Blocking programs from Internet Access?

Lars

Hi,

I know this is a difficult task, but I am trying to block _some_ Windows XP
Pro PCs in a corporate environment from using various programs that access
the internet, particularly chat software like AOL Instant Messenger and
the like. I have a Linux proxy/firewall between inside and the outside
world. Inside is a Windows 2000 domain. Does anyone have any suggestions?
I've searched around on the newsgroups and web, but I haven't found a clear
and manageable way to achieve this. I've looked at trying an IPSec policy
to try and explicitly close and open ports, from the Win 2K DC, but I am not
sure I understand how to implement such a policy.

thank you,
~Lars
 
hal

I don't know how to do it with GPO. I do know it will work from the
firewall router (I just had to do this at home). You need to block the
ports that AIM and other messenger programs use. AIM is 5190. Yahoo uses
5050 and 5100. This has worked for me.

regards

Hal
 
Lars

Thank you for the reply. I think I figured out how to create a GP from the
Win 2K DC to block the ports. This allows me to apply to computers in a
specific OU. The only problem now is that AIM will search for any
available port it can find. Blocking that is a tough one. I may just break
down and get ZoneAlarm on the PCs in question.

btw - for the reference of others, I started with
How to Block Specific Network Protocols and Ports by Using IPSec
http://support.microsoft.com/default.aspx?kbid=813878

~Lars
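
An added example, not part of the original thread: because a client that hunts for any open port defeats a per-port blocklist, the usual alternative on the Linux firewall is to refuse all routed traffic from the restricted PCs so the proxy is their only way out. It assumes the firewall uses iptables and that the proxy runs on the firewall itself; the chain name and client addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: the Linux firewall uses
# iptables, the proxy runs on the firewall itself (so proxied traffic hits
# INPUT, not FORWARD), and the client addresses below are constructed.
RESTRICTED_HOSTS="10.0.0.21 10.0.0.22"   # constructed sample addresses
CHAIN="RESTRICTED_OUT"                   # hypothetical chain name

# Print the iptables commands for review; pipe the output to sh to apply.
build_rules() {
    hosts=$1
    for ip in $hosts; do
        # Refuse any token that contains something other than digits and dots.
        case $ip in
            ''|*[!0-9.]*) echo "bad address: $ip" >&2; return 1 ;;
        esac
    done
    echo "iptables -N $CHAIN"
    # Replies on connections opened from outside toward these hosts still flow.
    echo "iptables -A $CHAIN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Log, then refuse, every new routed connection, whatever port it targets.
    echo "iptables -A $CHAIN -j LOG --log-prefix 'egress-denied: '"
    echo "iptables -A $CHAIN -j REJECT --reject-with icmp-port-unreachable"
    # Send all forwarded traffic from each restricted PC through the chain.
    for ip in $hosts; do
        echo "iptables -I FORWARD -s $ip -j $CHAIN"
    done
}

build_rules "$RESTRICTED_HOSTS"
```

The logged `egress-denied:` entries show which ports the chat client tries, and whatever filtering remains for those PCs is then done in the proxy's own access rules.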
 
Steven Umbach

You also might want to try adding the AIM executable to the disallowed Windows
Applications list for those users in user configuration/administrative
templates/system. That is not foolproof if they figure out they can rename the
executable. Also add install.exe and setup.exe if you want to inhibit them from
installing applications. If you have any XP Pro computers on the network you can
use Software Restriction Policies to prevent the use of unauthorized
applications. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;323525
http://www.securityfocus.com/infocus/1559 --- another good source on IPSec
filtering.
 
Lars

Hi Steven,

Your recommendations are just the tools needed. It looks like the Software
Restriction Policy is a powerful tool to handle this. Unfortunately, it
will take a lot of tweaking to make it bulletproof because I tested and
found some loopholes. I think I know how to make the lockdown tighter.
btw - Software Restriction Policies are only available in XP and 2003. I
have a 2000 domain with XP clients, but I can just set local policies on the
client for now. Thanks again.

~Lars
 
Steven Umbach
