Solved

Group policy to block msn messenger, yahoo, aol, ICQ

Posted on 2004-10-29
Last Modified: 2012-08-13
I want to apply a policy to the entire domain that will not allow these IM clients to run.

I see there is a built-in policy to shut down MSN, but can I edit that policy to include the others or should I create separate policies? How do I do it?
Question by:michaelkirk
8 Comments
 
LVL 18

Expert Comment

by:luv2smile
ID: 12444455
The built-in policy you see is for disabling the built-in Windows Messenger...not the instant messenger program.

You run into several problems with this.

You can use software restriction policies to block these particular programs....but this isn't foolproof. Someone can simply rename the .exe file and then run it. So I guess whether this would work for you would depend on how computer "savvy" your users are.

Also remember that these all have "web" versions and software restriction policies won't stop users from using the web version to still instant message.

If you use software restriction policies...also block Trillian and other such programs that combine all of those instant messengers into one.

The other option you have, if you have a firewall, is to try to block ports associated with these programs, but this can get very tricky and complicated to effectively do without blocking necessary ports and the fact that these programs will try very hard to get through on some open port.

See this thread:

http://www.experts-exchange.com/Security/Firewalls/Q_20610865.html
0
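The rename problem described in the comment above, as an added example that is not part of the original thread. It is a small model of rule matching, not Software Restriction Policies itself: the file contents are constructed stand-ins, `notes.exe` is a hypothetical new name, and SHA-256 stands in for the hash a hash rule would store.

```python
import hashlib
import os
import tempfile
from fnmatch import fnmatch

# Constructed stand-ins for two builds of an IM client (not real executables).
BUILD_1 = b"MZ constructed IM client, build 1"
BUILD_2 = b"MZ constructed IM client, build 2"

def file_hash(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def evaluate(path, name_rules, hash_rules):
    """Return (decision, rule kind). Hash rules are checked before name rules."""
    if file_hash(path) in hash_rules:
        return ("Disallowed", "hash")
    base = os.path.basename(path).lower()
    if any(fnmatch(base, pattern.lower()) for pattern in name_rules):
        return ("Disallowed", "name")
    return ("Unrestricted", "default")

def run_demo():
    name_rules = ["ypager.exe", "icq.exe", "aim.exe"]   # names from this thread
    hash_rules = {hashlib.sha256(BUILD_1).hexdigest()}  # fingerprint of build 1
    cases = {
        "original": ("ypager.exe", BUILD_1),
        "renamed": ("notes.exe", BUILD_1),
        "renamed_new_build": ("notes.exe", BUILD_2),
    }
    results = {}
    with tempfile.TemporaryDirectory() as root:
        for label, (filename, content) in cases.items():
            folder = os.path.join(root, label)
            os.mkdir(folder)
            path = os.path.join(folder, filename)
            with open(path, "wb") as fh:
                fh.write(content)
            name_only = evaluate(path, name_rules, set())
            name_and_hash = evaluate(path, name_rules, hash_rules)
            results[label] = (name_only, name_and_hash)
    return results

if __name__ == "__main__":
    for label, (name_only, combined) in run_demo().items():
        print(f"{label:18} name-only={name_only} name+hash={combined}")
```

A hash rule follows the file's content rather than its name, so it survives a rename but has to be added again for every new build of the client.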
 
LVL 18

Expert Comment

by:luv2smile
ID: 12444481
0
 
LVL 1

Author Comment

by:michaelkirk
ID: 12444790
There is an admin template in group policy on my 2003 server to stop the MSN Messenger from running.
Can I modify the built-in policy of restricting MSN Messenger to include the others?

When you say they can rename the exe, are we talking about the install or the exe that is used to run the program?
0

 
LVL 1

Author Comment

by:michaelkirk
ID: 12444885
I go to AD, then right-click my domain, then go to group policy, then default domain policy, under computer/admintemplates/windowscomponents/windows messenger/, then do not allow to start or run.

When I enable this and do a gpupdate it affects about 99% of my computers correctly and it does not run, but 2 or 3 machines can still IM with it, though I can uninstall manually on those two.

This works good enough for me; I just wish I could include Yahoo and ICQ and AIM in this template somehow.


When I tried to go under users to not allow Windows applications to run and gave it ypager.exe, icq.exe, aim.exe, msmgs.exe and did a gpupdate, MSN Messenger still started up.

I must be horribly confused about creating and applying group policies to the whole domain.
0
 
LVL 18

Expert Comment

by:luv2smile
ID: 12445257
You are confusing windows messenger with msn messenger. These 2 are NOT the same program. Windows messenger is a built in component of Microsoft Windows....this is not the msn instant messenger program which is downloaded from msn.
0
 
LVL 18

Expert Comment

by:luv2smile
ID: 12445292
There is NO group policy that specifically blocks MSN instant messenger......the only way to do this via group policy is to use software restriction policies...and as I stated above...this is not foolproof.

Here is an article on software restriction policies

http://support.microsoft.com/default.aspx?scid=kb;en-us;324036
0
 
LVL 18

Accepted Solution

by:
luv2smile earned 2000 total points
ID: 12445591
When you set the policy for "windows messenger".....this is NOT going to stop the running of the msn instant message program that is downloaded from the web.
0
 
LVL 7

Expert Comment

by:Focusyn
ID: 12445657
We use firewalls and a program called WebSense in combination to block these programs, but another easy way, albeit not quite as effective at first, is to make a company rule against it and send a broadcast email in that regard.  At the same time, create your own group policy to prevent running all the .exe's for programs and installers.  Then, run a packet sniffer/logger like Ethereal with a script to log AOL, Yahoo, MSN etc. traffic in a separate file.  At that point, you will have logged evidence of any use of any of these software programs with date, time, user info, and in most cases even the text of the messages.  The upsides to this type of action are that number 1, you have notified all users that ALL instant messaging software and use thereof is prohibited.  This prevents users from installing Jabber, Trillian etc. and saying "Hey, only Yahoo, AOL and MSN are against policy." etc. etc., prevent HR lawsuits.  The bigger upside to just telling the users not to and then logging the traffic is that no matter what program or even operating system they use to connect to say AOL Instant Messenger, it has to use the same ports and protocols as the original, and thus they are busted.  Even if someone ran Linux and the GAIM client, your packet log would tell on them.  You get the picture...  Like I said, it's not quite as effective at first, because there will always be some users who think they can outsmart you by using a third party client like Trillian.  Imagine their surprise when you or their supervisor comes with a log of their conversation and asks them if they have any justified reason for it.  You will see the general attitude of your user population change drastically once a couple of examples are set.

PS - If you go that route, I also recommend blocking all common proxy ports on your firewall.  I've only found it once so far in my 25,000+ user organization since we started running WebSense, but I found a young kid working part time in the architecture department who was a computer geek that had set up a proxy at his home broadband account and changed all his TCP/IP settings so that basically all his traffic went in and out through his home PC.  I would block network settings and MSIE proxy settings in group policy as well.
0
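The port-based logging suggested in the comment above, sketched as an added example that is not part of the original thread. It assumes each protocol's default TCP port (AIM/ICQ 5190, MSN Messenger 1863, Yahoo! Messenger 5050, Jabber 5222) and a constructed three-field connection log; a client that falls back to another open port is not matched, and only connection metadata is read.

```python
from collections import defaultdict

# Assumed default client-to-server TCP ports for the protocols named in this thread.
IM_PORTS = {
    5190: "AIM/ICQ (OSCAR)",
    1863: "MSN Messenger",
    5050: "Yahoo! Messenger",
    5222: "Jabber/XMPP",
}

# Constructed connection-log lines: timestamp, source host, destination ip:port.
SAMPLE_LOG = """\
2004-10-29T09:01:12 ws-014 192.0.2.10:5190
2004-10-29T09:01:40 ws-022 192.0.2.80:80
2004-10-29T09:03:05 ws-014 192.0.2.10:5190
2004-10-29T09:07:51 ws-031 198.51.100.7:1863
malformed line
2004-10-29T09:15:00 ws-014 203.0.113.5:5050
"""

def parse_line(line):
    """Return (timestamp, host, dest_ip, dest_port) or None for unusable lines."""
    parts = line.split()
    if len(parts) != 3 or ":" not in parts[2]:
        return None
    timestamp, host, dest = parts
    ip, _, port = dest.rpartition(":")
    if not port.isdigit():
        return None
    return timestamp, host, ip, int(port)

def summarize(log_text):
    """Group IM-port connections by (source host, protocol) with first/last seen."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        timestamp, host, _ip, port = record
        protocol = IM_PORTS.get(port)
        if protocol is None:
            continue  # not a default IM port (e.g. ordinary web traffic)
        entry = hits[(host, protocol)]
        entry["count"] += 1
        entry["first"] = entry["first"] or timestamp
        entry["last"] = timestamp
    return dict(hits)

if __name__ == "__main__":
    for (host, protocol), info in sorted(summarize(SAMPLE_LOG).items()):
        print(host, protocol, info)
```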
