-tictech message:
Dear Folks,
This might still be of interest to some:
How We Secured our Win 9x Machines at Hale
Preamble: for Historians Only
When I first took over our Open Lab, I tried to get our very old, but
disgustingly healthy Mac LC computers to be replaced by just about
anything that would run Windows. With $5,000, some tech budget money, and
some luck, we
managed this in about a year's time. Then the question which
immediately arose was: How to secure them? We had used Fool Proof
happily for many years on our Macs. A natural thought was to purchase
it for our PCs as well. The first time I did this, it completely
toasted one of my main computers and required a complete rebuild.
Because of this, I looked briefly at using Win95 policies placed on our
NT server. With a lot of work one could configure these (thanks to Wes
for the info on this) so they were fairly secure. I took another look
at Fool Proof after they had completely redone it and did a lot of
testing. The results were mixed, but just good enough that I decided to
purchase it ($700). I like the ease of having that switch to use when
I wanted to shut off security, and also the symmetry with our Macs which
have a similar Fool Proof switch. The company that makes Fool Proof has
been in serious disarray and has released a version of Fool Proof 4x for
Win2K that is atrocious in the number of bugs and things that just don't
work. So, I don't necessarily recommend what we have done... I just
know it worked well for us.
A tech person would want to look at the numbers of Win9x machines left
in their building and projections for this OS in the future in your
location to see if this solution for those machines would be worth the
price.
Some Free (but much less wonderful) alternatives to Fool Proof for WIn9x:
A little free piece of software that can provide some security is on the
Win95 CD in Power Tools folder, called Security Setup... Basically an
easy front end for 9x policies. Not sure if this is compatible with all
versions of 9x. Poledit is another, less friendly option which is also
on the CD. A formal install is required for it to run.
What We Did That Worked
Our Windows 9x machines are much, much more secure than the Windows NT
and Win2000 machines in our building that are being protected by
protected by NT (not Win2K) policies.
Fool Proof to Secure the OS
What I like about Fool Proof 3x for Windows:
...is that it only allows saving to one, specified location, and it only
allows programs to run which you specify. This latter feature is very
helpful if someone had been able to get around your attempts to put
threatening executables off limits. Other very useful features are the
ability to put custom settings on a disk which allows one to load
FoolProof onto a machine in seconds, and the ability to use a machine as
a "settings server" to allow Fool Proof changes to an entire lab by
changing a single checkbox or password. (in our extensive testing, FP4.0
for Win2K would never do either of these things making installation (in my
opinion)
ridiculous!). Also, Fool Proof comes with a master and a user password.
That means you can give the user password to your TAs and keep the
master one secret. If one of your TAs proves to be less trustworthy
than you had hoped, you can change it everyday at lunch for the entire
school with a single click as I did in my lab for awhile.
What I don't like about Fool Proof 3x for WIndows:
.... is that sometimes it locks up the machine when you use that handy
little switch. The frequency of this is significantly below the level
where it would override the benefits however.
Also if the Autosweep feature is enabled [this is supposed to eliminate
any non-allowable changes which have been made to the computer since the
last boot], it occasionally sweeps exolorer.exe into oblivion. This is
not Internet Explorer... the exlorer.exe application is necessary for
creation of the desktop so the computer is non-functional until you copy
this file back.
In General...
In general, we are very pleased with FP3x. However, In my opinion, FP4x is
so full of problems that
we are finding it to be worse than nothing. If anyone is interested, I
could report on that
system... suffice it to say it would be really short and say mostly bad
things. This is unfortunate,
because I think it has the makings of a great security system.
BIOS and MSDOS.SYS settings to protect the Boot Process:
One usually gets into the BIOS settings by pressing delete, F1, F2 or
F10 (depending on the manufacturer) during bootup. Generally you'll be
prompted, although Compaq doesn't always do that and you have to look
for a little flashing square in the upper right hand corner of the black
screen and then quickly hit F10. Everyone's got to come up with their
own variant!
First, one has to set the boot sequence BIOS setting so it will either
only boot from the hard drive (usually c), or at least so that it boots
from the harddrive first with as few other options as possible. Then
the BIOS has to be password protected. All of this can be defeated by
opening up the case and shorting out a jumper, so if you really, really
want tight security, you'll lock the case shut. Obviously, if your
computer won't boot, you'll have to go into the BIOS and undo the boot
sequence
setting so you can once again boot from a floppy disk.
Fool Proof proper protects the OS and River Deep includes a boot
locking function to do the latter. Our experience is that sometimes the
boot locking would be interpreted as a boot sector virus (!), would
interfere with graphics in the window menus, or sometimes appeared to
"toast" the machine. I decided not to use it and to use alterations to
the MSDOS.SYS file instead. Adding the following lines to this file:
BootGUI=1
BootKeys=0
BootWarn=0
Will defeat the F8 key which brings up a menu asking if the user wants
to boot into command line (ack!) mode, Safe Mode, etc... Fixing this is
essential for security. See below for details of settings and how to
alter them.
One weakness here is that one could interrupt the boot process by
restarting the computer in the middle of the boot, let the machine go
into auto scandisk and then cancel that. This can give one a command
line option. Setting autoscan to 0 [see below] would defeat this, but
would put your machine at risk for a messed-up FAT table. Leaving the
autoscan intact seemed the best choice in the absence of evidence that
people were doing this.
Below is information on the MSDOS.SYS file and how to setup up security
changes:
From http://support.microsoft.com/default.aspx?scid=kb;EN-US;q118579
These Three:
1) BootGUI= Boolean
Default: 1
Purpose: A setting of 1 forces the loading of the GUI interface.
A setting of 0
disables the loading of the GUI interface
2) BootKeys= Boolean
Default: 1
Purpose: A setting of 1 enables the use of the function key boot
options (that is,
F4, F5, F6, F8, and CTRL). A setting of 0 disables the use of
these function keys
during the boot process
3) BootWarn= Boolean
Default: 1
Purpose: A setting of 0 disables the Safe-mode boot warning
message and the
Startup menu.
Probably not needed if you don't have a second OS... but no reason to
not do it that I know of
4) BootMulti= Boolean
Default: 1
Purpose: A setting of 0 disables the multi-boot option. (For
example, with a
setting of 0 you cannot boot your previous operating system.) A
setting of 1
enables the F4 and F8 keys to boot your previous operating
system.
Hmmm... I wouldn't do this but they might be interesting
5) AutoScan= Number
Default: 1
Purpose: Defines whether or not ScanDisk is run after a bad
shutdown. A setting
of 0 does not run ScanDisk; 1 prompts before running ScanDisk; 2
does not
prompt before running ScanDisk but prompts you before fixing
errors if any
errors are found.
This setting is used only by OEM Service Release 2 and Windows
98.
How to Edit the Msdos.sys File
(Taken from:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q118579)
If you want to change any of the values in the Msdos.sys file,
follow these steps to
edit the file:
Click Start , point to Find , and then click Files Or Folders .
In the Named box, type msdos.sys . In the Look In box, click your
boot drive
(usually drive C, or drive H if drive C is compressed). Click the
Find Now
button.
Right-click the Msdos.sys file, and then click Properties .
Click to clear the Read-Only and Hidden check boxes to remove
these
attributes from the Msdos.sys file, and then click OK .
Right-click the Msdos.sys file, and then click Open With .
In the Choose the program you want to use box, click WordPad ,
and then
click OK .
Make the changes you want to the Msdos.sys file. When you are
done, save the
file as a text document, and then quit WordPad.
Right-click the Msdos.sys file, and then click Properties .
Select the Read-Only and Hidden check boxes to set the attributes
for the file,
and then click OK . Close the Find window.
Restart Windows.
==============================================
Tony Hand
tghand@seattleschools.org
Technology Coordinator
Nathan Hale High School
Seattle School District
-end tictech message. To join, leave, or visit
the message archive, go to tictech on the Web:
http://www.earthdaybags.org/tictech/
This archive was generated by hypermail 2b29 : Mon Jun 10 2002 - 08:35:39 PDT