Group policy to block msn messenger, yahoo, aol, ICQ

I want to apply a policy to the entire domain that will not allow these IM clients to run.

I see there is a built in policy to shut down msn but can I edit that policy to include the others or should I create separate policies, how do I do it??
michaelkirkAsked:
luv2smileCommented:
The built in policy you see is for disabling the builtin windows messenger...not the instant messenger program.

You run into several problems with this.

You can use software restriction policies to block these particular programs....but this isn't foolproof. Someone can simply rename the .exe file and then run it. So I guess if this would work for you would depend on how computer "savvy" your users are.

Also remember that these all have "web" versions and software restriction policies won't stop users from using the web version to still instant message.

If you use software restriction policies...also block trillian and other such programs that combine all of those instant messengers into one.

The other option you have is if you have a firewall is to try to block ports associated with these programs, but this can get very tricky and complicated to effectively do without blocking necessary ports and the fact that these programs  will try very hard to get thru on some open port.

See this thread:

http://www.experts-exchange.com/Security/Firewalls/Q_20610865.html
0
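The rename problem described in the answer above, as an added example that is not part of the original thread: it emulates name matching (like a path rule) and hash matching (like a hash rule) over constructed stand-in files, it does not configure software restriction policies itself. The `Test-ImBlock` function, the `srp-demo` folder and the file contents are hypothetical, and `Get-FileHash` assumes PowerShell 4.0 or later.

```powershell
# Constructed lab: text files standing in for IM client binaries (not real executables).
$lab = Join-Path ([IO.Path]::GetTempPath()) ("srp-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path (Join-Path $lab 'update') -Force | Out-Null
Set-Content (Join-Path $lab 'ypager.exe') 'stand-in: IM client, build 1'
Copy-Item   (Join-Path $lab 'ypager.exe') (Join-Path $lab 'notes.exe')          # user renamed the file
Set-Content (Join-Path $lab 'update\ypager.exe') 'stand-in: IM client, build 2' # newer build, same name
Set-Content (Join-Path $lab 'calc.exe') 'stand-in: unrelated program'

# What the admin would configure: file names, plus the hash of the build on hand.
$blockedNames  = 'ypager.exe', 'icq.exe', 'aim.exe'
$blockedHashes = @((Get-FileHash -LiteralPath (Join-Path $lab 'ypager.exe') -Algorithm SHA256).Hash)

function Test-ImBlock {
    # Hypothetical helper: reports which kind of rule would match one file.
    param([string]$Path, [string]$Root, [string[]]$Names, [string[]]$Hashes)
    $file = Get-Item -LiteralPath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    [pscustomobject]@{
        File     = $file.FullName.Substring($Root.Length + 1)
        NameRule = $Names  -contains $file.Name   # defeated by renaming the file
        HashRule = $Hashes -contains $hash        # defeated by any change to the file
    }
}

$report = Get-ChildItem -Path $lab -Filter *.exe -Recurse | ForEach-Object {
    Test-ImBlock -Path $_.FullName -Root $lab -Names $blockedNames -Hashes $blockedHashes
}
$report | Sort-Object File | Format-Table -AutoSize

Remove-Item -LiteralPath $lab -Recurse -Force   # clean up the constructed lab
```

The renamed copy is caught only by the hash comparison and the newer build only by the name comparison, so the two rule types cover each other's gap and the hash list has to be refreshed whenever a client updates.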
michaelkirkAuthor Commented:
There is an admin template in group policy on my 2003 server to stop the msn messenger from running.
Can I modify the built in policy of restricting MSN Messenger to include the others??

When you say they can rename the exe are we talking about the install or the exe that is used to run the program??
0
michaelkirkAuthor Commented:
I go to AD then right click my domain then go to group policy then default domain policy under computer/admintemplates/windowscomponents/windows messenger/ then do not allow to start or run.

When I enable this and do a gpupdate it affects about 99% of my computers correctly and it does not run but on 2 or 3 machines can still IM with it but I can uninstall manually on those two.

This works good enough for me I just wish I could include yahoo and iCQ and AIM to this template somehow.


When I tried to go under users to not allow windows applications to run and gave it ypager.exe icq.exe aim.exe msmgs.exe and did a gpupdate msn messenger still started up.

I must be horribly confused about creating and applying group policies to the whole domain.
0
luv2smileCommented:
You are confusing windows messenger with msn messenger. These 2 are NOT the same program. Windows messenger is a built in component of Microsoft Windows....this is not the msn instant messenger program which is downloaded from msn.
0
luv2smileCommented:
There is NO group policy that specifically blocks msn instant messenger......the only way to do this via group policy is to use software restriction policies...and as I stated above...this is not foolproof.

Here is an article on software restriction policies

http://support.microsoft.com/default.aspx?scid=kb;en-us;324036
0
luv2smileCommented:
When you set the policy for "windows messenger".....this is NOT going to stop the running of the msn instant message program that is downloaded from the web.
0
FocusynCommented:
We use firewalls and a program called WebSense in combination to block these programs, but another easy way, albeit not quite as effective at first, is to make a company rule against it and send a broadcast email in that regard. At the same time, create your own group policy to prevent running all the .exe's for programs and installers. Then, run a packet sniffer/logger like ethereal with a script to log AOL, yahoo, MSN etc traffic in a separate file. At that point, you will have logged evidence of any use of any of these software programs with date, time, user info, and in most cases even the text of the messages.

The upsides to this type of action are that number 1, you have notified all users that ALL instant messaging software and use thereof is prohibited. This prevents users from installing jabber, trillian etc and saying "Hey, only yahoo, AOL and MSN are against policy." etc etc, prevent HR lawsuits. The bigger upside to just telling the users not to and then logging the traffic is that no matter what program or even operating system they use to connect to say AOL Instant messenger, it has to use the same ports and protocols as the original, and thus they are busted. Even if someone ran Linux and the GAIM client, your packet log would tell on them. You get the picture...

Like I said, it's not quite as effective at first, because there will always be some users who think they can outsmart you by using a third party client like trillian. Imagine their surprise when you or their supervisor comes with a log of their conversation and asks them if they have any justified reason for it. You will see the general attitude of your user population change drastically once a couple of examples are set.

PS - If you go that route, I also recommend blocking all common proxy ports on your firewall.  I've only found it once so far in my 25,000+ user organization since we started running WebSense, but I found a young kid working part time in the architecture department who was a computer geek that had set up a proxy at his home broadband account and changed all his TCP/IP settings so that basically all his traffic went in and out through his home PC.  I would block network settings and MSIE proxy settings in group policy as well.
0
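The "log IM traffic to a separate file" step from the answer above, as an added example that is not part of the original thread: it filters flow records by the well-known default ports of the three services and writes the matches to their own file. The CSV layout, the sample records, the addresses, the `Find-ImFlow` function and the output file name are all constructed for illustration; the port list assumes clients left at their defaults, and a client that falls back to another open port will not appear.

```powershell
# Default service ports (assumption: clients left at their defaults).
$imPorts = @{ 5190 = 'AIM/ICQ'; 1863 = 'MSN Messenger'; 5050 = 'Yahoo Messenger' }

# Constructed flow records in a made-up CSV layout; replace with your sniffer or firewall export.
$flows = @'
Time,SrcIp,DstIp,DstPort,Proto
2005-03-01T09:14:02,10.1.4.23,192.0.2.10,5190,TCP
2005-03-01T09:14:40,10.1.4.23,198.51.100.7,80,TCP
2005-03-01T09:15:11,10.1.7.88,192.0.2.44,1863,TCP
2005-03-01T09:17:53,10.1.4.23,192.0.2.10,5190,TCP
2005-03-01T09:20:05,10.1.9.12,198.51.100.30,5050,TCP
2005-03-01T09:21:30,10.1.9.12,198.51.100.31,53,UDP
'@ | ConvertFrom-Csv

function Find-ImFlow {
    # Hypothetical helper: returns only the flows whose destination port is a known IM port.
    param([object[]]$Flow, [hashtable]$Ports)
    foreach ($f in $Flow) {
        $port = [int]$f.DstPort
        if ($f.Proto -eq 'TCP' -and $Ports.ContainsKey($port)) {
            [pscustomobject]@{
                Time    = [datetime]$f.Time
                SrcIp   = $f.SrcIp
                DstIp   = $f.DstIp
                Service = $Ports[$port]
            }
        }
    }
}

$hits = @(Find-ImFlow -Flow $flows -Ports $imPorts)

# Keep the IM-only records in their own file, as the answer suggests.
$log = Join-Path ([IO.Path]::GetTempPath()) 'im-traffic.csv'
$hits | Sort-Object Time | Export-Csv -Path $log -NoTypeInformation

# Per-workstation summary for follow-up.
$hits | Group-Object SrcIp, Service | Select-Object Count, Name | Format-Table -AutoSize
```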
Question has a verified solution.