Blocking Hotmail, yahoo and Messenger Services


sqladmin99

IS-IT--Management
Nov 14, 2002
US
Hi All,

We have a network of 20 computers under one domain. Operating systems are W2K Server and W2K Pro. We have one T1 line coming in through some kind of router (I don't have access to this router; the ISP maintains it) and all of the computers are connected to the router through a switch with 25 ports.

Recently my manager asked me to block the 'hotmail' and 'yahoo' websites. He doesn't want anyone to use any kind of messenger service (yahoo, MSN, ICQ, AOL) either. He also wants me to configure one computer on the network which can be used to access all of the blocked websites (hotmail and yahoo) and messenger services.

What would be the best way to handle this?
I appreciate your suggestions.

Thank you,
RS
 
Set up a group policy to block those websites and block your users from having the ability to install applications.
 
Your answer for blocking the different messengers resides in the firewall. From there you can block any port on your computer/server. I'm not sure if you can block a specific web site, but I'm sure you can block a specific port and that will successfully disable any messenger.

ICQ = Port 4000
Yahoo = Port 5010

Not sure for MSN or AOL.

Good luck!
 
Thanks 'ksukenny' and 'Elminster' for showing your interest in my post.

'Elminster', I tried port blocking but it seems like yahoo and MSN work on more than one port. They also keep changing their port on every new version.

'Ksukenny', which group policy do I need to change in order to block certain web-sites?

Appreciate your help.

RS

 
If you really want to lock the computer down you can apply a group policy that only allows apps you allow to run. In GP go to User Configuration -> Administrative Templates -> System and in the details pane configure "Run only allowed Windows applications". Not sure if this setting is in W2K; I have XP. The downside is that you have to list the exe for each application you want to run. There is also a setting to block apps as well: "Don't run specified Windows applications".
 
There is also a group setting to block certain .exe files from being run. This is much easier since you only want to block a few... As far as blocking websites, I'd like to know the answer to this one as well... shop guys keep searching porn. Temporarily I disabled Internet Explorer on their machines, but they still need to access the net and it puts someone else out when they have to come into the offices to use ours and be monitored.

Bill

 
Have any of you tried the Security setting in the Explorer Internet Options? If you add the URL to the Restricted sites, will it still be accessible? Can anyone change it back after? Just a thought.
 
Elminster, you beat me to it. You can set a policy under Computer Configuration -> Admin Templates -> Win Components -> Internet Explorer and in the details pane enable the policy "Security Zones: Do not allow users to add/delete sites".
 
Can you set these settings via a script or something, or does it have to be done locally?

Bill
 
You can block the IP address of their servers on your internet connection. If you are using a NIC on the server to get out to the internet, right click My Network Neighborhood, Properties, right click the network connection, Properties, highlight TCP/IP protocol, Properties, Advanced, Options, TCP/IP filtering, Properties.

You can filter out the IP addresses of their servers. Unfortunately, they may use servers in a round robin, so you will need to ping them several times by DNS name to obtain all the server IPs they are using.

Try ping -n 1000
That'll ping 'em 1000 times. Hopefully, you'll get all their IPs with that.
 
If you have Active Directory implemented you can create a GPO with these settings configured and apply it to the users you want this enforced on. Just create an OU and put the users in there and you should be all set, and you will only need to do this once. Or you can apply it at the domain level if you want it to be a company-wide policy.
 
Greetings.

One other thing you can do is to set up a proxy server. I have set up a FreeBSD server with Squid proxy software to filter the internet to block certain web sites etc.
 
MSN uses port 1863 TCP for instant messaging.

Cheers
Knut Erik
MCSE
 
For yahoo, simply block mail.yahoo.com






"In space, nobody can hear you click..."
 
This may help... all in one page:

Protocol/Port TCP/1863
Description msnp - MSNP (used by Microsoft Messenger Service)
* * *
Protocol/Port TCP/5010
Description yahoo - Yahoo! Messenger
* * *
Protocol/Port TCP/5190
Description aol - America-Online (AOL Instant Messenger), ICQ





 
Hi there, might be able to help you out with AOL Instant Messenger. The basic problem with Instant Messenger is it uses almost any open port. After some research, I found an article that advised that what you need to do is block access to the logon server. The URL for the logon server is logon.oscar.aol.com. Run an nslookup, and it'll give you the IP addresses. You can then write a rule on your firewall that will block traffic to it. My rule looks a bit like Deny>Default>Lan>*>Wan>IP address of login.oscar.aol.com. This is on a SonicWall Pro, and might look different for a Check Point or other firewall. I also understand that this changes once in a while, and you might need to revisit the rule every couple of months and make sure everything is still good. I also raised living hell with the subjects involved, and that will probably be the last time they install something they shouldn't on their systems. Hope this helps. Rich
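
The two IP-blocking posts above (pinging a round-robin name many times, and re-running nslookup on the logon server every couple of months) amount to one check, shown here as an added example that is not code from any poster in the thread. The function names, the hostname `login.example.test` and the documentation-range addresses are constructed for illustration.

```python
import socket
from typing import Callable, Iterable

Resolver = Callable[[str], Iterable[str]]

def system_resolver(hostname: str) -> list[str]:
    """One live lookup: every IPv4 address returned in a single answer."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []  # name did not resolve this round; keep going
    return [info[4][0] for info in infos]

def collect_ips(hostname: str, resolver: Resolver = system_resolver, rounds: int = 20) -> set[str]:
    """Union of addresses over repeated lookups, since round-robin DNS
    may hand back a different subset of the pool each time."""
    seen: set[str] = set()
    for _ in range(rounds):
        seen.update(resolver(hostname))
    return seen

def diff_rule(rule_ips: set[str], observed: set[str]) -> dict[str, list[str]]:
    """Compare the addresses in the existing deny rule with fresh lookups."""
    return {
        "missing_from_rule": sorted(observed - rule_ips),  # resolvable but not blocked
        "no_longer_seen": sorted(rule_ips - observed),     # stale entries to review
    }

def make_round_robin(pool: list[str], per_answer: int = 2) -> Resolver:
    """Constructed stand-in for DNS: rotates through pool, per_answer at a time."""
    state = {"i": 0}
    def resolve(_hostname: str) -> list[str]:
        start = state["i"]
        state["i"] = (start + per_answer) % len(pool)
        return [pool[(start + k) % len(pool)] for k in range(per_answer)]
    return resolve

# Constructed sample data (RFC 5737 documentation addresses, not real servers).
SAMPLE_POOL = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.14"]
SAMPLE_RULE = {"192.0.2.10", "192.0.2.11", "198.51.100.7"}

if __name__ == "__main__":
    observed = collect_ips("login.example.test", make_round_robin(SAMPLE_POOL), rounds=5)
    print(diff_rule(SAMPLE_RULE, observed))
```

A single lookup against the sample pool sees only two of the five addresses, which is why a rule built from one nslookup leaves gaps; running the comparison on a schedule also flags rule entries that no longer resolve.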
 
Hi guyz,

Just 1 question.

Do your clients have to be able to route through the router? The reason for this question is as follows.

In order to block all ports except 80 you will need to close each one of them manually, and there are a few out there.

What I have done is set up a firewall / proxy server. I use proxyplus for this.

Removed the gateway from all the PCs and forced them to use a proxy server in their web browser, and this automatically does everything that you need and more.

Just a few questions.

Do you have your own mail server or is it at your ISP's?
Do you have a webserver or is it your ISP's?

If you answer yes to the above, then are they on the same server or on different ones?

In order for me to answer your questions totally I am going to need this info.
 
If your clients are resolving through your DNS to get to the internet, you can also block by editing the hosts file. Just add entries to a default IP address for all the sites you wish to block. I've seen 127.0.0.1 used as the default, which redirects the user to use his own computer as the source IP for the DNS address. You can change the default to an IP address you create on your IIS with a default web page telling the user that the site has been blocked. Look here for some details on a list you can download that will block over 10,000 sites...

 