Securing a Public Workstation Under Windows 9x VUGM-1999 Rider University Libraries Edward Corrado & Dr. Sharon Yang
Edward M. Corrado, MLS • Unix Administrator/ Library Systems Manager - Rider University Libraries • MLS, Rutgers University-1997 • BA, Mathematics, Caldwell College-1992 • firstname.lastname@example.org
Sharon Yang • Systems Librarian at Rider University • DLS, Columbia University-1997 • MS, Columbia University-1988
Outline of the Presentation • Purpose of the presentation • Presentation • Batsh • System Policy Editor • TweakUI • Netscape
Outline of the Presentation • Fortres 101 • Winselect • Everybody’s Menu Builder • Ghost • Conclusion
Just a Reminder! • The presentation is about the security of a workstation, not that of a server. • The presentation is about our experience at Rider. It is not intended to be an in-depth training session on security software. This is an overview of the tools we use. • What we do to secure a Voyager OPAC may be different from what you do. What we do may not necessarily be the “best” way for your situation.
The Purpose of the Presentation • Present the issue of security on a public workstation • Share our experience at Rider • Introduce new tools
This is what we do for a Voyager OPAC Workstation • Batsh Program • Windows System Policy Editor • Netscape
BIOS (CMOS) password settings • To prevent changing of system settings • To prevent the setting of (unknown to you) passwords • Can be used with settings to prevent booting from floppy
BIOS (CMOS) password - boot • Prevent unauthorized booting of PC
Autoexec.bat • Can be used to automatically copy files that patrons may have changed when the computer is started • bookmarks • wallpaper • etc.
What is BATSH.EXE for? • To run Windows commands from a text file, line by line. Like batch (.BAT) files in DOS, but with some Windows-specific commands and without all of the DOS features.
What O/S’s does BATSH.EXE run on? • Windows 3.1 • Windows 95 • Windows NT • Windows 98 ?
How and why Rider University uses BATSH.EXE? • BATSH.EXE replaces EXPLORER shell on OPAC computers (both Windows based Voyager and Netscape) • This lessens the potential security hazards that the Explorer shell has. • Can also be used to map network drives • The Price is Right -- Freeware!
Why not just use the application as the shell? • Harder to change between applications • Windows will not shut down correctly with most applications as a shell
Batsh on Voyager Workstation • Batsh scripts are used to automatically launch any program we choose on startup. • The batsh script prevents patrons from exiting a program. If they try, they will be prompted for a password. If the wrong password is entered, or a password isn’t entered in a set amount of time, batsh will automatically re-launch the program.
Where is BATSH.EXE? • Written by Thomas Nyffenegger • http://www.fmi.ch/groups/ThomasNyffenegger/Group.html • On various freeware sites on the Net: • http://www.winsite.com • Our batsh scripts will be made available
What is System Policy Editor? System Policy Editor is a program that comes on the Windows 95/98 CD-ROM when you buy the OS. It is used to control a user’s desktop environment. At the Rider library we use it to lock down a public access workstation such as a Voyager OPAC terminal. It does the job successfully.
Where is System Policy Editor? System Policy Editor for Windows 95 is located on Windows 95 CD-ROM in D:\admin\apptools\poledit. System Policy Editor for Windows 98 is on Windows 98 CD-ROM in d:\tools\reskit\netadmin\poledit. System Policy Editor for Windows NT comes in the server software package.
System Policy Editor for Windows 95 • http://www.microsoft.com/Windows95/downloads/contents/WUAdminTools/S_WUManagementTools/W95PolicyEditor/Default.asp • Or you can download System Policy Editor for Windows 95 from the Microsoft web site at the above URL. It is easier if you search the key words “system policy editor” at the web site.
System Policy Editor for Windows 98 • http://www.microsoft.com/products/msoffice/Project/PRK/text/appa.htm • You can download it for Windows 98 at the above URL. It is easier if you search the web site by key words “system policy editor”.
What Do We Use It for? • Workstation security • Customize your desktop according to your wishes • Hide various icons as needed • Hide the DOS prompt • Not allow users to change any settings and configurations • Only allow users to use public workstations for designated library purposes
How do we use Policy Editor? For Windows 95 • Create a directory on C:\ drive • Copy all the files from the Windows CD to that directory • Start the program c:\directory\Poledit.exe • Delete the directory where all the policy files are located • Or you can run it from a CD drive or network drive as you want
How do we use Policy Editor? For Windows 98 • Go to Control Panel and install System Policy Editor in Add/Remove Programs • Run Poledit from Windows Run Box • Set up the system policies • Either remove the System Policy Editor or hide it after the setup
How do we use Policy Editor? Disable Display Icon in the Control Panel This is what you may do if you don’t want users to change your display settings in the control panel such as color schemes, refresh rates, resolution. You may not want users to change the background, screen savers, Window font, either.
How do we use Policy Editor? Disable Network Icon in the Control Panel This is how you disable Network icon in the control panel. Network icon has all the communication settings for the network. You should not allow users to play with them freely.
How do we use Policy Editor? Disable Password Icon in the Control Panel This is how you disable Password Icon in the Control Panel. Users can change windows password here.
How do we use Policy Editor? Disable Printing settings It is important to disable printing configurations.
How do we use Policy Editor? Disable System Icon in the Control Panel This is how you disable System Icon in the Control Panel. System Icon contains important information about hardware and related settings. You should not allow users to have access to it.
How do we use Policy Editor? Customize your desktop environment by supplying your own customized settings
How do we use Policy Editor? Some other policies that you can set up Those are some of the configuration parameters in System Policy Editor that we use very often.
How do we use Policy Editor? In Rider Library Electronic Computer Lab we used a single system policy file from a central location for all the client computers. First we created a single policy file on one computer. Then we placed that policy file on our server. We configured each client computer to point to the location of the policy file on the server. When users log on to the network, the system policies from the file will take effect.
What is Power Toy TweakUI? TweakUI is a program that you can download from the Microsoft web site at http://www.microsoft.com/windows95/downloads/. It is part of the Windows Power Toys Set. Some of its features enable us to do things that System Policy Editor cannot help us to do. We use it in combination with System Policy Editor to lock down a computer.
How do we use TweakUI? TweakUI is a useful tool to help us automatically log on to our network. It saves us a lot of time as we have more than thirty public terminals to turn on each morning.
How do we use TweakUI? System Policy Editor can hide all the drives in My Computer, but that is not what we want. We only want to hide network drives. TweakUI can help us to do it. All you have to do is to set up System Policy Editor first and then set up TweakUI as shown on this slide.
Netscape Security • Preferences • Most settings are under Preferences • Controlled by Prefui32.dll • C:\Program Files\Netscape\Program\ Communicator\Program\Prefui32.dll • Delete or Rename
Netscape Security • Netscape Client Customization Kit (CCK) • Preset preferences including bookmarks, home page, etc. when doing an install • lock in preference settings (home page, cache, proxy settings, etc.) • http://home.netscape.com/partners/distribution/custom/product.html
Netscape Security • Mission Control Desktop • Third Party Security software: • Ikiosk
A Rider Voyager Workstation To summarize: • Batsh: Launch Netscape and Webvoyage or Voyager Windows Client on startup and prevent any unauthorized exit • Netscape: Webvoyage and Internet resources • Policy Editor: restrict access to Windows settings
What is Fortres 101? Fortres 101 is desktop security software for Windows NT, Windows 95, and Windows 98. You can find information about it at http://www.fortres.com. It is easy to use and well documented. It offers many options that System Policy Editor and TweakUI don’t have.
How does Fortres 101 work? • Erase a user’s name from logon • disable any icons on desktop • Put a password on icons • Central Control Service • Restrict URLs • Protect files and drives • manage group security
What is Winselect Kiosk? Winselect Kiosk is another piece of security software. We use it to secure Netscape and Internet Explorer.
What is Everybody’s Menu Builder? Everybody’s Menu Builder is a menu system. It provides both security and a nice appearance to a public workstation.
Where is Everybody’s Menu Builder? You can find information about it at http://www.carl.org/emb.