-----Original Message-----
From: Sturgis, Grant [mailto:Grant.Sturgis@arraybiopharma.com]
Sent: 29 January 2004 22:57
To: Frédéric Poulet; suse-security@suse.com
Subject: RE: [suse-security] hotmail messager
To block MSN Messenger (what you are calling hotmail messager), you must either know all the IP addresses that MS will use for this (all of loginnet.passport.msn.com) and be willing to change them every time MS makes changes (which is frequently) or you must use an HTTP proxy. Other options include other application firewalls, but we can ignore them for now.
Do you let all your clients surf the web directly? If so, then you probably will have to opt for the blocking of all the IP addresses. Please note that this will also break Hotmail and any other Passport-related websites.
One question is obvious: Are your users subject to a (computer) Acceptable Use Policy (AUP) as part of a contract of employment?
If so, and if the restriction of Hotmail Messenger access is a rule set down by management, ask your manager about the possibility of using the AUP to impose a withdrawal of web access for any employees found to use Hotmail Messenger (or similar). Tell employees this is happening, and that you're monitoring network access for abuse of the AUP, and then enforce it a few times to make a hint that you're serious. At all times make sure you're not breaking any privacy laws (or reasonable expectations).
I've magnificently failed to restrict MSN (etc.) Messenger access by IP restriction, as the ports change too frequently, so I started to crack down on users. It was _NOT_ a popular move, but it was a reasonable request from my boss so I did it...
Tom.