"There are not technical solution to Administrative problems."
Saw this some where......
Basically.......Policy says dont do it or else!!!
Printable View
"There are not technical solution to Administrative problems."
Saw this some where......
Basically.......Policy says dont do it or else!!!
I have found that the best policy is not "do not or else" but is "cannot at all".
I have found that the best policy is not "do not or else" but is "cannot at all".
You can make all your user restricted so they cannot install any software on there machine.
You can make all your user restricted so they cannot install any software on there machine.
I agree with what gypsygeek said "There are not technical solution to Administrative problems." In short unless you are backed up with a policy that has some teeth in it users will use web based chat. Depending on the firewall at least with one that I used a few years you could ban access based upon the program accessing the web even if it rode on top of the web browser. Better bet is not to block a server name but the IP address range, followed by the ports they use. Another alt way is to aduit the users of chats computers most if not all by default save a log (boy this can really bite a company), simply review the log and chat times etc then confront the user that is chatting and not working. Work is work play is play :) Unless they dig around logs will be there unless they have shut them off, also check out the really hidden M$ files they keep it all and takes much effort to find and remove those files, but do a google search and find out how to read them.
I agree with what gypsygeek said "There are not technical solution to Administrative problems." In short unless you are backed up with a policy that has some teeth in it users will use web based chat. Depending on the firewall at least with one that I used a few years you could ban access based upon the program accessing the web even if it rode on top of the web browser. Better bet is not to block a server name but the IP address range, followed by the ports they use. Another alt way is to aduit the users of chats computers most if not all by default save a log (boy this can really bite a company), simply review the log and chat times etc then confront the user that is chatting and not working. Work is work play is play :) Unless they dig around logs will be there unless they have shut them off, also check out the really hidden M$ files they keep it all and takes much effort to find and remove those files, but do a google search and find out how to read them.
Depending on how serious you are about enforcing the no chat policy (and hence your willingness to track everything down), you could set up the blocks to those ip's/domains and then log all those denies (or even the default port for the application). You would then know who tried to access it and you could take whatever actions are necessary to remove the messenger from the network.
As a side note, many IDS systems have signatures that detect the use of messengers, you could set it up to either log the events or even to kill the connections as it sees them (usually with a reset that is sent to both ends of the connection), but you need to be a little careful with that in that you might accidentally block legitimate traffic (depending on how good those signatures are).
/nebulus
Depending on how serious you are about enforcing the no chat policy (and hence your willingness to track everything down), you could set up the blocks to those ip's/domains and then log all those denies (or even the default port for the application). You would then know who tried to access it and you could take whatever actions are necessary to remove the messenger from the network.
As a side note, many IDS systems have signatures that detect the use of messengers, you could set it up to either log the events or even to kill the connections as it sees them (usually with a reset that is sent to both ends of the connection), but you need to be a little careful with that in that you might accidentally block legitimate traffic (depending on how good those signatures are).
/nebulus
I know there's different options to achive the same goal. Thats not what I was asking. Either way, best bet is to block their logon servers I guess. Simplest anyway, and doesn't give me a headache.
Thanks for all the replies though!