4

We have a Windows (7 Pro) workstation LAN, managed via Group Policy. Lots of our users run Dropbox. Security concerns aside, one of our netadmins says that our routers/firewalls are handling and blocking tons of UDP broadcast traffic, and they want it to stop. We tracked the traffic to Dropbox's LAN Sync functionality.

Most users on our network don't use LAN Sync (they only have one workstation on the network), but almost everyone with Dropbox, it seems, has it turned on.

Is there a way to centrally disable LAN Sync for Dropbox, for all Windows workstations in a GPO-managed LAN?

The solution doesn't have to be nice and state-based like a true GPO; it can be as simple as a scheduled task that runs something on all workstations daily to disable LAN Sync. Heck, the solution doesn't even have to be a GPO--we can use PS_EXEC to push programs to workstations from the domain controllers. I am just hoping to avoid manually reconfiguring all users' Dropbox applications. Users are local admins, so if they really want to turn LAN Sync on, they can.

Aside: there is literally zero chance of getting management to agree to ban/remove either Dropbox or users' admin privileges.

What I've Tried:

Initially, I figured there would be a GPO-manageable registry key for it. No dice, it turns out; Dropbox keeps all of its configs in a SQLite file.

Then I tried using this script to modify the SQLite file, but newer versions of Dropbox don't seem to have an externally-modifiable config.

Zac B
  • "Aside: there is literally zero chance of getting management to agree to ban/remove either Dropbox or users' admin privileges." - This being the case, are you sure it is ok to mess with Dropbox's connectivity with the outside or is management going to get upset? Considering what you said, you may want to clear whatever you are going to do with management first. – August Oct 31 '12 at 14:45
  • That's not a problem, since nobody uses the LAN sync functionality. That functionality is only useful if you have two workstations on the same LAN with your Dropbox installed on both. Management is okay with it, mostly because the netadmins have a fair amount of clout. – Zac B Oct 31 '12 at 14:48
  • I'm intrigued by the desire of network admins to disable LAN Sync (my own included). The traffic I see generated by DropBox LAN Sync is 1 packet every 30 seconds per user, of about 100-300 Bytes (average is about 150B). That's ~5B/s/person, 2 packets/minute/person. Even with 1000 users on a single network it's not *that* much? I would have thought this'd be such a trivial amount of traffic for most networks that it's not even worth investing time to turn it off? – drfrogsplat Mar 18 '13 at 05:42
  • @drfrogsplat there might not be a technical issue with this one thing as such, but a bit here and a byte there on dozens and dozens of "I don't see what harm it's doing" type apps across 1000 machines and pretty soon you're talking about real traffic. If we're being asked by the business to maintain a level of quality of service for "important" traffic on a LAN then eliminating un-needed traffic is justifiable. There's also another very serious concern over the suitability (and in some areas, the legality) of using personal cloud storage such as dropbox, skydrive, etc. in business scenarios. – Rob Moir Mar 18 '13 at 09:03
  • Further to my previous comment, it looks like the main concern (for my IT administrator anyway) is the **wifi broadcasting**. Apparently this takes up a noticeable chunk of 'airtime' as the broadcasts have to happen at the slowest speed the AP supports (or something to that effect) so affects wifi more significantly than one might assume from small, occasional packets. – drfrogsplat Mar 26 '15 at 01:50

2 Answers

5

One alternative would be to create a rule in Windows Firewall that blocks outbound traffic to the port ranges (or even from the actual program creating the traffic) you are seeing in group policy. That would take the load off the network devices.

Create an Outbound Port Rule on Windows 7, Windows Vista, Windows Server 2008 or Windows Server 2008 R2

This may/should also result in DropBox itself disabling LAN Sync (based on the DropBox LAN Sync help page):

> If Dropbox detects a firewall preventing access to your LAN, it will turn off LAN sync in your Dropbox preferences automatically.

drfrogsplat
August
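One way to script the outbound block described in the answer above, as an added example that is not part of the original answer. It assumes LAN Sync uses port 17500 (the page does not give the port, so confirm it against the traffic you captured), and the rule names are made up for illustration. It calls `netsh advfirewall` so that it runs under the PowerShell 2.0 that ships with Windows 7, and it must run elevated, for example as a GPO computer startup script or pushed with PsExec as the question mentions.

```powershell
# Added example: idempotent outbound block rules for Dropbox LAN Sync.
# Safe to run at every startup: existing rules are detected and left alone.

# Assumption: 17500 is the LAN Sync port. Replace it with the port your
# packet capture shows if it differs.
$Port = 17500

# Hypothetical rule-name prefix, chosen for this example (no spaces, so no
# quoting problems when the name is handed to netsh).
$Prefix = 'Dropbox-LANSync-Block'

$failed = $false
foreach ($proto in 'UDP', 'TCP') {
    $name = "$Prefix-$proto-Out"

    # 'show rule' exits non-zero when no rule with this name exists.
    & netsh advfirewall firewall show rule "name=$name" | Out-Null
    if ($LASTEXITCODE -eq 0) {
        Write-Output "Already present: $name"
        continue
    }

    # Build the argument list explicitly so each tag=value pair reaches
    # netsh as exactly one argument.
    $netshArgs = @(
        'advfirewall', 'firewall', 'add', 'rule',
        "name=$name",
        'dir=out',
        'action=block',
        "protocol=$proto",
        "remoteport=$Port",
        'profile=any'
    )
    & netsh $netshArgs | Out-Null

    if ($LASTEXITCODE -ne 0) {
        Write-Output "FAILED to add: $name (is the script running elevated?)"
        $failed = $true
    } else {
        Write-Output "Added: $name"
    }
}

# Non-zero exit lets the deployment tool flag machines that need attention.
if ($failed) { exit 1 }
```

Because the users here are local admins, they can delete rules added this way; defining the same rules in the GPO's Windows Firewall with Advanced Security node instead makes them policy-enforced.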
1

Create a GPO to block the dropbox.exe file from opening.

User Configuration > Policies > Admin Templates > System > Policy > Don't run specified Windows applications.

We use this to also block a lot of the instant messaging apps for a particular department.


Chetan Bhargava
user160067
  • This goes a bit beyond what was requested, in that it'll entirely prevent the use of dropbox synchronisation (which doesn't seem to be the intent of the question). – drfrogsplat Mar 26 '15 at 01:46