
Win95 Security – or lack thereof

Q: I have a problem that I'm trying to solve, and I thought you might have an answer, or you might want to do an article on this. I have been helping my neighbor try and solve a problem she is having with her son. He has been spending so much time on the computer...surf'n on the internet, installing and playing games etc, etc, etc, that his grades are starting to slip in school. She asked if I could help. So what I did was...rebuild their system from scratch (they wanted a clean start), then I installed the policy editor for win95, and set each household member's security restrictions. I set her son up to have very limited access. I only gave him access to certain programs, and limited access to the control panel. I also removed the Run, and Find option...well, you get the idea. I even set up a warning banner during startup...hoping that might deter him from going any deeper. Welllll, I'm sure you can guess what happened. I knew the security was weak for win95...but, this is just too easy! He made it past the security in a few minutes. I knew he would. I figured, if I can do it...so can he!

What I want to know is, is there any program available that can help win95 with its poor security? I was hoping for something that wouldn't change the overall look and feel of the interface, but would give some real security. Maybe even something that would restrict the time spent on the computer. I was so close with the policy editor, but, I couldn't do anything about signing on with a new name, and bypassing all of the security setup...or just hitting the ESC.

This would probably make a great article, because I'm sure there are a lot of parents trying to figure this out!! I know...there's always Windows NT, but we were trying to work with what we had. Any help you can offer, would be greatly appreciated.

A: Yeah, that ESC key is a bit of an easy backdoor. Here's a possible solution (which also works for Win98, by the way), adapted from a posting on Usenet: Publicly accessible computers, such as those in schools, require a significant degree of security to prevent abuse. The Windows 95 CD-ROM provides the tool you need to implement restrictive policies on such machines in the form of the Policy Editor (POLEDIT) application. Unfortunately, the Windows 95 Resource Kit doesn't tell you how to use POLEDIT for standalone computers, so I developed a method of my own:

  • Prepare the System. Use Explorer to make backup copies of USER.DAT and SYSTEM.DAT, in case of emergency. Make sure you have at least 10MB free on the Windows drive to hold user profile information.
  • Enable User Profiles. Launch the Password applet in Control Panel. Click the User Profiles tab, click the option Users Can Customize…, and check the two boxes. Click OK; Windows will restart.
  • Create Profiles. When Windows restarts, log on as User and allow Windows to create folders to hold your profile information. Shut down and log on again as Administrator, with a suitably obscure password, and again allow Windows to create profile folders. Don't forget this password!
  • Restrict User Access to Programs. While logged on as Administrator, use Explorer to navigate to C:\WINDOWS\PROFILES\USER\STARTMENU. In this folder and those below it, delete any shortcuts to programs the user shouldn't be allowed to run, including every shortcut to the Recent folder. Be sure to delete the shortcuts to POLEDIT, Regedit, and Explorer.
  • Install Policy Editor. Launch the Add/Remove Software applet in Control Panel, click the Windows Setup tab, and press the Have… button. Navigate to the ADMIN\APPTOOLS\POLEDIT folder of the Windows 95 CD-ROM and install POLEDIT.INF. This will install POLEDIT and put it on the Accessories\System Tools submenu of the Programs menu. It will also place the critical policy template file ADMIN.ADM in the C:\WINDOWS\INF directory. If you don't have the CD, you can download POLEDIT from www.microsoft.com or CIS MSWIN.
  • Define Default User Policy. Launch POLEDIT, create a new file, and add new users named User and Administrator. Double-click the Default User icon, select System|Restrictions, and check all four boxes. Select Shell|Restrictions and check the four boxes whose captions begin with Remove, plus the two that say Hide All Items on Desktop and Don't Save Settings on Exit. Do not check the Disable Shutdown command. Use Explorer to create a folder named C:\WINDOWS\PROFILE\DUMMY. Back in POLEDIT, select Shell|Custom Folders and check all the boxes, filling in the dummy folder name you just created for those that require paths. Click OK and save the file as CONFIG.POL.
  • Define User Policy. Load the example policy file MAXIMUM.POL, click on the Default User icon, and choose Copy from the Edit menu. Reload CONFIG.POL, click on the User icon, and select Paste from the Edit menu. Double-click the User icon and choose Shell|Custom Folders. Click on the text of each check box in turn and, if an edit box appears below, replace C:\WINDOWS with C:\WINDOWS\PROFILES\USER. Make sure all boxes remain checked. Select Control Panel | Passwords and check the Restrict box; then check the other four boxes that appear below. Under Shell | Restrictions, check the Remove Run command, Remove Find command, Hide Drives in My Computer, and Don't Save Settings on Exit. Consult the Windows Resource Kit Help to determine what other restrictions you may wish to add, but be sure not to check Disable Shutdown Command. Now go to the Shell | Restrictions and System | Restrictions and change any gray check boxes to blank.
  • Define Administrator Policy. Double-click the Administrator icon and go through the entire list of restrictions, setting every check box to blank, not gray. This protects the Administrator policy from being affected by the Default User policy.
  • Define "no user" Policy. Log on again, but press ESC to close the log-on prompt. Run POLEDIT, select Open Registry from the File menu, and double-click Local User. Apply all the same restrictions you applied to Default User. Then log on as Administrator again.
  • Enable Policy Loading. Load CONFIG.POL in POLEDIT, open the Default Computer icon, select System, and check Enable User Profiles. Under Network\Update, check Remote Update. Select Manual for the Update Mode, and enter C:\WINDOWS\CONFIG.POL as your path. Save CONFIG.POL. Now select Open Registry from the File menu, double-click Local Computer, and make the same change to the network update mode. Save changes and exit POLEDIT.
  • Test Policies. Log on as User; check to see that the policy restrictions you specified are in place. Log on as Administrator and check that there are no restrictions. Now shut down and log on again, but use a new name and password. There should be no icons on the desktop and no programs available from the Start menu (nothing to do but log on again). This time press ESC at the log-on prompt to bypass entering a user name. Again you should have no option but to shut down and log on again.
  • Protect Policies. Log on as User and confirm there is no way to run POLEDIT. For greater safety, rename the file ADMIN.ADM (in the C:\WINDOWS\INF folder) to something else. Use the DOS command ATTRIB to remove the read-only, hidden, and system attributes from the file C:\MSDOS.SYS, and load it into your favorite editor. Find the heading [Options] and change the bootkeys= key to bootkeys=0. If this key is not present under [Options], simply add it. Save the file and restore its read-only, hidden, and system attributes. This change prevents the user from breaking out of Windows 95's startup process. Finally, if the system BIOS permits, use its SETUP program to disable booting from a floppy disk.
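
The MSDOS.SYS edit from the Protect Policies step, as an added example that is not part of the original column: Python that sets BootKeys=0 under [Options], adds the key when it is absent, and leaves every other line untouched. The function names and the sample file contents are constructed for illustration.

```python
import re

SECTION = re.compile(r"^\s*\[(.+?)\]\s*$")
BOOTKEYS = re.compile(r"^\s*bootkeys\s*=", re.IGNORECASE)

# Constructed sample of an MSDOS.SYS with no BootKeys entry (not from the page).
SAMPLE = "\r\n".join([
    "[Paths]", r"WinDir=C:\WINDOWS", r"WinBootDir=C:\WINDOWS", "HostWinBootDrv=C",
    "", "[Options]", "BootMulti=1", "BootGUI=1", "Network=1",
    ";The filler comment lines that pad the real file are kept as-is.", ""])

def bootkeys_value(text):
    """Return the BootKeys value under [Options], or None if it is absent."""
    in_options = False
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            in_options = m.group(1).strip().lower() == "options"
        elif in_options and BOOTKEYS.match(line):
            return line.split("=", 1)[1].strip()
    return None

def set_bootkeys_off(text):
    """Return the text with BootKeys=0 under [Options]; other lines unchanged."""
    out, options_at, in_options, replaced = [], None, False, False
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            in_options = m.group(1).strip().lower() == "options"
            if in_options and options_at is None:
                options_at = len(out)   # remember where the heading sits
        elif in_options and BOOTKEYS.match(line):
            if replaced:
                continue                # drop a duplicate entry
            line, replaced = "BootKeys=0", True
        out.append(line)
    if not replaced:
        if options_at is None:          # no [Options] section at all
            out += ["[Options]", "BootKeys=0"]
        else:                           # key missing: add it under the heading
            out.insert(options_at + 1, "BootKeys=0")
    return "\r\n".join(out) + "\r\n"    # DOS line endings

if __name__ == "__main__":
    print(bootkeys_value(SAMPLE))
    print(bootkeys_value(set_bootkeys_off(SAMPLE)))
```

Run it against a copy of the file; on the Windows 95 machine the attributes still have to be cleared with ATTRIB before the edited file is written back and restored afterwards, as the step describes.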

 
