Blocking MSN Messenger?

Tekno2k3 asks: "As a sysadmin for a financial company, I have been tasked with removing Instant Messaging from our network. The only service that is being difficult is MSN Messenger. It uses many methods to get around being blocked. These include using port 80, using it's own DNS servers for lookup, using MANY logon servers, and using reverse DNS lookup. Has anyone had any success in blocking Messenger?"

Group policies are the solution

Disable MSN Messenger via group policy.

Re:Group policies are the solution

[MrResistor]

Yes, there are others, but do we really think that the Average Joe IM-Abuser-At-Work will know of these programs?

Yes, within a week of whatever he was using being blocked. It only takes one person to figure it out, and word will spread.

The easy way isn't always popular

[seinman]

Fire everyone who's caught using it. Eventually you'll fire enough people that they'll be afraid to open it. Just like the RIAA suing P2P users... eventually nobody will share because they'll be afraid of lawsuits.

Re:The easy way isn't always popular

[questionlp]

One thing that could be done is to forcibly remove any software installed on the machines (using things like SMS or LANDesk) that shouldn't be on there... including any IM tools that they want to block. Once you remove them, keep a log/audit of which apps are running on which machines on a daily basis and those who continue to install software that is banned should be passed on to management.

With MSN Messenger literally embedded in Windows XP, that may be a bit hard unless if you create a policy that not only hides the program but also restricts access to the application's folder and executables to the domain administrator or equivalent account if you are in an NT4/AD/NDS environment.

Just some thoughts... though I really don't know how useful they are :)

Re:The easy way isn't always popular

[bluephone]

Actually, it IS possible to remove MSN Messenger, and even things like Outlook Express. Two ways actually.

You can just delete it, but make sure you delete it from both the program folder, and %SYSTEMROOT%\system32\dllcache which is where the "protected" copies live.

An easier way is to edit %systemroot%\inf\sysoc.inf

Open is in Notepad and under the Edit > Replace menu, replace all instances of HIDE with nothing, save, reboot. Then you can go to Control Panel > Add/Remove Programs and tell Windows to remove it.

Re:The easy way isn't always popular

[bigsteve@dstc]

You can't go around firing people for petty reasons like instant messaging.

Who are you to say that this would petty? I can think of any number of reasons why instant messaging might be deemed highly inappropriate in a particular workplace. If that is the case, AND management has made this clear to all employees, then somebody who willfully flouts the rules deserves to be sacked.

Re:The easy way isn't always popular

[Zocalo]

Actually, I doubt this is BS in this particular case. The specific case in question is in the financial sector, and it is often a requirement that *all* electronic communication is logged in such places to help prevent insider trading etc. Legitimate or not, if IM provides no logging of conversations then such institutions will need to evict it from their network.

Re:The easy way isn't always popular

[gallen1234]

In a financial services environment this is definitely not petty. If I remember a previous discussion corretly they are required by law to log all IM activity - not an easy proposition. Failure to do so will get them an unpleasant visit form the SEC.

Try this.

[rplacd]

Block port 1863 (tcp) at the router/nat box/whatever.

On your web proxies (if you have them), block HTTP messages with the mime type "application/x-msn-messenger" and turn off HTTP CONNECT support for port 1863.

Turn off SOCKS for port 1863, too.

Re:Try this.

[rplacd]

Oh, also. I've caught people using http redirectors. You run an app on your desktop that acts like a socks or http proxy. It encodes tcp traffic in http headers, sends it out to a site that demangles the packets and forwards them on.

There are a few commercial companies providing this support, and pretty much everyone can set up their own tunnel. While it's not that hard to track down the commercial stuff, I'm not sure how you'd defeat the guy running a proxy redirector on his DSL'd box at home. The latter hasn't been a problem for my workplace...yet.

Re:Try this.

[questionlp]

According to may Gaim accounts.xml file (which stores passwords in clear-text unfortunately), port 1863 should be blocked (just to be safe, both TCP and UDP) and block outbound traffic going to messenger.hotmail.com [207.46.104.20]. Keep an eye on the IP that is resolved for that host name to make sure that it doesn't change in the future :)

Re:Try this.

[Basje]

I did this with my old company. They had a very strict firewall policy, and to get a port open, you had to get through higer management.

Of course, they blocked anything apart from 80, 443 and 25, and checked the type of protocol that went over it. 80 only accepted http. Which was real handy, condidering we were an internet company, and had support contracts we had to fulfil. Not. No SSH, no newsgroups to look for answers, no remote admin tools...

So I took httptunnel, and tunneled ssh over it. My boss was ecstatic. Now we didn't have to use the phone anymore to connect to the internet in earnest. We could actually help out customers!

Moral of this story: when people get as resourceful to tunnel through your firewall, consider that it's time to review your policy: they obviously perceive a need to do so. A 'block anything that goes in and block anything that goes out' policy doesn't really work in many cases, other than frustrating the work.

</rant>

Re:Try this.

[Elwood+P+Dowd]

I've worked in QA where employees have had to open dialup ISP accounts on personal credit cards so that they could actually test the products they were given.

The product would try to go contact our company's webserver for some kind of content, but it wasn't proxy-aware. And they still wouldn't put us out on the internet.

We never had to escalate it, 'cause of some employees taking it into their own hands, but that was incredible. Blew my damn mind.

Packeteer

[gooru]

Have you tried Packeteer? Many educational institutions use it to shape and manage traffic. They also have a help page describing how to control instant messaging including MSN.

packet shaping

[Satai]

Use a packet shaper. The one that comes to mind (proprietary, however) is Packeteer. These filter based on protocol (I think), so usually they can keep out resourceful programs like gnutella, etc.

Brute force

[{8_8}]

This is a very inelegant approach, but I suppose you could block EVERY logon server at the router. There has to be a finite number of logon servers out there, so all you'd have to do is sit down for X amount of time with a MSN client and monitor outgoing traffic from your IP. Block each logon server as it comes up, wait for the client to reconnect, block that server, rinse, repeat.

Also, you could try looking for the location that the MSN client fetches the server list from and block that IP. If the list is stored locally, it'd be even easier to find and block those servers.

Of course, the above approach assumes that the router can handle blocking X amount of IPs. I wouldn't put it past MS to have hundreds or thousands of servers out there.

Re:Simple

[anthony_dipierro]

Won't work for people who have ever connected before. The IP address is cached for future connections.

Tell people not to use it...

[anthony_dipierro]

Then log all access to port 1863.

Re:Simple

[anthony_dipierro]

It won't work in all circumstances. When my DNS goes down, MSN Messenger still works. That's because it saves the last IP address in the registry. Just use regedit and you can confirm this for yourself. Trust me, I've written an MSN Messenger server, I know this shit.

An alternative approach

[skinfitz]

Blcoking 1863 does work, as I use that method myself.

The only problem is that they will move on to the next messenger that works (like Yahoo! etc).

If you wanted to be really insidious and get people to self police themselves, log all messenger messages and put a new section on your companies Intranet user customised page - something like "Hello xxxx, here are your last few messenger messages:

[bIcycleSExfiEND] w00t!
[cute^babe7599] SO BABEE U WANA C MY PIC?
[bIcycleSExfiEND] yeah - send it
[cute^babe7599] http://www.crackparty.com/showpictrojanisemachine? suckerid=bIcycleSExfiEND&referrid=1269
...

Please contact the helpdesk if you would like a complete log.
Have a nice day."

...and below that:
Here are your last few web accesses:

... etc... you get the idea.

Why block MSN?

[flikx]

The real question here is why block MSN? What about people who use instant messaging for legitimate business purposes?? People chat on telephones, and I don't see many offices rushing to ban them. Fire unproductive people, and let the rest of us communicate.

Re:Why block MSN?

[thesnide]

Actually, in some 'sensitive' companies (for example: stock exchange brokers) all communications involving a third party are officially tapped.
It's done in order to prevent some obvious abuses.

Re:Why block MSN?

[leviramsey]

RTFP. He's a sysadmin in the financial business, where IM that's not encrypted and securely logged is basically illegal (per SEC regulations). There are some (non-free) IM solutions that offer that functionality, though.

Re:Why block MSN?

[dotpl]

I totally agree with your point, but I have a similar situation, we have a lot of computers that share the internet connection, and there ain't that much bandwidth (around 40Kbits/sec if you're lucky)

so somtimes I want to block MSN because the connection gets too slow for legitimate use, and I know most of the people in the office are just chatting with friends and getting no real work done, and, eventually, preventing me from doing my work, which requires being 90% of the time online.

Re:Why block MSN?

[fatrat]

> I can't wait until my generation is in charge.#

and when you get there, you'll find that all the same regulations about being able to record all conversations/encrypt it etc still apply and so you'd still have to block MSN.

Group Policies

[fluor2]

Hey,

you can block stuff like this using Group Policies (GPO's). I think you should start asking at news.microsoft.com at their group policy newsgroups.

If you have windows XP's as a member of your domain, you can easily block it using GPO.

Don't block it, sniff it.

[ColaMan]

Get a MSN sniffer... the (very beta) one I used was called MSN666.

Tell everyone that you're sniffing MSN messenger traffic, and that you can trace it to a person esaily. Wait a day. Post a few innocuous messages between people on the noticeboard to prove it. Add a scrawled note on the bottom of the message saying "and , FatShaft42, you are one SICK Bastard! I'll be passing *your* messages onto HR!!" for maximum effect.

Re:Don't block it, sniff it.

[ColaMan]

I joke about all this stuff , but seriously, I had a person email me a resume for a job we had open from "fatshaft42" at a well known free email provider.

Of course , all the girls in the office wanted to hire him but it did nothing for his professional appeal. Well, if we were an escort agency maybe it would have.....

Kill them all.

[trouser]

Or not. On second thoughts perhaps not a good idea. Still, it's your call.

How to stop MSN Messenger? You kidding?

[Feztaa]

Install Linux, MSN Messenger will go away rather quickly :)

I think it would be easier to lock down a linux box to prevent installations of gaim, Gabber, etc than it would be to putz around with your firewalls trying to kill MSN Messenger.

Installl Messenger mandatory and lock it down

[wimbor]

I did the exact opposite at our company.

I used group policy software distribution to force the install of Windows Messenger on all computers. Windows Messenger is a slightly different version than MSN Messenger but it can also connect to the IM system of Exchange. We use that in house as our instant messaging system.

When once installed you can use Group Policies to lock the Windows messenger down. With registry keys embedded in the policies you can disable file transfer, video chat and even outside communications (to the internet, not intranet) of the client.

We disabled file transfer to avoid viruses slipping in via this way.

If I am correct you can even set Windows messenger to have priority on MSN messenger, thus disabling the MSN version. In this way you should have full control over the IM system. Check the knowledge base and technet for the necessary info. If necessary, contact me.

Re:Simple

[anthony_dipierro]

The firewall blocks all packets to/from messenger.hotmail.com. The XFR packet never gets there.

But if a user has already previously connected to messenger.hotmail.com and received an XFR, the client will cache the IP address given to it by the XFR. Therefore blocking only messenger.hotmail.com (the dispatch server), and not all the possible notification servers, "won't work for people who have ever connected before."

I'm assuming of course direct connections through messenger.hotmail.com. Blocking gateway.messenger.hotmail.com will block access through the HTTP proxy (at least until the IP address changes).

Very easy

[duffbeer703]

Disable via the registry with login scripts

http://www.winguides.com/registry/display.php/98 1/

Or group policy

http://www.subvers.com/technobabble/html/tweaks/ Gr oup%20Policy%20Registry%20Editor.htm

If you have wildcat machines that people just setup on their own, you have a larger problem.

Re:Group policies are not the solution

[metacosm]

Ding Ding Ding! Correct, IT is there to HELP. Same exact thing goes with contractors, they are there to help the full time employees. As a contractor in IT departments, I can tell you that companies, contractors and IT departments are often very broken in how they try to get stuff done.

NOT EVERYTHING IS A TECHNICAL ISSUE. Policy is as important as technology. Lazy management makes management problems (lack of control and accountability) into technical problems because they are too weak to deal with the issues on their own and want IT to do it for them.

Also, FlashDesktops is far better than JSPager :).