

Blocking MSN Messenger
BorderManager Cool Solutions Article

Updated on 18 Feb 2004

Note: For ideas about how to block MSN Messenger 5, see this article.

There are lots of articles and information on the Cool Solutions sites on how to block Instant Messenger programs (the lowest form of code in a school admin's eyes). For most programs, a firewall provides most of the protection through its ability to block traffic by port.

Problem:

The most widely used messenger in many locations is MSN Messenger. Therein lies the problem:

If you block the main port that it uses (1863) using a firewall, MSN is smart enough to send data on port 80 (the standard HTTP port). So how do you stop all that chatting?

Answer:

1. In the registry, navigate to: \HKUR\Software\Microsoft\MessengerService\

2. Find the item named Server: messenger.hotmail.com;64.4.13.50:1863. Change this value to Null;0.0.0.0:0

That's it. Combine this with a program that can perform this change, put it on a force run, and No More Chatting!

Other Suggestions

Klaus Plantius

How to remove MSN messenger automatically (we didn't want our students to chat):

Put the following line in a login batch file or script:

if exist "c:\program files\messenger\*.*" RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Remove,5
if exist "c:\program files\messenger\*.*" deltree /Y "c:\program files\messenger"

If you have any questions you may contact Klaus at klausito@zonnet.nl

Peter Schouten

If you have policies that prohibit the use of chat software etc., you'll want to put MSN in BorderManager also. However this doesn't work since hotmail uses the same server address. So on to the next option, putting port 1863 in your firewall, oops, MSN now uses port 80.

Here's the trick:

Put a line in your hosts file on the PC which tells the MSN Messenger to look for the MSN server on local loopback. Voila! 127.0.0.0 gateway.messenger.hotmail.com is the server address to use.

If you have any questions you may contact Peter at pschouten@hsbos.nl

Kevin Buckley

I have searched for solutions to block MSN messenger in Cool Solutions. I really wanted the solution to be a BorderManager implementation. I read where Messenger will change ports if you enforce rules to initially block it - so I tried creating an access rule to block the IP range when a user tries to sign in. I blocked 64.4.13.170 - 64.4.13.190 as an access rule.

This worked great for me. When a user tries to sign in, they can't.

(I am sure other people have tried this, and it may be old news to some. But it works great.)

Anonymous

MSN is a nuisance and at the same time a great tool for me and my colleagues at the schools around our area. So for us, closing down MSN, ICQ or any other instant messaging system is not the answer.

But I do understand the problem. A better solution would be to teach the kids not to install software on the computers at school and to use chat and instant messaging as a worktool when it can be used as that.

Brent Olton

Much has been posted on this topic, but here's the three-minute solution.

We use DNS services from Netware. I have set up 'fake' DNS entries for gtwy.messenger.hotmail.com and messenger.hotmail.com pointing to the loopback address 127.0.0.1 (Similar to Peter Schouten's tip).

This is easier to implement, and is not dependent on policies, logins or host files.

In less than three minutes I have 3000 workstations blocked - Linux included!

This could be locked down even further by combining with other cool solutions, though I haven't yet found the need to do so.

If you have any questions you may contact Brent at beolton@tstt.co.tt

Gert-Jan de Boer

The solution is simple. Block all the IP ranges used by MSN Messenger. All versions seem to use different IP ranges. But this should do the trick:

Allow: 65.54.244.42
Block: 65.52.0.0 - 65.55.255.255
Block: 207.68.0.0 / 255.255.0.0
Block: 207.46.0.0 / 255.255.0.0

This way MSN Messenger is blocked, but Hotmail still works! Now the students can read their mail and the Messenger doesn't work.

I found that Hotmail and MSN Messenger both use the same initial server to connect: login.msn.com. I couldn't block that one, because hotmail wouldn't work anymore. A little bit more poking around found me a couple of IP addresses. Looking up the whois information I found an entire range bought by Microsoft. In this range they put their MSN servers. By allowing 1 IP address (hotmail) and blocking the rest of the ranges it should work now.

If you have any questions you may contact Gert-Jan at GJdeBoer@rocfriesepoort.nl

David Procida

Previous cool solutions have been close, but they have all been flawed. The latest cool solution for blocking MSN Messenger also ends up blocking access to www.microsoft.com which is likely to be an unwanted side effect. Both the port and destination IP range need to be blocked.

EXAMPLE:

Block Port 1863
IP Address Range
207.46.110.0/255.255.255.0
64.4.13.0/255.255.255.0
65.52.0.0/255.255.0.0

**This block will not affect hotmail or microsoft.com access**

Similar restrictions can be put in place using Excelerator by blocking (or allowing for some users) the IP address ranges shown above using the Access Control List functionality in Excelerator.

In a BorderManager/Excelerator environment, the restriction can be handled on either or both devices, dependent on the organisation's architecture.

Please note that in testing MSN Messenger 6 it appears to only use the 207.46.110.X range if 1863 is blocked, so the blocking of destination IP ranges should not be the only rule relied on; TCP 1863 should be included. If TCP 1863 is open then it will connect to a range of 207.46.X.X which includes the microsoft.com site.

If you have any questions you may contact David at dprocida@goldcoast.qld.gov.au
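
The allow/block lists in the last two suggestions can be checked offline before they go into a firewall. The following is an added example, not code from the article or its contributors: it parses the three address notations used above and evaluates constructed sample destinations against each list. Assumptions: rules are evaluated first-match with a default of allow, and David Procida's list is read as "block TCP 1863 to any destination, plus block the listed ranges on any port".

```python
import ipaddress

def parse_range(spec):
    """Parse 'a.b.c.d', 'net / dotted-mask' or 'first - last' into networks."""
    spec = spec.replace(" ", "")
    if "-" in spec:
        first, last = (ipaddress.ip_address(p) for p in spec.split("-"))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(spec)]  # also accepts a dotted netmask

def rule(action, spec=None, port=None):
    # spec=None matches any destination; port=None matches any port.
    return (action, parse_range(spec) if spec else None, port)

def decide(rules, dst, port):
    """First matching rule wins; unmatched traffic is allowed (assumption)."""
    addr = ipaddress.ip_address(dst)
    for action, nets, rule_port in rules:
        if rule_port not in (None, port):
            continue
        if nets is None or any(addr in n for n in nets):
            return action
    return "allow"

# Gert-Jan de Boer's list, in the order given on the page.
LIST_A = [rule("allow", "65.54.244.42"),
          rule("block", "65.52.0.0 - 65.55.255.255"),
          rule("block", "207.68.0.0 / 255.255.0.0"),
          rule("block", "207.46.0.0 / 255.255.0.0")]

# David Procida's list (port rule read as "any destination": assumption).
LIST_B = [rule("block", port=1863),
          rule("block", "207.46.110.0/255.255.255.0"),
          rule("block", "64.4.13.0/255.255.255.0"),
          rule("block", "65.52.0.0/255.255.0.0")]

# Sample flows; the 207.46.x.10 addresses are constructed for illustration.
FLOWS = [("65.54.244.42", 80), ("207.46.110.10", 80), ("207.46.200.10", 80),
         ("207.46.200.10", 1863), ("64.4.13.50", 1863)]

def compare(flows=FLOWS):
    """Return (dst, port, decision under LIST_A, decision under LIST_B)."""
    return [(d, p, decide(LIST_A, d, p), decide(LIST_B, d, p)) for d, p in flows]

if __name__ == "__main__":
    print("65.52.0.0 - 65.55.255.255 =", parse_range("65.52.0.0 - 65.55.255.255"))
    for dst, port, a, b in compare():
        print(f"{dst}:{port:<5} list A: {a:<6} list B: {b}")
```

The third flow shows the side effect David describes: the broad 207.46.0.0 block in the first list also stops port 80 traffic to the rest of that range, while the narrower list leaves it reachable.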