Can group policy block streaming audio and video on a Windows Server 2003

  • Question

  • I have a task to reduce or block streaming audio and video in a work environment. There is a Cisco PIX firewall in the network; however, it is controlled by another consultant. He is a little difficult to work with. However, I would like to save a few guys' jobs by preventing them from the internet radio. Can I accomplish this with a group policy?

    Thanks,
    ecscomp
    Wednesday, May 27, 2009 7:04 PM

Answers

  • Streaming media servers can use:

    HTTP (80/8080)
    RTMP (1935) Macromedia Flash Media Server
    PNM/PNA (7070) RealAudio (older versions)
    RTSP:RTSPU/RTSPT[RTP/RDT] (554)
    MMS:MMSU/MMST (1755) Microsoft Media Services

    You could attempt to block by port or protocol on the firewall, although HTTP streaming would still be available. Therefore, your only options to control that would be to:

    1. Block Flash/WMP/other
    2. Implement site whitelists/blacklists
    3. Go full out with deep packet inspection


    With the first option, you can use group policy (software restriction policy) to accomplish the task. The second could be done with group policy, but it is not an optimized solution (large hosts files or many restricted sites in Internet Explorer will slow machines down). The third option will be the most effective at blocking video/audio traffic and can be done with Cisco PIX:

    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_white_paper0900aecd8057f042_ps2030_Products_White_Paper.html


    Although, blocking Flash would probably be the easiest/most effective, as most sites use it for audio/video, and it probably doesn't serve much of a business function in most organizations. Moreover, you might be able to deploy with group policy (if it doesn't interfere with legitimate use) by blocking files by extension (.avi, .mov, .wmv, .mp4, .mpg, .mpeg, .mp3, etc.) using software restriction policy.

    • Edited by Ryan Capp Thursday, May 28, 2009 7:18 AM
    • Marked as answer by Mervyn Zhang Thursday, June 4, 2009 1:10 AM
    Thursday, May 28, 2009 6:54 AM
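
The port list in the answer above, applied to connection records as an added example (not part of the original thread): it totals traffic per host on the ports a firewall rule could block and separately lists large HTTP flows, which port blocking cannot tell apart from normal browsing. The CSV layout, the sample rows and the byte threshold are constructed assumptions.

```python
import csv
from collections import defaultdict
from io import StringIO

# Ports taken from the answer above. HTTP is kept separate because
# blocking 80/8080 would also block ordinary web browsing.
STREAMING_PORTS = {1935: "RTMP", 7070: "PNM/PNA", 554: "RTSP", 1755: "MMS"}
HTTP_PORTS = {80, 8080}

# Constructed sample in a hypothetical export format: src_ip,dst_ip,dst_port,bytes
SAMPLE_LOG = """\
10.0.0.21,203.0.113.5,1935,48211934
10.0.0.21,203.0.113.9,80,51234
10.0.0.34,198.51.100.7,554,9120033
10.0.0.34,198.51.100.8,8080,73400211
10.0.0.52,192.0.2.44,443,88120
10.0.0.52,198.51.100.20,1755,2200100
10.0.0.21,203.0.113.5,1935,1000066
not,a,valid,row
"""


def summarize(log_text, http_bytes_threshold=50_000_000):
    """Return (blockable, http_suspects).

    blockable: {src_ip: {protocol: total_bytes}} for ports a port rule can stop.
    http_suspects: [(src_ip, dst_ip, bytes)] for large HTTP flows that a port
    rule cannot separate from normal browsing (threshold is an assumption).
    """
    blockable = defaultdict(lambda: defaultdict(int))
    http_suspects = []
    for row in csv.reader(StringIO(log_text)):
        try:
            src, dst, port, nbytes = row[0], row[1], int(row[2]), int(row[3])
        except (IndexError, ValueError):
            continue  # skip malformed lines instead of aborting the report
        if port in STREAMING_PORTS:
            blockable[src][STREAMING_PORTS[port]] += nbytes
        elif port in HTTP_PORTS and nbytes >= http_bytes_threshold:
            http_suspects.append((src, dst, nbytes))
    return {s: dict(p) for s, p in blockable.items()}, http_suspects


if __name__ == "__main__":
    by_host, suspects = summarize(SAMPLE_LOG)
    for host, protos in sorted(by_host.items()):
        print(host, protos)
    for src, dst, nbytes in suspects:
        print("large HTTP flow (not port-blockable):", src, "->", dst, nbytes)
```
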
  • Yes, you can use certain GPOs to block access to Windows Media Player, and in combination with IPSec to block the ports from going in/out your server.


    Or you just delete software when deploying an OS. Should be possible. Control Panel > Software > Add/Remove Windows Components. See here how to do that. There must be something to integrate that in a logon script.

    See here how to do that for an XP Client:

    http://support.microsoft.com/default.aspx/kb/934372
    Certifications: MCSA 2003 Studying for MCSE 2003
    Friday, May 29, 2009 2:07 AM
  • Hi,

    Thank you for posting here.

    According to your description, I understand that you would like to reduce or block streaming audio and video in a work environment by Group Policy. If I have misunderstood the problem, please don't hesitate to let me know.

    I agree with Ryan, considering you cannot control the Cisco PIX firewall directly, Software Restriction Policies is the best option for you. If you would like to try Software Restriction Policies, you have two choices:

    1.    Restrict Software:

    Add Real Player, Flash Player, Media Player and their ActiveX control files to the restricted list. Add other software if necessary. If so, users will not be able to open that software and cannot play media locally.

    2.    Restrict media files:

    Add selected streaming file types (.avi, .mov, .wmv, .mp4, .mpg, .mpeg, .mp3, etc.) to Designated File Types to restrict them so that users could play files of allowed types.

    To balance restriction and flexibility, it's also suggested to configure Mandatory Internet Explorer Settings policies to restrict some websites. To do so:

    1.    The Computer Configuration\Administrative Templates\System\Group Policy\Internet Explorer Maintenance policy processing setting must be configured to process settings even if they have not been changed.

    2.    All of the settings in the User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel node must be enabled.

    3.    Configure [User Configuration\Windows Settings\Internet Explorer Maintenance\Security\Security Zones and Content Ratings], add sites to Restricted Sites.

    If you need more information or advice, please let us know.

    Thanks.

    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Marked as answer by Mervyn Zhang Thursday, June 4, 2009 1:10 AM
    Friday, May 29, 2009 3:22 AM

All replies

  • Hi,

    Have you tried the suggestions? Any update is welcomed. If there is any problem, please let us know the detailed error message.

    Thanks.

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Tuesday, June 2, 2009 9:32 AM
  • I searched on Google how to block Flash through Software Restriction Policy. I have added the following two paths as blocked in SRP\Additional Rules:

    C:\WINDOWS\system32\Macromed\Flash

    C:\WINDOWS\SysWOW64\Macromed\Flash

    And in SRP\Enforcement, I have selected "All Software files" instead of "All software files except libraries (such as DLLs)"

    But this does not block Flash.  Is there anything I am missing?

    Monday, May 14, 2012 5:31 PM