Slashdot Mirror


Blocking MSN Messenger?

Tekno2k3 asks: "As a sysadmin for a financial company, I have been tasked with removing Instant Messaging from our network. The only service that is being difficult is MSN Messenger. It uses many methods to get around being blocked. These include using port 80, using its own DNS servers for lookup, using MANY logon servers, and using reverse DNS lookup. Has anyone had any success in blocking Messenger?"

66 of 236 comments

  1. Group policies are the solution by Anonymous Coward · · Score: 5, Informative

    Disable MSN Messenger via group policy.

    1. Re:Group policies are the solution by Directrix1 · · Score: 2, Insightful

      Instead of going the technical approach, have you ever considered proposing the idea of docking pay, and/or firing? Most people need their jobs more than they need instant messaging. Also, why are you letting your users install programs on the company's computers? Do you have everyone run as admin?

      --
      Occam's razor is the blind faith in the natural selection of least resistance and in universal oversimplification. -- EF
    2. Re:Group policies are the solution by MrResistor · · Score: 4, Insightful

      Yes, there are others, but do we really think that the Average Joe IM-Abuser-At-Work will know of these programs?

      Yes, within a week of whatever he was using being blocked. It only takes one person to figure it out, and word will spread.

      --
      Under capitalism man exploits man. Under communism it's the other way around.
    3. Re:Group policies are the solution by leifm · · Score: 2, Interesting

      XP Pro has a number of things I don't think have a place in corporate environments. Such as MSN Explorer, Messenger (the non-exchange one at least), Windows Movie Maker, Media Player, games. You would think that in the Pro version at least you could remove these things. I have been unsuccessful at ridding my work box of anything but Messenger.

      --

      "Windows Me offers tremendous reliability and stability improvements..." -- Paul Thurott
  2. The easy way isn't always popular by seinman · · Score: 5, Funny

    Fire everyone who's caught using it. Eventually you'll fire enough people that they'll be afraid to open it. Just like the RIAA suing P2P users... eventually nobody will share because they'll be afraid of lawsuits.

    1. Re:The easy way isn't always popular by questionlp · · Score: 3, Informative

      One thing that could be done is to forcibly remove any software installed on the machines (using things like SMS or LANDesk) that shouldn't be on there... including any IM tools that they want to block. Once you remove them, keep a log/audit of which apps are running on which machines on a daily basis and those who continue to install software that is banned should be passed on to management.

      With MSN Messenger literally embedded in Windows XP, that may be a bit hard unless you create a policy that not only hides the program but also restricts access to the application's folder and executables to the domain administrator or equivalent account if you are in an NT4/AD/NDS environment.

      Just some thoughts... though I really don't know how useful they are :)

    2. Re:The easy way isn't always popular by bluephone · · Score: 5, Informative
      Actually, it IS possible to remove MSN Messenger, and even things like Outlook Express. Two ways actually.

      You can just delete it, but make sure you delete it from both the program folder, and %SYSTEMROOT%\system32\dllcache which is where the "protected" copies live.

      An easier way is to edit %systemroot%\inf\sysoc.inf

      Open it in Notepad and under the Edit > Replace menu, replace all instances of HIDE with nothing, save, reboot. Then you can go to Control Panel > Add/Remove Programs and tell Windows to remove it.

      --
      jX [ Make everything as simple as possible, but no simpler. - Einstein ]
    3. Re:The easy way isn't always popular by bigsteve@dstc · · Score: 2, Funny
      Eventually you'll fire enough people that they'll be afraid to open it.
      ... or there won't be anyone left to fire :-).
    4. Re:The easy way isn't always popular by bigsteve@dstc · · Score: 4, Insightful
      You can't go around firing people for petty reasons like instant messaging.
      Who are you to say that this would be petty? I can think of any number of reasons why instant messaging might be deemed highly inappropriate in a particular workplace. If that is the case, AND management has made this clear to all employees, then somebody who willfully flouts the rules deserves to be sacked.
    5. Re:The easy way isn't always popular by Tuxinatorium · · Score: 2, Insightful

      I call BS. Instant messaging is a useful tool that has many legitimate applications in the workplace, and in any case should be acceptable to use during breaks just like a cell phone, etc. Banning IM programs just means they don't trust the employees, and it's analogous to a high school where students aren't allowed to leave the building during lunch break. That's petty.

    6. Re:The easy way isn't always popular by Zocalo · · Score: 4, Informative

      Actually, I doubt this is BS in this particular case. The specific case in question is in the financial sector, and it is often a requirement that *all* electronic communication is logged in such places to help prevent insider trading etc. Legitimate or not, if IM provides no logging of conversations then such institutions will need to evict it from their network.

      --
      UNIX? They're not even circumcised! Savages!
    7. Re:The easy way isn't always popular by gallen1234 · · Score: 4, Informative

      In a financial services environment this is definitely not petty. If I remember a previous discussion correctly they are required by law to log all IM activity - not an easy proposition. Failure to do so will get them an unpleasant visit from the SEC.

    8. Re:The easy way isn't always popular by JohnFluxx · · Score: 2, Funny

      punish anyone that doesn't use sametime ;)

    9. Re:The easy way isn't always popular by bigsteve@dstc · · Score: 2, Insightful
      Yes. Some employers don't trust their employees. And in some cases, the distrust is entirely justified. (In the same way, some high-school students are not worthy of trust. BTW, when I went to high school, we weren't allowed to leave the school grounds at lunch time. Those of us who had at least half a brain were capable of understanding why ... and it was nothing to do with pettiness.)

      Banning instant messaging might be counter productive if the aim is to increase the amount of work done. (It is bad for staff morale.) However, it is management's responsibility to manage productivity. If the workplace culture (or the nature of the work) is such that people find excuses to "bunk off" all of the time, then banning instant messaging as a time waster may be necessary. Besides, there are other (much stronger) reasons why instant messaging might be banned. For example:

      • A workplace requirement for communication monitoring; e.g. finance, defence, etc.
      • A need to protect infrastructure; e.g. against viruses.
      • A need to conserve bandwidth, or control network usage charges.
    10. Re:The easy way isn't always popular by Tekno2k3 · · Score: 2, Insightful

      The real point is that SEC says we HAVE to block it or log it via a server (not the logging that users initiate) or we get shut down.

    11. Re:The easy way isn't always popular by Jucius+Maximus · · Score: 2, Informative
      "Are you fucking serious? Really. Have you ever had a job before? You can't go around firing people for petty reasons like instant messaging"

      Instant messaging could be considered to be inappropriate use of company resources. That's pretty serious. It's also a security vulnerability because someone could send you a trojan. Violating the company's security policies is pretty serious too. Aren't there rules about the logging of business communications? Could the company get in trouble with the SEC if they don't properly log everything like IMs? Yes, employees could get into big trouble for using MSN IM. It's not such a petty little thing.

    12. Re:The easy way isn't always popular by op00to · · Score: 2, Interesting

      Case in point:

      I work for a large state university.

      There are very strict laws regarding the use and storage of any student information. A student's personal data (SSN, Address, on campus phone #) must be kept private at all costs.

      When word got out that some departments were using AIM to send student information between employees, a lot of people got very nervous.

      To fix this situation, we set up an internal SSL'd Jabber Server. Even though the rules are clear, some people still try to use AIM.

      In this situation, for those employees who are working with this student data, it would not be outrageous to make sure that there is no way that this data could be sent over a connection through AOL's servers.

      The burden of proof is on the University to make sure that this information is being used and stored in a manner consistent with the law. To be extra 100% sure, the best way to solve this issue is to block access to IM services.

      The best way that I would think of doing this is just to firewall off all the machines from the internet, and have the machines use a web proxy for outside web access. If a user uses the proxy to run their MSN client, it would be fairly easy to spot in the logs of the proxy server.

      This is not BS. It doesn't matter if you "Trust" someone or not -- this is the real world. High schools are anal with their students because high school students are uncivilized beasties. Businesses and the like are anal because they get in deep shit if an employee mistakenly pastes some sort of information in the wrong application.

      It's not petty -- in fact, in both situations, High Schools and Businesses have liability that isn't exactly trivial. I would say that this situation is the exact opposite of petty.

    13. Re:The easy way isn't always popular by bigsteve@dstc · · Score: 2, Informative
      A workplace requirement for communication monitoring; e.g. finance, defence, etc. A futile maneuver that can easily be flouted by using steganography in e-mails.

      This is not futile. The monitoring system will record the email including the steganographic content, and a (later) forensic audit may reveal that content. This may be sufficient to secure a criminal conviction, if not to deter the activity in the first place.

      A need to protect infrastructure; e.g. against viruses. That's also futile, if they're using windows. Messenger is a tiny minor hole compared to the gaping ones in the OS itself.

      In the real world, organisations will employ various mechanisms to protect their infrastructure, even though they know those measures to not be completely effective. Instant messaging might be a "tiny hole" (I don't know what evidence you have for the statement). But it may also be the security hole that gets exploited, because the other holes are adequately plugged.

      A need to conserve bandwidth, or control network usage charges. Text messaging uses negligible bandwidth, and bandwidth costs less than 1/10 of a cent in bulk, meaning that If I used IM a lot for years and years it might cost the company an extra 1/10 of a cent in bandwidth out of my $50,000+/year salary. It's a grain of sand in the sea. All of those reasons are bunk, and would only provide justification to those who truly have their heads up their asses.

      A month ago I was installing software at a client site. They had 500 odd employees, and all of their external communications went through an overloaded 500Kbit pipe. Downloading a 40Mbyte installer took 1 1/2 hours. This is not bullshit! I didn't ask why they couldn't simply upgrade their network connection, but I didn't need to. The answer would have been that they didn't have flexibility to reallocate resources to address the problem. (This was a government dept.)

      Just because you haven't had enough real-world experience to recognize these situations, doesn't mean that they do not exist.

  3. Try this. by rplacd · · Score: 5, Informative

    Block port 1863 (tcp) at the router/nat box/whatever.

    On your web proxies (if you have them), block HTTP messages with the mime type "application/x-msn-messenger" and turn off HTTP CONNECT support for port 1863.

    Turn off SOCKS for port 1863, too.
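The proxy-side indicators named in this comment (the "application/x-msn-messenger" MIME type and CONNECT requests to port 1863), turned into a log check of the kind op00to suggests above. This is an added example, not part of the original post; it assumes Squid's native access.log field order, and the log lines, addresses and URL paths are constructed.

```python
from urllib.parse import urlsplit

MSN_MIME = "application/x-msn-messenger"   # MIME type named in the comment
MSN_PORT = 1863                            # port named in the comment

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client action/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1061300000.123    210 10.0.0.21 TCP_MISS/200 512 POST http://gateway.messenger.hotmail.com/example? - DIRECT/192.0.2.10 application/x-msn-messenger
1061300001.456     95 10.0.0.22 TCP_MISS/200 8041 GET http://www.example.com/index.html - DIRECT/192.0.2.20 text/html
1061300002.789  60012 10.0.0.23 TCP_MISS/200 3120 CONNECT 192.0.2.30:1863 - DIRECT/192.0.2.30 -
1061300003.012   1200 10.0.0.22 TCP_MISS/200 9000 CONNECT bank.example.com:443 - DIRECT/192.0.2.40 -
1061300004.345     12 10.0.0.23 TCP_DENIED/403 1400 CONNECT 192.0.2.30:1863 - NONE/- text/html
1061300005.678    180 10.0.0.21 TCP_MISS/200 498 POST http://gateway.messenger.hotmail.com/example? - DIRECT/192.0.2.10 Application/X-MSN-Messenger
this line is truncated
"""


def parse_line(line):
    """Split one native-format line; return None if it is malformed."""
    parts = line.split()
    if len(parts) != 10:
        return None
    _ts, _elapsed, client, result, _size, method, url, _ident, _hier, ctype = parts
    return {
        "client": client,
        "action": result.split("/", 1)[0],   # e.g. TCP_MISS, TCP_DENIED
        "method": method.upper(),
        "url": url,
        "ctype": ctype.lower(),
    }


def target_port(method, url):
    """Return the explicit destination port of a request, if any."""
    if method == "CONNECT":                  # CONNECT logs "host:port"
        _host, sep, port = url.rpartition(":")
        return int(port) if sep and port.isdigit() else None
    try:
        return urlsplit(url).port            # None when no port is given
    except ValueError:                       # non-numeric or out-of-range port
        return None


def reasons_for(entry):
    """List which of the comment's indicators a log entry matches."""
    reasons = []
    if entry["ctype"].split(";")[0].strip() == MSN_MIME:
        reasons.append("mime")
    if target_port(entry["method"], entry["url"]) == MSN_PORT:
        reasons.append("connect-1863" if entry["method"] == "CONNECT"
                       else "port-1863")
    return reasons


def scan(log_text):
    """Aggregate matches per client; also count lines that failed to parse.

    'allowed' counts matching requests the proxy served, which means the
    block is not yet in place for that path; 'denied' counts attempts the
    proxy already refused.
    """
    report, skipped = {}, 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            skipped += 1
            continue
        reasons = reasons_for(entry)
        if not reasons:
            continue
        row = report.setdefault(
            entry["client"], {"allowed": 0, "denied": 0, "reasons": set()})
        key = "denied" if entry["action"].endswith("DENIED") else "allowed"
        row[key] += 1
        row["reasons"].update(reasons)
    return report, skipped


if __name__ == "__main__":
    report, skipped = scan(SAMPLE_LOG)
    for client, row in sorted(report.items()):
        print(client, row["allowed"], "allowed,", row["denied"], "denied,",
              ",".join(sorted(row["reasons"])))
    print("unparsed lines:", skipped)
```

A client with a non-zero "allowed" count is still getting through the proxy; traffic wrapped by the HTTP redirectors described in the reply below carries neither indicator and is not caught by this check.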

    1. Re:Try this. by rplacd · · Score: 3, Interesting

      Oh, also. I've caught people using http redirectors. You run an app on your desktop that acts like a socks or http proxy. It encodes tcp traffic in http headers, sends it out to a site that demangles the packets and forwards them on.

      There are a few commercial companies providing this support, and pretty much everyone can set up their own tunnel. While it's not that hard to track down the commercial stuff, I'm not sure how you'd defeat the guy running a proxy redirector on his DSL'd box at home. The latter hasn't been a problem for my workplace...yet.

    2. Re:Try this. by questionlp · · Score: 5, Informative

      According to my Gaim accounts.xml file (which stores passwords in clear-text unfortunately), port 1863 should be blocked (just to be safe, both TCP and UDP) and block outbound traffic going to messenger.hotmail.com [207.46.104.20]. Keep an eye on the IP that is resolved for that host name to make sure that it doesn't change in the future :)

    3. Re:Try this. by Basje · · Score: 4, Informative

      I did this with my old company. They had a very strict firewall policy, and to get a port open, you had to get through higher management.

      Of course, they blocked anything apart from 80, 443 and 25, and checked the type of protocol that went over it. 80 only accepted http. Which was real handy, considering we were an internet company, and had support contracts we had to fulfil. Not. No SSH, no newsgroups to look for answers, no remote admin tools...

      So I took httptunnel, and tunneled ssh over it. My boss was ecstatic. Now we didn't have to use the phone anymore to connect to the internet in earnest. We could actually help out customers!

      Moral of this story: when people get as resourceful to tunnel through your firewall, consider that it's time to review your policy: they obviously perceive a need to do so. A 'block anything that goes in and block anything that goes out' policy doesn't really work in many cases, other than frustrating the work.

      </rant>

      --
      the pun is mightier than the sword
    4. Re:Try this. by mcdrewski42 · · Score: 2, Insightful

      Why not map that name to a dud address too?

      I assume you ownzor the DNS that client PCs will use!

      --
      /* affect != effect */ void affect(int *thing,int effect) { *thing += effect; }
    5. Re:Try this. by Elwood+P+Dowd · · Score: 3, Interesting

      I've worked in QA where employees have had to open dialup ISP accounts on personal credit cards so that they could actually test the products they were given.

      The product would try to go contact our company's webserver for some kind of content, but it wasn't proxy-aware. And they still wouldn't put us out on the internet.

      We never had to escalate it, 'cause of some employees taking it into their own hands, but that was incredible. Blew my damn mind.

      --

      There are no trails. There are no trees out here.
    6. Re:Try this. by jonadab · · Score: 2, Interesting

      If you're going to go down that path, what about the guy who uses
      X11 forwarding or VNC or what-have-you to access his home system
      and run the IM on that, displaying it on his desktop at work?

      --
      Cut that out, or I will ship you to Norilsk in a box.
  4. Packeteer by gooru · · Score: 5, Informative

    Have you tried Packeteer? Many educational institutions use it to shape and manage traffic. They also have a help page describing how to control instant messaging including MSN.

  5. packet shaping by Satai · · Score: 3, Interesting

    Use a packet shaper. The one that comes to mind (proprietary, however) is Packeteer. These filter based on protocol (I think), so usually they can keep out resourceful programs like gnutella, etc.

    1. Re:packet shaping by ILEoo · · Score: 2, Interesting

      or free snitch includes support for l7-shaping (with a patch, see website)

  6. Simple by Kizzle · · Score: 2, Informative

    Everyone is getting all technical about this but it's very easy. Just block messenger.hotmail.com. Walla msn messenger stops working. It connects to this central server to find out what server to use.

    1. Re:Simple by anthony_dipierro · · Score: 3, Informative

      Won't work for people who have ever connected before. The IP address is cached for future connections.

    2. Re:Simple by anthony_dipierro · · Score: 4, Interesting

      It won't work in all circumstances. When my DNS goes down, MSN Messenger still works. That's because it saves the last IP address in the registry. Just use regedit and you can confirm this for yourself. Trust me, I've written an MSN Messenger server, I know this shit.

    3. Re:Simple by anthony_dipierro · · Score: 2, Interesting

      what about a script that queries DNS for messenger.hotmail.com, then blocks the IP address returned?

      Won't work. Messenger.hotmail.com is only contacted the first time you connect. After that you are redirected to a new IP address which is based on your username. That's how Microsoft load balances the connections.

    4. Re:Simple by anthony_dipierro · · Score: 3, Informative

      The firewall blocks all packets to/from messenger.hotmail.com. The XFR packet never gets there.

      But if a user has already previously connected to messenger.hotmail.com and received an XFR, the client will cache the IP address given to it by the XFR. Therefore blocking only messenger.hotmail.com (the dispatch server), and not all the possible notification servers, "won't work for people who have ever connected before."

      I'm assuming of course direct connections through messenger.hotmail.com. Blocking gateway.messenger.hotmail.com will block access through the HTTP proxy (at least until the IP address changes).

  7. Brute force by {8_8} · · Score: 3, Interesting

    This is a very inelegant approach, but I suppose you could block EVERY logon server at the router. There has to be a finite number of logon servers out there, so all you'd have to do is sit down for X amount of time with a MSN client and monitor outgoing traffic from your IP. Block each logon server as it comes up, wait for the client to reconnect, block that server, rinse, repeat.

    Also, you could try looking for the location that the MSN client fetches the server list from and block that IP. If the list is stored locally, it'd be even easier to find and block those servers.

    Of course, the above approach assumes that the router can handle blocking X amount of IPs. I wouldn't put it past MS to have hundreds or thousands of servers out there.

  8. Tell people not to use it... by anthony_dipierro · · Score: 5, Interesting

    Then log all access to port 1863.

  9. Kill the software. by flux4 · · Score: 2, Funny

    In addition to blocking MSN on the network, why not kill the software? This page discusses in gory detail the various methods of crippling/uninstalling/haxoring MSN software on the user machine, and making sure it won't come back. You have to be careful, as there are right ways and wrong ways to do it. My favourite method is to uninstall the software (made possible on XP via a convoluted run command), then place a blank file called "msn messenger" in Program Files. Installer won't work, and the user never goes into Program Files! It works.

    Having the software right out of the computer is a good thing, because then it can't begin to pester the user or remind them of their painful inability to chat.

  10. An alternative approach by skinfitz · · Score: 4, Funny

    Blocking 1863 does work, as I use that method myself.

    The only problem is that they will move on to the next messenger that works (like Yahoo! etc).

    If you wanted to be really insidious and get people to self police themselves, log all messenger messages and put a new section on your company's Intranet user customised page - something like "Hello xxxx, here are your last few messenger messages:

    [bIcycleSExfiEND] w00t!
    [cute^babe7599] SO BABEE U WANA C MY PIC?
    [bIcycleSExfiEND] yeah - send it
    [cute^babe7599] http://www.crackparty.com/showpictrojanisemachine? suckerid=bIcycleSExfiEND&referrid=1269
    ...

    Please contact the helpdesk if you would like a complete log.
    Have a nice day."

    ...and below that:
    Here are your last few web accesses:

    ... etc... you get the idea.

    1. Re:An alternative approach by jurrehart · · Score: 2, Interesting

      The alternative approach really works; I used it once for HTTP limitations. The user would connect to our intranet server to compile his/her timesheet. Before getting to the timesheet there was a page: "your latest 50 URLs are: ..."

      Each URL was checked on certain domains and keywords; when the URL matched a non-productive rule the line would be set in red. E.g. playboy.com would be viewed as a red line.

      After some days even the boss stopped surfing to certain sites ;)

    2. Re:An alternative approach by boredMDer · · Score: 2, Funny

      [cute^babe7599] http://www.crackparty.com/showpictrojanisemachine? suckerid=bIcycleSExfiEND&referrid=1269

      You know, it makes me wonder...how many people went to that link and were disappointed when they got a 'Connection Refused' error, and couldn't see cute^babe's pic...

      /me raises hand
      Okay, I admit it.

    3. Re:An alternative approach by cdrudge · · Score: 2, Funny

      Duh. You have to remove the space between the ? and suckerid. :)

    4. Re:An alternative approach by pla · · Score: 2, Insightful

      something like "Hello xxxx, here are your last few messenger messages:

      Something like that would make me very happy - Because I would have instant feedback about whether or not my attempts to circumvent stupid network usage policies had succeeded, and if so, did they work anonymously.

      Mind you, I don't care about visiting playboy.com from work - I never understood the point of porn at work anyway, since every work environment I've ever encountered made killing kittens all but impossible while there. But corporate IT departments have a bad habit of blocking valid, work-related traffic that they don't see the need for. "We notice you've visited alphaworks.ibm.com over fifty times in the last two weeks, so we've decided to block it to boost your productivity and ''help'' you not waste company resources.".

      Incidentally, I see the parent article's theme as very similar - Too many people use IM, so block it. This ignores the fact that many people using it may well have a valid, work-related reason for doing so. Personally I've used IM exactly three times (from home, not work, though), and each of those times I used it for the sole purpose of chatting with a fellow coder about something that, in another context, would count as work related (yeah, call me a geek, I actually code for fun).

  11. Why block MSN? by flikx · · Score: 3, Insightful

    The real question here is why block MSN? What about people who use instant messaging for legitimate business purposes?? People chat on telephones, and I don't see many offices rushing to ban them. Fire unproductive people, and let the rest of us communicate.

    --
    One future, two choices. Oppose them or let them destroy us.
    1. Re:Why block MSN? by thesnide · · Score: 3, Informative

      Actually, in some 'sensitive' companies (for example: stock exchange brokers) all communications involving a third party are officially tapped.
      It's done in order to prevent some obvious abuses.

    2. Re:Why block MSN? by leviramsey · · Score: 5, Informative

      RTFP. He's a sysadmin in the financial business, where IM that's not encrypted and securely logged is basically illegal (per SEC regulations). There are some (non-free) IM solutions that offer that functionality, though.

    3. Re:Why block MSN? by dotpl · · Score: 3, Interesting

      I totally agree with your point, but I have a similar situation, we have a lot of computers that share the internet connection, and there ain't that much bandwidth (around 40Kbits/sec if you're lucky)

      so sometimes I want to block MSN because the connection gets too slow for legitimate use, and I know most of the people in the office are just chatting with friends and getting no real work done, and, eventually, preventing me from doing my work, which requires being 90% of the time online.

    4. Re:Why block MSN? by innosent · · Score: 2, Interesting

      Yeah, I have a similar situation, since I work as a programmer for a medical lab. The answer is, write your own client, and block/uninstall everything else. Plus, by writing your own IM client/server (since this is the best model for logging and administration, p2p is not as useful for logging), you can add your own functionality, like controlling buddy lists, spying, shutting down systems, etc. (Mine has a nice feature to disconnect and lockout a user from the system when they are fired, in order to avoid problems while they're packing their things).
      It is actually quite easy to code this up, and it gives you full control over what happens.

      --
      --That's the point of being root, you can do anything you want, even if it's stupid.
    5. Re:Why block MSN? by fatrat · · Score: 3, Insightful

      > I can't wait until my generation is in charge.#

      and when you get there, you'll find that all the same regulations about being able to record all conversations/encrypt it etc still apply and so you'd still have to block MSN.

  12. Group Policies by fluor2 · · Score: 3, Interesting

    Hey,

    you can block stuff like this using Group Policies (GPO's). I think you should start asking at news.microsoft.com at their group policy newsgroups.

    If you have windows XP's as a member of your domain, you can easily block it using GPO.

  13. Don't block it, sniff it. by ColaMan · · Score: 4, Funny

    Get a MSN sniffer... the (very beta) one I used was called MSN666.

    Tell everyone that you're sniffing MSN messenger traffic, and that you can trace it to a person easily. Wait a day. Post a few innocuous messages between people on the noticeboard to prove it. Add a scrawled note on the bottom of the message saying "and, FatShaft42, you are one SICK Bastard! I'll be passing *your* messages onto HR!!" for maximum effect.

    --

    You are in a twisty maze of processor lines, all alike.
    There is a lot of hype here.
    1. Re:Don't block it, sniff it. by ColaMan · · Score: 3, Interesting

      I joke about all this stuff, but seriously, I had a person email me a resume for a job we had open from "fatshaft42" at a well known free email provider.

      Of course, all the girls in the office wanted to hire him but it did nothing for his professional appeal. Well, if we were an escort agency maybe it would have.....

      --

      You are in a twisty maze of processor lines, all alike.
      There is a lot of hype here.
  14. SEC rules by whoda · · Score: 2, Insightful

    Blame Enron and other such fiascos.
    Financial institutions have to record and hold all electronic communications for years now. The specific number of years eludes me atm.

    If you think some E-mails people send are incriminating, imagine what IM's traded around an office would expose.

    It's much easier to stop the people from using IM services than to try to capture/record/log/preserve it all. At least for financial institutions which theoretically could face billion dollar lawsuits.

  15. Kill them all. by trouser · · Score: 4, Funny

    Or not. On second thoughts perhaps not a good idea. Still, it's your call.

    --
    Now wash your hands.
  16. How to stop MSN Messenger? You kidding? by Feztaa · · Score: 3, Insightful

    Install Linux, MSN Messenger will go away rather quickly :)

    I think it would be easier to lock down a linux box to prevent installations of gaim, Gabber, etc than it would be to putz around with your firewalls trying to kill MSN Messenger.

    1. Re:How to stop MSN Messenger? You kidding? by spongman · · Score: 2, Insightful

      yeah, and while you're waiting for the install to complete you can port that $2M suite of custom/in-house trading software you just finished paying for.

    2. Re:How to stop MSN Messenger? You kidding? by Loosewire · · Score: 2, Informative

      err , gAIM, AMSN, Kopete
      I'm using MSN from linux right now on this machine :-D

      --
      Slashdot - The one stop shop for procrastination
  17. If you allow www by gl4ss · · Score: 2, Insightful

    If you allow www, you can't stop all chats. You can pretend, but you can't do it. Heck, email can be used for such as well. How about making internet access a privilege that only those have that need. Though IM can be used to boost productivity too.

    --
    world was created 5 seconds before this post as it is.
  18. Brrrr technological fix.... by Chilles · · Score: 2

    I thought financial people were supposed to be more socially able than technological people. Don't your managers understand the concept of "talking to people about things they should and should not do during work hours?"
    I know it's not generally accepted in most larger companies, but I always question bad and lazy management decisions like this one. Management is usually paid generously enough to compensate for the occasional difficult talk with a bothersome employee. Besides, talking has a lot less negative (or even positive, depending on the person doing the talking) effect on the work atmosphere and might alleviate a general feeling of "us against the managers" in employees.

  19. Block one, block them all? by __aafkqj3628 · · Score: 2, Informative

    You may be able to block the win32 client, but that does not stop employees from using services like http://www.wbmsn.com/ (MSN) or http://go.icq.com/ (ICQ) for their IM needs.

    Alternatively, a mass block of Microsoft's IP address range(s) should help stop people being able to connect (and you'll also kill hotmail, passport and a lot of other of their useless services with the same stone).

  20. Install Messenger mandatory and lock it down by wimbor · · Score: 5, Informative
    I did the exact opposite at our company.

    I used group policy software distribution to force the install of Windows Messenger on all computers. Windows Messenger is a slightly different version than MSN Messenger but it can also connect to the IM system of Exchange. We use that in house as our instant messaging system.

    When once installed you can use Group Policies to lock the Windows messenger down. With registry keys embedded in the policies you can disable file transfer, video chat and even outside communications (to the internet, not intranet) of the client.

    We disabled file transfer to avoid viruses slipping in via this way.

    If I am correct you can even set Windows messenger to have priority on MSN messenger, thus disabling the MSN version. In this way you should have full control over the IM system. Check the knowledge base and technet for the necessary info. If necessary, contact me.

  21. Very easy by duffbeer703 · · Score: 4, Interesting

    Disable via the registry with login scripts

    http://www.winguides.com/registry/display.php/981/

    Or group policy

    http://www.subvers.com/technobabble/html/tweaks/Group%20Policy%20Registry%20Editor.htm

    If you have wildcat machines that people just setup on their own, you have a larger problem.

    --
    Conformity is the jailer of freedom and enemy of growth. -JFK
  22. Higher Management? by vasqzr · · Score: 2, Insightful


    I did this with my old company. They had a very strict firewall policy, and to get a port open, you had to get through higher management.


    Geez. Try baking the sysadmin some cookies, give him a case of Guinness/Bawlz, or take the poor guy to lunch.

  23. linux/ipchains by ohchaos · · Score: 2, Informative

    I block MSMessenger without any problems with the following rules:

    ipchains -A input -p TCP -b --sport 1863 -j DENY
    ipchains -A input -b -d 64.4.13.0/24 -j DENY

    Now the extremely persistent Yahoo IM is something I still haven't nailed down yet.....
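
To check what the two rules in the post above actually cover, this added example (not part of the original comment) replays constructed connection records against the same match logic. The log format, the rule labels and all sample addresses are assumptions; only port 1863 and 64.4.13.0/24 come from the post.

```python
import ipaddress

# Values taken from the two ipchains rules in the post.
MSN_PORT = 1863
MSN_NET = ipaddress.ip_network("64.4.13.0/24")

# Constructed sample flows (hypothetical format: proto src:sport -> dst:dport).
SAMPLE_FLOWS = """\
tcp 10.0.0.21:3201 -> 192.0.2.50:1863
tcp 192.0.2.50:1863 -> 10.0.0.21:3201
tcp 10.0.0.22:3310 -> 64.4.13.10:80
udp 10.0.0.23:1045 -> 64.4.13.20:53
tcp 10.0.0.24:3420 -> 192.0.2.80:80
udp 10.0.0.25:1863 -> 192.0.2.50:5000
"""

def parse_flow(line):
    """Split one record into (proto, src, sport, dst, dport)."""
    proto, left, _, right = line.split()
    src, sport = left.rsplit(":", 1)
    dst, dport = right.rsplit(":", 1)
    return (proto.lower(), ipaddress.ip_address(src), int(sport),
            ipaddress.ip_address(dst), int(dport))

def rule_hit(proto, src, sport, dst, dport):
    """Return a label for the rule that would DENY the packet, or None.

    -b makes each rule match in both directions, so the port and the
    network are tested on the source and the destination side.
    """
    if proto == "tcp" and MSN_PORT in (sport, dport):   # -p TCP -b --sport 1863
        return "port-1863"
    if src in MSN_NET or dst in MSN_NET:                # -b -d 64.4.13.0/24
        return "net-64.4.13.0/24"
    return None

def evaluate(text):
    """Pair every non-empty record with the rule that matches it."""
    return [(line, rule_hit(*parse_flow(line)))
            for line in text.splitlines() if line.strip()]

def uncovered(text):
    """Records that neither rule matches and that therefore pass."""
    return [line for line, hit in evaluate(text) if hit is None]

if __name__ == "__main__":
    for line, hit in evaluate(SAMPLE_FLOWS):
        print(f"{'DENY  ' + hit if hit else 'PASS':<24} {line}")
```

The two records left uncovered are a port 80 connection to a host outside the /24 and a UDP flow on port 1863, which is why the question's point about port 80 and many logon servers still matters with these rules in place.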

  24. Why? Because it's against the rules, and law. by nurb432 · · Score: 2, Informative

    In this case being a finance institution, they have to log all conversations or possibly face fines.

    In 99% of normal businesses, it's NOT needed to have outside IM access, period. If you need IM communication between your employees, great, then you use a secure internal IM setup, with no outside server access. For people outside the firewall like sales guys, they VPN back in.

    It's not in best business interest to let you talk to your wife, or friend down the street about where to go for lunch. Regardless of what you might think.

    Phones the same, many don't get outside line access. It's ONLY internal calls that they can make, unless they have a business case to get 'out'.

    --
    ---- Booth was a patriot ----
  25. Re:Walla? by tsvk · · Score: 2, Funny

    LOL, that reminded me of this gem from Dilbert newsletter #43:

    True Tales of Induhviduals
    Here are some true tales of Induhviduals as reported by DNRC members.
    One of my teammates was giving a presentation to our department about an exciting development. He clicked to bring up the next slide and announced with great enthusiasm, "and walla, there it is!!" On the slide in huge letters was the word "Walla." The audience was stunned at first, not knowing if it was supposed to be a joke on the spelling of the word "voila" or not. Then he turned to a member of our department who was from France and said, "You know, walla! Walla!!"
    Coincidentally, earlier that week he had mentioned to our team that he wanted to go into management.
  26. Re:Group policies are not the solution by 0x0d0a · · Score: 2, Insightful

    I like sysadmins that run Windows shops and think that since they are the only ones that know what they set the Administrator password to, their machines can't be modified. They're funny.

    Anyone who thinks I'm going to work on Windows without cygwin, JSPager, xemacs, etc, has another think coming. Sysadmins are *support* personnel. They're there to facilitate work getting done. They aren't supervisors of said personnel, and controlling behavior is certainly not in their bailiwick unless expressly handed down by management.

    That said, I've had grand old times with IT folks who don't feel the need to try to be assholes.

    Finally, I don't use any form of instant messaging at work, because I find email and phone to be more convenient. But I *have* done software development before with another person on the other end of an ICQ connection, and if that's the most convenient way to do work, IT should definitely not be trying to be a pain in the ass about it.

  27. Re:Group policies are not the solution by metacosm · · Score: 4, Insightful

    Ding Ding Ding! Correct, IT is there to HELP. Same exact thing goes with contractors, they are there to help the full time employees. As a contractor in IT departments, I can tell you that companies, contractors and IT departments are often very broken in how they try to get stuff done.

    NOT EVERYTHING IS A TECHNICAL ISSUE. Policy is as important as technology. Lazy management makes management problems (lack of control and accountability) into technical problems because they are too weak to deal with the issues on their own and want IT to do it for them.

    Also, FlashDesktops is far better than JSPager :).