-
Win95 policies tips?
I'm setting up a new set of policies on a server at a local high school, wondering if anyone has any good tips for locking the little turds down. They'll be saving to a network folder or floppy so I want to give them as little access to the local computer as possible!
-
Good luck, School kids have a habit of getting into things no matter how tight u try and secure things. But hey.....we got to try.
I presume the new server is running Windows NT and will be in a domain. If I remember from the Micro$oft NT 922 course u can implement a computer policy. U can do this by running the system policy editor on Windows 95, save the policy settings to a file e.g. config.pol and then save config.pol file to the netlogon share on the PDC.
Try this link
http://www.bruceb.com/program_tips/Win95.htm you might find some useful info here to help you out.
Hope this helps.
-
I've got two words for you: Restrict Run. If you don't, you'll have so many mp3 downloads and games of Counter Strike and Team Fortress running, you won't have any bandwidth left... You'd think teachers would keep the kids from playing the games and dling mp3s but they're just as bad!
-
Yeah, restrict everything and then make changes as you go along to let them do more as needed.
Under local user/control panel in poledit, restrict the system, display and network so that nobody can get into stuff without running poledit to get the properties back. Under local user/shell/restrictions you will find all sorts of things to make the lives of people trying to put games and other whatnot on the PC without permission a little more difficult. Restricting the background and screen saver keeps questionable material from popping up on the desktop and crappy screen savers off the system.
Also, be sure to set the system up so that the computer updates its config.pol from a network computer every day so when people do make changes to poledit the restrictions go back. The setting is under local computer/network/update. Set up the policy on one PC, save it and copy the config.pol to the network file you will be directing the other computers to. After they boot they will grab the config.pol from the network (and use it locally from there on).
This is nice if you are always on site and go to fix the PC at a moment's notice. If not it can become a real headache walking the users through removing the permissions (they then know what to do and might go in and do some damage). I have problems with remote users who have the restrictions on but do not have poledit installed. If you need to install it go to control panel/add remove programs/windows setup/have disk/poledit.
-
Demand a valid logon to continue, implement user level security, install and maintain good anti-virus software, password protect the bios and disable running of programs from the floppy, disable floppy boot in the bios, upgrade to nt and ntfs, create a list of allowed applications and ENFORCE IT!, and remember the more security you place on the machines, the harder they will try to crack it.
-
THESE ARE THE 3 MOST IMPORTANT THINGS IN ANY SECURE SETUP:
1. Disable boot from Floppy/CDROM in BIOS
2. Password protect BIOS
3. Disable boot menu in msdos.sys
Without these three basic things, any other security measure can be bypassed in minutes. Even with these settings, a dedicated hacker can still bypass any weak security measure such as a system policy (but it will require cracking open the case).
If you want to try to make it so the user can not bypass your system security settings, all of the following must be done.
1. Disable access to floppy/cdrom drives
2. Disable Start-Run
3. Disable Windows Explorer
4. Disable command prompt
5. Disable internet explorer (yes there are many ways to use IE to open files... or they could download hacking utilities off of the net to bypass your security)
6. You may even have to disable right-click context menus (for instance right-click My Computer and select Explore)
7. Remove the Recycle Bin from the desktop. (yes by double-clicking the recycle bin and changing the path, you can access all the drives just like my computer or explorer)
There are so many ways to hack into a system that you will most likely not be able to totally lock it down no matter what you try. But hopefully the average high school kid won't know your weaknesses.
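
Added example, not part of the original post: a small Python audit that checks a workstation's MSDOS.SYS and an exported copy of its policy registry keys against the items listed in this thread. The option names (`BootKeys`, `BootMenu`) and the `Policies` value names are the standard Windows 95 ones and are not given in the thread; the sample inputs are constructed.

```python
import configparser
import re

# Constructed samples (not from the thread): MSDOS.SYS and a REGEDIT4 export.
MSDOS_SYS = "[Options]\nBootGUI=1\nBootMenu=0\n"
REG_EXPORT = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispCPL"=dword:00000001
"""
POL = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
# (policy subkey, value name, checklist item as worded in the thread)
REQUIRED = [
    ("Explorer", "NoRun", "Disable Start-Run"),
    ("Explorer", "RestrictRun", "Restrict Run"),
    ("WinOldApp", "Disabled", "Disable command prompt"),
    ("System", "NoDispCPL", "Restrict display control panel"),
    ("Network", "NoNetSetup", "Restrict network control panel"),
]

def parse_reg(text):
    """Return {(key, value_name): int} for dword values in a REGEDIT4 export."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)):
            values[(key.lower(), m.group(1).lower())] = int(m.group(2), 16)
    return values

def audit(msdos_sys, reg_export):
    """List checklist items that are missing or switched off."""
    findings = []
    cfg = configparser.ConfigParser(strict=False, interpolation=None)
    cfg.read_string(msdos_sys)
    opts = cfg["Options"] if cfg.has_section("Options") else {}
    if opts.get("BootKeys", "1") != "0":  # default 1: startup keys stay active
        findings.append("MSDOS.SYS: BootKeys is not 0")
    if opts.get("BootMenu", "0") != "0":  # default 0: menu not shown
        findings.append("MSDOS.SYS: BootMenu is not 0")
    reg = parse_reg(reg_export)
    for sub, name, item in REQUIRED:
        if reg.get((f"{POL}\\{sub}".lower(), name.lower()), 0) != 1:
            findings.append(f"Policy missing: {item} ({sub}\\{name})")
    return findings
```

Because these policies are ordinary local registry values, a clean result only describes the machine at the time of the export; the BIOS settings in the first list cannot be checked this way.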
-
Sorry... I just read that you needed to give them access to the floppy drive. Well if this is the case, consider any security you are implementing worthless. If it were me going to that school, all I would have to do would be to pop in a floppy, run my little disable system policies program, and within seconds I would have access to whatever I want. System policies rely on local registry settings, so any registry editor (or custom app, such as the one I wrote) can alter these settings and disable all of your security options. The sad thing is that just about any lock-down windows security package works the same way. Just face it, you can't secure a Windows machine, no matter what you try. Or at least I have yet to find one that I could not break into.
Even an amateur hacker could get into the system in a matter of minutes with access to the floppy drive.
-
thanks guys,
That's pretty much how it's set up right now. I know that regardless of what I do they'll be able to get around it if they really try, doesn't take me long to, so I doubt it'd take them any longer. Most kids see it as pointless now too, since they know that the teachers have a CD to ghost the machine back in 15mins regardless of what they do
always handy that hehe
-
Also try this: it won't stop the brats from wreaking havoc, but after a reboot the computer is returned to its original config.
http://www.deepfreezeusa.com/