
desktop lockup 5


mickG

Technical User
Jan 7, 2000
I am using S to Infinity security on Win98 systems on an NT4 network, but I can't find any way to stop users (students) from changing the name of the My Computer icon to whatever they like (usually something obscene). Any free or cheap utilities out there that can help?

Mick Gallagher
 
HKEY_CURRENT_USER\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_USERS\em_pt\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}

This is a copy of the registry entries where the change is made in the icon. When you change the name of that icon it changes the name in the user.dat in the c:\windows\profiles\logged on user\user.dat
and in the c:\windows\user.dat

What you can do is write a simple batch file that stores the original copy of the registry entries, the ones that you set. And write a batch file that puts these files back into those folders every time Windows restarts. This will work, and is what my school does, and is pretty effective to stop kids who don't know what they are doing. The other option is to find a program that prevents any modification to the registry at all.
The only program that I remember that can do this is Fortress 101. I don't know who made this.

Hope this helps, if you need more email me

moses
tmoses@iname.com
"We've heard that a million monkeys at a million keyboards could produce the Complete Works of Shakespeare; now, thanks to the Internet, we know this is not true."
--Robert Wilensky, University of California
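One way to script the save-and-restore described in the post above, as an added example that is not part of the original thread. The `C:\LOCKDOWN\MYCOMP.REG` path is a made-up name, and the file is assumed to run inside Windows (Startup group or NT logon script) so that regedit's `/e` export and `/s` silent-import switches are available.

```batch
@echo off
rem Added example, not from the thread: save and restore the per-user
rem "My Computer" name using the registry key quoted in the post above.
rem Assumption: C:\LOCKDOWN\MYCOMP.REG is a made-up baseline location.
rem Literal paths are used instead of SET variables so the script does not
rem depend on free environment space in the Win98 command interpreter.

if "%1"=="capture" goto capture
if not exist C:\LOCKDOWN\MYCOMP.REG goto nobase

rem Restore: silently merge the saved values over whatever the last user set.
rem START /W waits for regedit to finish before the batch file continues.
start /w regedit /s C:\LOCKDOWN\MYCOMP.REG
goto end

:capture
rem Run once as the administrator, after naming the icon the way you want it.
start /w regedit /e C:\LOCKDOWN\MYCOMP.REG "HKEY_CURRENT_USER\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}"
if not exist C:\LOCKDOWN\MYCOMP.REG goto nobase
echo Baseline saved to C:\LOCKDOWN\MYCOMP.REG
goto end

:nobase
echo No baseline at C:\LOCKDOWN\MYCOMP.REG. Run "%0 capture" first.

:end
```

A merge only overwrites values that are present in the saved file, so capture the baseline while the key holds the name you want.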
 
If your 98 PCs are logging into an NT4 server, you can really lock the desktop and PC down by using system policies on the NT server. I also think that TweakUI or an update from Microsoft's site allows you to set local policies on a Windows98 PC without reference/login to a server (but don't quote me on that last one).
 
I'm in an educational environment as well and do the same thing tmoses suggested, we are also using Fortress 101 software which is a backup but can only keep the honest people honest. Recently, I have been testing a hardware product called Centurion Guard. So far I've been very impressed with what it's capable of but am holding off on college recommendations until the drivers are available for Windows 2000.
 
FYI, something else I'm looking into is an application from Fortress called CleanSlate that does the same thing as the Centurion Guard, and considerably cheaper if you have a lot of systems. I've been using it on a Win98 SE system for demo purposes and have liked what it can do. Just an FYI..
Heather

pcheather@home.net
 
LadyH,

I have also been looking into the Centurion Guard for our college labs. How has it worked out for you? Any problems or concerns that I should be aware of?
 
Our college was not willing to pay for the Centurion Guard, but I did have good results with it on both Win98 and W2K systems. We are instead using the Clean Slate software as I mentioned above. It started off rocky, but is settling down now and we are preparing to reimage our labs to get them secure now.

Heather


pcheather@yahoo.com

 
I have been putting the Centurion Guard through some tests, and so far - I love it. Best thing since sliced bread.

But, to make an informed purchase, I must look at a software solution also. I will be installing Clean Slate this weekend for a trial run.

LadyH -- You said that your use of Clean Slate started off rocky. What kind of problems were you having? And - if you had a choice between CG and CS (money issues aside) what would be your choice?

Thanks
Mike
 
All of the problems we had were software related, conflicts with CS. Network applications wouldn't run, some apps wouldn't run at all unless the application directory was made writable (unprotected) which defeated the whole purpose of the application. With the latest revision to CS a lot of the problems have been resolved, however, we are still experiencing one once in a while that is a pain. If a student copies a read only file from the network to the local hard drive and then tries to edit the properties, the blue screen of death appears. If the file is copied to a floppy it works fine. There has also been a problem opening Office 2000 files from the server. If I make the office directory writable in Clean Slate it works fine. What happens is the system doesn't seem to recognize the file and wants to install Office 2000, what a pain!! But, we are chugging along with it anyway.
If I had my choice, CG would win out hands down. We met with a sales person for the CG yesterday and they have come up with a new and great way to unlock the guard with one key, rather than one key per system. Looks like it would work great, but the college may still not fork out the bucks to go that route.
I have worked with the CG and W2K and found no issues, worked great. They also have support for multiple partitions now, although we still stick with one. If I can be of any more help/info please let me know.
Heather


pcheather@yahoo.com

 
Hi, I work for a University IT department and we too are looking at Centurion Guard. Has anyone found any weakness in this product? So far I've not found any hacking info and every attempt we've tried so far has not defeated the device, but we really need to make sure we have a winner before we seek approval for purchase for all our campuses. We are running Win2k Pro logging into an NT network for security and files.

The only weaknesses I have discovered were covered in the FAQ for the product, namely accessing the drive without going through the operating system.
 
The school that I am at has also tried to lock down the Windows-based desktop. The only two ways I have found to bypass them so far are... With Fortress 101, a similar application like Centurion Guard, it is by a boot disk. Check to make sure before purchasing this software how this program is started. Fortress 101 was placed in the autoexec.bat file. It was very simple for me to go in with a boot disk and comment the line out, boot Windows, make any changes I wanted to, then restore the line to the autoexec.bat file... So double check how the program gets loaded; if someone can find this point it is very easy to stop a program like this from loading. The other thing I have noticed is with a simple HTML file. If you make a simple HTML file with the link <a href="file://c:\command.com">test</a> and the browser allows you to download or click on a link, you can launch the command prompt this way. This works in my school on a locked down version of 98. I would definitely check these weaknesses before you purchase an expensive software suite.

good luck ackka
ackka@mad.scientist.com
Java is the Future, Sun Microsystems will control you all!!!! :)
 
Yes, you could probably by-pass the security by booting with a disk but, if you set the system configuration (BIOS) to boot to the hard drive as the first boot device and password protect the BIOS then you will take away that opportunity. We had been (until recently) running the Fortress 101 software and never had a bypass as long as we had the options set in the BIOS. And yes, someone can crack the case and reset the BIOS password with a jumper on the motherboard, but for most that is too much work, especially in a monitored environment.

Heather


pcheather@yahoo.com

 
Another alternative is a software product called Hands-Off. The company is called Eye-T. I am a support manager and I found that my support calls and issues have dramatically reduced since using this software. You can configure different levels for different users depending on what access you wish them to have.
 
To get a demo copy of Clean Slate you have to go download it and then there is a way to contact the company for the password, they're very reluctant to post it to the site due to the free usage of the app (understandably). If I recall, you have to send a fax to the company with specific information and then they will contact you. Check the website ( for the specifics on the information. I believe this is a 30 day trial.
For DeepFreeze go to and fill out the form, then you can download a 60 day trial version.


pcheather@yahoo.com
 
I used to work at a college in the IT Department. We used PolEdit and Novell's Apps launcher.
With Poledit you can lock the box down, remove access to things like the Run command in the Start menu, Network Neighborhood, changing the desktop, adding printers, etc. Force login through the network to authenticate and block access to the box, as well as block the F8 re-boot option.
 
Hi
Just a note for some cheap and effective software that I have found. It uses the ZAW and ZAK registry keys (i.e. ZenWorks), much like a Poledit frontend without the confusion.
The program is called Security Setup 2.01 and can be downloaded at
This is a neat little program and I was able to lock down all of my trouble library pcs with it.

A good site to hit if you don't mind disabling regedit after you are finished is If the kids can have regedit capabilities they can kill the machine naturally, so I always delete regedit and load it from a cd.
Granted, someone else can do this too but client side security never really works does it?

One question, has anyone used visual basic to write an alternative windows shell? I have written a pretty neat one that disables all functionality yet looks just like a windows 9x desktop. Still a bit buggy, but I was wondering if any success has been made by anyone else.
 
EEPROM, I considered adding a bogus GUI shell to one of my projects but decided there wasn't a practical reason to do so. Every UI feature of Windows can be controlled programmatically, either proactively (through manipulation of the registry) or interactively (by monitoring user activity and interceding when necessary).

The only apparent advantage to filtering user activities through a shell seemed to be the ability to maintain a standard, unchanging desktop image with custom enhancements. When you think about it, the Policy Editor can do a fair job of maintaining standardization. Custom enhancements can be added by creating an application designed to provide them.

The biggest problem with the Policy Editor and the third-party user control packages (aside from obvious security issues) is the inability to control every aspect of a user's environment. Poledit can deny access to some or all of the Control Panel applets but it cannot prevent a user from reading a document entitled "Memo to the CEO". It can deny access to the MS-DOS prompt but, if access is granted, it can't prevent a user from entering [tt]DELTREE /Y C:\WINDOWS[/tt]. The "fake desktop" approach might seem tempting here... but it is unnecessary. Windows provides all the tools one requires to intercept and control user events.

Alt255@Vorpalcom.Intranets.com

"Don't be humble. You're not that great."
Golda Meir
 
I'm seeking system-lockdown software which will secure a computer to which the attacker has unlimited private access, system knowledge, and time (think: MIT grad students with night-time access, the NSA, etc.) It shouldn't allow *any* computer usage other than to the administrator, i.e. is supposed to secure a computer, not just keep the computer's settings from being modified by a rogue daytime user.

The software should thus thwart even ladyh's "reset the bios password with a jumper on the motherboard" scenario.

I want to encrypt the entire hard drive as well, but the encryption could be part of a separate security suite if running it were ensured by the first boot-time program.

Does such software exist? I will be booting into Win2000.

On the Internet I have seen boot-time encryption software which overwrites the BIOS, but don't know if that is sufficiently secure.

Thank you in advance.

Chris
match@real-d.com
 
We have been doing extensive work, and typically a student will not copy that many, or that large of files with a malicious intent. Yes, the system will crash, but will be cleared upon the reboot. If that is a consistent problem with the system you have installed the CG on, simply make the partition bigger. Currently, we have set ours to 1GB, giving the students plenty of room on the CG partition. People will always try to find a workaround when they know security is in place, that's a given. But, in our environment, the CG is going to be the best solution, especially since we will be implementing W2K. We used CleanSlate software for 3 semesters with W98, and while it was functional, we had to leave some labs unprotected due to software conflicts. The CG will enable our students to do what they want to the systems, especially in the training mode, without changing any of the configurations...

pcheather@yahoo.com

 