HIT: Windows security and desktop protection

Michael Ming, Hung mmhung at hknet.com
Mon May 22 05:15:25 EDT 2000


I posted this question in 1998; sorry that I forgot to post this
HIT until today. Wah! 1.5 years later.


***********
X-Sender: lstrauss at mail.myhost.com
Date: Sun, 11 Oct 1998 23:38:58 -0400
To: "Michael Ming, Hung" <mmhung at HKNET.COM>
From: Linda Strauss <lstrauss at myhost.com>
Subject: Re: Win95 desktop protection

Windows 95 has (on the CD, or it can be downloaded from the Microsoft site)
system policies.  There was an article in PC Magazine a few summers ago with
very easy step by step directions on how to set it up.  I have the article
filed in school (I'm home, now) but this might give you what you need. 
Otherwise, tell me your snail mail address and I'll send a copy of the article
to you.
Linda

System Policy Editor
Use this tool to create or edit system policies to standardize the appearance
and capabilities of Windows 95 for a single user, a group of users, or the
entire network. 
You can create new policy files, or use the sample policy files included in
the ADMIN\RESKIT\SAMPLES\POLICIES folder.
To install this tool on your local hard disk, or to install support for group
policies, use the Add/Remove Programs option in Control Panel, select the
Windows Setup tab, click the Have Disk button, and install from the
ADMIN\APPTOOLS\POLEDIT directory.
For more information about system policies and System Policy Editor, see those
topics in the Windows 95 Resource Kit (WIN95RK.HLP).
This directory contains sample policy files and a sample custom policy
template for Windows 95 networks:
*  MAXIMUM.POL contains suggested policies for maximum network and desktop
security. 
*  STANDARD.POL contains suggested policies for moderate network and desktop
security. 
*  SAMPL1.ADM shows definitions of all custom controls that can be defined in
.ADM files.  
You can load the .POL files in System Policy Editor to view and change
contents. To implement the custom settings specified in the STANDARD.POL
policy file, you must replace the placeholders for custom folders with the
correct UNC path names for the network location that contains your custom
folders for Programs, Startup, Network Neighborhood, and Start Menu.
You can also view SAMPL1.ADM using System Policy Editor.  This sample file is
provided only for examining how such files are created. It is not intended
as a source for managing policies.  All text in sample controls appears in
English only.
For more information about policies and System Policy Editor, see the System
Policies information in the Windows 95 Resource Kit.

To create a new policy file
1 On the File menu, click New File.
2 To add a user, click the Edit menu, click Add User, and then type the
name of the person you want to set policies for.
 To add a computer name, click Add Computer, and then type the name of the
computer you want to set policies for. 
 To add a group of users, click Add Group, and then type the name of the group
you want to set policies for. 
3 To set policies for a user, group, or computer, click the icon you want to
set policies for, click the Edit menu, and then click Properties. Double-click
a book icon to see what settings are available. 

If a policy is checked, the policy will be implemented. For example, if
Disable File Sharing Controls is checked, then the user will not be able to
share folders over the network.

Tips

If a setting appears gray, it is ignored by Windows. This saves time when
logging on because Windows does not process every entry.
For more information about system policies, see the Windows 95 Resource Kit.


A user profile consists of user-specific information contained in the file
USER.DAT, which is one of the two files in the Windows 95 Registry.
Optionally, a user profile can also contain special Windows 95 directories.
The benefits of using user profiles are summarized in this section.
Multiple users on a computer can retain their personal settings.
“Roving” users can log on to the network from any computer and work with the
same desktop settings as long as the computer is running a Windows 95 32-bit,
protected-mode network client.
Windows 95 automatically maintains each user’s profile.
Whether profiles are stored locally or on the network, you need to enable user
profiles only for the computers where they will be used.
Mandatory profiles can be used to enforce consistent desktops.
System policies allow you to override local Registry values for user or
computer settings. Policies are defined in a policy (.POL) file, usually
called CONFIG.POL. When a user logs on, system policy settings overwrite
default settings in the Registry. You can also set system policies to contain
additional custom settings specific to the network.
Unlike SYSTEM.DAT and USER.DAT (the two files that make up the Registry),
CONFIG.POL is not a required component of Windows 95 Setup and, when
implemented, is stored on the logon server, not the local computer. The
following list summarizes the benefits of system policies.
System policies can be used to enforce system configuration.
You can restrict what users are allowed to do from the desktop and what they
are allowed to configure using Control Panel. Also, you can use system
policies to centrally configure network settings, such as the network client
configuration options and the ability to install or configure File and Printer
Sharing services. Finally, policies can be used to customize certain parts of
the desktop, such as Network Neighborhood or the Programs folder.
Registry settings can be changed by using System Policy Editor.
You can use System Policy Editor to change many common Registry settings,
either for an individual local or remote computer. You can use these settings
in a system policy file to change Registry values on multiple computers.
System policies can be applied individually or per group.
You can use group policies to define a set of policies to be applied on the
basis of membership in the groups already defined on a NetWare or Windows NT
network. Group policies make computer management on the corporate network
easier by leveraging the current administrative organization of users.
Windows 95 provides a set of policies that you can use to specify settings for
users. You can also add new Registry settings to this set of policies or you
can modify policy templates to create new custom policies for any applications
that use the Windows 95 Registry.
You can use system policies or mandatory user profiles to enforce user
settings. You should choose to use one method or the other, but not both. The
two features differ in the following ways:
· System policies let you mandate user-specific and computer-specific
settings. Mandatory user profiles let you mandate only user-specific settings.
· System policies let you selectively determine a subset of user settings to
control, and each user controls the remaining settings. Mandatory user
profiles always control every user-specific setting.

Before implementing user profiles, you should consider the following issues:
· Do you want to use system policies for user settings? If so, you must enable
user profiles on the computer. 
· What do you want to include in user profiles? For example, you might choose
to include the desktop, Start menu, or Network Neighborhood in the user
profile.
· Do you want user profiles to work across the network so that they are
available to roving users? If so, the computers must be running a 32-bit,
protected-mode network client. Also, you must make sure that each user has a
home directory on the network.
· Should mandatory user profiles be used? If so, you must copy the necessary
files to each user’s home directory.
If you want to make user profiles available on the network (rather than on
individual computers), you must perform the following preliminary steps:
· Install and run a 32-bit, protected mode networking client (such as Client
for NetWare Networks or Client for Microsoft Networks) on the computers.
· Make sure that the server supports long filenames for full user profile
functionality. If the server doesn’t support long filenames, only USER.DAT
will follow a user around the network. Users will not be able to download
other folders (such as those that support the Start menu and Network
Neighborhood configuration).
· For Microsoft networks, make sure that a network home directory exists for
each user because this is where user profiles are placed. (On Novell®
NetWare® networks, profiles are placed in the MAIL/user_ID directory, which
always exists.)
· For each computer, use the same names for the directory and the hard disk
drive in which Windows 95 is installed. If Windows 95 is installed in
C:\WINDOWS on one computer and in C:\WIN95 on another computer, some
components of the user profile will not be transferred between the two
computers. This is also true if Windows 95 is installed on different hard
disks on different computers (for example, C:\WINDOWS on one computer, and
D:\WINDOWS on another).


Before implementing system policies, you should consider the following issues:
· What types of restrictions and settings would you like to define and manage
centrally? For example, do you want to limit access to the MS-DOS prompt and
other applications or to Control Panel options, or do you want to implement a
standard desktop for all users?
· Do you want to use one set of standard settings for all users and computers,
or do you want to customize settings by groups of users? Also, do you want to
maintain individual settings for users and computers? Typically, you customize
settings by groups, where the majority of users are in groups such as
Accounting, Marketing, and so on, and a small group of individuals (such as
administrators) have special privileges. If so, you must install special files
to support group policies.
· Will you be using user system policies (as opposed to defining only computer
policies)? If so, user profiles must be enabled on the computers running
Windows 95, which in turn requires that the computers use 32-bit,
protected-mode network clients. 
· Do system policies in Windows 95 meet your system administration needs, or
do you need a more sophisticated system? If you need a high level of
administrative control, you might want to consider using a more sophisticated
management software tool, such as Microsoft Systems Management Server, rather
than System Policy Editor. For information, see Microsoft Systems Management
Server.

If you want to use system policies, you must perform the following preliminary
steps:
· On the administrator’s computer, install System Policy Editor from the
ADMIN\APPTOOLS\POLEDIT directory on the Windows 95 compact disc. Decide which
users can install and have access to this tool for modifying policies. For
most client computers, you probably will not install System Policy Editor.
· On the client computers, enable user profiles to ensure full support for
system policies. If user profiles are not enabled, only the computer settings
in any system policy will be written to the Registry.
· Install support for group policies on the client computers if your site will
use these. For information, see System Policy Editor.

Tip  You can enable user profiles and related settings automatically when
installing Windows 95 by using custom setup scripts. For information, see
MSBATCH.INF Parameters.

In Windows 95, user profiles contain configuration preferences and options for
each user. They are particularly useful when users are encouraged to customize
their computing environment, yet are forced to share computers with others who
are also customizing their environments. User profiles are also beneficial to
network administrators or help desk personnel who typically roam around,
accessing the network from a variety of locations. Such users can work
anywhere as if they were sitting at their own desks.
User profile settings include everything in the Hkey_Current_User section of
the Windows 95 Registry, such as the following:
· Control Panel settings and preferences for the Windows 95 user interface,
including settings for desktop layout, background, font selection, colors,
shortcuts on the desktop, the Start menu, and so on. 
· Settings for persistent network connections, plus information for recently
used resources, including documents, Find Computer results, installation
locations for setup, and printer ports.
· Application settings (for applications that can write directly to the
Windows 95 Registry), including settings for the accessories and applications
installed with Windows 95, menu and toolbar configurations, fonts, and so on.
Each user profile includes several parts: a USER.DAT file, a backup USER.DA0
file, a Desktop folder, a Recent folder, and a Start Menu folder, plus the
Programs folder under Start Menu. These folders are in the directories for
each user, which are in the Windows Profiles directory, as shown in the
following illustration.

When user profiles are enabled, users get their own configuration when they
log on to a computer. Users can define their own preferences by customizing
their desktops. Alternatively, you can define a standard user profile for use
across the network or for a set of specific users.
Each user’s preferences are saved to a user profile that Windows 95 uses to
configure the desktop each time that user logs on. When a second user logs on
to the same computer with a different user name, Windows 95 creates a separate
user profile for that user. A roving user’s profile is stored on a network
server and downloaded to any computer on the network to which the user logs
on. This occurs automatically on a NetWare and a Windows NT network. However,
although Windows 95 offers the ability for roving users to move from one
computer running Windows 95 to another, it does not offer the ability to move
between a computer running Windows NT and one running Windows 95.

Important  Although a user profile is based on the USER.DAT file that makes up
part of the Windows 95 Registry, this file cannot be edited with a text
editor. To define and manage user profiles, you must use the Windows 95 tools
such as Control Panel for setting configuration options, and perform the
procedures described in the following sections.

In the PROFILES subdirectory of the Windows directory, a folder is created for
each user who has a profile on that computer. Each of these folders contains
the following:
· A USER.DAT file that contains the user portion of the Registry
· A USER.DA0 file that contains the backup for USER.DAT
· A Desktop folder that contains the contents of Desktop
· A Recent folder that contains the contents of the Documents option on the
Start menu
· A Start Menu folder that contains the contents of the Start menu, and
includes the Programs folder

How Do User Profiles Work?

Each time the user logs on to a computer, Windows 95 searches the Registry
under the following key to determine whether the user has a local profile:

Hkey_Local_Machine\Software\Microsoft\Windows\Current Version\Profile List

Windows 95 also checks for the user profile in the user’s home directory on
the server. If the user profile on the server is the most current, Windows 95
copies it to the local computer for use during the current session, and then
it loads the settings in this local copy into the Registry. If no local user
profile exists, Windows 95 copies the server version to the local computer.
If no profile is found, Windows 95 creates a new user profile on the local
computer using default settings. If the user doesn’t log on, then Windows 95
automatically uses the default user profile.

Both the local and network copies of the user profile are automatically
updated with current settings when the user logs off. If the user is logged on
at more than one computer at the same time, any changes made to the profile on
the computer where the user first logs off will be overwritten when the user
logs off the other computer. In other words, the last logoff is saved, and no
merging of changes occurs.

You can enable user profiles after Windows 95 is installed, either locally on
a single computer or for multiple computers. You can avoid having to go to each
computer to enable user profiles by creating a system policy that can be
downloaded automatically when the initial Windows 95 installation is complete.
For information about enabling user profiles centrally on multiple computers,
see System Policies Overview.

 To enable user profiles on a local computer after setup
1. In the Passwords option in Control Panel, click the User Profiles tab.
2. Click to select the option named Users Can Customize Their Preferences And
Desktop Settings.
3. Click the options you want under User Profile Settings. These options
describe what should be included as part of the user profile.
4. Shut down and restart the computer.

Tip  If you include desktop icons in your user profile, only the shortcuts
(icons that represent links) will be available when you log on to the network
from another computer. Actual files on your desktop are part of your local
user profile only.

 To disable user profiles on a local computer
· In the Passwords option in Control Panel, click the User Profiles tab. Make
sure the option named All Users Of This PC Use The Same Preferences And
Desktop Settings is selected.

Note  If an application is installed after user profiles are enabled with the
option to include the Start menu and Programs in the profile, only the user
who was logged on when the application was installed will have an entry for
that application on the Programs menu. Other users will have to create
shortcuts to the application on their Programs menus.

You can use user profiles with Windows 95 on a Windows NT network if the
computer is configured to use Client for Microsoft Networks.

Note  Windows 95 does not use the PROFILES directory on a Windows NT server;
that directory is used only for Windows NT profiles.

You can use user profiles with Windows 95 on a NetWare network if the
computer is configured to use Microsoft Client for NetWare Networks.  When a
user account is created on a NetWare server, a subdirectory of the MAIL
directory is automatically created for that user. Windows 95 uses this
directory to store user profiles.

 To set up user profiles for a Novell NetWare network
1. For each computer, make sure that user profiles are enabled, as described
in Enabling User Profiles.
2. In the Network option in Control Panel, make sure Client for NetWare
Networks is selected as the Primary Network Logon client.
3. Make sure each user has an established MAIL directory.
When the user logs off, Windows 95 automatically places an updated copy of the
user profile in the user’s assigned MAIL directory on the NetWare network, as
indicated in the following. (The user’s 8-digit ID can be determined by using
the NetWare SYSCON utility.)
\\preferred_server\sys\mail\user_id
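
The logon and logoff rules under "How Do User Profiles Work?" above, as an added example that is not part of the original messages or of Windows 95: a small Python model of one user logged on at two computers, showing that the last logoff replaces the first with no merging. The class names, computer names, settings and clock values are all constructed for illustration.

```python
# Toy model of the Windows 95 logon/logoff profile rules described above.
# Not Windows code: every name, setting and clock value here is constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class Profile:
    settings: Dict[str, str]
    saved_at: int  # logical clock value of the logoff that saved this copy

@dataclass
class Server:
    home: Dict[str, Profile] = field(default_factory=dict)  # user -> network copy

@dataclass
class Computer:
    name: str
    local: Dict[str, Profile] = field(default_factory=dict)  # user -> local copy
    session: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def logon(self, user: str, server: Server, defaults: Dict[str, str]) -> str:
        local, remote = self.local.get(user), server.home.get(user)
        if remote is not None and (local is None or remote.saved_at > local.saved_at):
            # No local copy, or the server copy is more current: copy it down.
            local, source = Profile(dict(remote.settings), remote.saved_at), "server"
        elif local is not None:
            source = "local"
        else:
            # No profile anywhere: create one locally from default settings.
            local, source = Profile(dict(defaults), 0), "default"
        self.local[user] = local
        self.session[user] = dict(local.settings)  # loaded into the Registry
        return source

    def change(self, user: str, key: str, value: str) -> None:
        self.session[user][key] = value

    def logoff(self, user: str, server: Server, now: int) -> None:
        # Local and network copies are both replaced whole; nothing is merged.
        settings = self.session.pop(user)
        self.local[user] = Profile(dict(settings), now)
        server.home[user] = Profile(dict(settings), now)

def concurrent_logoff_demo() -> Tuple[List[str], Dict[str, str]]:
    defaults = {"wallpaper": "(none)", "scheme": "Windows Standard"}
    server, pc_a, pc_b = Server(), Computer("LIB-01"), Computer("LIB-02")
    sources = [pc_a.logon("reader", server, defaults),
               pc_b.logon("reader", server, defaults)]
    pc_a.change("reader", "wallpaper", "clouds.bmp")
    pc_b.change("reader", "scheme", "High Contrast")
    pc_a.logoff("reader", server, now=1)  # first logoff
    pc_b.logoff("reader", server, now=2)  # last logoff wins
    sources.append(pc_a.logon("reader", server, defaults))  # local copy is stale
    return sources, pc_a.session["reader"]

if __name__ == "__main__":
    print(concurrent_logoff_demo())
```

The wallpaper change made on the first computer is gone at the next logon there, because the second computer's logoff replaced the whole network copy.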

***************

  I think this one will cost some money, but I've heard that it's used
  quite a bit on PCs.

  	Fortres
	http://www.fortres.com/

  Good luck!

  Gabe :-)
---------------------------------
GABE GANCARZ, Assistant Librarian
Glenbard East High School
Lombard, IL
gancarz at enteract.com


****************
Hope this helps!

mmhung
***************************************************************************
michael hung   ICQ=6638008
SKH Bishop Mok Sau Tseng Secondary School, Librarian
HK Professional Teachers' Union, Teacher-librarians' Group, Chairman

Jesus Christ, is the same Yesterday and Today and Forever. ~Hebrew 13:8
Homepage = http://www.school.net.hk/~mmhung/
michael email: mmhung at school.net.hk [or] mmhung at hknet.com
ida email: idachan2 at hknet.com                          ida & michael Hung
***************************************************************************

