
Thread: Another post with the subject of "M$N Messenger Blocking"

  1. #1
    Senior Member
    Join Date
    Jun 2003
    Posts
    142

    Another post with the subject of "M$N Messenger Blocking"

    Hey all ...
    Well, it's another post with the subject "Blocking Msn Messenger".. I have already gone through almost all the similar posts on the AO. I have also "googled" the issue. Got some ideas from there. I am listing these ideas along with problems. I hope anyone can come up with a better solution.
    1) Blocking specific ports for this software, i.e. :1863, works no more.. because of the port roaming feature of this IM utility (M$N Messenger). It has the ability to tunnel the connection through port 80 that is used for http traffic. Blocking port 80 would mean no life on my network. No http traffic, blocking genuine users.
    2) Blocking socks wouldn't be a good idea, coz many applications here use these ports; again it would result in blocking legal applications.
    3) Blocking all traffic to messenger.hotmail.com for all the IPs of my network won't work. Courtesy proxy servers.
    4) An entry in the \etc\hosts file isn't efficient enough, because there are numerous name servers for instant messaging. I tried to block the range of 64.4.0.0 to 64.4.63.255 (known to be the IP range for the name servers for the IM utility). But they keep on adding new servers, and automatic execution of updates adds those servers when connecting to the servers.
    5) Someone suggested to have an NIDS like Snort, and when a SYN packet is sent, it should be replied to with a spoofed packet so that the connection could be dropped. Not comfortable with Snort yet, new to it. Any suggestions?
    6) Application blockers are a good idea, but none of them is free to implement on my network.
    Thank you for reading all along. Any help would be really appreciated.
    By the way, it's a win2k server with almost 60 computers on the primary domain and almost 25 to 30 PCs on the sub domain. The registry is restricted for ordinary users, so they cannot install software. But you know bypassing the registry is fun for users, so they always do it. I am also working on it. Thank you all along.
    Plz do reply..
    Bye
    Ommy

  2. #2
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,018
    Good questions!!!! Unfortunately, I don't think I can help with any. I do have one question though... how are they bypassing the registry? I don't know much about win2k, but I thought one was able to lock everything down to prevent bypassing?

  3. #3
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038
    Ommy: How are those computers accessing the net? Are they all 2000 machines? Are you using Active Directory? What we do is look for that kind of traffic on the ISA server that everyone accesses to get on the internet. If we see it, then we look it up in the logs to see which IP address and user. Then we will contact the user and give the user a warning and remove the IM program. If they are caught again, then we use Group Policy to restrict them so that they can only open .exe files that I approve. That usually gets them to stop using IM.
    N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)
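
The log review described in the post above, sketched as an added example (not code from the thread or from ISA Server): it scans proxy log lines for the three indicators the first post lists (port 1863, the messenger.hotmail.com host, the 64.4.0.0 to 64.4.63.255 range) and groups hits by client IP and user. The log layout, the sample lines and the function names are assumptions made for illustration.

```python
import ipaddress
# Indicators named in the thread: the native Messenger port, the login host,
# and the address range 64.4.0.0 to 64.4.63.255 (64.4.0.0/18).
MSN_PORT = 1863
MSN_HOST = "messenger.hotmail.com"
MSN_NET = ipaddress.ip_network("64.4.0.0/18")

# Constructed sample lines in an assumed space-separated layout:
# date time client-ip username dest-host dest-ip dest-port
SAMPLE_LOG = """\
2003-10-02 09:14:07 192.168.10.21 LAB\\student07 www.example.edu 192.0.2.10 80
2003-10-02 09:14:31 192.168.10.34 LAB\\student12 gateway.messenger.hotmail.com 64.4.13.17 80
2003-10-02 09:15:02 192.168.10.34 LAB\\student12 - 64.4.12.200 1863
2003-10-02 09:15:40 192.168.10.58 LAB\\student31 - 64.4.61.9 443
2003-10-02 09:16:12 192.168.10.21 LAB\\student07 notmessenger.hotmail.com.example.org 198.51.100.7 80
malformed line
"""

def match_reasons(host, dest_ip, port):
    """Return the thread's indicators that one logged request matches."""
    reasons = []
    if port == MSN_PORT:
        reasons.append("port-1863")
    host = host.lower().rstrip(".")
    if host == MSN_HOST or host.endswith("." + MSN_HOST):
        reasons.append("messenger-host")
    try:
        if ipaddress.ip_address(dest_ip) in MSN_NET:
            reasons.append("msn-ip-range")
    except ValueError:
        pass  # destination address missing or malformed
    return reasons

def find_im_users(log_text):
    """Map (client IP, username) to the sorted indicators seen for them."""
    hits = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 7 or not fields[6].isdigit():
            continue  # skip lines that do not fit the assumed layout
        _, _, client, user, host, dest_ip, port = fields
        reasons = match_reasons(host, dest_ip, int(port))
        if reasons:
            hits.setdefault((client, user), set()).update(reasons)
    return {who: sorted(why) for who, why in hits.items()}

if __name__ == "__main__":
    for (client, user), reasons in find_im_users(SAMPLE_LOG).items():
        print(client, user, ", ".join(reasons))
```

As the first post notes, the client can move to port 80 and new servers keep being added, so no single indicator is complete; that is why the example reports all three per user.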

  4. #4
    Just wondering, why do you want to restrict access to MSN Messenger services?

    And can't you just restrict anything in the domain of hotmail.com and that work?

  5. #5
    Senior Member
    Join Date
    Jul 2003
    Posts
    114
    At first I thought he was mistaking 'messenger' for 'msn messenger', but I think he knows the difference.

    Only reason I see that to be necessary is if you have dumb ppl accepting everything (virii included) they receive from users on msn or if a certain company doesn't want their employers wasting time on that IM...

    But do clarify us, I'm curious also.

  6. #6
    Senior Member
    Join Date
    Aug 2003
    Posts
    185
    Hi, ommy... I sent you the PM related to this post:
    http://www.antionline.com/showthread...hreadid=247855
    but however... I hope it does some help.
    ==========
    can't you block oscar.aol.com ?
    Industry Kills Music.

  7. #7
    Senior Member
    Join Date
    Jun 2003
    Posts
    142
    Hey Thank you all...
    Well groovicus.. bypassing the registry is always a little fun for some of the users... there is a little script that, when executed, allows the installation of software. The other way to do that is with the help of registry monitoring tools. They get hold of every key being inserted into the registry at home, then they come up with a .reg file in the college and execute it to insert every key manually. They have even written some piece of code for that. I am not completely sure about the latter one.
    CXGJarrod, we have an ISA server that has two NIC cards to connect it to the network and for looping as well. The DSL modem is connected to this ISA server. All the traffic is routed through this server. We also have another server to avoid a Single Point Of Failure. Yes, we do use Active Directory. Servers have Win2k OS. All the clients have Windows XP. Well, monitoring logs is something that can be done. But you know there have to be smarter solutions than that.

    Jehnny and Sm0kinP0t, the answer to your question is that we have a restricted environment here at college. It is not the policy of the administration to have IM over here. Students are supposed to do research and assignments in the lab, but no chatting. The other factor is receiving virii and worms over the MSN IM utility. Although the corporate AV edition works well for these kinds of virii. But you know, there are many trojans and worms written every day that are still updated as quick.
    Sm0kinP0t.. yes, I know the difference between the messenger services and MSN messenger. Probably I should have used a better term.
    Thanx I hope every one will give it a thought again.

  8. #8
    Old Fart
    Join Date
    Jun 2002
    Posts
    1,658
    Supposedly opening the run dialog in the start menu and entering "RunDll32 advpack.dll,LaunchINFSection %windir%\INF\msmsgs.inf,BLC.Remove" will remove messenger. I haven't tried it myself, but it was what google gave me when I did a search for "uninstalling messenger".
    Al
    It isn't paranoia when you KNOW they're out to get you...

  9. #9
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,018
    College atmosphere...hmmm....that makes it interesting.

    DISCLAIMER: I have nothing to do with Network Security, but here's my take...(hopefully I have learned something from here)

    Well, I was just going to give a long-winded discourse on what I thought you should do, but then it occurred to me... is it possible to set up a couple machines for casual use? Even an old box or 2 for damaging? It would be much easier to watch those machines? Give them machines with which to play, and maybe they will leave the others alone? Give them an opportunity to learn how to reformat a damaged hard drive?

    I'd presume the machines have an A drive. Even if you disabled the A drive to prevent proggies from being brought in, as a user I would email the apps to myself for easy retrieval.
    I know you can block installation of applications if necessary, and you can block downloading of .exe. I'd wager someone clever would still find their way around.

    As far as the rest, I think you will need some monitoring software, and a user policy that has some bite.... I'd hate to think of being too restrictive in a learning environment though.

  10. #10
    Senior Member
    Join Date
    Jun 2003
    Posts
    142
    Well groovicus, you might be right. But you know rules are rules. I am still trying to keep this thread alive. Looking for real solutions. People at AO, please speak out. I am really desperate to solve the probbie.
    Thanx
