Protecting Computers on small WIN95 LANs or Standalone by using System Policies

Protecting Computers on small WIN9x LANs or Standalone by using System Policies

by Terry King ...In The Woods In Vermont tking@together.net 02/12/2000 1.03
NOTE: Please inform me of any problems or errors in this document.

Schools, Libraries and similar organizations often install simple low-cost local area networks, typically using Ethernet and Windows 9x. There may also be standalone machines, some with dial-up capability. Even with reasonable supervision, often there are problems with users modifying system settings such as displays, wallpaper, screen savers etc., and with intentional tampering with system files.

Microsoft Networking provides a facility called System Policies that can limit the changes a user can make to the system they are logged on to. It is usually assumed that you will have a Windows NT server on your network when using System Policies, but we have learned how to use System Policies on a small network with ONLY WIN95 machines, and on standalone machines. You can prevent users from accessing the Control Panel, Display settings, DOS Prompt, Network Settings, etc. by setting up a System Policy file. You can have different users with different logon names have different privileges. STUDENT can be restricted, while LIBRARIAN can have complete access, for example.

These instructions assume that you have installed a WINDOWS95 peer network, and that you have enabled file sharing on your 'server' machine, and that the network is functioning OK. Your original WIN95 install CD contains the needed files for the following procedures.

OVERVIEW: To implement System Policies, you need to:

Install System Policy Editor on one machine
Create a System Policy file on that machine
Configure the other machines to use the System Policy file

STEP-BY-STEP:
SECTION 1: CREATING AND INSTALLING SYSTEM POLICIES

A: Define which computer will be the 'server'. This SHOULD be the most-secure machine you have, hopefully in a staff-only area. It should have a password known only to the staff. It will host the System Policy file, and be the ONLY machine which can normally run the System Policy Editor.

B: Install the System Policy Editor on your server machine: (Insert WIN95 CD)
   1. In the Add/Remove Programs option in Control Panel, click the Windows Setup tab, and then click Have Disk.
   2. In the Install From Disk dialog box, click Browse and specify the ADMIN\APPTOOLS\POLEDIT directory on the WIN95 CD. Click OK, Then OK again.
   3. In the Have Disk dialog box, make sure System Policy Editor is checked and then click Install. Then click OK to exit Add/Remove Programs.

C. On your server machine, create a folder on C: called C:\POLICIES
   1. (My Computer / C: / File / New / Folder) (Name the folder POLICIES)
   2. Right-Click on the folder, click Sharing
   3. Click Shared As, set Share Name to POLICIES
   4. Click Read Only, Click Apply, Click OK.

D. Run System Policy Editor:
( Start / Programs / Accessories / System Tools / System Policy Editor )
   1. Create a new Policy file: ( File / New )
   2. You should see two icons: "Default User" and "Default Computer" (You might want to set (View / Large Icons) to have it look cool.)
   3. Add a User (Use toolbar Icon, or (Edit / Add User)). Name it STUDENT
   4. Add a User (Use toolbar Icon, or (Edit / Add User)). Name it ADMIN
   NOTE: These will have default Policies initially, that are unrestrictive.
   5. SAVE (File / Save) MAKE SURE you navigate to C:\POLICIES, and then name your Policy File, such as COMPLAB or LIBRARY, making it's function clear. (If you get an error saving, you are probably saving it to the Desktop).
   6. Leave System Policy Editor running if desired.

E. DEFINE the privileges different users on the network will have. Here's how it works:

ADMIN (Or 'LIBRARIAN' etc.) will have full privileges and access to all tools

DEFAULT is used when a user logs on with a previously unknown name and password.

Privileges for DEFAULT should be as restrictive as STUDENT.

STUDENT Should have minimal access to 'things that can be messed up' such as the Control Panel, Network settings, Display settings etc.

???????? You can create other 'classes' of users with different privileges. You might allow more-trusted 'Researchers' to access DOS prompts etc.

F. Try Out setting the privileges of a User. Create a New User called TRYOUT.

(Later you can use (Edit / Remove) to get rid of it). Double Click on the TRYOUT icon to see how policies are set. You will see 5 categories:

   [ Control Panel / Desktop / Network / Shell / System ] each with a plus-sign
      next to it.
   1. Click on the + next to Control Panel
   2. Click on the + next to Display
   3. Notice the entry Restrict Display Control Panel is GRAYED OUT. This is important: There are THREE choices when clicking these boxes, NOT TWO. Try it out by clicking: (Checked / Unchecked / Grayed Out).
   WHAT THIS MEANS: (Checked)   : The policy will be implemented at user logon.
                    (UnChecked) : The policy will be disabled    at user logon.
               (GrayedOut) : The policy will be unchanged from last user logon.
                Use caution: See Windows95 Resource Kit book pp496 for details.
   4. Check the box: Restrict Display Control Panel. Notice that a box at the bottom of the Policy Editor has additional options you can check. For this test, disable and hide all these controls, then Click OK.
   5. Save the Policy File. Note it's exact name for later reference.

   NOTE: Later we will discuss these policies in more detail, and edit real working User Policies.

G. Configure Client Machines on the Network:

NOTE: You will need to be able to run System Policy Editor once at each machine. It is best to make a diskette that you can bring to each machine. The diskette must contain POLEDIT.EXE (from the C:\WINDOWS subdirectory) and ADMIN.ADM (from the C:\WINDOWS\INF subdirectory). You can do this easily by using (Start / Find / Files or Folders / POLEDIT.EXE) and then Right-click on POLEDIT.EXE and (SendTo / 3« Floppy A: ). Repeat for ADMIN.ADM The first time you Run System Policy Editor it will bring up a box asking for a Profile file. Select ADMIN.ADM

NOTE: It would be a Good Idea to add CFGBACK.EXE to this diskette, and use it to back up the Windows Registry on each machine BEFORE making these changes.

Now, Kid,

GO TO EACH MACHINE, where you must:

1. ENABLE USER PROFILES:
    a. In the Passwords option in Control Panel, click User Profiles
    b. Click to select the option named Users Can Customize Their Preferences and Desktop Settings.
    c. Click BOTH User Profile settings (Desktop etc, and Start Menu etc)
    d. Click OK, then shut down and restart the computer.
    e. Log on again; the computer will ask something like "Do you want to retain your settings each time you log on?" Answer Yes.

2. CONFIGURE MACHINE FOR MANUAL DOWNLOADING OF SYSTEM POLICIES:
    a. Run System Policy Editor from your diskette:
       (Start / Run / Browse / A: / POLEDIT.EXE / OK )
    b. In System Policy Editor, Click (File / Open Registry / Local Computer)
    c. Double-Click Network, Double-Click Update, Click Remote Update.
       In Settings, select Update Mode = Manual (Use specific path)
       In Path For Manual Update, enter UNC Path and Filename of the policy file you created earlier on your server machine.
       This is of the form: \\<YourServerName>\POLICIES\<PolicyFilename>
       EXAMPLE:              \\LIBSERV\POLICIES\LIB_STUD.POL
       SUGGESTION: Test that this is correct ahead of time by going to a DOS Prompt and entering DIR \\LIBSERV\POLICIES (Use your names. You should see your .POL file on your server).
    d. Click (File / Save / Exit)

H. Now, let's try it out!

   1. At the client machine, click:
      (Start / Shutdown / Close All Programs and Log On As a Different User)
   2. In the Enter Network Password Dialog:
     a. change User Name to: Tryout
     b. Enter a new password: Suggestion: trypass
     c. The computer will respond "You have not logged on at this computer before. Would you like this computer to retain your individual settings for use in the future..."? Click: Yes.
     d. Try to change display settings (Right-Click open desktop / Properties)
        You should get a popup: "Your system administrator disabled the Display Control Panel".

    If this works, you have System Policies working!! Now, all you have to do is create appropriate USERS and set their Policies.

SECTION 2: USER AND COMPUTER POLICY SETTINGS

System Policy Settings actually work by modifying settings in the Windows 95 Registry at the time a User logs on. The Win95 registry consists of two parts: USER.DAT is the part affected by System Policy settings for USERS. SYSTEM.DAT is the part affected by System Policy settings for COMPUTERS.

The default settings you can change are defined in the template ADMIN.ADM which should be adequate for almost any situation. Further information on the internals of System Policies is in the book "Microsoft Windows 95 Resource Kit" which also includes a CD with various utilities and data. Here, we will summarize the most obvious settings that seem appropriate for controlling user machines in school or similar environments.

---------------------------------------------------------------------------
USER System Policy Settings: Are in 5 categories:
        ( Control Panel / Desktop / Network / Shell / System)

If checked, these allow partial or complete restriction of access to settings

CONTROL PANEL: Allows you to:
- Restrict Display Control Panel: screen settings,wallpaper, screen saver etc.
- Restrictwork Control Panel: Identification page, Access Control etc.
- Restrict Password Control Panel: Hide password, user profiles, admin. etc.
- Restrict Printers Settings: Hide General/Details, disable add/delete
- Restrict System Control Panel: Hide Device Mgr/Profiles/File Sys/VM etc.

DESKTOP SETTINGS: Can restrict user access to:
- Wallpaper name / Tile / Color Scheme

NETWORK SETTINGS: Can restrict user access to:
- File sharing / Print Sharing

SHELL SETTINGS: Can customize User's desktop by defining:
- Programs Folder / Desktop Icons / Startup / Network Neighborhood / Start
- Restrict: Run command / Settings / Taskbar settings / Find command
- Hide: My Computer / Network Neighborhood / Desktop items
- Disable: Shut Down command / Saving of settings at exit

SYSTEM SETTINGS: Can restrict users access to:
- Registry Editor / Specific Windows applications / MSDOS Prompt

-----------------------------------------------------------------------------
COMPUTER System Policy Settings: Are in 2 categories: ( Network / System)

NETWORK SETTINGS:
- Access Control / Logon Banner / Microsoft and Netware Network setups
- Passwords / Dial-Up / Sharing / System Policy updates

SYSTEM SETTINGS:
- Enable User Profiles / Paths to Windows Setup
- Run / Run Once / Run Services

RECOMMENDED RESTRICTIONS / SETTINGS:
-----------------------------------
These are the restrictions and settings we are currently using for Students in a K-8 school in rural Vermont (Available for download as LIB_STUD.POL):

CONTROL PANEL:
- Disable Display Control Panel completely
- Disable Network Control Panel completely
- Disable Passwords Control Panel completely
- Disable Addition / Deletion of Printers (Show General/Details pages)
- Hide all of System Control Panel

DESKTOP: - Preset specific Wallpaper and Color Scheme

NETWORK: - Disable File and Print Sharing

SHELL:    - No Custom Folders. Restrict access to:
- Run and Find commands, Settings for Programs / Taskbar
- Hide Network Neighborhood. NOTE: This does not disable network settings,
    logged drives, etc. that were previously set up.
- Do NOT save settings at exit.

SYSTEM: Restrict access to: Registry Editor / DOS Prompt / Single MODE DOS Apps

MISCELLANEOUS NOTES:

1. If a Username that existed prior to setting up System Policies has NO PASSWORD (Any password will work), delete or rename the users .PWL file in C:\WINDOWS and the next time they logon they can enter a password that will be effective.

2. To prevent a determined person from rebooting a system with a diskette, if possible, set the computers BIOS Setup to boot only from C:, or "C: followed by A:". THEN set the BIOS Password so Setup can't be messed with. Now, a person with minimal priviledges can not:
   a. Reboot the system from diskette
   b. RUN programs from diskette
   c. Modify any important system settings or delete any system files.

--------------------------------------------------------------------------

Protecting a STANDALONE WIN95 Computer using System Policies

Sometimes you have a computer that is NOT connected to a LAN which needs to be protected against changes and tampering. System policies can be made to work on a standalone computer, and have different users with different priviledges. You can restrict access to Dial-Up networking, for example. The same methods of setting up a System Policy file detailed above apply here also. And you can COPY an existing System Policy file to the standalone machine(s) that you have already set up the way you want it.

So, Step-By-Step:

A. ENABLE USER PROFILES:
a. In the Passwords option in Control Panel, click User Profiles
b. Click to select the option named Users Can Customize Their Preferences and Desktop Settings.
c. Click BOTH User Profile settings (Desktop etc, and Start Menu etc)
d. Click OK, then shut down and restart the computer.
e. Log on again; the computer will ask something like "Do you want to retain your settings each time you log on?" Answer Yes.

B. Create a folder called C:\POLICIES (as above)

C. Either:
1. Copy an existing System Policy file into C:\POLICIES , or
2. Run POLEDIT.EXE from the diskette (as above), and create a new System Policy File. Save it in C:\POLICIES with the .POL extension. Note the exact name. Example: C:\POLICIES\DIALUP1.POL

D. Set up the machine to run a Local System Policy file:
1. Run POLEDIT.EXE from diskette
2. Click ( File / Open Registry )
3. Double-Click Local Computer, Double-Click Network, Double-Click Update
4. Click Remote Update, Set Mode to be Manual (Use Specific Path)
5. In the Path box, enter your System Policy path and filename
     EXAMPLE: C:\POLICIES\DIALUP1.POL
6. Click OK
7. Click ( File / Save )
8. Exit System Policy Editor.
9. Restart Windows95
E. Log on as each USER you defined in the System Policy file. Get the passwords right! In Between each logon you do:
   ( Start / ShutDown / Close all programs and log on as a different User )
At this point, the system should provide different priviledges for the different users.

Downloads:
Maximum.pol: contains suggested policies for maximum network and desktop security.
Standard.pol contains suggested policies for moderate network and desktop security.
Lib_Stud.pol is the policy file used in these examples.

You can load the .POL files in System Policy Editor to view and change contents. To implement the custom settings specified in
the STANDARD.POL policy file, you must replace the placeholders for custom folders with the correct UNC path names for the network
location that contains your custom folders for Programs, Startup, Network Neighborhood, and Start Menu.

For more information about policies and System Policy Editor, see the System Policies information in the Windows 95 Resource Kit.

--------------------------------------------------------------------------
Please send comments, updates, problems, suggestions to: tking@together.net