Windows 95 Security: The Basics

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

This chapter presents an overview of the security features provided with Windows 95 and describes how to use them in a networking environment.

You can use Windows 95 security to prevent unauthorized access to the network and to shared resources on computers in a network. The following security features are built into Windows 95.

Unified logon prompt.

With Windows 95, users can log on to all networks and Windows 95 at the same time. If a user's password for Windows 95 or for another network is the same as the password for the primary logon client, Windows 95 automatically logs the user on to Windows 95 and all networks using that password. For more information, see "Using the Windows 95 Logon Password " later in this chapter.

Windows 95 logon security.

With system policies, you can prevent users from logging on to Windows 95 if their Windows NT or Novell® NetWare® network logon is not validated. To require validation by a Windows NT domain controller or NetWare server before allowing access to Windows 95, you must use system policies to enable Require Validation By Network For Windows Access. For more information, see Chapter 15, "User Profiles and System Policies."

User-level or share-level security for peer resource sharing.

When a computer is running Windows 95 with File and Printer Sharing services, other users can connect to shared printers, volumes, directories, and CD-ROM drives on that computer. To protect these shared resources, Windows 95 provides user-level and share-level security. With user-level security, a user's request to access a shared resource is passed through to a security provider, a Windows NT or NetWare server, which grants or denies the request. With shared-level security, users assign passwords to their shared resources, and any user who can provide the correct password can access the shared resource.

Note: You can use user-level security without installing File and Printer Sharing services, such as when using the Remote Registry service.

Password caching.

When a user first types and saves a password when connecting to a password-protected resource, Windows 95 caches the password in the password list file. Logging on with a Windows 95 password unlocks the password list file and associates those passwords with the Windows 95 password. To the user, it seems as if the passwords for Windows 95 and for password-protected resources are the same. If password caching is disabled, users must type the password each time they connect to a password-protected resource.

Password List Editor.

This tool allows you to view and delete the contents of users' password list files.

Password controls in system policies.

You can use system policies to enforce a password policy with greater restrictions, including the following:

  • Disable password caching

  • Require alphanumeric Windows 95 logon password

  • Require minimum Windows 95 logon password length

Other system policies.

You can define policies to prevent users from enabling peer resource sharing services and to enforce other security components, such as preventing users from configuring system components. For more information, see Chapter 15, "User Profiles and System Policies." See also "Using System Policies to Enforce Password Security" later in this chapter.

On This Page

Windows 95 Security: The Issues
Windows 95 Network Security Overview
Setting Up Security for Shared Resources
Using Share-Level Security
Using User-Level Security
Using the Windows 95 Password Cache
Using Password List Editor
Using the Windows 95 Logon Password
Using Windows 95 with NetWare Passwords
Using System Policies to Enforce Password Security
Guidelines for Setting Password Policy

Windows 95 Security: The Issues

Before you integrate Windows 95 security into your network security model, you should consider the following issues:

  • What kind of logon security do you need? Do you want to require that users log on to Windows 95 and the network with the same password? Do you want to require alphanumeric or minimum-length passwords for the Windows 95 logon password? Do you want to require that users be validated by the network security provider before being able to log on to Windows 95?

    For both Windows NT and NetWare networks, you can use system policies to require validation by a Windows NT or NetWare server before allowing access to Windows 95 and to specify other Windows 95 password restrictions.

  • What kind of resource protection do you need on Microsoft networks? If you allow users to enable peer resource sharing, then you must decide whether users can protect those resources with share-level or user-level security. User-level security provides greater security because the network security provider must authenticate the user name and password before access to the resource is granted. (Share-level security is not available for File and Printer Sharing for NetWare Networks.)

  • What kinds of access rights will users have to resources protected by user-level security? You can specify the types of rights users or groups of users have to resources by setting Access Control properties in the Network option in Control Panel. For example, you can restrict other users to read-only access to files or give them read and write access to files.

  • How do you want to enable user-level security? You can enable security in a setup script, in the Network option in Control Panel, or in system policies. If you enable user-level security in either a setup script or in the Control Panel, then Remote Administration is enabled by default for domain administrators on a Windows NT network and for supervisors on a NetWare network.

  • Do you want to disable password caching for password-protected resources? You can use system policies to disable password caching and require users to type a password each time they access a password-protected resource.

  • Do you want users to be able to configure system components, their desktops, applications, or network connections in Control Panel? You can use system policies to restrict users' ability to configure components.

  • Do you need to control access to a computer's hard disk drive? Because Windows 95 uses network-based security instead of workstation security, an individual computer running Windows 95 is vulnerable to someone accessing data stored on the hard disk by starting the computer using Safe Mode or a floppy disk. If specific data requires greater levels of security, you should store critical files on a secure server. If computers require greater levels of security, Windows NT Workstation is recommended because it provides a means to protect resources on a hard disk based on a user's identity.

  • Do you need to prevent users from modifying computer settings or from running certain applications? To implement this type of security, you should use system policies as described in Chapter 15, "User Profiles and System Policies."

Windows 95 Network Security Overview

Windows 95 provides shared-level and user-level security for protecting shared resources on computers running Windows 95 with File and Printer Sharing services.

  • Share-level security protects shared network resources on the computer running Windows 95 with individually assigned passwords. For example, you can assign a password to a directory or a locally attached printer. If other users want to access it, they need to type in the appropriate password. If you do not assign a password to a shared resource, every user with access to the network can access that resource. (This option is not supported with File and Printer Sharing for NetWare Networks.)

  • Pass-through user-level security protects shared network resources by requiring that a security provider authenticate a user's request to access resources. The security provider, such as a Windows NT domain control or NetWare server, grants access to the shared resource by verifying that the user name and password are the same as those on the user account list stored on the network security provider. Because the security provider maintains a network-wide list of user accounts and passwords, each computer running Windows 95 does not have to store a list of accounts.

    Note: If you are running File and Printer Sharing for Microsoft Networks, the security provider must be the name of a Windows NT domain or Windows NT workstation. If you are running Microsoft File and Printer Sharing for NetWare Networks, the security provider must be either a NetWare server or a NetWare 4.x server running bindery emulation.

The following illustration shows how user-level security works on a computer running File and Printer Sharing service and Client for Microsoft Networks. The numbers are explained following the illustration.

Cc751093.rk14_03(en-us,TechNet.10).gif

  1. A user tries to access a shared resource protected by pass-through user-level security.

  2. A request is passed to the security provider to verify the user's identity.

  3. The security provider sends a verification to the computer running Windows 95 if the user name and password combination is valid.

  4. Windows 95 grants access to the shared resource, and gives permission to use the resource according to rights assigned to the user in Sharing properties for that Windows 95 resource. The user's rights are stored on the computer running Windows 95.

Planning and implementing security in a Windows 95 networking environment requires the following basic kinds of steps:

  • Defining user accounts on a network server or domain controller for user-level security. For more information, see the documentation for the software on the network security provider.

  • Installing File and Printer Sharing services and enabling user-level or share-level security. For more information, see Chapter 11, "Logon, Browsing, and Resource Sharing."

  • Defining access rights for resources protected by user-level security.

  • Making the Windows 95 logon password and network logon password the same, disabling password caching if you do not want this feature. For more information, see "Using the Windows 95 Password Cache" and "Using the Windows 95 Logon Password " later in this chapter.

  • Defining system policies to restrict users' ability to configure the system or shared resources, and to enforce password policies. For information, see Chapter 15, "User Profiles and System Policies."

Setting Up Security for Shared Resources

Before a user can share a resource on a computer running Windows 95, the computer must be configured for share-level or user-level security, and File and Printer Sharing services must be installed by using the Network option in Control Panel. Configuring share-level or user-level security is described briefly in the following sections, and in Chapter 11, "Logon, Browsing, and Resource Sharing."

Note: Share-level security is not available on computers running Microsoft File and Printer Sharing for NetWare.

To set up share-level security for a single computer

  1. Install File and Printer Sharing for Microsoft Networks, as described in Chapter 11, "Logon, Browsing, and Resource Sharing."

  2. In the Network option in Control Panel, click the Access Control tab, and then click Share-Level Access Control.

To set up user-level security on a computer on a NetWare network

  1. Install File and Printer Sharing services for NetWare Networks, as described in Chapter 11, "Logon, Browsing, and Resource Sharing."

  2. In the Network option in Control Panel, click the Access Control tab, and then click User-level Access Control.

  3. In the User-level Access Control box, type the name of the NetWare server, and then click OK.

To set up user-level security on a computer on a Microsoft network

  1. In the Network option in Control Panel, click the Access Control tab, and then click User-level Access Control.

    Cc751093.rk14_04(en-us,TechNet.10).gif

  2. Type the name of the Windows NT domain or Windows NT workstation where the user accounts reside, and then click OK.

For information about specifying values for security in custom setup scripts, see Appendix D, "MSBATCH.INF Parameters." For information about using System Policy Editor to set user-level security and other security options, see Chapter 15, "User Profiles and System Policies."

Using Share-Level Security

You can restrict access to a shared directory or printer by either defining it as read-only or assigning a password to it.

To share a directory or printer with share-level security

  1. In Windows Explorer or My Computer, right-click the icon for the directory or printer you want to share and, in the context menu, click Sharing.

  2. Click the Sharing tab. Then click Share As, and type the resource's share name.

    The shared resource name will be the computer name plus the share name. For example, in the following illustration, if the computer name is mycomputer, then this shared resource in \\mycomputer\adamt.

    Cc751093.rk14_05(en-us,TechNet.10).gif

  3. Specify whether you want users to have read-only or full access to this resource.

  4. Optionally, type the password (or passwords) for read-only or full access, and click OK.

Tip You can share a directory but hide it from the Network Neighborhood browsing list by adding a dollar-sign character ($) to the end of its share name (for example, PRIVATE$).

Using User-Level Security

For each network resource or service governed by user-level security, there is a list of users and groups that can access that resource.

To share a directory or printer with user-level security

  1. In Windows Explorer or My Computer, right-click a resource and, in the context menu, click Sharing.

  2. In the resource's properties, click Add.

  3. In the Add Users dialog box, click a user or group, and then assign access rights as described in the following section.

For each user, there is a set of rights assigned for a resource. The kinds of rights that you assign depend on the kind of resource you are securing:

  • For shared directories, you can allow a user to have read-only access, full access, or custom access. Within custom access, you can grant the user any or all of the following rights: read, write, create, list, delete, change file attributes, and change access rights.

  • For shared printers, a user either has the right to access the printer or not.

  • For remote administration, a user either has the right to be an administrator or not as defined in the Passwords option in Control Panel.

Permissions are enforced for a resource as follows:

  • If the user has explicit rights to the resource, then those rights are enforced.

  • If the user does not have explicit rights to the resource, then the permissions are determined by taking all of the rights of each group to which the user belongs.

  • If none of the groups to which the user belongs has any rights to that resource, then the user is not granted access to the resource.

When you do not explicitly assign access rights to a file or directory, Windows 95 uses implied rights. Implied rights are those assigned to a file or directory's nearest parent directory. If none of the parent directories (up to and including the root directory of the drive) have explicit rights, no access is allowed.

Note: Implied rights are displayed automatically in the properties dialog boxes of the shared file or directory.

Specifying Directory Access Rights in User-Level Security

Access rights specify what a user can do in a directory protected by user-level security. The access rights you define for a directory apply to all of its subdirectories. You cannot, however, assign permissions to individual files in Windows 95. (Both Windows NT and NetWare allow you to assign permissions to files.)

For each directory, you can assign read-only, full, or custom access. (Read-only and full access are equivalent to the same values used by Windows for Workgroups with share-level security.) Custom access allows you to further specify exactly what each user or group can do in the directory, as specified in the following list.

File operation

Required permissions

Read from a closed file

Read files

See a filename

List files

Search a directory for files

List files

Write to a closed file

Write, create, delete, change file attributes

Run an executable file

Read, list files

Create and write to a file

Create files

Copy files from a directory

Read, list files

Copy files to a directory

Write, create, list files

Make a new directory

Create files

Delete a file

Delete files

Remove a directory

Delete files

Change directory or file attributes

Change file attributes

Rename a file or directory

Change file attributes

Change access rights

Change access control

To define custom access

  1. Open the Add Users dialog box in a shared resource's properties as described in the preceding procedure.

  2. In the Add Users dialog box, click a user or group, click Custom, and then click OK.

  3. In the Add Users dialog box, click a user or group from the Name list, and then click Custom.

  4. In the Change Access Rights dialog box, click the type of rights the user or group of users can have in the directory, and then click OK.

  5. To remove a user or group of users, click the user or group of users, and then click Remove.

  6. To edit the access rights for a user or group of users, click the user or group of users, and then click Edit.

Managing User Lists

Windows 95 user-level security depends on a list of accounts and groups located on a security provider. You cannot add or remove users and groups from the security provider list by using Windows 95 tools. However, you can do this by running User Manager for a Windows NT domain, SYSCON for NetWare 3.x, and NETADMIN for NetWare 4.x. in a NetWare bindery environment. You can use these tools on a computer running Windows 95. These tools are provided by the respective vendors and not by Windows 95.

Under Windows 95, you specify what rights users have to specific resources on the local computer as described in the preceding section. For more information about changing a user's access rights, see "Specifying Directory Access Rights in User-Level Security " earlier in this chapter.

Note: Although Windows NT networks allow multiple domains, a computer running Windows 95 can specify only one domain for user-level security. To use a trust relationship to access multiple domains, you should consult the Windows NT Server 3.5 Concepts and Planning Guide that is part of the Windows NT Server documentation set.

Security for Windows 95 in NetWare Bindery Environments

NetWare 3.x servers store all the information about users, groups, passwords, and rights in a database stored on the server called the bindery. NetWare 4.x servers can appear to have a bindery through bindery emulation, a feature which is enabled by default. There is a separate bindery for each NetWare server. Windows 95 can use the bindery of only one NetWare server as the security provider.

It is common for a company to have one or more NetWare servers per department, where users log on to the server for their department. This scenario can pose a problem when the list of accounts differs from one NetWare server to another.

For example, Sue and Bob log on to the Sales server and Fred logs on to the R&D server. Because Sue is running Windows 95 and can specify only one server for pass-through validation, she specifies Sales (the server she uses for logon). She can now grant access to shared resources on her computer to Bob but cannot grant access to Fred.

The only way to solve this problem is to include all user accounts for all servers on one NetWare server. This server should be specified as the security provider for every computer running Windows 95 with File and Printer Sharing for NetWare Networks.

Note: User-level security in Windows 95 does not support the use of NetWare domains and the NetWare Name Service (NNS), an Add-On service for NetWare 4.x servers to obtain user lists. Windows 95 does support NetWare 4.x with bindery emulation to obtain user lists.

Using the Windows 95 Password Cache

Keeping track of multiple passwords can be a problem for users. Often, they either forget the passwords or write them down and post lists of passwords near their computers. When this happens, the security policy is no longer doing the job it was meant to do — to allow access to those who should have it and to deny access to those who shouldn't.

Windows 95 solves this problem by storing passwords for resources in a password list file (.PWL). This file stores passwords for the following network resources:

  • Resources on a computer running Windows 95 protected by share-level security

  • Applications that are password-protected: these applications must be specifically written to the Master Password API

  • Windows NT computers that don't participate in a domain, or the Windows NT logon password if it isn't the Primary Network Logon

  • NetWare servers

The password list file is stored in the Windows directory on the local computer. Each resource typically has its own password. The password file is encrypted by using an algorithm. An unencrypted password is never sent across the network.

Caution: If you delete .PWL files, you will lose all previously stored passwords. You will need to retype each password.

Password caching is enabled by default when you install Windows 95. When you access a password-protected resource for the first time, make sure the Save This Password In Your Password List option is checked to save the password to the password list file.

Cc751093.rk14_07(en-us,TechNet.10).gif

Note: If, during logon, you click the Cancel button to bypass the logon screen, the cache will not be opened and you will be prompted for a password each time you attempt to use a protected resource.

You can disable password caching by using System Policy Editor.

To disable password caching by using system policies

  1. In System Policy Editor, double-click the Local Computer icon.

  2. In the Local Computer Properties, click Network, and then click Passwords.

  3. Click the policy named Disable Password Caching.

    For more information, see Chapter 15, "User Profiles and System Policies."

Note: If you have any share-level security servers and you disable password caching and are running Client for Microsoft Networks, you should not use the Quick Logon feature in the Network option in Control Panel.

Using Password List Editor

If password caching is enabled, Windows 95 caches passwords in the password list file when you connect to a password-protected network resource. Password List Editor (PWLEDIT) allows you to view the resources listed in a user's password list file (.PWL). It does not allow you to view the actual passwords, but it allows you to remove specific password entries if problems are encountered using a cached password.

Password List Editor works only if the password list file is unlocked, that is, if the user is logged on. It can be used to view only the contents of the logged-on user's password list file, so you should run it on the user's computer.

Password List Editor can be found in the ADMIN\APPTOOLS\PWLEDIT directory on the Windows 95 compact disc.

To install Password List Editor

  1. In the Add/Remove Programs option in Control Panel, click the Windows Setup tab, and then click Have Disk button.

  2. In the Install From Disk dialog box, click Browse. Type the path name to \ADMIN\APPTOOLS\PWLEDIT\PWLEDIT.INF, and then click OK.

  3. In the Have Disk dialog box, click Password List Editor, and then click Install.

To run Password List Editor

  • From the Start menu, click Run, and type pwledit.

Using the Windows 95 Logon Password

With Windows 95, users can log on to all networks and Windows 95 at the same time. The first time a user starts Windows 95, logon dialog boxes appear for Windows 95 and for each network client on that computer. This is useful for you as a network administrator because you can use existing user accounts on a network security provider to validate access to the network for users running Windows 95. For more information, see Chapter 11, "Logon, Browsing, and Resource Sharing."

If a user's password for Windows 95 or for another network is the same as the password for the primary logon client, Windows 95 logs the user on to Windows 95 and the network automatically using that password. When a user logs on to other networks with different passwords and chooses to save them, the passwords are stored in the password list file. The Windows 95 password unlocks this password list file. Thereafter, Windows 95 uses the passwords stored in the password list file to log a user on to other networks so no additional passwords need to be typed.

The Passwords option in Control Panel provides a way to synchronize logon passwords for different networks. This allows users to use the password for whatever logon dialog box appears first (the primary network logon client or Windows 95 logon) for logging on to all the other network clients.

You can also use the Passwords option to change individual passwords to other network resources to be different than the Windows 95 logon password.

To change a password for a network resource to be the same as the Windows 95 logon password

  1. In the Passwords icon option in Control Panel, click Change Windows Password.

  2. In the Change Windows Password dialog box, check the other passwords you would like to change to use the same password as the Windows 95 password, and then click OK.

    To appear in this list, the related software must include a function that allows its password to be changed.

    Cc751093.rk14_06(en-us,TechNet.10).gif

  3. In the second Change Windows Password dialog box, type the current (old) Windows 95 password, type a new password, and then, in the Confirm New Password box, type the new password again.

Note: The Windows Screen Saver passwords option will show up here only if the Windows screen saver has been turned on and the password-protected option has been selected.

You can maintain separate passwords for a network resource and require users to type a password each time they access it.

To change a password for a network resource

  1. In the Passwords option in Control Panel, click Change Other Passwords.

  2. In the Select Password dialog box, click the password you want to change, and then click Change.

  3. In the Change Password dialog box, type the current (old) password, type a new password, and then in the Confirm New Password box, type the new password again. Click OK.

    You now must type a separate password to access the resource.

Using Windows 95 with NetWare Passwords

To log on to a NetWare network, you must type the name of the preferred server on which the related user account is stored. After the user name and password are validated by the network server, you can use resources shared on that server. If you are not validated, you will be prompted to enter a password whenever connecting to a NetWare server during this work session.

The first time you attempt to connect to a NetWare server other than the preferred server, the NetWare server searches the Windows 95 password list file for a user name and password to that server. If the user name and password pair are not valid, NetWare displays a dialog box and asks you to type a user name and password. If there is no NetWare user name and password in the password list file, NetWare tries using the Windows 95 logon password. You can disable this automatic attempt to log on to NetWare resources.

To avoid use of automatic NetWare logon

  • Use system policies to enable the policy named Disable Automatic NetWare Login. For information, see Chapter 15, "User Profiles and System Policies."

To change your password on a NetWare server

  1. At the command prompt, use the net use command to connect to the NetWare server's SYS volume. For example, for a server name NWSVR2, you would type:

net use * \nwsvr2\sys

  1. At the command prompt, change to the drive for the NetWare server, and then make the PUBLIC directory the current directory. For example, if the drive is mapped to drive N, type:

n:

Then type:

<pre IsFakePre="true" xmlns="https://www.w3.org/1999/xhtml">

mdcd \public

**Note**: If you want to change your password on more than one server, connect to all affected servers before running the **setpass** command. Setpass is a utility provided by Novell and is not part of Windows 95.
  1. At the command prompt, type:

setpass

If the server on which you want to change your password is different from the one on the current drive, type **setpass** and the server name.

For example, to change your password on the server named NWSERVE1, type:

<pre IsFakePre="true" xmlns="https://www.w3.org/1999/xhtml">

setpass nwserve1

  1. When you are prompted, type your old password, then type and confirm the new password.

  2. If you are connected to other NetWare servers that also use your old password, these servers are listed, and you are asked if you want to change your password on these servers also.

Using System Policies to Enforce Password Security

You can use system policies to increase security by forcing users to follow specific password guidelines. Using system policies, you can enforce the following password policies:

  • Require Validation By Network For Windows Access, to specify that each logon be validated by a server before access to Windows is allowed. This applies to Windows NT and NetWare networks.

  • Disable Automatic NetWare Login, to specify that when Windows 95 attempts to connect to a NetWare server, it does not automatically use the user's logon name and password or the password list file.

  • Minimum Windows Logon Password Length, to control the minimum number of characters accepted for a Windows 95 logon password.

  • Require Alphanumeric Windows Logon Password, to force a Windows 95 logon password to be a combination of numbers and letters.

  • Hide Share Passwords With Asterisks, to cause asterisks to replace characters that users type when accessing a shared resource. This setting applies only to share-level security and is enabled by default.

  • Disable Passwords Control Panel, to prevent access to the Passwords option in Control Panel.

  • Hide Change Passwords Page, to hide this properties dialog box in the Passwords option in Control Panel.

  • Disable Password Caching, to prevent saving of passwords for share-level resources, applications, and for NetWare passwords.

  • Disable Caching Of Domain Password, to prevent the caching of the network password.

For information about restricting settings with system policies, see Chapter 15, "User Profiles and System Policies."

Guidelines for Setting Password Policy

A good password policy helps users protect their passwords from other individuals. This helps to reduce the probability of someone logging on with another user's password and gaining unauthorized access to data.

The following guidelines should help you create a basic security policy:

  • Tell users not to write down their passwords.

  • Tell users not to use obvious passwords, such as their name, their spouse's name, the names of their children, and so on.

  • Do not distribute user accounts and passwords in the same communication. For example, if you are sending a new user's account name and password in writing, send the user name and the password at different times.

You can use the following Windows NT and NetWare security features to enhance Windows 95 security:

  • Enforce a reasonable minimum password length, which increases the number of permutations needed to randomly or programmatically guess someone's password. Additionally, you can enforce an alphanumeric password combination to achieve the same security.

  • Enforce maximum and minimum password age. A maximum password age forces the user to change the password, preventing someone else from discovering it as a result of the password being in use for a long time. A minimum password age prevents a user from immediately reverting back to a previous password after a change.

  • Enforce password uniqueness and maintain password history. This prevents users from toggling between their favorite passwords. You can specify the number of unique passwords that a user must have before that user can use a password that has previously been used.