dcanard

block the use of AIM, MSN Messenger, Yahoo Instant Messenger and ICQ by URL filtering

Hi everybody,

Is there a way to block all URLs used by AIM, MSN Messenger, Yahoo Instant Messenger and ICQ?

I do not need to uninstall or prevent installation, but to block using it.


Best regards
David
bloemkool1980

With what would you like to block it?
If you have a proxy, deny the CONNECT method, and if you also use a firewall, only allow proxied traffic.
If you only have a firewall, block everything except port 80 for surfing.
ASKER CERTIFIED SOLUTION
Tim Holman
This solution is only available to members.
Forget trying to block it with an iron fist; there are too many ways around it. Your best bet is to go ahead and block the application-based ports and have available, in writing, the disciplinary repercussions for using unauthorized software within the standard policy/guidelines. Then set up a Snort (or whatever) alert for signatures of said chat traffic. Make an example of someone you really don't need.
Could you detail what sort of network and firewall you have?

Are you on a home LAN with a PC running Internet Connection Sharing as a gateway, do you have a router with a built-in firewall, etc.?

Does your network have a domain with roaming profiles?

Thanks
Yahoo is the most difficult to block. I blocked it denying access to *.msg.*.yahoo.com on my proxy.
All other clients are easy to block, just block the associated TCP/Ports.

A very good document which explains how to block every IM client is here:

http://www.iss.net/support/documentation/whitepapers/xforce.php

Sure that's all you need.

Good luck!
Hi,

tim_holman is quite right - many newer IM clients will try to tunnel over port 80, and they're getting quite good at disguising their traffic as legitimate HTTP traffic. Or, as the vendors call it, "firewall friendly applications". Not necessarily administrator friendly though... ;o)

You can try blocking the known port numbers, hostnames and IP addresses. But the vendors can change these at will - and in the past, they have done so. It's a moving target.

Droby_10's suggestion of using an IDS, such as Snort, is exactly how I deal with the problem. I can trace the communication back to a specific IP address, prove how long the chat session was open, then contact the user's HR officer with the evidence and a copy of the relevant section of the Acceptable Use Policy.

An even better (read: more expensive) solution is one of the new server appliances that claim to intercept and inspect all IM traffic (e.g. WebWasher). Like an IDS, they use signatures to detect IM traffic. But then like a proxy server, they deny access to users who aren't on an "approved" list.

Beluga
He is right, but I can hardly imagine that companies open up port 80. Mostly it goes over a proxy, and then you can avoid these tools by disabling the CONNECT method.
And if you have a good workstation policy, it can be pretty hard to install tools on your desktop.
Anyhow, the solution will not be done on one component only.
lots of unaccepted questions lately
The only Bueller I know is the one that had a day off - what you talking about sirbounty ??  ;)
dcanard

ASKER

Thank you all of you. It works almost fine.
.. Everyone left out the obvious:
Download blocking software from:
http://www.grc.com/stm/shootthemessenger.htm
- this also halts usage on the LAN.

Then you have the DCOM leakage:
http://www.grc.com/dcom/
and PnP hole:
http://www.grc.com/unpnp/unpnp.htm

Greg has helped a number of agencies in security issues - and I recommend his site on your list of favourites.
knuthf,

I think you might be confusing the Windows Messenger service with Instant Messaging (which includes MSN Messenger). Windows Messenger offers a broadcast-based one-way communication. Instant messaging offers a connection-based two-way communication.

Steve Gibson's "shoot the messenger" program does not affect Instant Messaging (as noted on the web page, under the heading "Windows Messenger Service"). It won't "block the use of AIM, MSN Messenger, Yahoo Instant Messenger and ICQ", which was the subject here.

For an explanation of the differences, the following from Caltech's web site might be helpful:
http://www.its.caltech.edu/its/security/users/windows_messenger.shtml
Just realised that Microsoft refer to the Instant Messaging program that's bundled with XP as "Windows Messenger", which only adds to the confusion! The Windows Messenger *service* is something different, and is the one addressed by "shoot the messenger".
Get TerminatorX to do the job for you.

http://blockmsn.port5.com/

TerminatorX doesn't block Trillian...  ;)

Even if you block it with TerminatorX or block it with a firewall, you won't be blocking web-based chat such as everywhere msn (eMsn).... These tools are completely web based and they use the HTTP port like any web site... You could block the domain, but you're gonna fall into an infinite "domain blocking" war since these tools are built like an applet....

Droby_10's suggestion is the ONLY completely bulletproof way to block users from chatting.. trust me, they try to block me and they never succeed...

An iron fist approach for MSN Messenger is to create a registry key that will prevent the application from running.

HKEY_LOCAL_MACHINE\software\policies\microsoft\

Create a new key called Messenger. Create another key under Messenger called Client.  Then create a DWORD under Client, call it PreventRun and give it a value of 1.  This key can be exported to a file and imported into the registry of other computers.
If you are working in an Active Directory domain environment, you could also use the group policy in the domain to prevent the running of specific Windows programs.  See Microsoft Knowledge Base Article 323525.  For example, if you want to prevent the use of Yahoo Messenger then the program to include is YPager.exe; if you want to prevent the use of MSN Messenger then the program to include is msmsgs.exe.

Good Luck.
http://upload.jibranilyas.com/files/activedir.JPG

check this screenshot plz... how come i don't have "Don't run specified windows applications"
You are looking at the wrong place in the domain policy.  "Don't run specified windows applications" is under the "User Configuration>Administrative Templates>Systems" folder and not "User Configuration>Administrative Templates>Systems>Group Policy".

Alternatively, look into deploying an ISA server 2000 or, even better, 2004, which can allow you to do much more with regard to blocking programs, websites, instant messaging, etc. from users, computers, groups, etc.

Good luck.
yah i should have stopped at system..thanks,,,
I'm using Windows 2003 Server and I want to block Yahoo Messenger from some selected machines. I used no proxy.
plz start a new question ... ~EE courtesy
To block selected computers, create a new OU container within the AD and move the computers into the new OU container, then create a new GPO preventing the execution of Yahoo Messenger and apply the policy to the new OU container containing the group of computers.
I think the best way to stop any messenger servers is to have your router or proxy send the request to a messenger service (example login.oscar.aol.com) to a bad private IP address. This will make it so the messenger client will never reach the server and make it stop trying to get there....

Won't that mean no computers will get access? He only wants selected computers to not get access, I think.
I already posted my own thread about this https://www.experts-exchange.com/questions/21385047/Vigor-2600-vg-firewall.html
Well yes, that will block access for all computers on the network. It was never really stated if it was for a single PC, multiple PCs, or a whole network. The only other thing you can try is to see if you can do blocking via IP address or MAC address and then create filters for those PC(s).
The best way to block all these (not to discipline) is to incorporate either Websense or SurfControl, and at the same time block every port except 80/443. I cannot really imagine why a normal user needs more than just these 2 ports.

You can find out more about them on their websites. They are very similar software and supported by many firewalls. They work as a filter, but based on domain name/ip address. You can set up to block different category such as no access to Adults, Sex, or Internet Chat. Those companies are doing all the hunting work and they update their database very often.

Here's what happens if I try to use Windows Messenger.

time=Wed Apr 13 08:34:35 2005      version=3
server=192.168.3.1 source=192.168.3.13 dest=207.46.110.249
protocol=    "http"
url=         "http://gateway.messenger.hotmail.com/gateway/gateway.dll?Action=open&Server=NS&IP=messenger.hotmail.com"
port=        "80"
category=    98     (INSTANT MESSAGING)
disposition= 1035   (BLOCKED WITH PASSWORD OPTION)
app type=    ""
keyword=     ""
user=        "WinNT://XYZ/dumass"
bytes sent=0 bytes received=0 duration=0


Here's what happens if I try to use webchat on yahoo or msn.

time=Wed Apr 13 08:37:28 2005      version=3
server=192.168.3.1 source=192.168.3.13 dest=66.163.172.116
protocol=    "http"
url=         "http://messenger.yahoo.com/"
port=        "80"
category=    98     (INSTANT MESSAGING)
disposition= 1035   (BLOCKED WITH PASSWORD OPTION)
app type=    ""
keyword=     ""
user=        "WinNT://xyz/dumass"
bytes sent=0 bytes received=0 duration=0


time=Wed Apr 13 08:40:08 2005      version=3
server=192.168.3.1 source=192.168.3.13 dest=207.46.110.252
protocol=    "http"
url=         "http://webmessenger.msn.com/"
port=        "80"
category=    98     (INSTANT MESSAGING)
disposition= 1035   (BLOCKED WITH PASSWORD OPTION)
app type=    ""
keyword=     ""
user=        "WinNT://xyz/dumass"
bytes sent=0 bytes received=0 duration=0


Oh, this software keeps a !@@# load of logs too. So, if you want to discipline somebody, just pull up the log.
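An added example, not part of the original thread and not Websense's own tooling: a Python sketch of the "pull up the log" step, parsing records in the layout quoted above and summarising blocked instant-messaging requests per user. The user name `jdoe`, the `dest` address and all function names are constructed for illustration, and the record layout is assumed to be exactly as posted.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit

FIELDS = {  # one pattern per field of the record layout shown in the logs above
    "time": r"^time=(.+?)\s+version=",
    "source": r"\bsource=(\S+)",
    "url": r'^url=\s*"([^"]*)"',
    "category": r"^category=\s*\d+\s*\(([^)]*)\)",
    "disposition": r"^disposition=\s*\d+\s*\(([^)]*)\)",
    "user": r'^user=\s*"([^"]*)"',
}

def parse_records(text):  # split on blank lines; keep only complete records
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        found = {k: re.search(rx, block, re.M) for k, rx in FIELDS.items()}
        if not all(found.values()):
            continue  # truncated or foreign record: never guess missing fields
        rec = {k: m.group(1).strip() for k, m in found.items()}
        rec["time"] = datetime.strptime(rec["time"], "%a %b %d %H:%M:%S %Y")
        rec["user"] = rec["user"].lower()  # the page logs both XYZ and xyz
        rec["host"] = urlsplit(rec["url"]).hostname
        records.append(rec)
    return records

def blocked_im_by_user(records):  # per user: hits, hosts, source IPs, timestamps
    report = {}
    for r in records:
        if r["category"] != "INSTANT MESSAGING" or not r["disposition"].startswith("BLOCKED"):
            continue
        e = report.setdefault(r["user"], {"hits": 0, "hosts": set(), "sources": set(), "times": []})
        e["hits"] += 1
        e["hosts"].add(r["host"])
        e["sources"].add(r["source"])
        e["times"].append(r["time"])
    return report

def _rec(when, url, user, category="98     (INSTANT MESSAGING)"):  # constructed record
    return (f"time={when}      version=3\nserver=192.168.3.1 source=192.168.3.13 dest=192.0.2.10\n"
            f'url=         "{url}"\ncategory=    {category}\n'
            f'disposition= 1035   (BLOCKED WITH PASSWORD OPTION)\nuser=        "{user}"')

SAMPLE = "\n\n\n".join([  # constructed sample; the last record is truncated on purpose
    _rec("Wed Apr 13 08:34:35 2005", "http://gateway.messenger.hotmail.com/gateway/gateway.dll", "WinNT://XYZ/jdoe"),
    _rec("Wed Apr 13 08:37:28 2005", "http://messenger.yahoo.com/", "WinNT://xyz/jdoe"),
    _rec("Thu Apr 14 08:31:00 2005", "http://mtab.games.yahoo.com/messenger/prefs", "WinNT://xyz/jdoe", "14     (GAMES)"),
    "time=Thu Apr 14 08:32:00 2005      version=3\nserver=192.168.3.1",
])
print(blocked_im_by_user(parse_records(SAMPLE)))
```

The two differently cased domain prefixes collapse into one user, the GAMES record is left out of the IM count, and the truncated record is skipped rather than half-parsed.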
That is great, but AIM will still be able to go out port 80 or 443. So then you will still need to block the AIM messenger.......
It does not matter because the Websense listens at port 80 or 443.

Please look at the examples I posted. When I use Windows Messenger, it tries to go through port 80 but is blocked by Websense.

Here's what happens if somebody is trying to use Yahoo Messenger. You can see this YM is trying to go through Port 80 just like AIM and WIM, but is not successful.

I don't have AIM so I cannot check, but in principle, my suggestion will block any AIM user too.

time=Thu Apr 14 08:31:00 2005      version=3
server=192.168.3.1 source=192.168.3.13 dest=68.142.231.252
protocol=    "http"
url=         "http://insider.msg.yahoo.com/ycontent/?&getgp=0&intl=us&os=win&ver=6,0,0,1922"
port=        "80"
category=    98     (INSTANT MESSAGING)
disposition= 1035   (BLOCKED WITH PASSWORD OPTION)
app type=    ""
keyword=     ""
user=        "WinNT://xyz/dumass"
bytes sent=0 bytes received=0 duration=0


time=Thu Apr 14 08:31:00 2005      version=3
server=192.168.3.1 source=192.168.3.13 dest=68.142.231.252
protocol=    "http"
url=         "http://insider.msg.yahoo.com/ycontent/?&getwc=0&intl=us&os=win&ver=6,0,0,1922"
port=        "80"
category=    98     (INSTANT MESSAGING)
disposition= 1035   (BLOCKED WITH PASSWORD OPTION)
app type=    ""
keyword=     ""
user=        "WinNT://xyz/dumass"
bytes sent=0 bytes received=0 duration=0


time=Thu Apr 14 08:31:00 2005      version=3
server=192.168.3.1 source=192.168.3.13 dest=66.218.71.196
protocol=    "http"
url=         "http://mtab.games.yahoo.com/messenger/prefs"
port=        "80"
category=    14     (GAMES)
disposition= 1035   (BLOCKED WITH PASSWORD OPTION)
app type=    ""
keyword=     ""
user=        "WinNT://xyz/dumass"
bytes sent=0 bytes received=0 duration=0


If you do what I suggested:
1. block every port except 80 and 443
2. set up either Websense or SurfControl to block web chat and IM
3. set up either Websense or SurfControl to block proxy servers

The only way a user can get through is to build a Port 80 VPN with his home computer and tunnel through that, but that will be very fancy, and I think if he can do that, you should recruit him to your IT team.
Guys (and gals),

Given that an answer to this question was accepted nearly a year ago, and dcanard (author of the question) hasn't posted here since, is he still reading this? Dcanard - do you still need advice, and if so, what?

In all my years on EE, this is the longest lasting *closed* question ever!!
It was not properly answered before.
Do you want to prevent them running using a gateway, or you can also install an agent on each PC that has the software indicated ...

Thanks

Painkiller
No, you do neither.

Websense sits on a server within your network (can be in different subnets or even Internet). Your firewall, which is your gateway typically, intercepts every request and before it allows the request to go through, it checks with the Websense server. If the Websense server decides to deny, no traffic will go through.

If  you need to know more about the setup, please leave an email address or something that i can contact you.
You can use the Trustware Antimalware product with the BufferZone, which will prevent anything not in your policy from running on the machine. It has central management, and you can create policies per user and allow or prevent running software. Please be aware that the BufferZone tech allows you to let users run programs without damaging the Windows system by creating a virtual world for these programmes, so that they will be able to run, however without any possibility to affect any info or system attributes.

Painkiller
Actually netminder, the comments after the question was "closed" helped me find a resolution to a question I have had for a while. It saved me from posting this same question again.

I suspect with the advent of sites such as Meebo and the propensity of messenger and others to propagate over 80 - that we're fighting a losing battle here.
But Meebo can be blocked on a domain by modifying your local DNS server - add meebo.com as a forward lookup zone and they will be redirected to the default site on your domain.