Slashdot Mirror


Blocking MSN Messenger?

Tekno2k3 asks: "As a sysadmin for a financial company, I have been tasked with removing Instant Messaging from our network. The only service that is being difficult is MSN Messenger. It uses many methods to get around being blocked. These include using port 80, using its own DNS servers for lookup, using MANY logon servers, and using reverse DNS lookup. Has anyone had any success in blocking Messenger?"

20 of 236 comments

  1. Group policies are the solution by Anonymous Coward · · Score: 5, Informative

    Disable MSN Messenger via group policy.

    1. Re:Group policies are the solution by MrResistor · · Score: 4, Insightful

      Yes, there are others, but do we really think that the Average Joe IM-Abuser-At-Work will know of these programs?

      Yes, within a week of whatever he was using being blocked. It only takes one person to figure it out, and word will spread.

      --
      Under capitalism man exploits man. Under communism it's the other way around.
  2. The easy way isn't always popular by seinman · · Score: 5, Funny

    Fire everyone who's caught using it. Eventually you'll fire enough people that they'll be afraid to open it. Just like the RIAA suing P2P users... eventually nobody will share because they'll be afraid of lawsuits.

    1. Re:The easy way isn't always popular by bluephone · · Score: 5, Informative
      Actually, it IS possible to remove MSN Messenger, and even things like Outlook Express. Two ways actually.

      You can just delete it, but make sure you delete it from both the program folder, and %SYSTEMROOT%\system32\dllcache which is where the "protected" copies live.

      An easier way is to edit %systemroot%\inf\sysoc.inf

      Open it in Notepad and under the Edit > Replace menu, replace all instances of HIDE with nothing, save, reboot. Then you can go to Control Panel > Add/Remove Programs and tell Windows to remove it.

      --
      jX [ Make everything as simple as possible, but no simpler. - Einstein ]
    2. Re:The easy way isn't always popular by bigsteve@dstc · · Score: 4, Insightful
      You can't go around firing people for petty reasons like instant messaging.
      Who are you to say that this would be petty? I can think of any number of reasons why instant messaging might be deemed highly inappropriate in a particular workplace. If that is the case, AND management has made this clear to all employees, then somebody who willfully flouts the rules deserves to be sacked.
    3. Re:The easy way isn't always popular by Zocalo · · Score: 4, Informative

      Actually, I doubt this is BS in this particular case. The specific case in question is in the financial sector, and it is often a requirement that *all* electronic communication is logged in such places to help prevent insider trading etc. Legitimate or not, if IM provides no logging of conversations then such institutions will need to evict it from their network.

      --
      UNIX? They're not even circumcised! Savages!
    4. Re:The easy way isn't always popular by gallen1234 · · Score: 4, Informative

      In a financial services environment this is definitely not petty. If I remember a previous discussion correctly they are required by law to log all IM activity - not an easy proposition. Failure to do so will get them an unpleasant visit from the SEC.

  3. Try this. by rplacd · · Score: 5, Informative

    Block port 1863 (tcp) at the router/nat box/whatever.

    On your web proxies (if you have them), block HTTP messages with the mime type "application/x-msn-messenger" and turn off HTTP CONNECT support for port 1863.

    Turn off SOCKS for port 1863, too.

    1. Re:Try this. by questionlp · · Score: 5, Informative

      According to my Gaim accounts.xml file (which stores passwords in clear-text unfortunately), port 1863 should be blocked (just to be safe, both TCP and UDP) and block outbound traffic going to messenger.hotmail.com [207.46.104.20]. Keep an eye on the IP that is resolved for that host name to make sure that it doesn't change in the future :)

    2. Re:Try this. by Basje · · Score: 4, Informative

      I did this with my old company. They had a very strict firewall policy, and to get a port open, you had to get through higher management.

      Of course, they blocked anything apart from 80, 443 and 25, and checked the type of protocol that went over it. 80 only accepted http. Which was real handy, considering we were an internet company, and had support contracts we had to fulfil. Not. No SSH, no newsgroups to look for answers, no remote admin tools...

      So I took httptunnel, and tunneled ssh over it. My boss was ecstatic. Now we didn't have to use the phone anymore to connect to the internet in earnest. We could actually help out customers!

      Moral of this story: when people get as resourceful to tunnel through your firewall, consider that it's time to review your policy: they obviously perceive a need to do so. A 'block anything that goes in and block anything that goes out' policy doesn't really work in many cases, other than frustrating the work.

      </rant>

      --
      the pun is mightier than the sword
  4. Packeteer by gooru · · Score: 5, Informative

    Have you tried Packeteer? Many educational institutions use it to shape and manage traffic. They also have a help page describing how to control instant messaging including MSN.

  5. Tell people not to use it... by anthony_dipierro · · Score: 5, Interesting

    Then log all access to port 1863.
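An added example, not part of any comment in this thread: the indicators named in the "Try this." comments (port 1863, the `application/x-msn-messenger` MIME type, the `messenger.hotmail.com` host) applied to proxy logs, in the spirit of the logging suggestion above. It assumes Squid's native access.log field order; the sample lines, addresses and `example` hosts are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit

MSN_PORT = 1863
MSN_MIME = "application/x-msn-messenger"
MSN_HOSTS = {"messenger.hotmail.com"}  # host named in the thread; extend as needed

# Constructed sample lines, assumed to follow Squid's native access.log layout:
# time elapsed client result/status bytes method url ident hierarchy/peer mime
SAMPLE_LOG = """\
1060000001.101 120 10.0.0.11 TCP_MISS/200 512 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
1060000002.202 950 10.0.0.12 TCP_MISS/200 2048 CONNECT messenger.hotmail.com:1863 - DIRECT/192.0.2.20 -
1060000003.303 300 10.0.0.13 TCP_MISS/200 830 POST http://im-gw.example.net/post - DIRECT/192.0.2.30 application/x-msn-messenger
1060000004.404 80 10.0.0.12 TCP_DENIED/403 0 CONNECT 192.0.2.40:1863 - NONE/- -
1060000005.505 60 10.0.0.14 TCP_MISS/200 900 CONNECT mail.example.com:443 - DIRECT/192.0.2.50 -
"""

def target(method, url):
    """Return (host, port) for a CONNECT authority or an absolute URL."""
    parts = urlsplit("//" + url if method == "CONNECT" else url)
    try:
        port = parts.port
    except ValueError:  # malformed or out-of-range port in the log line
        port = None
    return (parts.hostname or "").lower(), port or (443 if parts.scheme == "https" else 80)

def classify(line):
    """Return (client, [reasons]) if the line matches an MSN indicator, else None."""
    f = line.split()
    if len(f) < 10:
        return None  # not a complete access.log record
    client, method, url, mime = f[2], f[5], f[6], f[9].lower()
    host, port = target(method, url)
    checks = [
        ("port-1863", port == MSN_PORT),
        ("msn-mime", mime.split(";")[0] == MSN_MIME),
        ("msn-host", host in MSN_HOSTS),
    ]
    reasons = [name for name, hit in checks if hit]
    return (client, reasons) if reasons else None

def report(log_text):
    """Map each client address to the sorted set of indicators it triggered."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            hits[result[0]].update(result[1])
    return {client: sorted(reasons) for client, reasons in hits.items()}
```

Denied requests are reported too, so a client that keeps retrying after the block goes in still shows up.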

  6. Re:Simple by anthony_dipierro · · Score: 4, Interesting

    It won't work in all circumstances. When my DNS goes down, MSN Messenger still works. That's because it saves the last IP address in the registry. Just use regedit and you can confirm this for yourself. Trust me, I've written an MSN Messenger server, I know this shit.

  7. An alternative approach by skinfitz · · Score: 4, Funny

    Blocking 1863 does work, as I use that method myself.

    The only problem is that they will move on to the next messenger that works (like Yahoo! etc).

    If you wanted to be really insidious and get people to self police themselves, log all messenger messages and put a new section on your company's Intranet user customised page - something like "Hello xxxx, here are your last few messenger messages:

    [bIcycleSExfiEND] w00t!
    [cute^babe7599] SO BABEE U WANA C MY PIC?
    [bIcycleSExfiEND] yeah - send it
    [cute^babe7599] http://www.crackparty.com/showpictrojanisemachine?suckerid=bIcycleSExfiEND&referrid=1269
    ...

    Please contact the helpdesk if you would like a complete log.
    Have a nice day."

    ...and below that:
    Here are your last few web accesses:

    ... etc... you get the idea.

  8. Re:Why block MSN? by leviramsey · · Score: 5, Informative

    RTFP. He's a sysadmin in the financial business, where IM that's not encrypted and securely logged is basically illegal (per SEC regulations). There are some (non-free) IM solutions that offer that functionality, though.

  9. Don't block it, sniff it. by ColaMan · · Score: 4, Funny

    Get a MSN sniffer... the (very beta) one I used was called MSN666.

    Tell everyone that you're sniffing MSN messenger traffic, and that you can trace it to a person easily. Wait a day. Post a few innocuous messages between people on the noticeboard to prove it. Add a scrawled note on the bottom of the message saying "and , FatShaft42, you are one SICK Bastard! I'll be passing *your* messages onto HR!!" for maximum effect.

    --

    You are in a twisty maze of processor lines, all alike.
    There is a lot of hype here.
  10. Kill them all. by trouser · · Score: 4, Funny

    Or not. On second thoughts perhaps not a good idea. Still, it's your call.

    --
    Now wash your hands.
  11. Install Messenger mandatory and lock it down by wimbor · · Score: 5, Informative
    I did the exact opposite at our company.

    I used group policy software distribution to force the install of Windows Messenger on all computers. Windows Messenger is a slightly different version than MSN Messenger but it can also connect to the IM system of Exchange. We use that in house as our instant messaging system.

    When once installed you can use Group Policies to lock the Windows messenger down. With registry keys embedded in the policies you can disable file transfer, video chat and even outside communications (to the internet, not intranet) of the client.

    We disabled file transfer to avoid viruses slipping in via this way.

    If I am correct you can even set Windows messenger to have priority on MSN messenger, thus disabling the MSN version. In this way you should have full control over the IM system. Check the knowledge base and technet for the necessary info. If necessary, contact me.

  12. Very easy by duffbeer703 · · Score: 4, Interesting

    Disable via the registry with login scripts

    http://www.winguides.com/registry/display.php/981/

    Or group policy

    http://www.subvers.com/technobabble/html/tweaks/Group%20Policy%20Registry%20Editor.htm

    If you have wildcat machines that people just set up on their own, you have a larger problem.

    --
    Conformity is the jailer of freedom and enemy of growth. -JFK
  13. Re:Group policies are not the solution by metacosm · · Score: 4, Insightful

    Ding Ding Ding! Correct, IT is there to HELP. Same exact thing goes with contractors, they are there to help the full time employees. As a contractor in IT departments, I can tell you that companies, contractors and IT departments are often very broken in how they try to get stuff done.

    NOT EVERYTHING IS A TECHNICAL ISSUE. Policy is as important as technology. Lazy management makes management problems (lack of control and accountability) into technical problems because they are too weak to deal with the issues on their own and want IT to do it for them.

    Also, FlashDesktops is far better than JSPager :).