Re: How to Block MSN ... [7:30891]
off.

Brian wrote in message news:[EMAIL PROTECTED]...

> You could lock down the boxes, you know secure case monitoring, use nt/2k so only superuser can install software, disable floppy.

I knew a company that tried that once. Turned out, the tech-savvy dudes responded by just bringing in their own personal laptops and used that to do the objectionable behavior - messenger, porn, Napster, games, whatever. It was pretty much untraceable when wireless Metricom Ricochet was still around. But even when that died, they just concealed themselves with a bunch of http proxies.

And, now that I think about it, you don't even need to bring in your own computer at all. I heard of one guy who took his company PC and got into its BIOS (I believe he did a password-recovery to bypass the BIOS password the company set up), and he set the computer to boot from CD. He then went down to the local CompUSA, bought himself a super-cheapo hard-drive, hooked it to his company PC, and then, using his personal Windows CD, installed a fresh copy of Windows on that 2nd drive, dual-boot. So when he needed to access company resources, he would boot into the company-sanctioned Windows. When he wanted to 'do his thang', and he just needed internet access and not any company resources, he would boot into his renegade Windows.

The point is that attempting to deal with employee behavior through purely technical means, without serious backing from HR, often results in a cat-and-mouse game, where, at the end of the day, users who want to goof off will eventually find a way to goof off no matter what. The larger your organization, the better the chance of there being one guy working there who knows IT better than the IT department does. And like I said, once he figures out a way to beat the system, he invariably tells his buddies how, who then tell their buddies how, and before you know it the situation has pretty much reverted to what it was previously.

Of course, I'm of the opinion that all this employee tracking is basically bullshi* anyway. If a guy is doing good work, who really cares if he spends all his time on IM? You might say that in some jobs, it is difficult to tell who's doing a good job and who isn't. But I would respond that in such situations, it is more productive to spend your time devising a method to measure job performance rather than spending time playing Big Brother with your employees.

> Bri
>
> ----- Original Message -----
> From: Jarmoc, Jeff
> To:
> Sent: Friday, January 04, 2002 7:20 AM
> Subject: RE: How to Block MSN ... [7:30891]
>
> > But truly the best way is to simply have company policy that bans messenger.
>
> Because we all know that always works, right?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=31010t=30891
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: How to Block MSN ... [7:30891]
It seems so easy - just block the default control port (1863), and you're done, right? Wrong. This is because the Microsofties, those little devils, have decided to make MSN Messenger compatible with firewalls. Therefore, it will try port 1863 first. If this doesn't fly, it will then imitate web-traffic (port 80). So blocking out port 1863 will only disable some of the advanced features, like voice chat. But not the basic Messenger functionality.

If you are using an application-proxy like SOCKS for all your users' web-browsing then you could manipulate the SOCKS config to disable Messenger connections.

Another (inelegant) way is to block out access to the Microsoft messenger servers by IP address - access-lists, routes to Null, that kind of thing. Just be careful that you don't inadvertently block out access to web pages at the Microsoft website, cuz it would suck if you denied your NT/2000 sysadmins the crucial ability to consult Microsoft for techsupport.

Yet another way is to change the DNS config files to send Messenger requests to a bogus address. Of course this works only if you're running your own DNS servers, and not using your provider's.

But truly the best way is to simply have company policy that bans messenger.

Engelhard M. Labiro wrote in message news:[EMAIL PROTECTED]...

> It uses TCP port 1863. See the detail at MSN page itself
> http://messenger.msn.com/support/firewall.asp
>
> HTH
>
> > Can anyone tell me how can I block msn messenger on my network. What port in the access list should I block to stop workers from using msn messenger? Does it use a fixed port? I am using 2503 router with NAT enabled

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=30904t=30891
RE: How to Block MSN ... [7:30891]
> But truly the best way is to simply have company policy that bans messenger.

Because we all know that always works, right?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=30929t=30891
Re: How to Block MSN ... [7:30891]
It's not a case of choosing something that works all the time. It's more a case of turning it from a technical problem to an HR problem.

Because let's face it. Even if you do manage to find a way to block out messenger for most people in your office you're always going to have one employee who knows a lot about computers, and will figure out a way to circumvent whatever roadblocks you've put in his way. For example, he'll set up a proxy at his home computer and get to messenger that way. Then of course that employee will inevitably tell others how to do it, and you'll pretty much wind up with the same situation as before. Then you'll have a grand old time trying to find and ban all the proxies, and whenever you ban one, another one will inevitably pop up. It becomes like the amusement-park game of Cisco whack-a-mole, with the difference being that there's no teddy bear if you win.

Jarmoc, Jeff wrote in message news:[EMAIL PROTECTED]...

> > But truly the best way is to simply have company policy that bans messenger.
>
> Because we all know that always works, right?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=30983t=30891
Re: How to Block MSN ... [7:30891]
Not that I think doing this type of stuff on employees is a good idea, but I've been in positions where it was needed.

By making the HR policy and having midlevel managers reinforce its existence in meetings you've done a good part of warning. Then by *allowing* the application's default behavior you can monitor usage. With monitored usage, contact folks personally with a "hey, we know what you're doing and it's breaking company policy" message; this can be a great task for NOC personnel in the downtime. The final step is using those managers who have surely exposed themselves as supporters of this policy. Make the list of violators available as a matter of record and they'll do all the dirty work for you. Word of these examples will spread and usage tends to all but stop.

I've found this much easier and more rapid than outright prevention, which is a very difficult war to win in today's corporate networks, which don't depend upon proxies and bastions to interact with the outside world.

nrf wrote:

> It's not a case of choosing something that works all the time. It's more a case of turning it from a technical problem to an HR problem.
>
> Because let's face it. Even if you do manage to find a way to block out messenger for most people in your office you're always going to have one employee who knows a lot about computers, and will figure out a way to circumvent whatever roadblocks you've put in his way. For example, he'll set up a proxy at his home computer and get to messenger that way. Then of course that employee will inevitably tell others how to do it, and you'll pretty much wind up with the same situation as before. Then you'll have a grand old time trying to find and ban all the proxies, and whenever you ban one, another one will inevitably pop up. It becomes like the amusement-park game of Cisco whack-a-mole, with the difference being that there's no teddy bear if you win.
>
> Jarmoc, Jeff wrote in message news:[EMAIL PROTECTED]...
>
> > > But truly the best way is to simply have company policy that bans messenger.
> >
> > Because we all know that always works, right?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=30989t=30891
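The monitoring approach described in the message above (leave the client's default port open and watch who uses it), sketched as an added example that is not part of the original thread. It assumes the router logs matches through an entry such as `access-list 110 permit tcp any any eq 1863 log` (the ACL numbers are hypothetical) and tallies the resulting `%SEC-6-IPACCESSLOGP` syslog lines per internal host; the log lines are constructed samples.

```python
import re
from collections import defaultdict

MSN_PORT = 1863  # default MSN Messenger port named in the thread

# Cisco IOS ACL log message for TCP/UDP matches (%SEC-6-IPACCESSLOGP).
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<pkts>\d+) packets?"
)

# Constructed sample syslog (private/documentation addresses, hypothetical ACL numbers).
SAMPLE_LOG = """\
Jan  4 09:12:01 gw 101: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 10.1.1.23(1187) -> 192.0.2.40(1863), 1 packet
Jan  4 09:17:01 gw 102: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 10.1.1.23(1187) -> 192.0.2.40(1863), 14 packets
Jan  4 09:20:44 gw 103: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 10.1.1.57(1302) -> 192.0.2.41(1863), 3 packets
Jan  4 09:21:10 gw 104: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 10.1.1.23(1190) -> 198.51.100.7(80), 22 packets
Jan  4 09:25:00 gw 105: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.2)
Jan  4 09:30:12 gw 106: %SEC-6-IPACCESSLOGP: list 120 denied tcp 10.1.1.99(1400) -> 192.0.2.40(1863), 2 packets
"""


def messenger_usage(log_text, port=MSN_PORT):
    """Tally permitted TCP flows to `port` per source host."""
    usage = defaultdict(lambda: {"packets": 0, "entries": 0, "servers": set()})
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m is None:
            continue  # not an ACL log line
        if (m["action"], m["proto"], int(m["dport"])) != ("permitted", "tcp", port):
            continue  # denied, UDP, or some other service (e.g. web on 80)
        rec = usage[m["src"]]
        rec["packets"] += int(m["pkts"])
        rec["entries"] += 1
        rec["servers"].add(m["dst"])
    return dict(usage)


def report(usage):
    """Rows of (host, packets, log entries, servers), heaviest user first."""
    rows = [(h, r["packets"], r["entries"], sorted(r["servers"])) for h, r in usage.items()]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    for host, pkts, entries, servers in report(messenger_usage(SAMPLE_LOG)):
        print(f"{host:<12} packets={pkts:<4} entries={entries} servers={','.join(servers)}")
```

A client that has fallen back to port 80, as described earlier in the thread, does not appear in this tally; it only sees the default-port behaviour.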
Re: How to Block MSN ... [7:30891]
You could lock down the boxes, you know secure case monitoring, use nt/2k so only superuser can install software, disable floppy. It's not perfect but that plus a policy is what you need.

Bri

----- Original Message -----
From: Jarmoc, Jeff
To:
Sent: Friday, January 04, 2002 7:20 AM
Subject: RE: How to Block MSN ... [7:30891]

> But truly the best way is to simply have company policy that bans messenger.

Because we all know that always works, right?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=31000t=30891
Re: How to Block MSN ... [7:30891]
googled for msn messenger ports and got

http://messenger.msn.com/support/firewall.asp

Brian Sonic Whalen
Success = Preparation + Opportunity

On Fri, 4 Jan 2002, Ziyaad wrote:

> Hi all
>
> Can anyone tell me how can I block msn messenger on my network. What port in the access list should I block to stop workers from using msn messenger? Does it use a fixed port? I am using 2503 router with NAT enabled
>
> Regards
> Ziyaad

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=30896t=30891
Re: How to Block MSN ... [7:30891]
It uses TCP port 1863. See the detail at MSN page itself
http://messenger.msn.com/support/firewall.asp

HTH

> Can anyone tell me how can I block msn messenger on my network. What port in the access list should I block to stop workers from using msn messenger? Does it use a fixed port? I am using 2503 router with NAT enabled

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=30897t=30891