Block MSN on Windows NT 4.0 server and Windows 98 clients

Hi,

I work in a school.

We have a Windows NT 4.0 server, Microsoft Proxy 2.0, IIS 4.0

And we have several clients on Windows 98 SE

What I want to do is to block students installing and using MSN for messages and chat... while they are supposed to be working!!!

I have been very surprised to learn that MSN works on the win98 computers since I have not installed the Winsock Proxy Client...

I would like to block MSN with the software I already have... if possible...

Is there a group of IP addresses I can block in the server's proxy???

Thank You

Yan Bergeron
Montréal, Québec
yanbergeron24 Asked:
 
bbao (IT Consultant) Commented:
ok, yanbergeron24, let's do what you want. at first, we should analyse how msn messenger works, then give a right way for you.

msn messenger 6 changed a lot on passing through firewalls for its text chatting and file transfer, so it is hard to block the outbound msn traffic because it can use an http proxy (port 80) to forward its communications (chat, even file transfer). here are the ports it uses:

for logging on: it uses port 1863 and 443 or port 80 and 443 (all TCP, all outgoing).
for basic IM: it uses port 1863 or 80 (all TCP).
for webcam: it uses port 9000 or 80.
for audio/video conference: it uses ports 5004 through 65535 UDP.

you can see, almost all kinds of its communication can pass over port 80, which is widely used by web browsing; that is sad news for network admins.

so here is the solution for you:

1. enable all kinds of outbound traffic after enabling full logging for days; that means you allow all msn messengers to work well, then check the log to determine which hosts msn messenger talks with, and record them in your bad-host-list.
2. disable all the outbound traffic listed above except port 80 (unless you want to disable web browsing altogether. :-))
3. disable all the outbound traffic to those specific hosts in your bad-host-list.
4. as for those udp ports for a/v conference, forget them since they will not work before msn messenger logs on. logging on has been disabled at steps 2 and 3.
5. keep checking the log for days, to determine if your policy works well and whether there are other back-doors for msn messengers, hehe... :))

btw, checking the log regularly is a good habit for net admins.

hope it helps,
bbao
0
 
JConchie Commented:
If, on your router or firewall, you block ports 135 thru 139, that should do the trick for Messenger.  Also just going into services on the workstations and setting the messenger service to "disabled"
0
 
yanbergeron24 (Author) Commented:
Hmmm...

I have found that if I deny the address 65.54.226.254 (Loginnet.passport.com) in the "Permission" shared service of Microsoft Proxy 2.0... students are unable to connect to MSN... great!!!

But teachers cannot access Hotmail.com via Internet Explorer either...

Hmm... a lot of teachers here use hotmail...

Is there a way to just block MSN???
0

 
JConchie Commented:
If you just want to block MSN IM, disable the messenger service.
0
 
yanbergeron24 (Author) Commented:
JConchie,

There is no firewall or router here...

There is one firewall at the schoolboard, for the 55 schools, but I would have liked to block MSN by myself, at the school... if possible...

If eventually the schoolboard blocked the ports 135 thru 139... would it affect something other than MSN???

> If you just want to block MSN IM, disable the messenger service.

Where??? On each client computer??? (Win98)

If so, the students will uninstall MSN, and Reinstall... and I suppose it will work again...

Thank You

Yan

 
0
 
JConchie Commented:
Yes, on each client computer..........and if you don't give them local admin rights, they cannot change the service back to automatic........and they also will not be able to uninstall or install apps
0
 
yanbergeron24 (Author) Commented:
JConchie, I think you're talking about Win XP clients...

I have only Win98 clients... and there are no local admin rights on that OS... I think???

Except with poledit... But even with poledit installed and all the restrictions applied... they can still install software...

Yan
0
 
JConchie Commented:
Sorry, didn't realize you had Win98 clients........not reading very well this morning!! :-)
But since you do, this Technet article is just the thing for you!  Have a look at
"Protecting Users from Themselves" at:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/win98/tips/protuser.asp
0
 
todoservices Commented:
bbao hit the nail on the head
0
 
bbao (IT Consultant) Commented:
todoservices, thanks for your comment. i think it will be a FAQ later since msn 6 has really caused some admins to worry a lot, so i did a study on it last month.
0
 
yanbergeron24 (Author) Commented:
Finally, I have been able to block MSN and let Hotmail work.

as you said... bbao... I studied logs and I found that blocking 207.46.104.20 (gateway.messenger.hotmail.com) blocks MSN and not Hotmail...

Great

Thank you all

Yan
0
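The log review that bbao's steps describe and that led to the result above, as an added example that is not part of the original thread: it separates hosts contacted only by messenger traffic from hosts that browsers also use, which is why denying the Passport login host broke Hotmail while denying the messenger gateway did not. The log layout, the `MESSENGER`/`BROWSER` agent labels, the client addresses and the `example` hosts are constructed assumptions, not the Microsoft Proxy 2.0 log format.

```python
from collections import defaultdict

MESSENGER_PORT = 1863        # IM port named in the thread
IM_AGENTS = {"MESSENGER"}    # constructed agent label (assumption)

# Constructed sample log, one request per line:
#   client_ip agent dest_host dest_port
SAMPLE_LOG = """\
10.0.0.11 MESSENGER loginnet.passport.com 443
10.0.0.11 MESSENGER gateway.messenger.hotmail.com 80
10.0.0.12 MESSENGER gateway.messenger.hotmail.com 80
10.0.0.20 BROWSER loginnet.passport.com 443
10.0.0.20 BROWSER www.hotmail.com 80
10.0.0.12 UNKNOWN messenger.example.net 1863
10.0.0.21 BROWSER www.example.org 80
truncated line 80
"""


def parse_log(text):
    """Return (agent, host, port) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        _client, agent, host, port = parts
        records.append((agent.upper(), host.lower(), int(port)))
    return records


def classify_hosts(records):
    """Split hosts into messenger-only and shared-with-browsing lists."""
    seen = defaultdict(set)
    for agent, host, port in records:
        # Port 1863 counts as messenger traffic whatever the agent says.
        is_im = agent in IM_AGENTS or port == MESSENGER_PORT
        seen[host].add("im" if is_im else "web")
    block = sorted(h for h, kinds in seen.items() if kinds == {"im"})
    shared = sorted(h for h, kinds in seen.items() if kinds == {"im", "web"})
    return block, shared


if __name__ == "__main__":
    block, shared = classify_hosts(parse_log(SAMPLE_LOG))
    print("messenger-only hosts (bad-host-list candidates):", block)
    print("shared with browsing (denying these breaks web use):", shared)
```

Hosts in the second list need a decision rather than a deny rule, because the same login host serves both the messenger client and browser sign-in.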
 
bbao (IT Consultant) Commented:
congratulations and thanks for your grade A points! :-))

cheers,
bbao
0
Question has a verified solution.
