Solved

Block MSN on Windows NT 4.0 server and Windows 98 clients

Posted on 2003-12-02
Last Modified: 2013-12-23
Hi,

I work in a school.

We have a Windows NT 4.0 server, Microsoft Proxy 2.0, IIS 4.0.

And we have several clients on Windows 98 SE.

What I want to do is to block students installing and using MSN for messages and chat... while they are supposed to be working!!!

I have been very surprised to learn that MSN works on the win98 computers since I have not installed the Winsock Proxy Client...

I would like to block MSN with the software I already have... if possible...

Is there a group of IP addresses I can block in the server's proxy???

Thank You

Yan Bergeron
Montréal, Québec
0
Question by:yanbergeron24
12 Comments
 
LVL 18

Expert Comment

by:JConchie
If, on your router or firewall, you block ports 135 thru 139, that should do the trick for Messenger.  Also just going into services on the workstations and setting the messenger service to "disabled"
0
 

Author Comment

by:yanbergeron24
Hmmm...

I have found that if I deny the address 65.54.226.254 (Loginnet.passport.com) in the "Permission" shared service of Microsoft Proxy 2.0... students are unable to connect to MSN... great!!!

But teachers cannot access Hotmail.com via Internet Explorer either...

Hmm... a lot of teachers here use hotmail...

Is there a way to just block MSN???
0
 
LVL 18

Expert Comment

by:JConchie
If you just want to block MSN IM, disable the messenger service.
0
 

Author Comment

by:yanbergeron24
JConchie,

There is no firewall or router here...

There is one firewall at the schoolboard, for the 55 schools, but I would have liked to block MSN by myself, at the school... if possible...

If eventually the schoolboard blocked the ports 135 thru 139... would it affect anything other than MSN???

> If you just want to block MSN IM, disable the messenger service.

Where??? On each client computer??? (Win98)

If so, the students will uninstall MSN, and reinstall... and I suppose it will work again...

Thank You

Yan

 
0
 
LVL 18

Expert Comment

by:JConchie
Yes, on each client computer..........and if you don't give them local admin rights, they cannot change the service back to automatic........and they also will not be able to uninstall or install apps
0
 

Author Comment

by:yanbergeron24
JConchie, I think you're talking about Win XP clients...

I have only Win98 clients... and there are no local admin rights on that OS... I think???

Except with poledit... But even with poledit installed and all the restrictions applied... they can still install software...

Yan
0
 
LVL 18

Expert Comment

by:JConchie
Sorry, didn't realize you had Win98 clients........not reading very well this morning!! :-)
But since you do, this Technet article is just the thing for you!  Have a look at
"Protecting Users from Themselves" at:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/win98/tips/protuser.asp
0
 
LVL 37

Accepted Solution

by:
Bing CISM / CISSP earned 500 total points
ok, yanbergeron24, let's do what you want. at first, we should analyse how msn messenger works, then give the right way for you.

msn messenger 6 changed a lot on passing through firewalls for its text chatting and file transfer, so it is hard to block the outbound msn traffic because it can use an http proxy (port 80) to forward its communications (chat, even file transfer). here are the ports it uses:

for logging on: it uses port 1863 and 443 or port 80 and 443 (all TCP, all outgoing).
for basic IM: it uses port 1863 or 80 (all TCP).
for webcam: it uses port 9000 or 80.
for audio/video conference: it uses ports 5004 through 65535 UDP.

you can see, almost all kinds of its communication can pass over port 80, which is widely used by web browsing. that is sad news for network admins.

so here is the solution for you:

1. enable all kinds of outbound traffic after enabling full logging for days, that means you allow all msn messengers to work well, then check the log to determine which hosts msn messenger talks with, and record them in your bad-host-list.
2. disable all the outbound traffic listed above except port 80 (unless you want to disable web browsing entirely. :-))
3. disable all the outbound traffic to those specific hosts in your bad-host-list.
4. as for those udp ports for a/v conference, forget them since they will not work before msn messenger logs on. logging on has been disabled at steps 2 and 3.
5. keep checking the log for days, to determine if your policy works well and if there are other back-doors there for msn messenger, hehe... :))

btw, regularly checking the log is a good habit for net admins.

hope it helps,
bbao
0
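The log review in steps 1 and 3 of the accepted answer, sketched as an added example that is not part of the original thread: it separates hosts that only Messenger contacts from hosts that browsers also use, which is the distinction that decides whether a deny rule breaks Hotmail. The log format, the agent labels and the host `messenger.example.test` are constructed assumptions, not Microsoft Proxy 2.0 output.

```python
from collections import defaultdict

# Constructed sample log (not real Microsoft Proxy 2.0 output). Assumed fields:
# client_ip  client_agent  dest_host  dest_port
SAMPLE_LOG = """\
10.0.0.21 messenger-client loginnet.passport.com 443
10.0.0.21 messenger-client gateway.messenger.hotmail.com 80
10.0.0.34 browser loginnet.passport.com 443
10.0.0.34 browser www.hotmail.com 80
10.0.0.22 messenger-client gateway.messenger.hotmail.com 80
10.0.0.22 messenger-client messenger.example.test 1863
this line is malformed
"""

MESSENGER_PORTS = {1863}                 # IM port named in the answer
MESSENGER_AGENTS = {"messenger-client"}  # assumption: label taken from your own logs


def classify_hosts(log_text):
    """Return (block_candidates, shared_hosts) from proxy log text.

    block_candidates: hosts contacted only by Messenger traffic.
    shared_hosts: hosts Messenger uses that browsers also use; denying
    them would break web access (the Hotmail side effect in the thread).
    """
    messenger_hits = defaultdict(int)
    other_hits = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed lines rather than guessing
        _client, agent, host, port = parts
        host = host.lower()
        if agent in MESSENGER_AGENTS or int(port) in MESSENGER_PORTS:
            messenger_hits[host] += 1
        else:
            other_hits[host] += 1
    block = sorted(h for h in messenger_hits if h not in other_hits)
    shared = sorted(h for h in messenger_hits if h in other_hits)
    return block, shared


if __name__ == "__main__":
    block, shared = classify_hosts(SAMPLE_LOG)
    print("deny in proxy:", block)
    print("review first (also used by browsers):", shared)
```

Hosts in the second list need a decision rather than an automatic deny, since blocking them also cuts off the browser traffic that shares them.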
 
LVL 1

Expert Comment

by:todoservices
bbao hit the nail on the head
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
todoservices, thanks for your comment. i think it will be a FAQ later since msn 6 has really caused some admins to worry a lot, so i did a study on it last month.
0
 

Author Comment

by:yanbergeron24
Finally, I have been able to block MSN and let Hotmail work.

as you said... bbao... I studied logs and I found that blocking 207.46.104.20 (gateway.messenger.hotmail.com) blocks MSN and not Hotmail...

Great

Thank you all

Yan
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
congratulations and thanks for your grade A points! :-))

cheers,
bbao
0
