Jump to content
Sadikhov IT Certification forums
Sign in to follow this  
shaig85

block skype from GPO?HOW TO DO IT?

Recommended Posts

HI GUYS

i want to blocj skype in my network i couldnt do it from kerio firewall because it is impossible can some one here explain me how one can do it through GPO ?PLEASE EXPLAIN THE PROCEDURE STEP BY STEP OR GIVE ME A LINK FOR IT

THANKS IN ADVANCE

  • Upvote 1
  • Downvote 2

Share this post


Link to post
Share on other sites

First thing coming to mind is just implement a software restriction policy (path or even hash if you are sure everyone is running a specific version of skype) to block the executable.

 

As these little beasts are both powerful and dangerouns I invite you to have a good read of the following article :

 

http://technet.microsoft.com/en-us/library/bb457006.aspx

 

Test the implementation plan and you should be good to go :)

 

Cheers Lethe.

  • Upvote 1
  • Downvote 1

Share this post


Link to post
Share on other sites

HI GUYS

i want to blocj skype in my network i couldnt do it from kerio firewall because it is impossible can some one here explain me how one can do it through GPO ?PLEASE EXPLAIN THE PROCEDURE STEP BY STEP OR GIVE ME A LINK FOR IT

THANKS IN ADVANCE

My experience says that if you dont want any thing to traverse your Precious WAN connection then why not block it from the top most Application Layer instead of just allowing an unwanted app all the way down to the network layer then letting router to filter it n waste extra amount of router CPU cycles.

 

Yes from Group Policy you can do it. Just open the Organizational unit of restricted users which you wana block in active directory

1. Open User Configurations\Administrative Templates

2. then scroll all the way down to the System.

3. There you will see Don't Run Specified Windows Applications

4. DoubleClick on it then Click Enable. Then click Show

5. You will find empty box. Click Add and write the .exe of Skype which is im sure Skype.exe

6. Click on the ok and Apply

 

there you go the app is blocked from the Group Policy

Edited by talent pk
  • Upvote 1

Share this post


Link to post
Share on other sites

HI GUYS

i want to blocj skype in my network i couldnt do it from kerio firewall because it is impossible can some one here explain me how one can do it through GPO ?PLEASE EXPLAIN THE PROCEDURE STEP BY STEP OR GIVE ME A LINK FOR IT

THANKS IN ADVANCE

 

Hi shaig85 .

 

 

Do you have windows 2008 and windows 7 in your company :)

 

If yes , its way better to block skype.

 

If no , you can do this stage :

 

* Go to the http traffic policies and block:

http://*.skype.com*

http://ui.skype.com*

http://*skype.com*

LogIn servers:

 

80.160.91.5, 80.160.91.11, 80.160.91.13, 80.160.91.25

 

As i mean, block all skype IPs and DN .

 

 

 

Lethe

 

Posted 24 May 2011 - 09:37 PM

 

shaig85, on 13 May 2011 - 01:18 PM, said:

no to restrict throug GPO THROUGH CASH

 

 

Eh?

 

That is why you must use a Hash rule ,no CASH , in the user configuration. Because hash rules recognized the file by a unique algorithm of that executable, and not by its filename or path.

 

One thing about Software Restriction using a hash rule:

Make sure users cannot install other versions of Skype them selfs, by using installation packages.

 

(By the way, to your concern. As long as these users are not! a member of the local group 'Administrators' or 'Power Users', then they can not make changes at all in the Program files and the Windows folders and most of the keys in the registry).

 

 

Good luck .

  • Upvote 2

Share this post


Link to post
Share on other sites

@Kamtec1

well from what I've seen on Skype reverse engineering nothing @ network level (ISO stack, all 7 layers) would block it. We have had many request from our customers to block Skype on network and we were always able to get it run, as long as we had at least power user for the PC. It seems much more effective to block the name of executable, it's stupid and easy to work around. But the effort when compared to other solutions is stunning! Oh I didn't know about hash rules (still our most advanced CUs use XPSP3...).

  • Upvote 1

Share this post


Link to post
Share on other sites

HI GUYS

i want to blocj skype in my network i couldnt do it from kerio firewall because it is impossible can some one here explain me how one can do it through GPO ?PLEASE EXPLAIN THE PROCEDURE STEP BY STEP OR GIVE ME A LINK FOR IT

THANKS IN ADVANCE

 

Hi .

 

 

Did some post and ways to block it (skype) :)

But still not complete one :( .. trying the best :)

--------------------------------

1) Block IP Addresses to Skype Authentication Servers

Block 80.160.91.5 & 80.160.91.13. This won't affect people who have already signed up and saved their Skype credentials on their PC. It only works for new users that try to authenticate for the first time. So for new users that first install Skype, it should prevent them from authenticating and thus, they won't be able to get in. I have not verified this "tip" still works today. It updates all the time and have many new features .. . To test uninstall Skype (to similate a fresh install), block the IPs, then reinstall Skype.

 

2) Block Skype using ISA Server 2006

If you use ISA Server 2006 proxy server you can block various IM software clients including AOL Instant Messenger, MSN Instant Messenger, Yahoo Instant Messenger, and ICQ. It might also work with Skype as well, but Skype can be tricky to block. Although this awesome ISA Server 2006 article titled "Getting started with Microsoft ISA Server 2006, Part V: Configure HTTP Filter" seems to indicate using ISA Server 2006 to block Skype can be difficult. But it's a great resource for blocking other IM clients and even .torrent files.

 

3) Block Skype using Group Policy (corporate environments)

Go to Computer Configuration / Windows Settings / Security Settings - Software Restriction Policies - Additional rules. Then create rules for the hash of the specified .exe to block no matter where it launches from. Problem with this is that Skype updates regularly, so you'd have to keep on it. So alternatively, block a specified directory, i.e. \program files\skype and disallow anything from launching from within that directory.

 

 

And the way that need to pay ...

Alternative methods for blocking Skype

 

1)NetSpective from Verso Technologies - Can be configured to block over 20 P2P and Instant Messaging programs, including Skype. NetSpective is available in enterprise and carrier versions. Verso has supplied China Telecom with their carrier class of NetSpective.

2)Packeteer's PacketShaper - detects Skype and other P2P traffic and allows the administrator to apply Quality of Service regulations or block it completely.

3)SonicWall's Unified Threat Management appliances - SonicWall has a PDF presentation on how to block Skype with their hardware, or you can read the HTML version in the Google cache or on the web site .

4)Fortigate from Fortinet - capable of blocking Skype and other P2P applications.

5)Check Point's InterSpect - Using InterSpect with Check Point's SmartDefense system can identify and block P2P applications including Skype.

6)Cisco equipment running IOS version 12.4 (4) T - This is the "free" option, providing that your network already uses a Cisco product with this IOS version. See Cisco Tips & Tricks for the instructions on there site and fenitooo skype:))) .

7) Blocking Skype Using Squid system

8) Blocking Skype Using OpenBSD software.

 

 

 

P.S. Its not he end of the war with skype ....

The last thing is to write the hash rule and he can block it very well :)

 

 

Good luck ,

  • Upvote 2

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×