Stoplight for Win 95 review

Bill Moseley moseley at netcom.com
Mon Jul 8 14:47:26 EDT 1996


A number of people have asked me to post a review of Stoplight for Windows
95 (by Safetynet http://www.safe.net/saftey/).  Stoplight is still a beta
program.

(I tested Win 95 versions of Fortres and Stoplight over the weekend.)


Stoplight works differently than most Windows security software.  Most
security programs work by limiting (or password protecting) what programs
can be run -- a menuing type of setup -- and what features can be used (such
as exit to DOS).  

Stoplight includes many of these features -- for example, you can disable
floppy reads or writes, prevent copying/renaming .exe/.com files (I was able
to bypass the security in Fortres by renaming COMMAND.COM), and prevent
attribute changes. Stoplight has a screen with probably a dozen check-boxes
for different security options.

I think the real security magic with Stoplight is how you can define file
and directory permissions on a user-by-user basis.  You can set up
directories (or files within a directory) with permission settings of read,
write, create, delete, and execute.

For example, you can turn off the execute permission for the entire C: drive
and then specify a few programs as read and execute.  This means that if
someone somehow downloaded a program onto the computer, they couldn't run it.

If you have a number of different users you can give each user a directory
(and all subdirs of that directory) as a private directory.  The directory
would not be available to other users that don't have permission to that
directory.  With multiple users the computer asks for a username and
password when booted.

If you don't have a number of different users (for example, a public access
computer) you can set it up to boot with a standard security setup.

Stoplight seems like it works more at the system level than at the shell
level like other security programs.  Fortres, for example, allows you to
"Disable the Start Menu", where in Stoplight you would set permissions on
the \windows\start menu\ directory.  Also, other security programs that
limit what programs can be accessed at the shell level (menu style programs)
don't do much for security once the program is running.  A user running
Netscape, for example, could set up a Netscape helper application to run
another program like COMMAND.COM.

The file permissions provided by Stoplight will sound very familiar to
Windows NT users.  It seems to me a lot like NT in setting up permissions.

One thing I look at when evaluating security software is: can you protect
the Windows directory?  It would seem to make sense that you would want to
make the Windows directory off limits since so many important configuration
and program files are stored there.

The problem is that the security software can't tell if it is the Windows OS
that is trying to access a file, or if it is some user's program.  Stoplight
has a web page that talks about setting up protection for the Windows
directory, but it reveals the holes in the security.

[ Now, I did look at a security program called IconHideIt for *Windows 3.1*
that did seem to prevent access to the Windows directory.  They have a beta
Win 95 version, but I haven't seen it.  (see
http://www.mclellansoft.com/iconhideit/)  Their Win 3.1 security program
basically limited access to a subset of Program Manager groups. ]

Stoplight also offers an audit log.  You can print reports of who and when
someone attempted something they shouldn't do.  (It's actually kind of a
cool tool - you can set it to log every file access and then go back and see
all the file operations going on in the computer.)

The installation of Stoplight was very smooth, but I did receive a GPF
during uninstall, though all that wasn't uninstalled was a reference in the
registry.

I've looked at a half dozen security programs now, and I think that
Stoplight is the best.  It does take more planning on how to set up the
permissions, but is probably more secure than other packages -- probably
because it works at the file level of the operating system instead of the
shell level of the user interface.  Check it out.

For a public access computer it seems like using the DOS hidden and readonly
attributes on files, making directories hidden, and using the built-in
security features of Windows one can build a rather secure computer without
the need for security software -- especially if you don't mind using the
Program Manager shell instead of the Explorer shell.  

But if you use your PC for many different users then something like
Stoplight is probably best.

Okay, if you made it this far here is some extra credit:

Before you buy security software take a look at the Policy editor that comes
on the Win 95 CD-ROM.  It includes the same Explorer shell security features
offered by many programs.

Plus, please use your CMOS security features that are built into your
computer.  The hard disk locking software provided with most security
programs will not protect your computer (for example, from a virus
infection) without using these features.  See your computer's manual for
details.


Bill Moseley
mailto:moseley at netcom.com


