Slashdot Mirror


Blocking MSN Messenger?

Tekno2k3 asks: "As a sysadmin for a financial company, I have been tasked with removing Instant Messaging from our network. The only service that is being difficult is MSN Messenger. It uses many methods to get around being blocked. These include using port 80, using its own DNS servers for lookup, using MANY logon servers, and using reverse DNS lookup. Has anyone had any success in blocking Messenger?"

21 of 236 comments

  1. Group policies are the solution by Anonymous Coward · · Score: 5, Informative

    Disable MSN Messenger via group policy.

  2. Try this. by rplacd · · Score: 5, Informative

    Block port 1863 (tcp) at the router/nat box/whatever.

    On your web proxies (if you have them), block HTTP messages with the mime type "application/x-msn-messenger" and turn off HTTP CONNECT support for port 1863.

    Turn off SOCKS for port 1863, too.

    1. Re:Try this. by questionlp · · Score: 5, Informative

      According to my Gaim accounts.xml file (which stores passwords in clear-text unfortunately), port 1863 should be blocked (just to be safe, both TCP and UDP) and block outbound traffic going to messenger.hotmail.com [207.46.104.20]. Keep an eye on the IP that is resolved for that host name to make sure that it doesn't change in the future :)

    2. Re:Try this. by Basje · · Score: 4, Informative

      I did this with my old company. They had a very strict firewall policy, and to get a port open, you had to get through higher management.

      Of course, they blocked anything apart from 80, 443 and 25, and checked the type of protocol that went over it. 80 only accepted http. Which was real handy, considering we were an internet company, and had support contracts we had to fulfil. Not. No SSH, no newsgroups to look for answers, no remote admin tools...

      So I took httptunnel, and tunneled ssh over it. My boss was ecstatic. Now we didn't have to use the phone anymore to connect to the internet in earnest. We could actually help out customers!

      Moral of this story: when people get so resourceful as to tunnel through your firewall, consider that it's time to review your policy: they obviously perceive a need to do so. A 'block anything that goes in and block anything that goes out' policy doesn't really work in many cases, other than frustrating the work.

      </rant>

      --
      the pun is mightier than the sword
  3. Re:The easy way isn't always popular by questionlp · · Score: 3, Informative

    One thing that could be done is to forcibly remove any software installed on the machines (using things like SMS or LANDesk) that shouldn't be on there... including any IM tools that they want to block. Once you remove them, keep a log/audit of which apps are running on which machines on a daily basis and those who continue to install software that is banned should be passed on to management.

    With MSN Messenger literally embedded in Windows XP, that may be a bit hard unless you create a policy that not only hides the program but also restricts access to the application's folder and executables to the domain administrator or equivalent account if you are in an NT4/AD/NDS environment.

    Just some thoughts... though I really don't know how useful they are :)

  4. Packeteer by gooru · · Score: 5, Informative

    Have you tried Packeteer? Many educational institutions use it to shape and manage traffic. They also have a help page describing how to control instant messaging including MSN.

  5. Simple by Kizzle · · Score: 2, Informative

    Everyone is getting all technical about this but it's very easy. Just block messenger.hotmail.com. Voilà, MSN Messenger stops working. It connects to this central server to find out what server to use.

    1. Re:Simple by anthony_dipierro · · Score: 3, Informative

      Won't work for people who have ever connected before. The IP address is cached for future connections.

    2. Re:Simple by anthony_dipierro · · Score: 3, Informative

      The firewall blocks all packets to/from messenger.hotmail.com. The XFR packet never gets there.

      But if a user has already previously connected to messenger.hotmail.com and received an XFR, the client will cache the IP address given to it by the XFR. Therefore blocking only messenger.hotmail.com (the dispatch server), and not all the possible notification servers, "won't work for people who have ever connected before."

      I'm assuming of course direct connections through messenger.hotmail.com. Blocking gateway.messenger.hotmail.com will block access through the HTTP proxy (at least until the IP address changes).
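
The indicators named in the comments above (port 1863, HTTP CONNECT to port 1863, the MIME type application/x-msn-messenger, and the two hotmail.com host names) can be checked against proxy logs to see which clients still reach the service when only the dispatch host is blocked. This is an added example, not code from the thread; the Squid-style access.log lines, client addresses and URL paths are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators taken from the comments above.
MSN_PORT = "1863"
MSN_MIME = "application/x-msn-messenger"
MSN_HOSTS = {"messenger.hotmail.com", "gateway.messenger.hotmail.com"}

# Constructed sample in Squid's native access.log layout:
# time elapsed client code/status bytes method URL ident peer mime
SAMPLE_LOG = """\
1046886400.123 210 10.0.0.21 TCP_MISS/200 512 POST http://gateway.messenger.hotmail.com/constructed-path - DIRECT/207.46.104.20 application/x-msn-messenger
1046886401.456 95 10.0.0.22 TCP_MISS/200 3120 GET http://example.com/index.html - DIRECT/192.0.2.10 text/html
1046886402.789 1500 10.0.0.23 TCP_MISS/200 8040 CONNECT 192.0.2.55:1863 - DIRECT/192.0.2.55 -
1046886403.012 80 10.0.0.21 TCP_MISS/200 900 CONNECT secure.example.com:443 - DIRECT/192.0.2.11 -
1046886404.345 120 10.0.0.24 TCP_MISS/200 640 POST http://192.0.2.77/constructed-path - DIRECT/192.0.2.77 application/x-msn-messenger
"""

def indicators(line):
    """Return (client, set of matched indicator names) for one log line."""
    fields = line.split()
    if len(fields) < 10:
        return None, set()              # malformed or truncated line
    client, method, url, mime = fields[2], fields[5], fields[6], fields[9]
    if method == "CONNECT":             # CONNECT targets are host:port, not URLs
        host, _, port = url.rpartition(":")
    else:
        try:
            parts = urlsplit(url)
            host, port = parts.hostname or "", str(parts.port or 80)
        except ValueError:              # unparsable port in the URL
            return client, set()
    hits = set()
    if port == MSN_PORT:
        hits.add("connect-1863" if method == "CONNECT" else "port-1863")
    if mime.lower() == MSN_MIME:
        hits.add("mime")
    if host.lower() in MSN_HOSTS:
        hits.add("host")
    return client, hits

def audit(log_text):
    """Map each client address to every indicator it matched."""
    report = defaultdict(set)
    for line in log_text.splitlines():
        client, hits = indicators(line)
        if hits:
            report[client] |= hits
    return dict(report)

if __name__ == "__main__":
    for client, hits in sorted(audit(SAMPLE_LOG).items()):
        print(client, ",".join(sorted(hits)))
```

In the sample, 10.0.0.23 and 10.0.0.24 match only the port and MIME-type indicators, which is the traffic a host-name-only block would miss.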

  6. Re:The easy way isn't always popular by bluephone · · Score: 5, Informative

    Actually, it IS possible to remove MSN Messenger, and even things like Outlook Express. Two ways actually.

    You can just delete it, but make sure you delete it from both the program folder, and %SYSTEMROOT%\system32\dllcache which is where the "protected" copies live.

    An easier way is to edit %systemroot%\inf\sysoc.inf

    Open it in Notepad and under the Edit > Replace menu, replace all instances of HIDE with nothing, save, reboot. Then you can go to Control Panel > Add/Remove Programs and tell Windows to remove it.

    --
    jX [ Make everything as simple as possible, but no simpler. - Einstein ]
  7. Re:Why block MSN? by thesnide · · Score: 3, Informative

    Actually, in some 'sensitive' companies (for example: stock exchange brokers) all communications involving a third party are officially tapped.
    It's done in order to prevent some obvious abuses.

  8. Re:Why block MSN? by leviramsey · · Score: 5, Informative

    RTFP. He's a sysadmin in the financial business, where IM that's not encrypted and securely logged is basically illegal (per SEC regulations). There are some (non-free) IM solutions that offer that functionality, though.

  9. Re:The easy way isn't always popular by Zocalo · · Score: 4, Informative

    Actually, I doubt this is BS in this particular case. The specific case in question is in the financial sector, and it is often a requirement that *all* electronic communication is logged in such places to help prevent insider trading etc. Legitimate or not, if IM provides no logging of conversations then such institutions will need to evict it from their network.

    --
    UNIX? They're not even circumcised! Savages!
  10. Block one, block them all? by __aafkqj3628 · · Score: 2, Informative

    You may be able to block the win32 client, but that does not stop employees from using services like http://www.wbmsn.com/ (MSN) or http://go.icq.com/ (ICQ) for their IM needs.

    Alternatively, a mass block of Microsoft's IP address range(s) should help stop people being able to connect (and you'll also kill hotmail, passport and a lot of their other useless services with the same stone).

  11. Install Messenger mandatory and lock it down by wimbor · · Score: 5, Informative

    I did the exact opposite at our company.

    I used group policy software distribution to force the install of Windows Messenger on all computers. Windows Messenger is a slightly different version than MSN Messenger but it can also connect to the IM system of Exchange. We use that in house as our instant messaging system.

    Once installed, you can use Group Policies to lock Windows Messenger down. With registry keys embedded in the policies you can disable file transfer, video chat and even outside communications (to the internet, not intranet) of the client.

    We disabled file transfer to avoid viruses slipping in via this way.

    If I am correct you can even set Windows Messenger to have priority over MSN Messenger, thus disabling the MSN version. In this way you should have full control over the IM system. Check the knowledge base and TechNet for the necessary info. If necessary, contact me.

  12. Re:How to stop MSN Messenger? You kidding? by Loosewire · · Score: 2, Informative

    err , gAIM, AMSN, Kopete
    I'm using MSN from linux right now on this machine :-D

    --
    Slashdot - The one stop shop for procrastination
  13. Re:The easy way isn't always popular by gallen1234 · · Score: 4, Informative

    In a financial services environment this is definitely not petty. If I remember a previous discussion correctly they are required by law to log all IM activity - not an easy proposition. Failure to do so will get them an unpleasant visit from the SEC.

  14. linux/ipchains by ohchaos · · Score: 2, Informative

    I block MSMessenger without any problems with the following rules:

    ipchains -A input -p TCP -b --sport 1863 -j DENY
    ipchains -A input -b -d 64.4.13.0/24 -j DENY

    Now the extremely persistent Yahoo IM is something I still haven't nailed down yet...

  15. Why? Because it's against the rules, and law. by nurb432 · · Score: 2, Informative

    In this case being a finance institution, they have to log all conversations or possibly face fines.

    In 99% of normal businesses, it's NOT needed to have outside IM access, period. If you need IM communication between your employees, great, then you use a secure internal IM setup, with no outside server access. For people outside the firewall like sales guys, they VPN back in.

    It's not in best business interest to let you talk to your wife, or friend down the street about where to go for lunch. Regardless of what you might think.

    Phones the same, many don't get outside line access. It's ONLY internal calls that they can make, unless they have a business case to get 'out'.

    --
    ---- Booth was a patriot ----
  16. Re:The easy way isn't always popular by Jucius+Maximus · · Score: 2, Informative

    "Are you fucking serious? Really. Have you ever had a job before? You can't go around firing people for petty reasons like instant messaging"

    Instant messaging could be considered to be inappropriate use of company resources. That's pretty serious. It's also a security vulnerability because someone could send you a trojan. Violating the company's security policies is pretty serious too. Aren't there rules about the logging of business communications? Could the company get in trouble with the SEC if they don't properly log everything like IMs? Yes, employees could get into big trouble for using MSN IM. It's not such a petty little thing.

  17. Re:The easy way isn't always popular by bigsteve@dstc · · Score: 2, Informative

    "A workplace requirement for communication monitoring; e.g. finance, defence, etc. A futile maneuver that can easily be flouted by using steganography in e-mails."

    This is not futile. The monitoring system will record the email including the steganographic content, and a (later) forensic audit may reveal that content. This may be sufficient to secure a criminal conviction, if not to deter the activity in the first place.

    "A need to protect infrastructure; e.g. against viruses. That's also futile, if they're using windows. Messenger is a tiny minor hole compared to the gaping ones in the OS itself."

    In the real world, organisations will employ various mechanisms to protect their infrastructure, even though they know those measures to not be completely effective. Instant messaging might be a "tiny hole" (I don't know what evidence you have for the statement). But it may also be the security hole that gets exploited, because the other holes are adequately plugged.

    "A need to conserve bandwidth, or control network usage charges. Text messaging uses negligible bandwidth, and bandwidth costs less than 1/10 of a cent in bulk, meaning that if I used IM a lot for years and years it might cost the company an extra 1/10 of a cent in bandwidth out of my $50,000+/year salary. It's a grain of sand in the sea. All of those reasons are bunk, and would only provide justification to those who truly have their heads up their asses."

    A month ago I was installing software at a client site. They had 500 odd employees, and all of their external communications went through an overloaded 500Kbit pipe. Downloading a 40Mbyte installer took 1 1/2 hours. This is not bullshit! I didn't ask why they couldn't simply upgrade their network connection, but I didn't need to. The answer would have been that they didn't have flexibility to reallocate resources to address the problem. (This was a government dept.)

    Just because you haven't had enough real-world experience to recognize these situations, doesn't mean that they do not exist.