I happen to have some old examples on hand for the boot-up process. I think they are OK, but I am not sure.
To completely lock down, you need to go into the BIOS and disable the floppy drive, then password-protect the BIOS. Next, go into MSDOS.sys and disable all the options that allow users to break in during boot-up. Then in your autoexec put:
"c:\windows\security\regedit.exe /s c:\windows\security\restrict.reg"
The restrict.reg file is:
code:
REGEDIT4

; Merged silently at boot by "regedit.exe /s restrict.reg".
; All Policies keys live under HKEY_USERS\.Default, which is the hive in
; effect when user profiles are disabled (see the notes below the file).

; Explorer shell restrictions
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDeletePrinter"=dword:00000001
"NoAddPrinter"=dword:00000001
"NoRun"=dword:00000001
"NoFind"=dword:00000001
"NoNetHood"=dword:00000001
"NoSaveSettings"=dword:00000001
"NoPrinterTabs"=dword:00000001
"NoSetFolders"=dword:00000001
"NoSetTaskbar"=dword:00000001
; NoDrives is a bitmask, bit 0 = A: ... bit 25 = Z:; 03ffffff hides all 26 drives
"NoDrives"=dword:03ffffff

; Network control panel and Network Neighborhood restrictions
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
"NoEntireNetwork"=dword:00000001
"NoWorkgroupContents"=dword:00000001
"NoNetSetup"=dword:00000001
"NoNetSetupIDPage"=dword:00000001
"NoNetSetupSecurityPage"=dword:00000001

; Control Panel applets/pages and registry editor
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoSecCPL"=dword:00000001
"NoAdminPage"=dword:00000001
"NoPwdPage"=dword:00000001
"NoDispCPL"=dword:00000001
"NoDispSettingsPage"=dword:00000001
"NoDispScrSavPage"=dword:00000001
"NoDispAppearancePage"=dword:00000001
"NoDispBackgroundPage"=dword:00000001
"NoProfilePage"=dword:00000001
"NoDevMgrPage"=dword:00000001
"NoConfigPage"=dword:00000001
"NoFileSysPage"=dword:00000001
"NoVirtMemPage"=dword:00000001
"DisableRegistryTools"=dword:00000001

; Only programs listed under RestrictRun may be launched from the shell.
; The single entry is the "can-opener" described below; without it you
; have no way back into the machine from inside Windows.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"RestrictRun"=dword:00000001

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]
"0"="HiddenOptions.exe"

; Require a validated network logon (no Cancel at the logon prompt)
[HKEY_LOCAL_MACHINE\Network\Logon]
"MustBeValidated"=dword:00000001

; Display names of the desktop shell icons
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FBF23B42-E3F0-101B-8488-00AA003E56F8}]
@="The Internet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}]
@="My Computer"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}]
@="Network Neighborhood"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020D75-0000-0000-C000-000000000046}]
@="Inbox"
The key to making this work is disabling profiles in the registry, because you then get access to the current user hive, which is critical for security.
Also note the HiddenOptions.exe program. This is a can-opener: a small freeware security program for Win98 that we keep on a disk. By changing the BIOS settings we can open up machines disconnected from the LAN. Beware: if you implement the above script without the can-opener, you will have great difficulty getting at the OS. (It can be done by enabling boot from disk in the BIOS and using a DOS boot disk.)
Then during logon we edit the registry with KiXtart to open the system up. Again, the key to making this work is disabling profiles so you can get at the current user hive.
Hope that helps you get started.
[ 04. October 2002, 21:49: Message edited by: Jack Lothian ]
_________________________
Jack
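The post's lockout warning is worth checking before a file like restrict.reg is merged at boot. Below is an added example, not code from the post or from Jack: a small parser for the REGEDIT4 text format, plus an audit that decodes the NoDrives bitmask and flags a RestrictRun allow-list that has no escape program. The embedded SAMPLE_REG is a constructed, trimmed copy of the post's file; the key paths are the ones the post uses, and the audit function and its finding strings are this example's own.

```python
"""
Added example: parse a REGEDIT4 export and audit the Win9x policy values
before merging it with "regedit.exe /s". Not part of the original post.
"""
import re
from typing import Dict, Tuple

# Constructed sample: a trimmed copy of the post's restrict.reg.
SAMPLE_REG = r"""REGEDIT4

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoDrives"=dword:03ffffff
"RestrictRun"=dword:00000001

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]
"0"="HiddenOptions.exe"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\Network\Logon]
"MustBeValidated"=dword:00000001
"""

RegTree = Dict[str, Dict[str, object]]

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.+)$')


def parse_regedit4(text: str) -> RegTree:
    """Parse a REGEDIT4 export into {key_path: {value_name: data}}.

    dword: values become ints, quoted strings become str, and '@' is the
    key's default value. Lines starting with ';' are comments. Raises
    ValueError on a missing header or a value before any [key] line.
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("missing REGEDIT4 header")
    tree: RegTree = {}
    current = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            tree.setdefault(current, {})  # repeated [key] blocks merge, as regedit does
            continue
        if current is None:
            raise ValueError(f"value outside of a key: {line}")
        if line.startswith("@="):
            name, data = "@", line[2:]
        else:
            m = _VALUE_RE.match(line)
            if not m:
                raise ValueError(f"unparsable line: {line}")
            name, data = m.group("name"), m.group("data")
        if data.startswith("dword:"):
            tree[current][name] = int(data[6:], 16)
        elif data.startswith('"') and data.endswith('"'):
            tree[current][name] = data[1:-1]
        else:
            raise ValueError(f"unsupported data type: {data}")
    return tree


def hidden_drives(mask: int) -> str:
    """Decode the NoDrives bitmask: bit 0 = A:, bit 1 = B:, ... bit 25 = Z:."""
    return "".join(chr(ord("A") + i) for i in range(26) if mask & (1 << i))


def audit(tree: RegTree) -> Tuple[str, ...]:
    """Return the findings a practitioner wants before merging the file."""
    pol = r"HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies"
    explorer = tree.get(pol + r"\Explorer", {})
    system = tree.get(pol + r"\System", {})
    allow = tree.get(pol + r"\Explorer\RestrictRun", {})
    findings = []
    if explorer.get("RestrictRun") == 1:
        names = sorted(str(v) for k, v in allow.items() if k != "@")
        findings.append(f"RestrictRun allow-list: {', '.join(names) or '(empty)'}")
        if not names:
            # The post's can-opener case: no program is allowed to run at all.
            findings.append("LOCKOUT RISK: RestrictRun=1 with no allowed programs")
    if "NoDrives" in explorer:
        findings.append(f"drives hidden in Explorer: {hidden_drives(explorer['NoDrives'])}")
    if system.get("DisableRegistryTools") == 1:
        findings.append("registry editor disabled for this hive")
    return tuple(findings)


if __name__ == "__main__":
    for finding in audit(parse_regedit4(SAMPLE_REG)):
        print(finding)
```

On the post's file the audit reports the single allowed program, all 26 drive letters hidden, and the registry editor disabled; removing the RestrictRun entry while leaving "RestrictRun"=dword:00000001 in place is exactly the lockout the post warns about, and the audit flags it.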