Block Skype from GPO? How to do it?
#1
Posted 13 May 2011 - 03:50 PM
I want to block Skype in my network. I couldn't do it from Kerio firewall because it is impossible. Can someone here explain to me how one can do it through GPO? PLEASE EXPLAIN THE PROCEDURE STEP BY STEP OR GIVE ME A LINK FOR IT
THANKS IN ADVANCE
#2
Posted 13 May 2011 - 04:49 PM
As these little beasts are both powerful and dangerous, I invite you to have a good read of the following article:
http://technet.micro...y/bb457006.aspx
Test the implementation plan and you should be good to go
Cheers Lethe.
#3
Posted 13 May 2011 - 08:18 PM
#4
Posted 13 May 2011 - 08:37 PM
My experience says that if you don't want anything to traverse your precious WAN connection, then why not block it from the topmost application layer, instead of allowing an unwanted app all the way down to the network layer and then letting the router filter it and waste extra router CPU cycles.
Yes, from Group Policy you can do it. Just open the organizational unit of the restricted users which you want to block in Active Directory.
1. Open User Configuration\Administrative Templates.
2. Then scroll all the way down to System.
3. There you will see "Don't Run Specified Windows Applications".
4. Double-click on it, then click Enable. Then click Show.
5. You will find an empty box. Click Add and write the .exe of Skype, which I'm sure is Skype.exe.
6. Click OK and Apply.
There you go, the app is blocked from Group Policy.
Edited by talent pk, 13 May 2011 - 08:38 PM.
#5
Posted 25 May 2011 - 04:37 AM
no to restrict through GPO THROUGH CASH
Eh?
#6
Posted 02 July 2011 - 07:40 AM
Hi shaig85.
Do you have Windows 2008 and Windows 7 in your company?
If yes, it's way better to block Skype.
If no, you can do this stage:
* Go to the HTTP traffic policies and block:
http://*.skype.com*
http://ui.skype.com*
http://*skype.com*
Login servers:
80.160.91.5, 80.160.91.11, 80.160.91.13, 80.160.91.25
As I mean, block all Skype IPs and DN.
Lethe
Posted 24 May 2011 - 09:37 PM
shaig85, on 13 May 2011 - 01:18 PM, said:
no to restrict through GPO THROUGH CASH
Eh?
That is why you must use a hash rule, not CASH, in the user configuration. Because hash rules recognize the file by a unique algorithm of that executable, and not by its filename or path.
One thing about Software Restriction using a hash rule:
Make sure users cannot install other versions of Skype themselves by using installation packages.
(By the way, to your concern: as long as these users are not members of the local group 'Administrators' or 'Power Users', they cannot make changes at all in the Program Files and Windows folders and most of the keys in the registry.)
Good luck.
#7
Posted 02 July 2011 - 07:49 AM
Well, from what I've seen on Skype reverse engineering, nothing at network level (ISO stack, all 7 layers) would block it. We have had many requests from our customers to block Skype on the network and we were always able to get it to run, as long as we had at least power user for the PC. It seems much more effective to block the name of the executable; it's stupid and easy to work around. But the effort when compared to other solutions is stunning! Oh, I didn't know about hash rules (still our most advanced CUs use XPSP3...).
#8
Posted 02 July 2011 - 05:52 PM
Just another way
Mark
#9
Posted 02 September 2011 - 08:56 AM
Hi.
Did some posts and ways to block it (Skype)
But still not a complete one
--------------------------------
1) Block IP Addresses to Skype Authentication Servers
Block 80.160.91.5 & 80.160.91.13. This won't affect people who have already signed up and saved their Skype credentials on their PC. It only works for new users that try to authenticate for the first time. So for new users that first install Skype, it should prevent them from authenticating and thus, they won't be able to get in. I have not verified this "tip" still works today. It updates all the time and has many new features... To test, uninstall Skype (to simulate a fresh install), block the IPs, then reinstall Skype.
2) Block Skype using ISA Server 2006
If you use ISA Server 2006 proxy server you can block various IM software clients including AOL Instant Messenger, MSN Instant Messenger, Yahoo Instant Messenger, and ICQ. It might also work with Skype as well, but Skype can be tricky to block. Although this awesome ISA Server 2006 article titled "Getting started with Microsoft ISA Server 2006, Part V: Configure HTTP Filter" seems to indicate using ISA Server 2006 to block Skype can be difficult. But it's a great resource for blocking other IM clients and even .torrent files.
3) Block Skype using Group Policy (corporate environments)
Go to Computer Configuration / Windows Settings / Security Settings - Software Restriction Policies - Additional rules. Then create rules for the hash of the specified .exe to block no matter where it launches from. Problem with this is that Skype updates regularly, so you'd have to keep on it. So alternatively, block a specified directory, i.e. \program files\skype and disallow anything from launching from within that directory.
And the ways that you need to pay for...
Alternative methods for blocking Skype
1) NetSpective from Verso Technologies - Can be configured to block over 20 P2P and Instant Messaging programs, including Skype. NetSpective is available in enterprise and carrier versions. Verso has supplied China Telecom with their carrier class of NetSpective.
2) Packeteer's PacketShaper - detects Skype and other P2P traffic and allows the administrator to apply Quality of Service regulations or block it completely.
3) SonicWall's Unified Threat Management appliances - SonicWall has a PDF presentation on how to block Skype with their hardware, or you can read the HTML version in the Google cache or on the web site.
4) Fortigate from Fortinet - capable of blocking Skype and other P2P applications.
5) Check Point's InterSpect - Using InterSpect with Check Point's SmartDefense system can identify and block P2P applications including Skype.
6) Cisco equipment running IOS version 12.4 (4) T - This is the "free" option, providing that your network already uses a Cisco product with this IOS version. See Cisco Tips & Tricks for the instructions on their site and fenitooo skype:))).
7) Blocking Skype using the Squid system.
8) Blocking Skype using OpenBSD software.
P.S. It's not the end of the war with Skype....
The last thing is to write the hash rule and he can block it very well.
Good luck,
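The thread contrasts blocking by file name, by directory and by hash; the following added example (not code from any poster) models the three rule types over constructed launch scenarios to show which case each one misses. The paths, build bytes and the use of SHA-256 as the file hash are assumptions made for illustration.

```python
import hashlib
import ntpath
from dataclasses import dataclass

@dataclass(frozen=True)
class Launch:
    path: str       # full path of the executable being started
    content: bytes  # constructed stand-in bytes, not a real binary

def name_rule(exe_name):
    """File-name match, as in "Don't run specified Windows applications"."""
    return lambda x: ntpath.basename(x.path).lower() == exe_name.lower()

def path_rule(directory):
    """Directory match: anything launched from under `directory`."""
    prefix = ntpath.normpath(directory).lower() + "\\"
    return lambda x: ntpath.normpath(x.path).lower().startswith(prefix)

def hash_rule(known_content):
    """Content match: SHA-256 here stands in for the policy's file hash."""
    digest = hashlib.sha256(known_content).hexdigest()
    return lambda x: hashlib.sha256(x.content).hexdigest() == digest

BUILD_1 = b"constructed Skype build 1"   # the build the admin hashed
BUILD_2 = b"constructed Skype build 2"   # a later update, different bytes
LAUNCHES = {  # constructed scenarios
    "installed": Launch(r"C:\Program Files\Skype\Phone\Skype.exe", BUILD_1),
    "renamed": Launch(r"C:\Program Files\Skype\Phone\chat.exe", BUILD_1),
    "moved": Launch(r"C:\Users\alice\Desktop\Skype.exe", BUILD_1),
    "updated": Launch(r"C:\Program Files\Skype\Phone\Skype.exe", BUILD_2),
    "user_install": Launch(r"C:\Users\alice\AppData\Local\Skype\Skype.exe", BUILD_2),
}
RULES = {
    "name": name_rule("Skype.exe"),
    "path": path_rule(r"C:\Program Files\Skype"),
    "hash": hash_rule(BUILD_1),
}

def blocked_by(rule_name):
    """Scenario names that the single rule `rule_name` stops."""
    return sorted(n for n, x in LAUNCHES.items() if RULES[rule_name](x))

def gaps(rule_names):
    """Scenario names that none of the listed rules stops."""
    return sorted(n for n, x in LAUNCHES.items()
                  if not any(RULES[r](x) for r in rule_names))

if __name__ == "__main__":
    print({r: blocked_by(r) for r in RULES})
    print("path+hash gaps:", gaps(["path", "hash"]))
```

The one scenario that the path and hash rules together miss is a different build installed outside the blocked directory, which is the case the earlier post about keeping users from installing other versions themselves is aimed at.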
#10
Posted 28 January 2012 - 06:46 AM
https://www.itscforu...2P-Applications
I am not sure if Skype is on the list, but it should be easy to extend.
Edited by techie2300, 28 January 2012 - 06:47 AM.