Protecting Computers on small
WIN9x LANs or Standalone by using System Policies
by Terry King ...In The Woods In Vermont tking@together.net
02/12/2000 1.03
NOTE: Please
inform me of any problems or errors in this document.
Schools, Libraries and similar organizations often install simple low-cost
local area networks, typically using Ethernet and Windows 9x. There
may also be standalone machines, some with dial-up capability. Even
with reasonable supervision, often there are problems with users modifying
system settings such as displays, wallpaper, screen savers etc., and with
intentional tampering with system files.
Microsoft Networking provides a facility called System Policies that can limit
the changes a user can make to the system they are logged on to. It
is usually assumed that you will have a Windows NT server on your network
when using System Policies, but we have learned how to use System Policies
on a small network with ONLY WIN95 machines, and on standalone machines.
You can prevent users from accessing the Control Panel, Display settings,
DOS Prompt, Network Settings, etc. by setting up a System Policy file.
You can have different users with different logon names have different privileges.
STUDENT can be restricted, while LIBRARIAN can have complete access, for
example.
These instructions assume that you have installed a WINDOWS95 peer network,
and that you have enabled file sharing on your 'server' machine, and that
the network is functioning OK. Your original WIN95 install CD contains
the needed files for the following procedures.
OVERVIEW: To implement System Policies, you need to:
- Install System Policy Editor
on one machine
- Create a System Policy file
on that machine
- Configure the other machines
to use the System Policy file
STEP-BY-STEP:
SECTION 1: CREATING AND INSTALLING SYSTEM POLICIES
A: Define which computer will be the 'server'. This SHOULD be the most-secure
machine you have, hopefully in a staff-only area. It should have a password
known only to the staff. It will host the System Policy file, and be the ONLY
machine which can normally run the System Policy Editor.
B: Install the System Policy Editor on your server machine: (Insert WIN95
CD)
1. In the Add/Remove Programs option in Control Panel, click
the Windows Setup tab, and then click Have Disk.
2. In the Install From Disk dialog box, click Browse and specify
the ADMIN\APPTOOLS\POLEDIT directory on the WIN95 CD. Click OK, Then
OK again.
3. In the Have Disk dialog box, make sure System Policy Editor
is checked and then click Install. Then click OK to exit Add/Remove
Programs.
C. On your server machine, create a folder on C: called C:\POLICIES
1. (My Computer / C: / File / New / Folder) (Name the folder
POLICIES)
2. Right-Click on the folder, click Sharing
3. Click Shared As, set Share Name to POLICIES
4. Click Read Only, Click Apply, Click OK.
D. Run System Policy Editor:
( Start / Programs / Accessories / System Tools / System Policy Editor
)
1. Create a new Policy file: ( File / New )
2. You should see two icons: "Default User" and "Default Computer"
(You might want to set (View / Large Icons) to have it look cool.)
3. Add a User (Use toolbar Icon, or (Edit / Add User)). Name
it STUDENT
4. Add a User (Use toolbar Icon, or (Edit / Add User)). Name
it ADMIN
NOTE: These will have default Policies initially, that are unrestrictive.
5. SAVE (File / Save) MAKE SURE you navigate to C:\POLICIES,
and then name your Policy File, such as COMPLAB or LIBRARY, making it's function
clear. (If you get an error saving, you are probably saving it to the Desktop).
6. Leave System Policy Editor running if desired.
E. DEFINE the privileges different users on the network will have. Here's
how it works:
- ADMIN (Or 'LIBRARIAN' etc.)
will have full privileges and access to all tools
- DEFAULT is used when a user
logs on with a previously unknown name and password.
Privileges for DEFAULT should be
as restrictive as STUDENT.
- STUDENT Should have minimal
access to 'things that can be messed up' such as the Control Panel, Network
settings, Display settings etc.
- ???????? You can create
other 'classes' of users with different privileges. You might allow more-trusted
'Researchers' to access DOS prompts etc.
F. Try Out setting the privileges
of a User. Create a New User called TRYOUT.
(Later you can use (Edit / Remove) to get rid of it). Double
Click on the TRYOUT icon to see how policies are set. You will see 5
categories:
[ Control Panel / Desktop / Network / Shell / System ] each with
a plus-sign
next to it.
1. Click on the + next to Control Panel
2. Click on the + next to Display
3. Notice the entry Restrict Display Control Panel is GRAYED
OUT. This is important: There are THREE choices when clicking these
boxes, NOT TWO. Try it out by clicking: (Checked / Unchecked / Grayed
Out).
WHAT THIS MEANS: (Checked) : The policy will be implemented
at user logon.
(UnChecked) : The policy will be disabled at user logon.
(GrayedOut) : The policy will be unchanged from last user logon.
Use caution: See Windows95 Resource Kit book pp496 for details.
4. Check the box: Restrict Display Control Panel. Notice that
a box at the bottom of the Policy Editor has additional options you can check.
For this test, disable and hide all these controls, then Click OK.
5. Save the Policy File. Note it's exact name for later reference.
NOTE: Later we will discuss these policies in more detail, and
edit real working User Policies.
G. Configure Client Machines on the Network:
NOTE: You will need to be able to run System Policy Editor once at each
machine. It is best to make a diskette that you can bring to each machine.
The diskette must contain POLEDIT.EXE (from the C:\WINDOWS subdirectory)
and ADMIN.ADM (from the C:\WINDOWS\INF subdirectory). You can do this
easily by using (Start / Find / Files or Folders / POLEDIT.EXE) and then
Right-click on POLEDIT.EXE and (SendTo / 3« Floppy A: ). Repeat
for ADMIN.ADM The first time you Run System Policy Editor it will bring up
a box asking for a Profile file. Select ADMIN.ADM
NOTE: It would be a Good Idea to add CFGBACK.EXE to this diskette, and use
it to back up the Windows Registry on each machine BEFORE making these changes.
Now, Kid,
GO TO EACH MACHINE, where you must:
1. ENABLE USER PROFILES:
a. In the Passwords option in Control Panel, click User
Profiles
b. Click to select the option named Users Can Customize
Their Preferences and Desktop Settings.
c. Click BOTH User Profile settings (Desktop etc, and Start
Menu etc)
d. Click OK, then shut down and restart the computer.
e. Log on again; the computer will ask something like "Do
you want to retain your settings each time you log on?" Answer Yes.
2. CONFIGURE MACHINE FOR MANUAL DOWNLOADING OF SYSTEM POLICIES:
a. Run System Policy Editor from your diskette:
(Start / Run / Browse / A: / POLEDIT.EXE
/ OK )
b. In System Policy Editor, Click (File / Open Registry
/ Local Computer)
c. Double-Click Network, Double-Click Update, Click Remote
Update.
In Settings, select Update Mode = Manual
(Use specific path)
In Path For Manual Update, enter UNC
Path and Filename of the policy file you created earlier on your server
machine.
This is of the form: \\<YourServerName>\POLICIES\<PolicyFilename>
EXAMPLE:
\\LIBSERV\POLICIES\LIB_STUD.POL
SUGGESTION: Test that this is correct
ahead of time by going to a DOS Prompt and entering DIR \\LIBSERV\POLICIES
(Use your names. You should see your .POL file on your server).
d. Click (File / Save / Exit)
H. Now, let's try it out!
1. At the client machine, click:
(Start / Shutdown / Close All Programs and
Log On As a Different User)
2. In the Enter Network Password Dialog:
a. change User Name to: Tryout
b. Enter a new password: Suggestion: trypass
c. The computer will respond "You have not logged
on at this computer before. Would you like this computer to retain your individual
settings for use in the future..."? Click: Yes.
d. Try to change display settings (Right-Click open
desktop / Properties)
You should get a popup: "Your
system administrator disabled the Display Control Panel".
If this works, you have System Policies working!! Now,
all you have to do is create appropriate USERS and set their Policies.
SECTION 2: USER AND COMPUTER POLICY SETTINGS
System Policy Settings actually work by modifying settings in the Windows
95 Registry at the time a User logs on. The Win95 registry consists
of two parts: USER.DAT is the part affected by System Policy settings
for USERS. SYSTEM.DAT is the part affected by System Policy settings
for COMPUTERS.
The default settings you can change are defined in the template ADMIN.ADM
which should be adequate for almost any situation. Further information
on the internals of System Policies is in the book "Microsoft Windows 95
Resource Kit" which also includes a CD with various utilities and data.
Here, we will summarize the most obvious settings that seem appropriate for
controlling user machines in school or similar environments.
---------------------------------------------------------------------------
USER System Policy Settings: Are in 5 categories:
( Control Panel / Desktop
/ Network / Shell / System)
If checked, these allow partial or complete restriction of access to settings
CONTROL PANEL: Allows you to:
- Restrict Display Control Panel: screen settings,wallpaper, screen
saver etc.
- Restrictwork Control Panel: Identification page, Access Control
etc.
- Restrict Password Control Panel: Hide password, user profiles, admin.
etc.
- Restrict Printers Settings: Hide General/Details, disable add/delete
- Restrict System Control Panel: Hide Device Mgr/Profiles/File Sys/VM
etc.
DESKTOP SETTINGS: Can restrict user access to:
- Wallpaper name / Tile / Color Scheme
NETWORK SETTINGS: Can restrict user access to:
- File sharing / Print Sharing
SHELL SETTINGS: Can customize User's desktop by defining:
- Programs Folder / Desktop Icons / Startup / Network Neighborhood
/ Start
- Restrict: Run command / Settings / Taskbar settings / Find
command
- Hide: My Computer / Network Neighborhood / Desktop items
- Disable: Shut Down command / Saving of settings at exit
SYSTEM SETTINGS: Can restrict users access to:
- Registry Editor / Specific Windows applications / MSDOS Prompt
-----------------------------------------------------------------------------
COMPUTER System Policy Settings: Are in 2 categories: ( Network / System)
NETWORK SETTINGS:
- Access Control / Logon Banner / Microsoft and Netware Network setups
- Passwords / Dial-Up / Sharing / System Policy updates
SYSTEM SETTINGS:
- Enable User Profiles / Paths to Windows Setup
- Run / Run Once / Run Services
RECOMMENDED RESTRICTIONS / SETTINGS:
-----------------------------------
These are the restrictions and settings we are currently using for Students
in a K-8 school in rural Vermont (Available for download as LIB_STUD.POL):
CONTROL PANEL:
- Disable Display Control Panel completely
- Disable Network Control Panel completely
- Disable Passwords Control Panel completely
- Disable Addition / Deletion of Printers (Show General/Details pages)
- Hide all of System Control Panel
DESKTOP: - Preset specific Wallpaper and Color Scheme
NETWORK: - Disable File and Print Sharing
SHELL: - No Custom Folders. Restrict access
to:
- Run and Find commands, Settings for Programs / Taskbar
- Hide Network Neighborhood. NOTE: This does not disable network settings,
logged drives, etc. that were previously set up.
- Do NOT save settings at exit.
SYSTEM: Restrict access to: Registry Editor / DOS Prompt / Single MODE
DOS Apps
MISCELLANEOUS NOTES:
1. If a Username that existed prior to setting up System Policies has NO PASSWORD
(Any password will work), delete or rename the users .PWL file in C:\WINDOWS
and the next time they logon they can enter a password that will be effective.
2. To prevent a determined person from rebooting a system with a diskette,
if possible, set the computers BIOS Setup to boot only from C:, or
"C: followed by A:". THEN set the BIOS Password so Setup can't be messed
with. Now, a person with minimal priviledges can not:
a. Reboot the system from diskette
b. RUN programs from diskette
c. Modify any important system settings or delete any system
files.
--------------------------------------------------------------------------
Protecting a STANDALONE WIN95 Computer using System Policies
Sometimes you have a computer that is NOT connected to a LAN which needs to
be protected against changes and tampering. System policies can be made to
work on a standalone computer, and have different users with different priviledges.
You can restrict access to Dial-Up networking, for example. The same methods
of setting up a System Policy file detailed above apply here also.
And you can COPY an existing System Policy file to the standalone machine(s)
that you have already set up the way you want it.
So, Step-By-Step:
A. ENABLE USER PROFILES:
a. In the Passwords option in Control Panel, click User Profiles
b. Click to select the option named Users Can Customize Their Preferences
and Desktop Settings.
c. Click BOTH User Profile settings (Desktop etc, and Start Menu etc)
d. Click OK, then shut down and restart the computer.
e. Log on again; the computer will ask something like "Do you want
to retain your settings each time you log on?" Answer Yes.
B. Create a folder called C:\POLICIES (as above)
C. Either:
1. Copy an existing System Policy file into C:\POLICIES , or
2. Run POLEDIT.EXE from the diskette (as above), and create a new
System Policy File. Save it in C:\POLICIES with the .POL extension.
Note the exact name. Example: C:\POLICIES\DIALUP1.POL
D. Set up the machine to run a Local System Policy file:
1. Run POLEDIT.EXE from diskette
2. Click ( File / Open Registry )
3. Double-Click Local Computer, Double-Click Network, Double-Click
Update
4. Click Remote Update, Set Mode to be Manual (Use Specific Path)
5. In the Path box, enter your System Policy path and filename
EXAMPLE: C:\POLICIES\DIALUP1.POL
6. Click OK
7. Click ( File / Save )
8. Exit System Policy Editor.
9. Restart Windows95
E. Log on as each USER you defined in the System Policy file. Get the passwords
right! In Between each logon you do:
( Start / ShutDown / Close all programs and log on as a different
User )
At this point, the system should provide different priviledges for the different
users.
Downloads:
Maximum.pol: contains suggested policies for
maximum network and desktop security.
Standard.pol contains suggested policies
for moderate network and desktop security.
Lib_Stud.pol is the policy file used in
these examples.
You can load the .POL files in System Policy Editor to view and change contents.
To implement the custom settings specified in
the STANDARD.POL policy file, you must replace the placeholders for custom
folders with the correct UNC path names for the network
location that contains your custom folders for Programs, Startup, Network
Neighborhood, and Start Menu.
For more information about policies and System Policy Editor, see the System
Policies information in the Windows 95 Resource Kit.
--------------------------------------------------------------------------
Please send comments, updates, problems, suggestions to: tking@together.net