Configuring the Windows Registry for Minimal Security

Author: Robert L. Williams
E-Mail: robert@rlwconsulting.com
Version: 1.0a
Last Revision: May 25, 2000

(A print version of this document is also available for download in MS Word 97 format.)
Since Windows 95 and Windows 98 are primarily designed for the home and small business environment, security has not been a dominant philosophy in their development. However, since these are the prevalent operating systems used in public access settings in public libraries and schools, securing the user interface against accidental changes or minimal attempts at tampering is very important. Win9x (as we shall refer to the two editions herein, except where instructions for the two differ) does provide a base level of configuration security, however. It is most effective in a networked environment where the security settings are stored on a remote server. If all of your public access computers are networked, a consultation with your network administrator is highly encouraged.

The following instructions provide a method to configure a standalone Win9x-based computer with minimal security of its user interface using a program called the System Policy Editor. System policies are collections of settings from the Windows Registry, the storehouse of software settings for much of the software installed on your computer, as well as those of Windows itself.

On the following pages, we propose registry settings you can use to prevent accidental changes to the Win9x desktop and Start Menu, as well as many user attempts at tampering with other configuration settings. Realize at the beginning, however, that a configuration set in the Policy Editor can be circumvented or counteracted by a knowledgeable user; not all desirable security parameters can be set within the Win9x registry, even in a networked environment.

For those wanting a free, basic configuration security solution, the registry offers a compromise. With these reservations, we present the following instructions as an exploration of the parameters that can be set on a single workstation. They are for illustrative purposes only. Consult a qualified computer/network technician before implementing final settings on your public access computers.


Backing Up the Windows Registry Files

The first step in dealing with Win9x registry changes is performing a backup of the registry files. If any problems are encountered, you may restore the original settings by copying the original registry files back onto your hard drive.

  1. Click the Start button.
  2. Click Programs.
  3. Click Windows Explorer.
  4. In the left "pane" of the Explorer window, find and click on the Windows folder.
  5. After the contents of the Windows folder are displayed in the right pane of the Explorer window, scroll down until you see filenames beginning with the letter S. Do you see a file named system.dat?
  6. If yes, skip to the next step. If no, follow the instructions shown below:
  7. Click the View menu at the top of the Explorer window.
  8. Set the file options:

    For Win98:

    • Click the Folder Options… menu item.
    • Click the View tab.
    • Under the Hidden Files folder, make sure the Show all files radio button is selected. If not, click it.
    • Make sure the Hide file extensions for known file types checkbox is unchecked. If it is checked, click the box to remove the checkmark.

    For Win95:

    • Click the Options… menu item.
    • In the Hidden Files group, make sure the Show all files radio button is selected. If not, click it.
    • Make sure the Hide MS-DOS file extensions for file types that are registered checkbox is unchecked. If it is checked, click the box to remove the checkmark.

  9. If you made changes, click the Apply button.
  10. Click the OK button.
  11. Click the View menu again.
  12. Click Refresh.
  13. Scroll down the right pane again until you find the system.dat file. If the file size is greater than 1370K, you need to have a high-capacity backup device available (optimally a Zip drive, a network file server, or a writable CD drive) to back up the file. If you do not have such a device in this situation, stop now and consult a computer technician. Otherwise, you can store the file on a floppy disk. Put media in the designated drive.
  14. Right click the system.dat file.
  15. Click Copy.
  16. In the left pane of the Explorer window, click on the target backup drive (Zip, network, or writable CD).
  17. In the right pane again, right click anywhere in a white space.
  18. Click Paste. The system.dat file will be copied to the selected drive.
  19. In the left pane, find the Windows folder and click on it again.
  20. Scroll the right pane until you see the user.dat file.
  21. Repeat the copy-and-paste steps (14 through 18) for the user.dat file to copy it to the backup drive.


Installing the System Policy Editor

Windows 95 and 98 include a program named poledit.exe which provides easy access to many Windows registry settings aimed at workstation configuration. The program is called the System Policy Editor. However, this program is not included in the original installation of the Windows operating system on your computer(s). To use it, the Policy Editor must be installed on your system. This section provides instructions for Policy Editor installation.

From the Win9x desktop:

  1. Insert your original Windows 9x CD into the CD-ROM drive.
  2. Double-click the My Computer icon.
  3. Double-click the Control Panel icon.
  4. Double-click the Add/Remove Programs icon.
  5. Click the Windows Setup tab in the Add/Remove Programs Properties dialog.
  6. Click the Have Disk… button.
  7. Click the Browse button.
  8. In the Open dialog, click the drop-down list under Drives:.
  9. Click on your CD-ROM drive.
  10. Find the policy editor files, under the Folders: list:

    For Win98:

    • Double-click Tools.
    • Double-click Reskit.
    • Double-click Netadmin.
    • Double-click Poledit.

    For Win95:

    • Double-click Admin.
    • Double-click Apptools.
    • Double-click Poledit.

  11. Under the File name: list, click poledit.inf (type the name in the filename text box if it does not appear there after clicking).
  12. Click the OK button on the Open dialog.
  13. Click the OK button.
  14. The policy editor files will be installed. After the system is finished, you may close the Add/Remove dialog and the Control Panel.


Checking for User Logon

When you reboot your computer or restart Windows, does a Windows Login screen appear on your computer? In order to restrict certain users, or certain groups of users, from changing some of the configurable parts of Windows, you must enable the Windows Login feature. If you already get a login screen, your computer is already set to allow multiple logons, or multiple people to create "profiles," differing configurations of Start Menu items, desktop icons, etc. Nevertheless, you might follow these instructions just to be sure all the items are configured appropriately.

If your computer boots straight to a Windows desktop screen with no login prompt, you need to follow these instructions.

  1. Click the Start button.
  2. Click Settings.
  3. Click Control Panel.
  4. After the Control Panel loads, find the Passwords icon. Double-click it.
  5. Click the User Profiles tab.
  6. Click the Users can customize their preferences and desktop settings item.
  7. Click both User profile settings checkboxes.
  8. Click OK.
  9. Close the Control Panel.


Creating a Manager’s User Profile

The system policies you will be creating in the next section will be implemented as an "all user" policy. Any user accounts created after the configuration is created will inherit all the settings you specify. The settings will provide as much protection from mischief as Windows itself will allow you. But you may need to work on the computer without these settings from time to time. To do so, we need to create a specific user profile without the protected configuration. This section provides a "manager" user profile for this purpose.

  1. Click the Start button.
  2. Click Settings.
  3. Click Control Panel.
  4. After the Control Panel loads, find the Users icon. Double-click it.
  5. In the User Settings dialog, click New User….
  6. Click Next in the pop-up dialog.
  7. In the User name: text box, type a name for the manager of the accounts; "manager" might be good.
  8. Click Next.
  9. Type a hard-to-guess password in the Password: text box. A good password usually consists of characters and numerals, or even two words separated by a hyphen. Confirm the password by typing it again in the Confirm password: text box. Be sure to write the user name and password down and keep it secure.
  10. Click Next.
  11. Check each of the checkboxes indicating that all areas of the interface should be separate from the main interface configuration.
  12. Click Next.
  13. Click Finish.


Setting Up the System Policy Editor

Windows 95’s version of the System Policy Editor has far fewer options than the Windows 98 version. Once it is installed, it has only one pre-configured template, Admin.adm, which is opened by default. So you will not need to configure the Windows 95 System Policy Editor. The instructions below refer to the Windows 98 version.

Before you begin working with the policy editor, you must first add some policy template files to its configuration.

  1. Click the Start button.
  2. Click Run….
  3. In the command dialog, type poledit.exe and click the OK button.
  4. Click the Options menu.
  5. Click Policy Template….
  6. Check to see if any of the following templates are loaded. These templates provide all of the configuration settings most libraries will require in securing their workstations:
    inetresm.adm
    shellm.adm
    windows.adm

    For each of the above files that are missing, complete the following steps:

    1. Click Add….
    2. In the Open Template File dialog, click the drop-down list under Look in:.
    3. Click drive icon labeled (C:).
    4. Scroll until the Windows folder is visible. Double-click the Windows folder.
    5. Scroll until the Inf folder is visible. Double-click the Inf folder.
    6. Double-click on the desired template file name.
  7. When all the template files are listed in the window, click the OK button. The System Policy Editor now has access to all the registry settings that impact the security of your workstation.


Configuring the Default User Policy Settings

On a standalone public access computer, the policy editor must work on that computer’s and user’s registry settings (the local computer). In a networked environment, settings for "Default Computer" and "Default User" are used to create a policy that is stored on a network file server and accessed by each computer that logs onto the file server. The instructions below use the same settings, but store and retrieve the policy from the local hard drive instead of the network. These override the computer’s registry settings.

Windows 95 and Windows 98 present different default templates in the System Policy editor and have different settings available for configuration. The instructions below apply to Windows 98. A note is made where configuration settings also apply to Windows 95.

Before you begin setting system policies, experiment with the configuration of the default Windows desktop by restarting Windows and pressing the Esc key when the Windows Login screen appears. This will load the default user configuration. Then add/delete desktop icons, Start Menu items, wallpaper, etc.

Once you have configured the desktop as you want it to appear for your patrons, run the System Policy Editor again as directed in steps 1-3 of the previous section.

(Screenshot: System Policy Editor screen)

  1. Click the File menu.
  2. Click New.
  3. You should see the two icons shown above.
  4. Double-click the Default User Icon. The Default User Properties dialog will appear, with a "tree" of configuration categories. If you configured your template files as directed in the previous section, you should see a list very similar to the one shown below.
  5. The items labeled General through Advanced Settings allow you to configure the operation of the Internet Explorer browser. If you use Netscape, you will not need to work with these settings. (Screenshot: Policy List)
  6. The Desktop item provides settings to secure the desktop icons from manipulation. I have experienced difficulty making these work with existing user profiles, but you should have no trouble on a new PC or on a PC which previously had no User Profiles already created. Click the plus sign beside Desktop to reveal four areas of configuration.
  7. Place a checkmark beside each item. As you check each one, look at the Settings list for its options. We recommend checking the following items:

    1. Desktop Restrictions:
      • Do not allow changes to Active Desktop
      • Hide Explorer Icon (if you use Netscape Navigator exclusively)
    2. Active Desktop Items:
      • Disable adding ANY desktop items
      • Disable deleting ANY desktop items
      • Disable editing ANY desktop items
      • Disable closing ANY desktop items (if you have open windows on the desktop)
    3. Desktop Wallpaper Settings:
      • Disable changing wallpaper
    4. Desktop Toolbars Settings:
      • Disable dragging, dropping, and closing ALL toolbars
      • Disable resizing ALL toolbars
  8. Click the plus sign beside Start Menu to reveal its configuration item. Click the check box beside its configuration item and you will see a list of thirteen settings appear in the Settings for Start Menu list below. Click the checkboxes for the first twelve items to set a maximum level of security.
  9. Click the plus sign before Shell. Then click its configuration item to place a checkmark in the selection box and reveal the seven settings in the Settings for Shell list.
  10. Four settings in particular should be checkmarked:
    1. Disable File menu in Shell folders
    2. Disable context menus in Shell folders
    3. Hide Floppy Drives in My Computer
    4. Disable net connections/disconnections
  11. Check with your network technician/administrator regarding the other items. In relation to your computer use policy, you should also discuss hiding floppy disk drives in My Computer. (Note: This setting will hide the floppies in all Explorer windows, "File Save" and "File Open" dialogs as well, keeping patrons from immediately accessing floppy disks; however, the hiding is easily circumvented by just adding an a: drive designation before the filename in the dialogs.)
  12. Click the plus sign beside the System item. Checkmark its configuration item. Then, in its Settings list, checkmark the Do not allow computer to restart in MS-DOS mode item.
  13. (+Win95, Network) The Windows 98 Network item, if it appears, is not applicable to a standalone computer. Discuss these settings with your network technician/administrator if the computer is set up in a networked environment.
  14. Click the plus sign beside the Windows 98 System item to reveal four configuration items.
  15. (+Win95) Click the plus sign beside the Shell item. In most cases, the Custom Folders item can be ignored.
  16. (+Win95) Click the plus sign beside the Restrictions item. A series of eleven items will be listed. Some of these reflect changes you may have made in previous configuration items. Check all items except two: Hide all items on Desktop and Disable Shut Down command.
  17. Notes: If you want to make your Start Menu the only method of accessing programs, you can also check the Hide all items on Desktop item. Disabling the Shut Down command will keep your patrons from trying to reboot the machine, but it will also prevent you from easily rebooting if a program freezes the system, etc. Hide Drives in My Computer will hide all drives on your system in File Save and Open dialogs, as well. However, a knowledgeable patron can still access the drives by adding a specific drive letter before a filename or alone, such as c:\, and the drive contents will be displayed.
  18. (+Win95) Click the plus sign beside the Control Panel item. A series of five items will be listed underneath it.
    1. Restrict Display Control Panel
    2. Restrict Network Control Panel
    3. Restrict Passwords Control Panel
    4. Restrict Printers Control Panel
    5. Restrict System Control Panel
  19. (+Win95) Click the plus sign beside each of the five items and checkmark the configuration item which appears. Checkmark the top item in the Settings: list for each. For example, below the Display item is Restrict Display Control Panel. Checkmark that and a series of five items appears in the Settings: box. The first is Disable Display Control Panel. Checkmarking the Disable item effectively accomplishes all of the other items in the list.
  20. (+Win95) You may set the options for wallpaper or color scheme with the Desktop Display item if you wish, but you have probably already done that when setting up the computer.
  21. (+Win95, System first) Click the Restrictions item. Four important settings appear below it.
  22. (+Win95) Checkmark the Disable MS-DOS prompt and Disable single-mode MS-DOS applications to keep patrons from easily accessing an MS-DOS prompt.
  23. (+Win95) If you would like for your patrons to have access only to the few programs you prescribe, put a checkmark beside the item Only run allowed Windows applications. In the Settings box you can then specify which programs are allowed to run (Note: Set this option only on the default user's profile and be sure to "uncheck" it when adding the manager profile later. Also, be certain to add the programs to the list that you wish the default user to have access to. Checking this box without adding programs, and not unchecking it in the manager's profile, may virtually lock you out of the machine.)
  24. (+Win95) Lastly, when you finalize all the settings you desire, put a checkmark beside the Disable Registry editing tools item. This will keep patrons from using the regedit.exe tool under Windows, but does not keep them from running other, third-party registry editing applications. Nevertheless, it offers a moderate amount of protection from patron tampering with the settings you have just set. For an added layer of protection, remove the regedit.exe file from the computer (copy it to a floppy disk for your own use).

At this point, you’re almost finished. In order for you to be able to change any of these settings later, you’ll need a separate, unsecured configuration for your own use. We configure that user in the last section.
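The policy items checked above are written into the user's registry under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies. The following script is an added example, not part of the original article: it audits a REGEDIT4 export of that branch (the sample export is constructed) against the article's recommendations, flagging recommended items that are missing, items the article says to leave unchecked that are set, and decoding the NoDrives bitmask behind "Hide Drives in My Computer". The mapping from policy labels to value names reflects the standard Windows 98 policy templates and is an assumption here, since the article itself does not name the registry values.

```python
import re

POLICY_ROOT = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"

# Article recommendations -> (subkey under POLICY_ROOT, value name).
# Assumed from the standard windows.adm template; not listed on the page.
RECOMMENDED = {
    "Disable Registry editing tools":          ("System", "DisableRegistryTools"),
    "Disable Display Control Panel":           ("System", "NoDispCPL"),
    "Disable MS-DOS prompt":                   ("WinOldApp", "Disabled"),
    "Disable single-mode MS-DOS applications": ("WinOldApp", "NoRealMode"),
}
# Items the article says to leave unchecked for the default user.
LEAVE_UNSET = {
    "Hide all items on Desktop": ("Explorer", "NoDesktop"),
    "Disable Shut Down command": ("Explorer", "NoClose"),
}

# Constructed sample export (REGEDIT4 is the Win9x .reg format).
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"NoDispCPL"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDrives"=hex:03,00,00,00
"NoDesktop"=dword:00000001
"NoClose"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp]
"Disabled"=dword:00000001
"""

VALUE_RE = re.compile(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|hex:([0-9a-fA-F,]+))')

def parse_reg(text):
    """Parse a REGEDIT4 export into {key: {value_name: int}} (DWORD/binary only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            m = VALUE_RE.match(line)
            if not m:
                continue  # strings and other types are not policy flags here
            if m.group(2):
                val = int(m.group(2), 16)
            else:  # hex: bytes are little-endian, as poledit sometimes writes them
                val = int.from_bytes(bytes.fromhex(m.group(3).replace(",", "")), "little")
            keys[current][m.group(1)] = val
    return keys

def flag(keys, subkey, name):
    return keys.get(f"{POLICY_ROOT}\\{subkey}", {}).get(name, 0) != 0

def audit(reg_text):
    """Return {'missing': [...], 'unwanted': [...]} relative to the article's advice."""
    keys = parse_reg(reg_text)
    return {
        "missing":  [label for label, loc in RECOMMENDED.items() if not flag(keys, *loc)],
        "unwanted": [label for label, loc in LEAVE_UNSET.items() if flag(keys, *loc)],
    }

def hidden_drives(reg_text):
    """Decode NoDrives: bit 0 hides A:, bit 1 hides B:, ... bit 25 hides Z:."""
    mask = parse_reg(reg_text).get(f"{POLICY_ROOT}\\Explorer", {}).get("NoDrives", 0)
    return [chr(ord("A") + bit) for bit in range(26) if (mask >> bit) & 1]

if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT), hidden_drives(SAMPLE_EXPORT))
```

On the constructed sample the audit reports the single-mode MS-DOS restriction as missing, flags Hide all items on Desktop as set against the article's advice, and shows that NoDrives = 0x03 hides only A: and B:, the floppy drives.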


Configuring the Manager Profile

To create a policy for the manager account you created earlier, you need to add an additional user.

  1. Click the Edit menu in the System Policy Editor.
  2. Click Add User….
  3. Type the name of the manager profile you created earlier into the text box.
  4. Click OK. A new user icon appears in the policy editor window.
  5. Double-click the new user icon.
  6. The policy settings will be the same as those you set in the previous section for the Default User. Go into each of the setting areas and uncheck all of the items you wish to be able to access as the manager. Basically, this means you can uncheck all of the items you checked for the default user.
  7. When you have configured the policy as desired for the manager account, click OK.


Saving the Policy

In order for Windows to access these settings after your computer is rebooted, they need to be written to the hard drive.

  1. Click the File menu in the Policy Editor.
  2. Click Save As….
  3. In the Save As dialog, click the icon beside the location box.
  4. Double-click My Computer.
  5. Double-click the C: drive icon.
  6. Double-click the Windows folder.
  7. In the File name: text box, type config.pol and click Save.


Setting the Path to the Policy File

So that Windows knows which policy file to open as it boots, you need to tell it to download the policy manually from the file you just created.

  1. Click the File menu in the Policy Editor.
  2. Click Open Registry.
  3. Double-click the Local Computer icon.
  4. Click the plus sign beside the Windows 98 Network item (Network in Win95).
  5. Click the plus sign beside Update.
  6. Put a checkmark beside the Remote Update setting.
  7. In the Settings box below, click on the Update Mode: drop down list and click on Manual.
  8. In the Path for manual update: text box, type c:\windows\config.pol.
  9. Click OK.
  10. Click File.
  11. Click Save.


Exit and Reboot

Your configuration is now ready. Close the System Policy Editor and restart Windows. When the login screen appears, press ESC to see what the patron desktop looks like. See where you can or can’t go, what you can or can’t do.

Restart the computer a second time and type in the manager user name and password you selected. When the desktop loads, you should see your normal screen.

To protect the policy file, you can write-protect it by using attrib.exe to make it read-only and hidden: (attrib +r +h c:\windows\config.pol).
Copyright © 1999-2000 Williams Consulting. Send comments and suggestions to webmaster@rlwconsulting.com.