Protecting Users from Themselves

By Brien M. Posey, MCSE

Published in TechRepublic's Windows Support Professional (TechRepublic.com)

If you're responsible for supporting Windows 95 or Windows 98 workstations for your company, chances are good that many—if not the majority—of the trouble calls result from problems that the users have caused themselves. If this is the case, the most effective way to lighten your workload is to limit what the end users are able to do to their machines. In this article, we'll show you how to secure Windows 95 and Windows 98 against curious users with self-destructive tendencies. As we do, we'll explain the pros and cons of implementing such restrictions.

What to restrict

As we said before, users who don't necessarily have malicious intent can accidentally cause PC problems through their actions. For example, they may load a program that contains a virus or load a buggy screen saver that causes random GPF faults. Other actions may cause more serious problems. For example, how many times have you seen a user try to free more hard disk space by deleting all the files that they don't recognize (such as DLLs and executable files)? To avoid such problems, you must configure each PC in such a way that it prevents users from running unauthorized programs or deleting system files, while still allowing the users to do their jobs.

Many administrators refer to this as the "Hitler" approach to networking, because unless your users are basically computer illiterate, chances are good that they won't like it one bit. No one likes having their freedom stripped away. Because of this, and because of the difficulty and risks involved in setting up this security, you should only use this approach if absolutely necessary.

Before you begin

Before you begin implementing any form of extra security, we should point out that this procedure is dangerous. If you don't follow our instructions exactly , you can lock yourself out of the PC you're trying to configure. Therefore, you need to make a full backup of each PC before you begin configuring it. (If you happen to have a spare PC lying around, it might be a good idea to use it the first time you set up the configuration we describe. That way, you can get a good feel for the procedure without endangering a production machine.)

Next, you should make sure your PC has plenty of free disk space. The amount of disk space required depends on how many people will be using the PC and how many programs you let them use. On average, this configuration requires about 20 MB of free space, but it may need more or less depending on your environment.

When you've backed up a PC and made sure that you have plenty of free hard disk space, it's time to begin the security implementation. Note that we'll use Windows 98 in all the procedures we'll cover in this article. However, Windows 95 is similar enough that you shouldn't have too much trouble adapting the procedure.

Implementing user profiles

The first step in our procedure is to implement user profiles. User profiles let users logging on to the PC have their own desktops and maintain unique individual settings. Because you'll want some accounts to be tightly restricted, whereas other accounts—such as the Administrator account—have full access, multiple profiles are essential.

To enable user profiles, open the Control Panel and double-click the Password icon. When the Password Properties sheet opens, click the User Profiles tab. Now, select the radio button corresponding to the option to allow users to customize their preference and desktop settings, as shown in Figure A. You should also select both check boxes. Click OK to continue. Next, click Yes when Windows asks if you want to reboot your computer.

Establishing the initial profiles

When your computer reboots, log on as the user who will be using the computer most often. We'll refer to this user throughout the article as the normal user. As you log on, Windows will tell you that you haven't logged onto this computer before, and will ask you if you want to retain all your individual settings for future use. Click Yes. When you do, Windows will automatically create a directory whose name matches the user's logon name and place the directory in the \Windows\Profiles directory.

At this point, log out of Windows, and log on as Administrator. When you do, you'll see the message indicating that you haven't logged onto this computer before. Click the Yes button to create a profile for the Administrator.

Removing shortcuts to programs

Now, open Windows Explorer and go to the \Windows\Profiles\Normal\Start Menu\Programs folder (where Normal is the logon name of the normal user). When you've opened this folder, delete the shortcuts to any programs you don't want the normal user to have access to. For example, several programs are listed in Figure B. Unless you delete them, all these programs will appear on the normal user's Start menu. So, if you didn't want the user to have access to Microsoft Excel, you'd delete the shortcut.

Next, go to the \Windows\Profiles\Normal\Recent folder. As you can see in Figure C, this folder contains a list of all the recently opened documents. If this folder is left unchecked, the normal user could double-click on a recently opened document and gain access to a restricted program. For example, suppose you removed the shortcut to Microsoft Excel. If Excel worksheets appeared in the recently opened documents folder, the user could double-click on the worksheet and Windows would open Excel. From there, the user could simply close the document while leaving Excel open and do anything he wanted. Therefore, it's important to delete the entire contents of the Recent folder.

The System Policy Editor

At this point, it's time to install the System Policy Editor. You'll use the System Policy Editor to enforce the regulation you impose on your users. To install the System Policy Editor, open the Control Panel and click the Add/Remove Programs icon. When the Add/Remove Programs Properties sheet appears, select the Windows Setup tab. Next, click the Have Disk button and insert your Windows 98 CD.

Windows will now ask for the location of the file. The System Policy Editor is located in your Windows 98 CD's \Tools\Reskit\Netadmin\Poledit directory. Enter this path and click OK. When you do, Windows will give you a choice of which options to install. Select the System Policy Editor option, as shown in Figure D, and click Install to continue. Windows will now install the System Policy Editor.

The default user policy

Now that you've installed the System Policy Editor, you can run it by typing POLEDIT at the Run prompt. When the System Policy Editor opens, select the New Policy command from its File menu. Icons for the Default User and the Default Computer should appear.

Select the Add User command from the Edit menu. When the Add User dialog box opens, type Administrator and click OK. Now, select the Add User command again and enter the name of the normal user. When you've done so, your System Policy Editor screen will resemble the one shown in Figure E.

Before you begin placing restrictions on the accounts you've created, you must impose some restrictions on the Default User. Windows 98 uses the Default User policy if you haven't created a special policy for the person who's logging on. To restrict this account, follow these steps:

1. Double-click the Default User icon. Navigate to Windows 98 System | Restrictions | and select all four check boxes, as shown in Figure F.

2. Navigate to Windows 98 System | Shell | Restrictions and select the check boxes shown in Figure G. You can select additional check boxes if you want to—just be sure not to select the Disable Shut Down Command check box.

3. Open Windows Explorer and create a directory called Default under the \Windows\Profiles directory.

4. Switch back to the System Policy Editor and navigate to the Windows 98 | Shell | Custom Folders section. Select each check box within that section. Some of the checkboxes have a corresponding Path text box that will appear at the bottom of the System Policy Editor. Each time you see this text box, enter c:\windows\profiles\default, as shown in Figure H.

5. Navigate to Windows 98 System | Control Panel and select the check boxes shown in Figure I. Be sure to mark all the extra check boxes that appear at the bottom of the System Policy Editor for each item. You should also take care not to select the Hide Remote Administration Page and the Hide User Profiles Page under the Restrict Password Control Panel check box, or you could cause problems in the long run.

6. Click OK. Save the policy you've created by choosing the Save As command from the File menu; call the policy Config.pol.

The normal user policy

Now that you've set up a default user policy, it's time to establish a policy for the normal user. To do so, select the Open Policy command from the File menu and open the following file from your Windows 98 CD:

\Tools\Reskit\Netadmin\Poledit\Maximum.pol

When the policy loads, follow these steps:

1. Select the Default User and then select Copy from the Edit menu.

2. Load the Config.pol file you created earlier. Select the normal user and choose Paste from the Edit menu. When Windows asks if you want to paste the contents of the clipboard into the policy, click Yes.

3. Double-click on the normal user policy and navigate to Windows 98 System | Shell | Custom Folders. Select the text beside each check box in the custom folders section (not the check box itself) to view the contents of any corresponding text boxes at the bottom of the window.

4. You must now edit the contents of each text box to place files in the correct location. Insert the string \Profiles\Normal (where Normal is the logon name of the normal user) between c:\Windows and whatever follows. For example, if the text box contains c:\Windows\Start Menu\Program, you'll change it to c:\Windows\Profiles\Normal\Start Menu\Programs.

5. Verify that all check boxes are still checked.

6. Navigate to Windows 98 System | Shell |Control Panel and impose the same restrictions that you did for the default user.

7. Go through the entire restriction tree and change any gray boxes to white by clicking on them twice. By default, Windows ignores gray boxes. If a restriction is set for the default user but not for the normal user, and you leave the corresponding box gray, the default restrictions will be applied.

8. Click OK to continue.

The Administrator policy

Setting up the Administrator policy is easy. To do so, double-click the Administrator policy. When you do, go through the entire restriction tree and turn all check boxes to white. No checkboxes should be gray or selected (have a check mark).

The "not logged in" policy

Up to now, you've set up policies that will dictate Windows behavior to anyone who logs in. However, it's still possible for someone to press the [Escape] key at the logon prompt and bypass all the policies you've created. To avoid this behavior, you must establish a "not logged in" policy. To do so, select the Open Registry command from the File menu to display a new set of icons. Apply the same permissions to the Local User as you applied set to the default user. When you've done so, save your changes via the Save command.

Switching on the policies you've created

Now that you've created all the necessary policies, you must activate them. To do so, load your Config.pol file. When the policy loads, double-click the Default Computer icon. Now, navigate to Windows 98 System | User Profiles and select the Enable User Profiles check box. Go to Windows 98 Network | Update and select the Remote Update check box. Then, enter the options shown in Figure J in the Settings For Remote Update section. Click OK to continue.

Next, select the Open Registry command from the File menu and double-click on the Local Computer icon. Set the Update mode the same way you did for the Config.pol file. Click OK to close the Local Computer Properties sheet, and then save your changes via the Save command.

Testing the PC

Before you turn potentially chaotic users loose on the PC, you need to test your policies. Begin by logging in as the Administrator and making sure you have full rights to everything. Next, log on as the main user of the PC. When you do, make sure they have only the icons and menu options you intended. You should also check for document history lists that could potentially grant the user access to unauthorized programs. Finally, try running programs such as Windows Explorer, the Registry Editor, the System Policy Editor and the MS-DOS prompt. When you're satisfied with your security, log out and press the Escape key at the logon prompt. When you do this, Log off and Shut Down should be the only available Windows options.

What if something goes wrong?

Because of the complexity of these procedures, there's always a chance that something could go wrong during the setup. For example, you could accidentally enable an incorrect restriction or leave out a step. If this happens to you, you may be able to recover your PC without restoring your backup.

If you're running Windows 95, begin by booting your PC to Safe Mode. As you're probably aware, Safe Mode loads Windows with a minimal set of drivers and instructions so that you can correct boot problems. When Windows loads, you can continue with the procedure in the following "Recovery" section.

If you happen to be running Windows 98 (or some modified versions of Windows 95), booting to Safe Mode to bypass the policies isn't an option. To get around this, boot your PC with a DOS startup disk. Next, copy the c:\Windows\Config.pol file to a floppy disk. Load the System Policy Editor onto another PC and use it to load the policy file from your floppy disk. Now you can make the changes suggested in the "Recovery" section. When you're done, save your changes and copy the policy file from the floppy disk back to its original location.

Recovery

To begin recovering your system, run the System Policy Editor by typing POLEDIT at the Run prompt. Next, load the Config.pol file you created earlier. Navigate to Default Computer | Windows 98 System | User Profiles and click the Enable User profiles check box until it turns white, as shown in Figure K. Next, double-click on the Default Computer icon and go to Windows 98 Network | Update | Remote Update. Disable the remote update and save your changes.

You should also verify that the paths are correct for each user under the Shell | Custom Folder section. If the paths aren't correct, it's possible for some restrictions to still apply.

Next, select the Open Registry command from the File menu, double-click the Default Computer icon, and go to Windows 98 Network | Update | Remote Update. Disable the remote update and save your changes. Doing so will keep your PC from enforcing the System Policies you imposed.

Complications with passwords

After setting up a configuration such as the one we've described above, you've implemented two types of security: network security and local security. Network security controls user access to your servers and other shared resources, whereas local security protects the computer from which a user is actually logging on. Because there are two types of security, there are two accounts with the same name.

For example, suppose you log on with the account Brien_Posey. The Brien_Posey account already exists on your server; it's used to control access to network resources. However, When Windows tells you this is the first time you've logged on at this computer and asks if you want to keep your settings, it's actually building you a local account. The local account information is stored in a .pwl file in the Windows directory. For example, the Brien_Posey account would have a corresponding .pwl file named Brien_~1.pwl.

Because there are two accounts, there are two different passwords. If your network passwords are set to expire periodically, you must provide your users with the rights and the knowledge to change their local passwords. When a network password expires, a user should go ahead and change it. They must then go into the Password icon in Control Panel and change the Windows password (but not the network password, because it's already been changed). This is a fairly straightforward process.

You should also keep in mind that each PC has a profile for the Administrator. If you change the Administrator's password (or logon name) on the server, you'll have to change it on each PC to match.

Additional users

Unfortunately, enforcing extra local security effects any user who wants to use the PC to log onto the network. As you may recall, each user we set up with the System Policy Editor has her own policy and her own profile directory. If a user who hasn't been set up on the machine tries to log on, the log on will be successful, because he has rights to the server. However, after the network logon completes, local security kicks in and the user is given the same permissions as the "not logged in" user.

To allow an additional user to access the PC, the Administrator must create a policy for the user. If the user had previously tried to log on, Windows has already created a profile directory for him. The easiest way to create a new user policy is as follows:

1. Go into Policy Editor and load the Config.pol file you created earlier.

2. Click the Add User button and type in the logon name of the new user. When you do, Windows will create a policy for the new user based on the default policy.

3. Select a user who has rights comparable to the ones you wish to assign to the new account and choose the Copy command from the Edit menu.

4. Select the new account and choose the Paste command from the edit menu. Doing so will copy the existing user's rights to the new account.

5. Change the paths under the Custom Folders section to match the correct profile directory, as shown in Figure L, and save your changes. The new user should now be able to access the PC.

Additional protection

After you've configured your PC and it's working correctly, you should make a backup copy of the Config.pol file and put it in a safe place. Now, it's time to protect that PC once and for all. To do so, disable floppy disk boot from your CMOS editor and password protect the CMOS. If you've got a dual-boot configuration, you should also disable it, to prevent someone from booting to an alternate operating system to gain access to restricted files.

Conclusion

In this article, we've explained how user's actions can accidentally cause PC problems. As we did, we showed you a way to lock down a PC to prohibit tampering. Keep in mind that this procedure can be dangerous to set up, and you should back up everything before doing so.

Brien M. Posey is an MCSE and a freelance technical writer. He also works as a network engineer for the Department of Defense. You can contact him via E-mail at Brien_Posey@xpressions.com. (Because of the large volume of E-mail that he receives, it's impossible for him to respond to every message. However, he does read them all.)

We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as -is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.