Securing WIN9x Workstations with Policy Editor

Features:
* Low cost, zero setup school Proxy Server
* Lots of useful stuff about networks
* Guide to MS Outlook scheduling
* How to setup email validation using DNS.
* How to secure WIN9x workstions with Poledit.
* Complete set of Linux manuals and How-To's.
* Eric & Randy: Not_Works archives.
Original source was an on-line discussion hosted by PC Magazine (Date ??\??\??). Most of the procedures came from Richard Turner, Augusta, Georgia (email unknown). This modified and extended version was posted by SAAS in June 1999. As usual, all kudos to Richard and all feedback or complaints to SAAS ;^).

Introduction:
Shared PC workstations, such as those in schools, often require a high degree of system protection to prevent abuse. The Windows 95 and 98 CD-ROM distributions include a tool to implement restrictive policies on such machines by using the Policy Editor (POLEDIT) software application.

There are a whole range of third party utilities claiming to offer solutions for secure operation of WIN9x workstations - most of them are either OK but costly, incomplete, or simply re-badged hacks of the POLEDIT programme itself.

Schools using Novell IntraNetware versions 4.11 and later may prefer the Novell Z.E.N. Works © (ZENWorks) management software - a lite version is available for free download from Novell.

Most of the workstation policies provided by ZENWorks are identical to those available in WIN9x Policy Editor... except that the Registry Editing and Policy editing is done from within the NDS management interface (NWAdmin95 and similar) instead of using POLEDIT directly.

Unfortunately, ZENWorks includes no detailed documentation about the local registry changes on WIN9x workstations, and the Windows 9x Resource Kit, Poledit documentation doesn't tell you how to use POLEDIT for the protection of standalone computers!

For anyone who doesn't have the time to learn the intricacies of Novell ZENWorks or Policy Editor for network administration, here is a (relatively) simple way (if you methodically follow the steps below) to to use Policy Editor for control of both Standalone and Networked WIN9x workstations.

The following is designed to meet the needs of the average computer co-ordinator - stuck between a rock and a hard place: Novell Administrators who already have expertise in using ZENWorks and\or Policy Editor probably won't need to use the following procedures.

This solution works best for stand alone PC's that are shared by a small number of users - or shared by a large number of users with generic login names. The down-side is, that for this to work properly requires that you turn on WIN9x User Profiles. It can also result in increased admin overhead, password security issues and significant loss of disk space... Using ZENWorks results in similar, serious but non obvious, problems.

Turning on User Profiles does allow users to store personal preferences in their home directories on the server instead of on the local HDD and this is definitely the best way to use this solution if you have lots of users sharing a few workstations (the additional settings required to control that are not included as part of this discussion).

If you intend to use this setup for computers that will connect to a network, it is best to do disconnect the workstation from your network during the setup procedure. After your new worksation setup is complete, it is OK to re-connect the workstation to your network in the normal manner.

After connecting to the network, depending on how you have set up your client software, you may find that unique user preferences are being stored on the server (in each user's home folder). At any time in future, you may safely delete these preferences (while the user is off-line) ; A new set of (clean) preferences will automatically be created (based on the default settings created below) the next time the user logs in to the network.

WARNING!: Use of the Policy Editor may completely destroy life as you know it. No guarantee or responsibility is given\taken for any disasters that may eventuate. In the event you break something, the only guarantee is that you get to keep all the pieces - if you can find them ;^).

Workstation Security Using The Win9x Policy Editor

  1. First Things First - Backup!:
    Make backup copies of your current C:\WINDOWS\USER.DAT and C:\WINDOWS\SYSTEM.DAT files to clean floppy disks, or to a new folder created for that purpose on the local HDD. If all else fails, or if you totally stuff up the following procedures, you should be able to restore all original settings by copying these two files back to their original location, (over-writing your newly stuffed up files of the same name), and then re-boot!
  2. Disk Preparation:
    Note that after following the steps below, each attempt by a user to log on with a new name will create a new folder inside C:\WINDOWS\PROFILES which will containing a copy of USER.DAT. You'll want to periodically delete all such folders except Student, Administrator, and Dummy . You can automate that by including appropriate commands in the C:\AUTOEXEC.BAT file.

    In addition to the above, you should have at least 32MB free on the local Windows HD drive (to hold any new user profile information).

  3. Turn On WIN9x User Profiles:
    Launch the Password applet in Control Panel. From Control Panel, enable User Profiles. Click the User Profiles tab, click the option Users can customize..., and check the two check boxes. Click OK; Windows will restart.
  4. Create New User Profiles:
    When Windows restarts, log on as a new MSWindows user called Student using a blank (or similarly easy) password. Allow Windows to create new folders to hold your profile information. Shut down and log on again as a new MSWindows user called Administrator (use a secure password!) and, again, wait for Windows to create the new profile folders. Don't forget your new Administrator password!
  5. Restrict Access to Programs:
    While still logged on as Administrator, use MS Explorer to navigate to C:\WINDOWS\PROFILES\USER\START MENU. In this folder and any folder below it; delete any shortcuts in the Recent folder and shortcuts to programs such as Poledit, Regedit, and Explorer... and to any other programs that other users should notbe able to run.
  6. Install Policy Editor:
    Install a copy of WIN98 Policy Editor (see below): The WIN98 copy is preferred - even if you are running WIN95 (as it allows loading of multiple *.adm configuration files). The WIN95 copy is OK to use for WIN95 machines that don't have WIN98 Policy editor available. If you don't have a icopy of the WIN9x CD, you can download POLEDIT from http://www.microsoft.com/.

    To install Poledit, run the Add/Remove Software applet in Control Panel, click the Windows Setup tab, and press the Have... button. Navigate to the POLEDIT folder on the CD-ROM (or in your download folder), Right Click on POLEDIT.INF and choose Install. This will install POLEDIT and place it on the Accessories\System Tools submenu of the Programs menu. It will also place the critical policy template file ADMIN.ADM in the C:\WINDOWS\INF directory.

    If you are using the POLEDIT released with WIN98 you can load multiple *.adm files: That allows you to set additional policies for products such as Internet Explorer, MSOffice etc: HINT - Search your software distributions for additional *.adm files!

  7. Define a Default User Policy:
    Run POLEDIT and from the File menu, create a new Policy (*.pol) file. Add at least two new users - named Student and Administrator. Double-click the Default User icon, select System | Restrictions , and check all four boxes. Select Shell | Restrictions and check the four boxes whose captions begin with Remove, plus the two that say Hide All Items on Desktop and Don't Save Setting at Exit.

    Do not check the Disable Shut Down box.

    Next, use Explorer to create a folder named C:\WINDOWS\PROFILES\DUMMY

    In POLEDIT, select Shell | Custom Folders and check all the boxes, filling in the path to the Dummy folder you just created (for those boxes that require that you to supply a path). Click OK and save the file using the filename CONFIG.POL.

  8. Define The Student Policy:
    Find and load the example policy file called MAXIMUM.POL (this example file is supplied as part of the Poledit software distribution). Click on the Default User icon, and choose Copy from the Edit menu.

    Reload CONFIG.POL, click on the Student icon, and select Paste from the Edit menu. Doubleclick the Student icon and choose Shell | Custom Folders. Click on the text of each check box in turn and, if an edit box appears below, replace the path C:\WINDOWS with the new path C:\WINDOWS\PROFILES\STUDENT. Make sure all boxes remain checked. Select Control Panel | Passwords and check the Restrict box; then check the other four boxes that appear below it.

    Under Shell | Restrictions, check Remove Run command, Remove Find command, Hide Drives in My Computer, and Don't Save Settings at Exit . Consult the Windows Resource Kit Help to determine what other restrictions you may wish to add.

    Again, be sure not to check Disable Shut Down command.

    Now go to Shell | Restrictions and System | Restrictions and change any grey check boxes to blank white.

  9. Define the Administrator Policy.
    Double-click the Administrator icon and go through the entire list of restrictions, setting every check box to blank white, not grey. This protects the Administrator policy from being affected by the restrictions placed on the Default User policy.
  10. Define the Unauthorised User Policy.
    Start to Log on again , but before you logon, press the [Esc] key . When you press [ESC], the log-on prompt should close and windows should start. After windows loads, run POLEDIT, select Open Registry from the File menu, and double-click Local User.

    Apply all the same restrictions to Local User that you applied to Default User above.

    Finally, quit windows and log on as Administrator again.

  11. Enable Policy Loading:
    Run POLEDIT and load the CONFIG.POL file. Open the Default Computer icon, select System, and check Enable User Profiles. Under Network\Update, check Remote Update. Select Manual for the Update Mode, and enter C:\WINDOWS\CONFIG.POL as the path. Save the CONFIG.POL file into the C:\WINDOWS folder. Now select Open Registry from the File menu, double-click Local Computer, and make the same path change to the Network Update Mode. Save the changes and exit POLEDIT.
  12. Test The New Policies:
    Log on to WIN9x as Student; check to see that the policy restrictions you specified are in place.

    Log on to WIN9x as Administrator and check that you have full, unrestricted access to all programs and settings applets (Control Panel).

    Now shut down and log on again, but use a new name and password. There should be no icons on the desktop and no programs available from the Start Menu (no other option but to log on again or turn off the machine!).

    Log on in to WIN9x again, but instead of supplying a user name, press the [Esc] key at the log-on prompt (to bypass entering a user name). When Windows loads, you should have no option but to shut down and start all over again!

  13. Protecting Your New Policies:
    Log on as Student, experiment and confirm that there is no way to run POLEDIT (move Poledit.exe to a floppy disk, and run it from floppy instead of from HDD when making future changes if you prefer).

    For increased safety, also move the C:\WINDOWS\INF\ADMIN.ADM file off of the HDD and onto the floppy disk you use for poledit.exe (as mentioned above) or change the file named ADMIN.ADM (in the C:\WINDOWS\INF folder) to some other name (HarmLess.adm for example!). You should also store a backup copy of your new C:\WINDOWS\CONFIG.POL file on the same floppy disk.

    Make the following changes:

    Edit C:\CONFIG.SYS to include the lines:
    BREAK = OFF (disables CTL+C)
    SWITCHES= /F /N (disables SHIFT+F5 and SHIFT+F8)

    and...

    SWITCHES /N in the D*SPACE.INI ( help to prevent users pressing CTL+F5 and\or CTL+F8 to bypass D*SPACE.BIN at startup).

    Use the DOS command ATTRIB (or your favourite properties editor) to remove the Read-only, Hidden, and System attributes from the file C:\MSDOS.SYS. Then load C:\MSDOS.SYS into an ASCII text editor. In the file, look for a heading called [Options] and change the Bootkeys =   key to   Bootkeys=0

    If the [Options] key is missing, simply add it and then enter the extra Bootkeys information yourself! Save the file and then restore the Read-only, Hidden, and System attributes to the C:\MSDOS.SYS file.

    Finally, use the BIOS\CMOS SETUP program to disable boot from floppy (if that - or a similar option - is available), and then password protect your new CMOS settings and re-start with your new setup.

    All the changes in the above section help prevent the use of CTL+C and other key press combinations to break out of the WIN9x startup process but don't forget that all of these changes can reversed by a knowledgeable and determined user!

  14. Enjoy!

No Frames! | Search | About SAAS | Clients | Courses | Solutions | Feedback | Bookmark | Translate

Telephone: +61-2-9981-6864 - Fax: +61-2-9981-4771

Copyright © 1992-2001 Studio of Arts And Sciences.
    W3C code validation

  Site Menu
       home
       about us
       projects
       clients
       solutions
       training
       feedback
       search
       schoolRadio
       bookmark