Cream of the Crop 1

home *** CD-ROM | disk | FTP | other *** search

/ Cream of the Crop 1 / Cream of the Crop 1.iso / UTILITY / VAULT45.ARJ / VAULTDOC.EXE / ADMIN.DOC next >

Wrap

Text File | 1992-07-15 | 123KB | 2,514 lines

PC-Vault Version 4.5e Hard Disk Protection System Administrator's Manual (c) Copyright 1985, 1991 by Johnson Computer Systems, Inc. 20 Dinwiddie Place Newport News, VA 23602 (804) 872-9583 Table of Contents THANK YOU . . . . . . . . . . . . . . . . . . . . . . . . . . 4 ABOUT THIS MANUAL . . . . . . . . . . . . . . . . . . . . . . 4 WHAT PC-VAULT DOES . . . . . . . . . . . . . . . . . . . . . 5 RESTRICTIONS . . . . . . . . . . . . . . . . . . . . . . . . 6 DISCLAIMER OF WARRANTY . . . . . . . . . . . . . . . . . . . 6 YOUR PC-VAULT LICENSE . . . . . . . . . . . . . . . . . . . . 7 USING PC-VAULT MENUS . . . . . . . . . . . . . . . . . . . . 8 PC-VAULT PASSWORDS AND USER NAMES . . . . . . . . . . . . . . 8 BEFORE INSTALLING PC-VAULT . . . . . . . . . . . . . . . . . 9 The Logo Program . . . . . . . . . . . . . . . . . . . . 9 The HelpUser Program . . . . . . . . . . . . . . . . . . 10 Pre-installation Setup . . . . . . . . . . . . . . . . . 11 HOW TO INSTALL PC-VAULT . . . . . . . . . . . . . . . . . . . 13 USING THE PC-VAULT MAIN PROGRAM . . . . . . . . . . . . . . . 15 HOW TO USE THE MAIN MENU . . . . . . . . . . . . . . . . . . 15 Installing PC-Vault MS-Windows Support . . . . . . . . . 15 How to Change PC-Vault Names/Passwords . . . . . . . . . 16 Selecting PC-Vault Options . . . . . . . . . . . . . . . 16 MAXIMUM floppy boot protection . . . . . . . . . . 16 DISPLAY password entry asterisks . . . . . . . . . 17 SIDEKICK compatibility mode . . . . . . . . . . . . 17 CTRL-BREAK prohibited during boot . . . . . . . . . 17 TIME/date change prohibited . . . . . . . . . . . . 17 BLANK screen during LunchBreak . . . . . . . . . . 17 FREEZE computer during LunchBreak . . . . . . . . . 18 ALL users may exit LunchBreak . . . . . . . . . . . 18 SPECIAL display blanking . . . . . . . . . . . . . 18 User NAMES are required . . . . . . . . . . . . . . 18 USER may change his/her name . . . . . . . . . . . 18 Selecting Limits . . . . . . . . . . . . . . . . . . . . 18 Maximum keyboard IDLE time . . . . . . . . . . . . 18 Minimum number of PASSWORD characters . . . . . . . 19 Number of DAYS passwords remain valid . . . . . . . 19 Minimum NUMBER of different passwords . . . . . . . 19 Maximum invalid logons before ALARM . . . . . . . . 19 Maximum invalid logons before LOCKOUT . . . . . . . 20 SECONDS to wait before auto logon . . . . . . . . . 20 Alternate KEYBOARD/clock handling . . . . . . . . . 20 PC-Vault 4.5e Administrator's Manual - Page 2 Locking and Unlocking PC-Vault Related Files . . . . . . 21 Accessing Your Fixed Disk When Booting From a Diskette . 21 Removing PC-Vault From Your Computer . . . . . . . . . . 21 The PC-Vault Hot Key . . . . . . . . . . . . . . . . . . 22 Selecting Automatic LunchBreak . . . . . . . . . . . . . 22 Controlling User Access to Directories [+] . . . . . . . 22 Controlling Logging of User Activity [+] . . . . . . . . 25 USING THE PC-VAULT PROGRAM AFTER PC-VAULT IS INSTALLED . . . 26 USING PC-VAULT ON LIMITED SYSTEMS . . . . . . . . . . . . . . 27 YOUR PC-VAULT FILES . . . . . . . . . . . . . . . . . . . . . 27 OPTIONAL PC-VAULT FILES . . . . . . . . . . . . . . . . . . . 33 IN CASE OF DIFFICULTY . . . . . . . . . . . . . . . . . . . . 34 HOW TO ORDER PC-VAULT 4.5e . . . . . . . . . . . . . . . . . 35 PC-VAULT VERSION 4.5e ORDER FORM . . . . . . . . . . . . . . 36 PC-Vault 4.5e Administrator's Manual - Page 3 THANK YOU Thank you for investing in PC-Vault (formerly PC-Lock) version 4.5e. We believe you will find it to be an effective and convenient security system for your IBM-PC/XT/AT/PS2 or compatible. Version 1.1 was reviewed in the June 23, 1987 issue of PC-Magazine and listed among "The Best of the Best Utilities." Subsequent versions have provided enhanced security and many new features. Please note that you are not licensed to use this software until you have read and agree to the "DISCLAIMER OF WARRANTY" and "YOUR PC-VAULT LICENSE" beginning on page 6. If you have any suggestions for improvements, please tell us about them. While we cannot make every change in either the manuals or the programs which has been suggested by our users, we do give careful consideration to each suggestion and have implemented many of them. ABOUT THIS MANUAL This Administrator's Manual is written for the PC-Vault and/or PC-Vault Plus administrator. It provides complete information for installing and using both products. The name "PC-Vault" is used to refer to both PC-Vault and PC-Vault Plus unless the text explicitly states otherwise. Sections which describe features which are only available in PC-Vault Plus are indicated by "[+]". The features of PC-Vault are accessed from a few simple menus. This manual describes each menu and provides a detailed description of each feature accessible from that menu. Several features, such as defining a password, may be accessed from more than one menu. These features are fully described along with the administrator's main menu. The following optional programs are briefly described in this manual: Logo - Allows you to design your own logon screen, HelpUser - Allows granting one-time emergency access without knowing any passwords and without compromising security. If there is a file named READ-ME.1ST on your distribution diskette, please read it before proceeding. It contains information on last minute enhancements to the program and its associated manuals. PC-Vault 4.5e Administrator's Manual - Page 4 WHAT PC-VAULT DOES After you install PC-Vault you will be asked to enter a password each time your computer is booted from its hard disk. Just type your password and press Enter. The boot process will then continue normally. When you boot from a diskette, the system will boot normally, but you will not be able to access your hard disk. The PC-Vault LunchBreak feature provides protection for your computer when it is running but the operator is not physically present. When a computer is in the LunchBreak state: The screen is completely blank, The keyboard is locked, and Processing continues normally. This means that a large spread sheet computation, data base operation, or other process will continue normally during LunchBreak. A "would be" observer will not be able either to see or exercise control over the operation. LunchBreak may be activated by pressing the user selectable PC- Vault hot key. If you so choose, the LunchBreak feature will be automatically activated after a selectable period of keyboard and mouse inactivity. When the correct password is entered, the screen and keyboard will return to normal operation. This feature not only provides protection for the data on the PC's hard disk but also protects any mainframe or network to which the PC is logged on. As PC-Vault administrator you may: - Prevent users from using Ctrl-Brk to exit AUTOEXEC.BAT, - Force each user into a specific application, - Prevent users from obtaining a DOS prompt, - Change any user's name and/or password, - Define a minimum password length, - Require users to enter both their user name and password - Require automatic LunchBreak and select a maximum keyboard idle time, - Remove PC-Vault from the computer, - Display a list of illegal logon attempts, - Access the hard disk when booting from a diskette, and - Control several other aspects of PC-Vault operation. PC-Vault 4.5e Administrator's Manual - Page 5 As PC-Vault Plus administrator you may also, - Grant or deny read/write/execute access to specific hard disk directories on a per user basis, - Disallow sector oriented disk read/writes, - Grant or deny read/write/execute access to diskettes, and - Obtain a log (history) of the activity of each user including illegal access attempts, programs executed, and files accessed. This software security program is probably somewhat more secure than a dead bolt lock on your front door. A sufficiently knowledgeable and determined individual will be able to circumvent the system, as indeed any software security system can be circumvented. The level of protection provided is, however, sufficient for most purposes and exceeds that of any similar program known to us. RESTRICTIONS Norton Cache version 6.0 contains a very serious bug which may destroy all of the data on your hard disk if you have both Norton Cache Intelliwrites and PC-Vault Maximum Floppy Boot Protection enabled at the same time. (It may also cause similar problems when used with other disk related software products.) This bug was fixed in Norton Cache version 6.01 which was distributed free to all registered version 6.0 users. We strongly recommend that you upgrade to version 6.01 on all your machines whether or not you plan to use PC-Vault on them. PC-Vault may work with Windows versions 1.x or 2.x but we no longer explicitly support versions prior to 3.0. Currently, the LunchBreak feature does not work reliably when you are in a Windows DOS Box. This will be fixed in a forthcoming release. PC-Vault will not install if your hard disk uses a non-standard sector size. Your hard drive(s) must not contain partitions belonging to operating systems other than DOS. Do not use FDISK or other partitioning software while PC-Vault is installed. DISCLAIMER OF WARRANTY PC-Vault, PC-Vault Plus, AND ASSOCIATED SOFTWARE AND THIS DOCUMENTATION ARE SOLD "AS-IS" AND WITHOUT WARRANTIES AS TO PERFORMANCE OR MERCHANTABILITY. THE SELLER'S SALESPERSONS AND/OR PC-Vault 4.5e Administrator's Manual - Page 6 THIS OR OTHER DOCUMENTATION PROVIDED BY JOHNSON COMPUTER SYSTEMS, INC. MAY HAVE MADE STATEMENTS ABOUT THIS SOFTWARE. ANY SUCH STATEMENTS DO NOT CONSTITUTE WARRANTIES AND SHALL NOT BE RELIED ON BY THE BUYER IN DECIDING WHETHER TO PURCHASE AND/OR USE THIS PROGRAM. PC-Vault, PC-Vault Plus, AND ASSOCIATED SOFTWARE AND THIS DOCUMENTATION ARE SOLD WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES WHATSOEVER. BECAUSE OF THE DIVERSITY OF CONDITIONS AND HARDWARE UNDER WHICH THIS PROGRAM MAY BE USED, NO WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE IS OFFERED. THE USER IS ADVISED TO BACKUP ALL DATA ON HARD DISKS BEFORE TRYING IT, AND TO THOROUGHLY TEST IT BEFORE RELYING ON IT. THE USER MUST ASSUME THE ENTIRE RISK OF USING THE PROGRAM. ANY LIABILITY OF SELLER OR MANUFACTURER WILL BE LIMITED EXCLUSIVELY TO PRODUCT REPLACEMENT OR REFUND OF THE PURCHASE PRICE. If within thirty days after we ship your order, you wish to discontinue using PC-Vault because it does not perform to YOUR expectations or because you do not agree with the terms and conditions under which it is sold, we will be happy to refund your full purchase price. Just write to us stating that you do not and will not have PC-Vault installed on any of your computer(s) and that you no longer have any copies of the program. Enclose the original PC-Vault diskette(s) with your letter. We would appreciate a description of any problem(s) you encountered, but you are in no way obligated to provide one. YOUR PC-VAULT LICENSE AFTER you have read and AGREE TO the Disclaimer of Warranty you are licensed to install and use PC-Vault Version 4.5e on the number of computers for which you have paid the license fee as shown in the fee schedule on page 35. Removing PC-Vault from one computer and installing it on another is specifically permitted and does not increase the number of computers for which the license fee must be paid. Any form of disassembly or reverse engineering of any portion of any version of PC-Vault is specifically not included in your license or granted by it and is explicitly prohibited. PC-Vault Version 4.5e is a fully copyrighted software product and Johnson Computer Systems, Inc. reserves all rights which are not specifically granted in this license. PC-Vault 4.5e Administrator's Manual - Page 7 USING PC-VAULT MENUS Each menu contains the list of functions which you may perform when that menu is displayed. You may select any item from a menu simply by Pressing the letter displayed in front of that item, or Using the "up" and/or "down" cursor control keys to position the light-bar (inverse video bar) over the item and pressing Enter. Additional information about a function may be displayed by moving the light bar to the item and pressing the "?" key. Letters and the "?" may be typed in either upper or lower case. Either the Escape or the "E" keys may be used to exit any menu. The menus shown in this manual may differ slightly from those displayed on the screen due to page/screen size limitations. PC-VAULT PASSWORDS AND USER NAMES All PC-Vault passwords consist of zero to sixteen characters (key-strokes). The minimum password length may be set to any value from zero to sixteen. User names are optional. If used, they must be from one to seven characters in length. User names are set by the administrator, and may also be set by the user if the administrator has granted that permission. You must enter a password (and at the administrator's option, a user name) whenever the computer is booted from the hard disk, whenever you wish to exit LunchBreak, and whenever the PC-VAULT program is started. If user names are required, begin by entering your user name and pressing the Enter key. Then enter your password and press the Enter key. If the entry is incorrect you will hear a beep and the system will wait for you to start the process over with the user name. The backspace key may be used to correct errors in the normal manner. The escape key may be used to terminate the present attempt and start all over. The Enter key signifies the end of your user name or password. After entering a password, you may hear a sequence of "beeps" alternating between two tones. This is called an alarm and occurs when a number of consecutive incorrect user name/password entries have been entered. The number of consecutive incorrect entries required to trigger the alarm is determined by the administrator. If the number of consecutive errors exceeds PC-Vault 4.5e Administrator's Manual - Page 8 another limit, also chosen by the administrator, the machine will sound the alarm and then lock for five minutes following each incorrect entry. Turning the machine off will not influence the count of incorrect entries. If the machine is turned off during a five minute lock-up, the five minutes will be repeated from the beginning when the machine is next re-booted. For more information on user names and passwords, see the section on changing passwords on page 16. BEFORE INSTALLING PC-VAULT You may skip this section and go directly to the "INSTALLING PC- VAULT" section if: You are not using PC-Vault Plus, and You only want one password on your computer, and You do not have the optional HelpUser or Logo programs. You, as administrator, may select an original administrator password and make several other choices about how you want PC- Vault to work on your computer(s). This is done by using one or more of the three programs described in this section to modify a copy of the PC-Vault program itself before you install it. You may then use the modified copy to install PC-Vault on one or more computers and your administrator password and other selections will automatically be in effect. Please place a diskette containing a COPY of the file PC- VAULT.EXE in drive A:. Your original PC-Vault diskette is not copy protected and may easily be copied using the COPY command. The DISKCOPY command will not work, so please use COPY. THE CHOICES YOU MAKE IN THIS SECTION WILL ONLY AFFECT THE COPY OF PC-VAULT.EXE THAT IS ON THE DISKETTE IN DRIVE A:. NO CHANGES WILL BE MADE TO THE COMPUTER YOU ARE USING. The three programs which may be used are HelpUser, Logo, and PC- Vault itself. These programs may be used in any order. HelpUser and Logo are optional programs whose functions are described in the next two sections. Detailed instructions for using PC-Vault to select an initial administrator password and other features of PC-Vault are included in the "Pre-installation Setup" section starting on page 11. The Logo Program The Logo program allows you to design the appearance of the user name/password request screen that is displayed when you boot your computer. You may completely replace our logo and messages. PC-Vault 4.5e Administrator's Manual - Page 9 Logo provides something similar to a full screen editor which is used to design your logon screen. Once it is designed, you may save your design to a file which you can recall at any later time for additional editing, and/or you may install your design into PC-VAULT.EXE replacing our screen with your design. You may wish to install your company's logo, or have a misleading screen such as "System Board Error 101". If you are using PC- Vault Plus, you might provide very restricted access to anyone who desires to use the system and greater access to specified users. You could accomplish this by assigning a password of GUEST and using Logo to create a boot time message such as, "Please enter your password (if you only wish to use the modem, enter GUEST)." Complete documentation is provided with the Logo program. The HelpUser Program The HelpUser program allows a corporate security officer (CSO) to grant one time access to a machine without the physical presence of the security officer and without either the CSO or the user knowing any passwords. Subsequent access to the same or another machine will require a new approval by the security officer. The CSO will not be able to grant access to machines other than those in his organization. Each copy of HelpUser is unique, and may be run in either the normal mode or in a special configuration mode. When HelpUser is run in the configuration mode, it reads a copy of PC-Vault from a diskette, modifies it to work only with that specific copy of HelpUser and writes PC-Vault back to the diskette. The modified copy of PC-Vault may then be installed on the organization's computers. When an individual needs to gain access to a computer, but doesn't know a valid password, he must call the CSO and convince him/her to grant the access. The CSO then instructs the user to start the PC-Vault program with a special parameter. Instead of requesting the user to enter a password, PC-Vault will display the message: Please read the following string to your security officer: AZq9-Q=4. Then enter the EXACT string you receive in return: The string displayed (AZq9-Q=4 in the above example) is randomly generated and will be different each time. PC-Vault will use the displayed string to compute, but not display, two response strings. The CSO must start HelpUser and enter the exact string which the user read to him. HelpUser will then display both of PC-Vault 4.5e Administrator's Manual - Page 10 the responses for which PC-Vault is waiting. One response will have the same result as entering the administrator's password. The other will have the same result as entering the password for user 1. The CSO simply tells the user the string which corresponds to the privilege he wishes to grant. Complete documentation is provided with the HelpUser program. Pre-installation Setup Pre-installation setup is a simple process that allows the system administrator to modify a copy of the PC-Vault main program (PC- VAULT.EXE) so that it automatically works as desired on each computer on which it is subsequently installed. Pre-installation set up is optional for PC-Vault but is required for PC-Vault Plus. If the setup is not done, you will be able to use only one password. If you do not wish to perform the setup you may go to the "HOW TO INSTALL PC-VAULT" section on page 13. THE PRE-INSTALLATION PROCESS DESCRIBED IN THIS SECTION MAKES NO CHANGES TO THE COMPUTER USED TO PERFORM IT. IT MODIFIES ONLY THE PC-VAULT.EXE FILE ON THE DISKETTE. To setup PC-Vault, place a diskette containing a copy of the file PC-VAULT.EXE (not your original please) in drive A:. (If you wish to use drive B: rather than A: enter the DOS command ASSIGN B=A at the DOS prompt. This will cause your computer to treat drive B: as though it were drive A:) Then enter: PC-VAULT /P The screen shown in Fig. 1 will be displayed. Read the screen and then press any key. The screen shown in Fig. 2 will be displayed. This may seem somewhat redundant, but experience has indicated the value of asking this question one more time. When you are certain you are not using your original diskette press Y to continue. If you have not previously defined an administrator password, the pre-installation main menu shown in Fig. 4 will be immediately displayed. If you have already done pre-installation setup on the copy of PC-Vault in drive A: to define an administrator password, the screen shown in Fig. 3 will be displayed. In this case you must enter your password in order to get to the screen shown in Fig. 4. Please review USING PC-VAULT MENUS on page 8 for general information on menus. An original administrator password must be defined prior to installation in any of the following situations: - You are using PC-Vault Plus, - You wish to have an administrator password, or PC-Vault 4.5e Administrator's Manual - Page 11 - You wish to have more than one user password. To define an original administrator name/password (or names/passwords for other users), select the "P" option from the menu. The exact procedure and the screens you will see during name/password definition are discussed in "How to Change PC- Vault Names and Passwords" on page 16. The O (Select OPTIONS) menu item allows you to determine the way PC-Vault will operate once it is installed. Any options you select at this time may also be selected and/or deselected by you, as administrator, after installation. For additional information on this subject see "Selecting PC-Vault Options" on page 16. The S (SET Limits) menu item allows you to set bounds on certain user selections such as password lifetimes, minimum password length, maximum invalid logons, and maximum keyboard/mouse idle time before LunchBreak is automatically invoked, etc. For detailed information on limits see "Setting Limits" on page 18. The L (LOCK files during installation) option will cause the CONFIG.SYS, AUTOEXEC.BAT, and CLEANDSK.DRV (the PC-Vault device driver) files to be locked during installation. Locked files can not be altered by anyone other than the system administrator. A user cannot delete them or change their names, contents, or attributes. For additional information on locked files see "Locking and Unlocking PC-Vault Related Files" on page 21. The W (Choose WHO will install PC-Vault) option allows you to choose whether the administrator's or user's menu will be displayed after PC-Vault is installed. If the administrator's menu is displayed, the person who installed PC-Vault will be able to change all user names, passwords, options, and limits. In the case of PC-Vault Plus, directory access permissions and logging levels can also be changed. If the user's menu is displayed, the user may change only the User 1 password and perform other functions available to all users. If you choose to have the administrator's menu displayed, you will be asked if you wish to require the administrator's password to be entered in order to install PC-Vault. This will prevent unauthorized persons from installing PC-Vault, and ensure that the installer knows the administrator password. The R (RECORD your choices for later use) option causes the file PC-VAULT.EXE in drive A: to be modified to incorporate your administrator password and other selections. When you use this copy of PC-VAULT.EXE to install PC-Vault on a computer, your selections will be written to the computer's hard disk and will automatically be in effect. PC-Vault 4.5e Administrator's Manual - Page 12 HOW TO INSTALL PC-VAULT Before installing PC-Vault, it is important that you read the warranty disclaimer and the terms of your license starting on page 6. You are not licensed to install and/or use this program until you have read and agree with the terms and conditions contained in those sections. Thank you. While we have a very high degree of confidence in PC-Vault, it is impossible to guarantee that any software program will work on all the millions of differently configured systems on which it may be used. For this reason we ask that you ensure you have a current backup of your hard disk before you install PC-Vault. We do not anticipate that you will experience any problems in installing and using PC-Vault, but we do want you to be able to recover in the unlikely event a problem does occur. If you have an earlier version of PC-Vault installed on your computer, please remove it by using that version of PC-Vault. (NOTE: Your earlier version may have been called PC-Lock.) You will need to have the file PC-VAULT.EXE on a diskette drive or on your hard disk. To install or use PC-Vault simply enter PC-VAULT You may need to type the drive letter if the drive containing PC- Vault is not the default drive, for example: A:PC-VAULT or C:PC-VAULT or C:\PCV\PC-Vault If PC-Vault is not already installed, the menu shown in Fig. 5 will be displayed. Simply select the "INSTALL PC-Vault" option and PC-Vault will install itself on your computer. After PC- Vault installation has been completed a screen giving important information will be displayed. Please read the entire screen carefully. After reading the screen, press any key and a main menu will be displayed. Please note that a file named CLEANDSK.DRV has been placed in the root directory of your hard drive and the line DEVICE=CLEANDSK.DRV has been placed at the beginning of your CONFIG.SYS file. Do not delete the file or the device statement. They will be removed automatically when you de-install PC-Vault. If you wish to de-install PC-Vault, use the "Remove PC-Vault from this computer" option described on page 21. The installation process is completed by selecting any desired items from the main menu. For a complete description of the use of this menu see "HOW TO USE THE MAIN MENU" on page 15. When all desired selections (if any) have been made, select the E (END THIS PROGRAM) option to return to DOS. Protection is now in PC-Vault 4.5e Administrator's Manual - Page 13 effect. The LunchBreak feature will not be available until you reboot your computer. If you are using DOS 5.0 or a memory manager you may wish to install the PC-Vault device driver in Upper Memory Blocks (UMB), or in rare instances, you may need to place the PC-Vault DEVICE statement at another location in your CONFIG.SYS file. You may use any text editor or word processor to modify the DEVICE = CLEANDSK.DRV statement and/or to move it to the desired location. If you expect to remove and re-install PC-Vault from time to time, we suggest placing one of the following lines in your CONFIG.SYS file: Rem CLEANDSK.DRV here Rem CLEANDSK.DRV here (High) Rem CLEANDSK.DRV here (Special,text) PC-Vault will place its DEVICE statement immediately following any of the above lines. If "(High)" is included, PC-Vault will use a standard DOS DEVICEHIGH statement. If "(Special, text)" is included, PC-Vault will create the following CONFIG.SYS line: Device=text CleanDsk.Drv This allows automatic creation of Device statements for QEMM or other memory managers. For example, using: Rem CleanDsk.Drv here (Special,c:\qemm\loadhi.sys /r:2) will create the line: Device=c:\qemm\loadhi.sys /r:2 CleanDsk.Drv Later versions of DOS ignore any CONFIG.SYS statement beginning with "Rem". Earlier versions will display a message stating that they cannot recognize the statement but will otherwise ignore it. If PC-Vault is already setup as you desire, you may do a quick installation by entering: PC-VAULT /I or PC-VAULT /I /W at the DOS prompt or from within a batch file instead of selecting Install from a menu. Use the second form if you wish to also install MS-Windows support (described on page 15). PC-Vault 4.5e Administrator's Manual - Page 14 USING THE PC-VAULT MAIN PROGRAM If you run the PC-Vault program when PC-Vault is already installed on the computer, you will immediately be asked to enter your password. The administrator password or any user password may be entered. If the administrator has so required, you will also have to enter your user name. As soon as a password is correctly entered, one of three main menus will be displayed. The PC-Vault Plus administrator's main menu is shown in Fig. 6. The PC-Vault administrator's menu is the same except that the last two items which control access to directories and logging are not present. The user's main menu contains only items E, H, W, P, K, and I. HOW TO USE THE MAIN MENU For general information on using menus, see "HOW TO USE PC-VAULT MENUS" on page 8. You may return to DOS from the main menu by selecting the E option or by pressing the Esc key. The following sections describe the use of each main menu option. Installing PC-Vault MS-Windows Support Before using the LunchBreak feature with Windows, you must install PC-Vault Windows support by either of two methods: (1) Use the /W switch on the PC-Vault command line when you are installing PC-Vault, or (2) Select the W option from the main menu. This method may be used any time after PC-Vault is installed. Either method will cause PC-Vault to search for your Windows directory, add the files DRVR-APP.EXE and DRVR-DLL.DLL to the directory, and append the characters "DRVR-APP.EXE" to the load statement in your WIN.INI file. If PC-Vault cannot find your Windows directory, it will ask you to enter the directory's drive and path. If you are using the /W switch you may specify the directory by /W=drive:path. For example, if your Window's directory is on drive E: and is named MAIN, you may use: PC-Vault /W=E:\MAIN If you will be using Windows, do not select the "Freeze Computer during LunchBreak" option (page 18) or set the "Alternate Keyboard/Clock Handling" limit (page 20) to a non-zero value. NOTE - It is no longer necessary to select the Special Display Blanking option when using a VGA display with Windows. PC-Vault 4.5e Administrator's Manual - Page 15 How to Change PC-Vault Names/Passwords You may change your name/password by selecting the P (Change PASSWORD) option in the main menu. If the administrator is using the program the screen shown in Fig. 7 will appear. Press the appropriate key to indicate which name/password you wish to change. A screen similar to that shown in Fig. 8 will allow you to change the name associated with the selected user. If you just press Enter, the name will not be changed and you will go directly to the password definition screen shown in Fig. 9. If you enter a new name you will be asked to enter it again to be sure you entered it correctly. The administrator may require that user names be entered whenever a password is required, so please be certain that you remember your user name. If user names have not been assigned, the default names of Admin, User 1, User 2, etc., will be used. If you cannot change user names, please see "USING PC-VAULT ON LIMITED SYSTEMS" on page 27. After the name has been defined the upper portion of Fig. 9 is displayed. Please read the screen and then enter the new password of your choice. If you do not wish to change the password, press the escape key. The example in the figure shows that the user has selected "SECRET-STUFF" as the new password. After you enter your password you will be asked to enter it once more just to be certain it has been entered correctly. The lower portion of the screen shown in Fig. 9 is then displayed and the new password is stored. Passwords are stored in an encrypted form. Whenever you enter a password to gain access, it is encrypted and then compared to the stored value. It is impossible for us to decrypt passwords. It is, therefore, extremely important for the administrator to remember his/her password. If the password is forgotten and your organization has not already purchased and installed the HelpUser program, it will be necessary to perform a low level format of your hard disk. If there were another way to get in, the security provided by PC-Vault would be seriously compromised. Selecting PC-Vault Options Selecting the O (Change OPTIONS) item from the main menu causes the screen shown in Fig. 10 to be displayed. Pressing the letter in front of the option will change its selection/deselection state. Each of the options is described in the following paragraphs. Except as noted, option changes are effective immediately. - MAXIMUM floppy boot protection This option makes it even more difficult for an unauthorized person to break into your computer by erecting a significant additional barrier that they must overcome. Selecting this PC-Vault 4.5e Administrator's Manual - Page 16 option causes no visible difference in the operation of your machine. If you are using or may use Norton Cache version 6.0 (as opposed to 6.01 or later), please see the VERY IMPORTANT note in the Restrictions section on page 6. This option becomes effective the next time you boot your computer after you select it. Deselecting this option is effective immediately. If the words "Not Available" appear by this option, please see "USING PC-VAULT ON LIMITED SYSTEMS" on page 27. - DISPLAY password entry asterisks Selecting this option causes an asterisk to be displayed for each password character entered. If this option is not selected, nothing will be displayed. Note that your password is always displayed while you are defining a new one, and that nothing can be displayed during LunchBreak since the screen is turned off. - SIDEKICK compatibility mode This option prevents the computer from responding to Sidekick's hot key during LunchBreak. Select this option only if you are using Sidekick and you find that the computer responds to Sidekick's hot key during LunchBreak. This paragraph contains a detailed technical description of this option so feel free to skip to the next paragraph if you wish. PC-Vault intercepts both the clock (IRQ 0) and keyboard (IRQ 1) interrupts at boot time and again on entry into LunchBreak. Each time the clock interrupt is issued, Sidekick determines if any program has intercepted the keyboard interrupt since it has. If so, it re-intercepts the keyboard interrupt. This is why they say it must be loaded last, and why it can see its hot key even during LunchBreak. If PC-Vault's Sidekick Compatibility option is selected, PC-Vault passes clock interrupts intercepted to the IRQ 0 interrupt address that was in effect when its device driver was loaded at boot time. This effectively passes clock interrupts around Sidekick (and perhaps other TSRs) so that it never re-intercepts the keyboard interrupt. This also assures that the DOS/BIOS system clock continues to run. - CTRL-BREAK prohibited during boot Selecting this option prevents anyone other than the administrator from breaking out of the AUTOEXEC.BAT file during boot. This option is used in conjunction with the BRK-CNTL.COM file described on page 27. - TIME/date change prohibited Selecting this option will prevent users, but not the administrator, from changing the system date and/or time. - BLANK screen during LunchBreak This option causes the screen to become completely blank during LunchBreak. If it is not selected, the keyboard will lock but the screen will remain active. This allows you to use the system PC-Vault 4.5e Administrator's Manual - Page 17 to monitor some process while prohibiting observers from interfering with the process. - FREEZE computer during LunchBreak This option prevents the computer from continuing to process during LunchBreak and is rarely needed. It should not be selected if you will be running Windows. - ALL users may exit LunchBreak You may allow any user name/password to be used to exit LunchBreak. If this option is not selected, only the name/password used to boot the machine and the administrator's name/password will be accepted. The permissions in effect will be those of the user whose password was used to exit LunchBreak. - SPECIAL display blanking If the "BLANK screen during LunchBreak" option is selected, but your VGA or CGA screen will not blank and/or unblank as it should, please select this option. A few non-standard display CGA and VGA display adapters require selection of this option to blank properly. - User NAMES are required You may require that users enter a correct user name in addition to a password. The user must then type a user name followed by the enter key and then the corresponding password followed by the Enter key. After both items have been entered, access will be granted, or a beep will sound to indicate that the entries were not correct. - USER may change his/her name This option allows a user to change his/her own name. If this option is not selected, only the administrator may change a user name. Selecting Limits Selecting this option from the administrator's main menu allows you to select certain limiting values which users are unable to change. Each of the limits is described in the following paragraphs. Except as noted, limit changes are effective immediately. - Maximum keyboard IDLE time Keyboard idle time is the time in minutes between the most recent keystroke or mouse activity and the time when the machine automatically goes into LunchBreak. This limit allows you to determine the maximum keyboard idle time a user can specify. If the user specifies a time of 61 minutes, automatic LunchBreak will never occur. If you set this limit to 10, a user may set PC-Vault 4.5e Administrator's Manual - Page 18 the actual idle time to any value between 3 and 10 minutes. If you are using a mouse see VMOUSE on page 33. - Minimum number of PASSWORD characters This limit allows you to determine the minimum number of characters in a password. When you select this limit you will be asked to enter a number from 0 to 16. Newly defined passwords must contain at least the number of characters you specify. - Number of DAYS passwords remain valid System security can be enhanced by requiring users to change their passwords periodically. If this limit is set to a value other than zero, it specifies the number of days a newly defined password remains valid. If you select password expiration, you will be asked if, in addition to user passwords, you also want the administrator password to expire. Any time you enter an expired password, you will be required to change it before gaining access. A user may try to prevent expiration by setting the PC's clock/calendar back. For this reason, all passwords are marked as expired whenever the clock regresses by four or more hours. Passwords defined during pre- installation expire the first time they are used. If you have an XT class computer and choose password expiration, we can only check for expiration after DOS's clock has been set from a custom battery-backed clock/calendar installed in your machine. In this case, you MUST have PC-VAULT.EXE on your hard disk, and execute it on each boot by placing the line: PC-VAULT/A near the beginning of your AUTOEXEC.BAT file, but after the statement that sets your DOS's clock from the battery operated clock. This is required for XT class machines only. - Minimum NUMBER of different passwords Password aging is ineffective if a user is allowed to change to the same password he or she had before. As administrator, you can require that a user use several different passwords before being allowed to reuse an earlier one. You can specify that up to ten different passwords must be defined before the first one can be reused. - Maximum invalid logons before ALARM After an excessive number of consecutive unsuccessful attempts to boot the computer and/or use the PC-Vault program, an alarm will sound. This is also true when exiting LunchBreak if the VIOLS /R utility has been loaded as explained on page 33. The alarm consists of several repetitions of a two tone signal. Turning the computer off between attempts will not keep the alarm from PC-Vault 4.5e Administrator's Manual - Page 19 working. This limit allows you to select the number of failed attempts prior to the alarm being sounded. If you select the value zero, the alarm will not sound. - Maximum invalid logons before LOCKOUT After an excessive number of consecutive unsuccessful attempts to boot the computer, exit LunchBreak, and/or use the PC-Vault program, the machine will lock for a period of five minutes. Turning the computer off during a lockout period will cause the five minute lockout to be restarted from the beginning on the next power up. This limit allows you to select the number of failed attempts prior to lockout. If you select the value zero, the lockout will never occur. - SECONDS to wait before auto logon This feature is frequently used when it is desirable to allow anyone restricted access to a computer while granting specific users less restricted access. It is also used to provide for unattended automatic boot-up. Normally, PC-Vault requires that a correct password (and optionally a user name) be entered each time the machine is booted. If this limit is set to a value other than zero, it specifies the number of seconds that PC-Vault will wait for a correct entry. If no correct entry is made during the specified interval, your computer will automatically boot as though the password for User 6 had been correctly entered. The LunchBreak feature will be disabled because it is assumed that the user does not know the User 6 password, and so could not exit LunchBreak. LunchBreak may be re-enabled with the SET-TIME command as described on page 30. This allows you, as administrator, to assign to User 6 those permissions, etc. that you wish to provide to anyone who uses the computer. Only those users requiring additional permissions will have to know a password. Using PC-Vault's ability to prevent breaking out of the AUTOEXEC.BAT file, will ensure that the statements it contains will be executed. The SET-TIME 0 command may be used in the AUTOEXEC.BAT file to re-enable LunchBreak and place the machine into LunchBreak immediately, thus providing for a secure unattended boot-up. - Alternate KEYBOARD/clock handling There are a few hardware and software combinations which cause the LunchBreak feature to operate incorrectly unless this limit is set to a non-zero value. If PC-Vault refuses to go into LunchBreak when it should or will not return from LunchBreak properly, try using this feature. Do not use this feature if you will also be using Windows. When you select this feature, you will be asked to choose one of several software interrupt groups for PC-Vault to use. (You do PC-Vault 4.5e Administrator's Manual - Page 20 not have to know what an interrupt is to use this feature.) PC- Vault will list the values from which you may choose, and even give a recommended choice. Changes you make to this limit become effective when you reboot your computer. Locking and Unlocking PC-Vault Related Files These options lock and unlock CONFIG.SYS, AUTOEXEC.BAT, and the PC-Vault device driver. (When a file is locked its DOS read- only and system attributes are set and the hidden attribute is not set.) Only the administrator can change the attributes or the name of a locked file. Since the file is read-only, DOS will not allow a user to write to or delete the file. (Note: Norton's FA utility may tell a user that it has changed the attributes of a locked file, but it cannot and does not actually change them unless the administrator's password is in use.) Accessing Your Fixed Disk When Booting From a Diskette It may become impossible to boot from your hard disk due to causes unrelated to PC-Vault. For example, if COMMAND.COM is accidentally deleted or a defective device driver is installed, you cannot boot from the hard disk whether PC-Vault is installed or not. You will then have to boot from a diskette and repair the problem. This option allows you to access your hard disk so that you can repair it. Simply boot from a diskette USING THE SAME VERSION OF DOS THAT YOU HAVE ON YOUR HARD DISK or a later version. Then run PC-Vault, enter the administrator's password and select "ACCESS fixed disk after diskette boot." You will be told that PC-Vault protection has been temporarily suspended and that the next time you boot from a floppy you will have access to your hard disk. The next time you boot from your hard disk after correcting the problem, full protection will be automatically restored. Removing PC-Vault From Your Computer Selecting the "REMOVE PC-Vault from this computer" option will completely de-install PC-Vault. The PC-Vault device driver will be deleted, the corresponding device statement will be removed from the CONFIG.SYS file, PC-Vault related files will be unlocked and other changes PC-Vault made to your hard disk will be restored. The MEM-STAT.SYS and/or MEM_STAT.SYS file(s) (page 30), the FPERMF.INF file (page 29), and Windows Support (page 15) will not be removed because they contain information that may be used when PC-Vault is re-installed. PC-Vault 4.5e Administrator's Manual - Page 21 The PC-Vault Hot Key The PC-Vault hot key is used to place your computer in LunchBreak. (For more information on LunchBreak, see "WHAT PC- VAULT DOES" on page 5.) The hot key is actually a combination of two or more keys held down simultaneously. The original hot key consists of the left and right shift keys. You may change it to any combination of two or more of the following keys: Left Shift, Right Shift, Alt, and Ctrl. PC- Vault distinguishes between the left and right Ctrl and Alt keys, but you cannot have both Alt or both Ctrl keys in your hot key definition at the same time. NOTE: MS-Windows converts the right Ctrl and Alt keys into the corresponding left key. Therefore do not use the right Ctrl and/or Alt key when defining a hot key which will be used from within MS-Windows. To change your hot key, select the K (Define new hot KEY) option from the main menu. The hot key selection screen shown in Fig. 12 will then be displayed. Simply follow the directions on the screen and your new hot key will be in effect for all users. Selecting Automatic LunchBreak You may choose to have your computer automatically enter the LunchBreak state when your keyboard and mouse have been idle for a specified period from 3 to 60 minutes. If you select a time of 61 minutes, automatic activation of LunchBreak is disabled and your computer will go into LunchBreak only when the hot key is pressed. If you find that PC-Vault places the maximum value you can enter below 61, the system administrator has selected that lower value as described on page 19. If you are using a mouse see VMOUSE on page 33. To select, deselect, or change the automatic LunchBreak time, choose the I (Select maximum keyboard IDLE time) item from the main menu. The screen shown in Fig. 13 will then be displayed. Simply enter the desired time and press Enter. The time you select will be effective for all users. Controlling User Access to Directories [+] If you are using PC-Vault Plus, you may control each user's access to the sub-directories on your hard disk(s), to sector oriented hard disk I/O, and to diskettes. These functions are accomplished by selecting the "Control DIRECTORY access by user" item from the administrator's main menu. When this item is selected, a table similar to the one shown in Fig. 14 will be displayed. Access rights assigned to a root directory apply only PC-Vault 4.5e Administrator's Manual - Page 22 to that directory, while those assigned to a first level sub- directory also apply to all of its sub-directories. In all cases except HardDisk Abs I/O (described below), you may separately grant access rights to .EXE and .COM files (programs) and to all other files. The access that may be granted are "Read" and "Write", and in the case of programs, "Execute". READ access means that program can read data from files. WRITE access means that files can be created, written to, over written, renamed, deleted, and have there attributes changed. EXECUTE access means that files containing programs can be executed. For example, if the WordPerfect word processor program is a file named WP.EXE, it may be executed only by user's having Execute access to it. Execute access does not imply read access. Thus, if a user has only execute access to WP.EXE, the command, COPY C:WP.EXE A:WP.EXE will fail because the copy command is not allowed to read the file. Some programs such as WordPerfect sometimes modify themselves. If you are using DOS 3.1 or above, PC-Vault will always allow an executing program to read and write itself even if the access is not explicitly granted. In versions of DOS prior to 3.1, PC- Vault cannot determine exactly which file is executing and so the access is denied if it is not explicitly granted. Thus, WordPerfect running under DOS 3.1 or above will be allowed to modify itself even if Write permission has not been granted. Some programs are designed to read and/or write files that they require to be in the same directory as the executing program. If you wish to prevent such programs from being copied, grant only Execute access to .EXE/.COM files but full access to other files. Alternately, you could deny Write access to diskettes. All users are always granted read access to the file named AUTOEXEC.BAT in the root directory of the hard drive from which the system was booted. This is done to allow all users to execute AUTOEXEC.BAT when the system is booting. As shown in Fig. 14, the table begins with three special lines which do not contain directory names. The first line, labeled "Diskette Access," allows you to control user's access to diskettes. The permissions you grant apply to all directories in drives A: and B:. A very few programs ask DOS to read/write specific physical locations on the disk rather than performing operations on files. If such a program can find the physical location of a file, it may be able to read data from the file even if the user does not PC-Vault 4.5e Administrator's Manual - Page 23 have read access to its directory. The second line, labeled "HardDisk Abs I/O" allows the administrator to control this type of access. Preventing the access may prevent some programs from running, but will result in a more secure system. We suggest that you do not grant this access unless you find that the user must run a program that requires it. The column labeled .EXE/.COM is not applicable to absolute I/O. From the time a user creates a new 1st level sub-directory until you next display the directory control table, the permissions you have assigned in the "New Level 1 Dirs" line will control all users' access to the new sub-directory. After you next display the table, the permissions you assign to that directory will apply. If you assign no permissions, no user will have access to the directory. A user may create a new 1st level sub-directory only if you allow that user write permission to new level 1 sub- directories. Write permission to the root directory is not required. (A user may create new sub-directories at other levels if he/she has permission to write to its parent. For example a user having write permission to C:\INVEST is allowed to create C:\INVEST\TBILLS). Please note that in rare instances a program that runs well when PC-Vault Plus is not installed will fail to run correctly when PC-Vault Plus is installed. This does not necessarily indicate an error in PC-Vault Plus. For instance, a program may try to change the attribute of a file from read-only to read-write. If the user has not been granted appropriate access to the file's directory, DOS will return an "access denied" error. It is possible that the program may not handle the error correctly. This bug in the program may never have been noticed because the program never encountered that error before. A sample directory access control table is shown in Fig. 14. The first two lines allow control of diskette and sector oriented I/O access. The remaining lines control access to the root and first level sub-directories of your hard drive(s). Access granted to a root directory applies only to that directory. Access granted to a first level sub-directory applies to that directory and all of its sub-directories. Each column shows the access currently granted to the user whose name appears at the top of the column. User names are assigned using the PASSWORD option of the main menu. In the example shown, user 1 has been assigned to TheBoss and no name has been assigned to user 2. The cursor control, page up, page down, home, and end keys may be used to move the highlight bar from one position to another. Pressing the R, W, and X keys will toggle (turn on and off) read, write, and execute permissions respectively. To grant/deny all permissions in the highlighted square, press A or N respectively. Pressing Ctrl with R, W, X, A, or N, will grant/deny the corresponding access to all directories (the entire column). PC-Vault 4.5e Administrator's Manual - Page 24 Similarly, using the Alt key will affect all users' access to that directory (the entire row). Thus, if a user is to be granted access to almost everything, begin by moving the bar to the user's column and press Ctrl-A. Then remove the undesired accesses. Attempting to move the bar off the screen will cause more users or directory names to be displayed. When you have the access permissions set as you desire, press the escape or the "E" key to return to the main menu. If no new directories have been created since you last booted the computer, your selections will be in effect immediately. If this is not the case, you will be notified that your selections will be effective when you re-boot your computer. Controlling Logging of User Activity [+] Choosing the "Select FILE accesses to be logged" item from the main menu causes the table shown in Fig. 15 to be displayed. You may then select which type(s) of file access you wish to log. Access types which may be selected are Denials, Program Executions, and All Other accesses. Denied accesses occur when PC-Vault Plus refuses to grant a requested access. For example, an attempt by a user to delete, write to, or change the name or attributes of a file in a directory to which the user has read only access will result in a denial. It is not possible to select logging of denied accesses for the administrator because all administrator access requests are granted. The following lines, extracted from an actual log, indicate the type of information that is available to the administrator: Log file starting date is 4-04-89 17:18:43 User 2 - Allowed: Open. C:\COMMAND.COM 17:18:40 User 2 - ═══════ RE-BOOT on 4-04-89 17:18:41 User 2 - Allowed: Open. C:\DOS3.31\ANSI.SYS 17:18:44 User 2 - Allowed: Open. C:\AUTOEXEC.BAT 17:18:44 User 2 - Execute: ExecPrgm. C:\SAV-DTAB.COM 17:18:55 User 2 - NotAlwd: Change Dir. C:\CBH\ 17:19:02 User 0 - Allowed: Change Dir. C:\CBH\ 17:19:39 User 0 - Allowed: FCB Rename. C:\CBH\SPC\EV.CFG 17:20:15 User 2 - Allowed: Open. C:\AUTOEXEC.BAT 17:20:15 User 2 - Allowed: Open. C:\AUTOEXEC.BAT 17:20:27 User 2 - NotAlwd: Create. A:\AUTOEXEC.BAT 17:20:53 User 2 - Allowed: Change Dir. C:\DOC\ 17:21:08 User 2 - Allowed: FCB Delete. C:\JNK 17:21:41 User 1 - ═══════ RE-BOOT on 4-04-89 17:21:41 User 1 - Allowed: Open. C:\AUTOEXEC.BAT 17:21:41 User 1 - Execute: ExecPrgm. C:\SAV-DTAB.COM End of log file. PC-Vault 4.5e Administrator's Manual - Page 25 A small portion of each line was deleted so that it would fit on one line in this document. This portion indicates if files were opened with write access, etc. The above sample indicates that user 2 booted the machine, DOS opened ANSI.SYS and AUTOEXEC.BAT, and then SAV-DTAB was executed. Following this the user attempted to change to a directory, CBH, for which he had no access. The user apparently called the administrator who placed the machine in LunchBreak, entered the administrator password to exit LunchBreak so that the administrator's permissions would be in effect, did the directory change for the user, renamed a file, and re-entered LunchBreak. User 2 then entered his password and continued as shown. Later, User 1 booted the machine, etc. A small area of memory is reserved for recording log entries. These entries are written to the log file on the disk whenever the area is nearly full, when the FLUSHLOG utility is run, and whenever a denial is logged. It is, therefore, possible that a few entries (other than denials) may be lost when the machine is re-booted unless FLUSHLOG is run just prior to booting. The log file is a locked file named ACCESS.SYS and is located in the root directory of the hard drive from which the machine is booted. Normally, one would run the FLUSHLOG utility to write any entries remaining in memory to the ACCESS.SYS file and then change the name of ACCESS.SYS to another name. (PC-Vault will create a new ACCESS.SYS whenever it needs to write log entries and the file does not already exist.) The LOG utility may then be run as described on page 29 to produce a file similar to the sample above. ACCESS.SYS is created as a locked file. The administrator can unlock this file by using the command FLUSHLOG /U. For more information on locked files see "Locking and Unlocking PC-Vault related files" on page 21. USING THE PC-VAULT PROGRAM AFTER PC-VAULT IS INSTALLED Whenever you run the PC-Vault program on a machine on which PC- Vault is already installed, you will be asked to enter your password. When you enter a correct password, the appropriate main menu will be displayed. If you enter any user password the main menu will contain only the items to which users have access. You may then select any of the options shown. Each of these is described in detail in the preceding sections. Your selections will be effective immediately except for Alternate Keyboard/Clock Handling which become effective the next time the machine is booted. PC-Vault 4.5e Administrator's Manual - Page 26 When the system is in LunchBreak, the password used to boot the computer or the administrator's password may be used to exit LunchBreak. The administrator may choose to allow any user name/password to exit LunchBreak as described on page 18. The permissions and capabilities normally associated with the password used to exit LunchBreak will then be in effect. If you hear a two-tone beep when exiting LunchBreak, there are recorded password violations. (Someone may have tried to get into your computer while you were away.) For information on how to view the violations record, see the description of the VIOLS utility on page 33. USING PC-VAULT ON LIMITED SYSTEMS Some small hard disks which have been set up with older versions or computer vendor proprietary versions of DOS do not allow PC- Vault to implement Maximum Floppy Boot Protection, or user names. On such systems, the words "Not Available" will be displayed with the "Maximum Floppy Boot Protection" option in the "Select Options" menu, and user names will not be displayed when the administrator is defining passwords (see Fig. 6). There will be no change in the way you use PC-Vault on such systems, but they will not be quite as secure. Using a later version of the DOS FDISK command to set up your hard disk will probably correct the problem. Setting up your disk with FDISK will destroy all of the data on your disk, and will require that you run the DOS FORMAT command to reformat your disk. YOUR PC-VAULT FILES This section describes each of the files on your PC-Vault distribution diskette, as well as those files created by PC- Vault during or after installation. - ACCESS.SYS [+] This PC-Vault Plus file is not on your diskette. It is created in the root directory of your first (or only) hard drive at any time it does not already exist and there are log entries to be written. This file is used by the LOG utility to generate the user readable log. The LOG utility is described below. - BRK-CNTL.COM This program is used to enable/disable Ctrl-Break, Ctrl-C, and Alt-NumericPad3 at any time after your computer is booted. The system administrator can prevent users from breaking out of the AUTOEXEC file during system boot. This program can be placed in PC-Vault 4.5e Administrator's Manual - Page 27 the AUTOEXEC file to re-enable breaks. Use BRK-CNTL ON to enable breaks and BRK-CNTL OFF to disable them. Resident programs, such as some of the DOS keyboard utilities for various languages which completely take over the keyboard interrupt, will cause your machine to recognize breaks even when you have them disabled. They will also prevent PC-Vault from "knowing" when you are typing on your keyboard. Thus, if you have selected the automatic LunchBreak feature, PC-Vault may go into LunchBreak right while you are typing. To prevent both of these anomalies you may also use the optional RES parameter. This will direct BRK-CNTL to remain resident. For example, BRK-CNTL ON RES will enable breaks and cause BRK-CNTL to remain resident. The RES parameter should be used after the resident program which takes over the keyboard and should be used only once per system boot. - CLEANDSK.DRV This file is a device driver. It is not on your PC-Vault diskette, but is created on your hard disk when you install PC- Vault. It will be automatically deleted when you remove PC- Vault. THIS FILE MUST NOT BE DELETED IN ANY OTHER WAY BECAUSE YOUR COMPUTER WILL NOT BOOT FROM ITS HARD DRIVE UNLESS IT IS PRESENT. - EXEC.COM Allows the system administrator to execute a program for a user and prevent the user from escaping to the DOS prompt or executing any other program. Typically, EXEC would be placed in the AUTOEXEC.BAT file to call a program such as 123, Dbase, or WordPerfect into execution. The EXEC command line has three components separated by spaces: 1. EXEC or EXEC/R 2. The full path name of the program to be executed. 3. The parameters to the program just as you would type them at the DOS prompt. For example, placing the following lines in the AUTOEXEC.BAT file will force users (but not the administrator) into WordPerfect to begin editing file LETTER.FRM. The WordPerfect "Go to DOS" command will not work. The /R will cause WordPerfect to be immediately restarted if the user terminates it. . PC-Vault 4.5e Administrator's Manual - Page 28 . WHO IF NOT ERRORLEVEL 1 GOTO ADM EXEC/R C:\WPERF\WP.EXE LETTER.FRM :ADM . . Note that you must give the drive, full path and complete name of the program you wish to execute. In the above example the program is WP.EXE in directory \WPERF on drive C:. See the description of the WHO utility below for more information. - FLUSHLOG.COM [+] This PC-Vault Plus utility causes any log entries remaining in memory to be written out to the ACCESS.SYS file as described in the section on log control on page 25. ACCESS.SYS is created as a locked file. The administrator may use the command FLUSHLOG /U to unlock ACCESS.SYS and write any remaining log entries to it. - FPERMF.INF [+] This file is re-created whenever PC-Vault Plus directory access permissions are changed and is not deleted when PC-Vault Plus is removed. It will be used to recover the directory permissions the next time you install. - LOG.EXE [+] This PC-Vault Plus utility is used to read the log file produced by PC-Vault Plus and generate a user readable log or journal of the users' activity. A sample of the output from this utility is shown in the section on log control on page 25. To use this utility enter LOG in-file-name out-file-name at the DOS prompt. For example one might use the commands FLUSHLOG RENAME C:\ACCESS.SYS OLDLOG LOG OLDLOG PRN to flush any log entries remaining in memory to the disk, ensure (by renaming) that no new log entries will be added to the file, and write a user readable log of system activity to the printer. - LOGOFF.COM The LOGOFF utility provides a means for one user to log off and another to log on without having to re-boot the computer. For PC-Vault Plus, this file should be placed in a directory having PC-Vault 4.5e Administrator's Manual - Page 29 EXEC permission for all users. Typing LOGOFF at the DOS prompt will clear the screen, and display a box requesting the user to press any key to begin the logon process. When a key is pressed, the boot time logon screen will be displayed. Any valid user password will be accepted. PC-Vault will then control the machine just as though the corresponding user had booted it. - MEM-STAT.SYS and/or MEM_STAT.SYS These small files contain information about the state of your hard disk(s) before the first installation of PC-Vault. They can be used for disaster recovery, and have allowed us to help users to recover from a number of problems which had nothing to do with PC-Vault. If they do not already exist, these files are created when PC- Vault installs but are not deleted when PC-Vault is removed. We suggest that you allow them to remain on your disk if you may re- install PC-Vault at a later time. Please do not copy them from one hard disk to another. - PC-VAULT.EXE This is the main PC-Vault program and is described in the preceding sections of this manual. - SET-TIME.COM With this program you can: Set the keyboard/mouse idle time from a batch file, Re-enable LunchBreak after automatic logon, Place the machine into LunchBreak immediately, and Eliminate incompatibilities caused by other programs. To set the idle time from a batch file or from the DOS prompt, use the command: SET-TIME time where time is any value between 3 and 61 minutes (or the maximum allowed by the system administrator). For more information on automatic LunchBreak see "Selecting Automatic LunchBreak" on page 22. To place the computer into LunchBreak immediately, use SET- TIME 0 from the DOS prompt or a batch file. This will not alter the maximum keyboard idle time setting. - VIOLS.COM PC-Vault records each unsuccessful attempt to enter a password or a user name/password combination. Such attempts are called "violations". When a correct password is entered, PC-Vault erases the record of any violations which occurred during the PC-Vault 4.5e Administrator's Manual - Page 30 immediately preceding two or three minutes. This prevents recording "typos" made by a valid user. The record of each violation contains the user number of the name entered (if any), and the date and time of the violation. When booting the computer, the DOS clock has not yet been set, so we must use the hardware clock. Since XT class machines do not have a standard hardware clock, we cannot record the times on these machines. We do, however, keep a record of each violation. This program has three separate functions related to password entry violations. One, two or all three of the functions may be used on a single execution of VIOLS.COM. The command: VIOLS /L=FileName /C /R will perform all three functions. The "/L" will generate a report of any recorded violations and give the date and time that you last logged on. If a date and time when you know you weren't on the computer are displayed, it is an indication that someone else may know your password. If "=FileName" is present, the report will be written to the file specified by "FileName". If it is not present the report will be written to the screen. The "/C" will remove (clear) all entries from the violation record. If both /L and /C are present, the record will be cleared after the report is generated. The "/R" will cause VIOLS.COM to remain resident. This should not be done more than once per system boot. Violations during LunchBreak will not be recorded unless VIOLS is resident. In addition, the alarm and Lockout features will not work during LunchBreak unless VIOLS is resident. VIOLS terminates with a DOS error level of 8 if an error occurs, an error level of 4 if violations are reported, and 0 otherwise. The following statements in your AUTOEXEC.BAT file would automatically install VIOLS as resident and alert the user to any previous violations: VIOLS /L /R IF NOT ERRORLEVEL 4 GOTO CONTINUE ECHO WARNING --- Violations are listed above PAUSE :CONTINUE - VMOUSE.COM This utility causes the automatic LunchBreak feature to treat mouse activity as keyboard activity. It also prevents anyone from using the mouse while your computer is in LunchBreak. PC-Vault 4.5e Administrator's Manual - Page 31 VMOUSE should be loaded after your mouse driver. If your mouse driver is a device driver (commonly MOUSE.SYS or MSCMOUSE.SYS) place a VMOUSE statement near the beginning of your AUTOEXEC.BAT file. If your mouse driver is loaded from your AUTOEXEC.BAT file, place the VMOUSE statement immediately after the statement that loads your mouse driver. NOTE: PC-Vault Windows Support provides these capabilities while Windows is running. Thus if you use your mouse only while you are in Windows, you do not need to use VMOUSE. - WHO.COM This utility allows the AUTOEXEC or other batch files to do different things for different users. WHO will always return the user number as a DOS error level, or will return an errorlevel of 255 if PC-Vault is not installed. In addition WHO /L will display the name of the user, and WHO /E will set the DOS environment variable PCVU to the name of the current user. (Any spaces in the name will be deleted.) For more information on DOS errorlevels and environment variables and IF statements, please see your DOS manual. The error level facility of the WHO program may be used by structuring your AUTOEXEC file as shown in the following example. Upper case characters indicate actual lines of the AUTOEXEC file. . . commands common to all users . . WHO IF ERRORLEVEL 3 GOTO ERROR IF ERRORLEVEL 2 GOTO USER2 IF ERRORLEVEL 1 GOTO USER1 . . commands to be executed when the administrator's password was used. . . GOTO COMMON :USER1 . . commands for user 1 . . GOTO COMMON :USER2 . PC-Vault 4.5e Administrator's Manual - Page 32 . commands for user 2 . . GOTO COMMON :ERROR . . commands to be used when PC-Vault is not installed or User 3 or above logged on. . . :COMMON . . commands common to all users The environment variable facility may be used as follows: WHO /E IF %PCVU%==TheBoss GOTO SomeLabel IF %PCVU%==User2 GOTO SomeOtherLabel OPTIONAL PC-VAULT FILES These programs, available separately, are designed to work with PC-Vault. HELPUSER.COM This optional utility allows a corporate security officer (CSO) to grant access to a PC-Vault protected computer on a one time basis. The CSO does not need to know any passwords, does not need to be physically present, and cannot grant access to another organization's computers. For more information see "The HELPUSER Program" on page 10. LOGO.EXE This optional utility allows the system administrator to design the appearance of the screen when the system is booted. Our standard logo may be completely replaced with one of your own design. The use of color is supported. For more information see "The Logo Program" on page 9. PC-Vault 4.5e Administrator's Manual - Page 33 IN CASE OF DIFFICULTY The fastest way to solve most problems is to review the appropriate section(s) of this manual. If the problem might be a conflict with other resident software, try renaming your AUTOEXEC.BAT file to another name such as AUTOEXEC.1, and then rebooting your computer. If the problem disappears, rename the AUTOEXEC file back to its original name and then remove statements one at a time until the conflicting software is identified. Call for technical support if more help is needed. In the event that you should need technical support please: 1. Corporate customers using PC-Vault on a large number of computers are supported ONLY through their corporate PC support staff. We will provide technical assistance to them as needed. 2. Contact us by phone (804) 872-9583, or call our BBS at (804) 877-6261. Foreign customers only may also FAX us at (804) 874-8090. 3. Please be prepared to provide: a. Your serial number, b. The dates and times shown by doing a DIR of the PC-Vault diskette, c. The EXACT text of any error messages displayed, d. The selection status of each item in the Options menu, e. The value of each item in the Limits menu, and f. As much information about your system as possible such as brand, model, hard disk(s), video cards, DOS version, resident software, content of your AUTOEXEC.BAT and CONFIG.SYS files, etc. If you do not have this information available when you call, we will most likely be unable to provide correct answers or solutions, and we may have to request that you call again with more complete information. 4. If at all possible, call when you are at the computer in question. We can most often resolve a problem immediately if you can be at the computer while we are talking together. PC-Vault 4.5e Administrator's Manual - Page 34 HOW TO ORDER PC-VAULT 4.5e PC-Vault may be ordered from: Johnson Computer Systems, Inc. 20 Dinwiddie Place Newport News, VA 23602 Voice (804) 872-9583 FAX (804) 874-8090 We accept: Your personal or company check with your order, Money Orders, Purchase orders over $50.00 (Net 30 days), VISA or MasterCard, and COD orders (USA only). Orders are usually shipped within one working day, but may occasionally take longer. The price of PC-Vault consists of the following: 1. A license fee which is dependent on the number of computers on which you wish to have PC-Vault concurrently installed: No. of Concurrent PC-Vault License PC-Vault Plus Installations per Computer per Computer 1 - 5 30.00 90.00 6 - 15 26.00 75.00 16 - 99 22.00 55.00 100 - 999 18.00 Call 1000 - Up 15.00 Call 2. A media fee of $5.00 ($7.50 outside the U.S. and Canada) for each PC-Vault diskette you wish us to ship to you. We only require you to buy one diskette. 3. There is an additional $5.00 collection fee for Canadian checks not payable through a U.S. bank and a $7.50 fee for electronic fund transfers. These fees are those charged by our bank. All other foreign checks MUST be payable through a U.S. bank. We pay shipping via First-Class air mail to all locations. Add actual shipping costs for other carriers. Overnight service is also available. All prices are subject to change without notice. Our warranty and your return privileges are described in the DISCLAIMER OF WARRANTY section on page 6. PC-Vault 4.5e Administrator's Manual - Page 35 PC-VAULT VERSION 4.5e ORDER FORM To: Johnson Computer Systems, Inc. 20 Dinwiddie Place Newport News, VA 23602 Voice (804) 872-9583 FAX (804) 874-8090 Please accept our order for PC-Vault version 4.5e as indicated below: ______ Concurrent Installations of PC-Vault $_________ ______ Concurrent Installations of PC-Vault Plus _________ ______ PC-Vault diskette(s) at $5.00 each _________ ($7.50 outside U.S./Canada) ______ Logo ($100.00 per organization) _________ ______ HelpUser ($100.00 per organization) _________ Shipping charge (See preceding page) _________ Virginia State Sales Tax (Ship/Bill address in VA) _________ Total Order _________ Purchase Order _________________________ Date __________________ Company Name ____________________________________________________ Attention _______________________________________________________ Dept./Mail Stop _________________________________________________ City, State, Zip ________________________________________________ Phone: Daytime ____________________ Evening ____________________ Credit card: VISA MasterCard Name on Card ___________________________________________________ Card Number ______________________________ Expires: ___________ PC-Vault 4.5e Administrator's Manual - Page 36 ╔══════════════════════════════════════════════════════════════╗ ║ PC-Vault Hard Disk Protection System - Version 4.5 ║ ║ (C)Copyright 1988 by Johnson Computer Systems, Inc. ║ ║ 20 Dinwiddie Place, Newport News VA. ║ ║ ║ ║ ║ ║ PC-Vault Pre-Installation Setup ║ ║ ║ ║ You have chosen the pre-installation set up option. The ║ ║ choices you make will be recorded in the PC-Vault program ║ ║ on the drive A: diskette. When you use that copy to ║ ║ install PC-Vault your selections will already be in effect. ║ ║ ║ ║ Nothing you do during this run will have any effect on ║ ║ any machine on which PC-Vault is already installed. To ║ ║ change installed values run PC-Vault without the /P. ║ ║ ║ ║ Please place the diskette containing the copy of PC-VAULT ║ ║ to be modified in drive A: and then press any key. ║ ║ ║ ║ ║ ║ Do NOT use your original PC-Vault diskette. ║ ║ ║ ╚══════════════════════════════════════════════════════════════╝ Fig. 1 - Pre-installation Notice ╔═════════════════════════════════════════════════════════════╗ ║ PC-Vault Hard Disk Protection System - Version 4.5 ║ ║ ║ ║ ║ ║ Are you CERTAIN the diskette in drive A is a COPY? ║ ║ ║ ║ Please press Y or N. ║ ║ ║ ╚═════════════════════════════════════════════════════════════╝ Fig. 2 - Pre-installation Warning ╔═════════════════════════════════════════════════════════════╗ ║ PC-Vault Hard Disk Protection System - Version 4.5 ║ ║ ║ ║ An administrator password has already been assigned to this ║ ║ file. You must enter that password to make additional ║ ║ changes. ║ ║ ║ ║ Do you wish to continue? (Please enter Y or N) ║ ║ ║ ╚═════════════════════════════════════════════════════════════╝ Fig. 3 - Pre-installation Password Request ╔══════════════════════════════════════════════════════════════╗ ║ ║ ║ PC-Vault Pre-Installation Setup Menu ║ ║ ║ ║ Please press the LETTER in front of the option you wish. ║ ║ ║ ║ E. END this program. ║ ║ ║ ║ H. HOW to use this menu. ║ ║ ║ ║ R. RECORD your choices for later use. ║ ║ ║ ║ P. Define original PASSWORDS and names. ║ ║ ║ ║ O. Select OPTIONS. ║ ║ ║ ║ S. SET limits. ║ ║ ║ ║ L. LOCK files during installation. ║ ║ ║ ║ W. Choose WHO will install PC-Vault. ║ ║ ║ ╚══════════════════════════════════════════════════════════════╝ Fig. 4 - Pre-Installation Main Menu ╔══════════════════════════════════════════════════════════════╗ ║ PC-Vault Hard Disk Protection System - Version 4.5 ║ ║ (C)Copyright 1988 by Johnson Computer Systems, Inc. ║ ║ 20 Dinwiddie Place, Newport News VA. (804) 872-9583 ║ ║ ║ ║ ║ ║ PC-Vault is not installed on this computer. ║ ║ ║ ║ ║ ║ Please press the LETTER in front of the option you wish. ║ ║ ║ ║ E. END this program. ║ ║ ║ ║ H. HOW to use this menu. ║ ║ ║ ║ I. INSTALL PC-Vault. ║ ║ ║ ║ ║ ╚══════════════════════════════════════════════════════════════╝ Fig. 5 - PC-Vault Installation Menu ╔═══════════════════════════════════════════════════════════════╗ ║ PC-Vault Administrator's Main Menu ║ ║ Please press the LETTER in front of the option you wish. ║ ║ ║ ║ E. END this program. ║ ║ H. HOW to use this menu. ║ ║ W. Install WINDOWS support. ║ ║ ║ ║ P. Change PASSWORD. ║ ║ O. Select OPTIONS. ║ ║ S. SET Limits. ║ ║ ║ ║ L. LOCK PC-Vault related files. ║ ║ U. UNLOCK PC-Vault related files. ║ ║ ║ ║ A. ACCESS fixed disk after diskette boot. ║ ║ R. REMOVE PC-Vault from this computer. ║ ║ ║ ║ K. Define new hot KEY combination. ║ ║ I. Set keyboard IDLE time. ║ ║ ║ ║ D. Control DIRECTORY access by user. ║ ║ F. Select FILE accesses to be logged. ║ ║ ║ ╚═══════════════════════════════════════════════════════════════╝ Fig. 6 - PC-Vault Plus Administrator's Main Menu ╔══════════════════════════════════════════════════════════════╗ ║ ║ ║ PC-Vault Name and/or Password Definition ║ ║ ║ ║ Please press: 0 to change the administrator password. ║ ║ 1-12 to change a user password and/or name. ║ ║ RETURN to return to the main menu. ║ ║ ║ ║ User No. User Name User No. User Name ║ ║ 0. Admin 7. User 7 ║ ║ 1. User 1 8. User 8 ║ ║ 2. User 2 9. User 9 ║ ║ 3. User 3 10. User 10 ║ ║ 4. User 4 11. User 11 ║ ║ 5. User 5 12. User 12 ║ ║ 6. User 6 ║ ║ ║ ║ ║ ║ Please enter your selection: ║ ║ ║ ║ ║ ╚══════════════════════════════════════════════════════════════╝ Fig. 7 - Administrator's User Selection Screen ╔═══════════════════════════════════════════════════════════════╗ ║ ║ ║ PC-Vault Name Definition ║ ║ ║ ║ ║ ║ The current name for this user is: Admin ║ ║ ║ ║ Press return to retain this name, or enter a new name: Tiny ║ ║ ║ ║ Please enter the new name again to be sure its correct: Tiny ║ ║ You may be required to enter this name to gain access. ║ ║ ║ ╚═══════════════════════════════════════════════════════════════╝ Fig. 8 - Change User Name Screen ╔══════════════════════════════════════════════════════════════╗ ║ ║ ║ PC-Vault Password Definition ║ ║ ║ ║ ║ ║ Passwords may be one to sixteen key strokes, and include ║ ║ letters, numbers, and the keys: space - = [ ] ; , . ║ ║ ║ ║ Case is not significant. Three special keys are: ║ ║ Backspace - Used to correct an error in the normal way. ║ ║ Return - Means, "Password entry is complete." ║ ║ Escape - Means, "I don't want to enter a password." ║ ║ ║ ║ ║ ║ Please enter new password and press return: SECRET-STUFF ║ ║ ║ ║ Your new password is defined. Whenever PC-Vault asks for ║ ║ your password, type it in and then press return. You MUST ║ ║ be able to enter it correctly. We suggest you use your ║ ║ print screen key and then keep it in a safe place. ║ ║ ║ ║ ║ ║ Please press any key to continue. ║ ║ ║ ╚══════════════════════════════════════════════════════════════╝ Fig. 9 - Password Definition Screen ╔═══════════════════════════════════════════════════════════════╗ ║ ║ ║ Administrator Options Selections Menu ║ ║ ║ ║ Press the LETTER in front of the option you wish to change. ║ ║ ║ ║ E. END option selection and return to main menu. ║ ║ H. HOW to use this menu, how to get additional help. ║ ║ ║ ║ M. MAXIMUM floppy boot protection - Not Selected. ║ ║ D. DISPLAY password entry asterisks. - Selected. ║ ║ ║ ║ K. SIDEKICK compatibility mode. - Not Selected. ║ ║ C. CTRL-BREAK prohibited during boot. - Not Selected. ║ ║ T. TIME/Date change prohibited. - Not Selected. ║ ║ ║ ║ B. BLANK screen during LunchBreak. - Selected. ║ ║ F. FREEZE computer during LunchBreak. - Not Selected. ║ ║ A. ALL users may exit LunchBreak. - Not Selected. ║ ║ S. SPECIAL Display blanking - Not Selected. ║ ║ ║ ║ N. User NAMES are required. - Not Selected. ║ ║ U. USER may change his/her user name. - Not Selected. ║ ║ ║ ╚═══════════════════════════════════════════════════════════════╝ Fig. 10 - Administrator's Options Menu ╔══════════════════════════════════════════════════════════════╗ ║ ║ ║ Administrator Limits Selection Menu ║ ║ ║ ║ Press the LETTER in front of the option you wish to change. ║ ║ ║ ║ ║ ║ E. END limit selection and return to main menu. ║ ║ H. HOW to use this menu, how to get additional help. ║ ║ ║ ║ I. Maximum keyboard IDLE time (minutes). - Currently 61 ║ ║ P. Minimum number of PASSWORD characters. - Currently 0 ║ ║ ║ ║ D. Number of DAYS passwords remain valid. - Currently 0 ║ ║ N. Minimum NUMBER of different passwords. - Currently 0 ║ ║ ║ ║ A. Maximum invalid logons before ALARM. - Currently 5 ║ ║ L. Maximum invalid logons before LOCKOUT. - Currently 0 ║ ║ ║ ║ S. SECONDS to wait before auto logon. - Currently 0 ║ ║ K. Alternate KEYBOARD/clock handling - Currently 0 ║ ║ ║ ║ ║ ║ ║ ╚══════════════════════════════════════════════════════════════╝ Fig. 11 - Administrator's Limits Selection Screen ╔══════════════════════════════════════════════════════════════╗ ║ PC-Vault Hard Disk Protection System - Version 4.5 ║ ║ ║ ║ You may now select the keys which will cause your computer's ║ ║ screen to blank (if selected) and your keyboard to lock ║ ║ until you enter your password. ║ ║ ║ ║ Please press any two or more of the following keys: ║ ║ ║ ║ Left Shift Right Shift Alt Ctrl ║ ║ ║ ║ Hold them down until you hear a two tone beep and you are ║ ║ asked to release them. You will have to hold the keys down ║ ║ approximately four seconds. ║ ║ ║ ╚══════════════════════════════════════════════════════════════╝ Fig. 12 - Hot Key Selection Screen ╔═════════════════════════════════════════════════════════════╗ ║ PC-Vault Hard Disk Protection System - Version 4.5 ║ ║ ║ ║ You may request that your machine automatically go into the ║ ║ LunchBreak state if the keyboard is idle for a specified ║ ║ time period. You may select a time period from 3 to 61 ║ ║ minutes. ║ ║ ║ ║ A time of 61 minutes means that automatic LunchBreak will ║ ║ never occur. ║ ║ ║ ║ The current keyboard idle time is 5 minutes. ║ ║ ║ ║ Please enter new keyboard idle time in minutes: ║ ║ ║ ╚═════════════════════════════════════════════════════════════╝ Fig. 13 - Maximum Idle Time Selection Screen ╔══════════════════╦═════════════╦═════════════╗ To Select User ║ Directory/Area ║ TheBoss ║ User 2 ║ Cursor keys ║ ║EXE/COM│Other║EXE/COM│Other║ ╠══════════════════╬═══════╪═════╬═══════╪═════╣ To Select Dir. ║ Diskette Access ║ R-W-X │ R-W ║ ----- │ R-W ║ Cursor, PgUp/Dn ╟──────────────────╫───────┼─────╫───────┼─────╢ Home, End ║ HardDisk AbsI/O ║ ----- │ R-W ║ ----- │ --- ║ ╟──────────────────╫───────┼─────╫───────┼─────╢ To Control Access ║ New Level 1 Dirs ║ R-W-X │ R-W ║ R---X │ R-- ║ R=Read W=Write ╟──────────────────╫───────┼─────╫───────┼─────╢ X=Execute ║ C:\ ║ R-W-X │ R-W ║ --X-- │ R-- ║ A=All N=None ╟──────────────────╫───────┼─────╫───────┼─────╢ ║ C:\DATABASE ║ R-W-X │ R-W ║ R-W-X │ R-W ║ To chg all users' ╟──────────────────╫───────┼─────╫───────┼─────╢ access to this ║ C:\UTILS ║ R-W-X │ R-W ║ --X-- │ --- ║ dir, use Alt ╟──────────────────╫───────┼─────╫───────┼─────╢ with R,W,X,A,N ║ C:\BJONES ║ R-W-X │ R-W ║ --X-- │ --- ║ ╟──────────────────╫───────┼─────╫───────┼─────╢ To chg this usr's ║ C:\PAYROLL ║ R-W-X │ R-W ║ ----- │ --- ║ access to all ╟──────────────────╫───────┼─────╫───────┼─────╢ dirs, use Cntrl ║ D:\ ║ R-W-X │ R-W ║ R-W-X │ R-W ║ with R,W,X,A,N ╟──────────────────╫───────┼─────╫───────┼─────╢ ║ D:\BACKUP ║ R-W-X │ R-W ║ R---X │ R-- ║ To Save Choices ╚══════════════════╩═══════╧═════╩═══════╧═════╝ Esc or E Note: R, W and X toggle the corresponding permission. Fig. 14 - Directory Access Control Table ╔═════════════════════════════════════════════════════════════╗ ║ PC-Vault Hard Disk Protection System - Version 4.5+ ║ ║ ║ ║ ╔═════════════════════════════════════════════════╗ ║ ║ ║ Log Control ║ ║ ║ ╠═════════╤═════════╤═════════╤═════════╤═════════╣ ║ ║ ║ Admin │ John T. │ User 2 │ User 3 │ User 4 ║ ║ ║ ╟─────────┼─────────┼─────────┼─────────┼─────────╢ ║ ║ ║ ----- │ D-X-- │ D-X-O │ D---- │ D---- ║ ║ ║ ╚═════════╧═════════╧═════════╧═════════╧═════════╝ ║ ║ ║ ║ Press: Right/Left cursor keys to select a user. ║ ║ D - to toggle logging of denied accesses. ║ ║ X - to toggle logging of programs executed. ║ ║ O - to toggle logging of all other accesses. ║ ║ A - to select all of the above (D, X, F). ║ ║ N - to select none of the above (D, X, F). ║ ║ Esc to save your choices, go to main menu. ║ ║ ║ ╚═════════════════════════════════════════════════════════════╝ Fig. 15 - Logging Control Table