Novell Cool Solutions: Trench
Posted: 20 Feb 2001
Looking for ways to effectively block students (and staff) from accessing Napster from school computers? You're definitely not alone. School districts and universities (as well as corporations and government offices) are clamping down on people using their computers to download and share copyrighted music files without paying for them. In light of the recent litigation, this is becoming a very hot issue, and the poor beleaguered sys admins are feeling the heat. No matter how you feel personally about the issues, our guys are in need here. Here is how other sys admins are solving this problem. If you have other ideas or comments, please let us know.
- Tommy Mikkelsen
- Donald Hew
- Pete Gustafson
- Will Lamb
- Michael Molbech
- Derek Schostag
- Kim Ly
- Bob Munds
- Derek Reed
- Gert-Jan de Boer
- Vincent Szabang
- David Gerrish
- Joop van Buuren
- Jeff Farr
- Brian Fischer
- Martin Hugo
- Chuck Bass
- Jeff Ferrell
- Trevor Forrest
- Jimmy Benson
- Mike Henderson
- Erik Varn Semey
- Patrick Koppanen
- Chris Y. Valdez
- David Winget
- Ty Theierl
- Wayne Sprouse Posted April 3, 2001
What About Http Tunneling?
Here's a simple one.
Create a ZEN app that deletes the following keys from the registry:
By making this Forced Run, Run Always, Napster will not start, instead it'll launch your browser to start a download of the software again.
Only problem is, that once installed, Napster will run OK, but at the next reboot, it's gone again.
If you have any questions you may contact Tommy at firstname.lastname@example.org.
I have used a combination of Border Manager (BM) access rule and ZENworks.
Using BM access rule to block URL to http://*.napster.com/* would prevent students from downloading the software using the school's computer.
Create a Force Run NAL object and deliver a 1-byte file called Napster to C:\Program Files (this is provided that the software is not already installed on the computer). This will prevent students from installing the software on the computers. I have successfully used this method to prevent ICQ being installed as well. BTW, I use NAL as shell instead of explorer and use ZENworks policy to hide C: (and other) drives.
Lastly, use the acceptable policy which should include something like... used the internet for educational purposes that are appropriate to the classroom teachers...
If you have any questions you may contact Donald at email@example.com
Being a school district we dealt with this several months ago. As a foundation we have every person use SSO to get access to the internet. Second we created an access rule, for students only, that blocks napster.
Students have tried to work around it, however we have not heard them getting there yet. Also, we run a batch file once a week checking all student directories for mp3 files and deleting them.
If you have any questions you may contact Pete at PGustafson@wclark.k12.in.us
The trick to mislead the students away from Napster is to put a fake DNS entry into the server or the windows hosts file. That way whenever they try to access Napster they are instantly misdirected to somewhere like http://www.riaa.com.
If you have any questions you may contact Will at Will@ProFutures.com
The simplest way to block Napster is to block TCP port 8875. This is a "location" port for a Napster server. The Napster application can't contact Napster servers to find an available server and data port if this port is blocked. Simple solution.
We have blocked this port and users efficiently out of Napster, but we have problems with IMESH, Gnutella, etc. We can't figure out how to block these.
If you have any questions you may contact Michael at firstname.lastname@example.org
Here's an article in Information Security Magazine.
Scroll down to the middle - near the end and find the section where you can block the IP addresses of Napster's servers. There are also links to products that help restrict the use of P2P apps.
If you have any questions you may contact Derek at email@example.com
Use a product called NetNanny. It blocks out porn sites for us. Maybe you can configure it to block Napster. Just install NetNanny on one image or make a ZEN snAppShot to configure it to block the url.
If you have any questions you may contact Kim at firstname.lastname@example.org
With BorderManager this one is pretty easy.
- TID: 2954488
How to block download of files by extension
Create an access rule of type URL with the following syntax: http://*/*.mp3
- TID: 2954664
How to use wildcards in BorderManager 3.x
Create an access rule of http://www.napster.com/*
If you have any questions you may contact Bob at email@example.com
This is not a ZENworks solution, however blocking internet access to specific sites can be achieved by URL filtering at the firewall or in some cases the boundary routers. Some firewalls also provide keyword filtering.
To block Napster, use a sniffer. We use Elron Web Inspector.
One of the easiest ways to neutralize any popular executable file (such as Napster's .exe) is to put an APPPATHS entry for its executable in the registry so that Windows will substitute something innocuous, such as rundll32.exe (with no arguments).
(That's HKLM/SW/MS/WIN/CV/APP PATHS)
I use this to 'neutralize' popular programs in the RUN key, such as Yahoo pager (ypager.exe, I think) and AOL Instant Messenger (AIM95.exe, I think).
At our school we use BorderManager for internet access. This can also block Napster for students. We find this works fine.
We've tried a lot of things here on BorderManager but there seem to be two problems why Napster blocking is so difficult.
- Napster always uses different ports, when you block off one port, it simply goes to another one so that won't work.
- Other problem is that you can't block the Napster URL, it just prevents downloading the Napster software but you can get the software from a lot of places around the world.
Tried a lot of other things but no solutions yet. We can block mp3's on the router or on the e-safe but we want to have a more dynamic solution (BorderManager?).
Looking forward to answers.
The way we block users from accessing Napster is to use this file (Kill.exe) in our WS policies.
To do this:
- Add an action in the policy, eg. kill Napster.
- Set up the schedule to run when you wish.
- Go to advanced settings, then to Impersonation and set to system.
- Then under the Actions tab, set the name to point to kill.exe, and under parameters set it to -fNapster*.
What this will do is force kill anything with Napster in the title of any dialog boxes at the time you specified in the schedule.
If you have any questions you may contact David at dgerrish@NuEdge.com
Run ZENworks Application Launcher as shell, and set a policy that only allows NALWIN32.exe to run on the PC. This will stop the students from installing/running Napster as well as similar software.
If you have any questions you may contact Joop at vanBuuren@coh.fgg.eur.nl
Trick the workstation by creating an entry in the hosts file pointing www.napster.com to something like 127.0.0.1 or some other html or webpage address rather than the real IP?
Q158474 from Microsoft knowledge base provides Registry Keys to force the order of resolution, i.e., to be sure the hosts file resolves before the DNS lookup.
Remember, this is untested. But worth a try.
If you have any questions you may contact Jeff at JFarr@onitconsulting.com
- Setup a User Policy.
- Check "NT User System Policies"
- Click "Details" (or double-click on it)
- Under "default user" go to: "System" | "Restrictions" | "Run only allowed Windows applications" and put a check in it.
- Click on "Show"
- Add the .EXEs you want to allow.
This is tedious work because you have to allow all system files too. Your OS may need to run an .EXE that you didn't include and that could cause problems. What I did to get the list of .EXEs was this:
- I set up a test station and installed all the apps that I wanted users to have.
- Then I went to a command prompt and typed in the following command: c:\>dir *.exe /s > c:\temp\exelist.txt
- This created a text file with a list of .EXEs on the computer.
- Now include those .EXEs in your list.
The tedious part is that you could have 1,000 - 2,000 .EXEs to enter. I'm currently trying to look for a way to make the process easier. (There is an NDS Exporter that can export the list, maybe there is an NDS importer that can import the data?)
The result is that your computers will only run the .EXEs that you tell it to. All others including setup.exe, install.exe, .EXEs from the internet, .EXEs from e-mail, and Napster.exe will fail to run.
Now here's the pitfall if you have really smart users: They can take an e-mail .EXE and rename it to one that you allowed (i.e. rename napster.exe to winword.exe). Once it's renamed, it will run. Hopefully your users won't figure out how you have restricted them.
Try to figure out how to take away the rename rights on all .EXEs and then you've got it made. All our users have admin rights to the desktop; revoking those will probably work.
If you have any questions you may contact Brian at BFischer@MANHARD.COM
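The rename pitfall described above, worked through as an added example (not part of the original submission and not a feature of the NT policy, which matches on file name): an inventory built from the reference station records a content hash for each .EXE, so a renamed program passes the name check but fails the hash check. The file names and contents below are constructed stand-ins.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Content hash of one file (read whole; fine for a small demonstration)."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def build_inventory(root):
    """Walk the reference station (the `dir *.exe /s` step) and map each
    lower-cased .exe name to the set of content hashes seen under that name."""
    inventory = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() == ".exe":
            inventory.setdefault(path.name.lower(), set()).add(sha256_of(path))
    return inventory


def allowed_by_name(inventory, candidate):
    """Name-only check: passes any file that carries a listed name."""
    return Path(candidate).name.lower() in inventory


def allowed_by_hash(inventory, candidate):
    """Listed name AND contents identical to an inventoried build."""
    known = inventory.get(Path(candidate).name.lower(), set())
    return sha256_of(candidate) in known


def demo():
    """Constructed sample files; returns {case: (name_check, hash_check)}."""
    with tempfile.TemporaryDirectory() as tmp:
        files = {  # relative path -> constructed stand-in contents
            "reference/office/WINWORD.EXE": b"approved word processor build",
            "user/genuine/winword.exe": b"approved word processor build",
            "user/renamed/winword.exe": b"unapproved program, renamed",
            "user/other/setup.exe": b"installer not on the list",
        }
        for rel, data in files.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        inv = build_inventory(Path(tmp, "reference"))
        return {rel: (allowed_by_name(inv, Path(tmp, rel)),
                      allowed_by_hash(inv, Path(tmp, rel)))
                for rel in files if rel.startswith("user/")}
```

A hash inventory has to be rebuilt whenever an approved application is patched, since the new build hashes differently.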
It really is a no-brainer. Just have your filtering software block access to the site. Don't have filtering software in place? Oops, OK, just set your Windows security package (Fortres, Foolproof etc) so that it does not allow saves to the HD, only to floppies (can't get a tune on a floppy). Don't run any kind of workstation security package? Well, better start looking for a new job because you have a lawsuit waiting to happen.
What I did here was snap a Napster install, then generate reverse AOT. I associated it with all users. It runs at login and looks to see if the Napster registry exists, and if so, it removes all the registry entries and tries to uninstall the app silently. It's by no means foolproof, but it stops most users.
Here is a copy of the .axt.
If you have any questions you may contact Chuck at Chuck.Bass@liebert.com
If you are using NAL, you could do a simple force run silent application to delete or rename the napster.exe file. Just ensure your NAL windows are auto refreshing so it will continue to delete or rename the file as they will surely try to reinstall it. Hope this helps or points you in the right direction.
Currently we take an interesting view of restricting napster traffic. We determined that napster consumed about 50% of the bandwidth of our 6 T1 line. To fix this problem we installed a Packeteer packet shaper and reduced the available bandwidth for napster and about four other traffic types to about 700kB\s across all links.
So in effect students could still get to napster but the download times were unacceptable as far as they were concerned. This solution did not kill the service it merely discouraged the usage because of poor performance. We also reclaimed our available bandwidth. The Packet Shaper allows us to do this with virtually any traffic type.
If you have any questions you may contact Trevor at firstname.lastname@example.org
For Jimmy Benson's ingenious tools to fight Napster, Gnutella, and other programs like them, see this article.
I did a transition from one proxy to another recently. The default route and http proxy was set to one proxy going out. The default route to our network came to the other proxy. This worked great for Napster type programs as a connection could not be made. It was like going out one door and coming in another.
About blocking Napster, Gnutella and related Peer 2 Peer services: The company Packeteer makes Packetshaper that makes it possible to block only certain applications.
I would suggest a product that will scan all incoming and outgoing http traffic (stop internal users from uploading files), e.g. Tumbleweed MMS.
The MMS Web Filter provides organizations with the ability to reduce their corporate liability by monitoring and controlling submissions to Internet message boards and Web-based e-mail services such as Yahoo! Mail and Hotmail. In addition, WorldSecure/Web provides an integrated, centrally managed security solution that includes countermeasures to detect malicious mobile code (Java and ActiveX applets), restrict access to specific Web sites and content, control downloads of inappropriate files and software, and protect against Web-borne viruses. By defining and enforcing policies for Web usage, companies are able to reduce their legal liability, improve employee productivity, and enhance the efficiency and integrity of their networks.
If you're behind a firewall, you can block access to ports 6689, 6699, 8899. These are IP ports used by Napster and MusicCity for their download clients.
At our school, we have found that Napster is not the only problem with the internet access. It is downloads in general such as screen savers and wallpaper, etc. While looking for a solution, I discovered a free downloadable program at http://www.mybestsoft.com/iesec/ called Internet Explorer Security. The program enhances the security in IE, including control of file downloads, access to the Internet Options, and many other features. I have not located software to control Netscape yet. Any ideas?
After searching the net for the various ports and IP addresses associated with Napster (and there are a ton!), I tried to block access at the firewall by denying all access to, through, and from these specific ports and addresses. Sometimes it would work but other times the program would find a way through. I don't know why. What I did discover though, using a packet sniffer, was that the program will always look to DNS to find a server at napster.com.
So instead of going through the time-consuming process of updating and applying filters at my firewall, I created a separate primary zone on our internal DNS server for napster.com. I gave this zone a resource record for www and pointed it to a bogus IP address. Result, no more Napster access.
This will work for any environment which maintains their own internal DNS server. If your clients are configured to look to your internal DNS first then they will not be able to resolve this outside to the Internet. The only way around it, that I have found, is to specify my ISP's DNS server before our internal DNS server in the TCP/IP configuration. But this could easily be blocked with ZEN policies that would restrict access to the Network settings in Control Panel. Additionally, you could specify all of your DNS settings to be passed from your DHCP server.
Though this is not a 100% ZENworks solution, I did manage to incorporate some of its features.
If you have any questions you may contact Ty at email@example.com
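The workaround named above (a client pointed at an outside DNS server instead of the internal one) shows up at the firewall as port-53 traffic from a workstation to something other than the internal resolver. The following is an added example, not part of the original submission, that flags such clients; the log format, the resolver address 10.0.0.53, the client network and all sample lines are constructed assumptions.

```python
import ipaddress
import re

# Assumed addressing for this example, not taken from the article.
INTERNAL_RESOLVERS = {ipaddress.ip_address("10.0.0.53")}
CLIENT_NET = ipaddress.ip_network("10.0.0.0/16")

# Constructed log format: "<time> <action> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<action>ALLOW|DENY) (?P<proto>UDP|TCP) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

SAMPLE_LOG = """\
09:00:01 ALLOW UDP 10.0.4.21:1044 -> 10.0.0.53:53
09:00:01 ALLOW UDP 10.0.0.53:1029 -> 192.0.2.53:53
09:00:07 ALLOW UDP 10.0.7.88:1101 -> 192.0.2.53:53
09:00:09 ALLOW TCP 10.0.7.88:1102 -> 198.51.100.1:53
09:00:12 DENY UDP 10.0.9.14:1200 -> 192.0.2.53:53
09:00:15 ALLOW TCP 10.0.7.88:1103 -> 192.0.2.80:80
this line is malformed and is skipped
"""


def external_dns_clients(log_text):
    """Return {client_ip: sorted outside resolvers it was ALLOWED to reach on port 53}."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["dport"] != "53" or m["action"] != "ALLOW":
            continue
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if src in INTERNAL_RESOLVERS:
            continue  # the internal DNS server itself has to query outward
        if src in CLIENT_NET and dst not in INTERNAL_RESOLVERS:
            hits.setdefault(str(src), set()).add(str(dst))
    return {client: sorted(resolvers) for client, resolvers in hits.items()}


if __name__ == "__main__":
    for client, resolvers in external_dns_clients(SAMPLE_LOG).items():
        print(client, "->", ", ".join(resolvers))
```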
I have found a good way to block Napster at my school district. I use a ZEN App to uninstall Napster and similar applications and then set a BorderManager rule to block the downloading of the Napster client (*://*/*napv*.exe). I used the *napv*.exe because on every release of the Napster client napv is always in it. You then find common characters in all the others and block them the same way.
I also use Jim Benson's solution to ensure that if somehow a student gets Napster back onto a computer his solution will lock it down and my solution will then check every two minutes and uninstall Napster.
If you have any questions you may contact Wayne at firstname.lastname@example.org
I'm not a Novell Admin, I'm a student experienced with networks and admin (I have an RHCE for Linux machines, and am currently obtaining a CCNA, and am looking at possibly a CNE after that).
While some of the suggestions are good here are some ways around them:
- Our school uses laptops running '98, so many of the App blocking solutions don't work.
- They don't do app blocking for Napster because they are too sure that nobody can use it.
- So I tunnel SOCKS through BorderManager so I can tunnel HTTP to use VNC and the like for remote admin of my servers. I could be using it for Napster even easier.
I have been looking for solving the Napster usage by our students too. What I came up with is the program mentioned below. Http-tunneling can be used to get almost anything through your firewall.
ICQProxy is an application that allows people behind a firewall which allows only web-surfing (HTTP port 80) to use ICQ. HTTP-Tunnel is an extension of the technology developed for ICQProxy which allows users to use ANY internet application from behind a firewall.
How can we stop this?
See Jimmy Benson's solution. He has written a program that will look for all the MP3 file sharing programs, and will also look for the new troublesome software: HTTP-Tunnel, ICQProxy, and VCM software. If it finds this software running, it shuts it down without a prompt.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com