Kilkenny Education Centre

Ionad Oideachais Chill Chainnigh

Address:
Seville Lodge,
Callan Road,
Kilkenny,
Ireland.

Telephone:
056-70087

E-mail: kecsec@eircom.net


Setting up Restrictions on a Computer Network

USING SYSTEM POLICY EDITOR


Many schools have installed programs to keep users out of certain
programs.  PC Guard is one such program; it works reasonably well,
but it has no layers, so either no one is locked out or everyone is locked
out.  So if the tutor of a night class wants to access Control Panel then
the last class in the evening must be given over to removing PC Guard,
whilst ensuring the students don't see the keys being pressed to enter
the password.  The following morning another class is lost reinstalling PC
Guard.

System Policy Editor comes free with Win95/98.  It takes a bit of work
to come to grips with it but it is multi-layered and so you could for
example set up three user types: student, teacher and visitor.  Each user
can be given different levels of access.

There are four important steps to installing System Policy Editor:
1. Install System Policy Editor on your favourite computer.
2. Create System Policies on this computer and save the policy either
on this computer or in the Netlogon folder of the server.
3. Install System Policy Editor on a client, enable remote update
and enable user profiles.
4. With the CD, use System Policy Editor to open the registry and
insert restrictions so that if a user cancels the network password then
certain programs are blocked.  You will be messing about with the
PC's registry so make sure to BACK UP THE USER.DAT and
SYSTEM.DAT files.


1. Installing System Policy Editor
In my network the administrator's PC is pc18, so I'll be installing
Policy Editor on this computer and controlling the clients from
here.
Before installing System Policy Editor you need to set up Password
Properties and User Settings.
Open Passwords in Control Panel, click the User Profiles tab, enable
"Users can customise their Desktop" and check both boxes under User
Profile settings.
Open Users in Control Panel and add your name and password.
When you now install the Policy Editor only you will have access to
the editor.  This is important, as you don't want any other user to
be able to access Policy Editor.
Insert the 98 or 95 CD, open Add/Remove Programs in Control
Panel and switch to the Windows Setup tab.  Click on Have Disk and
browse to D:\tools\reskit\netadmin\poledit\poledit.inf, where D is
your CD-ROM drive letter.  Select System Policy Editor, and click
Install.



2. Creating System Policies on a Stand Alone PC
(Administrator's PC, i.e. pc18, or Server)
Before you start, check where your config sub-folder resides.  It
should be in c:\windows.  You will be naming your policy file
config.pol and so the path should be similar to
c:\windows\config\config.pol.
If you are using NT, you could save the config.pol file into the
netlogon folder of the server and the path would be something like
\\netserver\netlogon\config.pol.
Run System Policy Editor: Start/Programs/Accessories/System
Tools/System Policy Editor.
Create a new policy by clicking on New on the toolbar.  Double click
on Default Computer.
Expand Windows 98/95 Network and scroll down to Update,
click on Remote Update and change Update mode to Manual.  In the
Path area enter c:\Windows\config\config.pol


Now expand Windows 98/95 System and click on User Profiles.
Check the Enable User Profiles box and save the file as config.pol
in the config sub-folder of the Windows folder.

From the File menu, select Open Registry and make exactly the
same changes to Local Computer as you did to Default Computer
and save on exit.  Policy Editor will not work unless you save both
the Local and Default Computers with the same settings.
Now you can add users.  Open the policy file: open the File menu and
click on your policy file on the drop-down menu.  Now select Edit,
Add User and type in yourself as user.  Double click on the new user and
set up some restrictions; most of the restrictions can be found in
Windows 98/95 System\Shell\Restrictions.  Initially I would just
change the Desktop Display settings.  You can then safely see if
the policy is working properly.


 


3. Using System Policy Editor on a Peer to Peer or
Server/Client Network (Installing on Client computers)


Repeat Step 1 above on one client computer.  Try one first and
when you're sure that the System Policy is working then you can
fully install it across the network.  Once again make sure that you
install the programme as administrator, so that only you can access
the program.  With policy editor installed you now want the client
pc to access the settings from the computer, which will control the
policy editor. 


A. Peer to Peer (This also works with Client/Server)
In a peer-to-peer network you would probably use the computer
which the teacher would normally use e.g. 2 above, which in my case
is PC 18.  Having installed the Policy Editor, you open System Policy
editor and open registry.  Double click on Local Computer, open
Microsoft Client for NetWare Networks, check preferred server
and enter \\pc18 as server name. 
 
Click on Update and check Remote Update, Update Mode Manual
and type in the UNC of the computer, which holds the policy file
e.g., \\PC18\c\Windows\Config\Config.pol.
Now click on Win 98 System, User Profile and Enable User Profile.
 


B. Server/Client (Peer to Peer works on an NT Client/Server
network but if you're a perfectionist you may want to use the
netlogon folder on your server)


In the case of Server/Client, you will have created your policy
on your favourite PC and then saved the config.pol file into
the netlogon folder of the server.  This is the same folder which
holds the logon script if you're using one.  Before you save to this
folder you need to allow access to the logon folder, so you must go
to the server, where you'll find the logon folder buried deep in the Winnt
folder of the C: or D: drive, e.g.
D:\winnt\system32\repl\import\scripts.  Share the scripts folder, giving
read access to all users.
Now go back to your favourite computer, PC 18, and save your
config.pol file as follows: Save As, browse to Network
Neighborhood, double click on the server and save in the Netlogon
folder, which is the same folder as the scripts folder above.


When you're installing the policy on the client you click on
Automatic rather than manual.  System Policy Editor on the client
should search for the .pol file in the netlogon folder.  This doesn't
always work and you may have to use the manual settings typing in
the UNC of the server: \\NTServer\Netlogon\Config.pol.


It's hardly worth all the bother of using the server when the peer
to peer system seems to work equally well.



4. Editing a client registry – this will install settings on the
computer when the Windows/Network password is cancelled.
You've installed Policy Editor across a network so Johnny Student
will quickly discover that he can play around with settings if he
cancels on the Network password. You will need to disconnect the
computer from the network and change the settings in the
registry.
You're messing about with the registry here which can be
disastrous so you should back up your system and user files
otherwise you could find yourself in serious PC soup.


Backing up the system.dat and the user.dat files.
These are hidden files so you must remove the attributes h, s and r,
which hide the files, make a copy and then hide the files again.  If
the changes cause problems then start the computer in DOS mode,
remove the attributes, copy the backups back over the originals and
reboot.  The first block is an example of copying the user.dat file
and the second of restoring the original if you run into trouble:


C:\Windows>attrib -s -h -r user.dat {unhide user.dat}
C:\Windows>copy user.dat user.old   {make a copy called user.old}
C:\Windows>attrib +s +h +r user.dat {hide user.dat}
C:\Windows>attrib +s +h +r user.old {hide the copy as well}


C:\Windows>attrib -s -h -r user.dat
C:\Windows>attrib -s -h -r user.old
C:\Windows>copy user.old user.dat   {you'll be asked if you wish to replace user.dat - say yes}
C:\Windows>attrib +s +h +r user.dat
 


Reboot and cancel on the Windows password
Insert the Win98 Disk and run poledit:
tools/reskit/netadmin/poledit & click on the poledit icon and you
are into the default registry.
 


Click on local user and make changes to the local user, then save
and reboot.  The following changes are recommended by the author
of a system policy editor tutorial:
www.elkantler.net/security/security.htm


Local User Properties
  Control Panel
    Display
      [x] Restrict display control panel
    Network
      [x] Restrict network control panel
    Passwords
      [x] Restrict passwords control panel
    Printers
      [x] Restrict Printer Settings
    System
      [x] Restrict System control Panel
  Shell
    Restrictions
      [x] Remove 'Run' command
      [x] Remove folders from 'Settings' on start menu
      [x] Remove 'Find' command
      [x] Hide drives in My Computer
      [x] Hide Network Neighborhood
      [x] No 'Entire Networks' in Network Neighborhood
      [x] No workgroup contents in Network Neighborhood
      [x] Hide all items on desktop
      [x] Disable shutdown command
      [x] Don't save settings at exit
  System
    Restrictions
      [x] Disable Registry Editing tools
      [x] Only run allowed windows apps (I wouldn't touch this, if
          poledit.exe is not on the list then you're locked out)
      [x] Disable MS-Dos Prompt
      [x] Disable single-mode MS-DOS apps


Local Computer
  Logon
    Restrictions
      [x] Require validation by network for windows access
 
This last restriction is dicey: you can lock yourself out of a
computer.  It will only allow access to the computer if a password
is entered, so it's not possible to cancel logon.  This can cause a
problem in a network if you change from client/server to peer to
peer.  You can find yourself locked out.  If you haven't backed up
the registry then make sure you have all the program disks – you're
going to have to reinstall your OS.
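
An added check, not part of the original article: after saving the Local User restrictions listed above, you can confirm they actually landed in the registry by examining a REGEDIT4-format export of the Policies branch. The value names are the ones commonly documented for these Win95/98 policies and are an assumption to confirm against the ADMIN.ADM on your CD; only the single-checkbox items are covered, and the sample export is constructed.

```python
import re

# Checkbox -> (Policies subkey, value name). Names assumed; confirm in ADMIN.ADM.
EXPECTED = {
    "Restrict display control panel": ("System", "NoDispCPL"),
    "Restrict network control panel": ("System", "NoNetSetup"),
    "Restrict passwords control panel": ("System", "NoSecCPL"),
    "Remove 'Run' command": ("Explorer", "NoRun"),
    "Remove folders from 'Settings'": ("Explorer", "NoSetFolders"),
    "Remove 'Find' command": ("Explorer", "NoFind"),
    "Hide drives in My Computer": ("Explorer", "NoDrives"),
    "Hide Network Neighborhood": ("Explorer", "NoNetHood"),
    "Hide all items on desktop": ("Explorer", "NoDesktop"),
    "Disable shutdown command": ("Explorer", "NoClose"),
    "Don't save settings at exit": ("Explorer", "NoSaveSettings"),
    "Disable Registry Editing tools": ("System", "DisableRegistryTools"),
    "Disable MS-DOS Prompt": ("WinOldApp", "Disabled"),
    "Disable single-mode MS-DOS apps": ("WinOldApp", "NoRealMode"),
}
BASE = "hkey_current_user\\software\\microsoft\\windows\\currentversion\\policies\\"
VALUE = re.compile(r'"([^"]+)"=(dword|hex):((?:[0-9a-fA-F]{2},?)+)$')

def parse_reg(text):
    """Map (key path, value name), both lowercased, to the integer stored."""
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := VALUE.match(line)):
            name, kind, raw = m.groups()
            data = bytes.fromhex(raw.replace(",", ""))
            order = "big" if kind == "dword" else "little"  # hex: is raw LE bytes
            values[(key, name.lower())] = int.from_bytes(data, order)
    return values

def missing_restrictions(reg_text):
    """Names of the article's restrictions that are absent or set to 0."""
    values = parse_reg(reg_text)
    return [policy for policy, (sub, name) in EXPECTED.items()
            if not values.get((BASE + sub.lower(), name.lower()))]

# Constructed sample export, not taken from a real machine.
SAMPLE = r'''REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoFind"=hex:01,00,00,00
"NoClose"=dword:00000000
'''
print(missing_restrictions(SAMPLE))
```

Anything the function returns is a restriction the cancelled-logon user is not subject to, so an empty list is the result to aim for on every client.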


Useful Sites: www.elkantler.net/security/security.htm,
http://windows.oreilly.com/news/syspolicy_0600.html,
www.smartcomputing.com,
I got a lot of information on SysPol in the magazine
PC Answers April 2001
There's a ream of info on the Microsoft site if you have the time
and patience to read through the turgid text –
www.microsoft.com/technet/,



M Duggan
ICT Advisor
Wexford Education Centre


