Follow Slashdot stories on Twitter

 


Forgot your password?
Close
typodupeerror
×
Microsoft

Blocking MSN Messenger? 236

Posted by Cliff from the making-IMs-not-so-instant dept.
Tekno2k3 asks: "As a sysadmin for a financial company, I have been tasked with removing Instant Messaging from our network. The only service that is being difficult is MSN Messenger. It uses many methods to get around being blocked. These include using port 80, using it's own DNS servers for lookup, using MANY logon servers, and using reverse DNS lookup. Has anyone had any success in blocking Messenger?"
This discussion has been archived. No new comments can be posted.

Blocking MSN Messenger? More

Blocking MSN Messenger?

Comments Filter:

  • Group policies are the solution (Score:5, Informative)

    by Anonymous Coward on Wednesday July 30, 2003 @01:34AM (#6568151)
    Disable MSN Messenger via group policy.
    • Where I work IM is forbidden, I know for a fact that AIM is blocked (not sure how), and them seem to have figured out how to block the AIM express applet as well. I am not sure about Messenger, since I don't use that on general principle. However the one glaring omission by our network was Jabber. I could get to ICQ/AIM and probably Messenger using Jabber.
      • Instead of going the technical approach, have you ever considered proposing the idea of docking pay, and/or firing? Most people need their jobs more than they need instant messaging. Also, why are you letting your users install programs on the company's computers? Do you have everyone run as admin?
        • Well if I'm not mistaken MSN Messenger is a "feature" of XP and seems to be pretty well ingrained much like IE. If he's not using WinXP then you're right...
          • XP Pro has a number of things I don't think have a place in corporate environments. Such as MSN Explorer, Messenger (the non-exchange one at least), Windows Movie Maker, Media Player, games. You would think that in the Pro version at least you could remove these things. I have been unsuccessful at ridding my work box of anything but Messenger.
        • I like sysadmins that run Windows shops and think that since they are the only ones that know what they set the Administrator password to, their machines can't be modified. They're funny.

          Anyone who thinks I'm going to work on Windows without cygwin, JSPager, xemacs, etc, has another think coming. Sysadmins are *support* personnel. They're there to facilitate work getting done. They aren't supervisors of said personnel, and controlling behavior is certainly not in their baliwick unless expressly handed

          • Re:Group policies are not the solution (Score:5, Insightful)

            by metacosm ( 45796 ) on Wednesday July 30, 2003 @03:38PM (#6573310)
            Ding Ding Ding! Correct, IT is there to HELP. Same exact thing goes with contractors, they are there to help the full time employees. As a contractor in IT departments, I can tell you that companies, contractors and IT departments are often very broken in how they try to get stuff done.

            NOT EVERYTHING IS A TECHNICAL ISSUE. Policy is as important as technology. Lazy management makes management problems (lack of control and accountability) into technical problems because they are too weak to deal with the issues on their own and want IT to do it for them.

            Also, FlashDesktops is far better than JSPager :).

  • The easy way isn't always popular (Score:5, Funny)

    by seinman ( 463076 ) on Wednesday July 30, 2003 @01:35AM (#6568159) Homepage Journal
    Fire everyone who's caught using it. Eventually you'll fire enough people that they'll be afraid to open it. Just like the RIAA suing P2P users... eventually nobody will share because they'll be afraid of lawsuits.
    • One thing that could be done is to forcibly remove any software installed on the machines (using things like SMS or LANDesk) that shouldn't be on there... including any IM tools that they want to block. Once you remove them, keep a log/audit of which apps are running on which machines on a daily basis and those who continue to install software that is banned should be passed on to management.

      With MSN Messenger literally embedded in Windows XP, that may be a bit hard unless if you create a policy that not o
      • Actually, it IS possible to remove MSN Messenger, and even things like Outlook Express. Two ways actually.

        You can just delete it, but make sure you delete it from both the program folder, and %SYSTEMROOT%\system32\dllcache which is where the "protected" copies live.

        An easier way is to edit %systemroot%\inf\sysoc.inf

        Open is in Notepad and under the Edit > Replace menu, replace all instances of HIDE with nothing, save, reboot. Then you can go to Control Panel > Add/Remove Programs and tell Windows to remove it.

    • Eventually you'll fire enough people that they'll be afraid to open it.
      ... or there won't be anyone left to fire :-).
      • open it!, your living in a deam world! messenger is buried in WindowsXP so deep its like trying to kill a hydra by beheadment. Every time I think it gone, or at least shut up, the next "updates" puts it back in or turns it on. I get more IM spam thru messenger, than thru Email so there is nothing you have to open. Guess I'm spoiled by using Linux.
    • Are you fucking serious? Really. Have you ever had a job before? You can't go around firing people for petty reasons like instant messaging. Before you know it you have people striking and everyone hates you.

      • Re:The easy way isn't always popular (Score:5, Insightful)

        by bigsteve@dstc ( 140392 ) on Wednesday July 30, 2003 @02:52AM (#6568543)
        You can't go around firing people for petty reasons like instant messaging.
        Who are you to say that this would petty? I can think of any number of reasons why instant messaging might be deemed highly inappropriate in a particular workplace. If that is the case, AND management has made this clear to all employees, then somebody who willfully flouts the rules deserves to be sacked.
        • I call BS. Instant messaging is a useful tool that has many legitimate applications in the workplace, and in any case should be acceptable to use during breaks just like a cell phone, etc. Banning IM programs just means they don't trust the employees, and it's analogous to a high school where students aren't allowed to leave the building during lunch break. That's petty.

          • Re:The easy way isn't always popular (Score:5, Informative)

            by Zocalo ( 252965 ) on Wednesday July 30, 2003 @04:21AM (#6568863) Homepage
            Actually, I doubt this is BS in this particular case. The specific case in question is in the financial sector, and it is often a requirement that *all* electronic communication is logged in such places to help prevent insider trading etc. Legitimate or not, if IM provides no logging of conversations then such institutions will need to evict it from their network.
          • Yes. Some employers don't trust their employees. And in some cases, the distrust is entirely justified. (In the same way, some high-school students are not worthy of trust. BTW, when I went to high school, we weren't allowed to leave the school grounds at lunch time. Those of us who had at least half a brain were capable of understanding why ... and it was nothing to do with pettiness.)

            Banning instant messaging might be counter productive if the aim is to increase the amount of work done. (It is bad

          • In a perfect world, it would be nice to allow people to use IM for personal use on their breaks. Unfortunately this is not a perfect world. People have a tendancy to abuse the privledges they are given. People will use the IM anytime they feel the urge to communcate with someone else. This has a tendancy to turn 15 minute breaks into 30 minute breaks and 1/2 hour lunches into 2 hour lunches.

            The part of IM that I really hate is that most IM clients will allow the user to download files. I can not tel
          • Case in point:

            I work for a large state university.

            There are very strict laws regarding the use and storage of any student information. A student's personal data (SSN, Address, on campus phone #) must be kept private at all costs.

            When word got out that some departments were using AIM to send student information between employees, a lot of people got very nervous.

            To fix this situation, we set up an internal SSL'd Jabber Server. Even though the rules are clear, some people still try to use AIM.

            In this s
        • management has made this clear to all employees, then somebody who willfully flouts the rules deserves to be sacked.

          Is thinking prohibitied on the job, too?
          • Is thinking prohibitied on the job, too?

            No, but hanging your butt out of an office window probably is!!

            The point is that management has the right to set rules about what is not acceptable behaviour. Within limits of fairness, due process, etc, they are entitled to take action against people who break the rules ... including dismisal. The fact that an employee might think the rules are petty is not relevant.

          • The real point is that SEC says we HAVE to block it or log it via a server (not the logging that users initiate) or we get shut down.

      • Re:The easy way isn't always popular (Score:5, Informative)

        by gallen1234 ( 565989 ) <gallen@@@whitecraneeducation...com> on Wednesday July 30, 2003 @07:36AM (#6569378)
        In a financial services environment this is definitely not petty. If I remember a previous discussion corretly they are required by law to log all IM activity - not an easy proposition. Failure to do so will get them an unpleasant visit form the SEC.
      • Before you know it you have people striking and everyone hates you.
        For the life of me, I can't remember white collar workers ever striking. They usually just file a wrong termination suit or somesuch. I might be wrong, tho, I admit I haven't lived much.

        As for hatred, meh... Managers will almost always be hated/mistrusted by the managed.
      • "Are you fucking serious? Really. Have you ever had a job before? You can't go around firing people for petty reasons like instant messaging"

        Instant messaging could be considered to be inappropriate use of company resources. That's pretty serious. It's also a security vulnerability because someone could send you a trojan. Violating the company's security policies is pretty serious too. Aren't there rules about the logging of business communications? Could the company get in trouble with the SEC if th

    • And just like China, how they imprison people that speak badly about the government, or leak information, such as a virus outreak. :)

  • Try this. (Score:5, Informative)

    by rplacd ( 123904 ) on Wednesday July 30, 2003 @01:39AM (#6568189) Homepage
    Block port 1863 (tcp) at the router/nat box/whatever.

    On your web proxies (if you have them), block HTTP messages with the mime type "application/x-msn-messenger" and turn off HTTP CONNECT support for port 1863.

    Turn off SOCKS for port 1863, too.

    • Re:Try this. (Score:4, Interesting)

      by rplacd ( 123904 ) on Wednesday July 30, 2003 @01:44AM (#6568224) Homepage
      Oh, also. I've caught people using http redirectors. You run an app on your desktop that acts like a socks or http proxy. It encodes tcp traffic in http headers, sends it out to a site that demangles the packets and forwards them on.

      There are a few commercial companies providing this support, and pretty much everyone can set up their own tunnel. While it's not that hard to track down the commercial stuff, I'm not sure how you'd defeat the guy running a proxy redirector on his DSL'd box at home. The latter hasn't been a problem for my workplace...yet.

      • Re:Try this. (Score:5, Informative)

        by Basje ( 26968 ) <bas@bloemsaat.org> on Wednesday July 30, 2003 @02:58AM (#6568572) Homepage
        I did this with my old company. They had a very strict firewall policy, and to get a port open, you had to get through higer management.

        Of course, they blocked anything apart from 80, 443 and 25, and checked the type of protocol that went over it. 80 only accepted http. Which was real handy, condidering we were an internet company, and had support contracts we had to fulfil. Not. No SSH, no newsgroups to look for answers, no remote admin tools...

        So I took httptunnel, and tunneled ssh over it. My boss was ecstatic. Now we didn't have to use the phone anymore to connect to the internet in earnest. We could actually help out customers!

        Moral of this story: when people get as resourceful to tunnel through your firewall, consider that it's time to review your policy: they obviously perceive a need to do so. A 'block anything that goes in and block anything that goes out' policy doesn't really work in many cases, other than frustrating the work.

        </rant>

        • Re:Try this. (Score:4, Interesting)

          by Elwood P Dowd ( 16933 ) <judgmentalist@gmail.com> on Wednesday July 30, 2003 @04:36AM (#6568915) Journal
          I've worked in QA where employees have had to open dialup ISP accounts on personal credit cards so that they could actually test the products they were given.

          The product would try to go contact our company's webserver for some kind of content, but it wasn't proxy-aware. And they still wouldn't put us out on the internet.

          We never had to escalate it, 'cause of some employees taking it into their own hands, but that was incredible. Blew my damn mind.
        • Just throwing this out there, but you might be able to get ssh-over-icmp or some other type of tcp-over-icmp going. There's a backdoor kit called Portacelo which you could install on a box outside of the network somewhere.

          Because of stuff like this, seems like the best way to control the problem is to control what software gets installed on the machines in your office, and don't let users install software. I know that's pretty hard, and makes extra work for the admins.

        • Higher Management? (Score:2, Insightful)

          by vasqzr ( 619165 )

          I did this with my old company. They had a very strict firewall policy, and to get a port open, you had to get through higer management.

          Geez. Try baking the sysadmin some cookies, give him a case of Guiness/Bawlz, or take the poor guy to lunch.

      • Man, where do you work? My users--if the app isn't in the dock, it may as well not exist. But yours are installing their own http redirectors?

    • Re:Try this. (Score:5, Informative)

      by questionlp ( 58365 ) on Wednesday July 30, 2003 @01:46AM (#6568237) Homepage
      According to may Gaim accounts.xml file (which stores passwords in clear-text unfortunately), port 1863 should be blocked (just to be safe, both TCP and UDP) and block outbound traffic going to messenger.hotmail.com [207.46.104.20]. Keep an eye on the IP that is resolved for that host name to make sure that it doesn't change in the future :)

  • Packeteer (Score:5, Informative)

    by gooru ( 592512 ) on Wednesday July 30, 2003 @01:43AM (#6568214)
    Have you tried Packeteer? Many educational institutions use it to shape and manage traffic. They also have a help page [packeteer.com] describing how to control instant messaging including MSN.

  • packet shaping (Score:4, Interesting)

    by Satai ( 111172 ) * on Wednesday July 30, 2003 @01:44AM (#6568218)
    Use a packet shaper. The one that comes to mind (proprietary, however) is Packeteer. These filter based on protocol (I think), so usually they can keep out resourceful programs like gnutella, etc.

  • Simple (Score:3, Informative)

    by Kizzle ( 555439 ) on Wednesday July 30, 2003 @02:00AM (#6568317)
    Everyone is getting all technical about this but it's very easy. Just block messenger.hotmail.com. Walla msn messenger stops working. It connects to this central server to find out what server to use.

    • Re:Simple (Score:4, Informative)

      by anthony_dipierro ( 543308 ) on Wednesday July 30, 2003 @02:04AM (#6568344) Journal
      Won't work for people who have ever connected before. The IP address is cached for future connections.
      • I tried my method before I posted. It works.

        • Re:Simple (Score:5, Interesting)

          by anthony_dipierro ( 543308 ) on Wednesday July 30, 2003 @02:21AM (#6568429) Journal
          It won't work in all circumstances. When my DNS goes down, MSN Messenger still works. That's because it saves the last IP address in the registry. Just use regedit and you can confirm this for yourself. Trust me, I've written an MSN Messenger server, I know this shit.
          • I'm not sure if you're trolling or just lacking in knowledge, but if all connections to messenger.msn.com are blocked by the firewall (ie all packets to messenger.msn.com are blocked) then DNS doesn't make a blind bit of difference.
            • Go read the messenger protocol and find out what the XFR command does then get back to me.
              • From http://www.hypothetic.org/docs/msn/notification/a u thentication.php [hypothetic.org]:

                messenger.hotmail.com always sends XFR, but gateway.messenger.hotmail.com never does. Microsoft's other notification servers very rarely send XFR - presumably, they send it when they are overloaded or going down for maintainence.

                The firewall blocks all packets to/from messenger.hotmail.com. The XFR packet never gets there.

                • Re:Simple (Score:4, Informative)

                  by anthony_dipierro ( 543308 ) on Wednesday July 30, 2003 @08:28AM (#6569605) Journal

                  The firewall blocks all packets to/from messenger.hotmail.com. The XFR packet never gets there.

                  But if a user has already previously connected to messenger.hotmail.com and received an XFR, the client will cache the IP address given to it by the XFR. Therefore blocking only messenger.hotmail.com (the dispatch server), and not all the possible notification servers, "won't work for people who have ever connected before."

                  I'm assuming of course direct connections through messenger.hotmail.com. Blocking gateway.messenger.hotmail.com will block access through the HTTP proxy (at least until the IP address changes).

      • I've never had to block Messenger before (translated: I'm talking out of my ass. My CCNA-certified ass), but what about a script that queries DNS for messenger.hotmail.com, then blocks the IP address returned? That way, you've got all your bases covered: if the IP is cached, it goes to a blocked address; if that fails or the IP isn't cached, it looks up a name that, according to the nameserver, doesn't exist.

        The only problem then would be some sort of VPN tunnel across the firewall to an open box. Still,

        • Re:Simple (Score:3, Interesting)

          by anthony_dipierro ( 543308 )

          what about a script that queries DNS for messenger.hotmail.com, then blocks the IP address returned?

          Won't work. Messenger.hotmail.com is only contacted the first time you connect. After that you are redirected to a new IP address which is based on your username. That's how Microsoft load balances the connections.

      • I assume blocking that site to include its IP range, too.
    • Walla? What do you mean "walla?"

      Do you, perchance, mean "voila," the French word? Yes, I know it should have accents on it but I'll be damned if I can figure out how to type them.

      Walla indeed!

      • Re:Walla? (Score:3, Funny)

        by tsvk ( 624784 )

        LOL, that reminded me of this gem from Dilbert newsletter #43 [dilbert.com]:

        True Tales of Induhviduals

        Here are some true tales of Induhviduals as reported by DNRC members.

        One of my teammates was giving a presentation to our department about an exciting development. He clicked to bring up the next slide and announced with great enthusiasm, "and walla, there it is!!" On the slide in huge letters was the word "Walla." The audience was stunned at first, not knowing if it was suppose to be a joke on the spelling

  • Brute force (Score:3, Interesting)

    by {8_8} ( 31689 ) on Wednesday July 30, 2003 @02:03AM (#6568333) Journal
    This is a very inelegant approach, but I suppose you could block EVERY logon server at the router. There has to be a finite number of logon servers out there, so all you'd have to do is sit down for X amount of time with a MSN client and monitor outgoing traffic from your IP. Block each logon server as it comes up, wait for the client to reconnect, block that server, rinse, repeat.

    Also, you could try looking for the location that the MSN client fetches the server list from and block that IP. If the list is stored locally, it'd be even easier to find and block those servers.

    Of course, the above approach assumes that the router can handle blocking X amount of IPs. I wouldn't put it past MS to have hundreds or thousands of servers out there.

  • Tell people not to use it... (Score:5, Interesting)

    by anthony_dipierro ( 543308 ) on Wednesday July 30, 2003 @02:06AM (#6568357) Journal
    Then log all access to port 1863.
  • In addition to blocking MSN on the network, why not kill the software? This page [betarun.net] discusses in gory detail the various methods of crippling/uninstalling/haxoring MSN software on the user machine, and making sure it won't come back. You have to be careful, as there are right ways and wrong ways to do it. My favourite method is to uninstall the software (made possible on XP via a convoluted run command), then place a blank file called "msn messenger" in Program Files. Installer won't work, and the user nev

  • An alternative approach (Score:5, Funny)

    by skinfitz ( 564041 ) on Wednesday July 30, 2003 @02:35AM (#6568473) Journal
    Blcoking 1863 does work, as I use that method myself.

    The only problem is that they will move on to the next messenger that works (like Yahoo! etc).

    If you wanted to be really insidious and get people to self police themselves, log all messenger messages and put a new section on your companies Intranet user customised page - something like "Hello xxxx, here are your last few messenger messages:

    [bIcycleSExfiEND] w00t!
    [cute^babe7599] SO BABEE U WANA C MY PIC?
    [bIcycleSExfiEND] yeah - send it
    [cute^babe7599] http://www.crackparty.com/showpictrojanisemachine? suckerid=bIcycleSExfiEND&referrid=1269
    ...

    Please contact the helpdesk if you would like a complete log.
    Have a nice day."

    ...and below that:
    Here are your last few web accesses:

    ... etc... you get the idea.
    • The altternative aproach realy works I used it once for HTTP limitations. The user would connect to our intranet server to compile his/her timesheet. Before getting to the timesheet there was a page you latest 50 URLS are: ...

      Each URL was cheked on certain domains and keywords when the URL matched a non.productive rule the line would be set in red. ex playboy.com would be viewed as ar red line.

      After some days even the boss stopped surfing to certain sites ;)
    • [cute^babe7599] http://www.crackparty.com/showpictrojanisemachine? suckerid=bIcycleSExfiEND&referrid=1269

      You know, it makes me wonder...how many people went to that link and were dissapointed when they got a 'Connection Refused' error, and couldn't see cute^babe's pic...

      /me raises hand
      Okay, I admit it.
    • something like "Hello xxxx, here are your last few messenger messages:

      Something like that would make me very happy - Because I would have instant feedback about whether or not my attempts to circumvent stupid network usage policies had succeeded, and if so, did they work anonymously.

      Mind you, I don't care about vising playboy.com from work - I never understood the point of porn at work anyway, since every work environment I've ever encountered made killing kittens all but impossible while there. But c

  • Why block MSN? (Score:3, Insightful)

    by flikx ( 191915 ) on Wednesday July 30, 2003 @02:37AM (#6568476) Homepage Journal

    The real question here is why block MSN? What about people who use instant messaging for legitimate business purposes?? People chat on telephones, and I don't see many offices rushing to ban them. Fire unproductive people, and let the rest of us communicate.

    • Re:Why block MSN? (Score:3, Informative)

      by thesnide ( 640733 )
      Actually, in some 'sensitive' companies (for example: stock exchange brokers) all communications involving a third party are officially tapped.
      It's done in order to prevent some obvious abuses.

    • Re:Why block MSN? (Score:5, Informative)

      by leviramsey ( 248057 ) on Wednesday July 30, 2003 @02:54AM (#6568557) Journal

      RTFP. He's a sysadmin in the financial business, where IM that's not encrypted and securely logged is basically illegal (per SEC regulations). There are some (non-free) IM solutions that offer that functionality, though.

      • Re:Why block MSN? (Score:2, Interesting)

        by innosent ( 618233 )
        Yeah, I have a similar situation, since I work as a programmer for a medical lab. The answer is, write your own client, and block/uninstall everything else. Plus, by writing your own IM client/server (since this is the best model for logging and administration, p2p is not as useful for logging), you can add your own functionality, like controlling buddy lists, spying, shutting down systems, etc. (Mine has a nice feature to disconnect and lockout a user from the system when they are fired, in order to avo

    • Re:Why block MSN? (Score:2, Insightful)

      by NanoGator ( 522640 )
      "The real question here is why block MSN? What about people who use instant messaging for legitimate business purposes?? People chat on telephones, and I don't see many offices rushing to ban them. Fire unproductive people, and let the rest of us communicate."

      Gotta say, I agree. I've visited a number of large corps and all of them had computers using Im of some sort. Beats the heck out of walking to another building or even making a phone call. (Phones are so annoying.)

      What really bugs me is that if

      • Re:Why block MSN? (Score:3, Insightful)

        by fatrat ( 324232 )
        > I can't wait until my generation is in charge.#

        and when you get there, you'll find that all the same regulations about being able to record all conversations/encrypt it etc still apply and so you'd still have to block MSN.
      • What really bugs me is that if they weren't using MSN, they'd probably be using email. It's futile, really.

        I disagree. We can't use IM here at work (well, we could use MSN, but we all like AIM too much and don't really care to switch) and it does restrict what we say in emails because...

        1) Emails get logged in at least three places...your computer, the recipient(s) computer, the server. Possibly a router log too, depending.
        2) IMs will only get logged going across a router. I'm sure someone keeps a rou

    • Re:Why block MSN? (Score:3, Interesting)

      by dotpl ( 601535 )
      I totally agree with your point, but I have a similar situation, we have a lot of computers that share the internet connection, and there ain't that much bandwidth (around 40Kbits/sec if you're lucky)

      so somtimes I want to block MSN because the connection gets too slow for legitimate use, and I know most of the people in the office are just chatting with friends and getting no real work done, and, eventually, preventing me from doing my work, which requires being 90% of the time online.

    • SEC rules (Score:3, Insightful)

      by whoda ( 569082 ) *
      Blame Enron and other such fiasco's.
      Financial institution's have to record and hold all elctronic communications for years now. The specific number of years eludes me atm.

      If you think some E-mails people send are incriminating, imagine what IM's traded around an office would expose.

      It's much easier to stop the people from using IM services than to try to capture/record/log/preserve it all. At least for financial institutions which theoretically could face billion dollar lawsuits.
    • Sure, there are a lot of bad managers who worry about employees wasting their time on the Internet, and implement all kinds of technical restrictions: what web sites you can access, what programs you can use, etc. etc. I agree, it's stupid: if managers are worried about people not using their time productively, they should be out talking to them about it, making them understand that they're only hurting themselves. These kindergarten games are worse than useless.

      In college I worked as a projectionist. We


    • The answer is really simple: compliance.

      At a 'financial institution', if it's a bank, you are working with traders. A lot of countries have very very strict requirements as to the communications of brokers and traders--this includes having every single phone on the floor where they work (in my last company it wasn't just the trading floor, but the whole 3d floor) specially monitored.

      A lot of banks and exchanges also do this to protect themselves from claims by associates/customers that they "were told a
    • In this case being a finance institution, they have to log all conversations or possibly face fines.

      In 99% of normal businesses, its NOT needed to have outside IM access, peroid.. If you need IM communication between your employees, great, then you use a secure internal IM setup, with no outside server access.. For people outside the firwall like sales guys, they vpn back in.

      Its not in best business interest to let you talk to your wife, or friend down the street about where to go for lunch. Regardless o

  • Group Policies (Score:4, Interesting)

    by fluor2 ( 242824 ) on Wednesday July 30, 2003 @02:43AM (#6568502)
    Hey,

    you can block stuff like this using Group Policies (GPO's). I think you should start asking at news.microsoft.com at their group policy newsgroups.

    If you have windows XP's as a member of your domain, you can easily block it using GPO.

  • Don't block it, sniff it. (Score:5, Funny)

    by ColaMan ( 37550 ) on Wednesday July 30, 2003 @03:38AM (#6568708) Journal
    Get a MSN sniffer... the (very beta) one I used was called MSN666.

    Tell everyone that you're sniffing MSN messenger traffic, and that you can trace it to a person esaily. Wait a day. Post a few innocuous messages between people on the noticeboard to prove it. Add a scrawled note on the bottom of the message saying "and , FatShaft42, you are one SICK Bastard! I'll be passing *your* messages onto HR!!" for maximum effect.

    • Re:Don't block it, sniff it. (Score:4, Interesting)

      by ColaMan ( 37550 ) on Wednesday July 30, 2003 @05:20AM (#6569035) Journal
      I joke about all this stuff , but seriously, I had a person email me a resume for a job we had open from "fatshaft42" at a well known free email provider.

      Of course , all the girls in the office wanted to hire him but it did nothing for his professional appeal. Well, if we were an escort agency maybe it would have.....

  • Kill them all. (Score:5, Funny)

    by trouser ( 149900 ) on Wednesday July 30, 2003 @03:53AM (#6568763) Journal
    Or not. On second thoughts perhaps not a good idea. Still, it's your call.

  • How to stop MSN Messenger? You kidding? (Score:4, Insightful)

    by Feztaa ( 633745 ) on Wednesday July 30, 2003 @04:03AM (#6568795) Homepage
    Install Linux, MSN Messenger will go away rather quickly :)

    I think it would be easier to lock down a linux box to prevent installations of gaim, Gabber, etc than it would be to putz around with your firewalls trying to kill MSN Messenger.

  • If you allow www (Score:3, Insightful)

    by gl4ss ( 559668 ) on Wednesday July 30, 2003 @04:10AM (#6568818) Homepage Journal
    If you allow www, you can't stop all chats. You can pretend, but you can't do it. Heck, email can be used for such as well. How about making internet access a priviledge that only those have that need. Though im can be used to boost productivity too.
    • I agree, at my "educational institute," we are always trying to find ways to escape out of the restrictions they put on us (which are quite stupid sometimes). eg. only ports 80 and 113 (SSL) are open, www.hotmail.com is blocked (but not hotmail.com).
      By letting port 80 though, programs like HTTPort can tunnel through (unless your proxy/firewall doesn't support normal proxy CONNECT messages).

  • Brrrr technological fix.... (Score:3)

    by Chilles ( 79797 ) on Wednesday July 30, 2003 @04:12AM (#6568827)
    I thought financial people were supposed to be more socially able than technological people. Don't your managers understand the concept of "talking to people abouth things they should and should not do during work hours?"
    I now it's not generally accepted in most larger companies, but I always question bad and lazy management decisions like this one. Management is usually paid generously enough to compensate for the occasional difficult talk with a bothersome employee. Besides, talking has a lot less negative (or even positive, depending on the person doing the talking) effect on the work atmosphere and might alleviate a general feeling of "us against the managers" in employees.

  • Block one, block them all? (Score:3, Informative)

    by __aafkqj3628 ( 596165 ) on Wednesday July 30, 2003 @04:30AM (#6568897)
    You may be able to block the win32 client, but that does not stop employees from using services like http://www.wbmsn.com/ (MSN) or http://go.icq.com/ (ICQ) for their IM needs.

    Alternatively, a mass block of Microsoft's IP address range(s) should help stop people being able to connect (and you'll also kill hotmail, passport and a lot of other of their useless services with the same stone).

  • Installl Messenger mandatory and lock it down (Score:5, Informative)

    by wimbor ( 302967 ) * on Wednesday July 30, 2003 @05:29AM (#6569053)
    I did the exact opposite at our company.

    I used group policy software distribution to force the install of Windows Messenger on all computers. Windows Messenger is a slightly different version than MSN Messenger but it can also connect to the IM system of Exchange. We use that in house as our instant messaging system.

    When once installed you can use Group Policies to lock the Windows messenger down. With registry keys embedded in the policies you can disable file transfer, video chat and even outside communications (to the internet, not intranet) of the client.

    We disabled file transfer to avoid viruses slipping in via this way.

    If I am correct you can even set Windows messenger to have priority on MSN messenger, thus disabling the MSN version. In this way you should have full control over the IM system. Check the knowledge base and technet for the necessary info. If necessary, contact me.

  • Very easy (Score:5, Interesting)

    by duffbeer703 ( 177751 ) on Wednesday July 30, 2003 @08:34AM (#6569633)
    Disable via the registry with login scripts

    http://www.winguides.com/registry/display.php/98 1/

    Or group policy

    http://www.subvers.com/technobabble/html/tweaks/ Gr oup%20Policy%20Registry%20Editor.htm

    If you have wildcat machines that people just setup on their own, you have a larger problem.

  • linux/ipchains (Score:2, Informative)

    by ohchaos ( 564646 )
    I block MSMessenger without any problems with the following rules:

    ipchains -A input -p TCP -b --sport 1863 -j DENY
    ipchains -A input -b -d 64.4.13.0/24 -j DENY

    now the extremely persistant Yahoo IM is something I still haven't nailed down yet.....

  • Assuming you are on a domain and not a workgroup, its not hard to lock down pcs to only run 'approved' apps..

    If you dont know how to do that, then you have got some basic windows admin skills to learn.

Slashdot Top Deals

I have hardly ever known a mathematician who was capable of reasoning. -- Plato

Close