Hello, I have been having problems with security restrictions on my network which consists mostly of 95/98 clients. Is there a script I can use to ensure each time a user from a certain group logs into an NT server, they will have the same desktop? I do not want them to be able to change anything. Bear with me if I am confusing, but this will be my first attempt at using kixtart and I have exhausted all efforts in trying to resolve security issues. It seems the users are finding ways to work around the policy restrictions. So if anyone can get me started in the right direction I would truly appreciate it. Can kixtart help me?
You might be able to work out a way of using both the Policies, and KIX together to accomplish what you want? How are your users finding ways around your policies? Bryce
Thanks for replying. I have several labs that are used by students. They have been able to change the desktop appearances by downloading wallpaper bitmaps from the internet and adding icons to the desktop. I am using both poledit and winshield. What can I do?
You might want to use mandatory Profiles instead of Policies, since they are not working. That way it will load the Settings every time they log on, regardless of who they are.
Mandatory profiles would be great if they would load the .exe files. When I try to set up mandatory profiles for win 95 work-stations from a NT Server, the appearances worked but they only downloaded the .ink folders for winword, excel, powerpoint on the desktop. Maybe I didn't do something right. Do you have any more suggestions?
Hello, After further thinking about the suggestion of the mandatory profiles I am going to test a NT installation on one of the win 95 workstations and try using roaming profiles to see if that will solve my problems. But I still want to try and use Kixtart for the lab with win 98 installed. Sounds confusing?
We are a school. I don't like policies. I tested roaming, mandatory, local, & group. All are flawed in my opinion. MS designed their security for a business environment not a school. The closer you are to the one official user to one machine the better MS security works. Large numbers of users randomly accessing different machines with different capabilities is not something MS handles well. To do well with MS security you must fit one of 2 molds - all machines are exactly the same & all potentially have access to the same software or you must be a business environment where each user has their own machine. Locking down the desktop in a school is hard. Students are very creative. We moved to disabling policies entirely. We do all security with reg files. We restore the machine images with PCRdist. I presume you have problems with your wallpaper, screensaver, renaming of system icons, deleting icons, etc. The only real answer is reset these things on every logon. Too many MS apps offer backdoors that circumvent your best security. You need to disable the search & Windows keys. You really must also limit the apps students can run. Too many can get to explorer or telnet or whatever.
Sorry, Just noticed - several times I said policies when I meant profiles. Just read "policies" as "policies/profiles".
Thanks JackLothian for your reply. Yes, the students are changing the wallpaper, screensavers, etc. Very smart. Can you tell me more about the software or strategies that you use? I am still working on a kixtart script for restrictions, too. Thanks again.
This is a big question & a lot to dump on this board. Below is a start. (All our clients are Win95.) There are other issues as well but I can only put so much here. You also have to lock down the msdos.sys file & force logon to an NT domain. Also you need some type of backdoor through the security. (We have used HiddenOptions & Security Wizard 97; both work well. Both have passwords, which most free security apps lack.) Good luck. Here is the basic kixtart file for students.
*****************************************
REGEDIT4
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\System]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
****************************
REGEDIT4
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]
Hello Lothian, I am also working in a school and I face the same problems not only the student. I found your script works great but I have not yet implemented it on my system. Thanks for your attention. Gilbert Ng
We build logging in to the domain into our basic image so we don't apply an edit for it, but here is the edit.
********************************
[HKEY_LOCAL_MACHINE\Network\Logon]
If a domain controller is not available, the lock down will not work. Thus if a student pulls out the LAN cable they can still get to the desktop by hitting "ESC". We get around this by applying very tight restrictions that are applied through the autoexec.bat file. Thus they need to logon to open the system up. You should also note we color code our desktops so we can spot students doing this type of activity. You should also note there are some write-ups in Technet about the 2 above edits conflicting & being unstable when used in combination if you don't have all the latest "DLLs". We don't have a problem but you might. As to the MSDOS file you need to disable the bootup menu & the function keys during bootup. If you also disable booting from a floppy in the BIOS, it is very hard for a student to break in during bootup. Go to the NONAGS site to get a freeware package to edit the MSDOS.SYS file. As a point of interest, Windows 95 ships with all security disabled while NT ships with most security enabled. When you enable all of Windows 95 security options, the difference between Windows 95 & NT security is not significant in the context of a school environment. Hope you find that helpful. Jack Lothian
This is in reference to the Kixscript from JackLothian. Will this script work with NT workstations, too? And is this the complete script that you use for restricting your user? Is it all combined as one executable script? I hope you understand what I am trying to ask. I am just getting started with using kixtart. Thanks for all your help thus far. Please reply as soon as you can, thanks again.
In theory all these scripts can be adapted to NT workstation but I doubt they will work as is with NT workstation. The registry in Win95/98 and NT are very similar but just different enough to force you to write specific scripts for each type of station. I think you would have to write an NT variant & use kixtart to detect the type of OS & call the script accordingly. (Our kixtart scripts used to have 2 versions Win3.11 & Win95 but we just eliminated Win3.11 a few months ago.) Personally, I think NT Workstation in a school is not a good idea. No matter how hard you try students or wear & tear brings your systems down. Systems in schools take much more abuse than in an office or home environment. We find that keeping a school lab running takes a lot of hands on maintenance. Our experience with NT is that while it is rock-solid when running it is a bitch to repair or rebuild. Usually a complete wipe & rebuild is necessary where Win95 can be fixed with a DOS boot disk & a few CDs of drivers. In our schools GPFs are not really much of an issue but failing hardware & corrupted files are an every day issue. I think Win95/98 is more robust than NT when it comes to repairing a damaged system. A further point is NT (& more so Win2000) requires significantly more RAM & HD space than Win95/98. Typically you have to pay $200 to $300 more in hardware to run NT. All those great "efficiencies" that MS boasts in NT are not really very helpful in a school and it is my personal opinion that Win95/98 has a lower "total cost of ownership" in a school. Of course, in an office environment NT workstation shines.
Thanks for your opinion about NT in a school environment. But this is my last resort turning to NT OS. We have to visit our labs now constantly with problems relating to our win 95 workstations. Right now I must deal with this security issue to try and lock down these workstations to the best of my knowledge with the help of others. I am going to try kixtart with the NT workstation and I know that you have given me fair warning. Does anyone want to take a chance in getting me started?
Hello All, First, I recommend Symantec's Ghost instead of re-installing. If you make an image of each computer variation you have, when a problem arises on that computer, you just re-image it. It is quite fast and certainly much easier than going through a total re-install. Second, here is a segment of script that you may use to differentiate between a Win9x workstation and a WinNT workstation: code: Hope this helps. ------------------ Brad
We use ghost to build our primary images & PCRDist to maintain them. Without them building & maintaining our labs & library would be impossible. Unfortunately, if you have a mixture of diverse hardware & software (our library & labs have very different equipment & software & our classrooms have older 486s) plus lots of users who can potentially logon anywhere none of these automation techniques are really ideal. Plus potentially like us you might want to offer different desktops & software to different grade levels & teachers. We spent 2 years looking for the "magic solution" and found nothing we could even come close to affording. One way or another we realized, lots of hand crafting was inevitable.
Further to Jack Lothian's replies.... I noticed that the program "Logoff Computer.exe" is listed in your allowed programs. Can you tell me more about it? I've started a new thread "Stopping multiple logon" which this might help me with! Thanks
Thanks to everyone for your feedback and the advice on Symantec Ghost. Right now I have been toiling for 3 weeks trying to get this security just right. It is a college and the semester is about up so you know I am rush rush. I put some of the workstations back and guess what, one of the desktop wallpapers was changed. I am using regedit for restriction and still trying to implement the kix script. What went wrong in the wallpaper? I used NoChangingWallpaper in HKEY_CURRENT_USER SOFTWARE/MICROSOFT/WINDOWS/POLICIES/EXPLORER This is happening when the students go to the internet and set pictures as wallpaper. Help me please.
Several MS apps circumvent system policies & allow students to change the wallpaper. Depending on what you are trying to lock down, MS apps can be a big back door through your security. The only sure-fire method I know to handle this is to reset the wallpaper on each logon.
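Added example, not part of any post in this thread: a KiXtart logon script that resets the wallpaper on every logon, as suggested above, and uses the `@INWIN` macro to tell Win9x from NT before calling a per-OS lockdown script. The group name `Students`, the bitmap `lab.bmp` on the NETLOGON share, and the scripts `lock9x.kix` and `locknt.kix` are assumptions for illustration.

```kixtart
; Added example, not code from the thread. Runs as the logon script and puts
; the lab desktop back on every logon.
; Assumed names: group "Students", lab.bmp on the logon share, and the two
; per-OS lockdown scripts lock9x.kix / locknt.kix.

$Group  = "Students"
$Source = @LSERVER + "\NETLOGON\lab.bmp"   ; @LSERVER already starts with "\\"
$Target = "%WINDIR%\lab.bmp"               ; KiXtart expands %VAR% in strings
$Key    = "HKEY_CURRENT_USER\Control Panel\Desktop"
$Script = ""

If InGroup($Group)
    ; Refresh the local copy so an overwritten bitmap is replaced.
    Copy $Source $Target
    If @ERROR <> 0
        ? "Wallpaper copy failed: " + @ERROR + " " + @SERROR
    EndIf

    ; Write the stored setting, then apply it to the running session.
    $rc = WriteValue($Key, "Wallpaper", $Target, "REG_SZ")
    $rc = WriteValue($Key, "TileWallpaper", "0", "REG_SZ")
    $rc = SetWallpaper($Target)
    If $rc <> 0
        ? "SetWallpaper failed: " + $rc
    EndIf

    ; Registry layouts differ between Win9x and NT, so keep one lockdown
    ; script per platform. @INWIN is 1 on Windows NT and 2 on Windows 9x.
    Select
        Case @INWIN = 1
            $Script = @LSERVER + "\NETLOGON\locknt.kix"
        Case @INWIN = 2
            $Script = @LSERVER + "\NETLOGON\lock9x.kix"
    EndSelect
    If $Script <> ""
        Call $Script
    EndIf
EndIf
```

Because the values are rewritten at logon, a change made during a session lasts only until the next logon; it does not stop the change from being made.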
Hello again, I had to leave this project for a while while I worked on some lingering network problems. Mr. Lothian you said I need to set my wallpaper at login? As you know this is a first for me in using kixtart. I have begun creating a batch file and using the setwallpaper syntax from the kixtart manual. However it is not allowing me to logon to the NT workstation because the error is stating user does not have the required privileges for this operation. Can anyone tell me how to give rights to the default user to use kix script on an NT workstation? And also am I heading in the right direction for setting the wallpaper at logon? Perhaps I will be able to post my amateur script soon. thanks
Sorry, I can't help you with this one. We use Win95 clients exclusively. Don't you get the feeling Microsoft is practicing guerrilla war against schools? They hype us like crazy to buy the latest & greatest version of their software & each version seems more antagonistic to a school environment. Furthermore, they offer us no tools to really get the job done. The only really great tool they offered us was "NT Communication Tools for Schools". It was great & free but they pulled it after only a few months of availability. Their so-called advice on "locking down the desktop in schools" on Windows NT is worse than a joke. It supplies no real details & I believe it encourages novice administrators to take an unfeasible development path. We use several software tools that are non Microsoft & I find these manufacturers usually bend over backwards to help us. (Especially once we tell them we are a school.) When we try to elicit help from Microsoft they ignore us. (or tell us to pay more money for support) We get regular sales presentations from Microsoft representatives exhorting us to buy their latest software but there is no support. Sorry for the rant but we spent almost a year studying & testing policies to discover that Microsoft's White paper on "Policies & Profiles" intentionally underemphasized several constraints that applied to our environment. For public institutions Microsoft's security paradigm has serious limitations. Thank God for Kixtart & the NT resource kit. We would be lost without them. [This message has been edited by JackLothian (edited 25 April 2000).]