Windows 95 / NT Server Security Issues
This section comprises two basic areas: Windows 95 as a standalone (keeping your kids out of stuff) and, probably more important, managing many Windows 95 machines in, say, a school or training environment.
Security on a stand-alone system - hmmm do you really care?
Setting up security in Windows 95 Using the Policy Editor
Other Measures
Options and alternatives
Sentry
Quick-Menu IV
Other Security Tools
Security on a stand-alone system - hmmm do you really care?
This system of locking down Windows 95 is designed for standalone systems or systems that are NOT configured with a server - there will be (or may already be) an update available for securing a system with an NT 4 Domain (demesne - damn it!) server. This section was based on a letter by Richard Turner of Augusta, Georgia. It is or will soon be available for download in *.PDF format. Sample Policies may also be made available, or you may E-mail me using the request form.
1. Prepare the System. Use Explorer to make backup copies of USER.DAT and
SYSTEM.DAT, in case of emergency. Make sure you have at least 10MB free on the Windows
drive to hold user profile information.
2. One important thing to remember is where desktop items are stored. They are normally inside the Windows 95 directory as three distinct subdirectories called Desktop, Recent and StartMenu. If you are preparing a system that has not been configured with profiles before and has already been used by someone, you should make a point of renaming these folders or clearing them before you commence the following steps.
C:\WINDOWS\DESKTOP Stores the contents of the desktop
C:\WINDOWS\RECENT Stores the recently accessed document list
C:\WINDOWS\STARTMENU Stores all alterable items in the start menu
3. If you wish to remove access to the clock control menu (reached by right-clicking the clock on the task bar), right-click the task bar itself and deselect the Show Clock entry.
4. If the change-resolution button is showing (OSR2), you can disable this too in the Control Panel | Settings tab.
5. Enable User Profiles. Launch the Password applet in Control Panel. Click
the User Profiles tab, click the option 'Users Can Customize' and check the two boxes.
Also click the Include Start Menu and program groups in user settings. Click OK; Windows
will restart.
6. Create Profiles. When Windows restarts, log on as User (giving it an
appropriate password) and allow Windows to create folders to hold your profile
information.
7. Shut down and log on again as Administrator, with a suitably obscure
password, and again allow Windows to create profile folders. Don't forget this password!
Note the passwords here:-
User: .. Administrator: .
8. Restrict User Access to Programs. While logged on as Administrator, use
Explorer to navigate to C:\WINDOWS\PROFILES\USER\STARTMENU. In this folder and those below
it, delete any shortcuts to programs the user shouldn't be allowed to run, including every
shortcut in the 'Recent' folder. Be sure to delete the shortcuts to Poledit, Regedit, and
Explorer.
9. Install Policy Editor. Launch the Add/Remove Software applet in Control Panel, click the Windows Setup tab, and press the [Have Disk] button. Navigate to the ADMIN \ APPTOOLS \ POLEDIT folder of the Windows 95 CD-ROM and install POLEDIT.INF. This will install POLEDIT and put it on the 'Accessories \ System Tools' submenu of the Programs menu. It will also place the critical policy template file ADMIN.ADM in the C:\WINDOWS\INF directory. If you don't have the CD, you can download POLEDIT from http://www.microsoft.com.
10. If the Policy Editor refuses to install, as it did in my case, copy the entire folder to a suitable location (somewhere reasonably well hidden - on the desktop isn't bad) and copy ADMIN.ADM into its appropriate directory.
11. Define Default User Policy. Launch POLEDIT, create a new file, and add
new users named User and Administrator.
12. Double-click the Default User icon, select System | Restrictions, and
check all four boxes. Select Shell | Restrictions and check the four boxes whose captions
begin with Remove, plus the two that say Hide All Items on Desktop and Don't Save Settings
on Exit. Do not check the Disable Shutdown command. Use Explorer to create a folder named
C:\WINDOWS\PROFILE\DUMMY. Back in POLEDIT, select Shell | Custom Folders and check all the
boxes, filling in the dummy folder name you just created for those that require paths.
Click OK and save the file as CONFIG.POL.
13. Define User Policy. Load the example policy file MAXIMUM.POL (on the Windows 95 CD-ROM in 'Admin/Reskit/Samples/Policies'), click on the Default User icon, and choose Copy from the Edit menu. Reload CONFIG.POL, click on the User icon, and select Paste from the Edit menu. Double-click the User icon and choose Shell | Custom Folders. Click on the text of each check box in turn and, if an edit box appears below, replace C:\WINDOWS with C:\WINDOWS\PROFILES\USER. Make sure all boxes remain checked. Select Control Panel | Passwords and check the Restrict box; then check the other four boxes that appear below. Under Shell | Restrictions, check the Remove Run command, Remove Find command, Hide Drives in My Computer, and Don't Save Settings on Exit. Consult the Windows Resource Kit Help to determine what other restrictions you may wish to add, but be sure not to check Disable ShutDown Command. Now go to Shell | Restrictions and System | Restrictions and change any gray check boxes to blank.
14. Define Administrator Policy. Double-click the Administrator icon and go
through the entire list of restrictions, setting every check box to blank, not grey. This
protects the Administrator policy from being affected by the Default User policy.
15. Define "no user" Policy. Log on again, but press ESC to close
the log-on prompt. Run POLEDIT, select Open Registry from the File menu, and double-click
Local User. Apply all the same restrictions you applied to Default User. Then log on as
Administrator again.
16. Enable Policy Loading. Load CONFIG.POL in POLEDIT, open the Default Computer icon, select System, and check Enable User Profiles. Under Network | Update, check Remote Update. Select Manual for the Update Mode, and enter C:\WINDOWS\CONFIG.POL as your path. Save CONFIG.POL. Now select Open Registry from the File menu, double-click Local Computer, and make the same change to the network update mode. Save the changes and exit POLEDIT.
17. Test Policies. Log on as User; confirm that the policy restrictions you
specified are in place. Log on as Administrator and check that there are no restrictions.
Now shut down and log on again, but use a new name and password. There should be no icons
on the desktop and no programs available from the Start menu (nothing to do but log on
again). This time press ESC at the log-on prompt to bypass entering a user name. Again you
should have no option but to shut down and log on again.
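Step 17 has you log on as each account and check the result by eye. The following Python script is an added example (it is not from the original article or from Richard Turner's letter) that does the same check against a REGEDIT4 text export of a user's hive, so the verification can be repeated for every machine instead of clicked through. The mapping from POLEDIT check-box captions to registry value names is this example's assumption about what the stock ADMIN.ADM template writes under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies; confirm it against your own ADMIN.ADM. The export embedded below is constructed, not taken from a real machine.

```python
"""Audit a Windows 95 user's policy restrictions from a REGEDIT4 export.

Added example, not part of the original article. Checks that the User
account carries the restrictions step 13 asks for, that Disable Shutdown
is never set, and that Administrator (step 14) carries none at all.
"""
import re

EXPLORER_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SYSTEM_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"

# POLEDIT check-box caption -> (registry key, value name).
# Assumed mapping for the stock ADMIN.ADM; verify against your template file.
POLICY_VALUES = {
    "Remove Run command": (EXPLORER_KEY, "NoRun"),
    "Remove Find command": (EXPLORER_KEY, "NoFind"),
    "Hide Drives in My Computer": (EXPLORER_KEY, "NoDrives"),
    "Don't Save Settings on Exit": (EXPLORER_KEY, "NoSaveSettings"),
    "Hide All Items on Desktop": (EXPLORER_KEY, "NoDesktop"),
    "Disable Shutdown command": (EXPLORER_KEY, "NoClose"),
    "Disable Registry editing tools": (SYSTEM_KEY, "DisableRegistryTools"),
}

# What the article asks for on the User account (step 13) ...
USER_REQUIRED = {"Remove Run command", "Remove Find command",
                 "Hide Drives in My Computer", "Don't Save Settings on Exit"}
# ... and the one box it says never to check, on any account.
NEVER_SET = {"Disable Shutdown command"}

# Constructed sample export (regedit /e style); NoClose is deliberately set
# so the audit has something to report.
SAMPLE_USER_EXPORT = """REGEDIT4

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer]
"NoRun"=dword:00000001
"NoFind"=dword:00000001
"NoDrives"=dword:03ffffff
"NoSaveSettings"=dword:00000001
"NoClose"=dword:00000001

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]
"DisableRegistryTools"=dword:00000001
"""

_DWORD_LINE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Parse a REGEDIT4 export into {key_path: {value_name: int}} (dword values only)."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _DWORD_LINE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def policy_is_set(keys, caption):
    """True when the registry value behind a POLEDIT caption is present and non-zero."""
    key, name = POLICY_VALUES[caption]
    return keys.get(key, {}).get(name, 0) != 0


def audit(keys, role):
    """Return a list of findings for role 'User' or 'Administrator'; empty means OK."""
    findings = []
    for caption in POLICY_VALUES:
        on = policy_is_set(keys, caption)
        if caption in NEVER_SET and on:
            findings.append(f"{role}: '{caption}' is set (article says never to check it)")
        elif role == "User" and caption in USER_REQUIRED and not on:
            findings.append(f"User: '{caption}' is not set")
        elif role == "Administrator" and on:
            findings.append(f"Administrator: '{caption}' is set but should be blank")
    return findings


if __name__ == "__main__":
    hive = parse_reg_export(SAMPLE_USER_EXPORT)
    for finding in audit(hive, "User") or ["User: policy matches the article"]:
        print(finding)
```

Run it once per account, feeding the export taken while that account is logged on; the Administrator run should come back empty, and any "never to check" finding means the log-on loop the article warns about in step 12 is possible.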
18. Protect Policies. Log on as User and confirm there is no way to run
POLEDIT. For greater safety, change the file named ADMIN.ADM (in the C:\WINDOWS\INF
folder) to something else.
19. Use the DOS command ATTRIB (attrib -s -h -r C:\MSDOS.SYS) to remove the read-only, hidden, and system attributes from the file C:\MSDOS.SYS, and load it into your favorite editor. Find the heading [Options] and change the bootkeys=1 key to bootkeys=0. If this key is not present under [Options], simply add it. This disables keys like [F8] which give access to the system start-up menu (& safe mode) and would allow the user to bypass all your security efforts. Save the file and restore its read-only, hidden, and system attributes (attrib +s +h +r C:\MSDOS.SYS). This change prevents the user from breaking out of Windows 95's startup process.
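The edit in step 19 is easy to get subtly wrong: the key may already exist with a different case, the [Options] section may be absent, and the padding comments at the end of the file must survive. The following Python script is an added example (not from the original article) that makes the bootkeys change on the file text in memory, handling each of those cases, so it can be tested anywhere; on the Windows 95 machine itself the attrib -s -h -r and +s +h +r commands from the article still go around the actual write. The sample MSDOS.SYS content is constructed for the example.

```python
"""Set bootkeys=0 under [Options] in MSDOS.SYS (step 19 of the article).

Added example, not part of the original article. Edits the file text in
memory; the ';xxxx' padding comments are kept so the file stays over
1024 bytes, as the file's own comment warns.
"""
import re

# Constructed sample of a typical MSDOS.SYS; not copied from a real machine.
SAMPLE_MSDOS_SYS = (
    "[Paths]\r\n"
    "WinDir=C:\\WINDOWS\r\n"
    "WinBootDir=C:\\WINDOWS\r\n"
    "HostWinBootDrv=C\r\n"
    "\r\n"
    "[Options]\r\n"
    "BootMulti=1\r\n"
    "BootGUI=1\r\n"
    "Network=1\r\n"
    ";\r\n"
    ";The following lines are required for compatibility with other programs.\r\n"
    ";Do not remove them (MSDOS.SYS needs to be >1024 bytes).\r\n"
    ";xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxa\r\n"
)

_KEYVAL = re.compile(r"^\s*([^=;\[]+?)\s*=\s*(.*?)\s*$")


def _is_section(line, name=None):
    """True for a [Section] header line; with name given, only for that section."""
    s = line.strip()
    if not (s.startswith("[") and s.endswith("]")):
        return False
    return name is None or s[1:-1].lower() == name.lower()


def get_option(text, key):
    """Return the value of key under [Options] (case-insensitive), or None if absent."""
    in_options = False
    for line in text.splitlines():
        if _is_section(line):
            in_options = _is_section(line, "Options")
            continue
        if in_options and not line.lstrip().startswith(";"):
            m = _KEYVAL.match(line)
            if m and m.group(1).lower() == key.lower():
                return m.group(2)
    return None


def set_option(text, key, value):
    """Return text with key=value under [Options]; the key, or the whole
    section, is added if missing. All other lines are left untouched."""
    newline = "\r\n" if "\r\n" in text else "\n"
    out, in_options, seen, done = [], False, False, False
    for line in text.splitlines():
        if _is_section(line):
            if in_options and not done:
                out.append(f"{key}={value}")   # leaving [Options]: insert before next section
                done = True
            in_options = _is_section(line, "Options")
            seen = seen or in_options
            out.append(line)
            continue
        if in_options and not done and not line.lstrip().startswith(";"):
            m = _KEYVAL.match(line)
            if m and m.group(1).lower() == key.lower():
                out.append(f"{key}={value}")   # replace the existing key in place
                done = True
                continue
        out.append(line)
    if not done:
        if not seen:
            out.extend(["", "[Options]"])      # no [Options] section at all: create it
        out.append(f"{key}={value}")           # [Options] was the last section
    return newline.join(out) + newline


def bootkeys_disabled(text):
    """True only when BootKeys=0 is present; a missing key means F8/F5 still work."""
    return get_option(text, "BootKeys") == "0"


def disable_bootkeys_file(path):
    """Rewrite MSDOS.SYS at path. Run attrib -s -h -r on it first, +s +h +r after."""
    with open(path, "r", newline="") as f:
        text = f.read()
    with open(path, "w", newline="") as f:
        f.write(set_option(text, "BootKeys", "0"))


if __name__ == "__main__":
    patched = set_option(SAMPLE_MSDOS_SYS, "BootKeys", "0")
    print(patched)
    print("bootkeys disabled:", bootkeys_disabled(patched))
```

The line endings of the original file are preserved (DOS files use CR LF), and bootkeys_disabled treats a missing key as not disabled, because the default when the key is absent is for the boot keys to work.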
20. Finally, if the system BIOS permits, use its SETUP program to disable
booting from a floppy disk, and choose passwords for both Setup and System.
Write the BIOS Password here ......................................................................
Removing security from the system
1. Log into the system under the admin set-up.
2. Open the registry and remove all restrictions from the default user. (Vital!!!)
3. Delete the '*.PWL' files from the windows directory
4. Go to the passwords control panel and turn off individual settings.
5. Reboot and then remove the remnants of the various profiles in the windows/profiles directory.
Other Measures
Steps 19 and 20 talk about changing BIOS settings and doing some tricky MS-DOS stuff which will probably not be important in a home environment. In fact, once you have completed these steps, if you forget, say, the BIOS password you are pretty stuffed, so keep that in mind when you do this. Changing the way the system boots can be important not only for security reasons but also for viruses: if you accidentally leave a disk in the drive, at least you will not be infected if the C: drive boots before the A: drive. Common sense stuff which may not be immediately apparent. Depending on how far you go to lock down a system, you may wish to restore the registry upon every boot; we will discuss that in the case study which will be added to this section ASAP.
Options and alternatives
There are a series of commercial products which will lock down a system fairly tightly too, and indeed for the home user it may be preferable to use one of these products rather than stuff around with things you'd rather not play with. There are, I believe, two primary products of note. I did some fairly extensive research, and there are always new products coming to market, so it would be worthwhile to check out some of the URLs listed at the end of this section.
Sentry (5.8)
Quickmenu IV (4.1) for Windows.
Sentry is an excellent product which works well on Windows 3.11 and Windows 95. I played with it and found it difficult to get into (crack), although nothing a screwdriver couldn't fix. Sentry has some features above and beyond what one can achieve manually. This is a brief list of features as described by its author Mike Bobbitt.
Creating new users
Deleting users
Viewing the list of current users, with their account settings
Changing a user's password
Granting or revoking SuperUser access
Setting an expiry date on an account
Setting an expiry date on an account's password
Setting the maximum number of times an account can be "attacked" before it is disabled
Viewing and clearing the log file
Moving the log file to the backup file
Modifying all Sentry initialization settings (preferences)
Sending a short message to any user
Protecting an executable file (see below)
Exporting the initialization settings to be imported to a future version
Successful login attempts
Unsuccessful login attempts
Any changes to the Sentry initialization settings
Any attempts by the user to break out
Any attempts to log in as a SuperUser
All operations performed from the SuperUser menu
Protects DOS and Windows 95 files!
Logs when a file is protected
Logs who runs the protected file and when
Logs when the protected file execution stops
Allows only specified users to run protected files
Protected files have their own account structure and initialization settings
System
Initialization Settings
Account Structure
Check out the Simtel website for the latest version of Sentry.
Quickmenu IV (4.3) for Windows 95 and Windows NT
Another solution which struck me as pretty elegant was replacing the GUI altogether. Quickmenu is aimed at this and thus provides some interesting security options.
Other Security Tools
A selection of security access-restriction type products is available from the internet and in particular from download.com. Follow the link below and email me if you found something useful.