Block 'net send' messenger

Stky10

I'm wondering if its possible to set up on a windows 2003 server domain controller that the messenger service that allows domain users to send 'net send' commands can be permanently turned off and not to be used. The users
here have local administrator rights, so I dont think there is any point in
trying to turn off or uninstall the service, as they'd probably just reinstall
it or manually turn it back on.

In past experience I've found that telling people something isn't allowed
is nowhere near as good as just preventing them from doing it.

Anyway, is there a security profile I can use it to block this??

Kevin_rc_ie

funnily enough i want to unblock this service because i can't get it to work anymore.

fatherdougalmag

Any use?

Kevin_rc_ie

(hijack) helped me turn mine on so i'll say thanks. (/hijack)

osmethod

I don't know if you can restrict net send specifically...

You could perhaps create an admin user, not a member of the Administrators group and give ownership/permissions to net.exe to this user only...

osmethod

Stky10

fatherdougalmag wrote:

Any use?

Looks more promising. The users are pretty technical and they're
damned determined so I'm pretty sure just stopping the service wouldnt
be enough. I'll try the GPO first...

Cheers

Out of interest why do you want to stop them using it? The only reason I would turn it off would be to prevent spam.

maxheadroom

Stky10 wrote:

Looks more promising. The users are pretty technical and they're
damned determined so I'm pretty sure just stopping the service wouldnt
be enough. I'll try the GPO first...

Cheers

Is there any way to filter the messages at an IP level - configure your switch / other associated network hardware to block comms on that port for instance?

Stky10

Deleted User wrote:

Out of interest why do you want to stop them using it? The only reason I would turn it off would be to prevent spam.

Some muppets in a clique spend their day sending each other messages
and interuppting others.

Havent gotten around to much about this yet, came back to read the
relative webpage again. I dont think blocking ports is much of an option
as it would block netbios as well.

Capt'n Midnight

add this to login script if there is one - even if local admin will annoy
net stop messenger [edit]

xpantispy has an option to remove ms messanger from the system

If it's external communication then it should be blocked at the firewall in any case.

this will really annoy - any complaints => refer to organisation policy
net send User "rebooting because of system compromise"
if errorlevel 1 shutdown \\computername

Stky10

Capt'n Midnight wrote:

add this to login script if there is one - even if local admin will annoy
net stop alerter

From a microsoft page

"Stop the Alerter service that sends alert messages to specified users that are connected to the server computer. Alert messages warn users about security, access, and user session problems."

I don't think that would bother them. Starting the service on the other
hand might piss them off more. I want to stop the messenger service
and stop them from restarting it. I've even gone as far as blocking ports 135,
137-139, 445 to stop Netbios and it still doesnt work. So much for this

http://www.chebucto.ns.ca/~rakerman/trojan-port-table.html#netsend

Capt'n Midnight wrote:

xpantispy has an option to remove ms messanger from the system

Its not MSN Messenger I want to get rid of. I've shown them I can read
MSN messenger messages by monitoring what goes through the firewall,
so they've switched to the messenger service instead.

Capt'n Midnight wrote:

If it's external communication then it should be blocked at the firewall in any case.

No its internal only.

Capt'n Midnight wrote:

this will really annoy - any complaints => refer to organisation policy
net send User "rebooting because of system compromise"
if errorlevel 1 shutdown \\computername

I dont see how it would work. I've more to do than try and detect every
message they send each other and then reboot their machine. I want to
stop it so they cant do it. I'll keep looking I think.

Capt'n Midnight

Stky10 wrote:

The users here have local administrator rights, so I dont think there is any point in trying to turn off or uninstall the service, as they'd probably just reinstall it or manually turn it back on.
...
The users are pretty technical and they're damned determined so I'm pretty sure just stopping the service wouldnt be enough. I'll try the GPO first...

Even if you manage to block the messenger and do all sorts of fancy stuff in Active Directory , they will just move on to some thing they downloaded off the net that uses a different port / method. eg: They could also add NetBEUI to thier machines and use a private network that bypasses IP. eg: In linux you can define the text inside ping packets so it's possible to sneak messages past just about anything if someone was really determined and could find the right app.

Point is if they have Admin rights in windows there is nothing a sysadmin can do to stop them abusing thier machines somehow, it's a management (as in suits) issue not a technical one. If a techno fix is needed then they should be dropped to power users. And besides even if you could block every port they will find other ways to waste time..

Another option would be to hide the machines from each other - but they can see thier IP addresses so that ain't gonna work unless you have amazing network switches and besides that sort of one off network setup always comes back to bite you.

Stky10

Capt'n Midnight wrote:

Point is if they have Admin rights in windows there is nothing a sysadmin can do to stop them abusing thier machines somehow, it's a management (as in suits) issue not a technical one. If a techno fix is needed then they should be dropped to power users. And besides even if you could block every port they will find other ways to waste time..

I'm beginning to think that myself. I'll have a look at the difference between
local administrator vs power user privileges. I'm busy enough as is without
having to nurse people through to a stage where they do what they're told.