Solved

How to prevent a user to download or use Chat programs

Posted on 2005-03-06
293 Views
Last Modified: 2008-03-04
I would like to know if there is a local or domain policy that prohibits a user from downloading or using Chat programs, like yahoo messenger.

Thanks
0
Question by:Chuckbuchan
19 Comments
 
LVL 5

Expert Comment

by:Magus_opus
ID: 13472637
you could always load up a firewall to block off the ports which are used by these chat mediums, and lock it with a password.
0
 

Author Comment

by:Chuckbuchan
ID: 13472655
how do you process this?

thanks
0
 
LVL 11

Expert Comment

by:rafael_acc
ID: 13472785
How do you find the ports you mean?!

1. The easy way / lucky way :: Go to the chat program web page, or look in Google to find out which ports are being used by the corresponding chat program

2. Use an application to listen on your ports so you find out which ports are being used when that chat app is loaded. You can use netstat or tcpview (freeware - you find it in google)

Cheers.
0
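The netstat/tcpview step above, as an added example that is not part of the original thread: a PowerShell function that lists the TCP endpoints each running process holds, so the ports a chat client actually uses can be read off and turned into a firewall rule. It assumes a Windows version with the NetTCPIP module (Windows 8 / Server 2012 or later); the process name is an assumption, not something the thread gives.

```powershell
# Added example (not from the thread): list TCP endpoints per process, a stand-in for
# running netstat or tcpview while the chat client is loaded. Read-only.
function Get-ProcessTcpEndpoints {
    param([string]$ProcessName = '*')   # e.g. 'YahooMessenger' (placeholder; use the real process name)
    # Map PID -> process name. Keys are cast to [int] so the [uint32] OwningProcess
    # value from Get-NetTCPConnection finds them (hashtable keys compare by type too).
    $names = @{}
    Get-Process -Name $ProcessName -ErrorAction SilentlyContinue |
        ForEach-Object { $names[[int]$_.Id] = $_.ProcessName }
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $names.ContainsKey([int]$_.OwningProcess) } |
        ForEach-Object {
            [pscustomobject]@{
                Process = $names[[int]$_.OwningProcess]
                PID     = [int]$_.OwningProcess
                Local   = '{0}:{1}' -f $_.LocalAddress, $_.LocalPort
                Remote  = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
                State   = $_.State
            }
        }
}

# Distinct remote ports per process with an established connection: the list a
# port-based firewall rule would need.
Get-ProcessTcpEndpoints |
    Where-Object State -eq 'Established' |
    Group-Object Process |
    ForEach-Object {
        $ports = $_.Group | ForEach-Object { $_.Remote.Split(':')[-1] } | Sort-Object -Unique
        '{0,-25} remote ports: {1}' -f $_.Name, ($ports -join ', ')
    }
```

Run it while the chat client is signed in, then call `Get-ProcessTcpEndpoints -ProcessName <name>` to narrow the output to that one process. A port list captured this way only covers the ports seen at that moment; a client that retries over 80 or 443 when its usual port is closed slips past a port-only block, which is one reason the later comments in this thread move to blocking the executable itself.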

 
LVL 11

Expert Comment

by:rafael_acc
ID: 13472787
More specific to your question ... the answer is: NO. There's no local/domain policy which prohibits you using chat programs.
Cheers.
0
 
LVL 3

Expert Comment

by:ihotdesk
ID: 13472854
Hi,

You could use a domain policy which prevents the apps from even launching.
I use this to great effect, with MSN, AIM, Yahoo!, ICQ, and IRC apps.

Launch ADUC, go to the appropriate OU, right click, Properties. Then under the Group Policy tab create a new one.
Then edit this new policy and go to:

I personally add the policy against the PC, not the user (but that is your choice)

Windows Settings
    Software Restriction Policies  (right click, and create new restriction policy)
        Additional Rules  (right click, and select new hash rule)

Then browse to the app you want to block.  In this case I would use MSN as an example.  Find the .exe and select OK.
Make sure you set the policy to disallowed, and then you have the rule you need.

Basically this will take an MD5 hash of the exe file and so even if it is renamed it will not be executed.

You will need to get your hands on the exe that is used per app, and add a new rule per one.

All I can suggest is that you now use a separate test network, or if not possible use a test OU, and see if it stops you from using the app.  Fully test before you deploy to the LAN.



Tony
                                 

0
 
LVL 11

Expert Comment

by:rafael_acc
ID: 13472866
However, this feature is available in Windows 2003 server only.
Cheers.
0
 

Author Comment

by:Chuckbuchan
ID: 13478849
I guess it is available on WXP also
0
 
LVL 11

Expert Comment

by:rafael_acc
ID: 13479016
Hopefully you are right. Though, I don't believe so.
Cheers
0
 

Author Comment

by:Chuckbuchan
ID: 13479697
Wxp has this option
in GPO editor:
Computer configuration/windows setting/software setting\additional rules.

But Windows 2000 doesn't have it.

How can I find the executable of yahoo.messenger through search? Do you have its extension in mind?

thanks
0
 
LVL 11

Expert Comment

by:rafael_acc
ID: 13479958
Just look at the shortcut in your computer ;)
This is not a solution however. You must be sure however that a hash is being generated from the binary exe file .. The windows 2003 server policy does that. Otherwise, one could just change the name of the executable file, right?

Cheers.
0
 

Author Comment

by:Chuckbuchan
ID: 13480166
I know that enabling a policy on the local computer is not a good idea. By the way, is there any download for w2000 server so that it will have that feature of w2003 server? At least this feature for now?

thanks
0
 
LVL 11

Expert Comment

by:rafael_acc
ID: 13480281
I don't believe so! If there were downloads to add w2003 features to a w2000 DC, then what's the point on buying w2003?!
Cheers.
0
 

Author Comment

by:Chuckbuchan
ID: 13486133
I tried what ihotdesk  suggested but didn't work for me.
in WXP machine with local admin account I set up a new hash rule and new path rule to Disallow for the yahoo messenger executable file, but I still can run it with a different user account which is not a local admin account.

0
 
LVL 11

Expert Comment

by:rafael_acc
ID: 13486350
OK. Let me try that at home on my winxp. I'll let you know ...
Cheers
0
 

Author Comment

by:Chuckbuchan
ID: 13510177
I am waiting to find out about the results of the test you might have tried at home.

thanks
0
 
LVL 11

Expert Comment

by:rafael_acc
ID: 13511685
good to have reminded me ... Thanks. I'll start doing it now.
:)

Cheers
0
 
LVL 11

Expert Comment

by:rafael_acc
ID: 13511756
You said before ...
"Wxp has this option
in GPO editor:
Computer configuration/windows setting/software setting\additional rules."

Well ... I have winxp installed and it happens I just don't have it ... I'll try to install now an update or something like that

0
 
LVL 11

Accepted Solution

by:
rafael_acc earned 500 total points
ID: 13512431
I found it ...

About the same topic but for windows 2003
   http://support.microsoft.com/default.aspx?scid=kb;en-us;310791&FR=1&PA=1&SD=HSCH

Step by step ...
   http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx#EIAA

I'll paste here what I think is relevant for your case:

A) It's very important to notice the order in which each kind of rule is applied:
 • Hash rule
 • Certificate rule
 • Path rule
 • Internet zone rule
 • Default rule

B) This type of path rule is called a registry path rule. The registry path is formatted as follows:
%[Registry Hive]\[Registry Key Name]\[Value Name]%

Note: Any registry path rule suffix should not contain a \ character immediately after the last % sign in the rule.

• The registry path must be enclosed in percent signs ("%").
• The registry value must be a REG_SZ or REG_EXPAND_SZ. You cannot use HKLM as an abbreviation for HKEY_LOCAL_MACHINE, or HKCU as an abbreviation for HKEY_CURRENT_USER.
• If the registry value contains environment variables, these will be expanded when the policy is evaluated.

According to your post and what I've been reading you could follow two approaches:

1. You want to allow or disallow a specific version of a program :: Use a Hash rule
2. You want to identify a program that can be installed anywhere on client machines :: Registry path rule

Hopefully, different versions of your chat programs or whatever.... are not being installed in different registry paths (one for each version). Therefore, I believe the second approach is safer. If you use the first one, you would have to redefine and reapply the policy if the user downloads another version than the one you have the hash of.

So ...what I did: I first looked out for the msn messenger in the registry so I could identify where it is installed. The key in my computer was "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\Clients\MSN Messenger". I did notice that the last part simply disappears once the program is uninstalled (the "Clients" path is empty!!).

Then I defined a path rule for the registry path "%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\Clients%" and set the security level to "disallow".

If you want to test your policy immediately, instead of waiting for the next Group Policy refresh interval, run gpupdate.exe and log on again to test your policy. That's what I'm gonna do now ... So I don't know yet if it does work.


C u soon.


 
0
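The two rule types discussed in this thread (ihotdesk's hash rule and the registry path rule in the accepted solution) and the rule order quoted above, as an added example that is not part of the original thread or of the Microsoft articles it links: a small PowerShell model of how Software Restriction Policies pick a rule for a given executable. It models hash rules, path rules and registry path rules plus the default level (certificate and Internet zone rules are left out), parses the `%Hive\Key\Value%` format quoted above, and runs four constructed cases: the hashed binary, a renamed copy, a changed version in the same install directory, and that changed version copied elsewhere. The sample executable, the `HKCU:\Software\SrpDemo` key and its `InstallDir` value are constructed for the demo and removed at the end; no policy is read or changed. It assumes Windows PowerShell 4.0 or later for `Get-FileHash`.

```powershell
# Added example (not from the thread): model of SRP rule selection.
# Precedence (from the text above): hash rule, then path / registry path rule, then default.

function Resolve-RegistryPathRule {
    param([string]$Rule)
    # %[Hive]\[Key]\[Value]% with an optional suffix after the closing %.
    if ($Rule -notmatch '^%([^%]+)%(.*)$') { throw "Not a registry path rule: $Rule" }
    $inner, $suffix = $Matches[1], $Matches[2]
    $hive, $rest = $inner -split '\\', 2
    $drive = switch ($hive) {            # hive must be spelled out, no HKLM/HKCU abbreviation
        'HKEY_LOCAL_MACHINE' { 'HKLM:' }
        'HKEY_CURRENT_USER'  { 'HKCU:' }
        default { throw "Hive must be spelled out in full: $hive" }
    }
    $keyPath   = Split-Path $rest -Parent
    $valueName = Split-Path $rest -Leaf
    $data = (Get-ItemProperty -Path "$drive\$keyPath" -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if (-not $data) { return $null }     # no value data: the rule has nothing to match
    # Environment variables in the data are expanded when the policy is evaluated.
    return [Environment]::ExpandEnvironmentVariables($data) + $suffix
}

function Get-SrpLevel {
    param(
        [string]$File,
        [hashtable[]]$Rules,             # @{ Type='Hash'|'Path'|'RegistryPath'; Match=...; Level=... }
        [string]$DefaultLevel = 'Unrestricted'
    )
    $hash = (Get-FileHash -Path $File -Algorithm MD5).Hash
    $full = (Resolve-Path $File).Path

    # 1. Hash rules are keyed on content, so a renamed copy still matches.
    foreach ($r in $Rules | Where-Object Type -eq 'Hash') {
        if ($r.Match -ieq $hash) { return "$($r.Level) (hash rule)" }
    }
    # 2. Path and registry path rules; when several match, the most specific path wins.
    $pathHits = foreach ($r in $Rules | Where-Object { $_.Type -in 'Path', 'RegistryPath' }) {
        $prefix = if ($r.Type -eq 'RegistryPath') { Resolve-RegistryPathRule $r.Match } else { $r.Match }
        if (-not $prefix) { continue }
        $prefix = [Environment]::ExpandEnvironmentVariables($prefix).TrimEnd('\')
        $under  = $full.StartsWith($prefix + '\', [StringComparison]::OrdinalIgnoreCase)
        if ($under -or $full -ieq $prefix) {
            [pscustomobject]@{ Length = $prefix.Length; Level = $r.Level; Type = $r.Type }
        }
    }
    $best = $pathHits | Sort-Object Length -Descending | Select-Object -First 1
    if ($best) { return "$($best.Level) ($($best.Type) rule)" }
    # 3. Nothing matched: the default security level applies.
    return "$DefaultLevel (default rule)"
}

# --- constructed demo setup (stand-in binary, not a real chat program) ---
$dir = Join-Path $env:TEMP 'srp-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$exe = Join-Path $dir 'messenger.exe'
[IO.File]::WriteAllBytes($exe, [byte[]]((0x4D, 0x5A) + (1..64)))
New-Item -Path 'HKCU:\Software\SrpDemo' -Force | Out-Null
Set-ItemProperty -Path 'HKCU:\Software\SrpDemo' -Name InstallDir -Value $dir

$rules = @(
    @{ Type = 'Hash';         Match = (Get-FileHash -Path $exe -Algorithm MD5).Hash;      Level = 'Disallowed' }
    @{ Type = 'RegistryPath'; Match = '%HKEY_CURRENT_USER\Software\SrpDemo\InstallDir%'; Level = 'Disallowed' }
)

$renamed = Join-Path $dir 'winword.exe';       Copy-Item $exe $renamed     # same bytes, new name
$patched = Join-Path $dir 'messenger-v2.exe'                               # different bytes, same directory
[IO.File]::WriteAllBytes($patched, [byte[]]((0x4D, 0x5A) + (65..128)))
$outside = Join-Path $env:TEMP 'messenger-v2.exe'; Copy-Item $patched $outside  # same new version, elsewhere

foreach ($f in $exe, $renamed, $patched, $outside) {
    '{0,-60} {1}' -f $f, (Get-SrpLevel -File $f -Rules $rules)
}

# --- cleanup ---
Remove-Item $dir -Recurse -Force
Remove-Item $outside -Force
Remove-Item 'HKCU:\Software\SrpDemo' -Recurse -Force
```

The four cases are chosen to separate the two rule types: the first two files share a hash, so the hash rule decides regardless of the file name; the third has a new hash but sits under the directory named in the `InstallDir` value, so only the registry path rule can catch it; the fourth has neither, so it falls through to the default level. Note that the format quoted from the KB ends in a value name whose data must be a directory; a key with an empty default value gives a registry path rule nothing to resolve, so check the value's data in regedit before relying on such a rule.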
 

Author Comment

by:Chuckbuchan
ID: 13554787
I ran regedit, up to this level
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\

then there are 3 nodes:
Policies
session manager
            Apps    

there is nothing else about yahoo
0
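The registry search in the accepted solution, generalised as an added example that is not part of the original thread: the `MessengerService` key looked at above is specific to MSN Messenger, so for another product it helps to search the two places most installers register themselves, the Uninstall keys and the App Paths key. The function below lists matching keys together with the value that holds the install directory and a rule string in the `%Hive\Key\Value%` format quoted in the accepted solution. The search pattern is an assumption; it is read-only and changes nothing.

```powershell
# Added example (not from the thread): find where an installed program registers
# itself, for use in a registry path rule. Read-only.
function Find-InstalledProgramKeys {
    param([Parameter(Mandatory)][string]$Pattern)   # wildcard, e.g. '*Messenger*'
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths'
    )
    foreach ($root in $roots) {
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $p    = Get-ItemProperty -Path $key.PSPath
            $name = if ($p.DisplayName) { $p.DisplayName } else { $key.PSChildName }
            if (-not ($name -like $Pattern -or $key.PSChildName -like $Pattern)) { continue }

            # Prefer a value whose data is the install directory: Uninstall keys usually
            # carry it in InstallLocation, App Paths keys in Path.
            if     ($p.InstallLocation) { $valueName = 'InstallLocation'; $dir = $p.InstallLocation }
            elseif ($p.Path)            { $valueName = 'Path';            $dir = $p.Path }
            else                        { $valueName = $null;             $dir = $null }

            # $key.Name is the full name with the hive spelled out, as the rule format requires.
            $rule = if ($valueName) { '%{0}\{1}%' -f $key.Name, $valueName } else { $null }

            [pscustomobject]@{
                Name       = $name
                Key        = $key.Name
                ValueName  = $valueName
                InstallDir = $dir
                Rule       = $rule
            }
        }
    }
}

Find-InstalledProgramKeys -Pattern '*Messenger*' | Format-List
```

An entry with an empty `InstallDir` (and therefore no `Rule`) is a key that names the product but not its location; such a key cannot anchor a registry path rule, and a hash rule on the executable, or a plain path rule on the directory found another way, is the fallback.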
