
Registry Keys Used with Secure Workstation

Novell Cool Solutions: Feature


Posted: 27 Jul 2004
 

TID 10087272 describes all registry keys and values used by Secure Workstation. Because the local policy is stored in the registry, along with the list of DLLs that the Secure Workstation Service will load and the list of processes allowed to talk to the service, anyone who can write these keys can weaken the policy or choose the code the service runs. Novell therefore strongly recommends setting a restrictive ACL on all keys listed in this document.

All keys listed here are relative to this key:

HKLM\SOFTWARE\Novell\NMAS\MethodData
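The following PowerShell is an added example and not code from the original article or from Novell. It applies the restrictive ACL the article recommends to the whole Secure Workstation key tree: inheritance from HKLM\SOFTWARE is cut, existing rules are discarded, and only SYSTEM and Administrators keep full control while Users can read. The choice of principals is an assumption of this example (it presumes the Secure Workstation Service runs as LocalSystem and that interactive users only need to read the policy); adjust it if your deployment differs. Run it from an elevated prompt.

```powershell
# Added example (not from the original article or Novell). Assumptions: the
# Secure Workstation Service runs as LocalSystem, interactive users only need
# read access to the policy, and this is run from an elevated PowerShell.
$SwRoot = 'HKLM:\SOFTWARE\Novell\NMAS\MethodData\Secure Workstation'

function Set-SwRestrictiveAcl {
    param([string]$KeyPath = $SwRoot)

    $acl = Get-Acl -Path $KeyPath

    # Stop inheriting from HKLM\SOFTWARE and discard the inherited rules, so
    # the broad rights granted higher up the tree no longer reach this key.
    $acl.SetAccessRuleProtection($true, $false)

    # Drop any explicit rules that are already present; only the rules added
    # below will remain on the key and, through inheritance, its sub-keys.
    foreach ($existing in @($acl.Access)) {
        [void]$acl.RemoveAccessRule($existing)
    }

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow

    $rules = @(
        # The service account and local administrators keep full control.
        [System.Security.AccessControl.RegistryAccessRule]::new(
            'NT AUTHORITY\SYSTEM',    'FullControl', $inherit, $prop, $allow),
        [System.Security.AccessControl.RegistryAccessRule]::new(
            'BUILTIN\Administrators', 'FullControl', $inherit, $prop, $allow),
        # Ordinary users can read the policy but cannot change it, the
        # RemovalDLL paths, the LockCommand or the Allowed Processes list.
        [System.Security.AccessControl.RegistryAccessRule]::new(
            'BUILTIN\Users',          'ReadKey',     $inherit, $prop, $allow)
    )
    foreach ($rule in $rules) { $acl.SetAccessRule($rule) }

    Set-Acl -Path $KeyPath -AclObject $acl

    # Show the resulting DACL so the change can be verified before logging off.
    (Get-Acl -Path $KeyPath).Access |
        Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited
}

Set-SwRestrictiveAcl
```

After running it, log in as an ordinary user and confirm that Secure Workstation still enforces the policy and that the user cannot modify the keys. Installers and upgrades that write these keys must run as an administrator from now on, and the NSWAdmin value in particular (a policy bypass keyed on a Windows user name) should never be writable by anyone else.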


Key: Secure Workstation
Description: Root key for the section of the registry used by Secure Workstation.
Values:
  Debug (DWORD)
    If this value is non-zero, Secure Workstation outputs trace information using the OutputDebugString call. This trace information can be viewed using DebugView from sysinternals.com.
  DebugLog (DWORD)
    If this value is non-zero, Secure Workstation writes trace information to a series of log files. The log files can be found in <<SystemDrive>>\Program Files\Common Files\NMAS.

Key: Secure Workstation\RegisteredMethods
Description: Each sub-key of this key represents a device-removal plug-in for Secure Workstation.
Values: none

Key: Secure Workstation\RegisteredMethods\<<Method Name>>
Description: Each sub-key of the RegisteredMethods key represents a registered device-removal plug-in for Secure Workstation. Each of these keys must contain the following values.
Values:
  MethodID (DWORD)
    NMAS method ID number for the plug-in.
  RemovalDLL (String)
    Path and name of the DLL that implements the device-removal plug-in for this method. The Secure Workstation Service loads this DLL, so anyone who can write this value, or the file it points to, chooses the code the service runs.

Key: Secure Workstation\Policy
Description: This key and its sub-keys contain the local workstation policy.
Values:
  Flags (DWORD)
    Contains the flags specified in the local policy:
      0x01: Policy active flag.
      0x02: Inactivity timeout flag.
      0x04: Force logoff flag. If this flag is set, Secure Workstation passes the EWX_FORCE flag to ExitWindowsEx when logging out of Windows.
      0x08: Forcefully terminate applications. If this flag is set, Secure Workstation calls TerminateProcess on applications that do not terminate within the time given by KillAppTimeout.
      0x10: Display the Inactivity Warning dialog before taking the lock action due to an inactivity timeout.
      0x20: Execute a post-policy command.
      0x40: If a post-policy command has been specified in both the local policy and the network policy, always use the command from the network policy. If this flag is not set, Secure Workstation always uses the command from the local policy in this case.
      0x80: Close all programs when the network user logs off.
  IdleTimeout (DWORD)
    User inactivity timeout.
  ConsoleLockAction (DWORD)
    Lock action that will be taken for a session connected to the local console. Possible values are:
      0x01: Close all programs. May be combined with the Log out of the Network value.
      0x02: Log out of the network (Client32 and/or the LDAP GINA). May be combined with the Close all Programs value.
      0x04: Log out of Windows.
      0x08: Lock the workstation or disconnect the terminal services session.
  TerminalLockAction (DWORD)
    Lock action that will be taken for remote sessions. The possible values are the same as for ConsoleLockAction.
  DeviceFlags (DWORD)
    Specifies which authentication devices are monitored. Possible values are:
      0x01: Monitor devices flag. Secure Workstation does not monitor any devices unless this flag is set.
      0x02: Monitor all devices.
      0x04: Use a device list. Monitor the devices specified in the Secure Workstation\Policy\Devices key.
  KillAppTimeout (DWORD)
    Used by the Close all Programs lock action. If the Forcefully terminate applications flag (0x08 in Flags) is set, this is the amount of time Secure Workstation waits for applications to close before forcefully terminating them.
  WarnCountdown (DWORD)
    Number of seconds the warning dialog is displayed before an inactivity timeout event. This value cannot be greater than IdleTimeout.
  InactivityFlags (DWORD)
    Specifies whether a .wav or .avi file is played with the inactivity warning dialog:
      0x01: Play an AVI file on the dialog.
      0x02: Play a WAV file when the dialog is displayed.
  WarnAnimation (String)
    Path and name of the AVI file displayed on the inactivity warning dialog.
  WarnSound (String)
    Path and name of the WAV file played when the inactivity warning dialog is displayed.
  LockCommand (String)
    Post-policy command. Secure Workstation executes this command using CreateProcess after a Close all Programs and/or Log out of the Network lock action has been executed. Because the command runs automatically every time the lock action fires, this value and the executable it names deserve the same protection as RemovalDLL.
  DevicePluseTime (DWORD)
    Used to detect device removal after a Close all Programs lock action has been executed. Secure Workstation continues enforcing the policy until the original devices are present in compliance with the policy, or until a new user logs in. To detect the presence of the devices, the service restarts the device-removal plug-ins at regular intervals. This setting handles the latency between the time the service sends a plug-in its startup message and the time the plug-in reports that its device is not present: it is the amount of time Secure Workstation waits to receive a "device removal" message before assuming that the device is present. The default is 10 seconds.
  PostPolicyCommand Timeout (DWORD)
    When a post-policy command has been configured, this value specifies how the command is executed. For example, if loginw32.exe (which displays the Client32 login dialog) is the post-policy command, the administrator will probably want Secure Workstation to re-execute the command if a user cancels the dialog; if the post-policy command runs a script, the administrator may want it executed only once. If this value is zero, Secure Workstation executes the post-policy command only once. If it is non-zero, it is the number of seconds Secure Workstation waits before re-executing the post-policy command after detecting that it has terminated.
  UseClient32 (DWORD)
    If this value is zero, Secure Workstation ignores Client32 connections: it neither monitors the Client32 connection nor terminates any Client32 connections when executing the Log out of the Network lock action.
  UseLDAPAuthClient (DWORD)
    If this value is zero, Secure Workstation ignores events from the LDAP Auth Client and does not clear the LDAP Auth Client credentials.
  NSWAdmin (String)
    Name of a Windows user that will be used to administer Secure Workstation. When this user logs in, Secure Workstation does not enforce its policy. An administrator can use this to disable Secure Workstation if, for instance, a device specified in the policy is malfunctioning. Note that this is a policy bypass keyed only on a Windows user name, so the value must not be writable by ordinary users.
  Client32PollInterval (DWORD)
    Amount of time in milliseconds that Secure Workstation waits between polls of the primary connection to see whether the user has logged out.
  LdapAuthPollInterval (DWORD)
    Same as Client32PollInterval, but applies to the LDAP Authentication Client.
  DefaultFileLocation (String)
    When an .avi and/or a .wav file has been specified in the network policy, those files must be stored locally on the workstation. This value specifies the directory where Secure Workstation writes those files. By default they are written to the user's profile directory. Note that these files are created by a process running as the currently logged-in Windows user, so that user must have write rights to the directory specified by this value.

Key: Secure Workstation\Policy\Devices
Description: Device list associated with the local policy.
Values:
  0, 1, 2, ... (DWORD)
    The names of the values in the device list are numbered starting with zero. Each value is the NMAS method ID of a device-removal plug-in specified in the policy.

Key: Secure Workstation\Policy\Process List
Description: List of processes associated with the Close all Programs lock action.
Values:
  include (DWORD)
    Specifies whether the values in the process list name the programs that should be closed or the programs that should be excluded. If this value is non-zero, only the programs in the process list are closed. If this value is not present or is zero, all processes are closed except those in the process list.
  0, 1, 2, ... (String; the data is a process name or path, not a number)
    The names of the values in the process list are numbered starting with zero. Each value is either the name of a process (nwtray.exe), the full path and name of a process (c:\winnt\system32\nwtray.exe), or the path and name of a process using environment variables (%systemroot%\nwtray.exe).

Key: Secure Workstation\Policy\Allowed Processes
Description: List of processes that are allowed to communicate with the Secure Workstation service via its named pipe.
Values:
  0, 1, 2, ... (String; the data is a path, not a number)
    The names of the values in this list are numbered starting with zero. Each value is the full path and name of an executable that is allowed to communicate with the Secure Workstation service. Since this list is the access control for the service's named pipe, a user who can add an entry here, or replace one of the listed executables on disk, can talk to the service directly.
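The restrictive ACL protects the registry values, but the service also trusts whatever is on disk at the paths those values name (RemovalDLL, LockCommand, Allowed Processes). The following PowerShell is an added example, not code from the original article or from Novell: it decodes the Flags and lock-action values using the bit names from the table above, collects every program the registry tells Secure Workstation to load or run, and reports any whose file or containing directory a low-privilege principal could write. The list of low-privilege principals, the "writable" test on ACE rights, and the splitting of LockCommand into an executable are heuristics assumed by this example.

```powershell
# Added example (not from the original article or Novell). Key and value names
# come from the table above; the principal list and the writability heuristic
# are assumptions of this example.
$SwRoot = 'HKLM:\SOFTWARE\Novell\NMAS\MethodData\Secure Workstation'

$PolicyFlagNames = @{
    0x01 = 'PolicyActive';         0x02 = 'InactivityTimeout'
    0x04 = 'ForceLogoff';          0x08 = 'ForceTerminateApps'
    0x10 = 'InactivityWarning';    0x20 = 'PostPolicyCommand'
    0x40 = 'PreferNetworkCommand'; 0x80 = 'CloseProgramsOnNetworkLogoff'
}
$LockActionNames = @{
    0x01 = 'CloseAllPrograms'; 0x02 = 'LogOutOfNetwork'
    0x04 = 'LogOutOfWindows';  0x08 = 'LockOrDisconnect'
}
# Principals every interactive user is normally a member of (assumed list).
$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Turn a bit-field DWORD into the names of the bits that are set; bits the
# table does not document are reported rather than silently dropped.
function ConvertTo-SwFlagList {
    param([int]$Value, [hashtable]$Names)
    $known = 0
    $set = @(foreach ($bit in ($Names.Keys | Sort-Object)) {
        $known = $known -bor $bit
        if ($Value -band $bit) { $Names[$bit] }
    })
    $unknown = $Value -band (-bnot $known)
    if ($unknown) { $set += ('Unknown(0x{0:X})' -f $unknown) }
    $set
}

# Extract the executable from a command line (quoted program name, or the first
# whitespace-delimited token), expand environment variables, and resolve a bare
# name such as nwtray.exe through PATH.
function Get-SwExecutablePath {
    param([string]$CommandLine)
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) { $exe = $cmd.Substring(1).Split('"')[0] }
    else                      { $exe = $cmd.Split(' ')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if ($exe -and -not (Split-Path -Path $exe -Parent)) {
        $found = Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue |
            Select-Object -First 1
        if ($found) { $exe = $found.Source }
    }
    return $exe
}

# True when an Allow ACE gives a low-privilege principal a right that lets it
# modify or replace the object. Generic rights render as numbers and are ignored.
function Test-SwWritableByLowPriv {
    param([string]$Path)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if ($ace.FileSystemRights.ToString() -match 'FullControl|Modify|Write|AppendData|CreateFiles|Delete') {
            return $true
        }
    }
    return $false
}

# Every program the registry tells Secure Workstation to load, run or trust.
function Get-SwReferencedPrograms {
    $refs = @()
    foreach ($method in (Get-ChildItem -Path "$SwRoot\RegisteredMethods" -ErrorAction SilentlyContinue)) {
        $dll = (Get-ItemProperty -Path $method.PSPath).RemovalDLL
        if ($dll) { $refs += [pscustomobject]@{ Source = "RegisteredMethods\$($method.PSChildName)\RemovalDLL"; Command = $dll } }
    }
    $policy = Get-ItemProperty -Path "$SwRoot\Policy" -ErrorAction SilentlyContinue
    if ($policy.LockCommand) {
        $refs += [pscustomobject]@{ Source = 'Policy\LockCommand'; Command = $policy.LockCommand }
    }
    $allowed = Get-ItemProperty -Path "$SwRoot\Policy\Allowed Processes" -ErrorAction SilentlyContinue
    foreach ($prop in @($allowed.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' })) {
        $refs += [pscustomobject]@{ Source = "Policy\Allowed Processes\$($prop.Name)"; Command = [string]$prop.Value }
    }
    return $refs
}

function Invoke-SwAudit {
    $policy = Get-ItemProperty -Path "$SwRoot\Policy" -ErrorAction SilentlyContinue
    if ($policy) {
        'Flags              : {0}' -f ((ConvertTo-SwFlagList $policy.Flags $PolicyFlagNames) -join ', ')
        'ConsoleLockAction  : {0}' -f ((ConvertTo-SwFlagList $policy.ConsoleLockAction $LockActionNames) -join ', ')
        'TerminalLockAction : {0}' -f ((ConvertTo-SwFlagList $policy.TerminalLockAction $LockActionNames) -join ', ')
    } else { "No local policy found under $SwRoot\Policy" }

    foreach ($ref in Get-SwReferencedPrograms) {
        $exe = Get-SwExecutablePath $ref.Command
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { "$($ref.Source): NOT FOUND ($($ref.Command))"; continue }
        $issues = @()
        if (Test-SwWritableByLowPriv $exe) { $issues += 'file writable by low-privilege principal' }
        if (Test-SwWritableByLowPriv (Split-Path -Path $exe -Parent)) { $issues += 'directory writable by low-privilege principal' }
        if ($issues) { "$($ref.Source): WARNING $exe ($($issues -join '; '))" }
        else         { "$($ref.Source): OK $exe" }
    }
}

Invoke-SwAudit
```

A WARNING line means a user who is already a member of one of the listed groups could swap the binary that the service loads (RemovalDLL), runs on every lock action (LockCommand), or accepts on its named pipe (Allowed Processes), regardless of how tight the registry ACL is. The check only looks at the principals in $LowPrivPrincipals; domain groups such as Domain Users are not covered unless you add them, and a NOT FOUND entry for a RemovalDLL is worth a look on its own, since a missing DLL in a path a user can create is the same exposure.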



© 2014 Novell