Blocking MSN Messenger?
Tekno2k3 asks: "As a sysadmin for a financial company, I have been tasked with removing Instant Messaging from our network. The only service that is being difficult is MSN Messenger. It uses many methods to get around being blocked. These include using port 80, using its own DNS servers for lookup, using MANY logon servers, and using reverse DNS lookup. Has anyone had any success in blocking Messenger?"
Disable MSN Messenger via group policy.
Block port 1863 (tcp) at the router/nat box/whatever.
On your web proxies (if you have them), block HTTP messages with the mime type "application/x-msn-messenger" and turn off HTTP CONNECT support for port 1863.
Turn off SOCKS for port 1863, too.
One thing that could be done is to forcibly remove any software installed on the machines (using things like SMS or LANDesk) that shouldn't be on there... including any IM tools that they want to block. Once you remove them, keep a log/audit of which apps are running on which machines on a daily basis and those who continue to install software that is banned should be passed on to management.
:)
With MSN Messenger literally embedded in Windows XP, that may be a bit hard unless you create a policy that not only hides the program but also restricts access to the application's folder and executables to the domain administrator or equivalent account if you are in an NT4/AD/NDS environment.
Just some thoughts... though I really don't know how useful they are
Have you tried Packeteer? Many educational institutions use it to shape and manage traffic. They also have a help page describing how to control instant messaging including MSN.
Won't work for people who have ever connected before. The IP address is cached for future connections.
You can just delete it, but make sure you delete it from both the program folder, and %SYSTEMROOT%\system32\dllcache which is where the "protected" copies live.
An easier way is to edit %systemroot%\inf\sysoc.inf
Open it in Notepad and under the Edit > Replace menu, replace all instances of HIDE with nothing, save, reboot. Then you can go to Control Panel > Add/Remove Programs and tell Windows to remove it.
jX [ Make everything as simple as possible, but no simpler. - Einstein ]
Actually, in some 'sensitive' companies (for example: stock exchange brokers) all communications involving a third party are officially tapped.
It's done in order to prevent some obvious abuses.
RTFP. He's a sysadmin in the financial business, where IM that's not encrypted and securely logged is basically illegal (per SEC regulations). There are some (non-free) IM solutions that offer that functionality, though.
Actually, I doubt this is BS in this particular case. The specific case in question is in the financial sector, and it is often a requirement that *all* electronic communication is logged in such places to help prevent insider trading etc. Legitimate or not, if IM provides no logging of conversations then such institutions will need to evict it from their network.
UNIX? They're not even circumcised! Savages!
I used group policy software distribution to force the install of Windows Messenger on all computers. Windows Messenger is a slightly different version than MSN Messenger but it can also connect to the IM system of Exchange. We use that in house as our instant messaging system.
Once installed, you can use Group Policies to lock Windows Messenger down. With registry keys embedded in the policies you can disable file transfer, video chat and even outside communications (to the internet, not intranet) of the client.
We disabled file transfer to avoid viruses slipping in via this way.
If I am correct you can even set Windows Messenger to have priority over MSN Messenger, thus disabling the MSN version. In this way you should have full control over the IM system. Check the Knowledge Base and TechNet for the necessary info. If necessary, contact me.
In a financial services environment this is definitely not petty. If I remember a previous discussion correctly they are required by law to log all IM activity - not an easy proposition. Failure to do so will get them an unpleasant visit from the SEC.
The firewall blocks all packets to/from messenger.hotmail.com. The XFR packet never gets there.
But if a user has already previously connected to messenger.hotmail.com and received an XFR, the client will cache the IP address given to it by the XFR. Therefore blocking only messenger.hotmail.com (the dispatch server), and not all the possible notification servers, "won't work for people who have ever connected before."
I'm assuming of course direct connections through messenger.hotmail.com. Blocking gateway.messenger.hotmail.com will block access through the HTTP proxy (at least until the IP address changes).
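As an added example that is not part of any post in this thread: a proxy-log audit that flags requests by the three indicators mentioned above (TCP port 1863, the `application/x-msn-messenger` MIME type, and the two `messenger.hotmail.com` hostnames), so that clients using a cached IP address still show up by port or MIME type. The log layout, sample lines and function names are assumptions made for the example.

```python
from urllib.parse import urlsplit

MSN_PORT = 1863                            # port named in the thread
MSN_MIME = "application/x-msn-messenger"   # MIME type named in the thread
MSN_HOSTS = {"messenger.hotmail.com", "gateway.messenger.hotmail.com"}

# Constructed sample lines in a hypothetical proxy log layout:
#   epoch client method target status mime
SAMPLE_LOG = """\
1061300001 10.0.4.17 CONNECT messenger.hotmail.com:1863 200 -
1061300002 10.0.4.17 POST http://gateway.messenger.hotmail.com/x 200 application/x-msn-messenger
1061300004 10.0.4.31 CONNECT 192.0.2.55:1863 403 -
1061300005 10.0.4.40 POST http://192.0.2.80/x 200 Application/X-MSN-Messenger; charset=utf-8
1061300006 10.0.4.22 CONNECT bank.example:443 200 -
"""

def split_target(method, target):
    """Return (host, port) from a CONNECT host:port or an absolute URL."""
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        return host.lower(), int(port) if port.isdigit() else None
    try:
        parts = urlsplit(target)
        return (parts.hostname or "").lower(), parts.port or 80
    except ValueError:                     # unparsable port in the URL
        return "", None

def scan(log_text):
    """List (client, indicators, got_through) for every matching request."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue                       # malformed line
        _, client, method, target, status, mime = fields
        host, port = split_target(method.upper(), target)
        checks = {
            "port-1863": port == MSN_PORT,
            "msn-mime": mime.split(";")[0].strip().lower() == MSN_MIME,
            "msn-host": host in MSN_HOSTS,
        }
        hits = [name for name, hit in checks.items() if hit]
        if hits:                           # 2xx status: the proxy let it through
            findings.append((client, hits, status.startswith("2")))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Entries whose third field is `True` are requests the proxy still allowed; the IP-literal lines match on port or MIME type alone, which is the cached-address case raised in the thread.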