home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
DP Tool Club 26
/
CD_ASCQ_26_1295.iso
/
vrac
/
sentry25.zip
/
README.TXT
< prev
next >
Wrap
Text File
|
1995-10-06
|
80KB
|
1,811 lines
╓────────────╖
║ Sentry 2.5 ║
╙────────────╜
Michael A. Bobbitt
Mike.Bobbitt@AcadiaU.Ca
http://dragon.acadiau.ca/~910318b/Sentry.html
TABLE OF CONTENTS
1.0 Introduction
1.1 Purpose of Sentry
1.1.1 In the Home
1.1.2 In the Business Environment
1.2 Features of Sentry
1.2.1 General
1.2.2 Expiry Dates
1.3 Distribution of Sentry
2.0 Setup
2.1 General Setup Issues
2.2 The Initial Login
2.3 First Priorities
2.4 Using the Sentry.ini file
2.5 Modifying Your AUTOEXEC.BAT
3.0 Securing Your Computer
3.1 BIOS Password
3.2 Boot Sequence
3.3 Switches in CONFIG.SYS
3.4 Passwords
3.5 The Password File
3.6 Placement in AUTOEXEC.BAT
3.7 Keep a Backup
4.0 Logging In
4.1 The Login Procedure
4.2 Changing Passwords
5.0 The SuperUser Menu
5.1 Create User
5.2 Delete User
5.3 View Users
5.4 Toggle SuperUser Status
5.5 Change Account Exipry Date
5.6 Change Password Expiry Date
5.7 View Log File
5.8 Change Account Password
5.9 Assign Max Invalid Logins
5.10 Edit Initialization Settings
5.11 Exit
6.0 Using Sentry With Windows
6.1 General
6.2 Installation Procedure
6.3 Additional Windows Security
6.4 Windows 95
7.0 Securing Other Programs
7.1 General
7.2 Setup
8.0 Creating a new Instance of Sentry
9.0 Registration
10.0 Revision History
10.1 Pre-Release Notes
10.2 Sentry V1.0
10.3 Sentry V1.1
10.4 Sentry V1.2
10.5 Sentry V1.3
10.6 Sentry V1.4
10.7 Sentry V2.0
10.8 Sentry V2.1
10.9 Sentry V2.2
10.10 Sentry V2.3
10.11 Sentry V2.4
11.0 Technical Notes
11.1 Encoding Algorithm
11.2 Time Stamps
11.3 Files
11.4 File_id.diz
11.5 General
12.0 Potential Threats To Security
12.1 The Password File
12.2 Hardware Loopholes
13.0 Troubleshooting
13.1 Error messages
13.1.1 Error opening password file!
13.1.2 Error opening temp file!
13.1.3 Error in creating log file!
13.1.4 Error opening log file!
13.1.5 Error opening Sentry.ini file!
13.1.6 Error in Sentry.ini file! [XXXXXXXX]
13.1.7 Registration Error - Program Aborted!
13.1.8 Error in time stamps.
13.1.9 Out of memory!
13.1.10 This account has expired.
13.2 Other problems
15.0 Standard Disclaimer
16.0 Credits
========================
1.0 Introduction
================
Currently, almost all fields of computer security are growing
and advancing, with a few notable exceptions. Networks, servers
and public access systems are all tightening their access to
avoid potential problems. But what of the single-user PC? Is the
information contained on these any less valuable? Often times
not, yet adequate security programs do not exist for PC's. In my
search for security, I discovered that PC's were virtually
ignored, and those programs that did exist were weak and faulty.
Faced with this situation, I decided to write my own security
program from scratch, incorporating the tightest security
measures possible, while allowing flexible, easy use.
1.1 Purpose of Sentry
Sentry is meant for one basic purpose only: to keep unwanted
people off your PC. It is flexible enough that this single
purpose can be used in many different ways, for many different
reasons. Here are just a few.
1.1.1 In the Home
Most people have something on their home PC that they don't want
others to see. Maybe it's a sensitive document, maybe it's
copies of e-mail, or maybe you just want to keep track of who is
using your system. Sentry has the solution for all of these
problems, by restricting access and logging all attempts to use
the system.
Alternatively, sometimes you just want to keep people out,
period. It could be your nosy room mate, your little brother, or
your boss at work. In any case, Sentry will keep them out, while
letting a select group of people in.
1.1.2 In the Business Environment
Businesses will find Sentry valuable to guard against
unauthorized entry into PC's. With Sentry, you can leave your
terminals unattended while knowing that nobody can access the
information held on them, unless you want them to. Many
businesses have cleaners or other independant contractors come
in during silent hours. A lot of businesses have PC's in open
areas where a "passer-by" could use them. There's no guarantee
that these people won't attempt to use your PC's when your're
not around.
For businesses that work in groups, Sentry is useful for keeping
track of who used the PC's and when. Supervisors could have
SuperUser access on all PC's in their group, allowing them to
manage and control access as required. Also, the log that Sentry
keeps could be a valuable tool in determining who was doing
what, and when.
You may not need to use Sentry on your system. You might never
have a security problem to worry about. But the truth is that
Security isn't something to take a chance on. It is a serious
problem in today's computing society, and many legitimate users
find themselves helpless or confused about the real issues. It
is a shame that the immoral few have ruined it for the rest, but
we cannot let them get in the way of our daily business. With
the proper tools and knowledge, we can fight back by closing up
the common loopholes that attackers use.
1.2 Features of Sentry
1.2.1 General
Sentry will allow you to set up accounts on your computer, one
account for each person you want to have access. If someone
doesn't have an account, they don't get in. It's that simple.
Each person has their own account, with their own password,
making it easy to track who logs in and when. Since Sentry
doesn't use a "master access" password, you can wipe a single
users account without affecting any other users.
Sentry records each login attempt in a log file which can be
viewed by a SuperUser at any time.
1.2.2 Expiry Dates
You can set accounts to expire on a certain date, effectively
barring access to the specified user after that. For example, if
you know that Joe will be leaving on April 14th, you can set his
account to expire on April 15th. That means you don't have to
remember to delete his account on the 15th... It will expire on
it's own, and you can delete it whenever you remember.
You can also set expiry dates for passwords, meaning that a user
will have to enter a new password once his old one has expired.
In addition, you can set the period of time that new passwords
are good for.
Sentry can be used to restrict access when you first turn on
your PC, to block DOS access from within Windows, to secure a
single program from general use, or any combination of the
above.
1.3 Distribution of Sentry
Sentry is a copywritten piece of work, however distribution of
the ShareWare version is allowed and encouraged. The only
stipulation is that it must be unmodified, and must contain all
of the original files (and no others). Essentially, the .zip
file you initially recieved is the only format that Sentry is
distributable in.
DO NOT distribute any registered versions whatsoever. (By
distributing a registered version, you are giving out copies of
a specific encoding scheme, which can be used against the
registered user).
2.0 Setup
=========
Since you are reading this, I can safely assume you have
unzipped Sentry. Along with that, I will also assume that you
have created a directory for Sentry, and that all Sentry files
are currently in it. (If this is not true, do it now). You may
want to read the section entitled "Creating a new Instance of
Sentry" below.
2.1 General Setup Issues
The very first thing you should do is make sure you keep a copy
of all the Sentry files somewhere safe. Copying them to a floppy
disk and storing it is a good idea.
The second thing you have to do is to set up the Sentry.ini file
for your system. You should load the file into a text editor
(like MS-DOS's edit) and make the changes from there. There are
instructions and tips provided for each item. Make sure you read
and understand these instructions before making any changes, as
an improperly set up Sentry.ini file can cause errors and
security loopholes.
2.2 The Initial Login
Now the next thing you must do is to change the password and
login provided with the initial copy of Sentry. To do this, you
must run the Sentry.exe program. If it displays an error
message, check the troubleshooting section at the end of this
file.
When it asks for a login, use "Sentry", with the password
"Sentry". You can turn case sensitivity off in the Sentry.ini
file, but for logins only. The password must be entered exactly
as shown (sentry or SENTRY will not work). The Sentry account
has SuperUser access, meaning you can create and delete accounts
while logged in as Sentry. To log in as a SuperUser, enter
Sentry for a login, and instead of pressing enter, hold down the
CONTROL key and press enter. This tells the Sentry program that
you want to log in as a SuperUser. Then enter your password
normally, and instead of dropping to DOS, you will go to the
SuperUser menu. (See the section below on "The SuperUser Menu"
for more information).
From here, you should create a new user (you) and grant yourself
SuperUser access. You can do this during creation by holding the
CTRL key while pressing enter after typing your login name. You
can also do this by using the "Create User" option normally and
then using the "Toggle SuperUser Access" menu option to give
yourself SuperUser privileges.
2.3 First Priorities
Once you have your account set up, you should delete the Sentry
account, so nobody else can use it. This is very important as a
potential intruder will probably try to enter through the
default Sentry account first. (If you delete it, that closes the
loophole).
Sentry will not let you delete the last SuperUser, so you must
create a new user with SuperUser access before deleting the
Sentry account.
From here, you can create the other users of your system, and
define their starting passwords, expiry dates and access rights.
See the section below on "The SuperUser Menu" for more
information.
2.4 Using the Sentry.ini file
Sentry can be configured to your needs by way of the Sentry.ini
file. This file contains information that you may wish to
change, allowing Sentry to adapt to many different situations.
The Sentry.ini file follows a very specific format, and if you
deviate from it, Sentry will not work! Comments are allowed, as
long as the comment line begins with a * character. Blank lines
are also permitted. The order of the items in the Sentry.ini
file is critical. Do not move items around. The comments
provided with the Sentry.ini file will guide you through this
stage. Feel free to add your own comment lines as you see fit.
If this is too much for you, then you can edit the Sentry.ini
file from the SuperUser menu. You can do this by selecting the
"Edit Initialization Settings" option (see section 5.10). Many
people find this easier than editing the actual file. Any
changes you make will not take effect until the next time you
use Sentry.
2.5 Modifying Your AUTOEXEC.BAT
Simply add the following line to the top of your AUTOEXEC.BAT
file:
----------------- CUT ----------------
\Sentry\Sentry
----------------- CUT ----------------
The above example assumes you have installed Sentry on
c:\Sentry, which may not be true. Adjust the path in the first
line to reflect the location of Sentry on your system.
NOTE: These lines MUST be the first lines in your autoexec.bat
file. If not, the user may be given a chance to bypass Sentry by
pressing CTRL-C or CTRL-BREAK.
If Sentry is installed on a drive other than the one you boot
from (drive D in the example below), then add these lines
instead:
----------------- CUT ----------------
d:
\Sentry\Sentry
c:
----------------- CUT ----------------
3.0 Securing Your Computer
==========================
Sentry is essentially useless unless you take the appropriate
additional security measures for your machine. Below I have
outlined some of the things you can do to increase the security
of your system.
3.1 BIOS Password
Protect your BIOS! It has a built in password, so set it!
Without the password, any user can get into your BIOS and change
your critical system settings. I have seen several different
types of BIOS setups, but generally, you use the CHANGE PASSWORD
command (Sometimes also listed as SUPERVISOR PASSWORD) from the
main menu and set the SECURITY OPTION to setup (as opposed to
system) in the BIOS FEATURES SETUP screen. Depending on the
layout of your BIOS, you may have a CHANGE SETUP PASSWORD option
right on the main menu.
3.2 Boot Sequence
Change your boot sequence. Again, in your BIOS, under the BIOS
FEATURES SETUP screen, set your BOOT SEQUENCE to boot from your
hard drive first. (This usually means set it to C,A as opposed
to A,C). This will ensure that no-one can bypass Sentry by means
of a boot disk.
3.3 Switches in CONFIG.SYS
Add "switches /n/f" as the first line of your CONFIG.SYS file.
The /n will dis-allow pressing F8 to step through the CONFIG.SYS
and AUTOEXEC.BAT files. This means that users cannot bypass
Sentry by this method. The /f switch is optional, it simply
speeds up your boot-up time (by about 2 seconds).
3.4 Passwords
Pick a good password. Short passwords are a bad idea, as well as
birthdays, girlfriends names, etc. Anything that is easy to
guess should be avoided. Good passwords are not words at all,
but made up from a "mnemonic" sentence. For example, the
sentence "I'll wait for you" turns into "Illw84u" (trust me).
Mixing lower case letters, upper case letters, and numbers
increases the security of a password, and passwords of this type
are near impossible to guess or crack. Do not write your
password down, especially near your computer. Try to memorize it
if possible. Change your password, but not too often. People who
change their passwords too often (less than 6 months or so) tend
to write them down, which is a bigger risk. Don't enter your
password with someone looking over your shoulder. If someone is
in the room, block their view, or wait until they leave.
3.5 The Password File
Put your password file in a safe place. Although passwords are
encoded, usernames and time stamps are not. Also remember, the
encoding scheme is one way only, so if I encode login names, you
will never be able to view who is in your password file (IE: you
would have to "guess" which person to delete). Users can change
time stamps in the password file, and this can cause serious
problems, so KEEP IT SAFE!
NOTE: Sentry automatically hides your password file for you.
After you have run Sentry once, your password file (and log
file) will not appear in directory listings. This will help your
security, but is not a fool-proof method.
3.6 Placement in AUTOEXEC.BAT
When you are installing Sentry, make sure it is the FIRST file
in your AUTOEXEC.BAT! Otherwise, the user may be able to exit
when another program is running and avoid Sentry all together!
3.7 Keep a Backup
Keep a backup copy of all your Sentry files! Especially your
password file! If something happens to these files, you may be
locked out your computer if you don't have a backup.
4.0 Logging In
==============
4.1 The Login Procedure
When you first run Sentry, you should see the standard startup
screen. Your registration information is contained here. (The
shareware release simply says it is registered to Shareware).
You should also see a prompt asking you to enter your login (or
user name). If instead you see an error message, check at the
end of this file for help.
While entering your user name, if you have SuperUser access, you
can log in as such. You can do this by holding down the CTRL key
while pressing enter. If you do not have SuperUser access, or do
not wish to log in as such, simply press enter. In either case,
this will send you to the password prompt.
Once you have reached the password prompt, you simply enter your
password, and hit enter when you are finished. Your password is
not echoed to the screen. At this time, the date and time of
your last login will be displayed.
The minimum and maximum length of both the login and password
are set by the "MinPasswordLen" and "MaxPasswordLen" attributes
in the Sentry.ini file respectively.
If there have been any invalid login attempts made against your
account since the last valid login, you will be told so, and how
many. If the number of invalid login attempts against your
account has exceeded the maximum allowed, your account will be
locked out until the SuperUser resets it.
If your account has expired, it will say so, and subsequently
lock you out. If your password has expired, it will also say so,
but will then prompt you to enter a new password. You may not
re-use your old password, and you must pick a password that
corresponds to the length limits set out in the Sentry.ini file.
Once you have entered and verified your new password, it is
given a new expiry date according to the "PasswordExpiresIn"
value in the Sentry.ini file.
If you have logged in as a SuperUser, and have SuperUser access,
you will now be in the SuperUser menu (see the section below).
If not, you will simply be dropped to DOS, and the login
procedure is complete.
4.2 Changing Passwords
If you wish to change your password at any time, you can do so
by entering the pass key. The pass key is defined in the
Sentry.ini file, and is displayed when Sentry starts up. To
change your password, simply enter your user name as usual, and
when prompted for your password, enter the pass key. You will
then be prompted for your old password (to make sure it is
really you), and then you will be asked for your new password,
which will be verified and saved to disk. Your new password will
expire in the number of days designated by "PasswordExpiresIn"
in the Sentry.ini file.
Changing your password has no effect on SuperUser access.
5.0 The SuperUser Menu
======================
5.1 Create User
This option allows you to create users on your system. First of
all, you must enter the username (or login) you wish to assign
to that user. If you wish to create a user with SuperUser
status, type in the username and hold down the CONTROL key when
pressing enter. Otherwise, just press enter when you're finished
at the login prompt. Once that is complete, Sentry asks for the
password. The password is not echoed to the screen. The user
should choose and enter their own password. SuperUsers need not
know what the passwords are since they can still manage the
accounts without knowing them. The password is entered twice to
ensure no typos were made, and then saved to the password file
in encoded form. The ESCAPE key will abort this operation at any
time.
Note: There is currently a maximum of 100 users allowed. This
limit can be bypassed if required (contact me for a larger
capacity version).
5.2 Delete User
The delete option is very simple. It brings up a list of all
users, and you simply use the cursor keys to highlight the user
you wish to delete. SuperUsers are denoted by a * to the right
of their username. Press enter to select the appropriate user.
If the selected user is a SuperUser, Sentry will give a warning.
SuperUser or not, Sentry will then ask if you are sure you want
to delete them. Any input other than a 'y' will not perform the
delete. The ESCAPE key will abort this option at any time.
5.3 View Users
This option allows you to view all users who currently have
accounts on your system. SuperUsers are again denoted by a * to
the right of their login name. The last login date/time, account
expiry date and password expiry date are also shown to the right
of the user's login name. In addition, the number of invalid
logins since the users last valid login are shown with the
number of invalid logins allowed before an account is locked up.
An "X" in the "Max Inv Log" (Maximum Number of Invalid Logins
Allowed) column means there is no limit. You can use the PAGE UP
and PAGE DOWN keys to scroll forward and back if there are
multiple pages of users. Arrows ( and ) will be present if
there are additional pages above and/or below. The ESCAPE key
will exit back to the main menu.
5.4 Toggle SuperUser Status
When this option is selected, it first brings up a list of all
users on the system. Again, SuperUsers are denoted by a *. Once
you have selected a user, Sentry will ask you if you want to
grant/revoke SuperUser access to/from the appropriate user. Any
input other than a 'y' will not change that users status. Now
the user must enter a password. (Since the SuperUser status is
encoded in the password, and the password can never be decoded,
I can't change SuperUser access without resetting the password).
The user can re-enter their old password, or enter a new one
(the old one will be over-written). In a worst case scenario,
the SuperUser can re-assign a new password to the user if he is
unavailable to enter a new password himself. (A hostile user can
have SuperUser access revoked without having to enter a new
password; you can do it for him).
5.5 Change Account Expiry Date
This option lets you define when an account will expire on your
system. Expired accounts no longer have access. This option is
useful if a user will be leaving. Then you don't have to
remember to delete their account on the day they leave. You can
set it to expire, and delete it when you remember.
This option also works in conjunction with the "Assign Max
Invalid Logins" option. Once an account reaches it's maximum
number of sequential invalid logins, it expires. The only way to
re-activate the account is to change the expiry date with this
option.
Once you select this option, some information about the account
will be displayed. If it is a SuperUser account, Sentry will
tell you so. It will then display the account's current expiry
date. You will be asked if you are sure you want to change that
user's expiry date. Any input other than a 'y' will abort the
process, otherwise you will be prompted for the year the account
will expire. The year must be entered as 4 digits (IE: 1997). If
you enter 'N' at the year prompt, no expiry date is assigned to
that account (it is valid forever). If you enter a valid year,
you will then be prompted for the expiry month, which is entered
as 2 digits (IE: 06 for June) followed by the expiry day, which
is also entered as 2 digits. Accounts expire at one second past
midnight on the date of expiry.
5.6 Change Password Expiry Date
This option lets you define when a users password will expire.
Once the password has expired, the user must enter a new one.
This forces the user to change their password. Once a password
has expired, the next time the user logs in he will be forced to
enter a new password. The new password is valid for the number
of days set in the "PasswordExpiresIn" option in the Sentry.ini
file. Once a password has expired, the user cannot re-enter it.
He must select a new password. (NOTE: Sentry does not keep
historical records on passwords, so a user may alternate back
and forth between 2 passwords. This is not a secure practice and
should be avoided).
Once you select this option, some information about the account
will be displayed. If it is a SuperUser account, Sentry will
tell you so. It will then display the current expiry date for
the password. You will be asked if you are sure you want to
change that user's expiry date. Any input other than a 'y' will
abort the process, otherwise you will be prompted for the year
the password will expire. The year must be entered as 4 digits
(IE: 1997). If you enter 'N' at the year prompt, no expiry date
is assigned to that password (it is valid forever). If you enter
a valid year, you will then be prompted for the expiry month,
which is entered as 2 digits (IE: 06 for June) followed by the
expiry day, which is also entered as 2 digits. Passwords expire
at one second past midnight on the date of expiry.
5.7 View Log File
Every time a user logs in, a record is kept on disk. If you want
to view that online record, select this option. The log file
will be displayed, one screen at a time. Once the entire log
file has been displayed, Sentry will ask you if you want to
clear the log file. Any input other than 'y' will exit, leaving
the log file in tact. If you answer with a 'y', Sentry will
clear out the old entries. This should be done fairly
frequently, depending on how busy your system is. Large log
files take up more disk space.
You should always keep a close eye on the log file as this will
often tell you when something is wrong on your system. All error
messages are saved to the log file, so you can see if Sentry has
run into any problems. Also, it records the current time, and
the username of the user attempting to log in. This will help
you to identify any potential attacks on your system. The log
file is hidden by Sentry, but you should also place it somewhere
safe so that users cannot tamper with it. You can set the
location of the log file with the Sentry.ini file.
5.8 Change Account Password
This option allows the SuperUser to change an account's
password, in case the user forgot it, or some other strange
disaster has occurred. When assigning a new password to an
account, you should set the expiry date to be immediatly, so the
user is forced to choose a new one. If the previous password had
no expiry date, none is assigned to the new password. Otherwise
the password expires in the number of days assigned to
"PasswordExpiresIn" in the Sentry.ini file. You can abort at any
time by pressing the ESCAPE key.
5.9 Assign Max Invalid Logins
This allows you to set the maximum number of invalid logins
allowed before an account is disabled. The default number is
defined in the Sentry.ini file ("InvalidLogins") and is assigned
to all accounts when they are first used.
To assign a new maximum, simply select the "Assign Max Invalid
Logins" option from the SuperUser menu. From here you will be
shown the complete user list, and asked to select the user you
wish to change. Pressing the ESCAPE key will abort the operation
here.
Once you have selected the user, you will be informed if that
user is a SuperUser. NOTE: You should not assign a maximum
number of invalid logins to your last SuperUser account. If you
do, and someone attempts to break in to that account, you could
be locked out of the SuperUser menu!
Next you will be told what the user's current max invalid login
setting is, and asked if you want to change it. Any input other
than a 'Y' will abort the operation. Now you will be asked to
enter the number of invalid login attempts before an account is
disabled. Entering 'N' or a 0 will mean that there can be
unlimited invalid login attempts made.
Please note that a value of less than 10 may cause you more
trouble than good. You may be spending a lot of time re-setting
accounts if you pick too low a value, so consider this
carefully. Also note that when an account is locked up, it is
actually set to expire immediately. As a result, if you wish to
re-activate an account, you must change the account's expiry
date (see above). This is also handy for determining when the
account was actually de-activated. The expiry date for that
account it set the the day it was locked out.
Every time a successful login is made to an account, the invalid
login counter is reset. This means that an account will not be
locked out if it has a valid login before the maximum is
reached. (For example, say an account has a maximum of 10
invalid logins. If there are 7 invalid logins before a
successful login, and then 5 more invalid logins, the account
will not be locked up. There must be 10 sequential invalid
logins for the account to be disabled.)
Once you have finished making the change, you can view the user
list to make sure it is acceptable.
5.10 Edit Initialization Settings
This option allows you to edit the Sentry.ini file from within
Sentry. Once this option is selected, all of the attributes from
the Sentry.ini file are displayed. Simply select the attribute
you wish to modify, and you will be given the following
information:
- A one line description of the attribute.
- The name of the attribute as it appears in the
Sentry.ini file. This will appear in brackets under
the one-line description.
- A brief description of the attribute and it's uses.
- Valid settings for the attribute, if applicable.
- Any security notes, if applicable.
- The default value for the attribute.
- The current value for the attribute.
At this time, you will be prompted to enter a new value for the
attribute. Pressing ENTER on a blank line, or pressing the ESC
key abort any changes the current value.
Sentry performs strict checking on the values you enter, and
will not save an invalid value. For this reason, you should
change your Sentry.ini settings from the SuperUser menu whenever
possible.
5.11 Exit
This simply returns you to the DOS prompt. It is the same as
pressing the ESCAPE key.
6.0 Using Sentry With Windows
=============================
6.1 General
Sentry is also adaptable to Windows, allowing you to keep users
away from DOS. This may be desirable if you enter Windows
immediatly upon startup (I.E.: your autoexec.bat contains "win"
as a command). If you want to limit access to your system as a
whole, you could install Sentry in the usual way. This would
keep out unwanted users all together. If you want to also limit
access to the DOS prompt from Windows, you can do that too. All
you must do is create a new instance of Sentry (see below), and
then simply set up your windows to run Sentry when you drop to
DOS. The example setup below assumes you have installed an
instance of Sentry in c:\Sentry\Inst1, but you can substitute
your actual directory names in where applicable.
6.2 Installation Procedure
Installing Sentry in the Windows environment is simple. Included
in the Sentry zip file are 2 files:
Sentry.grp
Sentry.pif
Copy both of these files into your windows directory. Now, enter
Windows and from the Program Manager, select [F]ile, then [N]ew.
Next select Program Group. When prompted, enter "Sentry" for
both description and file name. Now you should see a new program
group called Sentry. The Sentry program group should contain a
single icon, labelled MS-DOS. This icon actually points to
sentry.pif, which contains specific information about running
Sentry.
You can edit the new icon (highlight it and press ALT-ENTER) and
change the working directory to point to your Sentry files.
IE: c:\Sentry, or c:\Sentry\Inst1, etc.
From here, run the Pif Editor program (the icon is a little
tag), and open Sentry.pif. Now change the "Program Filename" to
point to your Sentry.exe file.
IE: c:\Sentry\Sentry.exe, or c:\Sentry\Inst1\Sentry.exe, etc.
In Addition, change the "Working Directory" to be the same as
the working directory for the icon (see above). Once you save
the .pif file, you are all set.
At this point you should test out the new Sentry icon to make
sure it works ok. When you double click on the new icon, it
shoould take you directly to Sentry. Once you have entered a
correct username and password, it will then drop you to a
regular DOS shell. You can type "EXIT" to return to Windows at
any time.
Once you are sure it works, remove your old MS-DOS icon, so that
users cannot use it to drop straight to DOS. You can drag your
new icon into the same location as your old MS-DOS icon, so
everything will look the same.
Now there is one last step. If a user were to exit Windows, they
would be at the DOS level, which is not what we want. Since your
autoexec.bat file is running windows on startup, you can block
people from exiting by forcing them to go through Sentry. You
can do this by adding a call to Sentry after the win command in
your autoexec.bat.
For example, the last few lines of your autoexec.bat might look
like this:
----------------- CUT ----------------
win
\Sentry\Inst1\Sentry
----------------- CUT ----------------
Alternatively, you can add the security measures described in
section 6.3 below.
And that's it. If it seems like a complicated process, just try
the steps one at a time, and make sure everything works ok. The
end result is that when you click on the MS-DOS icon, it will
run Sentry before dropping you to the DOS shell. That means that
you can limit access to the operating system, without pulling
any fancy tricks in Windows. Since you have made a new instance
of Sentry, you could have one instance run when you boot up
(giving access to windows), and have another instance run when
you click on the DOS icon (giving access to the operating
system). That way, a user that has access to windows may not be
able to drop to DOS.
Be warned however that Sentry will still lock up your system
when a user fails to log in. This may cause you to lose any
information you have not saved in your Windows session, if
Windows becomes unstable.
If Sentry does lock up your system, you may be able to recover
back to Windows by pressing CTRL-ALT-DELETE and closing the DOS
prompt. This will still not allow access to DOS, but you will
not lose anything you were working on.
6.3 Additional Windows Security
There are additional security measures built into Windows that
should be considered when using Sentry. After all, securing the
MS-DOS icon won't do any good if someone can edit it back to the
way it was.
To add more security to your Windows system, just add this
Restriction section to your progman.ini file:
----------------- CUT ----------------
[Restrictions]
EditLevel=4
rem Stops the creation, movement, copying, deletion, or
rem modification of ANY groups or icons.
Noclose=1
rem Prevents a user from exiting windows.
NoRun=1
rem Disables the run command selection from the file menu.
NoSave=1
rem Stops the selection of save settings on exit from program
rem manager.
NoSaveSettings=1
rem Disables the save settings on exit command, so any changes
rem made to the your program manager group icons and windows
rem cannot be saved upon exiting windows.
----------------- CUT ----------------
To nulify any of these entries, remove it or change the value
from 1 to 0. You can delete the file manager Icon as an
additonal security precation.
6.4 Windows 95
Sentry is easily adaptable to use in a Windows 95 environment.
In most respects, the setup is the same as in a DOS/Windows
environment.
As before, ensure that the call to Sentry is at the beginning of
your AUTOEXEC.BAT file. The Sentry.pif file and Sentry.grp file
will still work with Windows 95, although at this time I have
not drawn up specific instructions for installation.
I have not yet conducted thorough tests in a Windows 95
environment, however documentation for this should be
forthcoming in a future revision.
7.0 Securing Other Programs
===========================
7.1 General
In some cases, it might be beneficial to secure a single
program. It might be a word-processor, a mail program, or even
Windows. In any case, you can secure it with Sentry, even if you
don't use Sentry during boot-up. You will probably want to
create a new instance of Sentry (see below) for each program you
want to secure. That will allow you to have different accounts
and passwords for each program.
7.2 Setup
To set this up, all you have to do is write a batch file of the
following format, and stick it in a directory in your path.
(C:\DOS is almost always in your path, so you could stick these
batch files there). In this example, we will secure the program
called RUNME (loacted at C:\prog\runme.exe):
----------BEGIN RUNME.BAT-----------------
@echo off
c:
\Sentry\Inst2\Sentry
cd \prog
runme
cd \
-----------END RUNME.BAT------------------
The program as shown above will run Sentry before it runs
RUNME.EXE. As long at the batch file is in your path ahead of
RUNME.EXE, RUNME.BAT will execute first, barring the user from
running RUNME.EXE without running Sentry first. C:\DOS is almost
always first in your path, so this will work for everything but
DOS programs. You can add a new directory to you path by editing
your AUTOEXEC.BAT. If you add it to the beginning, and place all
your batch files there, they will run first. The only exception
to this rule is that if the user is in the directory containing
RUNME.EXE they will not execute RUNME.BAT first.
This is not by any means a perfect method of securing a program.
It will work in most cases, but with the proper knowledge and
patience, this method can be defeated. If your users are
skilled, don't rely on this method to be "bullet-proof." (Sentry
was not designed for this purpose, it is merely an additional
use).
Future versions of Sentry may have an "automated" method for
doing this if the need exists.
8.0 Creating a new Instance of Sentry
=====================================
In some of the scenarios listed above, you may be required to
create a new "instance" of Sentry. That is to say, a completely
new copy of Sentry, that works independantly of all other
copies. This is a fairly simple process, that you can perform as
many times as required.
The first thing you must do when creating a new instance is to
create the directory you wish to place it under. If you plan to
have several instances, you may want to create a Sentry main
directory, with your instances branching off of that. For
example:
c:\Sentry
|
+----+------- Inst1
|
+------- Inst2
This will allow you to keep all your Sentry files well
organized, and seperate from your other programs. Create a
directory for each instance you anticipate you will need. From
there, simply copy ALL of the Sentry files into each directory.
The final step is to set up the accounts of each instance
according to your needs. To do this, you must go into each
directory individually and run Sentry. Now log in as a SuperUser
and set up all the required accounts. Remember that each
instance is independant of the others. Your password file should
not be the same for any 2 instances (otherwise there is no
advantage to having 2 instances). That means that the PassFile
setting in each Sentry.ini must be different, and your password
files must be in different locations. For simplicity's sake, you
may want to keep your password file for each instance in the
same directory as the other related Sentry files. (The password
file for Instance 1 goes into c:\Sentry\Inst1, and so on).
You should always test out each instance and make sure it works
before using it.
9.0 Registration
================
If you use Sentry on your machine(s), I urge you to register. I
have put a lot of time and effort into making Sentry a viable
security program, and I would appreciate the effort very much.
On the other hand, I realize that not everyone can afford to
register. In that case, please feel free to continue to use the
ShareWare version. There are no limitations on how long or how
many times it can be used. My intention with Sentry was to make
a contribution to PC security, and to make it available to
everyone. All I ask is that if you use Sentry, and are able,
please register.
The shareware version of Sentry has all the functionality of the
registered version, with one exception: it does not encode
passwords. This will allow you to test out all the functions of
Sentry before you commit to purchasing it. The ShareWare version
in itself is a very secure program as is, however if you are
serious about Security, plaintext passwords are not a viable
option.
To order, simply fill out the order form provided (Order.frm)
and e-mail or snail-mail a copy to me.
As a registered user, you will receive:
- The full Sentry program (with password encryption) and
related files on 3.5" disk.
- A laser printed user's manual (essentially this file,
with a few changes in format and content).
- Online internet support via e-mail.
- Free upgrades as soon as they are available.
- Notices about any potential security risks, and
instructions on how to protect yourself.
- The ability to request specific features in future
versions of Sentry.
NOTE: Registered versions are not inter-compatible. That is,
user X's password file is encrypted differently than user Y's
password file. The version of Sentry that you recieve is good
only for you and your files. (Likewise, nobody else can use
their copy of Sentry with your password file). See the order
form for information on obtaining compatible versions of Sentry.
10.0 Revision History
=====================
10.1 Pre-Release Notes
March 95 - My search for DOS security programs is
unsuccessful. The general idea for Sentry is
formed.
April 95 - Coding for Sentry begins.
May 95 - Still coding...
June 95 - Sentry is now a complete program.
July 95 - Beta testing. Many updates made.
10.2 Sentry V1.0
Release Date: 20 July 95
- Sentry V1.0 (Shareware) is released. Contains basic
functionality. At this point, Sentry is approximately 1700
lines of code.
10.3 Sentry V1.1
Release Date: 27 July 95
- Sentry V1.1 Released. V1.1 fixes some serious bugs in V1.0,
and has these additions:
* Date format is selectable.
* Users with no password expiration are not
assigned an expiry date on entering a new
password.
* Incorrect password verification displayed
immediately when creating a new user, or toggling
SuperUser status.
10.4 Sentry V1.2
Release Date: 29 July 95
- Sentry V1.2 Released. Some more minor bugs are repaired and
several areas are updated. Additions are:
* Memory management improved.
* All user stats now shown instead of just login
name.
* The keyboard buffer is flushed after an invalid
login attempt.
10.5 Sentry V1.3
Release Date: 01 Aug 95
- Sentry V1.3 Released. Again, more bugs were fixed in this
version. Additions are:
* The log file is now much more detailed than
before, and includes a time stamp on every
action.
* A bug with deleting a user listed as 15th or
later in the password file has been fixed.
(Regardless of what page the user you selected to
delete was on, a user from the first page was
always deleted).
* A bug in the multi-user display was fixed. (If
the last page contained one user, you could not
page down to see him).
10.6 Sentry V1.4
Release Date: 08 Aug 95
- Sentry V1.4 Released. Some minor changes have been made,
mostly for the sake of appearance. Additions are:
* The Sentry.ini file now allows the user to select
the colours to be used for normal and highlighted
text.
* Input routines have been improved and simplified.
Inapropriate characters have been stripped from
the input stream.
10.7 Sentry V2.0
Releaase Date: 11 Aug 95
- Sentry V2.0 Released. Many revisions, fixes and additions have
been made to the program for this release. Most of the update
ideas came from Bret Jacobsen. Additions include:
* Invalid login/password length messages (both to
the screen and log file) are user-definable in
the Sentry.ini file.
* If a normal user attempts to log in as a
SuperUser, it is recorded in the log file.
* The SuperUser Login flag is cleared after an
invalid login. (This is a bug fix: previously if
CTRL-ENTER was pressed during an invalid login
attempt, the next successful login attempt would
be as a SuperUser, as long as the user had
access).
* A bug with the Toggle SuperUser Access option
corrupting the time stamps has been fixed.
* The log file is again re-organized to be more
"readable."
* You can no longer delete the last SuperUser on
your system (thereby locking yourself out).
Sentry performs a check previous to deletion and
will abort if you are deleting the last
SuperUser.
* A bug with the input skipping characters was
fixed.
* After a successful login, the number of invalid
login attempts since your last successful login
is now shown.
* The user can now abort a password change, unless
the password has expired.
* The option to reset an account's password has
been added to the SuperUser menu.
* You can now define the number of invalid logins
permissible before an account expires (locks up).
The default setting is defined in the Sentry.ini
file, and the settings for individual accounts
can be modified from the SuperUser menu.
10.8 Sentry V2.1
Releaase Date: 20 Aug 95
- Sentry V2.1 Released. Changes include:
* Input no longer automatically ends after
"MaxPasswordLen" characters have been entered at
the login or password prompts. Input continues as
required, however only "MaxPasswordLen"
characters are used. Any extra characters are
discarded.
* Case sensitivity for logins can now be turned on
and off via the Sentry.ini file. This is
applicable to logins only, passwords are still
case sensitive.
10.9 Sentry V2.2
Releaase Date: 10 Sep 95
- Sentry V2.2 Released. Changes include:
* Sentry now uses windowed screens for all output,
as opposed to simply directing output to the
entire screen.
* When entering dates, the year is now checked. If
it is not 4 characters, the user is forced to
re-enter it. This was causing problems with
Sentry accepting '96' as a valid year, and
subsequently not translating correctly.
* A bug with the password encoding scheme has been
fixed. The encryption used to truncate passwords
at length 8, causing only the first 8 characters
to be recognized. For SuperUsers, this meant that
passwords over 8 would not contain the SuperUser
stamp (it was truncated). This problem has now
been rectified, and passwords are significant for
MaxPasswordLen characters. All in all, this
seriously increases the amount of security
available from Sentry.
NOTE: Because of the above modification, older
versions of Sentry cannot use password files from
V2.2 and up. The reverse is not true however, as
Sentry V2.2 can use password files all the way
back to V1.0.
Also note that to use passwords over 8
characters, you must re-create the old passwords.
This can be easily done by selecting the "Change
Account Password" option from the SuperUser menu.
10.10 Sentry V2.3
Releaase Date: 24 Sep 95
- Sentry V2.3 Released. Changes include:
* Small bugs with windowed mode have been fixed.
* Windowed mode is now optional. For those that
prefer "normal" operation, you can set that in
the Sentry.ini file.
* Log file viewing can now handle long lines, and
you can skip to the end of the file by pressing
the ESC key once.
* Quickstart instructions are now included in the
Qstart.txt file.
10.11 Sentry V2.4
Releaase Date: 06 Oct 95
- Sentry V2.4 Released. Changes include:
* The Sentry.ini file can now be edited from the
SuperUser menu. The user can get information on
each attribute, including a brief description,
security notes, default setting, and the current
setting just by selecting which attribute they
wish to change.
10.12 Sentry V2.5
Releaase Date: 10 Oct 95
- Sentry V2.5 Released. Changes include:
* Sentry can now be run from any location. The user
does not have to be in the Sentry home directory
for it to work properly.
11.0 Technical Notes
====================
11.1 Encoding Algorithm
The encoding algorithm used is the standard UNIX crypt()
algorithm. It is a one-way encoding algorithm that incorporates
the Data Encryption Standard (DES) and RSA technology. It is
used on UNIX systems to secure passwords. (As a note, the
encryption code is not included with the ShareWare version, so
no amount of examining the code will reveal the algorithm).
The users' passwords are never decoded. They are stored on disk
and in memory in an encoded format. The entered passwords are
encoded using the same algorithm and matched in an encoded form.
This prevents disk or memory scans from revealing the password
to prying eyes.
I have begun running some tests on cracking the passwords, and I
will include my results. So far, this is what I have found:
Password Length Maximum Time to Break
------------------------------------------------
4 22 days
5 1368 days or 3.75 years
6 232.4 years
7 14409 years
8 893357 years
All times listed are approximated as using a Pentium 90MHz CPU
and an alpha-numeric password.
These figures may be adjusted as my testing becomes more
accurate. The above figures also assume you know the length of
the password, which cannot be determined by looking at the
encrypted version. As a result, the search time may be much
greater.
SuperUser access is also encoded in the password. I tried many
different ways before finally settling on this. It is the most
secure method. Actually, SuperUser access is stored on the
password (which is then encoded), and then stored again on the
encoded password. That looks like:
password <-- Password as entered.
super(password) <-- Password with SuperUser stamp.
* This is the stamp that is
used to determine access.
crypt(super(password)) <-- Encoded password password with
SuperUser stamp.
super(crypt(super(password))) <-- SuperUser stamped encoded
password with SuperUser
stamp.
* This is the stamp that is
used to "see" who has
SuperUser access.
That way when you use the "View Users" command, you can see
which ones are SuperUsers. However, since the non-encoded
SuperUser stamp can be edited, it is only used for viewing. The
encoded SuperUser stamp is used for access. If anyone attempts
to alter the non-encoded stamp, a warning will be displayed in
the log file each time that user logs in.
11.2 Time Stamps
The time stamps used in Sentry are in the standard UNIX format.
That is, the number of seconds since 01 Jan 1970 00:00:00.
NOTE: I have found one date which always seems to cause an
error. 01/01/1997 translates to 01/15/1995 (1st day of the 15th
month of 1997). This is obviously incorrect. I have determined
it is a bug in Borland's date conversion routines. It is the
ONLY date that causes problems, to my knowledge, all others
translate fine. I advise against using 01/01/1997 for any expiry
dates.
11.3 Files
The following files are included with this release of Sentry:
Sentry.exe This is the executable program.
Sentry.ini The initialization file.
Sentry.pwd The password file.
Sentry.pif The Sentry .pif file for Windows.
Sentry.grp The Sentry Group file for Windows.
File_id.diz Short description file.
Order.frm The order form.
Readme.com Displays this file.
Readme.txt This file.
Qstart.txt Quickstart instructions.
Whatsnew.txt A short description of modifications to the
latest version.
If you do not have all of these files, Sentry will probably not
work for you. You can pick up a complete copy of Sentry (and
updates as they become available) at:
http://dragon.acadiau.ca/~910318b/Sentry.html
11.4 File_id.diz
The actual contents of the file_id.diz file are shown below. If
any modification has been made to the original file, please
re-create it from the following section.
NOTE: this is primarily for SysOps of BBS's. Single users can
delete the file_id.diz if they wish. (However, please make sure
that all files are present if you distribute the program.)
-------------------CUT----------------------
(V2.5) Sentry - Security for DOS/Windows
Sentry is a DOS based security program that
allows you to control and monitor access to
your PC. It can support up to 100 users and
has normal and "SuperUser" access. It can
also be used in Windows to secure the MS-DOS
icon. Installed correctly, Sentry can be an
extremely powerful security tool for your PC.
http://dragon.acadiau.ca/~910318b/Sentry.html
Mike Bobbitt [Mike.Bobbitt@AcadiaU.Ca]
-------------------CUT----------------------
11.5 General
Sentry is written entirely in Borland C for DOS. As of version
2.5, Sentry contains over 2600 lines of code. Portability
between machines is not an issue, since Sentry has been designed
and tested on standard MS-DOS machines.
Sentry is verified to be compatible with Windows 3.x and Windows
95.
12.0 Potential Threats To Security
==================================
Never underestimate your users. And never be satisfied that your
system is completely "air-tight". Users are incredibly apt at
finding loopholes in security, and once found, these holes can
be expoited. Because of this, I am listing below all of the
security loopholes that I am aware of at this time.
12.1 The Password File
Let me once again stress again that the time stamps and user
names are not encoded in the password file. This means that if a
malicious user found the password file, he could edit it, and
effectively wreak havoc on your system. Bear in mind that the
password file is automatically hidden by Sentry, so finding it
is not always easy. Also, most of these methods require a
working knowledge of how Sentry operates, and that is not
commonly available. The best source for that information would
be from this file, which is deliberately missing some key pieces
of "technical" information.
If a user did manage to find the password file however, he could
do any of the following:
- Add/Remove an expiry date (account or password)
This is not a serious issue for passwords, as the user
would still have to enter their old one before being
notified that their password has expired. An attacker
cannot expire a password and then log in to that account.
- Edit a username
This would effectively lock out that user, unless they
could guess their new user name.
- Delete a user
Users can be deleted, but not created.
- Destroy a password
Since passwords are encoded, there is no way to change a
password to something usable. An edited password will
likely lock that user out of their account, until the
password is reset.
- Change "last login" information
Not critical, but could be used to cover an attackers
tracks.
- Change "number of invalid logins since last login" information
Same as above.
- Add/Remove restrictions on the number of invalid login attempts
Could allow a "brute force" technique to work on an
account password if the restriction was lifted. Also, if
an attacker set this restriction to 1 invalid login, that
account would be disabled if a single failed login attempt
was made.
It is important to know however, that a renegade user can never
grant himself SuperUser privileges, nor can he ever view any
users password, or attempt to effectively modify one. To perform
any of these functions, he must be logged in as a SuperUser. In
fact, not even SuperUsers can view passwords. Nobody can. (They
can never be decrypted, remember?)
In essence: KEEP YOUR PASSWORD FILE SOMEWHERE SAFE, AND
GUARD YOUR SUPERUSER PASSWORDS!
12.2 Hardware Loopholes
Although it is unlikely that a user will do this, there is a
potential security risk to Sentry. Fortunately, this method can
only be implemented by technical users. If a user really wants
to get into your system, he can disassemble it, and take the
battery out of your BIOS. This will reset your BIOS to the
standard setup, which does not include password protection. From
there, the user can enter your BIOS, and change the boot
sequence from C,A to A,C. This means that your computer will
search for a boot disk before booting from your hard drive.
Therefore, the user can get in if he has a pre-made boot disk.
Like I said, it's unlikely, but possible. If you want to fix up
this back door, you can re-wire your floppy disk drive so that
it is never used on boot up. I do not have instructions for that
at this time, however I am looking, and will include them in
future.
Along the same lines, a user could replace your hard drive (the
one containing Sentry) with another hard-drive. This way he
could then boot up using the new hard drive, and never have to
worry about Sentry. Also, if he kept your hard drive on the
system (as drive D for example), he could still access your
data. This kind of trickery is highly improbable, but not
impossible.
The above two methods take more technical skill than the average
user posesses, and should not be considered a serious threat. I
include them simply so you can be aware such things exist. If
you are concerned about attacks of this nature, you should
secure your system's case to the frame (IE: make it impossible
to open the case with a screwdriver).
It is critical to realize that it is EXTREMELY difficult to
repel a determined and well-organized attack. Using Sentry does
not guarentee your computer's safety. It does however greatly
reduce the threat of a successful attack, and more importantly,
it can alert you to potential threats before they become a
serious problem. Your ability to defend is much greater once you
know you are under attack. Sentry can assist in keeping you
informed of suspicious actions on your PC, and it is a powerful
tool in defeating most threats.
13.0 Troubleshooting
====================
13.1 Error messages
Below are listed all possible error messages you can get while
running Sentry. With each is a brief description of what it
means, probable causes, and how to fix it.
Please be aware that ALL of these errors cause Sentry to
lock-up. This may be an inconvenience at times, but it is done
for security reasons (that way an attacker can't "induce" an
error and get into the system).
13.1.1 Error opening password file!
This means your password file cannot be found or opened. Make
sure your password file is at the location specified by
"PassFile" in your Sentry.ini file. As long as it's there, you
should have no problems.
13.1.2 Error opening temp file!
A temporary storage file cannot be opened. Make sure you have at
least a little disk space left when you run Sentry.
13.1.3 Error in creating log file!
The file that logs all transactions to your computer cannot be
created. Make sure you have specified a valid pathname for
"LogFile" in the Sentry.ini file, and make sure you have some
free space on your drive. If a log file already exists, it will
be appended to. Otherwise it will be created.
13.1.4 Error opening log file!
There is a problem with the log file. Make sure that the log
file pointed to by "LogFile" in the Sentry.ini file is not
write-protected.
13.1.5 Error opening Sentry.ini file!
This means that your Sentry.ini file cannot be found. Make sure
the Sentry.ini file is in the same directory as your Sentry.exe
file, and that it is named correctly.
13.1.6 Error in Sentry.ini file! [XXXXXXXX]
Your Sentry.ini file does not follow the correct format. The
error message should have a word in square brackets after it
(IE: [PassFile], [PasswordExpiresIn], etc). This is the
attribute in the Sentry.ini file that is causing the problems.
(Sentry expects to find that attribute but doesn't). Use an
editor to set the attribute correctly. If you are completely
lost, restore the Sentry.ini file from you backup, or use the
default attribute setting listed in the comments of the
Sentry.ini file.
13.1.7 Registration Error - Program Aborted!
Someone (probably you) has tried unsuccessfully to change the
registration information. Very naughty, but if you want to fix
it, simply restore Sentry.exe from your original copy.
13.1.8 Error in time stamps.
This means there is a problem with the time stamps on a user's
account. You can attempt to manually edit a user's record in the
Sentry.pwd file, but I don't recommend this. If you don't know
what you're doing you are more likely to cause additional
problems than to fix the user. Otherwise, you can try restoring
your password file from backup. If you continue to use a
password file that is corrupt, you will probably find you are
locked out quite frequently. It should be a top priority to fix
the password file.
13.1.9 Out of memory!
When this error appears, it means that for some reason, Sentry
didn't have enough memory to run. This is extremely rare, since
Sentry requires very little memory. If this error occurs, try
freeing up some memory by unloading some un-needed programs, or
rebooting.
13.1.10 This account has expired.
Sorry, you're out of luck. The SuperUser(s) have set your
account to expire, and so it has. If you ARE the SuperUser,
silly you (you shouldn't let your own account expire!). In that
case, you will have to restore your password file from a backup,
and make the necessary changes to get your system running.
13.2 Other problems
When I run Sentry, is displays a warning saying I am using a
newer/older version of the Sentry.ini file.
A: You should probably get the latest version of Sentry (see
section 11.3 for info on obtaining the latest version). Replace
all your current files with the files you retrieve. This warning
may not be a problem in itself, however it is not a good idea to
use a Sentry.ini file from a different version.
I get a warning about users being tampered with in the log file.
A: Someone has been tampering with your users (obviously). They
thought they could change the SuperUser access on your system,
but really couldn't. The only side effect of this is that some
users may appear to have SuperUser access when they don't (and
vice-versa) when you view them from the SuperUser menu. The
users' actual access has not changed. To remedy this situation,
you can get the user to enter another password (this can easily
be done by expiring their current password). As soon as the new
password is entered, the problem will disappear.
I can't log in at all.
A: Make sure you are a user on the system. Make sure your
Sentry.ini file has been set up correctly. Make sure your
password file is in the right location.
I can't log in as a SuperUser.
A: Did you give yourself SuperUser access? Are you remembering
to hold down CTRL when you hit enter?
My password file is corrupt or deleted.
A: Pray you kept a backup somewhere. At the very least, you
should have the password file sent with Sentry. In that case,
re-install, and log in as Sentry. Since Sentry is initially a
SuperUser, you can re-create your users (don't forget to delete
the Sentry user when you are finished!).
I can't create a c:\Sentry directory on my drive.
A: If you are using MS-DOS's Undelete program, it may create a
directory called "Sentry" off of your root directory. This
directory is hidden, and can only be seen with the "dir /a"
command. (This only occurs if you are using the "delete sentry"
mode). Possible fixes are to stop using "delete sentry" mode, or
to create your Sentry directory as something else (eg:
c:\Sentry2, c:\Secur\Sentry, etc etc).
My password file disappeared, but Sentry still works fine!
A: Your password file is still there, but Sentry has hidden it
from normal view. When you type "dir" your password file will no
longer show up. This is done to confuse and mislead any
potential attackers. If you want to check to make sure it is
really there, type "dir /a" and it should show up. The log file
is protected with the same measures.
I copied my Sentry files to another drive/directory, and now it
says my password file is not found!
A: This is (once again) because the password file is hidden.
When the copy operation was performed, it didn't "find" the
hidden file and therefore was not copied with the other files.
Older versions of the DOS copy command can copy hidden files,
but that function has been removed in later versions. The best
bet to avoiding this is to re-install Sentry on the destination
drive/directory and create your accounts from scratch. (There
are ways to move the password file, but I won't discuss them
here).
15.0 Standard Disclaimer
========================
Inexperienced users should take care this program, as you may
lock yourself out of your computer!
If you feel you want to use it, but don't feel completely
confident, leave a "back door" for you to use. (IE: don't
implement all of the security measures listed in "Securing Your
Computer"), so that if you DO get locked out, you can still get
in somehow.
I have not included a nice simple install program on purpose. If
you aren't familiar with the basics of DOS, then you probably
shouldn't be installing Sentry anyway. If there is a need for an
install program, I may include it in a future release.
I take no responsibility for how you use this program, or any
effects it may have on your system.
Having said that, I would greatly appreciate any comments you
might have about my program (either positive or negative). If
you find any problems, or have a suggestion for making Sentry
better, please let me know, and I'll try to put it in a future
release. I look forward to hearing from you.
You can contact me via e-mail at Mike.Bobbitt@AcadiaU.Ca and I
will reply as quickly as I can. If you do not have internet
access, you can contact me via surface mail at:
Michael A. Bobbitt
P.O. Box 1336
Wolfville, NS
B0P 1X0
16.0 Credits
============
My thanks go out to these people:
Mark Saarinen for the encryption algorithm.
D.J. Houghton, Rob Coombs and Jack Hill for testing and
advising during the design phase.
Bret Jacobsen for finding some serious errors in the first
release, as well as continually making suggestions for
improvement. Bret has given invaluable assistance in the
development of Sentry.
...And my wife for listening to me talk incessantly about it.
