"Bombproofing" Win95 User PCs (II) (fwd)

Roy Tennant rtennant at library.berkeley.edu
Thu Apr 25 13:02:30 EDT 1996


A link to this message has been added from the "Best of Web4Lib" section 
of the Library Web Manager's Reference Center at:

http://sunsite.Berkeley.EDU/Web4Lib/faq.html

Thanks Ulrich,
Roy Tennant
Web4Lib Owner

---------- Forwarded message ----------
Date: Thu, 25 Apr 1996 08:21:09 -0700
From: Ulrich Babiak <v9100055 at athena.rrz.uni-koeln.de>
To: Multiple recipients of list <web4lib at library.berkeley.edu>
Subject: "Bombproofing" Win95 User PCs (II)

Hi all,

quite a while ago I asked for methods to set up user PCs with
Win95; I didn't get many responses (mostly suggesting additional security
software) and now, after some experimenting, I thought I'd just summarize
what I did and how it works for us without additional software.

Be forewarned, it's quite long and detailed ....

The bottom line is: You can use built-in windows tools and batch routines
to achieve some satisfying level of tamper-resistance, but some really
important holes remain.

Any additional suggestions are appreciated.

Uli 

here we go ---------------------------------------

We have:
3 User-PCs, 2 Staff-PCs and a small (only 16 M RAM) NT Server (if the
numbers seem small to you: we had to keep the internet-connected network
separate from the library office communication and OPAC network...)

Now here's what I did to set up the user PCs:
Basic stuff: disabling floppy boot, setting a BIOS password, setting
"BREAK OFF" in autoexec.bat, and also inserting a line "BootKeys=0" into
msdos.sys so that no user can interrupt the Win95 boot process, not
even by pressing F8.
Now for the Windows-specific stuff:
(note that I don't know the exact terminology of the English version
 of poledit; whatever I say here is derived from the German version and
 my knowledge of some Microsoft-specific vocabulary ...)
0. Created a user "public" on the server with minimal rights
1. Installed the policy editor (poledit.exe) on the server
   and set permissions adequately so that only admins can run it
   (to be clear: it is a Win95 program - I just keep it safe by storing
   the executable on the server. You can also keep it on a local hard drive)
   Installation of poledit (only available on the CD-ROM version of Win95)
   can be done with the control panel: Software-WindowsSetup-HaveDisk;
   it is somewhere in \admin\apptools or so on the CD-ROM
   To use poledit, you have to set up user-based security and enable
   user profiles in the control panel (under "passwords")
2. Edited the local registry of all user PCs (using the "open registry"
   feature of poledit):
   In the "local machine" section I enabled the requirement of network
   login at startup, so only users who are registered on the server can
   log in and use the PC. Otherwise, not only my predefined user "public"
   would be accepted by Windows95, but also any username typed in the login
   dialog box.
    (Downside: if the server is down, the machines are locked unless you
     reverse some of the security measures described before)
   In the "network" section I set up a login banner telling the users
   which login name and password to use.
   Finally, and most important, in the "update" section I enabled the
   "remote" option, so that the config.pol file (see below) is imported
   from the server into the local registry at login time
3. Created a file named config.pol with poledit.exe and placed it in the
   "netlogon" directory (share) on the NT server. You can do this with Novell,
   too, in the Mail directory, I think. In Config.pol, I created
   the user "public" (and other users). With poledit, restricting access
   to system-specific features of Win95 is quite easy. You can limit
   access to the control panel, to DOS programs, you can remove the desktop
   icons and the "programs" folder from the start menu, disable the "Run ..."
   Dialog box, hide the explorer and much more. Go ahead and try! But be
   careful not to set conflicting options in the local registry and in
   config.pol.
   So with config.pol I stripped down the user "public" and the default user
   to minimal access permissions - you could even go so far and explicitly
   list the programs they are allowed to execute.
   Be sure that at least one additional user exists who has all the
   regular permissions.
4. Logged in as user "public" and made all the settings in every application
   that user is allowed to execute (well, EVERY application means Netscape
   and Telnet currently ...)
   All these settings are stored in the user.dat file of that specific user,
   in this case "public", in \windows\profiles\<user>
5. Logged off into DOS mode and made a copy of this user.dat 
6. Inserted  a command in autoexec.bat to replace the user.dat of the
   public user with the backup copy created in step 5 (first you have
   to take care of the attributes of user dat with "attrib -r -s -h")
 Now every time the PC is rebooted, all the settings are restored, so
 if someone changed, for example, the startup homepage or some important
 network settings, these changes are discarded.
7. Write protected the bookmark file
8. Ooof, that was it ....

Still unresolved: the ability to do all kinds of nice things
with the right mouse button within the "file-open" or "save-as"
dialog boxes in Netscape. Why not use one-button mice?  :-))
Ulrich Babiak             |       office  ubabiak at stbib-koeln.de
Dipl.-Netzer :-)          |       private v9100055 at athena.rrz.uni-koeln.de
StadtBibliothek Koeln     |       http://www.dom.de/FreiRaum/uli/ub.html
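The boot-time profile restore from steps 5 and 6 of the forwarded message, written out as an added example. This is not Ulrich's actual autoexec.bat: the profile path C:\WINDOWS\PROFILES\PUBLIC\USER.DAT, the backup name C:\ADMIN\USER.BAK and the IF EXIST guard are assumptions made here, and the msdos.sys lines in the comments are the "BootKeys=0" edit mentioned under "basic stuff".

```batch
@ECHO OFF
REM autoexec.bat for a locked-down Win95 public PC (added example, not the
REM original poster's file; all paths below are assumed).
REM
REM One-time companion edit, done by hand in DOS mode. msdos.sys is itself
REM read-only+system+hidden, so it has to be unprotected first:
REM     ATTRIB -R -S -H C:\MSDOS.SYS
REM     (add under the [Options] section:)  BootKeys=0
REM     ATTRIB +R +S +H C:\MSDOS.SYS
REM BootKeys=0 disables F4/F5/F6/F8 during startup, so the user cannot
REM interrupt the boot or drop to a command prompt.

REM Disable Ctrl+Break so this batch file cannot be interrupted either.
BREAK OFF

SET PROFILE=C:\WINDOWS\PROFILES\PUBLIC\USER.DAT
SET BACKUP=C:\ADMIN\USER.BAK

REM Added check: only restore when the admin's pristine copy really exists.
REM A missing backup must not silently leave the profile half-overwritten.
IF NOT EXIST %BACKUP% GOTO NOBACKUP

REM USER.DAT carries the read-only, system and hidden attributes; COPY
REM cannot overwrite a read-only file, so strip them, copy, then re-protect.
ATTRIB -R -S -H %PROFILE%
COPY /Y %BACKUP% %PROFILE% > NUL
ATTRIB +R +S +H %PROFILE%
GOTO END

:NOBACKUP
ECHO Warning: %BACKUP% not found, public profile NOT restored.

:END
```

Everything here runs as the machine boots, before anyone logs in, which is why the BIOS password, the floppy-boot lockout and BootKeys=0 have to be in place first: a user who reaches a DOS prompt or can edit autoexec.bat can simply delete the COPY line and keep whatever changes they made to the profile.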