Enhancing Windows 95 Security Maximum Method Michael Hayman
Publicly accessible computers, such as those in schools, require a significant degree of security to prevent abuse. The Windows 95 CD-ROM provides the tool you need to implement restrictive policies on such machines in the form of the Policy Editor application. Unfortunately, the Windows 95 Resource Kit doesn't tell you how to use the Policy Editor for stand alone computers, so I developed a method of my own:
Prepare the System. Use Explorer to make backup copies of USER.DAT and SYSTEM.DAT, in case of emergency. make sure you have at least 10 MB free on the Windows 95 drive to hold user profile information.
Enable User Profiles. Launch the Password applet in Control Panel. Click the User Profiles tab, click the option Users can customise..., and check the two check boxes. Click OK; Windows will restart.
Create Profiles. When Windows restarts, log on as 'USER' and allow Windows to create folders to hold your profile information. Shut down and log on again as 'ADMINISTRATOR', with a suitably obscure password and again allow Windows to create profile folders. Don't forget this password !
Restrict User Access to Programs. While logged on as ADMINISTRATOR, use Explorer to navigate to C:WINDOWSPROFILESUSERSTARTMENU. In this folder, and those below it, delete any shortcuts to programs the user shouldn't be allowed to run, including every shortcut in the Recent folder. Be sure to delete shortcuts to the Policy Editor, Registry Editor and (optionally) Explorer.
Install Policy Editor. Launch the Add/Remove programs applet in Control Panel, click the Windows Setup tab and press the 'Have Disk' button. Navigate to the ADMINAPPTOOLSPOLEDIT folder of the Windows 95 CD-ROM and install POLEDIT.INF. This will install POLEDIT and put it on the ACCESSORIESSYSTEM TOOLS submenu of the Programs menu. It will also place the critical policy template file ADMIN.ADM in the C:WINDOWSINF folder. If you don't have the CD, you can download POLEDIT from Microsoft or CIS MSWIN.
Define Default User Policy. Launch POLEDIT, create a new file and add new users named 'USER' and 'ADMINISTRATOR'. Double-click on the Default User icon, select System | Restrictions and check all four boxes. Select Shell | Restrictions and check the four boxes whose captions begin with Remove, plus the two that say Hide All Items on Desktop and Don't Save Settings at Exit. Do not check the Disable Shut Down command. Use Explorer to create a folder named DUMMY in the C:WINDOWSPROFILES folder. Back in POLEDIT, select Shell | Custom Folders and check all the boxes, filling in the dummy folder name you just created for those that require paths. Click OK and save the file as CONFIG.POL.
Define User Policy. Load the example policy file MAXIMUM.POL, click on the Default User icon and choose Copy from the Edit menu. Reload CONFIG.POL and click on the User icon and select Paste from the Edit menu. Double-click the User icon and choose Shell | Custom Folders. Click on the text of each check box in turn and, if an edit box appears below, replace C:WINDOWS with C:WINDOWSPROFILESUSER. Make sure all boxes remain checked. Select Control Panel | Passwords and check the Restrict box; then check the other four boxes that appear below. Under Shell | Restrictions, check Remove Run command, Remove Find command, Hide Drive in My Computer and Don't Save Settings at Exit. Consult the Windows Resource Kit Help to determine what other restrictions you may wish to add, but be sure not to check Disable Shut Down command. Now go to the Shell | Restrictions and chang any grey check boxes to blank.
Define Administrator Policy. Double click the Administrator icon and go through the entire list of restrictions, setting every check box to blank, not grey. This protects the Administrator Policy from being affected by the Default User policy.
Define 'no user' Policy. Log on again, but press Esc to close the log-on rompt. Run POLEDIT, select open Registry from the File menu and double click Local User. Apply all the same restrictions you applied to Default User. Then log on as 'ADMINISTRATOR' again.
Enable Policy Loading. Load CONFIG.POL in POLEDIT, open the Default Computer icon, select System and check Enable User Profiles. Under NetworkUpdate, check Remote Update. Select Manual for the Update Mode and enter C:WINDOWSCONFIG.POL as your path. Save CONFIG.POL. Now select Open Registry form the File menu, double-click Local Computer and make the same change ot the network update mode. Save changes and exit POLEDIT.
Test Policies. Log on as 'USER'; check that the policy restrictions you specififed are in place. Now shut down, and log on again, but use a new name and password. There should be no icons on the desktop and no programs available(other than those you left there) from the Start menu. There should be nothing to do except but log on again. This time press [ESC] at the password dialog. Again you should have no option but to log out.
Protect your Policies. Log on as 'USER' and confirm that there is no way to run POLEDIT. For greater safety, change the file named ADMIN.ADM (in the C:WINDOWSINF folder) to something else. Use the DOS commadn ATTRIB to remove the read-only, hidden and system attributes from the file MSDOS.SYS (located in the root of your boot drive) and load it into notepad. Find the heading [OPTIONS] and add a line Bootkeys=0. Save the file and restore it's attributes. This change prevents the user from breaking out of Windows 95's boot process. Finally, if the system BIOS allows it, use it's SETUP program to disable booting from a floppy drive.
Take extra precaution. Install shutdown by unzipping into a temporary folder and right-clicking on the file INSTALL.INF and selecting "install" from the pop-up menu. Then allow all users of the computer to log in. Now, run the utility from the Start Menu and highlight the users you want to enable to log in.
