Blocking AIM/YIM/MSN/ICQ & Trillian

Posted on 2004-08-11
Last Modified: 2012-08-14
OK, I am managing a win2k network with about 25 clients (XP & 2000) connected to the internet via a nexland 800 proturbo router.  I would like to block as much IM traffic as I can.  Currently I have most of the login servers for IM redirected on my DNS server to 127.0.0.1, and this seems to work well for blocking a lot of the clients.  Unfortunately Trillian just navigates around this somehow; does anyone have an idea of how to block this w/o installing additional software or changing user rights?

Thanks, E
Question by:EWilson12

Expert Comment by vand:
If your users are using the Exchange IM client (which looks similar to, but is implemented differently from, the standard Windows Messenger and MSN Messenger), see the Microsoft article "XFOR: How to Configure Instant Messaging Client System Policy Settings" (http://support.microsoft.com/?kbid=264472). In particular, you can configure the Exchange IM client to connect to Exchange servers only by setting the ExchangeConn registry value of data type REG_DWORD to 2 under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\Policies registry subkey. The best way to apply this setting is to use an Active Directory (AD) group policy.
If your users are using the Windows Messenger client with plugins that allow Exchange access, you'll have to create a group policy to add two new registry values to the HKEY_CURRENT_USER\Software\Policies\Microsoft\Messenger\Client registry subkey. Both values are named Disabled, are of data type REG_DWORD, and should be set to 1. To turn off the Microsoft .NET Messenger Service plugin, add a value named Disabled to the {9b017612-c9f1-11d2-8d9f-0000f875c541} registry subkey; to turn off the Communications Services plugin, add a value named Disabled to the {83D4679F-B6D7-11D2-BF36-00C04FB90A03} registry subkey.
If you simply want to block the IM traffic, block all TCP port 1863 access to any host in the msgr.hotmail.com domain. To turn off IM and chats only, block UDP ports 13324 and 13325.

Accepted Solution by vand (earned 500 total points):
You could also set a group policy to prevent the exe from launching:

5495 » How do I restrict users from running specific Windows programs in Windows 2000?



Microsoft Knowledge Base article Q323525 contains:

IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure that you understand how to restore it if a problem occurs. For information about how to do this, see the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.

IN THIS TASK
    SUMMARY
    Method 1: How to Restrict Users from Running Specific Windows Programs by Using Group Policy
        Edit the Local Policy on a Windows 2000-Based Computer
        Edit the Group Policy in a Domain
    Method 2: How to Restrict Users from Running Specific Windows Programs by Editing the Registry
    Troubleshooting
    REFERENCES

SUMMARY
This step-by-step article describes two methods that you can use to restrict users from running specific Windows programs on a Windows 2000-based computer. You can restrict users from running specific programs by either using Group Policy or editing the Windows registry.

Method 1: How to Restrict Users from Running Specific Windows Programs by Using Group Policy
To use Group Policy Object Editor to restrict users from running specific Windows programs, use the procedure that is described in the section that is appropriate to your situation.

Editing the Local Policy on a Windows 2000-Based Computer
To restrict users from running specific Windows programs on a standalone Windows 2000-based computer:
1. Click Start, and then click Run.
2. In the Open box, type gpedit.msc, and then click OK.
3. Expand User Configuration, expand Administrative Templates, and then expand System.
4. In the right pane, double-click Don't run specified Windows applications.
5. Click Enabled, and then click Show.
6. Click Add, and then type the executable file name of the program that you want to restrict users from running. For example, type iexplore.exe.
7. Click OK, click OK, and then click OK.
   NOTE: If domain-level policy settings are defined, they may override this local policy setting.
8. Quit Group Policy Object Editor.
9. Restart the computer.

Editing the Group Policy in a Domain
To edit a domain-wide policy to restrict users from running specific Windows programs:
1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Right-click your domain, and then click Properties.
3. Click the Group Policy tab.
4. In the Group Policy Object Links box, click the group policy to which you want to apply this setting. For example, click Default Domain Policy.
5. Click Edit.
6. Expand User Configuration, expand Administrative Templates, and then expand System.
7. In the right pane, double-click Don't run specified Windows applications.
8. Click Enabled, and then click Show.
9. Click Add, and then type the executable file name of the program that you want to restrict users from running. For example, type iexplore.exe.
10. Click OK, click OK, and then click OK.
11. Quit Group Policy Object Editor, and then click OK.
    NOTE: Group Policy changes are not immediately enforced. For more information, see the Troubleshooting section.

Method 2: How to Restrict Users from Running Specific Windows Programs by Editing the Registry
WARNING: Using Registry Editor incorrectly can cause serious problems that may require that you reinstall your operating system. Microsoft cannot guarantee that problems that result from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, see the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Microsoft recommends that you back up the registry before you edit it. If you are running Windows NT or Windows 2000, Microsoft also recommends that you update your Emergency Repair Disk (ERD).

To restrict users from running specific Windows programs by editing the registry, follow these steps:
1. Click Start, and then click Run.
2. In the Open box, type regedit, and then click OK.
3. Create a DWORD value named DisallowRun. To do so:
   a. Locate and then click the following registry key:
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
   b. On the Edit menu, point to New, and then click DWORD Value.
   c. Type disallowrun, and then press ENTER.
   d. Double-click the DisallowRun value that you created in the previous step.
   e. Type 1 in the Value data box, and then click OK.
4. Create a new HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun subkey. To do so:
   a. Right-click the following registry key, point to New, and then click Key:
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
   b. Type disallowrun, and then press ENTER.
5. For each program that you want to prevent users from running, create a new string value in the DisallowRun subkey that you created in step 4. Use consecutive numbers to name the string values (starting with 1), and use the executable file name for the program as the data for the string value.
   For example, if you want to restrict users from running Microsoft Internet Explorer:
   a. Right-click the following registry key, point to New, and then click String Value:
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
   b. Type 1, and then press ENTER.
   c. Double-click the 1 value that you created in the previous step.
   d. Type iexplore.exe in the Value data box, and then click OK.
6. Quit Registry Editor, and then restart the computer.

Troubleshooting
Group Policy background processing can take up to 5 minutes to be refreshed on domain controllers and up to 120 minutes to be refreshed on client computers. To force background processing of Group Policy settings, use the Secedit.exe tool:
1. Click Start, and then click Run.
2. In the Open box, type cmd, and then click OK.
3. Type secedit /refreshpolicy user_policy /enforce, and then press ENTER.
4. Type secedit /refreshpolicy machine_policy /enforce, and then press ENTER.
5. Type exit, and then press ENTER to quit the command prompt.

REFERENCES
For additional information about using Secedit, click the article number below to view the article in the Microsoft Knowledge Base:

Q227302 Using Secedit to Force a Group Policy Refresh Immediately

For additional information about Group Policy, visit the following Microsoft Web site:
http://www.microsoft.com/TechNet/prodtechnol/windows2000serv/deploy/walkthru/seconfig.asp





       
 
 



Expert Comment by ahoffmann:
> .. does anyone have an idea of how to block this w/o installing additional software or changing user rights?
no software, no other rights, no change. Except you pull the internet wire ;-)

If you don't want to change the clients, neither software nor any permissions, then you need a sophisticated application level firewall.. Are you prepared for $$$$$?

Author Comment by EWilson12:
Actually the suggestion from Vand sounds promising and I will test it tomorrow.  I don't want to install software because it can be costly and would add to the support load.  I have 1 piece of critical network software that requires the users to have local machine admin rights, and that was what I was referring to when I said I didn't want to change user rights.

Thanks, E

Expert Comment by ahoffmann:
> .. users to have local machine admin rights ..
then simply forget about any solution to stop a user to modify his/her client to do anything you don't want, impossible.

Author Comment by EWilson12:
modifying the Active Directory Group Policy should work though.

Expert Comment by ahoffmann:
> > users to have local machine admin rights ..
what should AD help there?

Author Comment by EWilson12:
Using the disallowrun registry edit in the group policy should work even if they have local machine rights.

Expert Comment by vand:
You are correct EWilson12, in fact, I commonly will allow the domain users group admin access to the local machine, and restrict them through the domain.  This prevents 5000 daily calls for trivial rights issues, while still allowing you to lock down the workstation.

Leave the authenticated and everyone group in the local users group to prevent users from logging in locally to try to damage their local machine, if they are inclined to do so.

Expert Comment by ahoffmann:
> users to have local machine admin rights ..
and
> .. group to prevent users from logging in locally
how should this work?
Either a person (I mean the human, not an electronic user) knows the local admin password, or not. And if the password is known, and this admin (the account) can login locally, then domain policies never apply. Dot.
Author Comment by EWilson12:
No one logs on locally; if they did they wouldn't have access to any of our business specific productivity apps on the network.  So if, to get around my IM block, they decided to log on locally for a few hours every day, it means that they absolutely wouldn't be getting any work done whatsoever and would be pitched out the door in short order.

Thanks, E

Expert Comment by vand:
You are correct ahoffmann.  My statement made 2 assumptions:
1. The pcs were not always in a domain and therefore had local user accounts.
2. They are using some other known local account or shady method to gain access

What I was stating is the fact that if a user somehow did gain local access by some means other than authenticating to the domain, they would be regulated to very restrictive "local user" rights.

Let's take a look at what I'm suggesting:

"You are correct EWilson12, in fact, I commonly will allow the domain users group admin access to the local machine, and restrict them through the domain."  < Here I have told the PC that anyone who successfully logs in with a Domain user account and password has admin rights to the PC, except for whatever restrictive policy I have applied via group policy.

"This prevents 5000 daily calls for trivial rights issues, while still allowing you to lock down the workstation.

Leave the authenticated and everyone group in the local users group to prevent users from logging in locally to try to damage their local machine, if they are inclined to do so."  < Here I have modified the default local groups to regulate anyone who is not an authenticated Domain user to only have Local user privileges.

Hope that clears it up

Expert Comment by ahoffmann:
>  No one logs on locally, ..
in theory. But in practice they can, and hence circumvent any policy.
So if firing them is an option, you're fine. :-)) Aren't you?

Expert Comment by Tim Holman:
The only free, effective way, is to set up network monitoring (or look at firewall logs) and ensure that any traffic destined to IM servers is blocked.  Eventually you'll get a list of about 40-50 IM servers, that you just block with a firewall rule, and the problem will go away.

Redirecting DNS doesn't really help - users can circumvent by hard coding IM server IP addresses into applications.



Expert Comment by ahoffmann:
aah, sounds like my very first comment http:#11777644 gets into mind, slowly .. ;-)
and no, a (traditional network, aka packetfilter) firewall itself *cannot* block all IM traffic

Expert Comment by vand:
I disagree, if you block the exe from executing, IM cannot run.

You can use group policy editor to block access to MSN/Windows Messenger by setting a policy and enforcing for the required groups.

Expert Comment by vand:
This thread is getting off track, EWilson12 please try applying the policy and let me know what happens. If you need help on how or what policies to apply, just post here again. I will respond to any questions you have.

Author Comment by EWilson12:
Vand, your solution is awesome!!!! but... there is 1 huge loophole in it:

Users can rename the exe and run it that way ;(

Fortunately your advice is now leading me down a similar road.  I am seriously considering using an allowed programs list for even tighter security; this should eliminate a ton of spyware type progs in addition to time waster progs from running.  As far as the user logging on locally to run crap, I may change it so that they must validate to the domain to access the internet; this in combination with an allowed programs list would make our environment far more secure for very little effort and no hard $ costs.  Of course I would bet money that if a user renamed a program so that it matched one on the allowed programs list it would still run.

Thanks for the help, E

Expert Comment by Tim Holman:
> Users can rename the exe and run it that way ;(

Not if whatever program you use to control exe access uses signature-based checking...

For example, Websense CAM has a database of program signatures, so knows what they are by looking at file headers, rather than program names.  This means users can rename programs, but still, they won't be able to run.

There are other ways of doing this too - it's a pretty well-researched subject and there are a lot of products out there that can help.
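A small contrast between the two kinds of check discussed in the last few comments, added here as an example that is not code from the thread or from Websense CAM: a name-based list (the match DisallowRun performs) against a SHA-256 content list. The two stand-in files and the temp folder are constructed for the demonstration.

```powershell
# Added example, not from the thread or any product it names: compares a
# name-based allow list with a SHA-256 content allow list on constructed files.
function New-HashAllowList {
    param([Parameter(Mandatory=$true)][string[]]$TrustedPaths)
    # Hash of each trusted file's bytes; the file name plays no part.
    return @($TrustedPaths | ForEach-Object { (Get-FileHash -Path $_ -Algorithm SHA256).Hash })
}

function Test-AllowedByName {
    param([string]$Path, [string[]]$AllowedNames)
    # Only the leaf name is compared, so any file given an allowed name passes.
    return ($AllowedNames -contains (Split-Path -Path $Path -Leaf))
}

function Test-AllowedByHash {
    param([string]$Path, [string[]]$AllowList)
    # The name is ignored; the hash of the file's bytes must be on the list.
    return ($AllowList -contains (Get-FileHash -Path $Path -Algorithm SHA256).Hash)
}

# Constructed stand-ins for binaries: one approved, one not, in a temp folder
# that this script creates (together with a second folder for the imposter).
$dir         = Join-Path ([System.IO.Path]::GetTempPath()) 'allowlist-demo'
$imposterDir = Join-Path $dir 'elsewhere'
New-Item -ItemType Directory -Path $imposterDir -Force | Out-Null
$approved = Join-Path $dir 'approved.exe'
$other    = Join-Path $dir 'other.exe'
Set-Content -Path $approved -Value 'approved program bytes'   -NoNewline
Set-Content -Path $other    -Value 'some other program bytes' -NoNewline

$byName = @('approved.exe')
$byHash = New-HashAllowList -TrustedPaths @($approved)

# Case 1: the unapproved file is copied under the approved name.
$imposter = Join-Path $imposterDir 'approved.exe'
Copy-Item -Path $other -Destination $imposter -Force
# Case 2: the approved file is copied under a different name.
$renamed = Join-Path $dir 'renamed.exe'
Copy-Item -Path $approved -Destination $renamed -Force

foreach ($f in @($imposter, $renamed)) {
    [pscustomobject]@{
        File   = $f
        ByName = Test-AllowedByName -Path $f -AllowedNames $byName
        ByHash = Test-AllowedByHash -Path $f -AllowList $byHash
    }
}
```

The imposter passes the name check and fails the hash check, while the renamed copy of the approved file fails the name check and passes the hash check, which is the property a signature-based control needs and a name-based one lacks.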

Expert Comment by jibranilyas:
interesting topic.. i got some tips from it..