PC Direct 1995 May

home *** CD-ROM | disk | FTP | other *** search

/ PC Direct 1995 May / PC Direct CD-ROM (May 1995).ISO / ipe / protec / manual / chap3.txt < prev next >

Wrap

Text File | 1994-08-09 | 30.3 KB | 743 lines

Chapter 3 Workstation Security PROTEC NET administers and installs PROTEC on workstations automatically from the Security Server. This section provides information on scheduling installation and configuration of workstation security. ======================================= Accessing Workstation Security Features ======================================= Workstation Security features include all installation and configuration processes that may be defined for each workstation. The following chart lists each Workstation Security Feature and the chapter each feature is discussed. Workstation Security Chapters Features ____________________________________ Add or Delete Workstation 3 ID Install or Remove PROTEC 3 Install or Remove Boot 3 Protection Build Directory Trees 3 AUTOEXEC and CONFIG 3 Protection Keyboard Lockout 3 System Lockout 3 Save Screen 3 System Verification 3 Login Shell 3 Display Violations 3 Events to Audit 4 Memory Buffers 3 When Server is Down / 3 Laptops Figure 3.1. Workstation Security Features All security features listed above appear within the Security program under the Workstation menu option. When selecting an option, the Security program requires that you select a workstation before configuring the selected security feature. If the workstation ID list is empty, no workstation IDs have been logged because either users have not sign onto the Security Server or Novell NetWare's System Login Script does not include the PROTEC NET Script programs. Each workstation ID must be recorded prior to installing or configuring workstation security. Refer to Server Installation, Script for information on modifying the System Login Script. ============================ Add or Delete Workstation ID ============================ In order for PROTEC NET to be installed onto a workstation automatically, it must first record the workstation's network address, referred to as Workstation ID. The workstation ID must be recorded before security may be installed and configured for a workstation. The PROTEC NET Script program, NAMER.EXE, records the workstation ID and prompts the user for the name and the location of the his workstation. These strings can each be up to 16 characters. This information assists supervisors in selecting a workstation without having to know the user's network address. To Add a Workstation ID Manually 1 Run ADDRESS.EXE to record the current workstation's network address. This program is located within the PROPUBLIC directory on the Security Server. 2 Write down the address. 3 Access the Security program. Refer to Accessing the Security Program for step by step instructions. 4 From the Workstation menu, select Add/Del Workstation ID (ALT, W, D). 5 Choose the INS key. 6 Enter the workstation's name, location and address. 7 Press the SAVE button. NOTE NAMER.EXE can be run from the DOS prompt to record the current workstations network ID automatically. ======================== Install or Remove PROTEC ======================== Once a Workstation ID has been recorded, PROTEC NET may be configured to install automatically onto the workstation. Since PROTEC NET uses NetWare user names and passwords to log users onto the workstation, PROTEC NET only installs itself if it detects NetWare drivers are called from the AUTOEXEC.BAT. If so, PROTEC NET inserts its security kernel LOADER.COM after these drivers. A list of these drivers can be found under the heading `[network drivers]' in the PSETUP.INF file located in the PROPUBLIC directory. This list can be modified to include other network drivers if needed. To Schedule Installation or Removal of Workstation Security 1 Access the Security program. Refer to Accessing the Security Program for step by step instructions. 2 From the Workstation menu, select Install/Remove PROTEC (Alt W, I). 3 Select the workstation you wish to configure and press ENTER. 4 Select appropriate operation. 5 Choose the SAVE button. The next time a user signs onto the Security Server, PROTEC NET is installed or removed automatically. Once installation is complete, the user must reboot his system. The result of this process is audited stating whether the system installed successfully. For instructions on how to review installation results, refer to View Auto Installation Results. ================================= Install or Remove Boot Protection ================================= Multiple features are combined within Boot Protection to stop unauthorized users from bypassing PROTEC NET's Login screen. The System or user login script must run PROTEC NET Script program, RBP.EXE to install properly. Refer to Figure 2.2 for proper syntax. If PROTEC NET is not installed or the active partition on the workstation is not a DOS partition, Boot Protection does not install. The following features are configurable within Boot Protection: · Boot Protection. This feature may be configured to AutoInstall, AutoRemove or Ignore. · Method. Each method stops users from accessing the C: Drive by booting from a floppy drive. If AutoInstall is specified, the method of Boot Protection used may be one of the following: Level I, Level II or AutoDetect. Level I and Level II methods protect the master boot record. Level II also secures the root directory and should only be used if a workstation's first physical boot disk is not compressed. AutoDetect secures the system installing Level I or II of Boot Protection. Level I method is installed if PROTEC NET detects the workstation's drive is compressed by STAC's Stacker software. Otherwise, PROTEC NET installs Level II. During each installation, Boot Protection inserts its device driver, PROTEC3.SYS, into the CONFIG.SYS and also inserts `SWITCHES /N' if it detects DOS version 6.0 or higher is running. This DOS command stops users from terminating the boot process by using F5 and F8 function keys. · Turn off keyboard during boot-up. Boot Protection can be configured so that the keyboard is disabled while the AUTOEXEC.BAT is running. If this feature is made active, PROTEC NET automatically inserts `C2 /0' as the first statement in the AUTOEXEC.BAT file so users cannot terminate this batch file. Once PROTEC NET's Login screen is loaded, the keyboard is reactivated. If keyboard entry is needed during boot-up, use `C2 /1' in conjunction with `C2 /0' to turn the keyboard On and Off. Before Boot Protection is installed, PROTEC NET creates a workstation keydisk and places it in the PROPUBLIC directory. A keydisk is an emergency disk which enables a supervisor to take off Boot Protection manually if it cannot be removed through PROTEC NET or the system fails to boot. The keydisk file is named and can be identified as follows: KEY#####.00} where ##### represents a unique number. To Schedule Installation of Boot Protection Disabling the Keyboard 1 Access the Security program. Refer to Accessing the Security Program for step by step instructions. 2 From the Workstation menu, select Install Boot Protection (ALT, W, N). 3 Select the workstation you wish to install Boot Protection and press ENTER. 4 To install Boot protection, select the method of Boot Protection that is appropriate and choose the INSTALL button. Select Disable Keyboard during Boot-up if appropriate. 5 Choose the SAVE button. ================= Emergency Removal ================= In the event that you are unable to boot from the C: Drive, Boot Protection may be removed using a workstation keydisk. To Retrieve the Workstation's Keydisk 1 From the appropriate Security Server, change to the PROSYSTEM directory. 2 Run COPYKEY.EXE. 3 Select the corresponding workstation's keydisk. All keydisks are created during Boot Protection installation. 4 Specify the destination path as A: or B:. The keydisk will be created on the destination drive along with RBPKEY.EXE. RBPKEY.EXE removes Boot Protection from a workstation using its keydisk. 5 Enter keydisk password. Keydisk passwords are not case sensitive. Password length must be between 1 and 20 characters. 6 Write down the keydisk file name as presented on the screen. Proceed to the next set of instructions on removing Boot Protection with a keydisk. To Remove Boot Protection Using Keydisk 1 Boot from the A: Drive with a DOS bootable diskette. DOS version should be the same version that is on the computer. 2 Place the proper disk into the A: drive and type rbpkey keydisk 3 Enter your keydisk password. 4 Press CTRL+ALT+DEL after the process is completed. Make sure the A: Drive door is open. ===================== Build Directory Trees ===================== To assign Group Access Permissions, PROTEC NET must know what resources are available on each workstation. The PROTEC NET Script program, BLDTREE.EXE, automatically scans each local drive excluding floppy drives and records its directories and files when a user signs onto the Security Server for the first time. A tree of each workstation can be scheduled to build every time a user logs onto the system, once a day, once a week or once a month. To Schedule the Building of a Workstation Tree 1 Access the Security program. Refer to Accessing the Security Program for step by step instructions. 2 From the Workstation menu, select Build Directory Trees (Alt W, U). 3 Select the workstation for which you wish to build a directory tree and press ENTER. 4 Select the frequency to build. 5 Choose the SAVE button. ============================== AUTOEXEC and CONFIG Protection ============================== This feature denies all users, even supervisors, access to the CONFIG.SYS and AUTOEXEC.BAT. If you need to change either file, then you must deactivate this feature. To Activate AUTOEXEC/CONFIG Protection 1 Access the Security program. Refer to Accessing the Security Program for step by step instructions. 2 From the Workstation menu, select AUTOEXEC/CONFIG Protection (ALT, W, U). 3 Press ENTER until the word 'On' appears to the right of the menu selection. Workstation changes will not take effect until the next user logs onto the system. ============= Keyboard Lock ============= This option allows the user to lock the keyboard during unattended sessions either through hotkey activation or automatically by a lockout time interval. When activated, the computer beeps and the keyboard locks allowing background processing to continue. The user must enter his password to regain access to the system. If keyboard lock has been activated, the NetWare Supervisor or the user must enter his password to gain access to a user's system. If keyboard lock is activated by the NetWare Supervisor, only he can deactivate keyboard lock. The following features may be configured for keyboard lockout: · Hotkeys. A hotkey activation means that users must press a configured combination of keys to activate keyboard lockout. The default hotkey sequence is CTRL+LEFTSHIFT+F2. · Lockout(min). A Lockout interval must be specified to initiate keyboard lockout automatically. The maximum time that can be specified is 99 minutes. If both Keyboard Lock and Save Screen are activated, the time set for Keyboard Lock overrides the Save Screen parameter. Example: Save Screen is set to 2 minutes while Keyboard Lockout is set to 5 minutes. Since both features are made active, Save Screen and Keyboard Lock activate after 5 minutes. · Keyboard lock for Windows. If checked, this option informs PROTEC NET to install and activate keyboard lock within Windows. Since groups and programs may be deleted from Windows, PROTEC NET's SIGNON.EXE program ensures that all PROTEC NET keyboard lock modules are available within Windows before a user accesses the system. It copies the following files to the Windows directory: PROTEC.GRP, KEYTIME.EXE, KEYLOCK.EXE, PKEYDLL.DLL, KTDLL.DLL and BWCC.DLL. To deactivate Keyboard Lockout, set Hotkey combination to {none} and Lockout interval to 0. To Configure Keyboard Lockout 1 Access the Security program. Refer to Accessing the Security Program for step by step instructions. 2 From the Workstation menu, select Keyboard Lockout (ALT, W, K). 3 From the combo box, select a hotkey combination. 4 Enter the lockout time interval in minutes. 5 Check Keyboard lock for Windows. 6 Choose the SAVE button. Workstation changes will not take effect until the next user logs onto the system. ===================== Windows Keyboard Lock ===================== Keyboard Lock can be activated within Windows if the Windows box is checked and the keyboard lockout interval is set to a value greater than 0. To Activate Keyboard Lock within Windows 1 Go to the PROTEC window within Windows. 2 Click on the PROTEC Keyboard Lock icon. ============== System Lockout ============== System Lockout determines how many access request failures the user is permitted before the system halts requiring him to reboot. Specifically, this option stops repeated access attempts to resources to which a user has been denied access. Each System Lockout violation is recorded to the Audit database. The maximum number of failures before the system locks is 99. To deactivate system lockout, set maximum number of failures to 0. To Set the System Lockout Count 1 Access the Security program. Refer to Accessing the Security Program for step by step instructions. 2 From the Workstation menu, select System Lockout (ALT, W, S). 3 Enter the number of security violations permitted before PROTEC NET locks the computer. 4 Choose the SAVE button. Workstation changes will not take effect until the next user logs onto the system. =========== Save Screen =========== Save Screen prevents text from getting "burned into" the monitor screen by flashing a scrolling message when the computer is unattended. PROTEC NET saves the current screen to file when save screen is activated so unnecessary memory is not consumed. This feature is disabled when Windows is active. There following save screen parameters are configurable: · Save Time(min). The Save Time interval is specified in minutes and may be configured up to 1440 minutes (the number of minutes in a day). If set to 0 the save screen module is deactivated. · Message. The save screen message is configurable and may consist of up to 33 characters. This message scrolls down the screen when activated. If PROTEC NET detects the screen is in graphics mode, the screen blanks and no message appears. To Configure Save Screen 1 Access the Security program. Refer to Accessing the Security Program for step by step instructions. 2 From the Workstation menu, select Save Screen (ALT, W, V). 3 Enter the number of minutes the computer must be inactive before the screen is saved. 4 Choose the SAVE button. Workstation changes will not take effect until the next user logs onto the system. ========================= System Verification Check ========================= System Verification monitors certain critical files and the boot sector. If these objects are altered, erased or renamed by any user of the system including a supervisor, PROTEC NET alerts the system of the violation during boot up and requires a supervisor to log onto the system before allowing another user access. If violations are checked within Events to Audit, system verification violations are recorded along with the user that made these changes and the file(s) that have been affected. This can also be useful as a basic monitor for virus infection. Objects that are protected: the boot sector AUTOEXEC.BAT CONFIG.SYS COMMAND.COM DOS system files Specifically, system verification performs a three- way checksum of each critical file during the boot sequence. The total size, date and time of the file is monitored, along with a checksum. If a supervisor must modify these objects, deactivate System Verification before modifying any object. RPB.EXE automatically resets the check so that Boot Protection can install without a violation error. To Activate System Verification 1 Access the Security program. Refer to Accessing the Security Program for step by step instructions. 2 From the Workstation menu, select System Verification Check (ALT, W, Y). 3 Press ENTER until the word 'On' appears to the right of the menu selection. Workstation changes will not take effect until the next user logs onto the system. =========== Login Shell =========== PROTEC NET allows you to assign each workstation a shell which loads directly after a user logs onto a PROTEC NET workstation. When the user tries to unload this shell, PROTEC NET's Login screen reappears. If another menu system is preferred (e.g. Microsoft Windows), specify this program as the Login Shell. The following options are configurable: · Default Program. A program must always be specified. the filename syntax is as follows: drive:\path\filename.ext where .ext must be .COM or .EXE. To run a batch file, specify COMMAND.COM as the default program and specify the batch file on the Command Line, as shown below. · Command Line. The command line is optional and allows you to specify command line parameters required by the default program. It also allows you to run a batch file if COMMAND.COM is appointed as the Login Shell filename. The command line syntax for a batch file is as follows: /c drive:\path\filename.ext where /c must precede the file name and .ext must be .BAT. To Specify a Login Shell for a Workstation 1 Access the Security program. Refer to section Accessing the Security Program for step by step instructions. 2 From the Workstation menu, select Login Shell (ALT, W, L). 3 Enter the default program and command line parameters if required. 4 Choose the SAVE button. These changes will not take effect until the next user logs onto the system. To Reset to the Login Shell to COMMAND.COM 1 Access the Security program. Refer to Accessing the Security Program for step by step instructions. 2 From the Workstation menu, select Login Shell (ALT, W, L). 3 Choose the RESET button. 4 Choose the SAVE button. These changes will not take effect until the next user logs onto the system. ================== Display Violations ================== This option informs the user that he has performed an operation that is not allowed by the PROTEC NET system. If you do not want to notify a user about a PROTEC NET violation, you may deactivate this feature; all violations appear as DOS error messages. For instance, if a user tries to access a file that he may not access, DOS displays the message 'Bad command or file name.' To Display Violations 1 Access the Security program. Refer to Accessing the Security Program for step by step instructions. 2 From the Workstation menu, select Display Violations (ALT, W, D). 3 Press ENTER until the word 'On' appears to the right of the menu selection. Workstation changes will not take effect until the next user logs onto the system. ============== Memory Buffers ============== There are two memory buffers PROTEC NET uses to control and monitor security when a user signs onto the system: Permission and Audit. · Permission Buffer. The Permission Buffer manages user permissions when running an application. Its default setting is 4096 bytes. · Audit Buffer. The Audit Buffer allows user activity to be tracked without writing directly to the AUDIT.DBF to increase performance. The default setting is 0 bytes. If EMS memory is available, the Permission Buffers automatically utilizes it. In this case, each buffer size may be increased without using additional conventional memory. To Change a Memory Buffer Size 1 Access the Security program. Refer to Accessing the Security Program for step by step instructions. 2 From the Workstation menu, select PROTEC Memory Buffer Size (ALT, W, M). 3 Enter the number of bytes for the Permission and Audit Buffers. 4 Choose the SAVE button. These changes will not take effect until the next user logs onto the system. ============================= When Server is Down / Laptops ============================= Since workstations may not always be connected to their Security Server, this feature allows you to provide backup workstation protection. There are three options available: · No Access to Workstation. Only the Master Password may obtain access to the workstation. The Master Password can be configured within User Security and is the same system wide. · Local Password. Allows a user full access to resources on the workstation if the Local Password is entered at login. A local password is downloaded to the appropriate workstation after each login. · Local Copy of PROTEC. Copies PROTEC NET's files to the PROTEC directory's Local subdirectory (e.g., C:\PROTEC.NET\LOCAL) and is only used when the Security Server is not available. Security cannot be configured from the workstation. All changes to security must occur from a user's Primary Server. Local copies of PROTEC NET can be scheduled to download at Next Login, Every Login, Daily, Weekly or Monthly. NOTE Since the local copy of PROTEC runs only when it cannot access the Security Server, all Login Shells that are set to programs located on the server are reset to COMMAND.COM. To Configure Backup Protection 1 Access the Security program. Refer to Accessing the Security Program for step by step instructions. 2 From the Workstation menu, select When the Server is Down / Laptop (ALT, W, W). 3 Select the workstation you wish to configure backup protection and press ENTER. 4 Select the method. If you choose Use Local Password, you must enter a password by selecting the PASSWORD button. 5 Choose the SAVE button.