
Logging into hotmail will circumvent Windows Messenger GPO restriction

 
 
RRE
Guest
Posts: n/a

 
      02-10-2009
Hi,

A customer of ours showed a way to circumvent the applied Domain-GPO which
prevents use of Windows Messenger for some of their domain users and
computers. They have also applied software restrictions on certain files
that MSN or Windows Live Messenger make use of to tighten this even further.

But when a user logs on to their hotmail on the web to view their
personal e-mails using their own Windows Live ID, this somehow triggers the
installed MSN/Windows Live Messenger application to execute and get started
though there is a GPO applied that should prevent this!

How can this be, is it a bug? Is it because there are certain settings in
the messenger application (under tools/options/security settings) that may
trigger this behaviour? How can we prevent this from happening so it won't
execute when a user logs on to hotmail? We still want the MSN/Windows Live
Messenger to be installed on the local computer. Is there any special .adm
template available to tighten messenger usage even further?

Thanks in advance for any help and assistance
Regards,
Richard

 
 
 
 
 
Jonathan Kay [MVP]
Guest
Posts: n/a

 
      02-11-2009
Greetings Richard,

I guess it depends what they're using in these GPOs. As I'm sure you know, there's no
special Messenger GPOs for anything beyond Windows Messenger (and MSN Messenger/Windows Live
Messenger just ignore the Windows Messenger ones).

The reason why this might work is because Messenger is called in Hotmail by its COM control,
which automatically starts it up. This might circumvent the normal execution process (note
I'm not in a position to test this thoroughly at the moment) and software restriction
policies (I'm guessing that's the GPO setting you're referring to).

Fortunately you can actually block Hotmail (or any other related Microsoft site) from starting
Messenger. Pop open IE on any machine with Messenger, choose the Tools menu, Manage Add-ons
and Enable or Disable Add-ons. Show the entries that run without requiring permission and
the specific entry you'll want to disable is "Windows Live", which corresponds to the
"MSGSC1~1.DLL" file which in the latest 2009 release will correspond to \Program
Files\Windows Live\msgsc.14.0.8050.1202.dll and CLSID is
{E1771B7F-98BE-407F-BA67-AA16ADA5D0C5}.

Now beyond this UI to disable this in IE, there are registry entries and GPOs. The GPO can be
found in the policy editor at: Computer Configuration or User Configuration, expand
Administrative Templates, expand Windows Components, expand Internet Explorer, expand
Security Features, and then click Add-on Management.

There's a KB article that goes into detail:
http://support.microsoft.com/kb/883256

If you need more help, post back.

--
Jonathan Kay
Microsoft MVP - Windows Live Messenger
MSN Messenger/Windows Messenger
MessengerGeek Blog: http://www.messengergeek.com
Messenger Resources: http://messenger.jonathankay.com
(c) 2009 Jonathan Kay - If redistributing, you must include this signature or citation
--
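
An added example, not part of Jonathan Kay's reply: a PowerShell check that reports whether the Add-on Management policy described above actually blocks the quoted CLSID on a given machine. The registry locations (`Policies\Ext\CLSID` with string data 0, 1 or 2, and the `RestrictToList` value) are assumed here to be where the Add-on List policy is stored; the thread does not state them, so confirm them against the KB article.

```powershell
# Added example: audit IE Add-on Management policy for the Messenger add-on.
$Clsid  = '{E1771B7F-98BE-407F-BA67-AA16ADA5D0C5}'  # CLSID quoted in the reply above
# Assumed policy location (not stated in the thread).
$ExtKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext'

function Get-AddOnPolicyState {
    param([Parameter(Mandatory)][ValidateSet('HKLM','HKCU')][string]$Hive,
          [Parameter(Mandatory)][string]$Clsid)

    $listValue = $null   # per-CLSID entry from the Add-on List
    $restrict  = $null   # "deny all add-ons unless listed" switch
    $extPath   = "${Hive}:\$ExtKey"

    if (Test-Path -LiteralPath $extPath) {
        $restrict = (Get-Item -LiteralPath $extPath).GetValue('RestrictToList')
    }
    if (Test-Path -LiteralPath "$extPath\CLSID") {
        # GetValue returns $null when the CLSID is not listed.
        $listValue = (Get-Item -LiteralPath "$extPath\CLSID").GetValue($Clsid)
    }

    $verdict = switch ("$listValue") {
        '0'     { 'blocked: disabled by Add-on List'; break }
        '1'     { 'allowed: enabled by Add-on List'; break }
        '2'     { 'allowed: user may enable or disable'; break }
        default {
            if ($restrict -eq 1) { 'blocked: not listed and RestrictToList = 1' }
            else                 { 'not configured in this hive' }
        }
    }
    [pscustomobject]@{
        Hive = $Hive; ListValue = $listValue
        RestrictToList = $restrict; Verdict = $verdict
    }
}

# Computer policy (HKLM) and user policy (HKCU) are reported separately.
$report = 'HKLM', 'HKCU' | ForEach-Object { Get-AddOnPolicyState -Hive $_ -Clsid $Clsid }
$report | Format-Table -AutoSize

if (-not ($report.Verdict -like 'blocked*')) {
    Write-Warning "$Clsid is not blocked by Add-on Management policy on this machine."
}
```

Run it in the affected user's session after a policy refresh, since the HKCU result depends on whose hive is loaded.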



 
 
RRE
Guest
Posts: n/a

 
      02-11-2009
Hi Jonathan,

Thanks very much for your help and assistance.

I was wrong regarding the software restrictions GPO. What was configured at
the actual customer was "don't run specified Windows Applications" under
user configuration->Adm templates and System and then msmsgs.exe and
msnmsgr.exe were applied as the execution files. But what I know of these
will only be "protected" if you run them through the explorer, and not if
you, i.e., try to execute them through the command line, am I right?

I will take a close look at your suggestions and will post back if I might
have any follow up questions.

Regards,
Richard


 
 
Jonathan Kay [MVP]
Guest
Posts: n/a

 
      02-12-2009
Hi Richard,

I'm not sure about the Command Line vs Explorer, although I believe it should be the same.
I'm sure you can test this out on your own and it is a bit beyond the scope of this newsgroup
anyway.

One thing I'm wondering is if this is the only way they're blocking Messenger in their
environment. What's to stop someone from using a third-party Messenger client from a USB
drive for instance?

--
Jonathan Kay
Microsoft MVP - Windows Live Messenger
MSN Messenger/Windows Messenger
MessengerGeek Blog: http://www.messengergeek.com
Messenger Resources: http://messenger.jonathankay.com
(c) 2009 Jonathan Kay - If redistributing, you must include this signature or citation
--



 