One Approach to Managing Workstations by Jim Fuller
and David Brown
(or ... "How to protect your workstations from 'fiddlers'.")
(With additional suggestions from a number of people at the bottom of this document.)
Outlined below is one strategy for 'locking' up your workstations to overcome the inherent desire of kids to 'play' with your computer's settings. This article is aimed at schools, but it also has significance for parents who are frustrated at finding new backgrounds, wallpapers and screen savers every time they turn on the family computer.
I have had considerable experience with an Australian security product from PC Plus Systems called "PC Lockout". It is ideal for school use and will lock up your computer while still providing the standard Windows interface. Students are able to change all sorts of settings and even (as far as they are concerned) erase files. All of these changes revert to the original as soon as the "master" password holder logs on. Lockout allows one directory to be nominated where users can save and modify their files. All other directories and actions are out of bounds. Lockout costs $500 for a site license and $5 per station from then on. For most schools with more than 20 or so computers it is the ideal way to go.
If Lockout is so good, why this article?? - Unfortunately Lockout doesn't like some configurations of older machines. We are currently in the process of upgrading a couple of labs of IBM Valuepoint computers from Windows 3.11 to Windows95 (thanks to the new EDWA licensing agreement). Lockout definitely doesn't like the Valuepoints! The other consideration for smaller schools may perhaps be cost. Almost a thousand dollars appears to be a large outlay for security software, but wait until you've spent a few months fixing up systems that have been 'tampered' with and you'll quickly change your perspective!
Some Background about Policy Editor
Windows 9x has a feature called "policies" which can be set to restrict a variety of actions such as accessing the Control Panel, changing wallpaper, accessing the DOS prompt, changing network settings, etc, etc. (Previous versions of Windows allowed this sort of control using statements in PROGMAN.INI.) Policies may be set for individual users, or the system itself. Policies are changed using a utility called POLEDIT.EXE. Because of its potential power, Poledit is not automatically installed on a computer as part of the Windows 9x installation. You will need to locate it on your CD and transfer all the files in the Poledit directory to a floppy disk for convenience.
Using Poledit:
STEP 1 Launch Poledit by double-clicking its icon.

The System Policy Editor window will appear. (The first time you launch Poledit you will need to nominate admin.adm as your default administration file.)

STEP 2 Go to File/Open Registry from the menu bar.

The Local User and Local Computer icons appear within the Editor window...

It is unlikely you will want to change anything in the Local Computer settings. We will be concerned with the Local User only, in the following pages.
STEP 3 Double-click the Local User icon to open its Properties window...

STEP 4 Click on the 'plus' sign next to each property to expose the associated property 'check boxes'. Placing a 'tick' in a box activates that property. In the example below, the Wallpaper and Color scheme are 'set' by Poledit. In this example the Color scheme has been set to "Windows Default" in the drop-down box. The Wallpaper can also be set to a specific file using a similar drop-down box that appears when the Wallpaper property is selected. It should be noted however that this does NOT mean that these features are 'locked' and cannot be changed by the user. It gets just a little more complicated. For the full story, read on ...

STEP 6 Continue working your way through the Properties check boxes until you have set all the properties you want to restrict. Click OK and then save your changes through File/Save. Exit Poledit. Your changes are automatically saved into the Windows directory as a file called USER.DAT.
What Have you Just Done?
Depending on what you restricted the user will no longer have access to some of the 'normal' Windows9x features. If you restricted access to Control Panel for example, the user (including you) will no longer be able to access the Control Panel icon unless they use Windows Explorer. If you restricted access to DOS, the user will no longer be able to shell to the DOS prompt, and so on. It is important to understand that your changes don't actually 'lock' the user out of your system (as does software like PC Lockout). They are still able to make many changes, but generally they will need to follow a more indirect pathway to do it.
Now the Real Protection ...
In the past when using Windows 3.11, we adopted the technique of copying all the important windows settings from the Windows directory into a temporary directory and then copying them back into the Windows directory using AUTOEXEC.BAT at startup. This way, any changes made by students in a previous session were 'over-written' at startup and the system reverted to its original appearance. In Windows 3.11 the significant files are all the ".INI", ".CFG" and ".GRP" files. In principle, the same approach can be used with Windows9x using the USER.DAT file that you modified in the steps outlined above. We called our temporary directory "INIBACK". For this document the same convention will be used, but you could choose any name you wished.
STEP 1 Modify USER.DAT using Poledit as outlined above.
STEP 2 Copy the modified USER.DAT file into C:\INIBACK
STEP 3 Create an AUTOEXEC.BAT file including the line: copy c:\iniback\user.dat c:\windows
... and that's all there is to it!! When your system restarts any changes made by the user (well some of them anyway) will be over-written by your backup user.dat file.
Unfortunately that's not quite all there is to it, but we're close!! The file user.dat is a VERY important file and is protected against accidental (and intentional) tampering by setting its file "attributes" as a hidden, system, read-only archive file. This is why you will not usually be able to see user.dat using Windows Explorer. You can't delete it and you certainly can't 'replace' it in the way we want to unless you change its attributes.
The steps therefore become ...
STEP 1 Modify USER.DAT using Poledit as outlined above.
STEP 2 Create a directory called c:\iniback and copy the modified USER.DAT file into C:\INIBACK (This may require you to change the setting in Windows Explorer so that you can 'view' system and hidden files.)
STEP 3 Create an autoexec.bat file where you first change the attributes of the user.dat file in the Windows and Iniback directories so that they can be manipulated, copy the backup file from Iniback into the Windows directory and then change the attributes of the user.dat file in the Windows and Iniback directories back to what they were so that they are again protected.
A typical autoexec.bat file to do this would be:
ATTRIB C:\INIBACK\USER.DAT -a -h -r -s
ATTRIB C:\WINDOWS\USER.DAT -a -h -r -s
COPY C:\INIBACK\USER.DAT C:\WINDOWS
ATTRIB C:\INIBACK\USER.DAT +a +h +r +s
ATTRIB C:\WINDOWS\USER.DAT +a +h +r +s
Copy your autoexec.bat file and user.dat onto a floppy and you can automate the process of setting up multiple machines with a 'batch' file on a floppy disk such as:
(I usually call it something simple like: GO.BAT)
md c:\iniback
copy a:\user.dat c:\iniback
copy a:\autoexec.bat c:\
Sit down at each machine, insert the floppy, type GO, press Enter, restart the computer and it's all done!!
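One weakness of the plain five-line AUTOEXEC.BAT is that it strips the protection from the live USER.DAT before it knows whether the backup copy is actually there; if C:\INIBACK\USER.DAT is missing (a forgotten GO.BAT run, a deleted directory), the COPY just fails and the machine boots with an unprotected, unrestored policy file. The following AUTOEXEC.BAT is an added example, not the authors' own file: it makes the backup visible first, stops if it is absent, and confirms the live file is present before hiding it again. The directory name INIBACK follows the article's convention; the label names and messages are our own.

```batch
@ECHO OFF
REM Added example (not the authors' AUTOEXEC.BAT): restore the policy file at
REM startup only when the protected backup in C:\INIBACK is actually present.
REM Make the backup visible first; IF EXIST may not see a hidden/system file,
REM and ATTRIB simply reports "File not found" if the backup is missing.
ATTRIB C:\INIBACK\USER.DAT -a -h -r -s
IF NOT EXIST C:\INIBACK\USER.DAT GOTO NOBACKUP
REM Backup is present: drop the protection on the live file so COPY may overwrite it
ATTRIB C:\WINDOWS\USER.DAT -a -h -r -s
COPY C:\INIBACK\USER.DAT C:\WINDOWS > NUL
REM Check the live file is there before re-protecting (done while it is still visible)
IF NOT EXIST C:\WINDOWS\USER.DAT GOTO NOUSERDAT
ATTRIB C:\WINDOWS\USER.DAT +a +h +r +s
ATTRIB C:\INIBACK\USER.DAT +a +h +r +s
GOTO DONE
:NOBACKUP
REM The live USER.DAT was never touched, so nothing needs to be put back
ECHO C:\INIBACK\USER.DAT is missing - the policy file was NOT restored this boot
PAUSE
GOTO DONE
:NOUSERDAT
REM COPY failed and the live file is gone: Windows will not start cleanly
ECHO C:\WINDOWS\USER.DAT is missing - use the startup disk to recover before use
ATTRIB C:\INIBACK\USER.DAT +a +h +r +s
PAUSE
:DONE
```

The PAUSE on either failure path keeps the message on screen before the Windows logo covers it, so whoever restarts the machine knows the protection was not applied. Deploy it with the same GO.BAT as above; the only change is which AUTOEXEC.BAT is on the floppy.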
Good Luck,
Jim Fuller and David Brown (Computing Department Mandurah SHS)
jfuller@southwest.com.au
Some additional comments from Mike Leishman of Newman College ...
(Based on recommendations posted on the Microsoft Site.)
An alternate solution is to run the Emergency Rescue Utility (on the Windows 95 CD) and then when the machine gets a bit messy, just run the recovery program which restores all major system files.
As well, the msdos.sys file should be modified to prevent kids pressing F8 on start-up. It is the same as the switches command in Windows 3.x (See below.) Also remember to activate the BIOS password before the kids do!
More information - such as the Windows 95 and 98 resource kit - can be found at http://msdn.microsoft.com/library/default.htm
MSDOS.SYS - Special Startup Values:
Windows 95 Setup creates a hidden, read-only system file named MSDOS.SYS in the root of the computer's boot drive. This file contains important paths used to locate other Windows files, including the Registry. MSDOS.SYS also supports an [Options] section, which you can add to tailor the startup process.
The following example shows a typical file with default values:
[Options]
BootGUI=1
[Paths]
WinDir=C:\WINDOWS
WinBootDir=C:\WINDOWS
HostWinBootDrv=C
Most values in the [Options] section are Boolean - that is, the value can be 1 (enabled) or 0 (disabled). The following describes entries in MSDOS.SYS, using the typical default values.
MSDOS.SYS Values:
[Paths] section:
HostWinBootDrv=c
Defines the location of the boot drive root directory.
WinBootDir=
Defines the location of the necessary startup files. The default is the directory specified during Setup; for example, C:\WINDOWS.
WinDir=
Defines the location of the Windows 95 directory as specified during Setup.
[Options] section:
BootKeys=
Enables the startup option keys (that is, F5, F6, and F8). The default is 1. Setting this value to 0 overrides the value of BootDelay=n and prevents any startup keys from functioning. This setting allows system administrators to configure more secure systems. (The suggestion is to set it to 0).
WARNING: In the event of Win95 startup failure, a Win95 or Win98 startup disk (made with "add/remove programs" in control panel) with a DOS text editor is needed to change it back to 1 so the administrator can press F8 on startup to get to DOS or safe mode.
BootDelay=n
Sets the initial startup delay to n seconds. The default is 2. BootKeys=0 disables the delay. The only purpose of the delay is to give the user sufficient time to press F8 after the Starting Windows message appears.
BootFailSafe=
Enables Safe Mode for system startup. The default is 0. (This setting is enabled typically by equipment manufacturers for installation.)
BootGUI=
Enables automatic graphical startup into Windows 95. The default is 1.
BootMenu=
Enables automatic display of the Windows 95 Startup menu, so that the user must press F8 to see the menu. The default is 0. Setting this value to 1 eliminates the need to press F8 to see the menu.
BootMenuDefault=#
Sets the default menu item on the Windows Startup menu; the default is 3 for a computer with no networking components, and 4 for a networked computer.
BootMenuDelay=#
Sets the number of seconds to display the Windows Startup menu before running the default menu item. The default is 30.
BootMulti=
Enables dual-boot capabilities. The default is 0. Setting this value to 1 enables the ability to start MS-DOS by pressing F4 or by pressing F8 to use the Windows Startup menu.
BootWarn=
Enables the Safe Mode startup warning. The default is 1.
BootWin=
Enables Windows 95 as the default operating system. Setting this value to 0 disables Windows 95 as the default; this is useful only with MS-DOS version 5 or 6.x on the computer. The default is 1.
DblSpace=
Enables automatic loading of DBLSPACE.BIN. The default is 1.
DoubleBuffer=
Enables loading of a double-buffering driver for a SCSI controller. The default is 0. Setting this value to 1 enables double-buffering, if required by the SCSI controller.
DrvSpace=
Enables automatic loading of DRVSPACE.BIN. The default is 1.
LoadTop=
Enables loading of COMMAND.COM or DRVSPACE.BIN at the top of 640K memory. The default is 1. Set this value to 0 with Novell® NetWare® or any software that makes assumptions about what is used in specific memory areas.
Logo=
Enables display of the animated logo. The default is 1. Setting this value to 0 also avoids hooking a variety of interrupts that can create incompatibilities with certain memory managers from other vendors.
Network=
Enables Safe Mode With Networking as a menu option. The default is 1 for computers with networking installed. This value should be 0 if network software components are not installed.
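Because MSDOS.SYS is hidden and read-only, it is easy to lose track of which lab machines have actually had BootKeys=0 applied. The batch file below is an added example (not from the article or from Microsoft) that only reads the file and reports whether the startup keys are still enabled; it changes nothing. It relies on DOS FIND setting errorlevel 0 when the string is found, 1 when it is not, and 2 when the file cannot be opened, and it assumes the boot drive is C: as in the typical file above. The match is a plain substring search for "BootKeys=0", so a line such as BootKeys=1 or a missing entry both count as "still enabled", which is the right answer in both cases.

```batch
@ECHO OFF
REM Added example (not the authors' or Microsoft's): audit MSDOS.SYS for BootKeys=0.
REM A hidden/system file can still be read by name, so no ATTRIB change is needed.
REM FIND: errorlevel 0 = string found, 1 = not found, 2 = file could not be read.
FIND /I "BootKeys=0" C:\MSDOS.SYS > NUL
REM IF ERRORLEVEL n is true for any value >= n, so test the larger value first
IF ERRORLEVEL 2 GOTO NOFILE
IF ERRORLEVEL 1 GOTO KEYSON
ECHO MSDOS.SYS: BootKeys=0 is set - F5/F6/F8 are disabled at startup
GOTO DONE
:KEYSON
ECHO MSDOS.SYS: BootKeys=0 is NOT set - F8 still reaches the startup menu
ECHO Add BootKeys=0 to the [Options] section (make a startup disk first)
GOTO DONE
:NOFILE
ECHO C:\MSDOS.SYS could not be read - is C: the boot drive?
:DONE
```

Put it on the same floppy as GO.BAT and run it on each machine after the lab has been set up; it can also be called from AUTOEXEC.BAT so the message shows at every boot until the setting is corrected.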
And someone else's approach .... regbak.zip (With thanks to Garry for the information.)
And from John Agostinelli from Churchlands High School: " ... another consideration is to "ghost" ie make an image copy of a clean workstation and when idle hands have made modifications then format c: and copy the image back on. There are different versions that will enable multi ghosting and one that will create unique sids for NT machines. Of course you will lose any local information on the workstation."
And from Geoff Taylor ...
Disabling the ability to see Hidden Files under Win95/98
========================================================
If you hide or write protect files under win95/98, then this takes away the ability to change these attributes.
It involves a registry change as follows...
Removing the Advanced keys disables the functions...
This affects all explorer instances
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden
\NOHIDDEN
\NOHIDORSYS
\SHOWALL
Removing the key removes the item.
This one removes the function on the start but not the view menu.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
[NoFolderOptions]
\NoFolderOptions