Securing Stand-Alone Workstations
| Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist. |
Windows 95 Professional
A publication of The Cobb Group
Published February 1998
Stand-alone PCs in public places, such as libraries, book stores, and record stores, are becoming more common place. In such environments, it's necessary to protect the PC from tampering. Unfortunately, Windows 95 doesn't offer an obvious solution to this problem. However, there's a relatively easy procedure you can use to secure stand-alone Windows 95 workstations. In this article, we'll demonstrate this procedure and show you how to implement it.
On This Page
Precautions
Enable user profiles
Creating a profile
Restricting access to programs
Installing the Policy Editor
Creating a default user policy
Creating a public policy
Creating an administrator policy
Defining a "not logged in" policy
Enabling the policies
Testing the policies
Securing the policies
Conclusion
Precautions
Before you enable security on a PC, you should take a few steps to prepare the system. First, you need to make a backup copy of your entire hard disk including the Registry. The procedure we're about to guide you through is risky, and it's very easy to accidentally lock yourself out of your PC if you make a mistake.
Next, you need to verify that you have at least 20MB of hard disk space free so that Windows 95 can store user account information. Although most implementations will use much less space than this, you should reserve at least 20MB just to be safe.
Enable user profiles
Now you're ready to begin implementing the procedure. At this point, you must enable user profiles. User profiles allow each user to have their own desktop or allow an administrator to force users to use a predefined desktop. To enable user profiles, open Control Panel and double click the Passwords icon. When the Passwords Properties sheet appears, select the User Profiles tab. Then, click the second option button and select both check boxes, as shown in Figure A. Click OK, and Windows 95 will ask you to restart your computer. Click Yes to reboot.
.gif "Cc751417.w9p9822a(en-us,TechNet.10).gif")
Figure A: Click the second option button and select both check boxes.
Creating a profile
When your computer reboots, log in as Public. When you do, Windows 95 will automatically create a folder for the Public account and prompt you to confirm Public's password. If you didn't enter a password in the initial login screen, simply press [Enter] to create the account without a password. Windows 95 will then tell you that you haven't logged in to the computer before and will ask if you want to retain the account's settings. Click Yes to continue.
At this point, log out of Windows 95 and log back in as Administrator. You should assign the Administrator account an obscure password you won't forget. Then, click Yes once again when Windows asks if you want to retain the account's settings.
Restricting access to programs
While you're logged in as Administrator, open Windows Explorer and go to the Windows\Profiles\Public\Start Menu\Programs folder. Once you've opened this folder, delete the shortcuts to any programs you don't want the Public account to have access to. For example, in Figure B, you can see that the Start Menu folder contains a shortcut to WinZip. If you don't want the Public account to have access to WinZip, simply delete its shortcut from the Start Menu folder.
After you delete any shortcuts you don't want the Public account to access from the Start Menu\Programs folder, go to the Windows\Profiles\Public\Recent folder and delete its contents. As you can see in Figure C, this folder contains a list of the documents you've opened recently. If you don't delete the shortcuts in this folder, someone could use them to access an unauthorized application. For example, suppose you wanted to restrict access to Microsoft Word. If a Word document appeared in the list of recently opened documents, a user could simply double-click the document, and Windows 95 would launch Word.
.gif "Cc751417.w9p9822b(en-us,TechNet.10).gif")
Figure B: You'll need to delete any shortcuts you don't want the Public account to have access to.
.gif "Cc751417.w9p9822c(en-us,TechNet.10).gif")
Figure C: Empty the contents of the Windows\Profiles\Public\Recent folder.
Installing the Policy Editor
Now that you've deleted the unwanted shortcuts, it's time to install the Policy Editor. To do so, first close Windows Explorer and open Control Panel. Then, double-click the Add/Remove Programs icon to open the Add/Remove Programs Properties sheet. Select the Windows Setup tab and then click the Have Disk… button. When the Install from Disk dialog box opens, enter E:\Admin\Apptools\Poledit in the Copy Manufacturer's Files From dialog box, where E is the letter of your CD-ROM drive. Now, insert your Windows 95 CD in the drive and click OK. Select the System Policy Editor from the Components window, as shown in Figure D, and click Install. Finally, click OK to close the Add/Remove Programs Properties sheet.
.gif "Cc751417.w9p9822d(en-us,TechNet.10).gif")
Figure D: Select the System Policy Editor and click Install.
Creating a default user policy
Once you've installed the Policy Editor, launch it by selecting the Run… command from the Start menu, typing poledit in the Open text box, and clicking OK. When the Policy Editor opens, select the New File command from the File menu. You should see icons representing the Default User and the Default Computer. Simply select the Add User… command from the Edit menu, enter Administrator in the Type the Name of the User to Add text box, and click OK. Then, repeat the process and add a user called Public. At this point, the System Policy Editor screen should resemble the one shown in Figure E.
.gif "Cc751417.w9p9822e(en-us,TechNet.10).gif")
Figure E: The System Policy Editor should display the users you've created.
Now that you've created your accounts, it's time to restrict the default user. To do so, double-click the Default User icon. When the Default User Properties sheet appears, navigate to Default User/System/Restrictions and select all four check boxes, as shown in Figure F. Then, select Default User/Shell/Restrictions and select the check boxes shown in Figure G. Make sure you don't accidentally select the Disable Shut Down Command check box.
.gif "Cc751417.w9p9822f(en-us,TechNet.10).gif")
Figure F: Select these check boxes in Default User/System/Restrictions.
.gif "Cc751417.w9p9822g(en-us,TechNet.10).gif")
Figure G: Be sure you don't select the Disable Shut Down Command check box.
At this point, leave the System Policy Editor open and switch to Windows Explorer. Create a directory called C:\Windows\Profiles\Dummy, where Windows is the name of your Windows 95 directory. Next, switch back to the System Policy Editor, navigate to Default User/Shell/Custom Folders, and select all the check boxes under this location. As you select the various check boxes, the System Policy Editor will prompt you for the paths that correspond to the options. At each prompt, enter C:\Windows\Profiles\Dummy in the text box provided, as shown in Figure H. Click OK to close the Default User Properties sheet. Finally, select the Save As… command from the File menu and save the policy as C:\Windows\Config.pol. After you save the changes, the System Policy Editor will close the policy.
.gif "Cc751417.w9p9822h(en-us,TechNet.10).gif")
Figure H: Enter C:\Windows\Profiles\Dummy at the various prompts.
Creating a public policy
You've defined a default user policy, so now it's time to define the Public policy. To do so, select the Open File… command from the System Policy Editor's File menu and open the file \Admin\Reskit\Samples\Policies\Maximum.pol from your Windows 95 CD. Once the policy loads, select Default User and choose the Copy command from the Edit menu. Then, reload the Config.pol file you created earlier, select Public, and choose the Paste command from the Edit menu. When Windows 95 asks if you want to paste the contents of the Clipboard to the user Public, click Yes. Now, double-click the Public icon.
Then, navigate to Public/Shell/Custom Folders and click on the text beside each check box (not the check box itself). After you click on each item, check to see if there's a corresponding text box below the tree. If there is, replace the existing text with C:\Windows\Profiles\Public, where Windows is your Windows 95 directory, as shown in Figure I. When you finish, verify that all check boxes are still checked.
.gif "Cc751417.w9p9822i(en-us,TechNet.10).gif")
Figure I: Change all corresponding text boxes to C:\Windows\Profiles\Public.
At this point, navigate to Public/Control Panel/Passwords and select the Restrict Passwords Control Panel check box. When you do, you'll see four additional check boxes appear at the bottom of the window. Select these four check boxes, then navigate to Public/Shell/Restrictions and select the check boxes shown in Figure J. You can also add any other restrictions you find helpful, but make sure you don't to select the Disable Shut Down Command check box.
Now go to Public/System/Restrictions and change any gray check boxes to white by clicking them twice. By default, Windows 95 ignores items with gray check boxes to save loading time. Changing the gray check boxes to white keeps the Default User policy from imposing unwanted restrictions on the account. Once you've finished, click OK to close the Public Properties sheet.
.gif "Cc751417.w9p9822j(en-us,TechNet.10).gif")
Figure J: Select these check boxes to keep the Default User policy from imposing unwanted restrictions.
Creating an administrator policy
Once you've defined the Public policy, you can begin setting up the Administrator policy. First, double-click the Administrator icon. Open each subtree associated with the Administrator account and change all the check boxes from gray to white by clicking them twice. As before, changing the check boxes to white protects the various permissions from being overridden by the Default User account. If a check box contains a check mark, you should remove it. Click OK to close the Administrator Properties sheet, then save the policy and close the System Policy Editor.
Defining a "not logged in" policy
Although you've created user accounts with the necessary restrictions, it's still possible for someone to reboot the PC and click Cancel at the login screen. Since no one would be officially logged in in such an instance, none of the policies would be in effect. Fortunately, there's a way to protect your system against such an intrusion. To establish a "not logged in" policy, log out of Windows 95. When you see the first prompt to log back in, press [Esc] to abort the login process. Then, run the System Policy Editor by selecting Run… from the Start menu, typing poledit in the Open text box, and clicking OK. Next, select the Open Registry command from the System Policy Editor's File menu. Finally, double-click the Local User icon and apply the same permissions to the Local User that you applied to the Default User. When you've finished, save your changes, log out, and log back in as Administrator.
Enabling the policies
Now that you've created all the necessary policies, you must activate them. To begin, open the System Policy Editor and load the Config.pol file you created earlier. When the policy finishes loading, double-click the Default Computer icon. Then, select the Enable User Profiles check box under Default Computer/System and select the Remote Update check box located under Default Computer/Network/Update. As soon as you select this check box, you'll notice two text boxes at the bottom of the window. You should set the Update Mode option to Manual and set the Path for Manual Update option to C:\Windows\Config.pol, as shown in Figure K. Click OK to close the Default Computer Properties sheet and then save your changes.
At this point, select the Open Registry command from the File menu. When the System Policy Editor loads the Registry, double-click the Local Computer icon and set the Update Mode and Path for Manual Update options, as you did for the Config.pol policy. Click OK to close the Local Computer Properties sheet. Then, save your changes and close the System Policy Editor.
.gif "Cc751417.w9p9822k(en-us,TechNet.10).gif")
Figure K: Set the Update Mode to Manual and use the path C:\Windows\Config.pol.
Testing the policies
Before you turn the Public account loose on your PC, you should test the policies you've created. To do so, you first need to log out and log in as Public so you can verify that Public has no access to forbidden shortcuts or menu items and that there's no way to run programs such as the System Policy Editor or the Registry Editor. Then, log out and click Cancel at the login prompt. (You shouldn't have access to anything at this point; however, you should be able to log out.) Finally, log in as Administrator and make sure that you have full rights to your system.
If you find that any of the accounts you've created allow unwanted access, log in as Administrator and open the System Policy Editor. Next, verify the various permissions and corresponding directories for the malfunctioning account. When you've found the permission causing the problem, correct it, log out, and retest the account.
Securing the policies
Presently, your accounts should be functional. However, keep in mind that setting up a few user accounts never stopped a good hacker. To further protect your system, you should use your PC's CMOS setup to disable the PC's ability to boot from a floppy disk. The method for doing so will vary according to the brand of PC.
Finally, if you've configured your PC to dual-boot to DOS, you should remove the dual-boot capability. For detailed instructions on doing so, see our article "A Simple Way to Multiboot" in the July 1997 issue.
Conclusion
In environments where stand-alone PCs are available to the public, it's necessary to secure the PC to prevent tampering. In this article, we've shown you how to secure a Windows 95 workstation. Although our method isn't foolproof, it should stop all but the most determined hackers.
The article entitled "Securing stand-alone workstations" was originally published in Windows 95 Professional, February 1998. Copyright © 1988, The Cobb Group, 9420 Bunson Parkway, Louisville, KY 40220. All rights reserved. For subscription information, call the Cobb Group at 1-800-223-8720.
We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as is," without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement , and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.