Protecting Windows NT Machines

.

Environment: Windows NT 4.0 (Server or Workstation)

Windows NT security makes it possible to lock down a desktop so a given user has access
to only one or a few specific programs. On a public kiosk computer, it is often important
that user access be restricted. This article explains the steps that need to be taken to
implement this before you start please read the IMPORTANT notice.

IMPORTANT: This article contains information about editing the Windows registry. Before you edit the registry, you should first make a backup copy of the registry files (System.dat and User.dat). Both are hidden files in the Windows folder. Do not run the sample .reg file which contains all the specified registry entries as a demonstration or test because doing this will disable the menus of the demonstrator and might not give him access to remove the entries also. It is advised that for demonstration, make only one entry at once.
Unsolicited changes in registry might damage the system functionality in which cases author can not be held responsible.

Windows always works on its Registry entries which are stored some hidden .dat files
usually the system.dat and user.dat in widows directory. It can be viewed as the settings
for the individual user determining his environment in Windows NT user session. It is
found that these settings or registry entries play a key role while deciding the
access to individual user on any Windows NT machine. Whenever the user loggs in,
Windows fetches all the settings from files, and loads it in the memory. So the
user settings are stored with your windows explorer which works like shell for
your Windows NT session.
For making the registry entries, you can either go to RUN menu and run regedit.exe or regedt32.exe. This will open a windows similar to Windows explorer. There are five by default major categories viz. HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS,HKEY_CURRENT_CONFIG which are used for the basic functionality of the Registry and Windows security.

You can browse through and make the entries at right places.Windows also specifies a format which goes in .reg file (see the sample code), which can be run from any location. This .reg file can be edited using a simple notepad also.
In this format, specify the REGEDIT4 first, to tell the version of editing utility, then you have to specify the absolute path in square brackets where this registry entry will go for example [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPolicies] you can specify multiple paths also where the settings will be stored followed by the name of the entries which have to be made are written as

“NameOfEntry”=DataType:ValueOfTheEntry


For restricting the access, following are the names of the entries/keys and their functionality at [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPolicies]

Key Name Functionality Data Type Value
NoFind Removes Find command from Start menu. dword 00000095
NoFolderOptions Removes the Folder Options menu item from the
Settings
dword 00000001
NoRecentDocsMenu Removes the Documents command from the Start
menu.
dword 00000001
NoDesktop Hide all items on desktop. dword 00000001
NoRun Removes Run command from Start menu dword 00000001
NoLogOff Disables the logoff options dword 00000001
NoClose Disables Shut Down command. dword 00000001
NoNetHood Hides Network Neighborhood. dword 00000001
NoDrives Hides drives in My Computer. dword 00000000
To give access to only drive C dword fbffff03
To give access to drives C and D dword f3ffff03
To give access to drives A to F dword c0ffff03
NoTrayContextMenu Removes context menus for tray including the
start button, tab control, and clock.
dword 00000001
NoSetFolders Remove folders from Settings/Start menu dword 00000001
NoSetTaskbar Remove Taskbar from Settings/Start menu. dword 00000001
NoFavoritesMenu Removes the Favorites folder from the Start
menu.
dword 00000001
NoSaveSettings Does not save settings at exit. dword 00000001
NoDriveTypeAutoRun Prevents CD-ROM drive from running
automatically.
dword 00000001
NoViewContextMenu Removes the context menu when you right click
the desktop, or when you right click explorer in the results pane.
dword 00000001
NoFolderOptions Removes the Folder Options menu item from the
Settings
dword 00000001

Note : NoRecentDocsMenu and NoRecentDocsHistory requires Active Desktop
to be installed; otherwise they do not work


At the place
[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem]

Key Name Functionality Data Type Value
DisableLockWorkstation Disables the Lock workstation option from menu dword 00000001
DisableTaskMgr Disables the Task Manager dword 00000001
DisableChangePassword Disables the password change option dword 00000001

Copy the following source in notepad and save it as .reg file


REGEDIT4

[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPolicies]

[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer]

"NoDriveTypeAutoRun"=dword:00000095
"NoFind"=dword:00000001
"NoFolderOptions"=dword:00000001
"NoDesktopUpdate"=dword:00000001
"NoFavoritesMenu"=dword:00000001
"NoRecentDocsMenu"=dword:00000001
"NoSetActiveDesktop"=dword:00000001
"NoDesktop"=dword:00000001
"NoSetFolders"=dword:00000001
"NoSetTaskbar"=dword:00000001
"NoSaveSettings"=dword:00000001
"NoClose"=dword:00000001
"NoNetHood"=dword:00000001
"NoRun"=dword:00000001
"NoDrives"=dword:00000000
"NoTrayContextMenu"=dword:00000001
"NoViewContextMenu"=dword:00000001

[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem]

"DisableLockWorkstation"=dword:00000001
"DisableTaskMgr"=dword:00000001
"DisableChangePassword"=dword:00000001 

Downloads

Download instructions:

1. Save it to your disk
2. For running: Save it as .reg file, and double click
3. For editing:  You can edit it in test format or you can right
click the .reg file and click on edit option.

Download demo registry source code – 1 Kb

More by Author

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends & analysis

Must Read