The most brainless way to stop IM/P2P clients is to block all Internet access except for ports 80 and 443. Theoretically, this should stop most P2P/chat software from working. But the bad news is that many of these programs are smart enough at this point to use ports 80 and 443 to attempt to open links to the outside world (AOL Instant Messenger is one such program).
Ultimately, it's a pretty ineffective method and may do more harm than good. There are many other legitimate services that run on ports other than 80 or 443 -- FTP, for instance -- and it may not be practical to block such services to end users. A user might need to obtain a document from an FTP repository somewhere, and if it's unavailable because port 21 is blocked (that's the default port for FTP), that'll be a source of frustration.
If you're determined to block everything except the most legitimate ports, you can go to the IANA (Internet Assigned Numbers Authority) for a list of common and IANA-approved port assignments. Still, it might be better to think about a more sophisticated approach that doesn't require blocking specific ports.
Blocking IM and P2P
Step 1: The "easy, but stupid" approach
Step 2: The "block the nexus" approach: IM
Step 3: The "block the nexus" approach: P2P
Step 4: The "block the application" approach
More information from SearchWindowsSecurity.com
|ABOUT THE AUTHOR:|
|Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well! Copyright 2005 TechTarget|
This was first published in January 2006