Re: Blocking Instant Messaging Applications

At the PIX or firewall, or wherever your ACLs are kept, block incoming
or outgoing traffic to oscar.aol.com, the messenger login servers,
trillian, yahoo, etc etc etc.

You should be able to pull those from the connection logs. The clients
initiate contact with those authentication services, and if they can't
reach them, then they cannot logon and use them.

Cleanest and easiest to me. If people cant logon to the service, then
you have rendered it useless.



On 11/21/05, Neksus <neksus@gmail.com> wrote:
> Jeremy,
>
> A solution that I implemented in the past (for MSN) is as follow:
>
> 1. Install a firewall, block everything that is a direct connection
> from the desktop.
>
> 2. Install a proxy for FTP, web and https (20/21/80/443). Only the
> proxy server should be allowed to directly connect to the internet.
>
> 3. Put the MSN domain name in your own DNS to prevent the application
> from reaching the server by hoping on port 80. I forgot what is the
> domain name off the top of my head.
>
> 4. Block access to the local hosts file to avoid clever users from
> adding the IP in the file (Windows will read this file first, then
> DNS). Users should not be admins of their own machine.
>
> 5. Install an internal server if you have a large user base (country
> wide or international). Microsoft has one that is easy to setup but
> you'll need to use Windows Messenger instead of MSN messenger. They
> also release Windows Communicator or something close that is Windows
> Messenger on steroids.
>
> 6. Relax and enjoy.
>
> There might be other ways. I'm just giving you my own recipe.
>
> (N)