-tictech message:
Also keep in mind that with the steps outlined by Tony, you have to go
through the opposite steps to return a computer to "normal" when you need
to do troubleshooting.
The program that I like to use to secure a PC is Fortres. On our Business
Ed labs where students have individual logons, I still use policies and a
lot of registry hacks, but on classroom computers where individual student
logons are not needed, I use Fortres. Fortres works great on Win2k
computers. A nice feature is that if you log on as an Administrator,
Fortres leaves the system unprotected. (This is just with the latest
versions of Fortres). How much did Fortres cost me? Nothing! At
Ingraham, and possibly at other Seattle High Schools, FACSE bought Building
site licenses for it.
As I stated above, I use registry hacks along with Policies. In fact, I
carry in my shirt pocket a CD-ROM disc with a lot of the hacks. By the way,
have you seen the 2" CD-ROM discs that hold about 85 MB and the "credit
card" size ones that hold about 50 MB? Very handy. You can get the 2"
ones at CompUSA and I get the credit card sized ones from Cyberguys over
the net.
How do I figure out a registry hack and what might I hack? Here is an
example. Our newspaper computers have not been available to other students
who take classes in the same room since the computers all connect to a
DropFolder on the main computers with all of the paper articles in it. So,
I protected the DropFolder on the main computer with a Share password. So,
anyone on any of the other computers needs a password to connect to the
DropFolder. But, Microsoft put that @#$% "remember my password" checkbox
on the password dialog and even made it the default. So, if it is ever
left checkmarked when the password is entered, then the DropFolder is never
protected again on that computer.
I have another program that I really like called "WinBoost". It allows me
to change a lot of Windows' behaviors, like modifying Internet Explorer's
settings or saving passwords as above. It also allows me to remove the
password on the content advisor which the kids just love to screw
up. (Remember, wherever a password can be used, YOU want to put in a
password or the kids will!). I only have one license for this program so I
use it on only one computer. Here is what I do. On an unpatched computer,
I run regedit and export the registry to a folder that I create for this
purpose. I use "c:\Dif". I call the exported file "old.reg". I then run
WinBoost and turn off the feature like "password caching" above. Then I
run regedit again and export the registry as "new.reg" to "c:\Dif". I then
go into DOS, cd into c:\Dif and enter the command "fc old.reg new.reg >
dif.txt". This creates a text file "dif.txt" that shows what got changed
when WinBoost did its magic. (For you who want to know better what is going
on, "fc" is an old DOS command for "File Compare". It compares the two
files that you follow the command with. The results scroll off the screen
faster than I can read so "> dif.txt" redirects the output from the fc
command into a text file called "dif.txt".) I just go back into Windows and
double-click dif.txt to read it. It will usually show me the registry key
that got modified (along with a bunch of garbage). With this little hack,
I completely removed the checkbox in the password dialog for password
caching.
Here is what it looks like to turn off students changing the settings in
Internet Explorer...
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions]
"NoBrowserOptions"=dword:00000001
The easiest way to use this registry hack is to put it into a file like
this...
REGEDIT4

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions]
"NoBrowserOptions"=dword:00000001
Save this as a text file with a ".reg" extension, like
"NoChangeIE.reg". Running this will give the students "access denied" when
they try to change the options in Internet Explorer. But, when you
deprotect the system and right-click on the Internet Explorer Icon on the
desktop and go to properties, you can still make changes. If you screw up,
go back and run "c:\Dif\old.reg" and it should restore the registry. Using
these registry hacks, I have protected most everything that the policies
don't. But, remember that regedit is a power tool that can screw you up
very fast.
Wes Felty <wfelty@gte.net>
At 07:51 AM 6/10/2002 -0700, you wrote:
>-tictech message:
>
>Dear Folks,
>
>This might still be of interest to some:
>
>
>How We Secured our Win 9x Machines at Hale
>
>Preamble: for Historians Only
>
(cut - ma)
-end tictech message. To join, leave, or visit
the message archive, go to tictech on the Web:
http://www.earthdaybags.org/tictech/
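
The old.reg / new.reg comparison described in the message above, as an added example that is not part of the original post: it parses two REGEDIT4 text exports, lists only the values that differ, and writes them back out as a small .reg file. The sample exports and the Example\Counter key are constructed, and the input is assumed to be already-decoded REGEDIT4 text.

```python
import re
# Value line: "Name"=data or @=data (quoted names may hold escaped quotes).
VALUE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')

def parse_reg(text):
    """Parse REGEDIT4 export text into {key_path: {value_name: raw_data}}."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # rejoin wrapped hex: values
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := VALUE.match(line)):
            current[m.group(1)] = m.group(2)
    return keys

def diff_reg(old, new):
    """List (key, name, old_data, new_data) for every value that differs."""
    changes = []
    for key in sorted(set(old) | set(new)):
        o, n = old.get(key, {}), new.get(key, {})
        for name in sorted(set(o) | set(n)):
            if o.get(name) != n.get(name):
                changes.append((key, name, o.get(name), n.get(name)))
    return changes

def to_reg(changes):
    """Emit a REGEDIT4 file that applies the changes; '=-' deletes a value."""
    out, last = ["REGEDIT4"], None
    for key, name, _, new_data in changes:
        if key != last:
            out += ["", f"[{key}]"]
            last = key
        out.append(f"{name}={new_data if new_data is not None else '-'}")
    return "\n".join(out) + "\n"

# Constructed sample exports (not taken from a real machine).
OLD = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Example\Counter]
"Runs"=dword:00000004
"Blob"=hex:01,02,\
  03,04
'''
NEW = OLD.replace("00000004", "00000005") + r'''
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions]
"NoBrowserOptions"=dword:00000001
'''
if __name__ == "__main__":
    print(to_reg(diff_reg(parse_reg(OLD), parse_reg(NEW))))
```

Swapping the two arguments to diff_reg gives the file that undoes the change, including "name"=- lines for values that exist only after the change.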
This archive was generated by hypermail 2b29 : Mon Jun 10 2002 - 20:45:31 PDT