Solved

How do I block aol, yahoo, msn from being accessed from my network?

Posted on 2004-07-31
Last Modified: 2008-05-29
I have a client who is having a problem with her employees not doing enough work.  They are constantly on aol, yahoo, or msn.  How do I block them from accessing those programs/websites?  She also wants to see if there is a program to see what they are doing on their computer.  She said she can run a report telling her what her employees are accessing.  Is there a program that acts like big brother but she doesn't want her employees to find out.  
She is running XP Pro on 5 machines.  Server is Windows 2000 SP4
0
Question by:modriven
13 Comments
 

Expert Comment

by:steveoh
ID: 11685562

You didn't specify how you connect to the internet, but more than likely you have some sort of routing device that is sharing your internet connection. To block these apps from working you need to close the ports they communicate over.  Find out what ports you need to block (for example AOL Instant Messenger is port 5190) and configure your router's firewall settings to block those ports.

Good Luck!
0
 
LVL 1

Expert Comment

by:jarjarbinx1979
ID: 11685613
The easiest way of doing this (I had to do this)...is to get a product like ANS (Active Net Steward). This is a firewall and surfcontrol software where it can block applications. This is useful as it can be controlled centrally by an administrator.

See link http://www.securitydesigners.com

You can also use applications like McAfee Internet Suite installed on the workstation, but they can't be centrally controlled.

Just blocking ports is not always the solution as users can use iqc's and configure the port to the proxy or internet port that you have set!!

Hope this helps.

JJB
0
 
LVL 4

Expert Comment

by:net_sec_guru
ID: 11686229
From a previous EE posting:
http://www.experts-exchange.com/Security/Q_20968914.html

========================

Seeming all of these will tunnel through port 80 if all other ports are blocked, blocking port 80 isn't going to do much good, as you'll stop web browsing for everybody else....  
You need to block access to the AOL, MSN and Yahoo IP addresses directly.

from: http://infosecuritymag.techtarget.com/articles/february01/cover.shtml

Preventing IM traffic from leaving the network is also difficult. Like Napster, the major IM clients will work quite hard to find a port to exit your LAN, using HTTP if they have to. AIM needs to connect to the host login.oscar.aol.com in order to start up, so blocking traffic to this destination will effectively shut it down. However, at press time, the name login.oscar.aol.com points to the following IP addresses, according to a DNS lookup:

205.188.7.172
205.188.7.176
205.188.7.164
205.188.7.168

You'll need to block all of these and check for any new servers on a regular basis. Yahoo! Messenger can be blocked in a similar way, by killing off outbound access to the hosts answering to the following names:

msg.edit.yahoo.com
edit.messenger.yahoo.com
csa.yahoo.com
csb.yahoo.com
csc.yahoo.com

Each of the above names resolves out to multiple IP addresses-and, of course, Yahoo! can add new addresses at any time, making it an ongoing battle.

MSN Messenger can be blocked by blocking IP access to the Hotmail network range-64.4.0.0 through 64.4.63.255. Interestingly, this does not seem to totally block access to Hotmail's Web-based mail service.

========================


0
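The quoted article says the address lists have to be re-checked regularly. The following added example (not part of the original post or the article) shows one way to do that check; the resolver is injectable, and the DNS answers in `SAMPLE_DNS` are constructed so it runs offline.

```python
import ipaddress
import socket

# Hostnames and the Hotmail range are the ones quoted in the post above.
IM_HOSTS = ["login.oscar.aol.com", "msg.edit.yahoo.com",
            "edit.messenger.yahoo.com", "csa.yahoo.com",
            "csb.yahoo.com", "csc.yahoo.com"]
HOTMAIL_RANGE = ("64.4.0.0", "64.4.63.255")

def resolve_live(host):
    """Return every IPv4 address the host resolves to right now."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def range_to_cidrs(first, last):
    """Collapse an inclusive address range into the fewest CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))

def refresh_blocklist(deployed, hosts=IM_HOSTS, resolver=resolve_live):
    """Return (to_add, stale): addresses to start blocking, and blocked
    addresses that no host resolves to any more (review before removing)."""
    static_nets = range_to_cidrs(*HOTMAIL_RANGE)
    seen = set()
    for host in hosts:
        seen |= set(resolver(host))
    # An address inside the statically blocked range needs no extra rule.
    seen = {a for a in seen
            if not any(ipaddress.IPv4Address(a) in net for net in static_nets)}
    deployed = set(deployed)
    by_value = ipaddress.IPv4Address  # numeric order, not string order
    return (sorted(seen - deployed, key=by_value),
            sorted(deployed - seen, key=by_value))

# Constructed DNS answers so the example runs offline. 192.0.2.x is a
# documentation range standing in for servers added since the last check;
# 64.4.12.5 is a made-up answer that falls inside the static range.
SAMPLE_DNS = {
    "login.oscar.aol.com": {"205.188.7.172", "205.188.7.176", "192.0.2.10"},
    "csa.yahoo.com": {"192.0.2.20", "64.4.12.5"},
}
DEPLOYED = ["205.188.7.172", "205.188.7.176", "205.188.7.164", "205.188.7.168"]
```

Run `refresh_blocklist(DEPLOYED)` on a schedule against live DNS and feed `to_add` into whatever firewall the site uses; the Hotmail range collapses to a single `/18` rule.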
 
LVL 2

Expert Comment

by:MaxterJF
ID: 11686934
Well... for accessing those web pages he could simply modify the c:\windows\system32\drivers\etc\hosts file typing like
# hosts format: address first, then the hostname
0.0.0.0          msg.edit.yahoo.com
0.0.0.0          edit.messenger.yahoo.com
0.0.0.0          csa.yahoo.com
0.0.0.0          csb.yahoo.com
0.0.0.0          csc.yahoo.com

and stuff like that... no?

But if you want real access restrictions and stuff like that, you should buy a firewall.  I know that Norton Internet Security can restrict access to some sites.  Is it easy to manage... no idea.
0
 
LVL 1

Expert Comment

by:evil-tech
ID: 11687289
I would recommend WinGate (corporate proxy). I'm using it for almost a year now and I'm very happy with it.

Recently I wrote an app which looks for window captions and terminates the application. You need to feed it with keywords like "yahoo", though.
0
 
LVL 4

Expert Comment

by:ashishdaga
ID: 11687632
Something of interest:

http://blockyahoo.port5.com/
0

 

Expert Comment

by:DANNiED
ID: 11696786
Honestly, since Yahoo and AOL/AIM offer "in browser" buddy lists, it's very hard to block the use of the control module in the browser. For instance, you go to each computer, uninstall Yahoo Messenger and AOL's AIM and even MSN, and then set all their user rights to not allow install of programs/applications; once they find out this won't work they will just use the "in browser" version. Now, as "steveoh" stated, to actually prevent them from using it at all you will need to block the port, the IP address, host name, whatever. What we do at our organization is block all users from any kind of internet signal with our firewall and then assign users who actually need the internet for productivity a static IP address. Then for your look-in tool you can use a freeware called VNC or Remote Desktop within XP. Good luck locking down those users. Oh, by the way, they're gonna hate you for it, but someone has to do the job!
0
 

Expert Comment

by:dllexport
ID: 11696919
Most of these IM programs can connect to their servers on an arbitrary port, so blocking ports isn't going to help. MSN can connect via HTTP as well (I'm sure others can as well). An easy way that doesn't require installing things on every workstation is to run a proxy server. Then you can block outgoing connections to all ports for everybody except the proxy server, and configure the proxy to disallow access to the IM login servers.
0
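Once all web traffic is forced through a proxy as described above, its access log shows which workstations still try to reach the IM login servers, including attempts tunnelled over HTTP. This is an added example, not code from the thread: it assumes a proxy that writes Squid's native access.log format (no proxy product is named in the post), and the log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Login hosts named earlier in this thread. Matching is done on the hostname
# the proxy logged, so the destination port the client picked does not matter.
IM_LOGIN_HOSTS = {
    "login.oscar.aol.com", "msg.edit.yahoo.com", "edit.messenger.yahoo.com",
    "csa.yahoo.com", "csb.yahoo.com", "csc.yahoo.com",
}

# Squid native log: time elapsed client result/status bytes method URL ...
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+"
    r"(?P<result>\S+)/(?P<status>\d{3})\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")

def host_of(method, url):
    """CONNECT lines log host:port; other methods log a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def im_attempts(lines):
    """Count requests per (client, IM host, proxy result code)."""
    hits = Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # blank or malformed line
        host = host_of(m["method"], m["url"])
        if host in IM_LOGIN_HOSTS:
            hits[(m["client"], host, m["result"])] += 1
    return hits

# Constructed sample log (addresses and paths are made up for the example).
SAMPLE_LOG = """
1091270400.123     45 192.168.1.21 TCP_MISS/200 1532 GET http://www.example.com/ - DIRECT/192.0.2.80 text/html
1091270405.500      3 192.168.1.22 TCP_DENIED/403 1120 CONNECT login.oscar.aol.com:443 - NONE/- text/html
1091270410.000     80 192.168.1.23 TCP_MISS/200 640 POST http://msg.edit.yahoo.com/config/login - DIRECT/192.0.2.90 text/plain
1091270415.000      2 192.168.1.22 TCP_DENIED/403 1120 CONNECT login.oscar.aol.com:443 - NONE/- text/html
this line is not a log record
"""

def report(lines):
    """Return sorted (client, host, result, count) rows for a report."""
    return sorted((c, h, r, n) for (c, h, r), n in im_attempts(lines).items())
```

A `TCP_MISS` row for one of these hosts means the request was allowed through, which points at a gap in the proxy's deny list rather than at the user.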
 
LVL 1

Accepted Solution

by:
jeremytse19 earned 125 total points
ID: 11698930
hi modriven,

from a previous question i answered:
http://www.experts-exchange.com/Operating_Systems/Win2000/Q_21053930.html

Again I can't vouch for the software, as I have never used it.

-------------------
Hi Ridek,

The link that I sent you actually talks about blocking the ports / servers that are used to chat. Having said that, the user can simply use another chat program / server / port. So it will require maintenance on your part as servers / ports become usable for messengers. (eg. HTTP wasn't able to be used before .. but now it is).

Another user suggested for XP " run secpol.msc, go to software restriction policies, additional rules, add rules that block ypager.exe (for Yahoo), do the same for other programs like ICQ and so on. Uninstall the program. Even after reinstalled, it will not run.".

However, if the user is smart enough, they can either rename the program, or use other software (such as Miranda or Trillian).

I'm not sure why yahoo and msn are excluded when you disable installs.

If you can't find out why, maybe you might want to consider this or something similar?
I can't vouch for it as I have never used it.

http://www.shareup.com/spyware/chatblocker.html

this also might be of interest ...
http://www.experts-exchange.com/Operating_Systems/Win2000/Q_21016380.html

hope any of this helps in you finding a solution.

http://www.shareup.com/spyware/chatblocker.html
0
 
LVL 3

Expert Comment

by:Mike R.
ID: 11699909
There are many programs which monitor program access and system usage.  Do some searches on the net to find the best ones.  Altiris, and even Microsoft SMS work well.

A firewall is what is necessary to prevent ports from being used, but AOL allows savvy users to change their connection port, even to use ones like 110, 21 and 23 (outgoing mail, incoming mail and telnet.)

The best course of action is a business policy.  Unless the employees are too many, or too daring, simply state that having AOL on the system is a terminatable offense.  Sucks to have to resort to any of the above, but one does what one must.

M
0
 
LVL 2

Expert Comment

by:MaxterJF
ID: 11731693
I believe routers with integrated firewalls could be something good.  Moreover, I'd have Win2K or WinXP installed on every PC with restrictions applied to every user.  So the only one that could install software would be the Admin, and for the rest, they would need to ask the admin to install anything.   For sites that don't need installation, you block them in the firewall of the router so it's like invisible to the users.

Jean-Francois Trepanier
Computer technician, Programmer, Network Admin
BCE Emergis
0
 

Expert Comment

by:pimprich
ID: 11957999
Symantec has web filtering software that can filter out URLs and file types that you may specify. It also enables a proxy that all users must route through in order to get to the web, so the users must log in to access the internet. It disconnects the LAN option to disable proxy routing in IE. It works with Active Directory so you may put users that you want to monitor in a specific OU. You can process timely reports to track users' web surfing history. Check it out!

http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=60
0
 
LVL 9

Expert Comment

by:Derek Schauland
ID: 11980324
I have found one of the easiest methods for containing IM clients is to create a DNS entry on your network for each service's authentication server.  For example, if AOL IM uses login.aim.com as its authentication server you could set up a record in your DNS server named login.aim.com and point it to a local IP address.

This will not allow the IM client to authenticate as it will not be able to find an actual IM server at 192.168.1.2 or whatever local IP address you have entered.

Keep in mind though that this will cause an IM outage for all who use that particular DNS server, but to eliminate a particular IM client at your company this should do the trick.
0
