<td>
<p>Hide Virtual Memory Button</p>
</td>
</tr>
</table><br>
<li>In the Network key you can enter:<br><br></li>
<table align="center" border="1" cellpadding="0" cellspacing="0" width="80%">
<tr>
<th>
<p>Key Name</p>
</th>
<th>
<p>Description</p>
</th>
</tr>
<tr>
<td valign="top">
<p>NoNetSetup</p>
</td>
<td>
<p>Disable the Network Control Panel</p>
</td>
</tr>
<tr>
<td valign="top">
<p>NoNetSetupIDPage</p>
</td>
<td>
<p>Hide Identification Page</p>
</td>
</tr>
<tr>
<td valign="top">
<p>NoNetSetupSecurityPage</p>
</td>
<td>
<p>Hide Access Control Page</p>
</td>
</tr>
<tr>
<td valign="top">
<p>NoFileSharingControl</p>
</td>
<td>
<p>Disable File Sharing Controls</p>
</td>
</tr>
<tr>
<td valign="top">
<p>NoPrintSharing</p>
</td>
<td>
<p>Disable Print Sharing Controls</p>
</td>
</tr>
</table><br>
<li>In the WinOldApp key you can enter:<br><br></li>
<table align="center" border="1" cellpadding="0" cellspacing="0" width="80%">
<tr>
<th>
<p>Key Name</p>
</th>
<th>
<p>Description</p>
</th>
</tr>
<tr>
<td valign="top">
<p>Disabled</p>
</td>
<td>
<p>Disable MS-DOS Prompt</p>
</td>
</tr>
<tr>
<td valign="top">
<p>NoRealMode</p>
</td>
<td>
<p>Disables Single-Mode MS-DOS</p>
</td>
</tr>
</table>
</ol>
<p>4. Poledit Tips</p>
<p>The policy editor will allow you to remove the Run command from the Start menu.
You can also specify only certain apps that Windows 95 can run using a policy.
Unfortunately, booting in safe mode will allow someone to run poledit and undo all your
changes.</p>
<p>If you are on a network, the best way is to put the policy there, and configure it so they
must log in to use the computer. Any changes made with policy editor in safe mode will be
reset after the user authenticates to the network, unless, of course, they kill the network
configuration. But if that happens, they're now screwed.</p>
<p>Bottom line: If you have such a problem with users hacking your system and reasonable measures
taken with policy editor cannot stop them, those people should not be allowed to use the
computer in the first place!</p>
<p>Don't forget, you can always use a BIOS password and lock the case, so it can't be reset
without a hammer and screwdriver. You can also edit the MSDOS.SYS file and change the
BootMulti line to 0 so they can't enter safe mode without a boot disk. Disabling boot from
floppy in the BIOS will afford you another level of protection. There are also third-party
utilities which will handle these chores for you.</p>
<h4>SECURITY</h4>
<p>INDEX</p>
<ol>
<li>Creating Secure User Profiles under Win9x</li>
<li>Disabling the Right-Click on the Start Button</li>
<li>Disabling My Computer</li>
<li>For Your Eyes Only</li>
<li>Hidden Creator</li>
<li>Boot Keys - Locking Out</li>
<li>Restrictions without running Poledit</li>
<li>Hmmm?</li>
<li>Useful Links</li>
</ol>
<p>1. Creating Secure User Profiles under Win9x:</p>
<p>The following is the text of a letter by Richard Turner of Augusta, Georgia.
It was published in PC Magazine, and is undoubtedly
copyrighted by them. I'm including it because it addresses a common question
about how to create secure user profiles in Win9x. This was a Stumper
question at one point - many people responded that the answer was to use the
Policy Editor, but no one explained the exact, best procedure. This letter
does a very good job of that.</p>
<p>Once again, the following is directly from PC Magazine, and was written by
Richard Turner.</p>
<blockquote>
<p>Publicly accessible computers, such as those in schools, require a
significant degree of security to prevent abuse. The Windows 95 CD-ROM
provides the tool you need to implement restrictive policies on such
machines in the form of the Policy Editor (POLEDIT) application.
Unfortunately, the Windows 95 Resource Kit doesn't tell you how to use
POLEDIT for standalone computers, so I developed a method of my own:</p>
<p>1. Prepare the System.</p>
<p>Use Explorer to make backup copies of USER.DAT and
SYSTEM.DAT, in case of emergency. Make sure you have at least 10MB
free on the Windows drive to hold user profile information.</p>
<p>2. Enable User Profiles.</p>
<p>Launch the Password applet in Control Panel.
Click the User Profiles tab, click the option Users Can Customize,
and check the two boxes. Click OK; Windows will restart.</p>
<p>3. Create Profiles.</p>
<p>When Windows restarts, log on as User and allow
Windows to create folders to hold your profile information. Shut down
and log on again as Administrator, with a suitably obscure password,
and again allow Windows to create profile folders. Don't forget this
password!</p>
<p>4. Restrict User Access to Programs.</p>
<p>While logged on as Administrator, use
Explorer to navigate to C:\WINDOWS\PROFILES\USER\STARTMENU. In this
folder and those below it, delete any shortcuts to programs the user
shouldn't be allowed to run, including every shortcut to the Recent
folder. Be sure to delete the shortcuts to POLEDIT, Regedit, and
Explorer.</p>
<p>5. Install Policy Editor.</p>
<p>Launch the Add/Remove Software applet in Control
Panel, click the Windows Setup tab, and press the Have button.
Navigate to the ADMIN\APPTOOLS\POLEDIT folder of the Windows 95 CD-ROM
and install POLEDIT.INF. This will install POLEDIT and put it on the
Accessories\System Tools submenu of the Programs menu. It will also
place the critical policy template file ADMIN.ADM in the C:\WINDOWS\INF
directory. If you don't have the CD, you can download POLEDIT from somewhere on
[<a href="http://www.microsoft.com" target="_blank">www.microsoft.com</a>] or CIS MSWIN.</p>
<p>6. Define Default User Policy.</p>
<p>Launch POLEDIT, create a new file, and add
new users named User and Administrator. Double-click the Default User
icon, select System|Restrictions, and check all four boxes. Select Shell
|Restrictions and check the four boxes whose captions begin with Remove,
plus the two that say Hide All Items on Desktop and Don't Save Settings on
Exit. Do not check the Disable Shutdown
command. Use Explorer to create a folder named C:\WINDOWS\PROFILE\DUMMY.
Back in POLEDIT, select Shell|Custom Folders and check all the boxes,
filling in the dummy folder name you just created for those that
require paths. Click OK and save the file as CONFIG.POL.</p>
<p>7. Define User Policy.</p>
<p>Load the example policy file MAXIMUM.POL, click on
the Default User icon, and choose Copy from the Edit menu. Reload
CONFIG.POL, click on the User icon, and select Paste from the Edit menu.
Double-click the User icon and choose Shell|Custom Folders. Click on the
text of each check box in turn and, if an edit box appears below,
replace C:\WINDOWS with C:\WINDOWS\PROFILES\USER. Make sure all boxes
remain checked. Select Control Panel | Passwords and check the Restrict
box; then check the other four boxes that appear below. Under Shell |
Restrictions, check the Remove Run command, Remove Find command, Hide
Drives in My Computer, and Don't Save Settings on Exit. Consult the
Windows Resource Kit Help to determine what other restrictions you may
wish to add, but be sure not to check Disable ShutDown Command. Now go
to the Shell | Restrictions and System | Restrictions and change any
gray check boxes to blank.</p>
<p>8. Define Administrator Policy.</p>
<p>Double-click the Administrator icon and go
through the entire list of restrictions, setting every check box to
blank, not gray. This protects the Administrator policy from being
affected by the Default User policy.</p>
<p>9. Define "no user" Policy.</p>
<p>Log on again, but press ESC to close the
log-on prompt. Run POLEDIT, select Open Registry from the File menu,
and double-click Local User. Apply all the same restrictions you
applied to Default User. Then log on as Administrator again.</p>
<p>10. Enable Policy Loading.</p>
<p>Load CONFIG.POL in POLEDIT, open the Default
Computer icon, select System, and check Enable User Profiles. Under
Network\Update, check Remote Update. Select Manual for the Update Mode,
and enter C:\WINDOWS\CONFIG.POL as your path. Save CONFIG.POL. Now
select Open Registry from the File menu, double-click Local Computer,
and make the same change to the network update mode. Save changes and
exit POLEDIT.</p>
<p>11. Test Policies.</p>
<p>Log on as User; check to see that the policy restrictions
you specified are in place. Log on as Administrator and check that
there are no restrictions. Now shut down and log on again, but use a
new name and password. There should be no icons on the desktop and no
programs available from the Start menu (nothing to do but log on again).
This time press ESC at the log-on prompt to bypass entering a user name.
Again you should have no option but to shut down and log on again.</p>
<p>12. Protect Policies.</p>
<p>Log on as User and confirm there is no way to run
POLEDIT. For greater safety, change the file named ADMIN.ADM
(in the C:\WINDOWS\INF folder) to something else. Use the DOS command
ATTRIB to remove the read-only, hidden, and system attributes from the
file C:\MSDOS.SYS, and load it into your favorite editor. Find the
heading [Options] and change the bootkeys= key to bootkeys=0. If this
key is not present under [Options], simply add it. Save the file and
restore its read-only, hidden, and system attributes. This change
prevents the user from breaking out of Windows 95's startup
process. Finally, if the system BIOS permits, use its SETUP program to
disable booting from a floppy disk.</p>
</blockquote>
<p>2. Disabling the Right-Click on the Start Button:</p>
<p>Normally, when you right-click the Start button, it allows you
to open your programs folder, start Explorer and run Find. Where you
don't want users to be able to do this, you can remove these options to
secure your computer:</p>
<ol>
<li>Start Regedit</li>
<li>Search for Desktop</li>
<li>This should bring you to <font class="white">HKEY_Classes_Root\Directory</font></li>
<li>Expand this section</li>
<li>Under Shell is Find</li>
<li>Delete Find</li>
<li>Move down a little in the Registry to Folder</li>
<li>Expand this section and remove Explore and Open</li>
</ol>
<p>Now when you right-click the Start button, nothing should happen.
You can delete only those items that you need.<br>
Note: On Microsoft keyboards, this also disables the Windows-E
(for Explorer) and Windows-F (for Find) keys.<br>
See the section on Installation to see how to do this automatically
during an install.</p>
<p>3. Disabling My Computer:</p>
<p>In areas where you are trying to restrict what users can do on the
computer, it might be beneficial to disable the ability to click on My
Computer and have access to the drives, control panel etc.</p>
<p>To disable this:</p>
<ol>
<li>Start Regedit</li>
<li>Search for <font class="white">20D04FE0-3AEA-1069-A2D8-08002B30309D</font></li>
<li>This should bring you to the <font class="white">HKEY_Classes_Root\CLSID</font> section</li>
<li>Delete the entire section</li>
</ol>
<p>Now when you click on My Computer, nothing will happen.
You might want to export this section to a registry file before deleting
it just in case you want to enable it again.</p>
<p>See the section on Installation to see how to do this automatically
during an install.</p>
<p>4. For your eyes only:</p>
<p>Don't want your nosy neighbors peeking at what you've got on your
computer when you step away from your desk? Your screen saver's
certainly not going to stop them -- unless you password protect it.
Choose any password you want and once that screen saver kicks in, you
can't get back into what you were doing unless you enter the right
password. So snoopers are locked out. Nyaa-nyaa! To set a screen saver
password, click the desktop with the right mouse button and choose
Properties to open the Display Properties dialog box. Now click the
Screen Saver tab, click the Password protected box, then click the
Change button and enter a password -- twice. Click OK and breathe
easy. While you're at it (2 tips in one!), now might be a good time to
set that screen saver to kick in a little faster. Just use the up and
down arrows next to Wait to adjust how long it takes to kick in.</p>
<p>5. Hidden Creator:</p>
<p>Platform: all Windows platforms</p>
<p>When creating a directory in MS-DOS, type the directory name and then press ALT+255.
The directory can be seen in a directory listing but cannot be opened without pressing
ALT+255 at the end of the directory name. Great security feature to keep people out
of your private directory or directories.</p>
<p>6. Boot keys - Locking out</p>
<p>Open a command prompt (from start menu select RUN, then type COMMAND), switch to the root
directory and issue the following command:</p>
<p class="white">ATTRIB -H -R -S MSDOS.SYS</p>
<p>This will remove the hidden, read only and system attributes so you may edit it.</p>
<p>BootKeys=1 Enables the special startup option keys (F5, F6, and F8). Setting this value to 0
prevents any startup keys from functioning. If you're a systems administrator, this setting
lets you configure a more secure system.</p>
<p>BE SURE TO RE-ENABLE THE HIDDEN, READ ONLY, and SYSTEM PROPERTIES after you
edit the MSDOS.SYS by typing:</p>
<p class="white">ATTRIB +H +R +S MSDOS.SYS</p>
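<p>The MSDOS.SYS edit described above (and in step 12 of the letter) can be checked and applied mechanically. The following is an added example, not part of the original page: it works on the text of MSDOS.SYS only, the function names are hypothetical, the sample file contents are constructed, and the locked values (BootKeys=0, BootMulti=0) are the ones this page gives.</p>

```python
LOCKED = {"BootKeys": "0", "BootMulti": "0"}  # values this page recommends
# Constructed sample of an MSDOS.SYS file (CRLF line endings, BootKeys absent).
SAMPLE = ("[Paths]\r\nWinDir=C:\\WINDOWS\r\nWinBootDir=C:\\WINDOWS\r\n"
          "HostWinBootDrv=C\r\n\r\n[Options]\r\nBootMulti=1\r\nBootGUI=1\r\n")

def section_of(line):
    """Return the lowercased section name if the line is a [Section] header."""
    s = line.strip()
    return s[1:-1].strip().lower() if s.startswith("[") and s.endswith("]") else None

def parse_options(text):
    """Return {lowercased key: value} for entries under [Options] only."""
    opts, section = {}, None
    for line in text.splitlines():
        name = section_of(line)
        if name is not None:
            section = name
        elif section == "options" and "=" in line and not line.lstrip().startswith(";"):
            key, value = line.split("=", 1)
            opts[key.strip().lower()] = value.strip()
    return opts

def set_option(text, key, value):
    """Set key=value under [Options]; add the key (or the section) if it is missing."""
    out, section, written = [], None, False
    for line in text.splitlines():
        name = section_of(line)
        if name is not None:
            section = name
        elif section == "options" and "=" in line:
            if line.split("=", 1)[0].strip().lower() == key.lower():
                line, written = f"{key}={value}", True
        out.append(line)
        if name == "options" and not written and key.lower() not in parse_options(text):
            out.append(f"{key}={value}")
            written = True
    if not written:
        out += ["[Options]", f"{key}={value}"]
    return "\r\n".join(out) + "\r\n"

def audit(text):
    """Return the settings from LOCKED that are absent or not at the locked value."""
    return [k for k, v in LOCKED.items() if parse_options(text).get(k.lower()) != v]

def harden(text):
    """Apply every LOCKED setting and return the new file text."""
    for key, value in LOCKED.items():
        text = set_option(text, key, value)
    return text
```

<p>Here audit(SAMPLE) reports both settings as unlocked, and audit(harden(SAMPLE)) reports none; the ATTRIB steps around the edit still have to be done by hand.</p>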
<a name="hidewin9xdrives"></a>
<p>7. Hiding Any Combination of Drives</p>
<p>If you want to stop a drive or any combination of drives appearing in Explorer/My
Computer, add the Binary Value of 'NoDrives' in the registry at <font class="white">
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer</font></p>
<p>Give it a value from a combination of the table below:</p>
<table align="center" border="1" cellpadding="0" cellspacing="0" width="80%">
<tr>
<th>
<p>Drive Letter</p>
</th>
<th>
<p>Value</p>
</th>
</tr>
<tr>
<td>
<p>A:</p>
</td>
<td>
<p>01 00 00 00</p>
</td>
</tr>
<tr>
<td>
<p>B:</p>
</td>
<td>
<p>02 00 00 00</p>
</td>
</tr>
<tr>
<td>
<p>C:</p>
</td>
<td>
<p>04 00 00 00</p>
</td>
</tr>
<tr>
<td>
<p>D:</p>
</td>
<td>
<p>08 00 00 00</p>
</td>
</tr>
<tr>
<td>
<p>E:</p>
</td>
<td>
<p>10 00 00 00</p>
</td>
</tr>
<tr>
<td>
<p>F:</p>
</td>
<td>
<p>20 00 00 00</p>
</td>
</tr>
<tr>
<td>
<p>G:</p>
</td>
<td>
<p>40 00 00 00</p>
</td>
</tr>
<tr>
<td>
<p>H:</p>
</td>
<td>
<p>80 00 00 00</p>
</td>
</tr>
<tr>
<td>
<p>I:</p>
</td>
<td>
<p>00 01 00 00</p>
</td>
</tr>
<tr>
<td>
<p>J:</p>
</td>
<td>
<p>00 02 00 00</p>
</td>
</tr>
<tr>
<td>
<p>K:</p>
</td>
<td>
<p>00 04 00 00</p>
</td>
</tr>
<tr>
<td>
<p>L:</p>
</td>
<td>
<p>00 08 00 00</p>
</td>
</tr>
<tr>
<td>
<p>M:</p>
</td>
<td>
<p>00 10 00 00</p>
</td>
</tr>
<tr>
<td>
<p>N:</p>
</td>
<td>
<p>00 20 00 00</p>
</td>
</tr>
<tr>
<td>
<p>O:</p>
</td>
<td>
<p>00 40 00 00</p>
</td>
</tr>
<tr>
<td>
<p>P:</p>
</td>
<td>
<p>00 80 00 00</p>
</td>
</tr>
<tr>
<td>
<p>Q:</p>
</td>
<td>
<p>00 00 01 00</p>
</td>
</tr>
<tr>
<td>
<p>R:</p>
</td>
<td>
<p>00 00 02 00</p>
</td>
</tr>
<tr>
<td>
<p>S:</p>
</td>
<td>
<p>00 00 04 00</p>
</td>
</tr>
<tr>
<td>
<p>T:</p>
</td>
<td>
<p>00 00 08 00</p>
</td>
</tr>
<tr>
<td>
<p>U:</p>
</td>
<td>
<p>00 00 10 00</p>
</td>
</tr>
<tr>
<td>
<p>V:</p>
</td>
<td>
<p>00 00 20 00</p>
</td>
</tr>
<tr>
<td>
<p>W:</p>
</td>
<td>
<p>00 00 40 00</p>
</td>
</tr>
<tr>
<td>
<p>X:</p>
</td>
<td>
<p>00 00 80 00</p>
</td>
</tr>
<tr>
<td>
<p>Y:</p>
</td>
<td>
<p>00 00 00 01</p>
</td>
</tr>
<tr>
<td>
<p>Z:</p>
</td>
<td>
<p>00 00 00 02</p>
</td>
</tr>
</table>
<p>For example, to hide drives {C,E,J,O,R,U,Y,Z} you would give 'NoDrives'
the value 14 42 12 03.</p>
<p>Here C+E = 14, J+O = 42, R+U = 12 and Y+Z = 03.<br>
Please NOTE: The numbers are to be added in hexadecimal, i.e. A+B+C+D = 0F, not 15.<br>
All drives visible is 00 00 00 00. All drives hidden is FF FF FF 03.</p>
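<p>The table and the worked example above amount to a 32-bit mask with bit 0 for A: through bit 25 for Z:, stored least significant byte first. The following is an added example, not part of the original page: the function names are hypothetical, and the .reg output assumes the Win9x REGEDIT4 text format.</p>

```python
import string

# Registry key named on the page; REGEDIT4 is the Win9x .reg text format (assumption).
KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

def nodrives_bytes(letters):
    """Encode drive letters as the 4-byte NoDrives value (bit 0 = A:, bit 25 = Z:)."""
    mask = 0
    for ch in letters.upper():
        if ch not in string.ascii_uppercase:
            raise ValueError(f"not a drive letter: {ch!r}")
        mask |= 1 << (ord(ch) - ord("A"))
    # The registry stores the mask least significant byte first.
    return mask.to_bytes(4, "little")

def hidden_drives(value):
    """Decode a 4-byte NoDrives value into the list of hidden drive letters."""
    if len(value) != 4:
        raise ValueError("NoDrives must be exactly 4 bytes")
    mask = int.from_bytes(value, "little")
    if mask >> 26:
        raise ValueError("bits above Z: are set")
    return [string.ascii_uppercase[i] for i in range(26) if (mask >> i) & 1]

def reg_file(letters):
    """Render a .reg import that sets NoDrives for the given letters."""
    data = ",".join(f"{b:02x}" for b in nodrives_bytes(letters))
    return f'REGEDIT4\n\n[{KEY}]\n"NoDrives"=hex:{data}\n'

if __name__ == "__main__":
    print(nodrives_bytes("CEJORUYZ").hex(" "))   # the page's worked example
    print("".join(hidden_drives(bytes.fromhex("ffffff03"))))
    print(reg_file("AB"))
```

<p>Decoding an existing value with hidden_drives is also a quick way to audit which drives a machine's policy currently hides.</p>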
<p>8. Hmmm? =)</p>
<p>I won't get into the fact that your boss "probably" has the legal right to do whatever
he/she wants. It's his/her computer and his/her salary.... That being said: TweakUI will
automatically clear out things like the Doc, Run, Find etc. In fact, in TweakUI it's under
the tab Paranoia (which is kind of fitting). You might also del everything in the
\\windows\temp internet file folder. Disable file sharing so he can't sit at his desk and
look at your hard drive. Last but not least, go to Find and look for *.pwl. This will tell
you if anyone is logging onto your PC with their password.</p>
<p>9. Useful links</p>
<p>You might find these links useful for securing your pc and keeping it up to date with the
latest security patches:</p>
<p>Junkbusters Home Page [<a href="http://www.junkbusters.com/ht/en/index.html" target="_blank">http://www.junkbusters.com/ht/en/index.html</a>]<br>
Securityfocus [<a href="http://www.securityfocus.com" target="_blank">http://www.securityfocus.com</a>]<br>
Packetstorm [<a href="http://packetstormsecurity.org." target="_blank">http://packetstormsecurity.org</a>]<br>
Blacksun Research Facility [<a href="http://blacksun.box.sk">http://blacksun.box.sk</a>]</p>
</body>
</html>