Solved

Group policy to block msn messenger, yahoo, aol, ICQ

Posted on 2004-10-29
20,784 Views
Last Modified: 2012-08-13
I want to apply a policy to the entire domain that will not allow these im clients to run.

I see there is a built-in policy to shut down MSN, but can I edit that policy to include the others, or should I create separate policies? How do I do it??
0
Question by:michaelkirk
    8 Comments
     
    LVL 18

    Expert Comment

    by:luv2smile
    The built in policy you see is for disabling the builtin windows messenger...not the instant messenger program.

    You run into several problems with this.

    You can use software restriction policies to block these particular programs....but this isn't foolproof. Someone can simply rename the .exe file and then run it. So I guess whether this would work for you would depend on how computer "savvy" your users are.

    Also remember that these all have "web" versions and software restriction policies won't stop users from using the web version to still instant message.

    If you use software restriction policies...also block Trillian and other such programs that combine all of those instant messengers into one.

    The other option you have, if you have a firewall, is to try to block the ports associated with these programs, but this can get very tricky and complicated to do effectively without blocking necessary ports, and these programs will try very hard to get through on some open port.

    See this thread:

    http://www.experts-exchange.com/Security/Firewalls/Q_20610865.html
    0
     
    LVL 18

    Expert Comment

    by:luv2smile
    0
     
    LVL 1

    Author Comment

    by:michaelkirk
    There is an admin template in group policy on my 2003 server to stop the MSN messenger from running.
    Can I modify the built-in policy of restricting MSN Messenger to include the others??

    When you say they can rename the exe are we talking about the install or the exe that is used to run the program??
    0
     
    LVL 1

    Author Comment

    by:michaelkirk
    I go to AD, then right click my domain, then go to group policy, then default domain policy under computer/admin templates/windows components/windows messenger/, then "do not allow to start or run".

    When I enable this and do a gpupdate it affects about 99% of my computers correctly and it does not run, but on 2 or 3 machines they can still IM with it. I can uninstall it manually on those two.

    This works well enough for me; I just wish I could include Yahoo and ICQ and AIM in this template somehow.


    When I tried to go under users to not allow windows applications to run and gave it ypager.exe, icq.exe, aim.exe, msmgs.exe and did a gpupdate, MSN messenger still started up.

    I must be horribly confused about creating and applying group policies to the whole domain.
    0
     
    LVL 18

    Expert Comment

    by:luv2smile
    You are confusing windows messenger with msn messenger. These 2 are NOT the same program. Windows messenger is a built in component of Microsoft Windows....this is not the msn instant messenger program which is downloaded from msn.
    0
     
    LVL 18

    Expert Comment

    by:luv2smile
    There is NO group policy that specifically blocks MSN instant messenger......the only way to do this via group policy is to use software restriction policies...and as I stated above...this is not foolproof.

    Here is an article on software restriction policies

    http://support.microsoft.com/default.aspx?scid=kb;en-us;324036
    0
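    The rename caveat luv2smile raises twice above (a path-based software restriction rule matches the file name, so a renamed copy slips past it, while a hash rule matches the file contents) is worth seeing concretely. The following is an added example written for this thread, not code from the thread or from Windows' own SRP engine; it is a small model of the two rule types run against a constructed stand-in for ypager.exe, and the executable names and fake binary bytes are assumptions.

```python
import fnmatch
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass
class PathRule:
    """Matches on the file name only, like an SRP path rule for ypager.exe."""
    pattern: str


@dataclass
class HashRule:
    """Matches on file contents, whatever the file has been renamed to."""
    sha256: str


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def is_blocked(path, rules):
    """Return True if any rule in the list disallows running this file."""
    name = os.path.basename(path).lower()
    digest = sha256_of(path)
    for rule in rules:
        if isinstance(rule, PathRule) and fnmatch.fnmatch(name, rule.pattern.lower()):
            return True
        if isinstance(rule, HashRule) and rule.sha256 == digest:
            return True
    return False


def demo():
    """Constructed scenario: a fake ypager.exe plus a byte-identical renamed copy."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "ypager.exe")
        renamed = os.path.join(d, "calc.exe")  # the user renamed the client
        fake_binary = b"MZ constructed stand-in for the Yahoo Messenger binary"
        for p in (original, renamed):
            with open(p, "wb") as f:
                f.write(fake_binary)
        # Names from the question; a path rule per executable, one hash rule for the real bytes.
        path_rules = [PathRule(n) for n in ("ypager.exe", "icq.exe", "aim.exe", "msmgs.exe")]
        hash_rules = [HashRule(sha256_of(original))]
        return {
            "path_rule_blocks_original": is_blocked(original, path_rules),
            "path_rule_blocks_renamed": is_blocked(renamed, path_rules),
            "hash_rule_blocks_renamed": is_blocked(renamed, hash_rules),
        }
```

    The trade-off is that a hash rule must be refreshed every time the client ships a new build, and neither rule type touches the web-based versions of these messengers.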
     
    LVL 18

    Accepted Solution

    by:
    When you set the policy for "windows messenger".....this is NOT going to stop the running of the msn instant message program that is downloaded from the web.
    0
     
    LVL 7

    Expert Comment

    by:Focusyn
    We use firewalls and a program called WebSense in combination to block these programs, but another easy way, albeit not quite as effective at first, is to make a company rule against it and send a broadcast email in that regard. At the same time, create your own group policy to prevent running all the .exe's for programs and installers. Then, run a packet sniffer/logger like Ethereal with a script to log AOL, Yahoo, MSN etc. traffic in a separate file. At that point, you will have logged evidence of any use of any of these software programs with date, time, user info, and in most cases even the text of the messages. The upsides to this type of action are that, number 1, you have notified all users that ALL instant messaging software and use thereof is prohibited. This prevents users from installing Jabber, Trillian etc. and saying "Hey, only Yahoo, AOL and MSN are against policy," etc. etc., and prevents HR lawsuits. The bigger upside to just telling the users not to and then logging the traffic is that no matter what program or even operating system they use to connect to, say, AOL Instant Messenger, it has to use the same ports and protocols as the original, and thus they are busted. Even if someone ran Linux and the GAIM client, your packet log would tell on them. You get the picture... Like I said, it's not quite as effective at first, because there will always be some users who think they can outsmart you by using a third party client like Trillian. Imagine their surprise when you or their supervisor comes with a log of their conversation and asks them if they have any justified reason for it. You will see the general attitude of your user population change drastically once a couple of examples are set.

    PS - If you go that route, I also recommend blocking all common proxy ports on your firewall. I've only found it once so far in my 25,000+ user organization since we started running WebSense, but I found a young kid working part time in the architecture department who was a computer geek and had set up a proxy at his home broadband account and changed all his TCP/IP settings so that basically all his traffic went in and out through his home PC. I would block network settings and MSIE proxy settings in group policy as well.
    0
