Create Secure User Profiles with Windows 95's Policy Editor
Publicly accessible computers, such as those in schools, require a
significant degree of security to prevent abuse. The Windows 95 CD-ROM provides
the tool you need to implement restrictive policies on such machines in the form
of the Policy Editor (POLEDIT) application. Unfortunately, the Windows 95
Resource Kit doesn't tell you how to use POLEDIT for standalone computers, so I
developed a method of my own:
- Prepare the System. Use Explorer to make backup copies of USER.DAT and
SYSTEM.DAT, in case of emergency. Make sure you have at least 10MB free on
the Windows drive to hold user profile information.
- Enable User Profiles. Launch the Password applet in Control Panel. Click
the User Profiles tab, click the option Users can customize..., and check
the two check boxes. Click OK; Windows will restart.
- Create Profiles. When Windows restarts, log on as User and allow Windows
to create folders to hold your profile information. Shut down and log on
again as Administrator, with a suitably obscure password, and again allow
Windows to create profile folders. Don't forget this password!
- Restrict User Access to Programs. While logged on as Administrator, use
Explorer to navigate to C:\WINDOWS\PROFILES\USER\STARTMENU. In this folder
and those below it, delete any shortcuts to programs the user shouldn't be
allowed to run, including every shortcut in the Recent folder. Be sure to
delete shortcuts to POLEDIT, Regedit, and Explorer.
- Install Policy Editor. Launch the Add/Remove Software applet in Control
Panel, click the Windows Setup tab, and press the Have... button. Navigate
to the ADMIN\APPTOOLS\POLEDIT folder of the Windows 95 CD-ROM and install
POLEDIT.INF. This will install POLEDIT and put it on the Accessories\System
Tools submenu of the Programs menu. It will also place the critical policy
template file ADMIN.ADM in the C:\WINDOWS\INF directory. If you don't have
the CD, you can download POLEDIT from http://www.microsoft.com
or CIS MSWIN.
- Define Default User Policy. Launch POLEDIT, create a new file, and add new
users named User and Administrator. Double-click the Default User icon,
select System | Restrictions, and check all four boxes. Select Shell |
Restrictions and check the four boxes whose captions begin with Remove, plus
the two that say Hide All Items on Desktop and Don't Save Settings at Exit.
Do not check the Disable Shut Down command. Use Explorer to create a folder
named C:\WINDOWS\PROFILES\DUMMY. Back in POLEDIT, select Shell | Custom
Folders and check all the boxes, filling in the dummy folder name you just
created for those that require paths. Click OK and save the file as
CONFIG.POL.
- Define User Policy. Load the example policy file MAXIMUM.POL, click on the
Default User icon, and choose Copy from the Edit menu. Reload CONFIG.POL,
click on the User icon, and select Paste from the Edit menu. Double-click the
User icon and choose Shell | Custom Folders. Click on the text of each check
box in turn and, if an edit box appears below, replace C:\WINDOWS with
C:\WINDOWS\PROFILES\USER. Make sure all boxes remain checked. Select Control
Panel | Passwords and check the Restrict box; then check the other four
boxes that appear below. Under Shell | Restrictions, check Remove Run
command, Remove Find command, Hide Drives in My Computer, and Don't Save
Settings at Exit. Consult the Windows Resource Kit Help to determine what
other restrictions you may wish to add, but be sure not to check Disable
Shut Down command. Now go to Shell | Restrictions and System |
Restrictions and change any gray check boxes to blank.
- Define Administrator Policy. Double-click the Administrator icon and go
through the entire list of restrictions, setting every check box to blank,
not gray. This protects the Administrator policy from being affected by the
Default User policy.
- Define "no user" Policy. Log on again, but press Esc to close
the log-on prompt. Run POLEDIT, select Open Registry from the File menu, and
double-click Local User. Apply all the same restrictions you applied to
Default User. Then log on as Administrator again.
- Enable Policy Loading. Load CONFIG.POL in POLEDIT, open the Default
Computer icon, select System, and check Enable User Profiles. Under
Network\Update, check Remote Update. Select Manual for the Update Mode, and
enter C:\WINDOWS\CONFIG.POL as your path. Save CONFIG.POL. Now select Open
Registry from the File menu, double-click Local Computer, and make the same
change to the network update mode. Save changes and exit POLEDIT.
- Test Policies. Log on as User; check to see that the policy restrictions
you specified are in place. Log on as Administrator and check that there are
no restrictions. Now shut down and log on again, but use a new name and
password. There should be no icons on the desktop and no programs available
from the Start Menu (nothing to do but log on again). This time press Esc at
the log-on prompt to bypass entering a user name. Again you should have no
option but to shut down and log on again.
- Protect Policies. Log on as User and confirm that there is no way to run
POLEDIT. For greater safety, rename the file ADMIN.ADM (in the
C:\WINDOWS\INF folder) to something else. Use the DOS command ATTRIB to
remove the read-only, hidden, and system attributes from the file C:\MSDOS.SYS,
and load it into your favorite editor. Find the heading [Options] and change
the Bootkeys= key to Bootkeys=0. If this key is not present under [Options],
simply add it. Save the file and restore its read-only, hidden, and system
attributes. This change prevents the user from breaking out of Windows 95's
startup process. Finally, if the system BIOS permits, use its SETUP program
to disable booting from a floppy disk.
--Richard Turner, Augusta, Georgia
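The MSDOS.SYS edit from the Protect Policies step, as an added Python example that is not part of the original column: it sets the key to 0 under [Options], adds the key when it is missing, and leaves every other line as it was. The function name and the sample file contents are constructed for illustration; remove and restore the file attributes with ATTRIB as described above.

```python
import re

SECTION_RE = re.compile(r"^\s*\[(.+?)\]\s*$")
KEY_RE = re.compile(r"^\s*bootkeys\s*=", re.IGNORECASE)

def set_bootkeys_zero(text):
    """Return MSDOS.SYS text with Bootkeys=0 in [Options]; other lines untouched."""
    eol = "\r\n" if "\r\n" in text else "\n"
    lines = text.splitlines()
    section = header_at = key_at = None
    for i, line in enumerate(lines):
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip().lower()
            if section == "options" and header_at is None:
                header_at = i
        elif section == "options" and key_at is None and KEY_RE.match(line):
            key_at = i           # only a key inside [Options] counts
    if key_at is not None:       # key present: keep its spelling, force value 0
        lines[key_at] = lines[key_at].split("=", 1)[0].strip() + "=0"
    elif header_at is not None:  # section present, key missing: add under header
        lines.insert(header_at + 1, "Bootkeys=0")
    else:                        # no [Options] section at all: create it
        lines += ["[Options]", "Bootkeys=0"]
    return eol.join(lines) + eol

# Constructed sample, not copied from a real machine.
SAMPLE = "\r\n".join([
    "[Paths]", "WinDir=C:\\WINDOWS", "", "[Options]", "BootGUI=1",
    "BootKeys=1", ";padding comment line kept as-is", ""])

if __name__ == "__main__":
    print(set_bootkeys_zero(SAMPLE))
```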
Do note that each attempt by a user to log on with a new name will create a
folder below C:\WINDOWS\PROFILES containing a copy of USER.DAT. You'll want to
periodically delete all such folders except User, Administrator, and dummy.
If the MAXIMUM.POL and STANDARD.POL files mentioned here are not on your hard
disk, look in the folder \ADMIN\RESKIT\SAMPLES\POLICIES on the Windows 95
CD-ROM. For help on the meaning of various policy restrictions, launch
WIN95RK.HLP in the \Admin\Reskit\Helpfile folder.
More on the Windows 95 System Policy Editor
PC MAGAZINE: The July 1996 User-to-User column included a long
discussion on using the Windows 95 System Policy Editor (Poledit.exe) to lock
out unauthorized users and to control the access of authorized users. The
Windows 95 CD-ROM contains Poledit.exe itself, as well as the example files
Standard.pol and Maximum.pol; the technique described in the discussion relies
on these example files. If you loaded Windows 95 from disks rather than from a
CD-ROM, you can download PolEdit from www.microsoft.com
or from the CompuServe MSWIN Forum. A number of readers, however, have pointed
out that if you download the online version of PolEdit, you don't get the
example policy files Maximum.pol and Standard.pol. Here's how you can create
these files for yourself.
Start the System Policy Editor and choose New File from the File menu; icons
will appear representing the Default User and Default Computer. Double-click on
the Default User icon to edit the properties for Default User, then press the
Shift and asterisk keys together to completely open the policy tree. Note that
this keystroke works only with the asterisk key located on the numeric keypad.
If your system doesn't have a separate asterisk key, you'll have to open every
branch of the policy tree manually. Simply go down the list clicking on every
boxed plus-sign until all branches are open.
Initially all of the policy check boxes will be grayed, and most of them can
stay that way. You need to put a check in the specific boxes listed below and,
in some cases, supply additional information in the lower panel of the
Properties dialog.
- Control Panel | Printers | Restrict Printer Settings (in the lower panel,
check only Disable Deletion of Printers)
- Shell | Custom Folders | Custom Programs Folder (in the lower panel, enter
C:\Windows\Start Menu\Programs)
- Shell | Custom Folders | Custom Desktop Icons (in the lower panel, enter
C:\Windows\Desktop)
- Shell | Custom Folders | Hide Start Menu subfolders
- Shell | Custom Folders | Custom Startup Folder (in the lower panel, enter
C:\Windows\Start Menu\Programs\Startup)
- Shell | Custom Folders | Custom Network Neighborhood (in the lower panel,
enter C:\Windows\Nethood)
- Shell | Custom Folders | Custom Start Menu (in the lower panel, enter
C:\Windows\Start Menu)
- System | Restrictions | Disable Registry editing tools
- System | Restrictions | Disable MS-DOS prompt
Click OK to close the Properties dialog, then double-click on the Default
Computer icon. Again, expand the policy tree completely either by pressing the
Shift and asterisk keys together or by clicking on every boxed plus-sign icon.
As before, all of the check boxes will be grayed to start with; you need to put
a check by the following items:
- Network | Logon | Logon Banner (in the lower panel, enter "Important
Notice:" and "Do not attempt to log on unless you are an
authorized user")
- Network | Logon | Require validation by Network for Windows Access
- Network | Passwords | Hide shared passwords with asterisks
- Network | Passwords | Minimum Windows password length (in the lower panel,
enter the number 6)
- System | Enable User Profiles
Save the result as Standard.pol. Now choose Save As from the File menu and
save it again as Maximum.pol. Maximum.pol is a more restrictive policy, so you
must check a number of additional boxes. In the Default Computer properties,
check:
- Network | Dial-Up Networking | Disable dial-in
In the Default User properties, check:
- Control Panel | Display | Restrict Display Control Panel (in the lower
panel, check the box named Disable Display Control Panel)
- Control Panel | System | Restrict System Control Panel (in the lower
panel, check all four boxes)
- Network | Sharing | Disable file sharing controls
- Network | Sharing | Disable print sharing controls
- Shell | Restrictions | Remove 'Run' command
- Shell | Restrictions | Remove folders from 'Settings' on Start Menu
- Shell | Restrictions | Remove Taskbar from 'Settings' on Start Menu
- Shell | Restrictions | No 'Entire Network' in Network Neighborhood
- Shell | Restrictions | No workgroup contents in Network Neighborhood
- Shell | Restrictions | Don't save settings at exit
Save Maximum.pol. Now you have the files referenced in the earlier article,
and you can build your own security system using System Policy Editor.
--Neil J. Rubenking
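The Shell | Restrictions and System | Restrictions check boxes end up as values under the Policies key of the logged-on user's registry, so the Test Policies step can also be checked from a registry export. The following Python is an added example, not from either column: the value names are those ADMIN.ADM assigns to these check boxes, the export text is constructed, and it assumes you have a REGEDIT4-format export of the account's Policies key.

```python
import re

EXPLORER = r"software\microsoft\windows\currentversion\policies\explorer"
SYSTEM = r"software\microsoft\windows\currentversion\policies\system"
# Checkbox -> registry value; the value names are ADMIN.ADM's, not from the column.
EXPECTED = {
    (EXPLORER, "norun"): 1,               # Remove 'Run' command
    (EXPLORER, "nofind"): 1,              # Remove 'Find' command
    (EXPLORER, "nodrives"): 0x03FFFFFF,   # Hide Drives in My Computer (26 drive bits)
    (EXPLORER, "nosavesettings"): 1,      # Don't save settings at exit
    (SYSTEM, "disableregistrytools"): 1,  # Disable Registry editing tools
}
VALUE_RE = re.compile(
    r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|hex:((?:[0-9a-fA-F]{2},)*[0-9a-fA-F]{2}))$')

def parse_reg(text):
    """Map (key path, value name) -> int; hex: data is a little-endian byte list."""
    values, key = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name, dword, raw = m.groups()
            num = int(dword, 16) if dword else int.from_bytes(
                bytes.fromhex(raw.replace(",", "")), "little")
            values[(key, name.lower())] = num
    return values

def missing_restrictions(text):
    """Return expected (subkey, value) pairs that are absent or set differently."""
    found = parse_reg(text)
    return [(key.rsplit("\\", 1)[-1], name) for (key, name), want in EXPECTED.items()
            if not any(k.endswith(key) and n == name and v == want
                       for (k, n), v in found.items())]

# Constructed export: NoFind is missing and NoSaveSettings is switched off.
SAMPLE = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoDrives"=hex:ff,ff,ff,03
"NoSaveSettings"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
'''
if __name__ == "__main__":
    print(missing_restrictions(SAMPLE))
```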