Solved

How to prevent a user to download or use Chat programs

Posted on 2005-03-06
Last Modified: 2008-03-04
I would like to know if there is a local or domain policy that prohibits a user from downloading or using Chat programs, like yahoo messenger.

Thanks
Question by:Chuckbuchan
21 Comments
 
LVL 5

Expert Comment

by:Magus_opus
ID: 13472637
You could always load up a firewall to block off the ports which are used by these chat programs, and lock it with a password.
 

Author Comment

by:Chuckbuchan
ID: 13472655
How do you process this?

thanks
 
LVL 11

Expert Comment

by:rafael_acc
ID: 13472785
How do you find the ports, you mean?!

1. The easy way / lucky way :: Go to the chat program's web page, or look in Google to find out which ports are being used by the corresponding chat program.

2. Use an application to listen on your ports so you find out which ports are being used when that chat app is loaded. You can use netstat or TcpView (freeware; you can find it in Google).

Cheers.
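
As an added example (not part of rafael_acc's post or the original thread), here is the netstat/TcpView step done in PowerShell on a current Windows build, followed by the two ways of blocking at the host firewall that Magus_opus' suggestion leads to. It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection and New-NetFirewallRule, an elevated prompt, and a process name and path for Yahoo Messenger that are assumptions for illustration.

```powershell
# Added example, not from the thread. Assumes Windows 8 / Server 2012 or later
# (Get-NetTCPConnection, New-NetFirewallRule) and an elevated prompt.

function Get-ProcessRemotePort {
    # Map a running process to the remote TCP ports it is talking to: the
    # "listen on your ports" step with netstat/TcpView, grouped so you get
    # one line per destination port.
    param([Parameter(Mandatory)][string]$ProcessName)

    $procs = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)
    if ($procs.Count -eq 0) {
        Write-Warning "No process named '$ProcessName' is running; start the client and retry."
        return
    }

    Get-NetTCPConnection -OwningProcess $procs.Id -State Established -ErrorAction SilentlyContinue |
        Group-Object -Property RemotePort |
        ForEach-Object {
            [pscustomobject]@{
                Process    = $ProcessName
                RemotePort = [int]$_.Name
                Peers      = (@($_.Group.RemoteAddress) | Sort-Object -Unique) -join ', '
            }
        }
}

function Block-RemotePort {
    # What the thread suggests: close the client's ports outbound at the firewall.
    # Weak on its own, because most messengers fall back to 80/443 when their
    # native port is closed, and those cannot be blocked for everyone.
    param([Parameter(Mandatory)][string[]]$Port,
          [string]$Name = 'Block chat client ports')

    New-NetFirewallRule -DisplayName $Name -Direction Outbound -Action Block `
        -Protocol TCP -RemotePort $Port -Profile Any
}

function Block-ProgramOutbound {
    # Stronger: block the executable regardless of port. The match is on the
    # file path, so a copy of the binary under another name still connects;
    # pair this with a Software Restriction Policy hash rule for the program.
    param([Parameter(Mandatory)][string]$ProgramPath,
          [string]$Name = 'Block chat client program')

    if (-not (Test-Path -LiteralPath $ProgramPath)) { throw "Not found: $ProgramPath" }
    New-NetFirewallRule -DisplayName $Name -Direction Outbound -Action Block `
        -Program $ProgramPath -Profile Any
}

# Usage. Process name and path are assumptions; substitute what is installed.
Get-ProcessRemotePort -ProcessName 'YahooMessenger' | Format-Table -AutoSize
# Block-RemotePort -Port 5050   # example value: use the port(s) the first command reported
# Block-ProgramOutbound -ProgramPath 'C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe'
```

Run the first command while the client is signed in, since only established connections are listed; then decide whether a port rule is enough or whether the program rule (plus a software restriction rule, discussed further down the thread) is needed.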
 
LVL 11

Expert Comment

by:rafael_acc
ID: 13472787
More specific to your question ... the answer is: NO. There's no local/domain policy which prohibits you from using chat programs.
Cheers.
 
LVL 3

Expert Comment

by:ihotdesk
ID: 13472854
Hi,

You could use a domain policy which prevents the apps from even launching.
I use this to great effect with MSN, AIM, Yahoo!, ICQ, and IRC apps.

Launch ADUC, go to the appropriate OU, right click, Properties. Then under the Group Policy tab create a new one.
Then edit this new policy and go to:

I personally add the policy against the PC, not the user (but that is your choice).

Windows Settings
         Software Restriction Policies  (right click, and create new restriction policy)

                      Additional Rules  (right click, and select New Hash Rule)

Then browse to the app you want to block. In this case I would use MSN as an example. Find the .exe and select OK.
Make sure you set the policy to Disallowed, and then you have the rule you need.

Basically this will take an MD5 hash of the exe file, so even if it is renamed it will not be executed.

You will need to get your hands on the exe that is used per app, and add a new rule per one.

All I can suggest is that you now use a separate test network, or if not possible use a test OU, and see if it stops you from using the app. Fully test before you deploy to the LAN.

Tony

 
LVL 11

Expert Comment

by:rafael_acc
ID: 13472866
However, this feature is available in Windows 2003 Server only.
Cheers.
 

Author Comment

by:Chuckbuchan
ID: 13478849
I guess it is available on WXP also.
 
LVL 11

Expert Comment

by:rafael_acc
ID: 13479016
Hopefully you are right. Though, I don't believe so.
Cheers
 

Author Comment

by:Chuckbuchan
ID: 13479697
WXP has this option
in the GPO editor:
Computer Configuration\Windows Settings\Software Settings\Additional Rules.

But Windows 2000 doesn't have it.

How can I find the executable of Yahoo Messenger through Search? Do you have its extension in mind?

thanks
 
LVL 11

Expert Comment

by:rafael_acc
ID: 13479958
Just look at the shortcut on your computer ;)
This is not a solution, however. You must be sure that a hash is being generated from the binary exe file. The Windows 2003 Server policy does that. Otherwise, one could just change the name of the executable file, right?

Cheers.
 

Author Comment

by:Chuckbuchan
ID: 13480166
I know that enabling a policy on the local computer is not a good idea. By the way, is there any download for W2000 Server so that it will have that feature of W2003 Server, at least this feature for now?

thanks
 
LVL 11

Expert Comment

by:rafael_acc
ID: 13480281
I don't believe so! If there were downloads to add W2003 features to a W2000 DC, then what's the point in buying W2003?!
Cheers.
 

Author Comment

by:Chuckbuchan
ID: 13486133
I tried what ihotdesk suggested but it didn't work for me.
On a WXP machine with a local admin account I set up a new hash rule and a new path rule to Disallow the Yahoo Messenger executable file, but I can still run it with a different user account which is not a local admin account.

 
LVL 11

Expert Comment

by:rafael_acc
ID: 13486350
OK. Let me try that at home on my WinXP. I'll let you know ...
Cheers
 

Author Comment

by:Chuckbuchan
ID: 13510177
I am waiting to find out about the results of the test you might have tried at home.

thanks
 
LVL 11

Expert Comment

by:rafael_acc
ID: 13511685
Good to have reminded me ... Thanks. I'll start doing it now.
:)

Cheers
 
LVL 11

Expert Comment

by:rafael_acc
ID: 13511756
You said before ...
"WXP has this option
in the GPO editor:
Computer Configuration\Windows Settings\Software Settings\Additional Rules."

Well ... I have WinXP installed and it happens I just don't have it ... I'll try to install an update or something like that now.

 
LVL 11

Accepted Solution

by: rafael_acc (earned 500 total points)
ID: 13512431
I found it ...

About the same topic but for Windows 2003:
   http://support.microsoft.com/default.aspx?scid=kb;en-us;310791&FR=1&PA=1&SD=HSCH

Step by step:
   http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx#EIAA

I'll paste here what I think is relevant for your case:

A) It's very important to notice the order in which each kind of rule is applied:
 • Hash rule
 • Certificate rule
 • Path rule
 • Internet zone rule
 • Default rule

B) This type of path rule is called a registry path rule. The registry path is formatted as follows:
%[Registry Hive]\[Registry Key Name]\[Value Name]%

Note: Any registry path rule suffix should not contain a \ character immediately after the last % sign in the rule.

• The registry path must be enclosed in percent signs ("%").
• The registry value must be a REG_SZ or REG_EXPAND_SZ. You cannot use HKLM as an abbreviation for HKEY_LOCAL_MACHINE, or HKCU as an abbreviation for HKEY_CURRENT_USER.
• If the registry value contains environment variables, these will be expanded when the policy is evaluated.

According to your post and what I've been reading you could follow two approaches:

1. You want to allow or disallow a specific version of a program :: Use a hash rule
2. You want to identify a program that can be installed anywhere on client machines :: Registry path rule

Hopefully, different versions of your chat programs or whatever are not being installed in different registry paths (one for each version). Therefore, I believe the second approach is safer. If you use the first one, you would have to redefine and reapply the policy if the user downloads another version than the one you have the hash of.

So ... what I did: I first looked for MSN Messenger in the registry so I could identify where it is installed. The key in my computer was "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\Clients\MSN Messenger". I did notice that the last part simply disappears once the program is uninstalled (the "Clients" path is empty!!).

Then I defined a path rule for the registry path "%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\Clients%" and set the security level to "Disallowed".

If you want to test your policy immediately, instead of waiting for the next Group Policy refresh interval, run gpupdate.exe and log on again to test your policy. That's what I'm gonna do now ... So I don't know yet if it does work.


C u soon.

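
The accepted solution above and ihotdesk's earlier comment describe two kinds of Software Restriction Policy rule (a hash rule on the executable, and a registry path rule in the %HIVE\Key\Value% form). As an added example, not part of the thread, the script below inventories the SRP rules that actually arrived on a client, resolves a registry path rule the way section B describes, and checks a given executable against the hash rules, which is the check to run when a rule "doesn't work" before assuming the policy itself is wrong. It reads the Safer registry keys that both Local Security Policy and a computer-level GPO write to; assumed are Windows 8.1 / Server 2012 R2 or later (for Get-FileHash), an elevated prompt, and the Yahoo Messenger path at the end, which is an assumption.

```powershell
# Added example, not from the thread. Inventories the Software Restriction
# Policy (Safer) rules as they arrived on this machine, from the registry keys
# that both Local Security Policy and a computer-level GPO write to.
# Assumes Windows 8.1 / Server 2012 R2 or later (Get-FileHash) and an
# elevated prompt.

$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Level subkey names are the SAFER_LEVELID_* values from winsafer.h.
$LevelNames = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Constrained';
                 131072 = 'Basic User'; 262144 = 'Unrestricted' }
# HashAlg is a CryptoAPI ALG_ID: CALG_MD5, CALG_SHA1, CALG_SHA_256.
$HashAlgNames = @{ 32771 = 'MD5'; 32772 = 'SHA1'; 32780 = 'SHA256' }

function Get-SaferRule {
    # One object per rule found under <root>\<level>\{Hashes,Paths}\<guid>.
    if (-not (Test-Path -Path $SaferRoot)) { Write-Warning 'No SRP has been applied here.'; return }
    foreach ($levelKey in Get-ChildItem -Path $SaferRoot) {
        if ($levelKey.PSChildName -notmatch '^\d+$') { continue }
        $level = [int]$levelKey.PSChildName
        foreach ($kind in 'Hashes', 'Paths') {
            $kindPath = Join-Path -Path $levelKey.PSPath -ChildPath $kind
            if (-not (Test-Path -Path $kindPath)) { continue }
            foreach ($ruleKey in Get-ChildItem -Path $kindPath) {
                $p = Get-ItemProperty -Path $ruleKey.PSPath
                if ($kind -eq 'Hashes') {
                    # ItemData is REG_BINARY holding the raw digest; render it as hex.
                    $kindName = 'Hash'
                    $match    = ($p.ItemData | ForEach-Object { $_.ToString('x2') }) -join ''
                    $alg      = $HashAlgNames[[int]$p.HashAlg]   # $null if an unknown ALG_ID
                } else {
                    $kindName = 'Path'
                    $match    = [string]$p.ItemData   # a file path, or a %HIVE\Key\Value% registry path
                    $alg      = $null
                }
                [pscustomobject]@{
                    Kind = $kindName; Level = $LevelNames[$level]; Algorithm = $alg
                    Match = $match; Description = $p.Description; Id = $ruleKey.PSChildName
                }
            }
        }
    }
}

function Expand-SaferRegistryPath {
    # Resolve a rule written as %HIVE\Key\ValueName%suffix (the format quoted in
    # the post) to the path stored in that value. Returns $null when the value
    # does not exist, which is what you get if the rule names a key, not a value.
    param([Parameter(Mandatory)][string]$Rule)
    if ($Rule -notmatch '^%(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\(.+)\\([^\\%]+)%(.*)$') {
        return $Rule   # an ordinary path rule; nothing to resolve
    }
    $drive     = if ($Matches[1] -eq 'HKEY_LOCAL_MACHINE') { 'HKLM:' } else { 'HKCU:' }
    $key       = "$drive\$($Matches[2])"
    $valueName = $Matches[3]
    $suffix    = $Matches[4]
    if (-not (Test-Path -Path $key)) { return $null }
    $value = (Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if ([string]::IsNullOrEmpty($value)) { return $null }
    return [Environment]::ExpandEnvironmentVariables("$value$suffix")
}

function Test-SaferHashRule {
    # Report the hash rules that match a file. The rule stores a digest of the
    # bytes, so a renamed copy still matches, while a new version does not.
    param([Parameter(Mandatory)][string]$Path)
    foreach ($rule in (Get-SaferRule | Where-Object { $_.Kind -eq 'Hash' -and $_.Algorithm })) {
        $digest = (Get-FileHash -LiteralPath $Path -Algorithm $rule.Algorithm).Hash.ToLower()
        if ($digest -eq $rule.Match) { $rule }
    }
}

# Usage. The Yahoo Messenger path is an assumption; substitute the real one.
$defaultLevel = (Get-ItemProperty -Path $SaferRoot -ErrorAction SilentlyContinue).DefaultLevel
if ($null -ne $defaultLevel) { "Default level: $($LevelNames[[int]$defaultLevel])" }
Get-SaferRule | Format-Table Kind, Level, Algorithm, Match, Description -AutoSize
Expand-SaferRegistryPath -Rule '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\Clients%'
Test-SaferHashRule -Path 'C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe'
# After changing the policy: gpupdate /force, then log off and on before retesting.
```

Two things to read off the output. If Get-SaferRule prints nothing on the client, the policy never arrived (scope, replication or refresh), and no amount of rule editing will help. If Expand-SaferRegistryPath returns $null for the rule quoted in the post, the rule points at a key rather than at a REG_SZ value, so there is no path for the policy to match; the format in section B requires the value name as the last element inside the percent signs.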
 

Author Comment

by:Chuckbuchan
ID: 13554787
I ran regedit, up to this level:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\

Then there are 3 nodes:
Policies
Session Manager
            Apps

There is nothing else about Yahoo.

