menreeq asked:
Restrict AIM with GPO now that it installs in random directory name

I installed the newest AIM on two different computers and it installs the exe file under what looks like a folder name made of a string of random numbers. For example, on one machine it installed itself at

c:\program files\common files\aol\1139541093\ee\aim6.exe

and on another computer the numbers were different. So I can't stop this IM from running via GPO with a standard path rule. Does anyone know of any other way to stop it from running on the domain?
LimeSMJ:

Instead of using the path, create a rule using a HASH (a software fingerprint that works regardless of file name or location).

http://support.microsoft.com/default.aspx?scid=kb;en-us;324036

That link shows you how.

Good luck.
Oh yeah... if they update the executable (say, a different version due to an AIM upgrade), you might want to try the Registry rule as well; check the same link.
menreeq (asker):
How do you figure out what the HASH is for the program?
menreeq (asker):
OK, I got the hash thing working, but that won't work well for the reasons you already stated. So how about the registry? How do I know which registry items to block?

LimeSMJ:

4. Click Browse to find a file, or paste a precalculated hash in the File hash box. <---- In your case, you would just browse to the file you do not wish users to run (the AIM executable) and press OK. The hash is created then.
Oh, the path that you browse to makes no difference to the HASH, as the program just looks at the file itself and not where the file is.
menreeq (asker):

If I block the port, can I just block it to any destination IP? Is there any reason why I need to figure out the IP address AIM uses?
Vinod:

You can block it to any destination...

Your typical rule on the firewall would look like this... (not Windows Firewall... your mail gateway firewall)

Rule    Source    Destination    Service
DENY    LAN       WAN            AIM

Then you might have to define the service.

AIM = Port 5190, protocol = TCP.

Depending on the firewall, the way you do it is different, but you get the idea, right...?

Vinod.
I'm sorry, I meant to say your MAIN firewall or gateway firewall..

Vinod.
menreeq (asker):

I have it configured and it's working, but I told it to block that port to * destination. Is there any good reason why I should limit that, or are these ports perhaps used for legitimate purposes, so that I should discover the AIM servers and block them specifically?

Vinod:

Nope. You are fine... As far as I know, only AIM uses those ports...

Unless you have custom applications, the possibilities are lean... even with custom apps, they use ports over 10,000. So you shouldn't have any problems..

Vinod.
Here is a list of well defined ports for your reference...

http://www.networksorcery.com/enp/protocol/ip/ports05000.htm

You can clearly see ports 5190-5193.

Usually, if it's a well-defined port, nobody else will use it.

Vinod.
LimeSMJ:

The problem with the port blocking approach is that AIM can use port 80 (as well as any other port it can find open) to send/receive IM messages. Another problem is AIM Express (their web-based chat program), which can bypass any GPO policy and firewall port block. If you find your users using AIM Express, the only way to block that is to circumvent the web page address itself, either using a custom local hosts file or editing your DNS server to point "aimexpress.aol.com" to a blackhole IP.

Vinod:

LimeSMJ,
  Even if you block aim.exe, the web version might still run, as it doesn't use the .exe file locally but just an ActiveX control.

Also, on one network I blocked all outgoing ports except 80 and 443 and users complained that their AIM was not working... so AIM doesn't seem to automatically try port 80. I know MSN does this... but I haven't seen AIM do it.... I had to open ports 5190-5193 for them to use AIM. Only then would it work..

I don't know if there is a manual configuration where you can switch, but AIM doesn't seem to do it automatically.

Vinod.
LimeSMJ:

You can set the port manually... or have AIM look for you.

From AIM's website:
Q: Why am I unable to connect to AIM through my company LAN? In the past, I made the connection with no problem.
A: Ask your system administrator to update login.oscar.aol.com on the LAN's DNS table. Also, ask the administrator to make sure that Port 5190 is open for outbound TCP connections. (Other ports can also be used. If your administrator decides on a different port, then you can specify it in Connection preferences.)

Also, the whole reason I mentioned the DNS block was to prevent people from even getting to the AIM Express site since the Registry HASH will be bypassed as you mentioned.

All in all... it is pretty much impossible to prevent savvy AIM users from chatting online, as in spite of all the options mentioned in this dialogue, they can always use an external proxy server and/or use programs such as Trillian to sneak past everything.
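As an added illustration (not code from the thread), here is a small audit script that applies the two controls discussed above to egress logs: the firewall rule denying LAN-to-WAN TCP on the AIM ports 5190-5193, and the DNS-name block for aimexpress.aol.com / login.oscar.aol.com. The log format, the LAN range and every address in the sample are constructed assumptions; the port-80 line in the sample passes untouched, which is exactly the gap LimeSMJ describes.

```python
import ipaddress
import re

# Assumed internal range; adjust to your site.
LAN = ipaddress.ip_network("192.168.1.0/24")
# AIM ports as listed in the thread (5190 default, 5190-5193 observed).
AIM_PORTS = range(5190, 5194)
# Names from the thread: the AIM Express site and the AIM login host.
AIM_HOSTNAMES = {"aimexpress.aol.com", "login.oscar.aol.com"}

# Assumed log line shapes (constructed for this example):
#   "TCP <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
#   "DNS <src_ip> query <name>"
CONN_RE = re.compile(r"^(TCP|UDP) (\S+):(\d+) -> (\S+):(\d+)$")
DNS_RE = re.compile(r"^DNS (\S+) query (\S+)$")

# Constructed sample log; 203.0.113.0/24 is a documentation range, not AOL.
SAMPLE_LOG = """\
TCP 192.168.1.20:49201 -> 203.0.113.10:5190
TCP 192.168.1.21:49300 -> 203.0.113.50:443
TCP 192.168.1.22:49311 -> 203.0.113.11:5193
DNS 192.168.1.23 query aimexpress.aol.com
DNS 192.168.1.23 query www.example.com
TCP 192.168.1.24:49400 -> 203.0.113.12:80
"""


def classify(line):
    """Return ("deny", reason) or ("allow", None) for one log line."""
    m = CONN_RE.match(line)
    if m:
        proto, src, _, dst, dport = m.groups()
        outbound = (ipaddress.ip_address(src) in LAN
                    and ipaddress.ip_address(dst) not in LAN)
        # Mirrors the firewall rule: DENY LAN -> WAN, service AIM (TCP 5190-5193).
        if proto == "TCP" and outbound and int(dport) in AIM_PORTS:
            return "deny", f"outbound TCP/{dport} matches AIM service"
        return "allow", None
    m = DNS_RE.match(line)
    if m:
        # Normalise case and trailing dot so "AIMEXPRESS.AOL.COM." still matches.
        name = m.group(2).lower().rstrip(".")
        if name in AIM_HOSTNAMES:
            return "deny", f"DNS lookup of {name} (blackholed AIM host)"
        return "allow", None
    raise ValueError(f"unrecognised log line: {line!r}")


def audit(log_text):
    """Return [(line, reason)] for every line the policy would deny."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        verdict, reason = classify(line)
        if verdict == "deny":
            hits.append((line, reason))
    return hits
```

Running `audit(SAMPLE_LOG)` flags three lines (two AIM-port connections and the AIM Express lookup); the port-80 connection is not caught by either control.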
Vinod:

You can block users from enabling or entering their own proxy by group policy as well...

Vinod.