Securing a Public Workstation Under Windows 9x

VUGM-1999Rider University LibrariesEdward Corrado & Dr. Sharon Yang

Edward M. Corrado, MLS

• Unix Administrator/ Library Systems Manager - Rider University Libraries

• MLS, Rutgers University-1997

• BA, Mathematics, Caldwell College-1992

• ecorrado@rider.edu

Sharon Yang

• Systems Librarian at Rider University

• DLS, Columbia University-1997• MS, Columbia University-1988

Outline of the Presentation

• Purpose of the presentation• Presentation

– Batsh– System Policy Editor– TweakUI– Netscape

Outline of the Presentation

– Fortres 101– Winselect– Everybody’s Menu Builder– Ghost

• Conclusion

Just a Reminder!

• The presentation is about the security of a workstation, not that of a server.

• The presentation is about our experience at Rider. It is not intended to be an in-depth training session on security software. This is an overview of the tools we use.

• What we do to secure a Voyager OPAC may be different from what you do. What we do may not be necessarily the “best” way for your situation .

The Purpose of the Presentation

• Present the issue of security on a public workstation

• Share our experience at Rider

• Introduce new tools

This is what we do for a VoyagerOPAC Workstation• Batsh Program• Windows System Policy Editor• Netscape

Bios (CMOS) password settings• To prevent changing of system

settings• to prevent the setting of (unknown

to you) passwords• can be used with settings to

prevent booting from floppy

Bios (CMOS) password - boot• Prevent unauthorized booting of PC

Autoexec.bat

• Can be used to automatically copy files that patrons may have changed when the computer is started– bookmarks– wallpaper– etc.

What is BATSH.EXE for?

• To run WINDOWS commands from a text file. Line by Line. Like BATCH (.BAT) files in DOS, but with some WINDOWS specific commands, and not all the DOS features.

What O/S’s does BATSH.EXE run on?• Windows 3.1• Windows 95 • Windows NT• Windows 98 ?

How and why Rider University uses BATSH.EXE?• BATSH.EXE replaces EXPLORER shell

on OPAC computers (both Windows based Voyager and Netscape)

• This lessens the potential security hazards that the Explorer shell has.

• Can also be used to map network drives

• The Price is Right -- Freeware!

Why not just use the application as the shell?

• Harder to change between applications

• Windows will not shut down correctly with most applications as a shell

Batsh on Voyager WorkstationBatsh scripts are used to automatically

launch any program we chose on startupThe batsh script does not allow patrons

from exiting a program. If they try, they will be prompted for a password. If the wrong password is entered, or a password isn’t entered in a set amount of time, batsh will automatically re-launch the program.

Where is BATSH.EXE?

• Written by Thomas Nyffenegger• http://www.fmi.ch/groups/

ThomasNyffenegger/Group.html• On various freeware sites on the

Net:• http://www.winsite.com• Our batsh scripts will be made

available

What is System Policy Editor?

System Policy Editor is a programthat comes on the Windows

95/98CD-ROM when you buy the OS. It

isused to control a user’s desktopenvironment. In Rider library weuse it to lock down a public

accessworkstation such as a voyagerOPAC terminal. It does the jobsuccessfully.

Where is System Policy Editor?

System Policy Editor for Windows 95 is located on Windows 95 CD-ROM

in D:\admin\apptools\poledit. System Policy Editor for Windows 98 is

on Windows 98 CD-ROM in d:\tools\reskit\netadmin\poledit. System

Policy Editor for Windows NT comes in theserver software package.

http://www.microsoft.com/Windows95/downloads/contents/WUAdminTools/S_WUManagementTools/W95PolicyEditor/Default.asp

System Policy Editor for Windows 95

Or you can download SystemPolicy Editor for Windows 95

from the Microsoft web site at theabove URL. It is easier if you

searchthe key words “system policy

editor”at the web site.

http://www.microsoft.com/products/msoffice/Project /PRK/text/appa.htm

System Policy Editor for Windows 98

You can download it for Windows

98 at the above URL. It is easier if

you search the web site by key

words “system policy editor”.

What Do We Use It for?

Workstation security• Customize your desktop

according to your wishes• Hide various icons as

needed• Hide the DOS prompt• Not allow users to change

any settings and configurations

• Only allow users to use public workstations for designated library purposes

How do we use Policy Editor?

For Windows 95• Create a directory on C:\ drive• Copy all the files from the Windows CD to that directory• Start the program c:\directory\Poledit.exe• Delete the directory where all the policy files are

located• Or you can run it from a CD drive or network drive as

you want

How do we use Policy Editor?For Windows 98• Go to Control Panel and install System Policy Editor in

Add/Remove Programs• Run Poledit from Windows Run Box • Set up the system policies• Either remove the System Policy Editor or hide it after

the setup

How do we use Policy Editor?

Disable Display Icon in the Control Panel

This is what you may do if you don’t

want users to change your display

settings in the control panel such

as color schemes, refresh rates,

resolution. You may not want users

to change the background, screen

savers, Window font, either.

How do we use Policy Editor?

Disable Network Icon in the Control Panel

This is how you disable Network

icon in the control panel. Network

icon has all the communication

settings for the network. Youshould not allow users to

play withthem freely.

How do we use Policy Editor?

Disable Password Icon in the Control Panel

This is how you disable Password

Icon in the Control Panel. Users

can change windows password

here.

How do we use Policy Editor?

How do we use Policy Editor?

Disable Printing settings

It is important to disable printing

configurations.

How do we use Policy Editor?

Disable System Icon in the Control Panel

This is how you disable System

Icon in the Control Panel. System

Icon contains important information about hardware

andrelated settings. You should

notallow users to have access to

it.

How do we use Policy Editor?Customize your

desktopenvironment bysupplying your own customized

settings

How do we use Policy Editor?

Some other policies that you can set up

Those are some of the configuration parameters inSystem Policy Editor that

we usevery often.

How do we use Policy Editor?In Rider Library Electronic Computer Lab we used a single system policy file from a central location for all theclient computers. First we created a single policy file on one computer. Then we placed that policy file on our

server. We configured each client computer to point to the

locationof the policy file on the server. When users log on to thenetwork, the system policies from the file will take effect.

What is Power Toy TweakUI?

TweakUI is a program that you candownload from Microsoft web siteat http://www.microsoft.com/windows95/downloads/. It ispart of Windows Power Toys Set.Some of its features enable us todo things that System Policy Editorcannot help us to do. We use it incombination with System PolicyEditor to lock down a computer.

How do we use TweakUI?

TweakUI is a useful tool to help

us automatically logon toour network. It saves us a

lot oftime as we have more than

thirtypublic terminals to turn on

eachmorning.

How do we use TweakUI?

System Policy Editor can hide all

the drives in My Computer, but that

is not what we want. We only want

to hide network drives. TweakUI

can help us to do it. All you have to

do is to set up System Policy Editor

first and then set up TweakUI as

shown on this slide.

Netscape Security

Netscape Security

• Preferences– Most settings are under Preferences– Controlled by Prefui32.dll– C:\Program Files\Netscape\Program\

Communicator\Program\Prefui32.dll– Delete or Rename

Netscape Security

• Netscape Client Customization Kit (CCK)– Preset preferences including

bookmarks, home page, etc. when doing an install

– lock in preference settings (home page, cache, proxy settings, etc.)

– http://home.netscape.com/partners/distribution/custom/product.html

Netscape Security

• Misson Control Dektop

• Third Party Security software:– Ikiosk

A Rider Voyager Workstation

To summarize:• Batsh: Launch Netscape and

Webvoyage or Voyager Windows Client on startup and prevent any unauthorized exit

• Netscape: Webvoyage and Internet resources

• Policy Editor: restrict access to Windows settings

Other software for security

What is Fortres 101?

Fortres 101 is a desktop security

software for Window NT, Windows

95, and Windows 98. You can find

information about it at http://www.fortres.com. It is easy touse and well documented. It offers many options that

SystemPolicy Editor and TweakUI don’thave.

Fortress 101

How does Fortres 101 work?• Erase a user’s name from

logon• disable any icons on

desktop• Put a password on icons• Central Control Service• Restrict URLs• Protect files and drives• manage group security

What is Winselect Kiosk?

Winselect Kiosk is another security software. We use it

tosecure Netscape and

Internet Explorer.

Where is Winselect Kiosk?

How do we use it?

What is Everybody’s Menu Builder?

Everybody’s Menu Builder is a

menu system. It provides both

security and nice appearance

to a public workstation.

Where is Everybody’s Menu Builder?

You can find information about it

at http://www.carl.org/emb.

Norton Ghost

• No security is foolproof

• Backups, Backups• We use Ghost• Also use it to clone

groups of computers to save time

• http://www.ghost.com

Conclusion

Securing a Public Workstation under Windows 9xDr. Sharon Yang and Edward CorradoVUGM 1999

Overview

• Batsh.exe• Windows Poledit• TweakUI• Netscape Security

– Prefui32.dll– CCK

• Third Party Software

• Backups!

Questions ?????????