Logging into hotmail will circumvent Windows Messenger GPO restriction

Discussion in 'Windows Live Messenger' started by RRE, Feb 10, 2009.

  1. RRE

    RRE Guest

    Hi,

    A customer of ours showed a way to circumvent the applied Domain-GPO which
    prevents use of Windows Messenger for some of their domain users and
    computers. They have also applied software restrictions on certain files
    that MSN or Windows Live Messenger make use of to tighten this even further.

    But when a user logs on to to their hotmail on the web to view their
    personal e-mails using their ownWindows Live ID, this somehow triggers the
    installed MSN/Windows Live Messenger application to execute and get started
    though there is a GPO applied that should prevent this!

    How can this be, is it a bug? Is it because there are certain settings in
    the messenger application (under tools/options/security settings) that may
    trigger this behaviour? How can we prevent this form happening so it won't
    execute when an user logs on to hotmail? We still want the MSN/Windows Live
    Messenger to be installed on the local computer. Is there any special .adm
    template available to tighten messenger usage even further?

    Thanks in advance for any help and assistance
    Regards,
    Richard
     
    RRE, Feb 10, 2009
    #1
    1. Advertisements

  2. Greetings Richard,

    I guess it depends what they're using in these GPOs. As I'm sure you know, there's no
    special Messenger GPOs for anything beyond Windows Messenger (and MSN Messenger/Windows Live
    Messenger just ignore the Windows Messenger ones).

    The reason why this might work is because Messenger is called in Hotmail by its COM control,
    which automatically starts it up. This might circumvent the normal execution process (note
    I'm not in a position to test this thoroughly at the moment) and software restriction
    policies (I'm guessing that's the GPO setting you're referring to).

    Fortunately you can actually block Hotmail (any other related Microsoft site) from starting
    Messenger. Pop open IE on any machine with Messenger, choose the Tools menu, Manage Add-ons
    and Enable or Disable Add-ons. Show the entries that run without requiring permission and
    the specific entry you'll want to disable is "Windows Live", which corresponds to the
    "MSGSC1~1.DLL" file which in the latest 2009 release will correspond to \Program
    Files\Windows Live\msgsc.14.0.8050.1202.dll and CLSID is
    {E1771B7F-98BE-407F-BA67-AA16ADA5D0C5}.

    Now beyond this UI to disable this in IE, there's registry entries and GPOs, The GPO can be
    found in the policy editor at: Computer Configuration or User Configuration, expand
    Administrative Templates, expand Windows Components, expand Internet Explorer, expand
    Security Features, and then click Add-on Management.

    There's a KB article that goes into detail:
    http://support.microsoft.com/kb/883256

    If you need more help, post back.

    --
    Jonathan Kay
    Microsoft MVP - Windows Live Messenger
    MSN Messenger/Windows Messenger
    MessengerGeek Blog: http://www.messengergeek.com
    Messenger Resources: http://messenger.jonathankay.com
    (c) 2009 Jonathan Kay - If redistributing, you must include this signature or citation
    --
     
    Jonathan Kay [MVP], Feb 11, 2009
    #2
    1. Advertisements

  3. RRE

    RRE Guest

    Hi Jonathan,

    Thanks very much for your help and assistance.

    I was wrong regarding the software restrictions GPO. What was configured at
    the actual customer was "don't run specified Windows Applications" under
    user configuration->Adm templates and System and then msmsgs.exe and
    msnmsgr.exe were applied as the execution files. But what I know of these
    will only be "protected" if you run them through the explorer, and not if
    you ie. try to execute them through the command line, I'm right?

    I will take a close look at your suggestions and will post back if I might
    have any follow up questions.

    Regards,
    Richard
     
    RRE, Feb 11, 2009
    #3
  4. Hi Richard,

    I'm not sure about the Command Line vs Explorer, although I believe it should be the same.
    I'm sure you can test this out on your own and is a bit beyond the scope of this newsgroup
    anyway.

    One thing I'm wondering is if this is the only way they're blocking Messenger in their
    environment. What's to stop someone from using a third-party Messenger client from a USB
    drive for instance?

    --
    Jonathan Kay
    Microsoft MVP - Windows Live Messenger
    MSN Messenger/Windows Messenger
    MessengerGeek Blog: http://www.messengergeek.com
    Messenger Resources: http://messenger.jonathankay.com
    (c) 2009 Jonathan Kay - If redistributing, you must include this signature or citation
     
    Jonathan Kay [MVP], Feb 12, 2009
    #4
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.