RE: How do I block Skype on ISA 2006

RE: How do I block Skype on ISA 2006 - 11.Aug.2008 4:02:48 PM   
ahassim

 

Posts: 25
Joined: 10.Jun.2008
Status: offline
quote:

ORIGINAL: justmee

If you only allow a whitelist of HTTPS sites, you can kill Skype with ISA with no add-ons on it(I have assumed that you do not have an allow all rule in place, just the needed protocols to needed destinations, because Skype searches for any "open" port it can find). Anyway allowing "all" HTTPS web sites on ISA(with no add-on on it), is not a good idea, as if your users are smart, you can't really block anything.



Hi Paulo,

I was referring to the comments made by Jason however managing access to https sites will become a nightmare especially with 2000 users behind it.

I think the SSL decoder will definitely help in this regard but I will have to try it in a lab - not willing to risk my live environment with freeware.

Regards,
Aadil

(in reply to justmee)
Post #: 21
RE: How do I block Skype on ISA 2006 - 11.Aug.2008 5:04:27 PM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
Hi,
If you want to allow your users to access two-three https sites, the whitelist will work.
If not, you can use Websense or GFI to filter allowed websites.
If you do not have any of these filtering capabilities, your users could simply establish a SSL tunnel to their home net, and then access any web sites, use IM or whatever favourite software they would have. ISA can do nothing, since it cannot see inside that SSL tunnel.
But that would be complicated for your users.
However, there are some services out there offered by some folks, and your users can purchase from them even a usb device with a portable version of Firefox, and doing so, they will use the https proxies offered by those funky dudes to tunnel their web traffic through your ISA. Catch them if you can!

It's not all about SSL though, if you have an allow all policy on ISA, they might tunnel their data over "simple" tunnels, like Teredo for example.

I was reading the license agreement, which was saying something like I use it at my own risk, and if I found a bug or so, this may be fixed or not, this remains to be seen.
I do not mind doing that, given the value of the application, but at that moment I did not want to break anything on my ISA, even in my lab.

Regards,
J

(in reply to ahassim)
Post #: 22
RE: How do I block Skype on ISA 2006 - 11.Aug.2008 5:34:31 PM   
pwindell

 

Posts: 2243
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Has anyone ever thought of:

1. Uninstall Skype from the user's machine.  Pretty hard to run it if it is not there.  Then actually enforce Company Policy if users install unapproved software on the company owned machines.

2. Don't let the users be local Admins (when possible),....this prevents many installations.

3.  Skype's address Range is 204.9.163.128 - 204.9.163.191.  Create an Address Range Set with this and add it to a Deny Rule at the top of the list that is assigned to All Users.  This should work against all Client Types.  Pretty hard to use Skype if you can't get to the website to download it,...and pretty hard to use Skype if the Client software needs to contact the Skype Servers and can't connect to the Skype Servers.  I don't know if it requires "Skype Servers" to operate,...I don't use it,..so that part is a guess.

4. You don't always have to fully block something,...severely crippling something can be helpful to discourage users from using it,...and it will generate log entries that help you find the users who attempt to use it,...which can lead to the fun and exciting "Public User Beatings" that I love so much.

Sorry if I am too simplistic.



_____________________________

Phillip Windell

(in reply to justmee)
Post #: 23
RE: How do I block Skype on ISA 2006 - 12.Aug.2008 1:57:54 AM   
ahassim

 

Posts: 25
Joined: 10.Jun.2008
Status: offline
Hi Phillip,

Thank you for your input.

I have brought up the issue of using group policy to remove Skype from all machines but this is a bit of a challenge for my customer as many of their users are clever enough to log on using Windows cached logon credentials without being plugged onto the network and therefore not pulling down the group policy.

I have also made mention of removing local administrative rights from the user but this wasn't taken too seriously in the past - might be a good time to bring it up again. This will eliminate more than just Skype being installed on the machines.

Thanks for the Skype address range - I will definitely try to add a rule to block it and advise if successful.

Thanks again for your input - appreciate it.

Regards,
Aadil


(in reply to pwindell)
Post #: 24
RE: How do I block Skype on ISA 2006 - 12.Aug.2008 2:59:36 AM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
Not contesting all of the above, but keep in mind that users do not have to install anything, they can use a portable version of their software copied on a USB flash or on a CD.
So you might want to limit access to those too, if possible.
VMware made it simple for everybody to craft "portable" software, although that was not their intention with Thinapp.
Also many applications can be installed without admin rights.

Personally I gave up blocking Skype by destination IPs a while ago when I attempted to figure out what Skype does. It always was a new one, and again another one, and another one.....
Might work though to block the Connect method with IP addresses, as clients will very likely use the Connect method with an IP address (p2p) and not a FQDN. Don't know how you do that with ISA though.
Regards,
J

< Message edited by justmee -- 12.Aug.2008 7:00:37 AM >

(in reply to ahassim)
Post #: 25
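The two network-side ideas raised so far (the deny rule on the address range 204.9.163.128 - 204.9.163.191 from post #23, and treating CONNECT requests aimed at an IP address rather than an FQDN as suspect from post #25) can at least be checked against proxy logs before any rule is enforced. The following is an added example, not code from any poster or from ISA Server; the tab-separated log layout, the sample lines and the function names are constructed for illustration and are not ISA's native log format.

```python
import ipaddress
from collections import Counter

# Address range quoted in post #23, collapsed into CIDR network(s).
LISTED_RANGE = list(ipaddress.summarize_address_range(
    ipaddress.ip_address("204.9.163.128"),
    ipaddress.ip_address("204.9.163.191")))

# Constructed sample log: client IP, user, method, target (tab-separated).
SAMPLE_LOG = """\
10.0.0.21\tCORP\\alice\tCONNECT\twebmail.example.com:443
10.0.0.34\tCORP\\bob\tCONNECT\t198.51.100.77:443
10.0.0.34\tCORP\\bob\tCONNECT\t203.0.113.9:443
10.0.0.34\tCORP\\bob\tGET\thttp://intranet.example.com/
10.0.0.40\tCORP\\carol\tCONNECT\t204.9.163.150:443
10.0.0.41\tCORP\\dave\tCONNECT\t[2001:db8::5]:443
malformed line without enough fields
"""


def split_host(target):
    """Return the host part of a CONNECT target (host:443 or [v6]:443)."""
    target = target.strip()
    if target.startswith("["):
        end = target.find("]")
        return target[1:end] if end != -1 else target
    host, sep, port = target.rpartition(":")
    return host if sep and port.isdigit() else target


def literal_ip(host):
    """Return an address object if host is an IP literal, else None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def review(log_text):
    """List CONNECT requests whose target is an IP literal, not a name."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 4:
            continue  # skip lines that do not match the assumed layout
        client, user, method, target = fields
        if method.upper() != "CONNECT":
            continue
        ip = literal_ip(split_host(target))
        if ip is None:
            continue  # CONNECT to a host name: whitelist territory
        findings.append({
            "client": client,
            "user": user,
            "dest": str(ip),
            "in_listed_range": any(ip in net for net in LISTED_RANGE),
        })
    return findings


def per_client(findings):
    """Count IP-literal CONNECTs per client to rank hosts for follow-up."""
    return Counter(f["client"] for f in findings)


if __name__ == "__main__":
    results = review(SAMPLE_LOG)
    for f in results:
        print(f)
    print(per_client(results).most_common())
```

Running a report like this over real logs first shows how much legitimate traffic also uses CONNECT to bare IP addresses before a deny rule is put in place.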
RE: How do I block Skype on ISA 2006 - 12.Aug.2008 8:07:41 AM   
Rob_the_swede

 

Posts: 36
Joined: 9.Aug.2008
From: SWEDEN!
Status: offline
Do you have any antivirus-software that allows you to block Skype from running?
I use that approach to block access to both sites and unwanted programs with Panda antivirus. Then you get the policy to be in effect even when the user is not connected to the network.  Just a thought.

_____________________________

That's all folks!

(in reply to justmee)
Post #: 26
RE: How do I block Skype on ISA 2006 - 12.Aug.2008 9:15:40 AM   
paulo.oliveira

 

Posts: 3471
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

from what I can tell Skype can be installed with no admin rights. About blocking the skype IP range to avoid download, this may not work if the usb drives are allowed.

Skype is a p2p application, so as far as I know there's no way to block skype using a particular IP range.

Regards,
Paulo Oliveira.

(in reply to pwindell)
Post #: 27
RE: How do I block Skype on ISA 2006 - 12.Aug.2008 10:06:54 AM   
pwindell

 

Posts: 2243
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
quote:


I have brought up the issue of using group policy to remove Skype from all machines but this is a bit of a challenge for my customer as many of their users are clever enough to log on using Windows cached logon credentials without being plugged onto the network and therefore not pulling down the group policy.


1. Group Policy doesn't have anything to do with it.

2. If they are not on the network Skype isn't going to be of much use.

Some have mentioned USB, DCs, VMs,...well if the users are that dedicated, and totally given over to, and absolutely driven to just screw off all day,...how is ISA ever going to be a babysitter for that?  It isn't, no way, not gonna happen.  If Management won't control their own people, forget it, you're screwed, the war is over,..you lost.  If the Managers are too lazy to get off their rearends, walk over to the person's desk and "remedy the situation" you are wasting your time.

_____________________________

Phillip Windell

(in reply to ahassim)
Post #: 28
RE: How do I block Skype on ISA 2006 - 12.Aug.2008 11:38:14 AM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
A while ago, I was hired at a private company to lead their security team in a new project they implemented on their network.
They were running a mixed environment, an administrative nightmare.
Part of what I did, due to their concerns that people may use unallowed software on their network, was to provide some documentation about various programs and their behaviour, for example Skype was on the list.
Also I had to make practical demonstrations of evading techniques regarding the use of unapproved software on their network or to tunnel data through their firewalls.
And to identify how were users at that time bypassing their security policies.
Interesting, they suggested to block Skype with Kaspersky, on users' machines. However, I successfully bypassed that.
That's why it would be interesting to hear how Panda blocks Skype. I suspect in a similar fashion as Kaspersky.
We did find a couple of ways, above mentioned, to really block Skype for example.
As part of their end goals, specifically mentioned, was to have the technical means of blocking the use of certain applications, without underestimating users' inventivity, which at that time was causing them troubles due to relaxed firewall policies and misconfigured IPS rules. They were concerned about the possibility of the existence of an internal attack too, so they wanted to mitigate this possibility(but this is off-topic).
Funny though, we find stuff like this on their network.
Coming back to the original question of the topic, they use, part of the final solution, ISA Firewall 2006 with WebSense along with an in house crafted Snort IPS (they had a couple of talented Linux guys). Also ISA Firewalls were used to physically segment their internal network, and to simplify management.
Doing so they benefited from a strong solution with immediate effects. They were very pleased with the final outcome.
After that, backed by technological means, management was working hard  to educate users. Actually I was chatting with them a few days ago, and they told me that now they observed an improvement regarding the education of their users, they obtain better results than in the past with the current design in place.
At the end of the day, you need to know what exactly you want to address at each level, how important are for you certain aspects and to find the right balance, as balance is the key word in everything IMHO.
Regards,
J

< Message edited by justmee -- 12.Aug.2008 12:04:33 PM >

(in reply to pwindell)
Post #: 29
RE: How do I block Skype on ISA 2006 - 20.Aug.2008 1:02:40 AM   
sthe

 

Posts: 36
Joined: 8.Dec.2005
Status: offline
If you only allow authenticated users through the ISA, I guess you can block Skype like this: Find out what the process that accesses the internet is called, I guess it is called Skype.exe. You can find it in the ISA firewall log. Then add it in the Firewall Client Application settings and disable it, i.e. Skype Disable=1. This way, the traffic from Skype will come to ISA as secure nat and be blocked.
I don't have Skype installed here and can't verify it though.

(in reply to ahassim)
Post #: 30
RE: How do I block Skype on ISA 2006 - 20.Aug.2008 9:44:37 AM   
pwindell

 

Posts: 2243
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
First I'd like to give "justme" due credit for a well written account of what he has dealt with. Very well written.

Then...

quote:

the traffic from Skype will come to ISA as secure nat and be blocked.
I don't have Skype installed here and can't verify it though.


And there lies the key!  All this talk and attempts and various other grief of "how to block Skype" misses the entire source of the problem!  You can't test it because it is not on your machines,....and neither can the users use it if it isn't on their machines.

The source of the problem is in two parts:

1. The users are allowed to install anything they want on the machines and no one does anything about it

2. Skype is allowed to be left on the machine.

The solution is in two parts:

1. Remove Skype from the machines

2. Stop users from installing whatever they want on the machines without repercussions.  Have policy in place to deal with violators,...enforce it.

Think about it,...all this talk about security,...how secure is it to let users install whatever they want on the machine?,...how secure is it for them to even have such abilities in the first place?  This should be the first place an admin starts,..not the last place he goes just whenever he gets around to it.

_____________________________

Phillip Windell

(in reply to sthe)
Post #: 31
RE: How do I block Skype on ISA 2006 - 20.Aug.2008 1:31:49 PM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
Hi Phillip,
I'll take the credit.
How about a beer ?

The problem is that you miss completely the problem IMHO.
When you give physical access to a person to a machine, that machine is no longer "yours".
The users do not have to install anything on their machines, Skype does not have to be "left" on any machine.
Skype is just a small part of the problem after all.
There are many types of "networks" out there.
There are a lot of people with different mentalities from different countries.
If a network admin is assigned a task, the network admin will have to fulfill it, not to tell the management to fix it, or just find a new job if this one sucks in his or her opinion.
Just because it works for you like so, it does not mean that will work for others.
I know places where is common practice for people to arrive at work and fire up their favourite "software". Go get them!

What are going to do:
- a night raid and whack all "malicious" software on the users machines.
- oh, you can fire all the employees, but wait a minute, next morning the office will be empty
- apply sanctions in mass, and for sure that will boost work productivity
- and might be people you really do not "control" like students or so, just try to educate these
- put a surveillance camera on every PC, or even better, hire a "bodyguard" for every PC, so you will know exactly what your users will do.
- go and manually inspect every day thousands of PCs.
- hire "nazy" managers to "uber fix" za problam.

It does not work like so IMHO.
You just assume that every user will be a good one and listen what "old big Phil"
says!
There will always be the problem of an "insider".
It's not only about users having bad intentions, it will be about what users can be convinced to do also, you can train and educate them all day long, even the con artist can be tricked by others, it's just the way it goes IMHO.

Wait a minute, why do big names in the industry add signatures for their IDS/IPSs and why WebSense or others add to their software the ability to detect and block certain programs.
Just to fool people about theoretical "dangers" and take their money.

There are serious problems that the management has to take care of. If management can't fix them, yes, security does not work.
However just saying that management would solve all of them is so foolish.
Why do you think ISA itself has such a powerful HTTP filter, and Microsoft itself documented the blocking of IM for example?
Even if management can fix it(you can change completely all the management staff), it needs time and information about what users do.
What are you going to do, just let traffic flow until the issue will be fixed  by management ?
But wait a minute, you might not even know that certain traffic is passing through your firewall. You might find out about it at the end of the day or when logs are carefully analyzed. Management might fix that, but the problem *is* that the traffic *already* passed.
Management will likely fix the problem only *after* the issue happened. And only if it knows about it.
Yes, management must educate and take care of the users from the first day, but only time will tell if management succeeded.
Many companies will find all the above as unacceptable IMHO.
The idea is to prevent it in the first place.
And for sure, ISA with the little help of some add-ons is so damn good fixing that. One of the best out there.
It's a big difference if management has to apply sanctions when something wrong happened and when something wrong attempted to happen, but it failed. Big big difference IMHO.

Endpoint control and endpoint security is just a part of the equation. A central point of control and security is also needed.
There are many solutions to various problems out there, if one man does not know or does not want to know how to use them, it does not mean they do not work or they are bad solutions.
Not only managers can be replaced, net admin too, if necessary.

And back to the original question please, how it can be blocked Skype with ISA.
IMHO, various answers were given to that.

(in reply to pwindell)
Post #: 32
RE: How do I block Skype on ISA 2006 - 20.Aug.2008 4:31:21 PM   
pwindell

 

Posts: 2243
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
quote:

What are going to do:
- a night raid and whack all "malicious" software on the users machines.


That'd be a good start. But I'd do it during the day while they all watched so it would be known by everyone what is occurring and why.

quote:

- oh, you can fire all the employees, but wait a minute, next morning the office will be empty


Never suggested that.  I suggested "company policies",..I did not suggest the exact contents of the policy.   I suggested repercussions,..I never said what the repercussions had to be.  A business can't survive if it cannot control the employees,...it can't survive as a free-for-all with the inmates running the asylum.

quote:

- apply sanctions in mass, and for sure that will boost work productivity


You sure can't apply them "piece-meal".

quote:

- and might be people you really do not "control" like students or so, just try to educate these


They aren't children or students,...they are adults,...I expect better discipline from adults.  Education is great,..I love education,...but even teachers have to gain "control of the classroom" before they can teach anyone anything.

quote:

- put a surveillance camera on every PC, or even better, hire a "bodyguard" for every PC, so you will know exactly what your users will do.


Remove them from being Local Administrators. Letting users be local Admins is bad enough,...letting users be Local Admins who have such a lack of self discipline that inclines them to install [and use] software on company machines that the company doesn't want them to do is just plain silly.

quote:

- go and manually inspect every day thousands of PCs.


Use Systems Management Services, or similar tools, or even creative login scripts that search for specific executables and create report files of them.

So you are saying the LAN should be a complete free-for-all,..let the inmates run the asylum. Let them install & use whatever they want and no one should ever look to see what is running on their machine (because it's too much trouble I guess).  God forbid we should be like "nazis" and try to stop them.  And in the end our only last hope of sanity is whatever we can "block" at the ISA Server?  Is that what you are saying?



_____________________________

Phillip Windell

(in reply to justmee)
Post #: 33
RE: How do I block Skype on ISA 2006 - 21.Aug.2008 9:06:54 AM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
If you insist....

No, definitely this is not what I'm saying.
Is what you think or read I'm saying.
In case you've missed it, I've said: "Endpoint control and endpoint security is just a part of the equation".
It's quite the opposite, as I'm saying that every little detail counts in the defense in depth strategy, as I've said in other threads too.

This is becoming so boring, but it is in the same time so amusing...
By the way, those "questions" were just jokes, which did not require any answers.

Dude, why don't you give a google search, say for "skype portable" or "yahoo messenger portable" or so.
Also read why do people "need" such applications, it's all out there, the "users" will tell you why.
Yes, because they run at work under a user with restricted permissions so they can't install "whatever they want" or they've been given a corporate laptop along with a user account with limited permissions.
You can't search for an application which you do not know its name, as they can simply rename it, or for an application at the time of the search does not exist on that machine.
So your "creative" defense mechanism might not work, whether you want to admit it or not.

Following your logic, for example there would be no car accidents.
In my country, for people to earn their driving licenses, they must pass a psychological exam, a medical exam, an intermediate theoretical exam, a final theoretical and practical exam.
They are told and they are aware of the fact, that if they break the laws they can lose their licenses, pay fines or even go to jail.
Still, they break the law, pay for that and do it again. They are adults, ordinary, normal people in the day by day life, not criminals or so.
They are watched by police, speed cameras or by cameras which take a photo of them when they drive on red lights.
They know of the existence of these cameras and still break the law.
Even worse, they know and saw it happening, that if they break the law, people might die, innocent people and they can lose their own lives too.
And still, they keep on doing it, and people are killed.

What would be the logic of saying that management will educate people to conform to the company's security policy, therefore people will do so 'cause otherwise they will get sanctioned.
What would be the logic of saying that people would not install a tiny thing like Yahoo Messenger or Skype on their work computers because they are educated and they are afraid of sanctions, when some people put their lives and others lives as a bet.
What would be the logic of saying that you should not have hired such people in the first place, as bad drivers should have not obtain the driving license, it's only the management's faults, bad decisions were taken.
Bad might look as good, good may go bad, it's just human nature, it's happening for thousands of years, and it will happen in the future too.
Management (driving instructors, medical personnel, the ones who make laws and so on) and police must do their job together, and not separated.

This is what I'm saying, management and the security department both should do their jobs, together, and not to function independent of each other.

For example, the use of IM applications on the corporate network might be considered a threat because:
- the users of such application were targeted by certain viruses.
- the users can chat with their buddies who are at home, on a computer already p0wned.
- the users can exchange files through such applications, so they can download on the corporate machine infected files or malicious software.
- if there is a new virus targeting these applications or hidden within the exchanged files, there is likely that the antivirus will not catch this virus, until a signature is released for it.
- users can talk with "anybody", a new "cool" person they met on usenets
- affect work productivity
- disrupt and consume network bandwidth
........

In this case, the management should take care of users' education and give to the security department the resources(like money) to solve this issue at a technical level.
At the end of the day, you will have good users, like good drivers, and bad people, like bad drivers. Life's so.
Some will respect the company's policies, some will not. Education will never totally fix or totally control that.
Here is where the security department comes, and has to prevent, log when, from where and from who the company's policy was broken and inform the management, so that management can apply sanctions.
A simple thing that can be achieved with simple solutions. Just tell the IPS to block Skype for example.
We would always want police to prevent the accidents happening, rather than investigated it, same is true about the security department.
As there are bad users, there are bad managers and bad security departments too.

Also at the end of the day, we will not have technical means for everything.
That's what I'm saying, every network is different, it's a live entity, which must be studied and understood, before anything can be "applied".
If certain solutions will work on a network, for a certain company, this does not automatically mean that they will work everywhere, at least not as expected.

The security department does not tell/teach the management how to do their job, and the management does not tell/teach the security department how to do their job.
If this happens, then you have a bigger problem than hapless users.
The two work together closely, complement each other, develop company's security policies...., at least in theory(as does police with the driving instructors, with the ones who makes laws and so on).
In practice, this is where most of the time consultants come and get big bucks, taking on the management, on the company's security policies, on the security department, on the users and on the current security level. Find what's not working, if it's working as expected, and give solutions.
However, there are good and bad consultants too.

All of the above IMHO.

(in reply to pwindell)
Post #: 34
RE: How do I block Skype on ISA 2006 - 21.Aug.2008 11:14:36 AM   
paulo.oliveira

 

Posts: 3471
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi Phillip,

agree with you about educate users, otherwise the network and the company itself will be a mess!
In the last company that I worked, the users had respect for the IT policies and most of them asked before doing something on their computers. I think that's the correct way to resolve unwanted installations.
In my opinion every single company should have meetings teaching the users what users can do and what they can't do. Focus on this and you will have a better network safe from most of problems such as viruses, misconfigurations, angry people, etc.

About what you replied in here:

- put a surveillance camera on every PC, or even better, hire a "bodyguard" for every PC, so you will know exactly what your users will do.


Remove them from being Local Administrators. Letting users be local Admins is bad enough,...letting users be Local Admins who have such a lack of self discipline that inclines them to install [and use] software on company machines that the company doesn't want them to do is just plain silly.

Skype have a problem, users CAN install it with no local admin permissions!! I once contacted the skype support asking why is this possible and they say it's not!
I tested myself install skype as a regular user.... and it works!!
The big difference is does not appear in the Add/Remove programs applet. It, of course, does not even copy to the %programfiles% folder.
Skype installs itself in the user profile!

So, did not found a way to not let users to install skype (too bad). Maybe using the windows software policies like you said before it can be done (never tested).

This is just my experience with skype.

Regards,
Paulo Oliveira.

(in reply to pwindell)
Post #: 35
RE: How do I block Skype on ISA 2006 - 21.Aug.2008 11:59:59 AM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
Paulo,
Why do you think that "Skype have a problem, users CAN install it with no local admin permissions" ?
Many programs have this "problem", and will be installed in the user's folder.
After all, Skype is "evil" only for some.
For example small companies might use the normal Skype version in order to save money on phone calls.

(in reply to paulo.oliveira)
Post #: 36
RE: How do I block Skype on ISA 2006 - 21.Aug.2008 1:56:51 PM   
pwindell

 

Posts: 2243
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
quote:

In the last company that I worked, the users had respect for the IT policies and most of them asked before doing something on their computers. I think that's the correct way to resolve unwanted installations.
In my opinion every single company should have meetings teaching the users what users can do and what they can't do. Focus on this and you will have a better network safe from most of problems such as viruses, misconfigurations, angry people, etc.


Yes. Exactly what I had in mind.

quote:

Skype have a problem, users CAN install it with no local admin permissions!! I once contacted the skype support asking why is this possible and they say it's not!
I tested myself install skype as a regular user.... and it works!!
The big difference is does not appear in the Add/Remove programs applet. It, of course, does not even copy to the %programfiles% folder.
Skype installs itself in the user profile!


I was speaking more in general principles. Not letting users be an Admin covers most applications.

quote:

So, did not found a way to not let users to install skype (too bad). Maybe using the windows software policies like you said before it can be done (never tested).


Possibly using GPO based Software Restriction Policies (commonly used with Terminal Services) may be of use.  There are several ways that these GPOs "identify" an Application.

Also someone suggested this (maybe it was you, I can't remember):  Add the Skype.exe to the Firewall Client Exceptions which will keep it from using the Firewall Service which causes it to be forced to use the SecureNAT Service,...then by not having any "anonymous" Access Rules prevents the SecureNAT Service from making any connections,...hence stopping Skype.  Sometimes SecureNAT Connections are required, but carefully crafting the Access Rules to be narrow in their scope would still keep you out of trouble.

_____________________________

Phillip Windell

(in reply to paulo.oliveira)
Post #: 37
RE: How do I block Skype on ISA 2006 - 21.Aug.2008 2:46:59 PM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
According to Tom:
quote:

Application Specifics
It would be nice if we could configure all computers as Firewall clients and leave it at that. However, like all good malware, these dangerous applications can allow outbound connections through alternative means. Many of these applications allow the user to configure them as Web Proxy or SOCKS 4 clients (ISA Server does not support SOCKS 5 out of the box).
In addition to having to deal with users who reconfigure their applications, you also have to deal with applications that can scan the network and find a hole. Some of the applications can use stealth techniques and grab the browser's Web Proxy client configuration without your knowledge. Therefore, you'll have to do more than just configure the mspclnt.ini file


When investigating how to block these applications, I was surprised to discover the various methods that each one used to get around the Firewall client configuration. What was even more interesting is how it appeared that some of them could get around the Web Proxy Service configuration and use SOCKS, while other ones could not get around the Web Proxy service.
I found the behavior of the MSN Instant Messenger to be particularly annoying. In the configuration dialog box for the network connection there is an option to use a proxy server. One would assume that if you choose to not use a proxy server, the client would have to use the Firewall client in order to connect to the ISA Server. However, the MSN IM'er was able to get around this on some machines, apparently probing the system for the browser proxy settings.

If you use Windows 2000 Professional network clients, you can block these applications through Group Policy. Group Policy allows you to prevent the execution of program files used for each of these Instant Messaging applications. However, users can get around this restriction by simply renaming the file.


http://www.isaserver.org/tutorials/How_to_Block_Dangerous_Instant_Messengers_Using_ISA_Server.html

Yes, GPO software restrictions might work with a hash rule, so you do not have to worry about the location or file name, only if you have the hashes for every Skype version out there.

Da' competition has put a doc about Skype, scroll down and see how they block Skype:
http://www.securecomputing.com/index.cfm?skey=1602

< Message edited by justmee -- 21.Aug.2008 4:26:25 PM >

(in reply to pwindell)
Post #: 38
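The trade-off running through posts #33 to #38 (a search by file name is defeated by renaming, while a hash rule ignores name and location but only covers versions whose hashes are known) can be seen in a small inventory script. This is an added example, not code from any poster and not how Software Restriction Policies are implemented; SHA-256, the function names and the stand-in file contents are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large executables are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def looks_like_pe(path):
    """Cheap filter: Windows executables start with the bytes 'MZ'."""
    with open(path, "rb") as handle:
        return handle.read(2) == b"MZ"


def inventory(root, denied_hashes, denied_names):
    """Walk root and report executables matched by name and/or by hash."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if not looks_like_pe(path):
                    continue
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable or locked file: skip, do not abort
            by_name = name.lower() in denied_names
            by_hash = digest in denied_hashes
            if by_name or by_hash:
                hits.append({"path": path, "by_name": by_name,
                             "by_hash": by_hash})
    return sorted(hits, key=lambda h: h["path"])


def demo():
    """Build a constructed user-profile tree and run both match types."""
    # Constructed stand-ins for two releases of the same program.
    release_1 = b"MZ" + b"constructed stand-in for release 1"
    release_2 = b"MZ" + b"constructed stand-in for release 2"
    denied_hashes = {hashlib.sha256(release_1).hexdigest()}
    denied_names = {"skype.exe"}
    with tempfile.TemporaryDirectory() as root:
        apps = os.path.join(root, "profile", "apps")
        os.makedirs(apps)
        samples = {
            "Skype.exe": release_1,   # original name, known release
            "notes.exe": release_1,   # renamed copy of the known release
            "chat.exe": release_2,    # renamed copy of an unknown release
            "readme.txt": b"plain text, not an executable",
        }
        for name, content in samples.items():
            with open(os.path.join(apps, name), "wb") as handle:
                handle.write(content)
        hits = inventory(root, denied_hashes, denied_names)
        return {os.path.basename(h["path"]): (h["by_name"], h["by_hash"])
                for h in hits}


if __name__ == "__main__":
    for name, (by_name, by_hash) in demo().items():
        print(f"{name}: name match={by_name}, hash match={by_hash}")
```

The renamed copy of the known release is still reported through its hash, while the renamed copy of the unlisted release is not reported at all, which is the gap the thread notes for hash rules.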
RE: How do I block Skype on ISA 2006 - 21.Aug.2008 4:28:38 PM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
I do not want to be accused that I hide some stuff I know and only expose what I like, since you guys are down the application restriction and endpoint security way, there is a nice and practical program from Bit9 called Parity, which overcomes some of the limitations of Windows GPO software restriction policies:
http://www.bit9.com/products/parity.php
I do not know if you have ever used it, if not you may be pleasantly surprised, they give you a trial(it can take on USB devices too, although GFI Endpoint Security might help with those, http://www.gfi.com/endpointsecurity/esecfeatures.htm/).

(in reply to justmee)
Post #: 39
RE: How do I block Skype on ISA 2006 - 21.Aug.2008 6:29:05 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
I've had some good success with the Sanctuary products which are now owned by Lumension. They offer both device and applications control:

http://www.lumension.com/Sanctuary_AC_Endpoint_Security.jsp?rpLangCode=1&rpMenuId=118466

http://www.lumension.com/usb_security.jsp?rpLangCode=1&rpMenuId=118468

The device control product is also now OEM'd to PGP Corporation as PGP Endpoint.

Using Microsoft SRPs is just too limited for real-world use in my experience and you really need to look at third party solutions...

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to justmee)
Post #: 40
