Post on 21-Dec-2015
transcript
Securing a Public Workstation Under Windows 9x
VUGM-1999Rider University LibrariesEdward Corrado & Dr. Sharon Yang
Edward M. Corrado, MLS
• Unix Administrator/ Library Systems Manager - Rider University Libraries
• MLS, Rutgers University-1997
• BA, Mathematics, Caldwell College-1992
• ecorrado@rider.edu
Sharon Yang
• Systems Librarian at Rider University
• DLS, Columbia University-1997• MS, Columbia University-1988
Outline of the Presentation
• Purpose of the presentation• Presentation
– Batsh– System Policy Editor– TweakUI– Netscape
Outline of the Presentation
– Fortres 101– Winselect– Everybody’s Menu Builder– Ghost
• Conclusion
Just a Reminder!
• The presentation is about the security of a workstation, not that of a server.
• The presentation is about our experience at Rider. It is not intended to be an in-depth training session on security software. This is an overview of the tools we use.
• What we do to secure a Voyager OPAC may be different from what you do. What we do may not be necessarily the “best” way for your situation .
The Purpose of the Presentation
• Present the issue of security on a public workstation
• Share our experience at Rider
• Introduce new tools
This is what we do for a VoyagerOPAC Workstation• Batsh Program• Windows System Policy Editor• Netscape
Bios (CMOS) password settings• To prevent changing of system
settings• to prevent the setting of (unknown
to you) passwords• can be used with settings to
prevent booting from floppy
Bios (CMOS) password - boot• Prevent unauthorized booting of PC
Autoexec.bat
• Can be used to automatically copy files that patrons may have changed when the computer is started– bookmarks– wallpaper– etc.
What is BATSH.EXE for?
• To run WINDOWS commands from a text file. Line by Line. Like BATCH (.BAT) files in DOS, but with some WINDOWS specific commands, and not all the DOS features.
What O/S’s does BATSH.EXE run on?• Windows 3.1• Windows 95 • Windows NT• Windows 98 ?
How and why Rider University uses BATSH.EXE?• BATSH.EXE replaces EXPLORER shell
on OPAC computers (both Windows based Voyager and Netscape)
• This lessens the potential security hazards that the Explorer shell has.
• Can also be used to map network drives
• The Price is Right -- Freeware!
Why not just use the application as the shell?
• Harder to change between applications
• Windows will not shut down correctly with most applications as a shell
Batsh on Voyager WorkstationBatsh scripts are used to automatically
launch any program we chose on startupThe batsh script does not allow patrons
from exiting a program. If they try, they will be prompted for a password. If the wrong password is entered, or a password isn’t entered in a set amount of time, batsh will automatically re-launch the program.
Where is BATSH.EXE?
• Written by Thomas Nyffenegger• http://www.fmi.ch/groups/
ThomasNyffenegger/Group.html• On various freeware sites on the
Net:• http://www.winsite.com• Our batsh scripts will be made
available
What is System Policy Editor?
System Policy Editor is a programthat comes on the Windows
95/98CD-ROM when you buy the OS. It
isused to control a user’s desktopenvironment. In Rider library weuse it to lock down a public
accessworkstation such as a voyagerOPAC terminal. It does the jobsuccessfully.
Where is System Policy Editor?
System Policy Editor for Windows 95 is located on Windows 95 CD-ROM
in D:\admin\apptools\poledit. System Policy Editor for Windows 98 is
on Windows 98 CD-ROM in d:\tools\reskit\netadmin\poledit. System
Policy Editor for Windows NT comes in theserver software package.
http://www.microsoft.com/Windows95/downloads/contents/WUAdminTools/S_WUManagementTools/W95PolicyEditor/Default.asp
System Policy Editor for Windows 95
Or you can download SystemPolicy Editor for Windows 95
from the Microsoft web site at theabove URL. It is easier if you
searchthe key words “system policy
editor”at the web site.
http://www.microsoft.com/products/msoffice/Project /PRK/text/appa.htm
System Policy Editor for Windows 98
You can download it for Windows
98 at the above URL. It is easier if
you search the web site by key
words “system policy editor”.
What Do We Use It for?
Workstation security• Customize your desktop
according to your wishes• Hide various icons as
needed• Hide the DOS prompt• Not allow users to change
any settings and configurations
• Only allow users to use public workstations for designated library purposes
How do we use Policy Editor?
For Windows 95• Create a directory on C:\ drive• Copy all the files from the Windows CD to that directory• Start the program c:\directory\Poledit.exe• Delete the directory where all the policy files are
located• Or you can run it from a CD drive or network drive as
you want
How do we use Policy Editor?For Windows 98• Go to Control Panel and install System Policy Editor in
Add/Remove Programs• Run Poledit from Windows Run Box • Set up the system policies• Either remove the System Policy Editor or hide it after
the setup
How do we use Policy Editor?
Disable Display Icon in the Control Panel
This is what you may do if you don’t
want users to change your display
settings in the control panel such
as color schemes, refresh rates,
resolution. You may not want users
to change the background, screen
savers, Window font, either.
How do we use Policy Editor?
Disable Network Icon in the Control Panel
This is how you disable Network
icon in the control panel. Network
icon has all the communication
settings for the network. Youshould not allow users to
play withthem freely.
How do we use Policy Editor?
Disable Password Icon in the Control Panel
This is how you disable Password
Icon in the Control Panel. Users
can change windows password
here.
How do we use Policy Editor?
How do we use Policy Editor?
Disable Printing settings
It is important to disable printing
configurations.
How do we use Policy Editor?
Disable System Icon in the Control Panel
This is how you disable System
Icon in the Control Panel. System
Icon contains important information about hardware
andrelated settings. You should
notallow users to have access to
it.
How do we use Policy Editor?Customize your
desktopenvironment bysupplying your own customized
settings
How do we use Policy Editor?
Some other policies that you can set up
Those are some of the configuration parameters inSystem Policy Editor that
we usevery often.
How do we use Policy Editor?In Rider Library Electronic Computer Lab we used a single system policy file from a central location for all theclient computers. First we created a single policy file on one computer. Then we placed that policy file on our
server. We configured each client computer to point to the
locationof the policy file on the server. When users log on to thenetwork, the system policies from the file will take effect.
What is Power Toy TweakUI?
TweakUI is a program that you candownload from Microsoft web siteat http://www.microsoft.com/windows95/downloads/. It ispart of Windows Power Toys Set.Some of its features enable us todo things that System Policy Editorcannot help us to do. We use it incombination with System PolicyEditor to lock down a computer.
How do we use TweakUI?
TweakUI is a useful tool to help
us automatically logon toour network. It saves us a
lot oftime as we have more than
thirtypublic terminals to turn on
eachmorning.
How do we use TweakUI?
System Policy Editor can hide all
the drives in My Computer, but that
is not what we want. We only want
to hide network drives. TweakUI
can help us to do it. All you have to
do is to set up System Policy Editor
first and then set up TweakUI as
shown on this slide.
Netscape Security
Netscape Security
• Preferences– Most settings are under Preferences– Controlled by Prefui32.dll– C:\Program Files\Netscape\Program\
Communicator\Program\Prefui32.dll– Delete or Rename
Netscape Security
• Netscape Client Customization Kit (CCK)– Preset preferences including
bookmarks, home page, etc. when doing an install
– lock in preference settings (home page, cache, proxy settings, etc.)
– http://home.netscape.com/partners/distribution/custom/product.html
Netscape Security
• Misson Control Dektop
• Third Party Security software:– Ikiosk
A Rider Voyager Workstation
To summarize:• Batsh: Launch Netscape and
Webvoyage or Voyager Windows Client on startup and prevent any unauthorized exit
• Netscape: Webvoyage and Internet resources
• Policy Editor: restrict access to Windows settings
Other software for security
What is Fortres 101?
Fortres 101 is a desktop security
software for Window NT, Windows
95, and Windows 98. You can find
information about it at http://www.fortres.com. It is easy touse and well documented. It offers many options that
SystemPolicy Editor and TweakUI don’thave.
Fortress 101
How does Fortres 101 work?• Erase a user’s name from
logon• disable any icons on
desktop• Put a password on icons• Central Control Service• Restrict URLs• Protect files and drives• manage group security
What is Winselect Kiosk?
Winselect Kiosk is another security software. We use it
tosecure Netscape and
Internet Explorer.
Where is Winselect Kiosk?
How do we use it?
What is Everybody’s Menu Builder?
Everybody’s Menu Builder is a
menu system. It provides both
security and nice appearance
to a public workstation.
Where is Everybody’s Menu Builder?
You can find information about it
at http://www.carl.org/emb.
Norton Ghost
• No security is foolproof
• Backups, Backups• We use Ghost• Also use it to clone
groups of computers to save time
• http://www.ghost.com
Conclusion
Securing a Public Workstation under Windows 9xDr. Sharon Yang and Edward CorradoVUGM 1999
Overview
• Batsh.exe• Windows Poledit• TweakUI• Netscape Security
– Prefui32.dll– CCK
• Third Party Software
• Backups!
Questions ?????????