Keeping Users From Bypassing the NetWare Login
Novell Cool Solutions: Trench
Posted: 15 Apr 2002
We snagged this tip from the support forums because it covered a few security/user access areas we hadn't heard of. (Not that that's a new thing. We prove every day there's a *lot* we haven't heard of.) There are a lot of brilliant people in the forums that we can all learn a thing or two from. Here's a good example:
Is there a way to prevent a user from using the ESC key or Cancel button to bypass the NetWare login and get to the local hard drive? We want to keep anyone from going further without actually logging in. The Client version we're using is 3.32.
For Client 2.5 to 3.21:
You will find an option "Cancel Desktop Login" (Start, Settings, Control Panel, Network, Novell NetWare Client, Properties, Advanced Settings, Cancel Desktop Login). If set to "Off", the user will have the opportunity to log in to the Windows 95/98 desktop and other network providers after cancelling the initial Novell Client login. If set to "On", there will be no subsequent login opportunities.
It might be necessary to also change the following setting: use regedit, go to HKEY_LOCAL_MACHINE\Network\Logon and create a new DWORD value called MustBeValidated with a (hex) value of 1. This prevents users from gaining access to Windows itself when pressing the Cancel button in the Client Login screen. (Instead of regedit you can use PolEdit or ZEN to set the "Require validation from network" policy.)
For Client 3.3:
You can use the following settings in the Novell Client Properties, Advanced Menu Settings: Cancel Desktop Login and Require Initial Login. Set them both to "On".
Four problems remain:

1. Depending on your Windows version, users can sometimes (while the Novell Login screen is showing) use the Windows key or the [Ctrl]-[Esc] key combination to bring up Taskman and run programs (check this on your systems).
   - You can remove taskman.exe from their system. Although many administrators aren't very comfortable with this solution, we haven't heard of any ill side effects.

2. With the earlier clients (below 3.20) users can press the [F1] key or click on the ? button (upper right corner of the login screen) and select, e.g., the Username field, and a help window appears from which you can choose File, Open... Although it seems you can only open help files here, there is a problem when they right-click on folder or file names and choose Delete. An even bigger problem is that by right-clicking on a folder name users can also choose Explore from here, and unfortunately they can now use Windows.
   - Use Client 3.3 (with the SP3 patch) or later.
   - You can edit c:\windows\system\loginw32.dll with a resource editor (e.g. MS Visual C++) and try disabling the (?) Help button.

3. The problem mentioned under 2 was fixed with Client 3.21 and later versions, but the engineers overlooked a small "backdoor": with Client 3.3 SP3 you can right-click on the Username text in the Login screen and select "What's this". The client will respond with "No help topic is associated with this item". When you right-click on this you can choose Copy or Print Topic... Depending on the default printer and its driver you can then, from the printer dialog, e.g. select Properties. Click on the Help button. From this Help screen use File, Open and right-click on a folder to select Explore from here, and from there on you're in Windows and can do what you want.
   - Try removing the printer help file.
   - Try the solutions mentioned below.

4. Users can disconnect their PC temporarily from the network (in which case they can enter Windows without having to log in on the network).
   - Remove explorer.exe from your C: drive and put it on your server. In c:\windows\system.ini change the following setting from shell=Explorer.exe to shell=\\your_server_name\sys\explorer.exe. After this change your users will not be able to use Windows if the server is down.
   - If you don't mind using a third-party product you can look into a program called PreLog which, among other things, can disable the Windows key, [Ctrl]-[Esc], [Alt]-[Tab] and [Ctrl]-[Alt]-[Del] key combinations until successfully logged in. PreLog can also secure your Windows PC with a password if it detects that there is no network connection. You can download version 1.1.2 from: http://www.pobox.com/~prelog
Here's some pasted text from the readme:
You can also implement the following "features" and settings on your PC to make your PC more secure, but it's a fact that Windows 9x is very difficult to secure. Besides the following ground rules you could look into a program called Fortress 101 for Win9x for near 100% security (see: http://www.fortres.com).
- Disable in your PC's BIOS settings booting from disk drive A:
- Password protect your systems BIOS
- Remove files like regedit.exe and poledit.exe from your system.
- Use PreLog's option to disable the [Ctrl]-[Alt]-[Del], [Ctrl]-[Esc], [Alt]-[Tab] and [Windows] keys during and before login.
- Use PreLog's option to force a blank Windows password (so users cannot find out each other's or your Novell password by applying a .pwl cracker to your local Windows password (.pwl) files). Or you can apply a registry setting which disables Windows password caching (use the nowinpwd.reg and winpwdon.reg files to disable or enable Windows password caching in .pwl files).
- Add the following line as the first line of Config.sys:
You can also use a utility like break.sys (search for it on the web) to prevent users from breaking out of autoexec.bat.
- Add the following 5 lines under the [Options] section in MSDOS.SYS:
  BootKeys=0    Disables function keys to boot to DOS
  BootSafe=0    Disables booting in Safe Mode
  BootWarn=0    Disables Safe Mode in your Startup Menu
  Network=0     Disables Safe Mode with Network in your Startup Menu
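The tip above spreads its lockdown across three INI-style files: the [Options] section of MSDOS.SYS, the shell= line in SYSTEM.INI, and the MustBeValidated value under HKEY_LOCAL_MACHINE\Network\Logon. The following script is an added example, not code from the original post, from the forum poster, or from Novell. It is an offline checker that parses a copy of each file (or a REGEDIT4 export of the logon key) and reports which of the recommended settings are absent or weak, and it can rewrite the [Options] section to the locked-down values. The sample file contents are constructed for illustration, and the server name NW_SERVER is an assumption.

```python
"""Offline audit of the Windows 9x lockdown settings from the tip above.

Added example, not code from the Cool Solutions post or from Novell.  It parses
the three INI-style files the tip edits (MSDOS.SYS, SYSTEM.INI and a REGEDIT4
export of HKLM\\Network\\Logon) and reports which recommended settings are
missing or weak.  Sample file contents are constructed; NW_SERVER is assumed.
"""

# [Options] keys the tip sets to 0 in MSDOS.SYS, and what a value of 0 disables.
MSDOS_SYS_OPTIONS = {
    "BootKeys": "function keys that boot to DOS",
    "BootSafe": "booting into Safe Mode",
    "BootWarn": "the Safe Mode entry in the Startup Menu",
    "Network": "Safe Mode with Network in the Startup Menu",
}
_CANONICAL = {name.lower(): name for name in MSDOS_SYS_OPTIONS}


def parse_ini(text):
    """Minimal INI parser -> {section: {key: value}}, names lower-cased.

    Tolerates the ';xxxx' padding lines MSDOS.SYS carries, the REGEDIT4 header
    line, and the quoted value names of a registry export.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().strip('"').lower()] = value.strip().strip('"')
    return sections


def audit_msdos_sys(text):
    """List the [Options] settings that are absent or not 0."""
    options = parse_ini(text).get("options", {})
    return [f"MSDOS.SYS: {name} is not 0; {what} still available"
            for name, what in MSDOS_SYS_OPTIONS.items()
            if options.get(name.lower()) != "0"]


def audit_system_ini(text):
    """Flag a shell= that loads Explorer from the local disk; the tip points it
    at a UNC path on the server so an unplugged PC gets no desktop."""
    shell = parse_ini(text).get("boot", {}).get("shell", "")
    if shell.startswith("\\\\"):
        return []
    return [f"SYSTEM.INI: shell={shell or '<missing>'} is local, not a UNC path on the server"]


def audit_logon_reg(text):
    """Check the HKLM\\Network\\Logon export for MustBeValidated=dword:00000001."""
    logon = parse_ini(text).get("hkey_local_machine\\network\\logon", {})
    if logon.get("mustbevalidated", "").lower() == "dword:00000001":
        return []
    return ["Registry: MustBeValidated is not 1; Cancel on the client login still reaches Windows"]


def audit(msdos_sys, system_ini, logon_reg):
    """All findings across the three files; an empty list means fully locked down."""
    return audit_msdos_sys(msdos_sys) + audit_system_ini(system_ini) + audit_logon_reg(logon_reg)


def harden_msdos_sys(text):
    """Return MSDOS.SYS text with every key in MSDOS_SYS_OPTIONS set to 0 inside
    [Options]; keys not already present are appended to that section.  Other
    sections and the ';' padding lines are left untouched."""
    out, in_options, seen = [], False, set()

    def flush_missing():
        out.extend(f"{name}=0" for name in MSDOS_SYS_OPTIONS if name not in seen)

    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            if in_options:
                flush_missing()
            in_options = stripped.lower() == "[options]"
        elif in_options and "=" in stripped and stripped[0] not in ";#":
            key = stripped.partition("=")[0].strip().lower()
            if key in _CANONICAL:
                seen.add(_CANONICAL[key])
                line = f"{_CANONICAL[key]}=0"
        out.append(line)
    if in_options:
        flush_missing()
    return "\n".join(out) + "\n"


# Constructed sample files: a stock Windows 98 PC before the tip is applied.
WEAK_MSDOS_SYS = r"""[Paths]
WinDir=C:\WINDOWS
WinBootDir=C:\WINDOWS
HostWinBootDrv=C

[Options]
BootMulti=1
BootGUI=1
Network=1
;
;The following lines are required for compatibility with other programs.
;Do not remove them (MSDOS.SYS needs to be >1024 bytes).
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
"""
WEAK_SYSTEM_INI = "[boot]\nshell=Explorer.exe\n"
WEAK_LOGON_REG = "REGEDIT4\n\n[HKEY_LOCAL_MACHINE\\Network\\Logon]\n\"username\"=\"jsmith\"\n"

# The same PC after the tip: [Options] locked down, Explorer served from the
# server (assumed name NW_SERVER), MustBeValidated set to 1.
HARDENED_MSDOS_SYS = harden_msdos_sys(WEAK_MSDOS_SYS)
HARDENED_SYSTEM_INI = "[boot]\nshell=\\\\NW_SERVER\\sys\\explorer.exe\n"
HARDENED_LOGON_REG = WEAK_LOGON_REG + '"MustBeValidated"=dword:00000001\n'

if __name__ == "__main__":
    for label, files in (("weak", (WEAK_MSDOS_SYS, WEAK_SYSTEM_INI, WEAK_LOGON_REG)),
                         ("hardened", (HARDENED_MSDOS_SYS, HARDENED_SYSTEM_INI, HARDENED_LOGON_REG))):
        findings = audit(*files)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run against the constructed weak files it reports six findings (the four missing or non-zero [Options] keys, the local shell=, and the absent MustBeValidated); the hardened set reports none. The parser is deliberately lenient because MSDOS.SYS is padded with comment lines and a registry export quotes its value names, so a stricter INI reader would reject both.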
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com