informative
    I did the exact opposite at our company.

    I used group policy software distribution to force the install of Windows Messenger on all computers. Windows Messenger is a slightly different version than MSN Messenger but it can also connect to the IM system of Exchange. We use that in house as our instant messaging system.

    When once installed you can use Group Policies to lock the Windows messenger down. With registry keys embedded in the policies you can disable file transfer, video chat and even outside communications (to the internet, not intranet) of the client.

    We disabled file transfer to avoid viruses slipping in via this way.

    If I am correct you can even set Windows messenger to have priority on MSN messenger, thus disabling the MSN version. In this way you should have full control over the IM system. Check the knowledge base and technet for the necessary info. If necessary, contact me.

    1. Re:Install Messenger mandatory and lock it down by Hornstar · · Score: 1
      I know that the parent to this post has already been modded as informative but I would like to take a moment to recognize and thank wimbor for contributing positive and useful information to this topic.

      Great insight, good suggestions and a perfect answer to the "Ask Slashdot".

      My contribution to this topic would be much the same; that Group Policies are a great way to limit access to unwanted software with exceptions made for users that must have access to a particular program. By being very selective with install/run rights/privileges you can prevent people from running workarounds as well as the intended programs (i.e. prevent the installation/execution of SSH clients).

      The real question is how restrictive you would like your work environment to be. Other non-technical ways of addressing the same problem would be to meet with HR and make the use of IM clients a contravention of office policy. Use IM once, get a warning, use it twice, a reprimand, third strike, you're fired. In the past I have found that a combination of technical and procedural solutions often work best (that way IT doesn't look like a bunch of domineering a$$holes as well because you can now say "I'm sorry... I want to give you IM but HR says no.")

      Just my $0.02

  26. Very easy by duffbeer703 · · Score: 4, Interesting

    Disable via the registry with login scripts

    http://www.winguides.com/registry/display.php/981/

    Or group policy

    http://www.subvers.com/technobabble/html/tweaks/Group%20Policy%20Registry%20Editor.htm

    If you have wildcat machines that people just setup on their own, you have a larger problem.

    --
    Conformity is the jailer of freedom and enemy of growth. -JFK
  27. Shoot the Messenger by permaculture · · Score: 1
    --
    Environmentalism is the new Victorianism. Everyone ties on a green corset and pretends we're virtuous.
    1. Re:Shoot the Messenger by Coward+the+Anonymous · · Score: 1

      That is a different Messenger Service. That service handles messages like those sent by the net send command.

      --
      -- Jason
    2. Re:Shoot the Messenger by Anonymous Coward · · Score: 1, Insightful

      Shoot Steve Gibson. That guy is an idiot.

  28. Higher Management? by vasqzr · · Score: 2, Insightful


    I did this with my old company. They had a very strict firewall policy, and to get a port open, you had to get through higher management.


    Geez. Try baking the sysadmin some cookies, give him a case of Guiness/Bawlz, or take the poor guy to lunch.

    1. Re:Higher Management? by snake_dad · · Score: 1

      Yeah.. being friendly with the sysadmin is worth a lot. He might even grep -v the webproxy logs for you or set you up for the alternate unlogged proxy :)

      --
      karma capped .sig seeking available Slashdot poster for long-term relationship.
  29. iptables by CaraCalla · · Score: 1

    Iptables (as well as any decent firewall) can match packets containing arbitrary strings. Tcpdump a couple of Messenger handshake sequences and look for some common ids.

    Edgar

  30. What about by vasqzr · · Score: 1


    WindowsUpdate.com?

    support.microsoft.com?

    Office Tools on the Web? (clipart, template galleries)

    1. Re:What about by 0x0d0a · · Score: 1

      Simple. Use Linux.

    2. Re:What about by __aafkqj3628 · · Score: 1

      That's why you use a windows update server on your local network and keep a technet subscription ready.
      Doing it that way also saves on the bandwidth and traffic you might otherwise go through.

  31. Walla? by turgid · · Score: 1
    Walla? What do you mean "walla?"

    Do you, perchance, mean "voila," the French word? Yes, I know it should have accents on it but I'll be damned if I can figure out how to type them.

    Walla indeed!

    1. Re:Walla? by tsvk · · Score: 2, Funny

      LOL, that reminded me of this gem from Dilbert newsletter #43:

      True Tales of Induhviduals
      Here are some true tales of Induhviduals as reported by DNRC members.
      One of my teammates was giving a presentation to our department about an exciting development. He clicked to bring up the next slide and announced with great enthusiasm, "and walla, there it is!!" On the slide in huge letters was the word "Walla." The audience was stunned at first, not knowing if it was suppose to be a joke on the spelling of the word "voila" or not. Then he turned to a member of our department who was from France and said, "You know, walla! Walla!!"
      Coincidentally, earlier that week he had mentioned to our team that he wanted to go into management.
  32. Walla? by Anonymous Coward · · Score: 0

    Damn! It isn't even pronounced like that! Why is literacy becoming a lost art? Get thee back to school, moron!

  33. linux/ipchains by ohchaos · · Score: 2, Informative

    I block MSMessenger without any problems with the following rules:

    ipchains -A input -p TCP -b --sport 1863 -j DENY
    ipchains -A input -b -d 64.4.13.0/24 -j DENY

    now the extremely persistent Yahoo IM is something I still haven't nailed down yet.....

  34. Blocking Messenger by Anonymous Coward · · Score: 0

    Don't mean to be rude but this is a case of RTFM.
    We manage MSN IM use and all the ports are listed on the M$ Technet.

    1. Re:Blocking Messenger by Tekno2k3 · · Score: 1

      Don't mean to be rude, but RTFM. It will move to port 80 if 1863 is closed.

  35. Just block running of unauthorized programs by nurb432 · · Score: 1

    Assuming you are on a domain and not a workgroup, it's not hard to lock down PCs to only run 'approved' apps..

    If you don't know how to do that, then you have got some basic windows admin skills to learn.

    --
    ---- Booth was a patriot ----
    1. Re:Just block running of unauthorized programs by Tekno2k3 · · Score: 1

      Wanna let me in on how to do that in NT4? ;-)

  36. "TASK" IS NOT A VERB! by Anonymous Coward · · Score: 0

    Moron,

    "Tasked" is not a word.

    TASK is a noun. You do not "task" somebody, you ASSIGN A TASK to them.

    Please smack yourself several times in the head with a large crowbar until you understand English.

    1. Re:"TASK" IS NOT A VERB! by Phil+Ulrich · · Score: 1

      Smack yourself, dolt. From dictionary.com: tr.v. tasked, tasking, tasks 1. To assign a task to or impose a task on. 2. To overburden with labor; tax.

      --
      Prepare to be burninated!
    2. Re:"TASK" IS NOT A VERB! by Anonymous Coward · · Score: 0
      http://dictionary.reference.com/search?q=task

      Also look here for a quick introduction to morphology. Pay special attention to bullet six (zero morphology).

      Please smack yourself several times in the head with a large crowbar until you understand linguistics.

    3. Re:"TASK" IS NOT A VERB! by Blob+Pet · · Score: 0, Offtopic

      "He tasks me....He tasks me and I shall have him. I'll chase him round the moons of Nibia and round the Antares Maelstrom and round Perdition's flames before I give him up!"
      --Khan

      --
      "...today consumers have been conditioned to think of beer when they see a bullfrog..."
  37. Why? Because it's against the rules, and law. by nurb432 · · Score: 2, Informative

    In this case being a finance institution, they have to log all conversations or possibly face fines.

    In 99% of normal businesses, it's NOT needed to have outside IM access, period. If you need IM communication between your employees, great, then you use a secure internal IM setup, with no outside server access. For people outside the firewall like sales guys, they vpn back in.

    It's not in best business interest to let you talk to your wife, or friend down the street about where to go for lunch. Regardless of what you might think.

    Phones the same, many don't get outside line access. It's ONLY internal calls that they can make, unless they have a business case to get 'out'.

    --
    ---- Booth was a patriot ----
  38. This is how I blocked MSN Messenger by $exyNerdie · · Score: 1, Funny

    This is how I blocked MSN Messenger... bought SuSE Linux 8.1 professional. Installed it and no more MSN Messenger for me!!

    1. Re:This is how I blocked MSN Messenger by Anonymous Coward · · Score: 0


      Wow - what a completely useless post!

    2. Re:This is how I blocked MSN Messenger by Anonymous Coward · · Score: 0

      Wow - what a completely useless post!

      Ditto..

  39. Via Global policy by nurb432 · · Score: 1

    Use policy editor and apply it to the entire domain.

    --
    ---- Booth was a patriot ----
    1. Re:Via Global policy by Tekno2k3 · · Score: 1

      I did see that pols can be converted to group policy.

  40. shut it all down by Anonymous Coward · · Score: 0

    The only way to block it is to shut down ALL network traffic, then allow only the explicit traffic you want. I'm not sure about MSN, but AOL's AIM server protocol binds to *every* port on the AIM server. Just because there is a "preferred" port means nothing - a user can simply change their AIM client to use *any* other port on that server and will get the same result.

    If you want to block IM, you need to block *everything*, then allow access only as requested. It's a network management nightmare. You allow port 80, except to certain AOL hosts which are AIM servers, for instance (you might not want to block aol.com, but the AIM servers are *somewhere* in the aol.com domain).

    See where this is headed?

  41. Not too hard with iptables. by Sanction · · Score: 1

    You just need to block access to port 1863, the entire subnet 64.4.13.0/24, and gateway.messenger.hotmail.com. It will then attempt to tunnel through port 80, so have your web proxy stop it there. This will stop the ability to authenticate, and works for us with Win98 and XP clients, haven't tried with other ones. Interestingly, the built in XP client was easier to stop, it was the Win98 version that took extra measures.

    --
    Well I'm the doctor and I say you're dead, so shut up and take it like a man!
    1. Re:Not too hard with iptables. by Sanction · · Score: 1

      Oh, might as well include the simple version for any Linux 2.4 kernel with iptables:

      # Block AIM/ICQ
      iptables -A FORWARD -p tcp --dport 5190 -j REJECT
      iptables -A FORWARD -d login.oscar.aol.com -j REJECT
      iptables -A FORWARD -d login.icq.com -j REJECT

      # Block MSN
      iptables -A FORWARD -p tcp --dport 1863 -j REJECT
      iptables -A FORWARD -d 64.4.13.0/24 -j REJECT
      iptables -A FORWARD -d gateway.messenger.hotmail.com -j REJECT

      --
      Well I'm the doctor and I say you're dead, so shut up and take it like a man!
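An added example (not part of the comment above or of the thread): a Python audit that checks whether the block list in those iptables rules is holding, by flagging egress records that hit the same ports, subnet and hostnames, including the port-80 and proxy CONNECT fallback other posters describe. The two log formats, the sample lines and all function names are constructed for illustration.

```python
import ipaddress
import re

# Indicators copied from the iptables rules quoted in the thread.
BLOCKED_PORTS = {1863: "MSN", 5190: "AIM/ICQ"}
BLOCKED_NETS = {ipaddress.ip_network("64.4.13.0/24"): "MSN"}
BLOCKED_HOSTS = {
    "gateway.messenger.hotmail.com": "MSN",
    "login.oscar.aol.com": "AIM/ICQ",
    "login.icq.com": "AIM/ICQ",
}

# Constructed sample records, not real traffic. Assumed formats:
#   firewall: FW <src_ip> <dst_ip> <dst_port>
#   proxy:    PX <src_ip> <METHOD> <absolute-url or host:port>
SAMPLE_LOG = """\
FW 10.0.0.21 64.4.13.17 1863
FW 10.0.0.22 192.0.2.80 80
FW 10.0.0.23 64.4.13.40 80
PX 10.0.0.24 POST http://gateway.messenger.hotmail.com/constructed-path
PX 10.0.0.25 CONNECT login.oscar.aol.com:443
PX 10.0.0.26 GET http://www.example.com/index.html
PX 10.0.0.27 CONNECT 64.4.13.99:443
FW 10.0.0.28 198.51.100.7 5190
this line is malformed
"""


def host_of(target):
    """Extract the lowercase host from an absolute URL or a host:port pair."""
    m = re.match(r"^(?:[a-z][a-z0-9+.-]*://)?([^/:\s]+)", target, re.I)
    return m.group(1).lower().rstrip(".") if m else ""


def match_ip(ip_text):
    """Return the service name if the address is inside a blocked subnet."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net, service in BLOCKED_NETS.items():
        if ip in net:
            return service
    return None


def match_host(host):
    """Match a blocked name (or a subdomain of it), then fall back to IP literals."""
    for name, service in BLOCKED_HOSTS.items():
        if host == name or host.endswith("." + name):
            return service
    return match_ip(host)


def classify(line):
    """Return (src, service, reason) for a hit, None if clean; ValueError if unparsed."""
    parts = line.split()
    if len(parts) == 4 and parts[0] == "FW" and parts[3].isdigit():
        _, src, dst, port = parts
        service = match_ip(dst)          # subnet hit counts on any port, 80 included
        if service:
            return (src, service, "dst-net")
        if int(port) in BLOCKED_PORTS:
            return (src, BLOCKED_PORTS[int(port)], "dst-port")
        return None
    if len(parts) == 4 and parts[0] == "PX":
        _, src, method, target = parts
        service = match_host(host_of(target))
        if service:
            return (src, service, "proxy-" + method.lower())
        return None
    raise ValueError("unparsed log line: " + line)


def audit(log_text):
    """Return (hits, unparsed_count); unparsed lines are counted, never silently dropped."""
    hits, unparsed = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            hit = classify(line)
        except ValueError:
            unparsed += 1
            continue
        if hit:
            hits.append(hit)
    return hits, unparsed


if __name__ == "__main__":
    found, skipped = audit(SAMPLE_LOG)
    for src, service, reason in found:
        print(f"{src:12} {service:8} {reason}")
    print(f"unparsed lines: {skipped}")
```

Hits with reason `dst-net` on port 80 or any `proxy-*` reason are clients that fell back to HTTP after port 1863 or 5190 was closed, which is the case the web proxy has to cover.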
  42. There is no way... by macemoneta · · Score: 1

    ...Unless all Internet access is blocked, to prevent any IM from being used. Remember, you can always SSH to a home server (using any port you want to configure) and start an IM client via the encrypted tunnel. If you are going to check all data transfer on all ports to/from the Internet, you might as well just block it all. It's the "clever" end-users that know how to do this that are your real worry.

    --

    Can You Say Linux? I Knew That You Could.

    1. Re:There is no way... by MacEnvy · · Score: 1

      I disagree. I've blocked MSN and Yahoo on several machines by using McAfee Desktop Firewall. You merely set a rule to disallow the application to run at all. This is the surest way to block it, and it's the only way I've found to be effective. MSN has a tendency to reinstall, reactivate, and open itself. Without taking desperate measures such as setting rules, it will at the very least run itself in the background and take up cycles.

      --


      ***
    2. Re:There is no way... by macemoneta · · Score: 1

      The problem is that you are blocking the IM client on the work machine. If the work machine uses SSH to start the application remotely, all you see is SSH. Since SSH can be configured to run on any port, unless you block all ports (i.e., no Internet access), this method can't be stopped.

      For example, say an employer only allowed outgoing web requests. I would configure an SSH server on my home machine on port 80. As far as anything in the path was concerned, the SSH tunnel was an HTTP transaction.

      I could then run any application on my home machine, including IM clients, personal email, web browsing prohibited sites, etc., completely secure from eavesdropping by my employer.

      SSH is one of the greatest tools of all time. :-)

      --

      Can You Say Linux? I Knew That You Could.

    3. Re:There is no way... by MacEnvy · · Score: 1

      I see your point, but no one in most offices - I mean NO ONE - is going to start a remote SSH session to run their piddly MSN Messenger. My method works in 99.9% of the cases in a corporate environment, as long as the administration has had the foresight to use a software firewall on client-side machines.

      --


      ***
  43. Re:Group policies are not the solution by 0x0d0a · · Score: 2, Insightful

    I like sysadmins that run Windows shops and think that since they are the only ones that know what they set the Administrator password to, their machines can't be modified. They're funny.

    Anyone who thinks I'm going to work on Windows without cygwin, JSPager, xemacs, etc, has another think coming. Sysadmins are *support* personnel. They're there to facilitate work getting done. They aren't supervisors of said personnel, and controlling behavior is certainly not in their bailiwick unless expressly handed down by management.

    That said, I've had grand old times with IT folks who don't feel the need to try to be assholes.

    Finally, I don't use any form of instant messaging at work, because I find email and phone to be more convenient. But I *have* done software development before with another person on the other end of an ICQ connection, and if that's the most convenient way to do work, IT should definitely not be trying to be a pain in the ass about it.

  44. Re:Group policies are not the solution by metacosm · · Score: 4, Insightful

    Ding Ding Ding! Correct, IT is there to HELP. Same exact thing goes with contractors, they are there to help the full time employees. As a contractor in IT departments, I can tell you that companies, contractors and IT departments are often very broken in how they try to get stuff done.

    NOT EVERYTHING IS A TECHNICAL ISSUE. Policy is as important as technology. Lazy management makes management problems (lack of control and accountability) into technical problems because they are too weak to deal with the issues on their own and want IT to do it for them.

    Also, FlashDesktops is far better than JSPager :).

  45. Re:Group policies are not the solution by 0x0d0a · · Score: 1

    JSPager is free. :-)

  46. Re:Group policies are not the solution by Anonymous Coward · · Score: 0

    I'm not sure, but I think you're talking about Virtual Desktops (Pagers in *nix).

    For my money, and yes I spent 20 whole dollars on it, cause it was TOTALLY WORTH IT, Vern was the hands-down winner.

    Even though I'm now on Linux, the pagers still pale in comparison to Vern on Win2k (which, again, I no longer use.)
    -A

  47. Don't forget to block by Cyclone66 · · Score: 1

    Web Based MSN proxies. Yes it's not secure, but it does work.. sometimes.

  48. Simple by winston1984 · · Score: 1

    As Administrator, go to 'Services' in the Control Panel. Go to 'Properties' for Windows Messaging, and uncheck the box that says something like "Turn on at startup." (I don't have an XP machine in front of me right now.) That's really all there is to it.

  49. ...who would build their own redirectors... by leonbrooks · · Score: 1

    ...if you shot all of the standard ones. Probably operating over GRE or something your firewall doesn't know exists (which is a good reason for French Foreign Legion firewalling rules, but it's real work to nail down everything even so).

    --
    Got time? Spend some of it coding or testing
  50. Re:Group policies are not the solution by dbrutus · · Score: 1

    In financial institutions, you have to log all communications as a matter of law. If there's no logging facility for an IM method, that method has to be blocked or eventually people will go to jail.

    Insider trading rules are a bitch but if you can't deal with everything being read by management, don't work for a brokerage or similarly constrained institution.

  51. That's not MSN Messenger by supergumby · · Score: 1

    That turns off the Windows Messenger service. It sends administrative messages to machines over NetBIOS.

    MSN Messenger is not a service, it's a user program.

    However, if you set Windows Messenger to manual or disabled you don't get that annoying spam that's so popular now.

  52. Re:Group policies are not the solution by 0x0d0a · · Score: 1

    Every IM client I've ever used can log conversations.

  53. Give them an alternative by cgenman · · Score: 1

    Give everyone Jabber / PSI, and your local server. Communications over Jabber can be encrypted, logged, and secured enough to meet federal mandates. There are gateways that can be installed to allow people to chat with the outside world (logged, of course). And, most importantly, few enough people use Jabber that most chatting will be going on within the company, not with outside parties.

    IM is a powerful alternative to phone calls and e-mails for getting work done. It shouldn't be taken entirely out of a workplace, just put in its proper (and legal) place.

    - C

  54. Termination by EelBait · · Score: 1

    If your corporate policy is to ban Messenger, then a few firings will go far.

  55. Use Snort by Old+Man+Trouble · · Score: 0

    As far as I know, Snort should be able to recognize Messenger's packets' fingerprints and block them.

    1. Re:Use Snort by Old+Man+Trouble · · Score: 0

      Nope, seems like I remembered wrong, however, you can use it to feed the IPs to a firewall.

  56. Blocking MSN Messenger by atcurtis · · Score: 1


    I had successfully completely blocked MSN Messenger from working... And the same goes with Outlook Express to Hotmail.

    Unfortunately, there are some consultants who can only talk to each other (even whilst in the same room) via MSN Messenger, so I had to reenable access to them.

    C'est la vie.

    --
    -- The universe began. Life started on a billion worlds...
    -- Except on one where stupidity was there first.
  57. MSN Messenger by Lord+Fren · · Score: 1

    Too bad I just now saw this. Anyone using Windows or MSN Messenger on XP has probably gotten those stupid spam messages. To disable them, just block anyone on your address list. If they want access, they can just email you requesting access. Works great!

  58. pretty easy really by bonezed · · Score: 1

    I had msn blocked at work until various ppl lobbied management for it back :/

    Either way it's not overly hard; I run an iptables-based firewall on Debian. I restrict both incoming and outgoing traffic, I also have a filtering proxy for all web traffic (squid and dansguardian).

    Anyway, msn didn't like working thru my proxy setup so I had to open tcp port 1863. So, restrict outgoing traffic by destination port and source ip and you should take care of most nastiness :)

    --
    ---- Put Sig here:
  59. Re:Group policies are not the solution by melonman · · Score: 1

    Yes, for the client, but can you log the traffic centrally? I think a logging system that required each user to hand over the incriminating data at the end of each session would be considered inadequate, even in corporate America.

    --
    Virtually serving coffee