WINDOWS 9x/ME SECURITY AND SYSTEM RESTRICTIONS

Version: 1.0b
Written by: PHaRaoH
for the Blacksun Research Facility.
Release Date: 20 January 2002


[DISCLAIMER]

This tutorial was written for informational purposes only, so let's keep it that way!
I am not responsible for anything stupid you do with this information (not that you can do anything stupid with it but you know people...). yada yada yada...

[THE FLASHING RED WARNING NOTE]

This tutorial is about editing the registry. Editing the registry is very dangerous: you can break your PC, so please take the time and backup the registry before you even try anything written in this tutorial. I also suggest that you first read the other tutorials about the registry available from BSRF [http://blacksun.box.sk].

[ABOUT THIS TUTORIAL]

This tutorial was not written by me entirely, I gathered information from other sources on the web (some time ago) like messageboards, advisories etc. I do not know who the original authors are, but if you read this and feel that you need some credit for it please drop me a line and I will put your name in here somewhere ;-)

A large part of this tutorial originated from a post on Elf Qrin's message board [http://www.elfqrin.com]

The reason for this tutorial is that I was looking for something like this and could not get hold of it easy... (That is good enough a reason, ain't it? =)

Anyway, here goes, I hope you like it. Send all feedback to PHaRaoH.


You can control the way your Win95/98/ME system restricts access to certain areas or features (especially useful on multiuser machines) without having to mess with Poledit.exe (Policy Editor), the default Windows administrative control tool.

All you have to do is modify the Registry values listed below.
You can either make these changes manually using the Registry Editor (Regedit.exe), or save them in a .REG file for future use (name it for example RESTRICT.REG). Start Regedit and go to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies

Look in the left hand pane for these subkeys:

  1. Explorer
  2. System
  3. Network
  4. WinOldApp

If they are not present, create them: right-click... New... Key... Name it to one of the values listed above.

Now you need to create (or modify if they already exist) the following DWORD values listed further below under the subkeys above. To create a new DWORD value: right-click... New... DWORD... name it to one of the values listed further below. To modify one of these DWORD values: right-click... Modify... check the Decimal box... enter a value of 1 to disable access to a certain feature, or a value of 0 to enable access to a certain feature. These are the valid DWORD values (if not specified otherwise) you can change under the following subkeys:

1. Explorer subkey:

Key Name                 Description
ClearRecentDocsOnExit    enable/disable clear of recent documents upon exit
DisableRegistryTools     enable/disable registry editing tools
                         WARNING: If you disable the Registry Editor, you will NOT be able to modify ANY Registry settings anymore, and the ONLY way to disable system restrictions is to run/merge/register a .REG/.INF/.VBS file!
NoAddPrinter             enable/disable addition of new printers
NoClose                  enable/disable system shutdown
NoDeletePrinter          enable/disable existent printers deletion
NoDesktop                enable/disable ALL desktop items and desktop right-click menu
NoDevMgrUpdate           enable/disable Windows 98/ME web update manager
NoDrives [hex]           enable/disable ANY drives in My Computer/Explorer/IE
                         See "Hide Win9x Drives" for details
NoFind                   enable/disable the find/search command
NoInternetIcon           enable/disable the Internet icon on desktop
NoNetHood                enable/disable Network Neighborhood
NoRecentDocsHistory      enable/disable recent documents in the Start Menu (Win98/ME/IE4/IE5/IE6 only)
NoRun                    enable/disable the run command
NoSaveSettings           enable/disable save settings upon exit
NoSetFolders             enable/disable folders in Start Menu... Settings
NoSetTaskbar             enable/disable taskbar in Start Menu... Settings
NoSMMyDocs               enable/disable My Documents folder in Start Menu
NoSMMyPictures           enable/disable My Pictures folder in Start Menu
                         ["NoSMMyDocs" and "NoSMMyPictures" courtesy of David Poole]
NoWindowsUpdate          enable/disable the Win98/ME web update

2. System subkey:

Key Name                 Description
NoAdminPage              enable/disable the remote administration tab
NoConfigPage             enable/disable the hardware profiles tab
NoControlPanel [hex]     enable/disable the control panel
NoDevMgrPage             enable/disable the device manager tab
NoDispAppearancePage     enable/disable the appearance display tab
NoDispBackgroundPage     enable/disable the background display tab
NoDispCPL                enable/disable the display properties applet
NoDispScrSavPage         enable/disable the screensaver display tab
NoDispSettingsPage       enable/disable the settings display tab
NoFileSysPage            enable/disable the file system button
NoPwdPage                enable/disable the password change tab
NoProfilePage            enable/disable the user profiles tab
NoSecCPL                 enable/disable the password applet
NoVirtMemPage            enable/disable the virtual memory button

3. Network subkey:

Key Name                 Description
DisablePwdCaching        enable/disable password caching
HideSharePwds [hex]      enable/disable shared passwords
NoEntireNetwork          enable/disable entire network
NoNetSetup               enable/disable the network applet
NoNetSetupIDPage         enable/disable the network identification tab
NoNetSetupSecurityPage   enable/disable the network access tab
NoFileSharing            enable/disable the network file sharing button
MinPwdLen                set the minimum password length (integer number: 0 - 99)
NoPrintSharing           enable/disable the network print sharing button
NoWorkgroupContents      enable/disable network workgroup

4. WinOldApp subkey:

Key Name                 Description
Disabled                 enable/disable MS-DOS Prompt
NoRealMode               enable/disable real MS-DOS mode reboot option (Win95/98 only)

Similar settings for Explorer, Network and System can be also found under these Registry keys:

HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies

and:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

If there is only one user, the ".Default" key above contains all global system settings. If more than one user, each user has its own subkey here, named after the username(s) found in Control Panel... Users, and the registry settings located under a user's subkey are valid only for that specific user. If you double-click on any of these keys, you'll see 3 subkeys in the left hand pane: Explorer, Network and System.
Create (or modify if already present) the following Binary [hex] values listed below under the subkeys above. To create a new Binary value: right-click... New... Binary... Name it to one of the values listed below.
To modify one of these Binary [hex] values: double-click on it... give it a value of 01 00 00 00 to disable access to a certain system feature, or a value of 00 00 00 00 to enable access to a certain system feature. Don't type the spaces, they will be inserted automatically.

Explorer subkey valid DWORD values (if not specified otherwise) that can be changed (some are valid ONLY for Win98/ME and MS IE 3/4/5/6):

Key Name                         Description
CDRAutoRun [hex]                 enable/disable CD-R/CD-RW/DVD-R/DVD-RW drive(s) autoRun
                                 NOTE: This setting needs specific CDR(W)/DVDR(W) software installed, like Roxio (Adaptec) Easy CD Creator, DirectCD, CD Copier etc.
ClassicShell [hex]               enable/disable the active desktop shell
ClearRecentDocsOnExit            clear/don't clear recent documents upon exit
EditLevel                        edit security level (integer number: 0 - 4)
EnforceShellExtensionSecurity    self explanatory :)
LinkResolveIgnoreLinkInfo        display/don't display link info
NoActiveDesktop                  enable/disable active desktop
NoActiveDesktopChanges           enable/disable changes to active desktop
NoAddPrinter                     enable/disable addition of new printers
NoChangeStartMenu                enable/disable changes to the Start Menu
NoClose                          enable/disable closing IE GUI
NoDeletePrinter                  enable/disable existent printers deletion
NoDeskTop                        enable/disable ALL desktop items and desktop right-click menu
NoDevMgrUpdate                   enable/disable the Win98/ME web update manager
NoDrives [hex]                   enable/disable ALL drives in My Computer/Explorer/IE
                                 See "Hide Win9x Drives" for details.
NoDriveTypeAutoRun [hex]         enable/disable the cd-rom autorun command
NoEditMenu                       edit/don't edit the Start Menu
NoFavoritesMenu                  enable/disable favorites folder display
NoFileMenu                       enable/disable Explorer/IE file menu
NoFind                           enable/disable the find command
NoFolderOptions                  show/don't show Folder Options menu in explorer
NoHelp                           show/don't show Help menu
NoInternetIcon                   show/don't show the Internet icon on desktop
NoLogOff                         show/don't show the Logoff menu in the Start menu
NoNetConnectDisconnect           enable/disable dial-up networking connect/disconnect
NoNetHood                        enable/disable network neighborhood
NoRecentDocsHistory              enable/disable recent documents in Start Menu (Win98/ME/IE4/IE5/IE6 ONLY)
NoRecentDocsMenu                 show/don't show the recent documents menu in the Start menu
NoRun                            enable/disable the run command
NoSaveSettings [hex]             enable/disable save settings upon exit
NoSetActiveDesktop               enable/disable active desktop
NoSetFolders                     enable/disable folder settings
NoSetTaskbar                     enable/disable taskbar settings
NoStartBanner [hex]              enable/disable the splash screen upon IE start
NoStartMenuSubFolders            show/don't show subfolders in the Start Menu
NoTrayContextMenu                show/don't show context menu for tray items
NoViewContextMenu                show/don't show context menu
NoWindowsUpdate                  enable/disable Win98/ME web update
NoWinKeys                        enable/disable Win9x keys on 104+ keyboards
RestrictRun                      enable/disable the run menu

Some of these values are also found under:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Example:
NoControlPanel [hex] = enable/disable Control Panel

Most of the "CURRENT_USER" settings, especially the ones that affect the entire system, change automatically when you modify the similar values under the "LOCAL_MACHINE" registry key (see above). Most of these values affect ONLY Internet Explorer versions 3, 4, 5 and 6, and CAN be changed separately in the "CURRENT_USER" key, without influencing the overall system operation.
ANY changes to these settings under ANY of these Registry keys require a Windows restart to take effect.

The MS Internet Explorer 4.0x/5.xx/6.xx restrictions are found under these Registry keys:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions

and:

HKEY_USERS\.Default\Software\Policies\Microsoft\Internet Explorer\Restrictions

if there is only one user. If more than one user, the ".Default" key above is replaced with each "username" key. All values are in DWORD format. Type in the decimal box for the desired value: 1 to disable or 0 to enable the respective function/key combo:

Key Name                 Description
NoFileOpen               enable/disable open command in File menu, Ctrl+O and Ctrl+L
NoFileNew                enable/disable Ctrl+N for creating a new window
NoBrowserSaveAs          enable/disable the save and save as in the file menu
NoBrowserOptions         enable/disable the Internet options/properties in the view menu
NoFavorites              enable/disable the favorites menu, adding to, organizing favorites
NoSelectDownloadDir      enable/disable the save as dialog box upon file download
NoBrowserContextMenu     enable/disable html context menu
NoBrowserClose           enable/disable the close menu and alt+F4 keys to close a window
NoFindFiles              enable/disable the find menu and the F3 key
NoTheaterMode            enable/disable fullscreen (kiosk mode) and the F11 key

Internet Explorer Restrictions

The Internet Properties restrictions for MS Internet Explorer 4.0x/5.xx/6.xx (also found as a Control Panel applet) are located under this Registry key:

HKEY_USERS\.Default\Software\Policies\Microsoft\Internet Explorer\Control Panel

if there is only one user. If more than one user, the ".Default" key above is replaced with each "username" key. All values are in DWORD format. Type in the Decimal box for the desired value: 1 to disable or 0 to enable the respective tab/setting/button.
Changing ANY of these settings does NOT require restarting Windows:

Key Name                 Description
Accessibility            enable/disable accessibility settings
Advanced                 enable/disable advanced settings
AdvancedTab              enable/disable the advanced tab
Autoconfig               enable/disable autoconfig settings
Cache                    enable/disable cache settings
CalendarContact          enable/disable contact settings
Check_If_Default         enable/disable check if IE default browser setting
Connection Settings      enable/disable connection settings
Certificates             enable/disable certificates settings
CertifPers               enable/disable personal certificates settings
CertifSite               enable/disable certificates publishers settings
Colors                   enable/disable color settings
Connection Wizard        self explanatory =)
ConnectionsTab           enable/disable connections tab
Connwiz Admin Lock       enable/disable connection wizard administrative lockout
ContentTab               enable/disable content tab
Fonts                    enable/disable fonts settings
FormSuggest              enable/disable forms suggest setting
FormSuggest Passwords    enable/disable passwords suggest setting
GeneralTab               enable/disable General tab
History                  enable/disable history settings
HomePage                 enable/disable homepage settings
Languages                enable/disable Languages settings
Links                    enable/disable links settings
Messaging                enable/disable MS messaging settings
Profiles                 enable/disable profiles settings
ProgramsTab              enable/disable programs tab
Proxy                    enable/disable proxy server settings
Ratings                  enable/disable ratings settings
ResetWebSettings         enable/disable Reset web settings
SecAddSites              enable/disable Security Add sites settings
SecChangeSettings        enable/disable security changes
SecurityTab              enable/disable security tab
Settings                 enable/disable settings boxes
Wallet                   enable/disable MS wallet settings (MS IE 5.xx and newer ONLY)

Change/Add Restrictions And Features

If you want to restrict what users can do or use on their computer without having to run poledit.exe, you can edit the registry. You can add and delete Windows features by editing the registry. In this key the value 0 is ON and the value 1 is Off.

Example: to have Windows save its settings, add the value name NoSaveSettings (or modify it) and set it to 0; if it is set to 1, Windows will not save settings. Likewise, NoDeletePrinter set to 1 will not allow the user to delete a printer.

The same key shows up at:

HKEY_USERS\(yourprofilename)\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

so change it there also if you are using different profiles.

  1. Open RegEdit
  2. Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
  3. Go to the Explorer Key (Additional keys that can be created under Policies are System, Explorer, Network and WinOldApp)
  4. You can then add DWORD or binary values set to 1 in the appropriate keys for ON and 0 for off.

The following keys are valid:

Key Name                  Description
NoDeletePrinter           disables deletion of printers
NoAddPrinter              disables addition of printers
NoRun                     disables run command
NoSetFolders              removes folders from settings on Start menu
NoSetTaskbar              removes taskbar from settings on Start menu
NoFind                    removes the find command
NoDrives                  hides drives in My Computer
NoNetHood                 hides the network neighborhood
NoDesktop                 hides all icons on the desktop
NoClose                   disables shutdown
NoSaveSettings            don't save settings on exit
DisableRegistryTools      disable registry editing tools
NoRecentDocsMenu          hides the documents shortcut at the Start button
NoRecentDocsHistory       clears history of documents
NoFileMenu                hides the file menu in explorer
NoActiveDesktop           no active desktop
NoActiveDesktopChanges    no changes allowed to active desktop
NoInternetIcon            no internet explorer icon on the desktop
NoFavoritesMenu           hides the favorite menu
NoChangeStartMenu         disables changes to the Start menu
NoFolderOptions           hides the folder options in the explorer
ClearRecentDocsOnExit     empty the recent documents folder on reboot
NoLogoff                  hides the log off option in the Start menu
RestrictRun               disables all exe programs except for those listed in the RestrictRun subkey

POLICY EDITOR

Tips/Info

INDEX

  1. Customize your system with the System Policy Editor
  2. Don't want someone else changing your Windows?
  3. Restrictions without running Poledit
  4. Poledit Tips

1. Power users: Customize your system with the System Policy Editor

The policy editor comes free on the Win9x CD. Here's how to install it: Open the Control Panel and double-click on the Add/Remove Programs icon. Select the Windows Setup tab, then click on the Have Disk button. Click on the Browse button and find the ADMIN\APPTOOLS\POLEDIT folder on your Win9x installation CD. Click on OK twice. Select both System Policy Editor and Group Policies and click on the Install button.

2. Don't want someone else changing your Windows environment?

Use the System Policy Editor, located on the Win 95 installation CD-ROM. Don't put the Policy Editor on your own hard drive or you'll make it too easy for others to change your configuration. When you need it, pop in the CD-ROM, select Start... Run, and run the command d:\admin\apptools\poledit\poledit.exe, where d is your CD-ROM drive.

3. Restrictions without running Poledit:

If you want to restrict what users can do without having to run Poledit, changes can be made directly to the Registry.

This will allow you to make a .reg file with the specific restrictions you want and import them all at once.

  1. Start Regedit
  2. Go to HKEY_Current_User\Software\Microsoft\Windows\CurrentVersion\Policies
  3. There should already be at least an Explorer key
  4. Additional keys that can be created under Policies are System, Network and WinOldApp
  5. You can then add DWORD values set to 1 in the appropriate keys
  6. In the Explorer key you can add:

     Key Name                 Description
     NoDeletePrinter          Disables Deletion of Printers
     NoAddPrinter             Disables Addition of Printers
     NoRun                    Disables Run Command
     NoSetFolders             Removes Folders from Settings on Start Menu
     NoSetTaskbar             Removes Taskbar from Settings on Start Menu
     NoFind                   Removes the Find Command
     NoDrives                 Hides Drives in My Computer
     NoNetHood                Hides the Network Neighborhood
     NoDesktop                Hides all items on the Desktop
     NoClose                  Disables Shutdown
     NoSaveSettings           Don't save settings on exit
     DisableRegistryTools     disable registry editing tools
                              NOTE: remember to be careful of this one!

  7. In the System key you can add:

     Key Name                 Description
     NoDispCPL                Disable Display Control Panel
     NoDispBackgroundPage     Hide Background Page
     NoDispScrSavPage         Hide Screen Saver Page
     NoDispAppearancePage     Hide Appearance Page
     NoDispSettingsPage       Hide Settings Page
     NoSecCPL                 Disable Password Control Panel
     NoPwdPage                Hide Password Change Page
     NoAdminPage              Hide Remote Administration Page
     NoProfilePage            Hide User Profiles Page
     NoDevMgrPage             Hide Device Manager Page
     NoConfigPage             Hide Hardware Profiles Page
     NoFileSysPage            Hide File System Button
     NoVirtMemPage            Hide Virtual Memory Button

  8. In the Network key you can enter:

     Key Name                 Description
     NoNetSetup               Disable the Network Control Panel
     NoNetSetupIDPage         Hide Identification Page
     NoNetSetupSecurityPage   Hide Access Control Page
     NoFileSharingControl     Disable File Sharing Controls
     NoPrintSharing           Disable Print Sharing Controls

  9. In the WinOldApp key you can enter:

     Key Name                 Description
     Disabled                 Disable MS-DOS Prompt
     NoRealMode               Disables Single-Mode MS-DOS

4. Poledit Tips

The policy editor will allow you to remove the Run command from the Start menu. You can also specify only certain apps that 95 can run using a policy. Unfortunately, booting in safe mode will allow someone to run poledit, and undo all your changes.

If you are on a network, the best way is to put the policy there, and configure it so they must log in to use the computer. Any changes made with policy editor in safe mode will be reset after the user authenticates to the network, unless, of course, they kill the network configuration. But if that happens, they're now screwed.

Bottom line: If you have such a problem with users hacking your system and reasonable measures taken with policy editor cannot stop them, those people should not be allowed to use the computer in the first place!

Don't forget, you can always use a bios password and lock the case, so it can't be reset without a hammer and screwdriver. You can also edit the msdos.sys file and change the bootmulti line to 0 so they can't enter safe mode without a boot disk. Disabling boot from floppy in the bios will afford you another level of protection. There are also 3rd party utils which will handle these chores for you.

SECURITY

INDEX

  1. Creating Secure User Profiles under Win9x
  2. Disabling the Right-Click on the Start Button
  3. Disabling My Computer
  4. For Your Eyes Only
  5. Hidden Creator
  6. Boot Keys - Locking Out
  7. Restrictions without running Poledit
  8. Hmmm?
  9. Useful Links

1. Creating Secure User Profiles under Win9x:

The following is the text of a letter by Richard Turner of Augusta, Georgia. It was published in PC Magazine, and is undoubtedly copyrighted by them. I'm including it because it addresses a common question about how to create secure user profiles in Win9x. This was a Stumper question at one point - many people responded that the answer was to use the Policy Editor, but no one explained the exact, best procedure. This letter does a very good job of that.

Once again, the following is directly from PC Magazine, and was written by Richard Turner.

Publicly accessible computers, such as those in schools, require a significant degree of security to prevent abuse. The Windows 95 CD-ROM provides the tool you need to implement restrictive policies on such machines in the form of the Policy Editor (POLEDIT) application. Unfortunately, the Windows 95 Resource Kit doesn't tell you how to use POLEDIT for standalone computers, so I developed a method of my own:

1. Prepare the System.

Use Explorer to make backup copies of USER.DAT and SYSTEM.DAT, in case of emergency. Make sure you have at least 10MB free on the Windows drive to hold user profile information.

2. Enable User Profiles.

Launch the Password applet in Control Panel. Click the User Profiles tab, click the option Users Can Customize, and check the two boxes. Click OK; Windows will restart.

3. Create Profiles.

When Windows restarts, log on as User and allow Windows to create folders to hold your profile information. Shut down and log on again as Administrator, with a suitably obscure password, and again allow Windows to create profile folders. Don't forget this password!

4. Restrict User Access to Programs.

While logged on as Administrator, use Explorer to navigate to C:\WINDOWS\PROFILES\USER\STARTMENU. In this folder and those below it, delete any shortcuts to programs the user shouldn't be allowed to run, including every shortcut to the Recent folder. Be sure to delete the shortcuts to POLEDIT, Regedit, and Explorer.

5. Install Policy Editor.

Launch the Add/Remove Software applet in Control Panel, click the Windows Setup tab, and press the Have button. Navigate to the ADMIN\APPTOOLS\POLEDIT folder of the Windows 95 CD-ROM and install POLEDIT.INF. This will install POLEDIT and put it on the Accessories\System Tools submenu of the Programs menu. It will also place the critical policy template file ADMIN.ADM in the C:\WINDOWS\INF directory. If you don't have the CD, you can download POLEDIT from somewhere on [www.microsoft.com] or CIS MSWIN.

6. Define Default User Policy.

Launch POLEDIT, create a new file, and add new users named User and Administrator. Double-click the Default User icon, select System|Restrictions, and check all four boxes. Select Shell |Restrictions and check the four boxes whose captions begin with Remove, plus the two that say Hide All Items on Desktop and Don't Save Settings on Exit. Do not check the Disable Shutdown command. Use Explorer to create a folder named C:\WINDOWS\PROFILE\DUMMY. Back in POLEDIT, select Shell|Custom Folders and check all the boxes, filling in the dummy folder name you just created for those that require paths. Click OK and save the file as CONFIG.POL.

7. Define User Policy.

Load the example policy file MAXIMUM.POL, click on the Default User icon, and choose Copy from the Edit menu. Reload CONFIG.POL, click on the User icon, and select Paste from the Edit menu. Double-click the User icon and choose Shell|Custom Folders. Click on the text of each check box in turn and, if an edit box appears below, replace C:\WINDOWS with C:\WINDOWS\PROFILES\USER. Make sure all boxes remain checked. Select Control Panel | Passwords and check the Restrict box; then check the other four boxes that appear below. Under Shell | Restrictions, check the Remove Run command, Remove Find command, Hide Drives in My Computer, and Don't Save Settings on Exit. Consult the Windows Resource Kit Help to determine what other restrictions you may wish to add, but be sure not to check Disable ShutDown Command. Now go to the Shell | Restrictions and System | Restrictions and change any gray check boxes to blank.

8. Define Administrator Policy.

Double-click the Administrator icon and go through the entire list of restrictions, setting every check box to blank, not gray. This protects the Administrator policy from being affected by the Default User policy.

9. Define "no user" Policy.

Log on again, but press ESC to close the log-on prompt. Run POLEDIT, select Open Registry from the File menu, and double-click Local User. Apply all the same restrictions you applied to Default User. Then log on as Administrator again.

10. Enable Policy Loading.

Load CONFIG.POL in POLEDIT, open the Default Computer icon, select System, and check Enable User Profiles. Under Network\Update, check Remote Update. Select Manual for the Update Mode, and enter C:\WINDOWS\CONFIG.POL as your path. Save CONFIG.POL. Now select Open Registry from the File menu, double-click Local Computer, and make the same change to the network update mode. Save changes and exit POLEDIT.

11. Test Policies.

Log on as User; check to see that the policy restrictions you specified are in place. Log on as Administrator and check that there are no restrictions. Now shut down and log on again, but use a new name and password. There should be no icons on the desktop and no programs available from the Start menu (nothing to do but log on again). This time press ESC at the log-on prompt to bypass entering a user name. Again you should have no option but to shut down and log on again.

12. Protect Policies.

Log on as User and confirm there is no way to run POLEDIT. For greater safety, change the file named ADMIN.ADM (in the C:\WINDOWS\INF folder) to something else. Use the DOS command ATTRIB to remove the read-only, hidden, and system attributes from the file C:\MSDOS.SYS, and load it into your favorite editor. Find the heading [Options] and change the bootkeys= key to bootkeys=0. If this key is not present under [Options], simply add it. Save the file and restore its read-only, hidden, and system attributes. This change prevents the user from breaking out of Windows 95's startup process. Finally, if the system BIOS permits, use its SETUP program to disable booting from a floppy disk.

2. Disabling the Right-Click on the Start Button:

Normally, when you right-click on the Start button, it allows you to open your programs folder, the Explorer and run Find. To secure your computer in situations where you don't want users to be able to do this:

  1. Start Regedit
  2. Search for Desktop
  3. This should bring you to HKEY_Classes_Root\Directory
  4. Expand this section
  5. Under Shell is Find
  6. Delete Find
  7. Move down a little in the Registry to Folder
  8. Expand this section and remove Explore and Open

Now when you right click on the Start button, nothing should happen. You can delete only those items that you need.
Note: On Microsoft keyboards, this also disables the Window-E (for Explorer) and Window-F (for Find) keys.
See the section on Installation to see how to do this automatically during an install.

3. Disabling My Computer:

In areas where you are trying to restrict what users can do on the computer, it might be beneficial to disable the ability to click on My Computer and have access to the drives, control panel etc.

To disable this:

  1. Start Regedit
  2. Search for 20D04FE0-3AEA-1069-A2D8-08002B30309D
  3. This should bring you to the HKEY_Classes_Root\CLSID section
  4. Delete the entire section

Now when you click on My Computer, nothing will happen. You might want to export this section to a registry file before deleting it just in case you want to enable it again.

See the section on Installation to see how to do this automatically during an install.

4. For your eyes only:

Don't want your nosy neighbors peeking at what you've got on your computer when you step away from your desk? Your screen saver's certainly not going to stop them -- unless you password protect it. Choose any password you want and once that screen saver kicks in, you can't get back into what you were doing unless you enter the right password. So snoopers are locked out. Nyaa-nyaa! To set a screen saver password, click the desktop with the right mouse button and choose Properties to open the Display Properties dialog box. Now click the Screen Saver tab, click the Password protected box, then click the Change button and enter a password -- twice. Click OK and breathe easy. While you're at it (2 tips in one!), now might be a good time to set that screen saver to kick in a little faster. Just use the up and down arrows next to Wait to adjust how long it takes to kick in.

5. Hidden Creator:

Platform: all windows platforms

When creating a directory in MS-DOS, type the directory name and press ALT255. The directory can be seen in a directory listing but cannot be opened without pressing ALT255 at the end of the directory name. Great security feature to keep people out of your private directory or directories.

6. Boot keys - Locking out

Open a command prompt (from start menu select RUN, then type COMMAND), switch to the root directory and issue the following command:

ATTRIB -H -R -S MSDOS.SYS

This will remove the hidden, read only and system attributes so you may edit it.

BootKeys=1 Enables the special startup option keys (F5, F6, and F8). Setting this value to 0 prevents any startup keys from functioning. If you're a systems administrator, this setting lets you configure a more secure system.

BE SURE TO RE-ENABLE THE HIDDEN, READ ONLY, and SYSTEM PROPERTIES after you edit the MSDOS.SYS by typing:

ATTRIB +H +R +S MSDOS.SYS

7. Hiding Any Combination of Drives

If you want to stop a drive or any combination of drives appearing in Explorer/My Computer, add the Binary Value of 'NoDrives' in the registry at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Give it a value from a combination of the table below:

Drive Letter    Value
A:              01 00 00 00
B:              02 00 00 00
C:              04 00 00 00
D:              08 00 00 00
E:              10 00 00 00
F:              20 00 00 00
G:              40 00 00 00
H:              80 00 00 00
I:              00 01 00 00
J:              00 02 00 00
K:              00 04 00 00
L:              00 08 00 00
M:              00 10 00 00
N:              00 20 00 00
O:              00 40 00 00
P:              00 80 00 00
Q:              00 00 01 00
R:              00 00 02 00
S:              00 00 04 00
T:              00 00 08 00
U:              00 00 10 00
V:              00 00 20 00
W:              00 00 40 00
X:              00 00 80 00
Y:              00 00 00 01
Z:              00 00 00 02

For example, to hide drives {C,E,J,O,R,U,Y,Z} you would give 'NoDrives' the value 14 42 12 03

Where C+E = 14, J+O = 42, R+U = 12 and Y+Z = 03

Please NOTE: The numbers are to be added in HEXadecimal, i.e. ABCD = 0F, not 15.

All Drives Visible is 00 00 00 00
All Drives Hidden is FF FF FF 03
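
The byte arithmetic above, as an added Python example that is not part of the original tutorial: it builds the NoDrives value from a set of drive letters, decodes an existing value back into the letters it hides (useful when auditing a machine), and writes the matching REGEDIT4 fragment for a .REG file. The function names are hypothetical; the key path and the expected byte values come from the text above.

```python
"""NoDrives bitmask helper. Added example; all function names are hypothetical."""

# Key path as given in the tutorial text.
POLICY_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
              r"\CurrentVersion\Policies\Explorer")

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def nodrives_mask(letters):
    """Return the 26-bit mask: bit 0 = A:, bit 1 = B:, ... bit 25 = Z:."""
    mask = 0
    for letter in letters:
        letter = letter.strip(": ").upper()
        if len(letter) != 1 or letter not in ALPHABET:
            raise ValueError(f"not a drive letter: {letter!r}")
        # OR (not +) so that naming a drive twice cannot corrupt the value.
        mask |= 1 << ALPHABET.index(letter)
    return mask


def mask_to_hex(mask):
    """Format the mask as four bytes, low byte first, as Regedit displays it."""
    return " ".join(f"{b:02X}" for b in mask.to_bytes(4, "little"))


def hex_to_letters(text):
    """Decode 'xx xx xx xx' (spaces or commas) into the hidden drive letters."""
    parts = text.replace(",", " ").split()
    if len(parts) != 4:
        raise ValueError("NoDrives must be exactly four bytes")
    mask = int.from_bytes(bytes(int(p, 16) for p in parts), "little")
    if mask >> 26:
        raise ValueError("bits above Z: are set; value is not a drive mask")
    return [ALPHABET[i] for i in range(26) if (mask >> i) & 1]


def reg_fragment(letters):
    """Return REGEDIT4 text that sets NoDrives as a Binary [hex] value."""
    data = ",".join(f"{b:02x}" for b in nodrives_mask(letters).to_bytes(4, "little"))
    return f'REGEDIT4\r\n\r\n[{POLICY_KEY}]\r\n"NoDrives"=hex:{data}\r\n'


if __name__ == "__main__":
    # The tutorial's own worked example: hide C, E, J, O, R, U, Y and Z.
    wanted = "CEJORUYZ"
    print("value  :", mask_to_hex(nodrives_mask(wanted)))
    print("decoded:", hex_to_letters("14 42 12 03"))
    print(reg_fragment(wanted))
```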

8. Hmmm? =)

I won't get into the fact that your boss "probably" has the legal right to do whatever he/she wants. It's his/her computer and his/her salary.... That being said: TweakUI will automatically clear out things like the Doc, Run, Find etc. In fact in tweakui it's under the tab Paranoia (which is kind of fitting). You might also del everything in the \\windows\temp internet file folder. Disable file sharing so he can't sit at his desk and look at your hard drive. Last but not least, go to find and look for *.pwl. This will tell you if anyone is logging onto your pc with their password.

9. Useful links

You might find these links useful for securing your pc and keeping it up to date with the latest security patches:

Junkbusters Home Page [http://www.junkbusters.com/ht/en/index.html]
Securityfocus [http://www.securityfocus.com]
Packetstorm [http://packetstormsecurity.org]
Blacksun Research Facility [http://blacksun.box.sk]