Block MSN on Windows NT 4.0 server and Windows 98 clients

Hi,

I work in a school.

We have a Windows NT 4.0 server, Microsoft Proxy 2.0, IIS 4.0

And we have several clients on Windows 98 SE

What I want to do is to block students installing and using MSN for messages and chat... while they are supposed to be working!!!

I have been very surprised to learn that MSN works on the win98 computers since I have not installed the Winsock Proxy Client...

I would like to block MSN with the software I already have... if possible...

Is there a group of IP addresses I can block in the server's proxy???

Thank You

Yan Bergeron
Montréal, Québec
Asked by yanbergeron24
JConchie Commented:
If, on your router or firewall, you block ports 135 thru 139, that should do the trick for Messenger.  Also just going into services on the workstations and setting the messenger service to "disabled"
yanbergeron24 (Author) Commented:
Hmmm...

I have found that if I deny the address 65.54.226.254 (Loginnet.passport.com) in the "Permission" shared service of Microsoft Proxy 2.0..... students are unable to connect to MSN... great!!!

But teachers cannot access Hotmail.com via Internet Explorer either...

Hmm... a lot of teachers here use hotmail...

Is there a way to just block MSN???
JConchie Commented:
If you just want to block MSN IM, disable the messenger service.
yanbergeron24 (Author) Commented:
JConchie,

There is no firewall or router here...

There is one firewall at the schoolboard, for the 55 schools, but I would have liked to block MSN by myself, at the school... if possible...

If eventually the schoolboard blocked ports 135 thru 139... would it affect anything other than MSN???

> If you just want to block MSN IM, disable the messenger service.

Where??? On each client computer??? (Win98)

If so, the students will uninstall MSN, and reinstall... and I suppose it will work again...

Thank You

Yan

 
JConchie Commented:
Yes, on each client computer..........and if you don't give them local admin rights, they cannot change the service back to automatic........and they also will not be able to uninstall or install apps
yanbergeron24 (Author) Commented:
JConchie, I think you're talking about Win XP clients...

I have only Win98 clients... and there are no local admin rights on that OS... I think???

Except with poledit... But even with poledit installed and all the restrictions applied... they can still install software...

Yan
JConchie Commented:
Sorry, didn't realize you had Win98 clients........not reading very well this morning!! :-)
But since you do, this Technet article is just the thing for you!  Have a look at
"Protecting Users from Themselves" at:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/win98/tips/protuser.asp
bbao (IT Consultant) Commented:
ok, yanbergeron24, let's do what you want. first, we should analyse how msn messenger works, then find the right way for you.

msn messenger 6 changed a lot in how it passes through firewalls for its text chatting and file transfer, so it is hard to block the outbound msn traffic because it can use an http proxy (port 80) to forward its communications (chat and even file transfer). here are the ports it uses:

for logging on: it uses port 1863 and 443 or port 80 and 443 (all TCP, all outgoing).
for basic IM: it uses port 1863 or 80 (all TCP).
for webcam: it uses port 9000 or 80.
for audio/video conference: it uses ports 5004 through 65535 UDP.

as you can see, almost all kinds of its communication can pass over port 80, which is widely used by web browsing. that is sad news for network admins.

so here is the solution for you:

1. enable all kinds of outbound traffic after enabling full logging for days. that means you allow all msn messengers to work well, then check the log to determine which hosts msn messenger talks with, and record them in your bad-host-list.
2. disable all the outbound traffic listed above except port 80 (unless you want to disable web browsing altogether. :-))
3. disable all the outbound traffic to those specific hosts in your bad-host-list.
4. as for those udp ports for a/v conference, forget them, since they will not work before msn messenger logs on. logging on has been disabled at steps 2 and 3.
5. keep checking the log for days, to determine whether your policy works well and whether there are other back-doors for msn messenger, hehe... :))

btw, checking the logs regularly is a good habit for net admins.

hope it helps,
bbao
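
The log review in steps 1 and 3, as an added example that is not part of bbao's post or any Microsoft tool: it builds the bad-host list from traffic of a test machine running Messenger and withholds any host that a browser-only machine also needs, which is how the Passport login host is kept off the list while the Messenger gateway goes on it. The three-column log layout, the client addresses and `messenger.example.test` are constructed assumptions, not Proxy 2.0's real log format.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample log, NOT real Proxy 2.0 output.
# Assumed columns: client_ip, dest_host, dest_port
SAMPLE_LOG = """\
10.0.0.21,loginnet.passport.com,443
10.0.0.21,gateway.messenger.hotmail.com,80
10.0.0.21,gateway.messenger.hotmail.com,80
10.0.0.35,loginnet.passport.com,443
10.0.0.35,www.hotmail.com,80
10.0.0.40,messenger.example.test,1863
truncated line
"""

MESSENGER_PORTS = {1863}  # Messenger-only port from the list above


def parse_log(text):
    """Return (client, host, port) tuples, skipping malformed lines."""
    rows = []
    for rec in csv.reader(StringIO(text)):
        if len(rec) != 3 or not rec[2].strip().isdigit():
            continue
        rows.append((rec[0].strip(), rec[1].strip().lower(), int(rec[2])))
    return rows


def build_block_list(rows, messenger_clients, browser_clients):
    """Split hosts into safe-to-block and shared-with-web-mail."""
    messenger_hits = Counter()
    browser_hosts = set()
    for client, host, port in rows:
        if client in browser_clients:
            browser_hosts.add(host)
        if client in messenger_clients or port in MESSENGER_PORTS:
            messenger_hits[host] += 1
    block = {h: n for h, n in messenger_hits.items() if h not in browser_hosts}
    shared = sorted(h for h in messenger_hits if h in browser_hosts)
    return block, shared


if __name__ == "__main__":
    block, shared = build_block_list(
        parse_log(SAMPLE_LOG), {"10.0.0.21"}, {"10.0.0.35"})
    print("block:", block)
    print("do not block (browser needs them):", shared)
```

Here 10.0.0.21 stands for a test machine used only for Messenger and 10.0.0.35 for one used only to read Hotmail in a browser; hosts in the shared list need a different control than a blanket deny.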
todoservices Commented:
bbao hit the nail on the head
bbao (IT Consultant) Commented:
todoservices, thanks for your comment. i think it will be a FAQ later since msn 6 has really worried some admins a lot, so i did a study on it last month.
yanbergeron24 (Author) Commented:
Finally, I have been able to block MSN and let Hotmail work.

as you said... bbao... I studied logs and I found that blocking 207.46.104.20 (gateway.messenger.hotmail.com) blocks MSN and not Hotmail...

Great

Thank you all

Yan
bbao (IT Consultant) Commented:
congratulations and thanks for your grade A points! :-))

cheers,
bbao