PC Direct CD-ROM (May 1995) / ipe / protec / manual / chap3.txt (text file dated 1994-08-09)
Chapter 3
Workstation Security
PROTEC NET administers and installs PROTEC on
workstations automatically from the Security
Server. This section provides information on
scheduling installation and configuration of
workstation security.
=======================================
Accessing Workstation Security Features
=======================================
Workstation Security features include all
installation and configuration processes that may
be defined for each workstation. The following
chart lists each Workstation Security feature and
the chapter in which it is discussed.
Workstation Security Features            Chapter
____________________________________________
Add or Delete Workstation ID             3
Install or Remove PROTEC                 3
Install or Remove Boot Protection        3
Build Directory Trees                    3
AUTOEXEC and CONFIG Protection           3
Keyboard Lockout                         3
System Lockout                           3
Save Screen                              3
System Verification                      3
Login Shell                              3
Display Violations                       3
Events to Audit                          4
Memory Buffers                           3
When Server is Down / Laptops            3
Figure 3.1. Workstation Security Features
All security features listed above appear within
the Security program under the Workstation menu
option. When selecting an option, the Security
program requires that you select a workstation
before configuring the selected security feature.
If the workstation ID list is empty, no
workstation IDs have been logged, because either
users have not signed onto the Security Server or
Novell NetWare's System Login Script does not
include the PROTEC NET Script programs. Each
workstation ID must be recorded prior to
installing or configuring workstation security.
Refer to Server Installation, Script for
information on modifying the System Login Script.
============================
Add or Delete Workstation ID
============================
In order for PROTEC NET to be installed onto a
workstation automatically, it must first record
the workstation's network address, referred to as
the Workstation ID. The workstation ID must be
recorded before security may be installed and
configured for a workstation. The PROTEC NET
Script program, NAMER.EXE, records the workstation
ID and prompts the user for the name and the
location of his workstation. These strings can
each be up to 16 characters. This information
assists supervisors in selecting a workstation
without having to know the user's network address.
To Add a Workstation ID Manually
1 Run ADDRESS.EXE to record the current
workstation's network address. This program is
located within the PROPUBLIC directory on the
Security Server.
2 Write down the address.
3 Access the Security program. Refer to
Accessing the Security Program for step by step
instructions.
4 From the Workstation menu, select Add/Del
Workstation ID (ALT, W, D).
5 Choose the INS key.
6 Enter the workstation's name, location and
address.
7 Press the SAVE button.
NOTE NAMER.EXE can be run from the DOS prompt to record the
current workstation's network ID automatically.
========================
Install or Remove PROTEC
========================
Once a Workstation ID has been recorded, PROTEC
NET may be configured to install automatically
onto the workstation. Since PROTEC NET uses
NetWare user names and passwords to log users onto
the workstation, PROTEC NET only installs itself
if it detects NetWare drivers are called from the
AUTOEXEC.BAT. If so, PROTEC NET inserts its
security kernel LOADER.COM after these drivers. A
list of these drivers can be found under the
heading `[network drivers]' in the PSETUP.INF file
located in the PROPUBLIC directory. This list can
be modified to include other network drivers if
needed.
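The installation rule above, modelled as an added example (this is not PROTEC NET's own code): driver names are read from the `[network drivers]` section of PSETUP.INF, AUTOEXEC.BAT is scanned for calls to those drivers, and LOADER.COM is inserted after the last one, or nothing is installed when no listed driver is called. The PSETUP.INF layout, the sample AUTOEXEC.BAT and the LOADER.COM install path are all assumptions.

```python
from typing import List, Optional, Set

# Constructed PSETUP.INF; the shipped layout is not shown, so an INI-style section is assumed.
SAMPLE_PSETUP_INF = """; constructed sample, not the shipped PSETUP.INF
[network drivers]
LSL
IPXODI
NETX
[other section]
MOUSE
"""

# Constructed AUTOEXEC.BAT of a NetWare ODI workstation.
SAMPLE_AUTOEXEC = [
    "@ECHO OFF",
    "PROMPT $P$G",
    "LH C:\\NWCLIENT\\LSL.COM",
    "C:\\NWCLIENT\\NE2000.COM",
    "C:\\NWCLIENT\\IPXODI.COM",
    "C:\\NWCLIENT\\NETX.EXE",
    "F:\\LOGIN\\LOGIN",
]

LOADER_LINE = "C:\\PROTEC.NET\\LOADER.COM"  # install path assumed, not stated on the page


def network_drivers(psetup_inf: str) -> Set[str]:
    """Driver names listed under [network drivers], upper-cased for comparison."""
    drivers, in_section = set(), False
    for raw in psetup_inf.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "network drivers"
        elif in_section:
            drivers.add(line.upper())
    return drivers


def invoked_program(line: str) -> str:
    """Base name (no path, no extension) of the program an AUTOEXEC.BAT line runs."""
    tokens = line.strip().lstrip("@").upper().split()
    if tokens and tokens[0] in ("LH", "LOADHIGH", "CALL"):
        tokens = tokens[1:]
    return tokens[0].rsplit("\\", 1)[-1].rsplit(".", 1)[0] if tokens else ""


def install_loader(autoexec: List[str], drivers: Set[str]) -> Optional[List[str]]:
    """Insert LOADER.COM after the last network driver call; None when no listed
    driver is called, the case in which PROTEC NET does not install itself."""
    last = None
    for i, line in enumerate(autoexec):
        if invoked_program(line) in drivers:
            last = i
    if last is None:
        return None
    if any(invoked_program(l) == "LOADER" for l in autoexec):
        return list(autoexec)  # already installed: leave the file unchanged
    return autoexec[:last + 1] + [LOADER_LINE] + autoexec[last + 1:]


def remove_loader(autoexec: List[str]) -> List[str]:
    """Scheduled removal: drop every line that runs LOADER.COM."""
    return [l for l in autoexec if invoked_program(l) != "LOADER"]
```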
To Schedule Installation or Removal of Workstation
Security
1 Access the Security program. Refer to
Accessing the Security Program for step by step
instructions.
2 From the Workstation menu, select
Install/Remove PROTEC (Alt W, I).
3 Select the workstation you wish to configure
and press ENTER.
4 Select the appropriate operation.
5 Choose the SAVE button.
The next time a user signs onto the Security
Server, PROTEC NET is installed or removed
automatically. Once installation is complete, the
user must reboot his system. The result of this
process is audited stating whether the system
installed successfully. For instructions on how
to review installation results, refer to View Auto
Installation Results.
=================================
Install or Remove Boot Protection
=================================
Multiple features are combined within Boot
Protection to stop unauthorized users from
bypassing PROTEC NET's Login screen. The System
or user login script must run the PROTEC NET
Script program RBP.EXE for Boot Protection to
install properly. Refer to Figure 2.2 for the
proper syntax. If PROTEC NET is not installed or
the active partition on the workstation is not a
DOS partition, Boot Protection does not install.
The following features are configurable within
Boot Protection:
· Boot Protection. This feature may be configured to
AutoInstall, AutoRemove or Ignore.
· Method. Each method stops users from accessing the C:
Drive by booting from a floppy drive. If AutoInstall is
specified, the method of Boot Protection used may be one of
the following: Level I, Level II or AutoDetect. Level I
and Level II methods protect the master boot record. Level
II also secures the root directory and should only be used
if a workstation's first physical boot disk is not
compressed.
AutoDetect installs either Level I or Level II
of Boot Protection. The Level I method is
installed if PROTEC NET detects that the
workstation's drive is compressed by STAC's
Stacker software. Otherwise, PROTEC NET
installs Level II.
During each installation, Boot Protection
inserts its device driver, PROTEC3.SYS, into
the CONFIG.SYS and also inserts `SWITCHES /N'
if it detects DOS version 6.0 or higher is
running. This DOS command stops users from
terminating the boot process by using F5 and F8
function keys.
· Turn off keyboard during boot-up. Boot Protection can
be configured so that the keyboard is disabled while the
AUTOEXEC.BAT is running. If this feature is made active,
PROTEC NET automatically inserts `C2 /0' as the first
statement in the AUTOEXEC.BAT file so users cannot terminate
this batch file. Once PROTEC NET's Login screen is loaded,
the keyboard is reactivated. If keyboard entry is needed
during boot-up, use `C2 /1' in conjunction with `C2 /0' to
turn the keyboard On and Off.
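The Boot Protection decisions listed above, as an added example rather than PROTEC NET's own code: resolving AutoDetect to Level I on a Stacker-compressed drive and Level II otherwise, refusing to install without PROTEC NET or a DOS active partition, adding PROTEC3.SYS and (on DOS 6.0 or later) `SWITCHES /N` to CONFIG.SYS, and placing `C2 /0` first in AUTOEXEC.BAT when the keyboard is disabled during boot-up. The PROTEC3.SYS path and the position of the new CONFIG.SYS lines are assumptions.

```python
from typing import List, Tuple

PROTEC3_LINE = "DEVICE=C:\\PROTEC.NET\\PROTEC3.SYS"  # driver path assumed, not stated on the page


def select_method(requested: str, stacker_compressed: bool) -> str:
    """Resolve the configured method to the level that actually gets installed."""
    if requested in ("Level I", "Level II"):
        return requested
    if requested == "AutoDetect":
        # Level II also secures the root directory, which is not used on a compressed drive.
        return "Level I" if stacker_compressed else "Level II"
    raise ValueError("unknown Boot Protection method: %r" % requested)


def can_install(protec_installed: bool, active_partition_type: str) -> bool:
    """Boot Protection installs only on top of PROTEC NET and on a DOS active partition."""
    return protec_installed and active_partition_type.upper() == "DOS"


def protect_config_sys(config: List[str], dos_version: Tuple[int, int]) -> List[str]:
    """Add the PROTEC3.SYS device line and, on DOS 6.0 or later, SWITCHES /N."""
    out = list(config)
    if not any("PROTEC3.SYS" in line.upper() for line in out):
        out.insert(0, PROTEC3_LINE)  # placed first; the page does not state the position
    if dos_version >= (6, 0):
        idx = next((i for i, line in enumerate(out)
                    if line.strip().upper().startswith("SWITCHES")), None)
        if idx is None:
            out.insert(0, "SWITCHES /N")  # stops F5/F8 from interrupting the boot
        elif "/N" not in out[idx].upper():
            out[idx] = out[idx].rstrip() + " /N"  # keep any switches already set
    return out


def disable_keyboard_during_boot(autoexec: List[str]) -> List[str]:
    """Make C2 /0 the first statement so the user cannot break out of AUTOEXEC.BAT."""
    if autoexec and autoexec[0].strip().upper() == "C2 /0":
        return list(autoexec)
    return ["C2 /0"] + list(autoexec)


def plan_boot_protection(method: str, stacker_compressed: bool, dos_version: Tuple[int, int],
                         config: List[str], autoexec: List[str], disable_keyboard: bool):
    """Return (level, new CONFIG.SYS, new AUTOEXEC.BAT) for one scheduled workstation."""
    level = select_method(method, stacker_compressed)
    new_config = protect_config_sys(config, dos_version)
    new_autoexec = disable_keyboard_during_boot(autoexec) if disable_keyboard else list(autoexec)
    return level, new_config, new_autoexec
```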
Before Boot Protection is installed, PROTEC NET
creates a workstation keydisk and places it in the
PROPUBLIC directory. A keydisk is an emergency
disk which enables a supervisor to remove Boot
Protection manually if it cannot be removed
through PROTEC NET or the system fails to boot.
The keydisk file is named and can be identified as
follows:
KEY#####.00}
where ##### represents a unique number.
To Schedule Installation of Boot Protection
Disabling the Keyboard
1 Access the Security program. Refer to
Accessing the Security Program for step by step
instructions.
2 From the Workstation menu, select Install Boot
Protection (ALT, W, N).
3 Select the workstation on which you wish to
install Boot Protection and press ENTER.
4 To install Boot protection, select the method
of Boot Protection that is appropriate and
choose the INSTALL button. Select Disable
Keyboard during Boot-up if appropriate.
5 Choose the SAVE button.
=================
Emergency Removal
=================
In the event that you are unable to boot from the
C: Drive, Boot Protection may be removed using a
workstation keydisk.
To Retrieve the Workstation's Keydisk
1 From the appropriate Security Server, change to
the PROSYSTEM directory.
2 Run COPYKEY.EXE.
3 Select the corresponding workstation's keydisk.
All keydisks are created during Boot Protection
installation.
4 Specify the destination path as A: or B:. The
keydisk will be created on the destination
drive along with RBPKEY.EXE. RBPKEY.EXE
removes Boot Protection from a workstation
using its keydisk.
5 Enter keydisk password. Keydisk passwords are
not case sensitive. Password length must be
between 1 and 20 characters.
6 Write down the keydisk file name as presented
on the screen. Proceed to the next set of
instructions on removing Boot Protection with a
keydisk.
To Remove Boot Protection Using Keydisk
1 Boot from the A: Drive with a DOS bootable
diskette. DOS version should be the same
version that is on the computer.
2 Place the proper disk into the A: drive and
type
rbpkey keydisk
3 Enter your keydisk password.
4 Press CTRL+ALT+DEL after the process is
completed. Make sure the A: Drive door is
open.
=====================
Build Directory Trees
=====================
To assign Group Access Permissions, PROTEC NET
must know what resources are available on each
workstation. The PROTEC NET Script program,
BLDTREE.EXE, automatically scans each local drive
excluding floppy drives and records its
directories and files when a user signs onto the
Security Server for the first time. A tree of
each workstation can be scheduled to build every
time a user logs onto the system, once a day, once
a week or once a month.
To Schedule the Building of a Workstation Tree
1 Access the Security program. Refer to Accessing
the Security Program for step by step
instructions.
2 From the Workstation menu, select Build
Directory Trees (Alt W, U).
3 Select the workstation for which you wish to
build a directory tree and press ENTER.
4 Select the frequency to build.
5 Choose the SAVE button.
==============================
AUTOEXEC and CONFIG Protection
==============================
This feature denies all users, even supervisors,
access to the CONFIG.SYS and AUTOEXEC.BAT. If you
need to change either file, then you must
deactivate this feature.
To Activate AUTOEXEC/CONFIG Protection
1 Access the Security program. Refer to
Accessing the Security Program for step by step
instructions.
2 From the Workstation menu, select
AUTOEXEC/CONFIG Protection (ALT, W, U).
3 Press ENTER until the word 'On' appears to the
right of the menu selection. Workstation
changes will not take effect until the next
user logs onto the system.
=============
Keyboard Lock
=============
This option allows the user to lock the keyboard
during unattended sessions either through hotkey
activation or automatically by a lockout time
interval. When activated, the computer beeps and
the keyboard locks allowing background processing
to continue. The user must enter his password to
regain access to the system.
If keyboard lock has been activated, the NetWare
Supervisor or the user must enter his password to
gain access to a user's system. If keyboard lock
is activated by the NetWare Supervisor, only he
can deactivate keyboard lock.
The following features may be configured for
keyboard lockout:
· Hotkeys. A hotkey activation means that users must
press a configured combination of keys to activate keyboard
lockout. The default hotkey sequence is CTRL+LEFTSHIFT+F2.
· Lockout(min). A Lockout interval must be specified to
initiate keyboard lockout automatically. The maximum time
that can be specified is 99 minutes. If both Keyboard Lock
and Save Screen are activated, the time set for Keyboard
Lock overrides the Save Screen parameter.
Example: Save Screen is set to 2 minutes while
Keyboard Lockout is set to 5 minutes. Since
both features are made active, Save Screen and
Keyboard Lock activate after 5 minutes.
· Keyboard lock for Windows. If checked, this option
informs PROTEC NET to install and activate keyboard lock
within Windows. Since groups and programs may be deleted
from Windows, PROTEC NET's SIGNON.EXE program ensures that
all PROTEC NET keyboard lock modules are available within
Windows before a user accesses the system. It copies the
following files to the Windows directory: PROTEC.GRP,
KEYTIME.EXE, KEYLOCK.EXE, PKEYDLL.DLL, KTDLL.DLL and
BWCC.DLL.
To deactivate Keyboard Lockout, set Hotkey
combination to {none} and Lockout interval to 0.
To Configure Keyboard Lockout
1 Access the Security program. Refer to
Accessing the Security Program for step by step
instructions.
2 From the Workstation menu, select Keyboard
Lockout (ALT, W, K).
3 From the combo box, select a hotkey
combination.
4 Enter the lockout time interval in minutes.
5 Check Keyboard lock for Windows.
6 Choose the SAVE button. Workstation changes
will not take effect until the next user logs
onto the system.
=====================
Windows Keyboard Lock
=====================
Keyboard Lock can be activated within Windows if
the Windows box is checked and the keyboard
lockout interval is set to a value greater than 0.
To Activate Keyboard Lock within Windows
1 Go to the PROTEC window within Windows.
2 Click on the PROTEC Keyboard Lock icon.
==============
System Lockout
==============
System Lockout determines how many access request
failures the user is permitted before the system
halts requiring him to reboot. Specifically, this
option stops repeated access attempts to resources
to which a user has been denied access. Each
System Lockout violation is recorded to the Audit
database.
The maximum number of failures before the system
locks is 99. To deactivate system lockout, set
maximum number of failures to 0.
To Set the System Lockout Count
1 Access the Security program. Refer to
Accessing the Security Program for step by step
instructions.
2 From the Workstation menu, select System
Lockout (ALT, W, S).
3 Enter the number of security violations
permitted before PROTEC NET locks the computer.
4 Choose the SAVE button. Workstation changes
will not take effect until the next user logs
onto the system.
===========
Save Screen
===========
Save Screen prevents text from getting "burned
into" the monitor screen by flashing a scrolling
message when the computer is unattended. PROTEC
NET saves the current screen to file when save
screen is activated so unnecessary memory is not
consumed. This feature is disabled when Windows
is active.
The following save screen parameters are
configurable:
· Save Time(min). The Save Time interval is specified in
minutes and may be configured up to 1440 minutes (the number
of minutes in a day). If set to 0 the save screen module is
deactivated.
· Message. The save screen message is configurable and
may consist of up to 33 characters. This message scrolls
down the screen when activated. If PROTEC NET detects the
screen is in graphics mode, the screen blanks and no message
appears.
To Configure Save Screen
1 Access the Security program. Refer to
Accessing the Security Program for step by step
instructions.
2 From the Workstation menu, select Save Screen
(ALT, W, V).
3 Enter the number of minutes the computer must
be inactive before the screen is saved.
4 Choose the SAVE button. Workstation changes
will not take effect until the next user logs
onto the system.
=========================
System Verification Check
=========================
System Verification monitors certain critical
files and the boot sector. If these objects are
altered, erased or renamed by any user of the
system including a supervisor, PROTEC NET alerts
the system of the violation during boot up and
requires a supervisor to log onto the system
before allowing another user access. If
violations are checked within Events to Audit,
system verification violations are recorded along
with the user that made these changes and the
file(s) that have been affected. This can also be
useful as a basic monitor for virus infection.
Objects that are protected:
the boot sector
AUTOEXEC.BAT
CONFIG.SYS
COMMAND.COM
DOS system files
Specifically, system verification performs a three-
way check of each critical file during the boot
sequence: the file's total size, its date and
time, and a checksum are all monitored.
If a supervisor must modify these objects,
deactivate System Verification before modifying
any object. RBP.EXE automatically resets the
check so that Boot Protection can install without
a violation error.
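The check described above, as an added example that is not PROTEC NET code: a baseline of size, date/time and checksum is recorded for each critical object, and a later pass reports every object that is missing (erased or renamed) or whose values changed. The boot sector is represented by a constructed file, IO.SYS and MSDOS.SYS stand in for the DOS system files, and CRC-32 is assumed since the page does not name the checksum algorithm.

```python
import os
import tempfile
import zlib
from typing import Dict, List, Tuple

# Objects the chapter lists; BOOTSECT.BIN stands in for the boot sector and
# IO.SYS / MSDOS.SYS for "DOS system files" (both assumptions of this example).
CRITICAL_OBJECTS = ["BOOTSECT.BIN", "AUTOEXEC.BAT", "CONFIG.SYS",
                    "COMMAND.COM", "IO.SYS", "MSDOS.SYS"]

Fingerprint = Tuple[int, int, int]  # (size, date/time as epoch seconds, checksum)


def fingerprint(path: str) -> Fingerprint:
    """Size, modification date/time and a CRC-32 of the object's contents."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        crc = zlib.crc32(fh.read()) & 0xFFFFFFFF
    return st.st_size, int(st.st_mtime), crc


def build_baseline(root: str) -> Dict[str, Fingerprint]:
    """Record the three values for every critical object present under root."""
    return {name: fingerprint(os.path.join(root, name))
            for name in CRITICAL_OBJECTS if os.path.exists(os.path.join(root, name))}


def verify(root: str, baseline: Dict[str, Fingerprint]) -> List[str]:
    """Compare current objects with the baseline; each returned string is one violation."""
    violations = []
    for name, old in baseline.items():
        path = os.path.join(root, name)
        if not os.path.exists(path):
            violations.append("%s: erased or renamed" % name)
            continue
        new = fingerprint(path)
        changed = [label for label, a, b in zip(("size", "date/time", "checksum"), old, new)
                   if a != b]
        if changed:
            violations.append("%s: %s changed" % (name, ", ".join(changed)))
    return violations


def demo() -> List[str]:
    """Constructed workstation: take a baseline, alter two objects, re-check at 'boot'."""
    root = tempfile.mkdtemp()
    contents = {"BOOTSECT.BIN": b"\xeb\x3c\x90MSDOS5.0" + b"\x00" * 500 + b"\x55\xaa",
                "AUTOEXEC.BAT": b"@ECHO OFF\r\nC:\\PROTEC.NET\\LOADER.COM\r\n",
                "CONFIG.SYS": b"FILES=30\r\n", "COMMAND.COM": b"MZ-constructed",
                "IO.SYS": b"IO", "MSDOS.SYS": b"MSDOS"}
    for name, data in contents.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    baseline = build_baseline(root)
    with open(os.path.join(root, "AUTOEXEC.BAT"), "ab") as fh:  # appended line alters size and checksum
        fh.write(b"C:\\UTIL\\EXTRA.COM\r\n")
    os.rename(os.path.join(root, "CONFIG.SYS"), os.path.join(root, "CONFIG.OLD"))  # renamed object
    return verify(root, baseline)
```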
To Activate System Verification
1 Access the Security program. Refer to
Accessing the Security Program for step by step
instructions.
2 From the Workstation menu, select System
Verification Check (ALT, W, Y).
3 Press ENTER until the word 'On' appears to the
right of the menu selection. Workstation
changes will not take effect until the next
user logs onto the system.
===========
Login Shell
===========
PROTEC NET allows you to assign each workstation a
shell which loads directly after a user logs onto
a PROTEC NET workstation. When the user tries to
unload this shell, PROTEC NET's Login screen
reappears. If another menu system is preferred
(e.g. Microsoft Windows), specify this program as
the Login Shell.
The following options are configurable:
· Default Program. A program must always be specified.
The filename syntax is as follows:
drive:\path\filename.ext
where .ext must be .COM or .EXE. To run a
batch file, specify COMMAND.COM as the default
program and specify the batch file on the
Command Line, as shown below.
· Command Line. The command line is optional and allows
you to specify command line parameters required by the
default program. It also allows you to run a batch file if
COMMAND.COM is appointed as the Login Shell filename. The
command line syntax for a batch file is as follows:
/c drive:\path\filename.ext
where /c must precede the file name and .ext
must be .BAT.
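A check of a Login Shell entry against the two syntax rules above, added here as an example (not PROTEC NET's own validation): the default program must be `drive:\path\filename.COM` or `.EXE`, and a batch file is accepted only as `/c drive:\path\filename.BAT` on the command line with COMMAND.COM as the default program. The sample entries are constructed.

```python
import re
from typing import Optional

# drive:\path\filename.ext; path components may not contain backslashes or whitespace
_PROGRAM_RE = re.compile(r"^[A-Za-z]:\\(?:[^\\\s]+\\)*[^\\\s.]+\.(?:COM|EXE)$", re.IGNORECASE)
_BATCH_RE = re.compile(r"^/c\s+[A-Za-z]:\\(?:[^\\\s]+\\)*[^\\\s.]+\.BAT$", re.IGNORECASE)


def check_login_shell(default_program: str, command_line: str = "") -> Optional[str]:
    """Return None when the entry follows the rules, otherwise the rule it breaks."""
    program = default_program.strip()
    if not program:
        return "a default program must always be specified"
    if not _PROGRAM_RE.match(program):
        return "default program must be drive:\\path\\filename.COM or .EXE"
    runs_command_com = program.upper().rsplit("\\", 1)[-1] == "COMMAND.COM"
    cmdline = command_line.strip()
    if cmdline.upper().startswith("/C"):  # a batch file is being requested
        if not runs_command_com:
            return "a batch file runs only when COMMAND.COM is the default program"
        if not _BATCH_RE.match(cmdline):
            return "batch command line must be /c drive:\\path\\filename.BAT"
    return None  # the command line is otherwise optional and passed through
```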
To Specify a Login Shell for a Workstation
1 Access the Security program. Refer to section
Accessing the Security Program for step by step
instructions.
2 From the Workstation menu, select Login Shell
(ALT, W, L).
3 Enter the default program and command line
parameters if required.
4 Choose the SAVE button. These changes will
not take effect until the next user logs onto
the system.
To Reset the Login Shell to COMMAND.COM
1 Access the Security program. Refer to
Accessing the Security Program for step by step
instructions.
2 From the Workstation menu, select Login Shell
(ALT, W, L).
3 Choose the RESET button.
4 Choose the SAVE button. These changes will not
take effect until the next user logs onto the
system.
==================
Display Violations
==================
This option informs the user that he has performed
an operation that is not allowed by the PROTEC NET
system.
If you do not want to notify a user about a PROTEC
NET violation, you may deactivate this feature;
all violations appear as DOS error messages. For
instance, if a user tries to access a file that he
may not access, DOS displays the message 'Bad
command or file name.'
To Display Violations
1 Access the Security program. Refer to
Accessing the Security Program for step by step
instructions.
2 From the Workstation menu, select Display
Violations (ALT, W, D).
3 Press ENTER until the word 'On' appears to the
right of the menu selection. Workstation
changes will not take effect until the next
user logs onto the system.
==============
Memory Buffers
==============
There are two memory buffers PROTEC NET uses to
control and monitor security when a user signs
onto the system: Permission and Audit.
· Permission Buffer. The Permission Buffer manages user
permissions when running an application. Its default
setting is 4096 bytes.
· Audit Buffer. The Audit Buffer allows user activity to
be tracked without writing directly to the AUDIT.DBF to
increase performance. The default setting is 0 bytes.
If EMS memory is available, the Permission Buffer
automatically uses it. In this case, each buffer
size may be increased without using additional
conventional memory.
To Change a Memory Buffer Size
1 Access the Security program. Refer to
Accessing the Security Program for step by step
instructions.
2 From the Workstation menu, select PROTEC Memory
Buffer Size (ALT, W, M).
3 Enter the number of bytes for the Permission
and Audit Buffers.
4 Choose the SAVE button. These changes will not
take effect until the next user logs onto the
system.
=============================
When Server is Down / Laptops
=============================
Since workstations may not always be connected to
their Security Server, this feature allows you to
provide backup workstation protection.
There are three options available:
· No Access to Workstation. Only the Master Password may
obtain access to the workstation. The Master Password can
be configured within User Security and is the same system
wide.
· Local Password. Allows a user full access to resources
on the workstation if the Local Password is entered at
login. A local password is downloaded to the appropriate
workstation after each login.
· Local Copy of PROTEC. Copies PROTEC NET's files to the
PROTEC directory's Local subdirectory (e.g.,
C:\PROTEC.NET\LOCAL) and is only used when the Security
Server is not available. Security cannot be configured from
the workstation. All changes to security must occur from a
user's Primary Server. Local copies of PROTEC NET can be
scheduled to download at Next Login, Every Login, Daily,
Weekly or Monthly.
NOTE Since the local copy of PROTEC runs only when it
cannot access the Security Server, all Login Shells that are
set to programs located on the server are reset to
COMMAND.COM.
To Configure Backup Protection
1 Access the Security program. Refer to
Accessing the Security Program for step by step
instructions.
2 From the Workstation menu, select When the
Server is Down / Laptop (ALT, W, W).
3 Select the workstation for which you wish to
configure backup protection and press ENTER.
4 Select the method. If you choose Use Local
Password, you must enter a password by
selecting the PASSWORD button.
5 Choose the SAVE button.