Slashdot Mirror


Blocking MSN Messenger?

Tekno2k3 asks: "As a sysadmin for a financial company, I have been tasked with removing Instant Messaging from our network. The only service that is being difficult is MSN Messenger. It uses many methods to get around being blocked. These include using port 80, using its own DNS servers for lookup, using MANY logon servers, and using reverse DNS lookup. Has anyone had any success in blocking Messenger?"

17 of 236 comments

  1. packet shaping by Satai · · Score: 3, Interesting

    Use a packet shaper. The one that comes to mind (proprietary, however) is Packeteer. These filter based on protocol (I think), so usually they can keep out resourceful programs like gnutella, etc.

    1. Re:packet shaping by ILEoo · · Score: 2, Interesting

      or free snitch includes support for l7-shaping (with a patch, see website)

  2. Re:Try this. by rplacd · · Score: 3, Interesting

    Oh, also. I've caught people using http redirectors. You run an app on your desktop that acts like a socks or http proxy. It encodes tcp traffic in http headers, sends it out to a site that demangles the packets and forwards them on.

    There are a few commercial companies providing this support, and pretty much everyone can set up their own tunnel. While it's not that hard to track down the commercial stuff, I'm not sure how you'd defeat the guy running a proxy redirector on his DSL'd box at home. The latter hasn't been a problem for my workplace...yet.

  3. Brute force by {8_8} · · Score: 3, Interesting

    This is a very inelegant approach, but I suppose you could block EVERY logon server at the router. There has to be a finite number of logon servers out there, so all you'd have to do is sit down for X amount of time with an MSN client and monitor outgoing traffic from your IP. Block each logon server as it comes up, wait for the client to reconnect, block that server, rinse, repeat.

    Also, you could try looking for the location that the MSN client fetches the server list from and block that IP. If the list is stored locally, it'd be even easier to find and block those servers.

    Of course, the above approach assumes that the router can handle blocking X amount of IPs. I wouldn't put it past MS to have hundreds or thousands of servers out there.

  4. Tell people not to use it... by anthony_dipierro · · Score: 5, Interesting

    Then log all access to port 1863.

  5. Re:Simple by anthony_dipierro · · Score: 4, Interesting

    It won't work in all circumstances. When my DNS goes down, MSN Messenger still works. That's because it saves the last IP address in the registry. Just use regedit and you can confirm this for yourself. Trust me, I've written an MSN Messenger server, I know this shit.

  6. Group Policies by fluor2 · · Score: 3, Interesting

    Hey,

    you can block stuff like this using Group Policies (GPO's). I think you should start asking at news.microsoft.com at their group policy newsgroups.

    If you have windows XP's as a member of your domain, you can easily block it using GPO.

  7. Re:Why block MSN? by dotpl · · Score: 3, Interesting

    I totally agree with your point, but I have a similar situation, we have a lot of computers that share the internet connection, and there ain't that much bandwidth (around 40Kbits/sec if you're lucky)

    so sometimes I want to block MSN because the connection gets too slow for legitimate use, and I know most of the people in the office are just chatting with friends and getting no real work done, and, eventually, preventing me from doing my work, which requires being 90% of the time online.

  8. Re:Simple by anthony_dipierro · · Score: 2, Interesting

    what about a script that queries DNS for messenger.hotmail.com, then blocks the IP address returned?

    Won't work. Messenger.hotmail.com is only contacted the first time you connect. After that you are redirected to a new IP address which is based on your username. That's how Microsoft load balances the connections.

  9. Re:Why block MSN? by innosent · · Score: 2, Interesting

    Yeah, I have a similar situation, since I work as a programmer for a medical lab. The answer is, write your own client, and block/uninstall everything else. Plus, by writing your own IM client/server (since this is the best model for logging and administration, p2p is not as useful for logging), you can add your own functionality, like controlling buddy lists, spying, shutting down systems, etc. (Mine has a nice feature to disconnect and lockout a user from the system when they are fired, in order to avoid problems while they're packing their things).
    It is actually quite easy to code this up, and it gives you full control over what happens.

    --
    --That's the point of being root, you can do anything you want, even if it's stupid.
  10. Re:An alternative approach by jurrehart · · Score: 2, Interesting

    The alternative approach really works. I used it once for HTTP limitations. The user would connect to our intranet server to compile his/her timesheet. Before getting to the timesheet there was a page: your latest 50 URLs are: ...

    Each URL was checked against certain domains and keywords; when the URL matched a non-productive rule the line would be set in red. E.g. playboy.com would be viewed as a red line.

    After some days even the boss stopped surfing to certain sites ;)

  11. Re:Try this. by Elwood+P+Dowd · · Score: 3, Interesting

    I've worked in QA where employees have had to open dialup ISP accounts on personal credit cards so that they could actually test the products they were given.

    The product would try to go contact our company's webserver for some kind of content, but it wasn't proxy-aware. And they still wouldn't put us out on the internet.

    We never had to escalate it, 'cause of some employees taking it into their own hands, but that was incredible. Blew my damn mind.

    --

    There are no trails. There are no trees out here.
  12. Re:Don't block it, sniff it. by ColaMan · · Score: 3, Interesting

    I joke about all this stuff, but seriously, I had a person email me a resume for a job we had open from "fatshaft42" at a well known free email provider.

    Of course, all the girls in the office wanted to hire him but it did nothing for his professional appeal. Well, if we were an escort agency maybe it would have.....

    --

    You are in a twisty maze of processor lines, all alike.
    There is a lot of hype here.
  13. Very easy by duffbeer703 · · Score: 4, Interesting

    Disable via the registry with login scripts

    http://www.winguides.com/registry/display.php/981/

    Or group policy

    http://www.subvers.com/technobabble/html/tweaks/Group%20Policy%20Registry%20Editor.htm

    If you have wildcat machines that people just set up on their own, you have a larger problem.

    --
    Conformity is the jailer of freedom and enemy of growth. -JFK
  14. Re:Try this. by jonadab · · Score: 2, Interesting

    If you're going to go down that path, what about the guy who uses
    X11 forwarding or VNC or what-have-you to access his home system
    and run the IM on that, displaying it on his desktop at work?

    --
    Cut that out, or I will ship you to Norilsk in a box.
  15. Re:The easy way isn't always popular by op00to · · Score: 2, Interesting

    Case in point:

    I work for a large state university.

    There are very strict laws regarding the use and storage of any student information. A student's personal data (SSN, Address, on campus phone #) must be kept private at all costs.

    When word got out that some departments were using AIM to send student information between employees, a lot of people got very nervous.

    To fix this situation, we set up an internal SSL'd Jabber Server. Even though the rules are clear, some people still try to use AIM.

    In this situation, for those employees who are working with this student data, it would not be outrageous to make sure that there is no way that this data could be sent over a connection through AOL's servers.

    The burden of proof is on the University to make sure that this information is being used and stored in a manner consistent with the law. To be extra 100% sure, the best way to solve this issue is to block access to IM services.

    The best way that I would think of doing this is just to firewall off all the machines from the internet, and have the machines use a web proxy for outside web access. If a user uses the proxy to run their MSN client, it would be fairly easy to spot in the logs of the proxy server.

    This is not BS. It doesn't matter if you "Trust" someone or not -- this is the real world. High schools are anal with their students because high school students are uncivilized beasties. Businesses and the like are anal because they get in deep shit if an employee mistakenly pastes some sort of information in the wrong application.

    It's not petty -- in fact, in both situations, High Schools and Businesses have liability that isn't exactly trivial. I would say that this situation is the exact opposite of petty.
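
The proxy-log review described in the comment above, combined with the port 1863 logging suggested earlier in the thread, as an added example that is not part of the original thread: it scans Squid-format access log lines for CONNECTs to port 1863, requests to messenger.hotmail.com hosts, and an MSN-specific content type. The log lines are constructed, and Squid as the proxy and the MIME type are assumptions not stated in the thread.

```python
from collections import defaultdict
from urllib.parse import urlsplit

MSN_PORT = "1863"                     # port named in the thread
MSN_DOMAIN = "messenger.hotmail.com"  # hostname named in the thread
# Assumption, not from the thread: MIME type of the client's HTTP fallback.
MSN_MIME = "application/x-msn-messenger"

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client action/code bytes method URL ident hierarchy/peer mime
SAMPLE_LOG = """\
1046700000.101 180 10.0.0.15 TCP_MISS/200 1422 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
1046700050.500 30000 10.0.0.22 TCP_MISS/200 2048 CONNECT 198.51.100.7:1863 - DIRECT/198.51.100.7 -
1046700061.220 95 10.0.0.31 TCP_MISS/200 310 POST http://gateway.messenger.hotmail.com/gateway/gateway.dll - DIRECT/198.51.100.8 application/x-msn-messenger
1046700070.010 120 10.0.0.40 TCP_MISS/200 900 GET http://mymessenger.hotmail.com.example.net/ - DIRECT/192.0.2.44 text/html
"""

def classify(method, url, mime):
    """Return the reasons (possibly none) a request looks like Messenger."""
    if method == "CONNECT":           # CONNECT carries host:port, not a URL
        host, _, port = url.rpartition(":")
    else:
        try:
            parts = urlsplit(url)
            host, port = parts.hostname or "", str(parts.port or 80)
        except ValueError:            # unparsable port in the URL
            host, port = "", ""
    host = host.lower()
    reasons = []
    if port == MSN_PORT:
        reasons.append("port-1863")
    # Exact or dot-bounded suffix match, so look-alike names are not flagged.
    if host == MSN_DOMAIN or host.endswith("." + MSN_DOMAIN):
        reasons.append("messenger-host")
    if mime.lower() == MSN_MIME:
        reasons.append("msn-mime")
    return reasons

def scan(log_text):
    """Map each client IP to the sorted reasons seen across its requests."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue                  # malformed or truncated line
        hits[fields[2]].update(classify(fields[5], fields[6], fields[9]))
    return {client: sorted(r) for client, r in hits.items() if r}
```

The CONNECT line is flagged on the port alone, which covers the cases other commenters raise where the client goes straight to a cached or redirected IP address and no hostname ever appears in the log.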

  16. Re:Group policies are the solution by leifm · · Score: 2, Interesting

    XP Pro has a number of things I don't think have a place in corporate environments. Such as MSN Explorer, Messenger (the non-exchange one at least), Windows Movie Maker, Media Player, games. You would think that in the Pro version at least you could remove these things. I have been unsuccessful at ridding my work box of anything but Messenger.

    --

    "Windows Me offers tremendous reliability and stability improvements..." -- Paul Thurott