This week I received a question from Scott:
“Hi Steve,
Management at my company wants to block AIM (AOL Messenger) on all computers. Because some of the machines are not joined to the domain I want a way to do this from a script. The port is 4099 TCP btw. Thanks!”
I spoke with Scott and determined that all of his systems are running Vista or Windows 7 (important, since this tip won’t work on XP).
This can be done by adding an outbound rule to the built-in firewall.
But, as Scott said, he wants to do it from the command line.
This is easy using the ‘netsh’ command.
To block the port we call it like this:
netsh advfirewall firewall add rule name="BlockAIM" protocol=TCP dir=out remoteport=4099 action=block
Let me explain each setting:
name = The name of the rule. (Pick something descriptive.)
protocol = The protocol we are going to block (TCP or UDP in most cases).
dir = The direction of the traffic the rule applies to. Can be IN or OUT.
remoteport = The port on the remote host that is going to be blocked.
action = Either block or allow. In our case we want to block the connection.
Once you run the command above, all outbound TCP connections to port 4099 on any host will be blocked, and the rule appears in the Windows Firewall rule list.
If you want to remove the rule from the command line, you can call netsh like this:
netsh advfirewall firewall delete rule name="BlockAIM"
That is all there is to it. One line to add a rule, and one line to remove.
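Since Scott needs to push this to machines that are not on the domain, here is an added example (not from the original post) that wraps the two netsh commands above in an idempotent PowerShell script: it checks whether the rule already exists before adding or deleting it, and verifies afterwards that the rule is enabled and set to Block. The rule name and port are the ones used in the article; the -Remove switch and the Test-RuleExists helper are my additions.

```powershell
# Added example: idempotent add/remove of the BlockAIM outbound rule via netsh.
# Run from an elevated PowerShell prompt on Vista / Windows 7 or later.
param(
    [string]$RuleName   = "BlockAIM",   # rule name from the article
    [int]   $RemotePort = 4099,         # AIM port given by Scott
    [switch]$Remove                     # hypothetical switch: delete instead of add
)

function Test-RuleExists {
    param([string]$Name)
    # 'show rule' prints "No rules match the specified criteria." when the rule is absent
    $text = (netsh advfirewall firewall show rule name="$Name" 2>&1) | Out-String
    return -not ($text -match 'No rules match')
}

if ($Remove) {
    if (Test-RuleExists $RuleName) {
        netsh advfirewall firewall delete rule name="$RuleName" | Out-Null
        Write-Host "Removed rule '$RuleName'"
    } else {
        Write-Host "Rule '$RuleName' not present; nothing to remove"
    }
    exit 0
}

if (Test-RuleExists $RuleName) {
    Write-Host "Rule '$RuleName' already exists; skipping add"
} else {
    # profile=any applies the rule on domain, private and public networks,
    # which matters for laptops that move between networks.
    netsh advfirewall firewall add rule name="$RuleName" protocol=TCP dir=out `
        remoteport=$RemotePort action=block profile=any enable=yes | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh failed to add rule '$RuleName'" }
    Write-Host "Added rule '$RuleName'"
}

# Verify the deployed rule: it must be enabled and its action must be Block,
# otherwise the machine is not actually protected by the policy.
$detail = (netsh advfirewall firewall show rule name="$RuleName") | Out-String
if (($detail -match 'Enabled:\s+Yes') -and ($detail -match 'Action:\s+Block')) {
    Write-Host "Verified: '$RuleName' is enabled and set to Block"
} else {
    Write-Warning "Rule '$RuleName' is present but not enabled/blocking:`n$detail"
}
```

Run it with no arguments to add and verify the rule, or with -Remove to take it off again; re-running either form is safe because the script checks the current state first.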
I think a firewall would be a much more robust solution, Steve.
Hello Mike,
Yes, a firewall would be better. But in Scott’s case, he did not have control over the network these computers would reside on (they are laptops). In addition, they are not joined to the domain, so he could not use group policy.
Finally, I did not write it in the article…he was asked by management to make this happen without spending any money on hardware or software.
So I think with those conditions in place, it is an ideal solution. True it will never stop the technical users…but at least you have something in place.
Thanks for the tip, Steve. Like you said, there are more ideal solutions, but hey, when your options are limited this is better than nothing.
I was wondering if you can do this on a LAN and block TCP port 80, but block the MAC address instead?