Re: Blocking Instant Messaging Applications

From: Gaddis, Jeremy L. (
Date: 11/22/05

  • Next message: Murad Talukdar: "secure disposal of backup tapes"
    Date: Mon, 21 Nov 2005 19:59:46 -0500
    To: Neksus <>

    Neksus wrote:
    > A solution that I implemented in the past (for MSN) is as follow:

    Unfortunately, a number of these won't work for our situation. Not sure
    if I mentioned it in the original post or not, but I'm dealing with an
    academic environment in this case. They like things to be "open" and as
    least restrictive as possible.

    > 1. Install a firewall, block everything that is a direct connection
    > from the desktop.

    While we do have (multiple) firewalls in place, we simply can't do this.
      It would never fly.

    > 2. Install a proxy for FTP, web and https (20/21/80/443). Only the
    > proxy server should be allowed to directly connect to the internet.

    We recently started doing transparent proxying for port 80/TCP. Since
    this is a "test", I can't get a couple of more machines to do
    redundancy/failover. If the one machine dies, the transparent proxying
    can quickly be turned off. Apparently, squid has issues is you try to
    transparently proxy HTTPS, for example. For this reason, I can't use
    GPOs to configure the proxy settings, as it would take too long to get
    changes out to machines if the proxy died and we had to disable
    proxying. Not to mention that a number of these are personal machines
    (e.g. students'). Trying to do something where they had to configure
    the proxy server for every application would result in an exponential
    increase in the number of calls to the help desk.

    > 3. Put the MSN domain name in your own DNS to prevent the application
    > from reaching the server by hoping on port 80. I forgot what is the
    > domain name off the top of my head.

    This is what I'm doing currently. I have "authoritative" entries for,,, and a
    number of others all pointing to This will only last until
    someone figures it out, however.

    > 4. Block access to the local hosts file to avoid clever users from
    > adding the IP in the file (Windows will read this file first, then
    > DNS). Users should not be admins of their own machine.

    True, but when the users own those machines (see above, some of them
    belong to students), I can't control them. For faculty and staff, it's
    not a problem. Policy dictates that they don't use IM.

    > 5. Install an internal server if you have a large user base (country
    > wide or international). Microsoft has one that is easy to setup but
    > you'll need to use Windows Messenger instead of MSN messenger. They
    > also release Windows Communicator or something close that is Windows
    > Messenger on steroids.

    We don't use IM, internally, so no need.

    > There might be other ways. I'm just giving you my own recipe.

    Understood. Please don't think that I'm "bashing" any of your
    suggestions -- it's simply that they won't work in the environment I'm
    dealing with. This is something I've been struggling with for a lengthy
    period of time, with no solution having yet been found.


    Jeremy L. Gaddis, GCWN
    "If it's not on fire, it's a software problem."

  • Next message: Murad Talukdar: "secure disposal of backup tapes"

    Relevant Pages

    • Re: Why wont MS and some other sites load on Vista and W2K?
      ... All Windows 2000 (3 machines) and 2 Vista machines have this trouble. ... cannot access MSN or other Microsoft websites on any of their W2K or Vista ...
    • Re: Proxy Server
      ... >> believe that it is not selected by default on Windows 2000)... ... I have noticed that some machines at my ... >>> out passed the proxy server. ...
    • Re: Win200 gateway blocking FBSD html?
      ... > machines on this network can browse the web ... >> Is it somehow possible that the Windows gateway only allows Internet ... If you have Microsoft Proxy server ... installed with Proxy client on each of the machines, ...
    • Re: [opensuse] Re: apache log full of wpad.dat
      ... proxy set to manual and the operating systems the wpad lookup service is ... I have "no proxy" set on the windows machines ... I have set in hosts on both machines: ... which stops the log entries. ...
    • Re: Windows Update V5 Error 80200011 - Cannot download anything!!
      ... Two machines, both Windows XP service pack 2, behind a proxy. ... > installation history shows each failed download with error code 80200011. ...