Blocking MSN Messenger?
Tekno2k3 asks: "As a sysadmin for a financial company, I have been tasked with removing Instant Messaging from our network. The only service that is being difficult is MSN Messenger. It uses many methods to get around being blocked. These include using port 80, using its own DNS servers for lookup, using MANY logon servers, and using reverse DNS lookup. Has anyone had any success in blocking Messenger?"
Group policies are the solution (Score:5, Informative)
Re:Group policies are the solution (Score:2)
Re:Group policies are the solution (Score:3, Insightful)
Re:Group policies are the solution (Score:2)
Re:Group policies are the solution (Score:3, Interesting)
Re:Group policies are not the solution (Score:3, Insightful)
Anyone who thinks I'm going to work on Windows without cygwin, JSPager, xemacs, etc, has another think coming. Sysadmins are *support* personnel. They're there to facilitate work getting done. They aren't supervisors of said personnel, and controlling behavior is certainly not in their bailiwick unless expressly handed
Re:Group policies are not the solution (Score:5, Insightful)
NOT EVERYTHING IS A TECHNICAL ISSUE. Policy is as important as technology. Lazy management makes management problems (lack of control and accountability) into technical problems because they are too weak to deal with the issues on their own and want IT to do it for them.
Also, FlashDesktops is far better than JSPager
Re:Group policies are the solution (Score:5, Insightful)
Yes, within a week of whatever he was using being blocked. It only takes one person to figure it out, and word will spread.
The easy way isn't always popular (Score:5, Funny)
Re:The easy way isn't always popular (Score:3, Informative)
With MSN Messenger literally embedded in Windows XP, that may be a bit hard unless if you create a policy that not o
Re:The easy way isn't always popular (Score:5, Informative)
You can just delete it, but make sure you delete it from both the program folder, and %SYSTEMROOT%\system32\dllcache which is where the "protected" copies live.
An easier way is to edit %systemroot%\inf\sysoc.inf
Open it in Notepad and under the Edit > Replace menu, replace all instances of HIDE with nothing, save, reboot. Then you can go to Control Panel > Add/Remove Programs and tell Windows to remove it.
Re:The easy way isn't always popular (Score:3, Funny)
Re:The easy way isn't always popular (Score:2)
Re:The easy way isn't always popular (Score:2, Insightful)
Re:The easy way isn't always popular (Score:5, Insightful)
Re:The easy way isn't always popular (Score:3, Insightful)
Re:The easy way isn't always popular (Score:5, Informative)
Re:The easy way isn't always popular (Score:2)
Re:The easy way isn't always popular (Score:3, Funny)
Re:The easy way isn't always popular (Score:2)
Re:The easy way isn't always popular (Score:2)
Doesn't MSN provide for logging? Even iChat does, so I'm kinda surprised that it's not there for MSN.
Or is it that logging is an option, without an easy way to force it and set it [true] by default?
Re:The easy way isn't always popular (Score:2)
Re:The easy way isn't always popular (Score:2)
Re:The easy way isn't always popular (Score:3, Insightful)
Banning instant messaging might be counterproductive if the aim is to increase the amount of work done. (It is bad
Re:The easy way isn't always popular (Score:3, Informative)
This is not futile. The monitoring system will record the email including the steganographic content, and a (later) forensic audit may reveal that content. This may be sufficient to secure a criminal conviction, if not to deter the activity in the first place.
Re:The easy way isn't always popular (Score:2)
The part of IM that I really hate is that most IM clients will allow the user to download files. I can not tel
Re:The easy way isn't always popular (Score:3, Interesting)
I work for a large state university.
There are very strict laws regarding the use and storage of any student information. A student's personal data (SSN, Address, on campus phone #) must be kept private at all costs.
When word got out that some departments were using AIM to send student information between employees, a lot of people got very nervous.
To fix this situation, we set up an internal SSL'd Jabber Server. Even though the rules are clear, some people still try to use AIM.
In this s
Re:The easy way isn't always popular (Score:2)
Is thinking prohibited on the job, too?
Re:The easy way isn't always popular (Score:2)
No, but hanging your butt out of an office window probably is!!
The point is that management has the right to set rules about what is not acceptable behaviour. Within limits of fairness, due process, etc, they are entitled to take action against people who break the rules ... including dismissal. The fact that an employee might think the rules are petty is not relevant.
Re:The easy way isn't always popular (Score:2, Insightful)
Re:The easy way isn't always popular (Score:5, Informative)
Re:The easy way isn't always popular (Score:2)
For the life of me, I can't remember white collar workers ever striking. They usually just file a wrongful termination suit or somesuch. I might be wrong, tho, I admit I haven't lived much.
As for hatred, meh... Managers will almost always be hated/mistrusted by the managed.
Re:The easy way isn't always popular (Score:2)
Tell that to Boeing. [go.com]
Re:The easy way isn't always popular (Score:3, Informative)
Instant messaging could be considered to be inappropriate use of company resources. That's pretty serious. It's also a security vulnerability because someone could send you a trojan. Violating the company's security policies is pretty serious too. Aren't there rules about the logging of business communications? Could the company get in trouble with the SEC if th
Re:The easy way isn't always popular (Score:2)
Try this. (Score:5, Informative)
On your web proxies (if you have them), block HTTP messages with the mime type "application/x-msn-messenger" and turn off HTTP CONNECT support for port 1863.
Turn off SOCKS for port 1863, too.
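One way to express both of these proxy rules, as an added example that is not from the thread: a small Python policy check that refuses any request bound for port 1863 (CONNECT, SOCKS or a plain URL, so slightly broader than CONNECT alone) and any request carrying an application/x-msn-messenger body. The hostnames are the ones named in this thread; the gateway path, IP addresses and example.com are constructed placeholders.

```python
"""Proxy-side checks for the MSN Messenger blocks suggested above (added example)."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

MSN_PORT = 1863                            # MSNP notification/switchboard port
MSN_MIME = "application/x-msn-messenger"   # body type of the HTTP gateway transport


@dataclass
class ProxyRequest:
    method: str                 # HTTP method, or "SOCKS" for a SOCKS CONNECT
    target: str                 # host:port for CONNECT/SOCKS, a URL otherwise
    headers: dict = field(default_factory=dict)


def target_port(method, target):
    """Destination port of a request; None if it cannot be determined."""
    if method in ("CONNECT", "SOCKS"):
        host, _, port = target.rpartition(":")
        return int(port) if host and port.isdigit() else None
    parts = urlsplit(target)
    try:
        if parts.port is not None:
            return parts.port
    except ValueError:          # malformed port in the URL
        return None
    return 443 if parts.scheme == "https" else 80


def media_type(headers):
    """Content-Type without parameters, lower-cased; "" if absent."""
    for name, value in headers.items():
        if name.lower() == "content-type":
            return value.split(";", 1)[0].strip().lower()
    return ""


def decide(req):
    """(allowed, reason) under the two rules from the thread, applied to every method."""
    if target_port(req.method, req.target) == MSN_PORT:
        return False, f"{req.method} to port {MSN_PORT} refused"
    if media_type(req.headers) == MSN_MIME:
        return False, f"{MSN_MIME} body refused"
    return True, "allowed"


# Constructed sample traffic: the gateway path, 203.0.113.7 and example.com are placeholders.
SAMPLE = [
    ProxyRequest("CONNECT", "messenger.hotmail.com:1863"),
    ProxyRequest("SOCKS", "203.0.113.7:1863"),
    ProxyRequest("POST", "http://gateway.messenger.hotmail.com/gateway/gateway.dll",
                 {"Content-Type": "application/x-msn-messenger; charset=utf-8"}),
    ProxyRequest("CONNECT", "www.example.com:443"),
    ProxyRequest("GET", "http://www.example.com/", {"Content-Type": "text/html"}),
]


def evaluate(requests=SAMPLE):
    """Map each request target to its verdict (True = allowed)."""
    return {req.target: decide(req)[0] for req in requests}
```

The mime rule only helps where the proxy actually sees the request; a client allowed straight out on port 80 never passes through it, so the firewall rules elsewhere in this thread still apply.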
Re:Try this. (Score:4, Interesting)
There are a few commercial companies providing this support, and pretty much everyone can set up their own tunnel. While it's not that hard to track down the commercial stuff, I'm not sure how you'd defeat the guy running a proxy redirector on his DSL'd box at home. The latter hasn't been a problem for my workplace...yet.
Re:Try this. (Score:5, Informative)
Of course, they blocked anything apart from 80, 443 and 25, and checked the type of protocol that went over it. 80 only accepted http. Which was real handy, considering we were an internet company, and had support contracts we had to fulfil. Not. No SSH, no newsgroups to look for answers, no remote admin tools...
So I took httptunnel, and tunneled ssh over it. My boss was ecstatic. Now we didn't have to use the phone anymore to connect to the internet in earnest. We could actually help out customers!
Moral of this story: when people get as resourceful to tunnel through your firewall, consider that it's time to review your policy: they obviously perceive a need to do so. A 'block anything that goes in and block anything that goes out' policy doesn't really work in many cases, other than frustrating the work.
</rant>
Re:Try this. (Score:4, Interesting)
The product would try to go contact our company's webserver for some kind of content, but it wasn't proxy-aware. And they still wouldn't put us out on the internet.
We never had to escalate it, 'cause of some employees taking it into their own hands, but that was incredible. Blew my damn mind.
Re:Try this. (Score:2)
Because of stuff like this, seems like the best way to control the problem is to control what software gets installed on the machines in your office, and don't let users install software. I know that's pretty hard, and makes extra work for the admins.
Higher Management? (Score:2, Insightful)
I did this with my old company. They had a very strict firewall policy, and to get a port open, you had to get through higher management.
Geez. Try baking the sysadmin some cookies, give him a case of Guinness/Bawlz, or take the poor guy to lunch.
Re:Try this. (Score:2)
Man, where do you work? My users--if the app isn't in the dock, it may as well not exist. But yours are installing their own http redirectors?
Re:Try this. (Score:2)
Re:Try this. (Score:5, Informative)
Re:Try this. (Score:2, Insightful)
I assume you ownzor the DNS that client PCs will use!
Re:Try this. (Score:2)
Packeteer (Score:5, Informative)
packet shaping (Score:4, Interesting)
Re:packet shaping (Score:2, Interesting)
Simple (Score:3, Informative)
Re:Simple (Score:4, Informative)
Re:Simple (Score:2)
Re:Simple (Score:5, Interesting)
Re:Simple (Score:2)
Re:Simple (Score:2)
Re:Simple (Score:2)
The firewall blocks all packets to/from messenger.hotmail.com. The XFR packet never gets there.
Re:Simple (Score:4, Informative)
The firewall blocks all packets to/from messenger.hotmail.com. The XFR packet never gets there.
But if a user has already previously connected to messenger.hotmail.com and received an XFR, the client will cache the IP address given to it by the XFR. Therefore blocking only messenger.hotmail.com (the dispatch server), and not all the possible notification servers, "won't work for people who have ever connected before."
I'm assuming of course direct connections through messenger.hotmail.com. Blocking gateway.messenger.hotmail.com will block access through the HTTP proxy (at least until the IP address changes).
Re:Simple (Score:2)
The only problem then would be some sort of VPN tunnel across the firewall to an open box. Still,
Re:Simple (Score:3, Interesting)
what about a script that queries DNS for messenger.hotmail.com, then blocks the IP address returned?
Won't work. Messenger.hotmail.com is only contacted the first time you connect. After that you are redirected to a new IP address which is based on your username. That's how Microsoft load balances the connections.
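Because the client caches the notification server it was handed in an XFR, a deny list has to cover every server a client was ever redirected to, not just messenger.hotmail.com. The following added example (not from the thread) parses XFR replies captured from a proxy or sniffer, collects the notification (NS) and switchboard (SB) addresses, and emits deny rules in the ipchains style used later in this thread. The transcript and its addresses (RFC 5737 documentation ranges) are constructed; the field layout follows the documented XFR reply.

```python
"""Harvest MSN notification/switchboard servers from XFR replies (added example)."""
import ipaddress
import re

HOSTPORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")

# Constructed sample of server replies (documentation addresses, not real servers):
#   XFR <trid> NS <new-ns:port> 0 <current-ns:port>
#   XFR <trid> SB <switchboard:port> CKI <cookie>
SAMPLE = """\
VER 1 MSNP8 CVR0
USR 3 TWN S lc=1033,id=507,tw=40
XFR 3 NS 192.0.2.10:1863 0 192.0.2.1:1863
XFR 4 NS 192.0.2.11:1863 0 192.0.2.10:1863
XFR 7 SB 198.51.100.5:1863 CKI 17262740.1050826919.32308
XFR 9 SB 198.51.100.5:1863 CKI 17262742.1050826940.32311
"""


def parse_xfr(line):
    """Return (server_kind, [(ip, port), ...]) for an XFR reply, else None."""
    fields = line.split()
    if len(fields) < 4 or fields[0] != "XFR":
        return None
    addrs = []
    for token in fields[3:]:
        m = HOSTPORT.match(token)
        if not m:
            continue
        try:
            ip = ipaddress.IPv4Address(m.group(1))   # rejects octets > 255
        except ValueError:
            continue
        addrs.append((str(ip), int(m.group(2))))
    return fields[2], addrs


def harvest(transcript):
    """Distinct server addresses the client was redirected to, keyed by kind."""
    seen = {}
    for line in transcript.splitlines():
        parsed = parse_xfr(line)
        if parsed:
            kind, addrs = parsed
            seen.setdefault(kind, set()).update(addrs)
    return seen


def deny_rules(seen, chain="input"):
    """ipchains-style deny rules for every harvested address; a block on the
    dispatch server alone would miss all of these."""
    ips = sorted({ip for addrs in seen.values() for ip, _ in addrs},
                 key=ipaddress.IPv4Address)
    return [f"ipchains -A {chain} -b -d {ip} -j DENY" for ip in ips]
```

A client that already holds a cached notification server will connect to it directly without a fresh XFR, so the harvested list is only as complete as the traffic you captured.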
So what's to stop you blocking the IP? (Score:2)
Walla? (Score:2)
Do you, perchance, mean "voila," the French word? Yes, I know it should have accents on it but I'll be damned if I can figure out how to type them.
Walla indeed!
Re:Walla? (Score:3, Funny)
LOL, that reminded me of this gem from Dilbert newsletter #43 [dilbert.com]:
Brute force (Score:3, Interesting)
Also, you could try looking for the location that the MSN client fetches the server list from and block that IP. If the list is stored locally, it'd be even easier to find and block those servers.
Of course, the above approach assumes that the router can handle blocking X amount of IPs. I wouldn't put it past MS to have hundreds or thousands of servers out there.
Tell people not to use it... (Score:5, Interesting)
Kill the software. (Score:2, Funny)
An alternative approach (Score:5, Funny)
The only problem is that they will move on to the next messenger that works (like Yahoo! etc).
If you wanted to be really insidious and get people to self police themselves, log all messenger messages and put a new section on your company's Intranet user customised page - something like "Hello xxxx, here are your last few messenger messages:
[bIcycleSExfiEND] w00t!
[cute^babe7599] SO BABEE U WANA C MY PIC?
[bIcycleSExfiEND] yeah - send it
[cute^babe7599] http://www.crackparty.com/showpictrojanisemachine
...
Please contact the helpdesk if you would like a complete log.
Have a nice day."
...and below that:
Here are your last few web accesses:
Re:An alternative approach (Score:2, Interesting)
Each URL was checked on certain domains and keywords; when the URL matched a non-productive rule the line would be set in red. ex playboy.com would be viewed as a red line.
After some days even the boss stopped surfing to certain sites
Re:An alternative approach (Score:2, Funny)
You know, it makes me wonder...how many people went to that link and were disappointed when they got a 'Connection Refused' error, and couldn't see cute^babe's pic...
Okay, I admit it.
Re:An alternative approach (Score:3, Funny)
Re:An alternative approach (Score:3, Insightful)
Something like that would make me very happy - Because I would have instant feedback about whether or not my attempts to circumvent stupid network usage policies had succeeded, and if so, did they work anonymously.
Mind you, I don't care about visiting playboy.com from work - I never understood the point of porn at work anyway, since every work environment I've ever encountered made killing kittens all but impossible while there. But c
Re:An alternative approach (Score:2)
Very very easy. For example so long as your intranet is set to use user authentication, then you know the user
Why block MSN? (Score:3, Insightful)
The real question here is why block MSN? What about people who use instant messaging for legitimate business purposes?? People chat on telephones, and I don't see many offices rushing to ban them. Fire unproductive people, and let the rest of us communicate.
Re:Why block MSN? (Score:3, Informative)
It's done in order to prevent some obvious abuses.
Re:Why block MSN? (Score:5, Informative)
RTFP. He's a sysadmin in the financial business, where IM that's not encrypted and securely logged is basically illegal (per SEC regulations). There are some (non-free) IM solutions that offer that functionality, though.
Re:Why block MSN? (Score:2, Interesting)
Re:Why block MSN? (Score:2, Insightful)
Gotta say, I agree. I've visited a number of large corps and all of them had computers using IM of some sort. Beats the heck out of walking to another building or even making a phone call. (Phones are so annoying.)
What really bugs me is that if
Re:Why block MSN? (Score:3, Insightful)
and when you get there, you'll find that all the same regulations about being able to record all conversations/encrypt it etc still apply and so you'd still have to block MSN.
Re:Why block MSN? (Score:2)
I disagree. We can't use IM here at work (well, we could use MSN, but we all like AIM too much and don't really care to switch) and it does restrict what we say in emails because...
1) Emails get logged in at least three places...your computer, the recipient(s) computer, the server. Possibly a router log too, depending.
2) IMs will only get logged going across a router. I'm sure someone keeps a rou
Re:Why block MSN? (Score:3, Interesting)
so sometimes I want to block MSN because the connection gets too slow for legitimate use, and I know most of the people in the office are just chatting with friends and getting no real work done, and, eventually, preventing me from doing my work, which requires being 90% of the time online.
SEC rules (Score:3, Insightful)
Financial institutions have to record and hold all electronic communications for years now. The specific number of years eludes me atm.
If you think some E-mails people send are incriminating, imagine what IM's traded around an office would expose.
It's much easier to stop the people from using IM services than to try to capture/record/log/preserve it all. At least for financial institutions which theoretically could face billion dollar lawsuits.
Management by IP Filter (Score:2)
In college I worked as a projectionist. We
Re:Why block MSN? (Score:2)
The answer is really simple: compliance.
At a 'financial institution', if it's a bank, you are working with traders. A lot of countries have very very strict requirements as to the communications of brokers and traders--this includes having every single phone on the floor where they work (in my last company it wasn't just the trading floor, but the whole 3d floor) specially monitored.
A lot of banks and exchanges also do this to protect themselves from claims by associates/customers that they "were told a
Why? Because it's against the rules, and law. (Score:3, Informative)
In 99% of normal businesses, it's NOT needed to have outside IM access, period. If you need IM communication between your employees, great, then you use a secure internal IM setup, with no outside server access. For people outside the firewall like sales guys, they vpn back in.
It's not in best business interest to let you talk to your wife, or friend down the street about where to go for lunch. Regardless o
Group Policies (Score:4, Interesting)
You can block stuff like this using Group Policies (GPOs). I think you should start asking at news.microsoft.com at their group policy newsgroups.
If you have Windows XP machines as members of your domain, you can easily block it using GPO.
Don't block it, sniff it. (Score:5, Funny)
Tell everyone that you're sniffing MSN messenger traffic, and that you can trace it to a person easily. Wait a day. Post a few innocuous messages between people on the noticeboard to prove it. Add a scrawled note on the bottom of the message saying "and, FatShaft42, you are one SICK Bastard! I'll be passing *your* messages onto HR!!" for maximum effect.
Re:Don't block it, sniff it. (Score:4, Interesting)
Of course, all the girls in the office wanted to hire him but it did nothing for his professional appeal. Well, if we were an escort agency maybe it would have.....
Kill them all. (Score:5, Funny)
How to stop MSN Messenger? You kidding? (Score:4, Insightful)
I think it would be easier to lock down a linux box to prevent installations of gaim, Gabber, etc than it would be to putz around with your firewalls trying to kill MSN Messenger.
Re:How to stop MSN Messenger? You kidding? (Score:3, Insightful)
Re:How to stop MSN Messenger? You kidding? (Score:2, Informative)
I'm using MSN from linux right now on this machine
Re:How to stop MSN Messenger? You kidding? (Score:2)
If you allow www (Score:3, Insightful)
Re:If you allow www (Score:2)
By letting port 80 through, programs like HTTPort can tunnel through (unless your proxy/firewall doesn't support normal proxy CONNECT messages).
Brrrr technological fix.... (Score:3)
I know it's not generally accepted in most larger companies, but I always question bad and lazy management decisions like this one. Management is usually paid generously enough to compensate for the occasional difficult talk with a bothersome employee. Besides, talking has a lot less negative (or even positive, depending on the person doing the talking) effect on the work atmosphere and might alleviate a general feeling of "us against the managers" in employees.
Block one, block them all? (Score:3, Informative)
Alternatively, a mass block of Microsoft's IP address range(s) should help stop people being able to connect (and you'll also kill hotmail, passport and a lot of other of their useless services with the same stone).
Install Messenger mandatory and lock it down (Score:5, Informative)
I used group policy software distribution to force the install of Windows Messenger on all computers. Windows Messenger is a slightly different version than MSN Messenger but it can also connect to the IM system of Exchange. We use that in house as our instant messaging system.
Once installed you can use Group Policies to lock the Windows messenger down. With registry keys embedded in the policies you can disable file transfer, video chat and even outside communications (to the internet, not intranet) of the client.
We disabled file transfer to avoid viruses slipping in via this way.
If I am correct you can even set Windows messenger to have priority on MSN messenger, thus disabling the MSN version. In this way you should have full control over the IM system. Check the knowledge base and technet for the necessary info. If necessary, contact me.
Very easy (Score:5, Interesting)
http://www.winguides.com/registry/display.php/9
Or group policy
http://www.subvers.com/technobabble/html/tweaks
If you have wildcat machines that people just setup on their own, you have a larger problem.
linux/ipchains (Score:2, Informative)
# Deny MSNP traffic on its well-known port; -b installs the rule for both
# directions, so packets to and from port 1863 are both dropped.
ipchains -A input -p TCP -b --sport 1863 -j DENY
# Deny everything to and from the server block this poster observed, in both directions.
ipchains -A input -b -d 64.4.13.0/24 -j DENY
now the extremely persistent Yahoo IM is something I still haven't nailed down yet.....
Just block running of unauthorized programs (Score:2)
If you don't know how to do that, then you have got some basic windows admin skills to learn.
Via Global policy (Score:2)