Using Poledit: Policy Editor to help secure Windows 95/98 computers
By default, Windows 95/98 is not a secure environment. Users can log on without passwords, can mess with all sorts of system settings, and can have access to all the programs and data within reach.
Before getting started with Poledit or any other security tool, think carefully about what you want to accomplish. Security always involves tradeoffs—keeping users from being able to do things also makes it more difficult for you to do things. And it’s easy to lock up systems so tight that users can’t accomplish tasks that they perhaps should be able to do. It may be useful to consider how likely it is that users will actually cause damage if settings aren’t locked down, and compare that to the inconvenience caused to you and other legitimate users if these settings are locked down—a sort of cost-benefit analysis. There’s no single or simple answer to how much security provides the optimum tradeoff between convenience and protection—there will be different answers for different settings.
Changes made with Poledit are global—they effect everyone using the machine with that log-in—if you’ve set policy options while logged into a Student profile, the machine restricts your actions just as much as it does a ‘real’ student. Personally, I don’t set up multiple user profiles—I do restrict a number of settings, which I’ll indicate down below—and since I just have a single profile, everyone—students, teachers, and I, is equally restricted. So I don’t turn off options that I need to access regularly—and I understand that if I need to access one of the restricted settings (for example, to reset wallpaper), then I need to re-run Poledit first to allow me access—and afterwards, I need to remember to turn the restriction back on.
Note that the Win95 and 98 versions of Poledit are not identical—the 98 version potentially includes many more templates which load functions, most of which, however, are specific to Internet Explorer or other Microsoft Internet tools. As a result, the Win95 version is easier to use—we’ll look at it first. As well, as far as I can determine, the Win95 version works just fine with Win98 systems as well—so you may just choose to use that version.
You can’t install Poledit into Windows using either the Windows setup or the Control Panel’s Add-Remove Programs/Windows Setup option. That’s because Microsoft, wisely in my opinion, doesn’t want typical users to be able to mess with it. You couldcopy the contents of the Poledit folder to the hard drives of your various computers—but don’t. If you copy it to a shared network drive, don’t make its location obvious. Better still—keep a copy on a floppy diskette, and run it from there—leaving no copy for your users to access.
Note that use of Poledit can cause problems—read this document carefully, and pay attention to what you’re doing. Experimentation can end up with unwanted settings that can be very difficult to fix!
| || |
Run Poledit by double-clicking the file Poledit.exe . The first time you run the Win95 version on each computer, it will start off by prompting you to open a *.ADM file—and will show the ones included in its folder.
Pick the only choice: Admin.adm.
Then, from the File menu, choose Open Registry. You’ll see:
| || |
Double-click on the Local User icon (There are a bunch of options for Local Computer—but they mostly affect network logon to Netware or NT servers—and few of them are items that I think you will need to reset, so I’m going to (mostly) ignore them in this discussion).
When you open the Local User icon, you’ll get a window with a list of areas that can be controlled, with a [+] beside each area. Clicking on the [+] opens that area, showing further options.
| || |
Within each set, you will find a number of options that you can check off… when you’re done, click OK. As soon as you save your changes, using the File/Save menu option, the changes go into effect.
Important Note: If you are using multiple user logons, such as Teacher/student/etc, changes made to Local Useronly affect that single user/logon… if you make these changes while logged into the Teacher account, for example, you will need to do so again in order to affect the Student account.
Let’s look at the various user settings that can be controlled in this way:
Control Panel-- DisplayWhen you click on the [+] beside Control Panel, a list of five items opens up, with a [+] beside each… If you click on the first [+], beside Display, you still get no visible options—until you click to add a checkmark to [ ] Restrict Display Control Panel . Then you see the following options:
| || |
Clicking to add a checkmark beside one or more options in the bottom section offers the following:
| || |
Wallpaper and Pattern. Note that web browsers include a Save as Wallpaper item accessible by right-clicking on a Web graphic—with this option, users can still set, for example, a Pokemon picture as wallpaper—and it will be impossible to change back, without re-running Poledit. Despite this, I recommend that you set this option, after setting your choice of wallpaper.
- Hide Screen Saver Page—similarly, the Desktop Control Panel can be accessed, but the Screen Saver page will be hidden. I recommend setting screen saver options as desired, then hiding the screen saver page.
- Hide Appearance Page—this option disables users’ ability to change the colours used on title bars, and other Windows elements. Again, I recommend setting them to your choice, then hiding the Appearance page.
- Hide Settings Page—this option disables users’ ability to change screen resolution and number of colours on-screen. I tend to leave this unchecked—some programs only run in 256 colours, while if you’re working with photographs, you probably want to be able to view more colours than this. Similarly, I have one nice freeware astronomy program that works best in 800x600 resolution, while most of the time, I prefer to leave systems in 640x480 resolution so I need to leave these options available—but if these are not issues for you, disable this as well. In fact, if you’re turning all of these pages off, do all at once by Disabling the Display Control Panel.
Control Panel-- Network
| || |
- Remove Taskbar from ‘Settings’… --removes the ability to edit Taskbar and Start Menu items. I strongly recommend not checking it—Most computers have very messy Start Menus, and it’s important to learn how to tidy this up, and keep it clean on an ongoing basis.
- Hide Drives in ‘My Computer’—hides all the local and shared network drives. This makes it impossible for users to double-click on saved documents, although they can still find them using the File/Opencommand in applications. I recommend leaving it unchecked, though you may want to use the free TweakUI Control Panel add-in to limit access to the hard drive.
- Hide Network Neighborhood—if you don’t have a network, you may want to choose this, to remove one piece of clutter on the Desktop.
- No ‘Entire Network’ in Network Neighborhood—if you have a classroom or lab network, and also have other workgroups in the school such as Office, you really should apply this item… with it checked, there is no way that users can easily move from their defined workgroup to access shared resources in a different workgroup—keep the kids out of the office files. If you have a classroom network, apply this restriction right away—before some kid erases all the student records in the office!
- No workgroup contents in Network Neighborhood— this would limit users to mapped network drives and pre-set network printers. I like having access to shared resources that aren’t already mapped, but if you have such resources and have problems with curious kids, you may want to restrict access in this way.
- Hide all items on Desktop—I suppose some people would like to hide My Computer, Network Neighborhood, the Recycle Bin, and any other icons on the desktop, leaving just the Start Menu and Taskbar…
- Disable Shut Down command—I can’t imagine using this… Windows systems need to be shut down and restarted from time to time (I’d recommend at least weekly) to restore resources.
- Don’t Save Settings at Exit—I like this one… get the Desktop the way you want it, then apply this restriction. That way, if users move icons around, when the system restarts, they’re back the way you wanted them. I don’t think this will help if users rename or delete icons on the desktop, however.
- Disable Registry editing tools—disallows use of tools such as Regedit to make basic changes to the system… some people have had trouble after using this—being then unable to run Poledit again to make changes to settings… in effect, locking themselves out of their own system. While Regedit is powerful and potentially dangerous, I’d be very careful before turning on this restriction… in fact, despite the dangers of not restricting it, I can’t recommend that you check this item.
- Only run allowed Windows applications—if you really want to control what users have access to, this is for you! You add (one at a time) the applications that allowable, and all others won’t run… it’s not clear, however, how you add an application—none are listed, by default, and there’s no browse button. Besides, if an application doesn’t show up in the Start Menu, and you’ve turned off access to the Run command, and perhaps to some of the drives (using TweakUI), is anyone really going to access other applications?
- Disable MS-DOS prompt—do you have kids that get around your restrictions by going to a DOS prompt to explore the system or delete files? If so, you can restrict access to the DOS prompt. If not, don’t bother!
- Disable single-mode MS-DOS applications—some older DOS programs, particularly some older games, will only run if they restart the system in so-called MS-DOS mode. This item keeps that from happening.
Setting up a bunch of machines
Saving your butt!
Boot to a DOS prompt (press F8 as soon as you see the ‘Starting Windows 95’ message, and choose Command Prompt from the boot menu), and at the C: prompt, type:
This will load the contents of this file into the System Registry, turning off the two lines that restrict access to the Registry editing tools. From there, restart Windows, run Poledit, and remove any other unwanted settings… a real life-saver—thank you John Woram!
Something from the Computer icon
Poledit for Windows 98
You may want to copy the Windows.adm and Common.adm files into your C:WindowsINF folder (note that this folder may be hidden-- you'll need to turn on the option in Explorer/My Computer to Show All Files to access it). After you do this, they will be loaded into Poledit98 automatically.
Again, choose File/Open Registry, and double-click on the Local User, icon, as described in the Win95 version above… you’ll see:
| || |
Notice that the Network sharing items have been moved—opening up the lower Windows 98 System items results in pretty much the same items as we saw in the Win95 version, though in a somewhat different order. At this point, all can be done as described for the Win95 version.
| ||Click on the Add… button, to see the list of templates, and choose another. You can go back to the Add…dialogue box as many times as desired. When you have the list of templates you want to use, click OK, and return to the File/Open Registrymenu item. After adding the Shellm.adm template to the Windows.adm template, for example, I saw:|
| ||Notice how the Desktop, Start Menu, Shell, and System items are new—a result of the Shellm.admtemplate. Some of these will be of use to Windows 98 users. I’m just going to highlight some of the uses: |
These items allow setting some restrictions to Active Desktop—the ability to make the Windows Desktop act like a web page, with HTML text and graphics appearing on the desktop and within Explorer and My Computer views.
Other *.Adm Templates
Inetsetm.adm—computer: Language, modem, default Net program settings; user: IE colour, font, and general browser settings
OEM.adm—user: Mail/News settings
Shellm.adm—user: Active Desktop/Shell/Start Menu/System settings
Subsm.adm—user: IE subscription settings
Windows.adm—computer: Network and system settings; user: network sharing/Shell/Control Panel/Desktop/Restrictions settings.
Unless control of IE5 and related files is important, I’d recommend that most users load the Windows.adm and Shellm.adm templates.
- Microsoft Knowledge Base Article- Q147381: How to Use System Policies On a Standalone Computer
- Create Secure User Profiles with Windows 9x Policy Editor
(Feel free to send me other Poledit-related links that you think others might find useful)
Another party heard from...
Teacher Terry King of Vermont's Waits River Valley School wrote that he had "figured out how to set up a WIN95/98 network without any NT machines, but still have a single shared version of system policies on a WIN95/98 server." With his permission, I've posted his tips here.
Poledit doesn't work with these versions of Windows. However, there's something equivalent-- at least for Win2000 and XP Pro-- but not for XP Home. From the Start Menu's RUN command, type: gpedit.msc and the Group Policy program will start up. It looks different, and works differently from Win9x's Poledit, but offers much the same abilities. Give it a try!
PC Magazine published a good overview on WinXP's GPEDIT in their September 7 2004 issue:
Windows XP Home does not include GPEDIT; XP Home users can apparently run this program if they have access to files from an XP Pro (or possibly Win 2000?) installation, by doing the following:
- Copy the files gpedit.dll and fde.dll from WINDOWSSystem32 on the XP Pro machine to WINDOWSSystem32 on the XP Home machine.
- From a command prompt issue the following commands on the XP Home machine: regsvr32 C:WINDOWSSystem32gpedit.dll
- Open the Microsoft Management Console (mmc.exe) and select File->Add/Remove Snap-in... Then click Add. Select the Group Policy snap-in from the list of installed snap ins.
You can now edit the Group Policy on the local machine. But XP Home doesn't support the same feature set as XP Pro, so the policies you are looking for might be missing.
Note: I haven't tested this, and can't vouch for it's usability.