LM_NET: Library Media Networking




Dear Theresa Sterchi et al:

I noticed that a few folks had questions on maintaining security while
running Windows.  Hopefully, I can lend a hand.  Let me say that when
running Windows on a network, the first step is good security management
through the network operating system.  In the case of Novell, it's important
that user accounts are granted the minimum rights necessary to run the
various applications made available to them on the network.  Typically, this
means that users are only granted "R"ead and "F"ilescan in the directory
where the application resides.  In other words, with some forethought, a
student shouldn't be able to do any damage to your network even if they are
successful in getting to a DOS prompt.  If they have no rights to files and
directories, it's as if they don't exist.  Let it suffice to say that on a
network, you have a great deal of control over what users can and can't do.
A "stand-alone" DOS computer, or a DOS computer with a local hard drive,
presents some security problems that are more difficult to overcome.

        In the case of Windows, there are some specific features available
which will allow you to control what students can and can't do.  Again, one
of the biggest concerns to be addressed is restricting access to DOS.  I
can't, in this limited space, address all security options with much
specificity.  I can give you some general pointers:

        If you run DOS 6.0 or above, edit your CONFIG.SYS file to include the
        line   SWITCHES /n  This will disallow the option in DOS 6.x for
        executing the CONFIG.SYS and AUTOEXEC.BAT line by line.  If you have
        your computer booting directly to Windows (called from your AUTOEXEC),
        students won't be able to abort it.

        Once you're in Windows, delete the "File Manager" and "MS-DOS" icons.
        You may also wish to delete other icons you deem inappropriate for
        student use.

        Following are some features reprinted from the Windows Resource Kit:

You can also add a [restrictions] section to the PROGMAN.INI to restrict
user actions.  The [restrictions] section can have these entries:

[restrictions]
NoRun=
NoClose=
NoSaveSettings=
NoFileMenu=
EditLevel=

                        NoRun=
1 disables the Run command on the File menu.  The run command will appear
dimmed on the File menu and the user will not be able to run applications
from Program Manager unless the applications are set up as icons in a group.

                        NoClose=
1 disables the Exit Windows command on the File menu.  Users will not be
able to quit Program Manager through the File Menu or the Control menu (the
Exit Windows and Close commands will be dimmed), or by using ALT+F4.

                        NoSaveSettings=
1 disables the Save Settings on the Exit command on the Options menu.  The
Save Settings command will appear dimmed on the Options menu and any changes
that the user makes to the arrangement of windows and icons will not be
saved when Windows is restarted.  This setting overrides the SaveSettings=
entry in the [Settings] section of the PROGMAN.INI file.

                        NoFileMenu=
1 removes the File menu from Program Manager.  All of the commands on that
menu will be unavailable.  Users can start the applications in groups by
selecting them and pressing ENTER, or by double-clicking the icon.  Unless
you have also disabled the Exit Windows command, users can still quit
Windows by using the Control menu or ALT+F4.

                        EditLevel=n
Sets restrictions for what users can modify in Program Manager.  You can
specify one of the following values for n:

0 allows the user to make any change. (This is the default value.)

1 prevents the user from creating, deleting, or renaming groups.  If you
specify this value, the New, Move, Copy, and Delete commands on the File
menu are not available when a group is selected.

2 sets all restrictions in EditLevel=1, plus prevents the user from creating
or deleting program items.  If you specify this value, the New, Move, Copy
and Delete commands on the File menu are not available at all.

3 sets all restrictions in EditLevel=2, plus prevents the user from changing
command lines for program items.  If you specify this value, the text in the
Command Line box in the Properties dialog box cannot be changed.

4 sets all restrictions in EditLevel=3, plus prevents the user from changing
any program item information.  If you specify this value, none of the areas
in the Properties dialog box can be modified.  The user can view the dialog
box, but all of the areas are dimmed.

To enable any of the commands or remove any of the EditLevel= restrictions,
either remove the entry from the PROGMAN.INI file, or set the value to 0.


        As you can see, there are many options and combinations of options
available.  Though I'm not an expert, I'd be happy to try to answer
questions if you send me email.  We install a lot of networks in schools
which include our SURPASS/2 library automation software and CD-ROM servers.
I hope this helps some.

Best regards,
Jay D. Nelson, Vice President
EDUCATIONAL SOLUTIONS, INC.
800-443-3229
email  jdnelson@free.org
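
The following is an added example, not part of the original message or of the Windows Resource Kit: a small Python check that reads a PROGMAN.INI and lists which of the [restrictions] gaps described above remain open. The sample file contents and the function name audit_progman are constructed for illustration.

```python
import configparser

# Constructed sample: hides the File menu but omits NoClose and stops at EditLevel=2.
SAMPLE_INI = """\
[Settings]
SaveSettings=1

[restrictions]
NoRun=1
NoFileMenu=1
EditLevel=2
"""

# What each EditLevel value newly locks, per the Resource Kit text above.
EDIT_LEVELS = {1: "groups", 2: "program items", 3: "command lines",
               4: "other item properties"}

def audit_progman(ini_text):
    """Return findings (gaps) in the [restrictions] section of a PROGMAN.INI."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    raw = {}
    for section in cp.sections():          # section names are case-sensitive here
        if section.lower() == "restrictions":
            raw = dict(cp[section])        # option names arrive lower-cased

    def num(key):
        try:
            return int(raw.get(key, "") or 0)   # missing or empty entry counts as 0
        except ValueError:
            return 0

    findings = []
    no_file_menu = num("nofilemenu") == 1
    if num("norun") != 1 and not no_file_menu:
        findings.append("Run command is available on the File menu")
    if num("noclose") != 1:
        how = "Control menu or ALT+F4" if no_file_menu else "File menu, Control menu or ALT+F4"
        findings.append("users can exit Windows via " + how)
    if num("nosavesettings") != 1:
        findings.append("window and icon layout changes can be saved")
    level = num("editlevel")
    open_items = [what for lvl, what in EDIT_LEVELS.items() if lvl > level]
    if open_items:
        findings.append("EditLevel=%d leaves editable: %s" % (level, ", ".join(open_items)))
    return findings

if __name__ == "__main__":
    for line in audit_progman(SAMPLE_INI):
        print("-", line)
```

For the constructed sample, the check reports that Windows can still be exited through the Control menu or ALT+F4, and that command lines of program items stay editable because EditLevel is below 3.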

