MANUAL.TXT (from slw95b2.exe, Chip 1996 April CD) | Text File | 1996-01-23 | 32KB | 732 lines
StopLight for Windows 95
Beta Version
This product is not freeware or shareware.
This product can be used for commercial or private evaluation purposes
only. It is identical to the retail version with the following exceptions:
1. The hard drive is not protected from floppy disk boot access.
2. The Master Admin password is displayed on the login screen.
To login as Master Admin, use the name SUPERMSF and password AKVPPEOK.
For ordering information or assistance, please contact:
Safetynet, Inc.
140 Mountain Ave.
Springfield, NJ 07081 USA
1-800-851-0188 - Sales
1-201-467-1024 - Sales & Technical Support
1-201-467-1611 - Fax
1-201-467-1581 - BBS (28800,N,8,1)
+1-908-276-9641 - International
safety@safe.net - Email
ftp.safe.net /pub/safetynet - FTP
www.safe.net/safety/ - WWW
go cis:safe - Compuserve
Safetynet products are available on GSA Schedule. Single unit, volume
discount and site license pricing is available.
For information on becoming a reseller of our products, please contact our
dealer sales department at the address listed above.
--------------------------------------------------------------------------
Safetynet, Inc. is a member of the National Computer Security Association
(NCSA), Information Systems Security Association (ISSA), and Software
Publisher's Association (SPA).
Copyright Notice
This software package and document are copyrighted (c) 1991-1996 by
Safetynet, Inc. Portions (c) Eliashim, Inc. All rights are reserved. No
part of this publication may be reproduced, transmitted, stored in any
retrieval system, or translated into any language by any means without the
express written permission of Safetynet, Inc.
Disclaimer
Safetynet, Inc. makes no warranties as to the contents of this
documentation and specifically disclaims any implied warranties of
merchantability or fitness for any particular purpose. Safetynet, Inc.
further reserves the right to alter the specifications of the program
and/or the contents of the manual without obligation to notify any person
or organization of these changes.
Trademark Notice
StopLight and Drive-In are registered trademarks, and StopLight,
VirusNet and ProfileNet are trademarks of Safetynet, Inc. All other
trademark names referenced are for identification purposes only and are
proprietary to their respective companies.
--------------------------------------------------------------------------
Welcome to StopLight(R) for Windows 95.
StopLight is a PC security system that combines exceptional power with
ease of use. StopLight provides the essential features required for
protecting PCs and laptop computers. With its very low memory
and disk requirements and simple operation, StopLight can easily
integrate with your system. During normal operation, you will not even
know that security is there. But if an intruder or hacker attempts to get
at your sensitive information, or perform an unwanted action, StopLight
will immediately come to the rescue.
StopLight provides security by preventing unauthorized users from
accessing the computer. Security profiles can be set up quickly for the
administrator and 255 users. An almost unlimited number of possibilities
can be assigned to each user based on the type of access that is deemed
appropriate. And through its log file, user activity and attempted
violations can be tracked.
StopLight quietly protects your computer and its files from unauthorized
activity in the background, providing you with a secure and highly
productive environment.
SYSTEM REQUIREMENTS
Hardware          IBM PC, XT, AT, PS/2 or true compatible PC with 400K
                  free space on Hard Drive C.
Operating System  PC-DOS and MS-DOS 3.0 or higher,
                  Microsoft Windows 95 or Windows 3.x
Network           Supports Novell, LAN Manager, Banyan, and all networks
                  supporting a DOS client
Video Display     MDA, CGA, EGA, VGA, SVGA and compatibles. The screen
                  saver blanks all DOS text and graphics video modes
                  including those used by Microsoft Windows.
Memory            384K of free RAM required. StopLight uses 14K
                  memory for its security kernel.
Mouse             Any Microsoft and MS-Mouse compatible mouse is
                  supported, although its use is optional.
TECHNICAL SUPPORT
We have included many features which make StopLight as user-friendly
and helpful as possible. If you run into a problem during its installation
or use, please refer to the on-line Windows help. If you have found a
problem or situation that is not covered, contact our technical support
department as described at the beginning of this guide.
When calling for technical support, you should be at the computer in
question so that our support personnel can effectively work with you. You
may need to be logged in as System Administrator to properly solve the
problem.
-------------------------------------------------------------------------
1. Security Features
This chapter provides an overview of security concepts and how they are
implemented in StopLight. To successfully implement a security
strategy, you should become familiar with this chapter. If you are already
proficient with security systems, you may only need to skim over this
information before moving on to the installation instructions found in the
next chapter.
PASSWORD MANAGEMENT
Use of passwords, variously controlled and managed in the background, is
the essence of protection offered by StopLight. The system
administrator may establish a flexible security system by defining users
and their passwords in different combinations described below. Use of
individual passwords for access to the system during login is the first
stage of security offered by StopLight. Examples of user name and
password combinations offered by StopLight follow:
a) Name and Password: This is the default setting and is deemed appropriate
for most situations. The user name will be displayed on the screen but
the password will remain concealed.
b) Password, No Name: It is possible to enter a password without the need
to have a user's name. In this case the user will simply enter the
password and skip the name entry.
c) No Password, No Name: In some cases, for example, in classrooms where
users do not require confidentiality from each other, security can be
provided without assigning user names and passwords. Initial PC access
will be possible by merely pressing <Enter> when prompted at the login
screen. Students will then receive the security profile defined by USER1
in the Setup Users section described below. Along with other
protection, security can be provided for the AUTOEXEC.BAT and CONFIG.SYS
files, virus protection can be activated, and the hard disk can be
protected against formatting.
d) No Password, Many Names: A fourth possibility is to allow access by
entering the user's name only (no need for a password). This option is
particularly useful for systems where every user has equal access to the
system but the output itself must be separated (for example, an
accountant may want to compute the total time spent on one customer for
billing purposes).
For security reasons, when logging in as SYSADMIN the
password will still be required.
The system administrator controls the use of passwords by the users in
different ways. A minimum valid length for the password may be specified.
Thus, even if users are allowed to replace their password, it may not be
shorter than the minimum length. The system administrator may also specify
the number of times or days that a given password may be used. After the
password has expired, access to the system with this password will be
denied.
The user's name is not normally a password since it is visible to all when
entered on the screen. However, the password itself is known only to the
individual user. The password is stored in encrypted form to ensure its
confidentiality.
The system administrator has access to the hard disk with an administrator
password. Once logged in, the administrator has access to the complete
system including every user's privileges and secure directories. Further,
the administrator also has access to the main security menu and to the
Global Security Setup and Setup Users. In other words, when logging in as
administrator, all security protection (except virus protection) is
suspended from the computer. Therefore, it is recommended that great care
be taken to keep the administrator password completely confidential.
When you login as system administrator, you have all
privileges including access to the \SAFER directory. It
is advisable that you also define yourself as a USER
and login as a user while normally using the system.
Login as a system administrator only when making
changes to the StopLight security system. This will
avoid unnecessary exposure to the security system and
to the administrator password.
SUPER PASSWORD
There may be occasions when the administrator password is not available
(resignation, vacation, forgotten password), or the security system needs
to be uninstalled after booting from a floppy disk (corrupted hard disk,
etc.). Under these circumstances, the StopLight Super Password is
required. This password is linked to your unique StopLight serial
number and cannot be used to access another StopLight package. The
Super Password cannot be changed by the administrator and should only be
used for emergency purposes.
Since the Super Password can access or unlock the
system, it is very important that you keep it safe and
secure at all times. You may wish to store the Super
Password away from the computer in a locked filing
cabinet or safe.
To login to the system with the Super Password, follow these steps:
1. Boot the computer from the hard disk.
2. At the login screen, for the User Name, type SUPERMSF (and press
   <Enter>).
3. At the password prompt, type in your Super Password (and press
   <Enter>). In the eval version, the Super Password is AKVPPEOK.
If your computer does not boot and you must uninstall StopLight, please
refer to the Appendix section - Hard Disk Problems.
RESTRICTED DIRECTORY
SAFER Directory
The \SAFER directory (usually on drive C:) contains all the security
parameters and configuration as set by the system administrator. It
contains the security configuration file, the Log file and all other
security files generated by StopLight. Only the system administrator
has access to this directory.
To define access rights to specific files and directories, please see the
Trustee Assignments section of this manual.
AUDIT TRAIL LOG
The Audit Trail Log records DOS and security-related activity performed at
any time by each user from the moment of login. By consulting the contents
of the Audit Trail Log, the system administrator can globally supervise the
activity in the system, check each user's activity, check any attempts to
get access to unauthorized areas of the disk, violations, etc., and even
get statistical reports of the activity conducted on the computer. The
options for Audit Trail tracking are Off, Full, and Brief. Selecting Off
prevents any actions from being tracked. It is used when you do not wish
to monitor activity. Full and Brief settings track login and logout times,
violation messages and programs that are run. The Full tracking option
also records all data file activity including Read, Write, Create and
Delete. Since most user activity involves data file access, the Full
tracking option generates significantly larger log files than the Brief
option. Full tracking should only be used if you will be frequently
monitoring the audit log. The log file should be periodically cleared to
conserve disk space.
A flexible Audit Trail report generator helps the administrator manage
audit information. Reports are generated based on date ranges, users and
activity. Report information is displayed to the screen or exported to a
data file for use with other programs. Violations are emphasized on the
screen in Red for easy recognition. On monochrome systems, violations will
appear in Bold.
SCREEN BLANKER / KEYBOARD LOCK
When a user leaves the computer unattended for a period of time, StopLight
can blank out the screen to prevent monitor burn. The computer system
will continue to work, but nothing but a moving box will appear (for text
mode applications). In graphics applications other than Microsoft Windows,
the screen will not display the moving box. Instead, it will be blanked to
blue for the Screen Saver and red for the Keyboard Lock. The result is the
same, since information on the screen will not be visible to users and the
monitor will be protected from burn in.
The Screen Blanker / Keyboard Lock can be activated automatically if the
computer keyboard and mouse are not used after a period of time. This
period of inactivity is adjustable from 2 minutes to 60 minutes. An
adjustable hot-key is also available to activate the Screen Blanker /
Keyboard Lock on demand.
When the Screen Blanker is activated, the user simply presses <Enter> to
restore the screen. All underlying screen information will be properly
restored.
Normally, only the Screen Blanker will appear when you step away from your
computer. However, if you want your keyboard lock to activate along with
your Screen Blanker, select the "Keyboard Lock During Screen Saver"
option on the Users' Privileges window during set-up.
For non-Windows graphics programs, a color other than
red or blue may be displayed for the Screen Blanker /
Keyboard Lock.
MS-WINDOWS SCREEN BLANKER
A program (MSWIN.EXE) is provided to blank the screen while using Microsoft
Windows. During the StopLight installation process, your system is
automatically configured to run this program when Windows is started. To
activate the screen blanker, double-click on its icon.
HOT KEY PROTECTION
A hot-key is provided to activate the Screen Saver / Keyboard Lock
immediately. Press and hold <Ctrl><Alt> together for five seconds to
blank or lock your screen.
The administrator can redefine the hot keys or even add a letter to be
pressed after the first hot-key is pressed. Hot keys can be changed by
using the security setup program.
-------------------------------------------------------------------------
2. Installation
This chapter lets you install and get acquainted with StopLight and
test it with the default settings. When you are more familiar with the
system and determine what your requirements are, StopLight can be
configured to meet your security needs.
StopLight Security Defaults are as follows:
System Administrator Name: SYSADMIN
System Administrator Password: PASSWORD
Superuser Name: SUPERMSF
Superuser Password: AKVPPEOK
User 1 Name: USER1
User 1 Password: PASSWORD
User 2 Name: USER2
User 2 Password: PASSWORD
TRUSTEE ASSIGNMENT RIGHTS
Trustee Assignments can be added to drives, directories and files. Rights
which can be granted (or denied) include (C)reate, (D)elete, (E)xecute,
(R)ead and (W)rite. If a right is not given, it is not allowed. Trustee
Assignments that are blank for an object mean that the user will have no
access to that object.
(C)reate - Allows a user to use the DOS Create function to add a new file
to a drive or directory.
(D)elete - Allows a user to delete a file from the drive or directory.
(E)xecute - Allows a user to run a program from the drive or directory.
This must be accompanied by the (R)ead privilege.
(R)ead - Allows a user to have Read file access.
(W)rite - Allows a user to have Write file access. It is usually
accompanied by the (R)ead privilege.
When a drive, directory or file is not listed, either explicitly, or by a
pattern, the user has full rights. Only items that are included in the
Trustee Assignment window are protected.
Examples:
C:\WKS\
[RW ]   Files in C:\WKS will be Read and Write Only. The trailing "\"
        after WKS means that files in directories under C:\WKS are not
        affected by these rights and will remain with full access.
C:\WKS
[RW ]   Files in C:\WKS and directories below it have Read Write
        privileges. (Notice that no trailing backslash is placed after
        WKS.)
C:\SECURE
[ ]     The C:\SECURE directory (and directories below it) are not
        accessible to the user since no rights were granted.
C:\123\TS.WKS
[RWCD]  User has full rights to the TS.WKS file.
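
The matching rules above (trailing backslash, blank rights, unlisted objects) can be checked mechanically. The following Python model of those rules is an added example, not part of the original manual and not StopLight code. It assumes that the most specific matching entry wins when several apply and it does not model wildcard patterns, neither of which the manual specifies; the C:\APPS entry in the sample table is made up.

```python
# Added example (not StopLight code): a model of the Trustee Assignment rules.
FULL = frozenset("CDERW")  # Create, Delete, Execute, Read, Write


def norm(path):
    """DOS paths are case-insensitive; accept either slash style."""
    return path.replace("/", "\\").upper()


def parse_rights(text):
    """Turn a rights field such as 'RW' or '' into a set of letters."""
    rights = frozenset(text.replace(" ", "").upper())
    if not rights <= FULL:
        raise ValueError("unknown right(s): " + "".join(sorted(rights - FULL)))
    return rights


class TrusteeTable:
    def __init__(self, entries):
        self.entries = [(norm(p), parse_rights(r)) for p, r in entries]

    @staticmethod
    def matches(entry, target):
        if entry.endswith("\\"):
            # Trailing backslash: only objects directly inside the directory.
            return target.rsplit("\\", 1)[0] + "\\" == entry
        # No trailing backslash: the object itself and everything below it.
        return target == entry or target.startswith(entry + "\\")

    def effective(self, path):
        """Return (rights, matching entry or None) for one path."""
        target = norm(path)
        hits = [(e, r) for e, r in self.entries if self.matches(e, target)]
        if not hits:
            return FULL, None  # unlisted objects keep full rights
        # Assumption: the longest (most specific) entry takes precedence.
        entry, rights = max(hits, key=lambda hit: len(hit[0]))
        return rights, entry

    def allowed(self, path, op):
        rights, _ = self.effective(path)
        if op == "E":
            return {"E", "R"} <= rights  # Execute needs Read as well
        return op in rights

    def audit(self):
        """Flag entries whose effect is easy to misjudge."""
        findings = []
        for entry, rights in self.entries:
            if "E" in rights and "R" not in rights:
                findings.append((entry, "Execute granted without Read"))
            if entry.endswith("\\"):
                covered = any(
                    not other.endswith("\\")
                    and (entry[:-1] == other or entry.startswith(other + "\\"))
                    for other, _ in self.entries
                )
                if not covered:
                    findings.append((entry, "subdirectories keep full rights"))
        return findings


# Constructed table: the first three entries are the manual's examples,
# the fourth is a made-up entry that triggers the Execute/Read finding.
SAMPLE = TrusteeTable([
    ("C:\\WKS\\", "RW"),
    ("C:\\SECURE", ""),
    ("C:\\123\\TS.WKS", "RWCD"),
    ("C:\\APPS", "E"),
])

if __name__ == "__main__":
    for p in ("C:\\WKS\\BUDGET.WKS", "C:\\WKS\\OLD\\BUDGET.WKS",
              "C:\\SECURE\\PLAN.TXT", "C:\\DOS\\FORMAT.COM"):
        rights, entry = SAMPLE.effective(p)
        print(p, "".join(sorted(rights)) or "-", "via", entry or "(unlisted)")
    for finding in SAMPLE.audit():
        print("AUDIT", *finding)
```

The audit output shows the two cases an administrator is most likely to overlook: a trailing-backslash entry that leaves its subdirectories at the default of full rights, and an Execute grant that has no effect without Read.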
-------------------------------------------------------------------------
3. End-User Operation
This chapter should be read by all users of StopLight.
It covers operation when you are logged in as a
User (non-administrator).
StopLight is a sophisticated security system that will protect your
important information and make your computer time more enjoyable. It gives
you the privacy and levels of security that will guarantee that no
unauthorized user has access to your private files or programs.
* StopLight is user-transparent. In other words, it will not
inhibit you in any of your activities, unless you do something that
your system administrator has not authorized you to do (for example,
trying to have access to another user's files!). The system
administrator may have assigned a separate safe directory to you
where you can store your files without worrying about other users
gaining access to them.
* StopLight cannot be by-passed. It is not possible to boot the
system from a diskette and gain access to the hard drive. Also,
certain directories and files may be restricted from being accessed.
You are one of the authorized users who has been assigned certain access
and user privileges by your administrator. This chapter will help you to
understand and use the security features of your system.
LOG IN
When the PC is first powered on, the StopLight login screen will
appear, asking you for your Login Name and Password. Type in the
information requested and press <Enter> after each line. Upon supplying
the correct information, you will gain access to the computer with a
certain security profile assigned by the system administrator. Access to
the computer will not be granted until you supply the correct information.
PASSWORD
Proper use of your login password is very important to the security of your
information stored on the PC. The system administrator has assigned each
user a unique login password. With your password you can prevent other
users from gaining access to your files. If you disclose your password to
another user, they will then have access to your files.
Along with your Login Name you must use this password to enter the system,
or access will be denied. If you forget your password, ask your system
administrator. Don't try to randomly guess your password at the login
screen. Proper password use is critical to the StopLight system. The
following sections provide important information regarding password use.
Default password
If the administrator gave you a password of PASSWORD, you will be asked to
change the password to a new one. Type in a new password and press
<Enter>. Then type it in again to verify that it was typed correctly. You
will then use this new password to access the system.
Invalid password
Three consecutive attempts to enter the system with a wrong user name or
password will produce the message: "System Halted!". You may unlock the
system by pressing the reset button and try to login again with your
correct user name and password.
Expired password
For additional security, your system administrator may decide that your
password will be valid for a certain period of time or number of valid
logins, and then expire. When your password is due to expire, the following
message will be displayed on your screen: "Password usage expires, MUST
change password!". If you are authorized to replace your password, do so
AT ONCE! If not, please notify your system administrator as soon as
possible. After the password expires, you will no longer have access to the
system!
Changing your password
An existing password can be replaced on the login screen by following these
instructions.
1. Type in your user name and press <Enter>.
2. Type in your current password and press <Home>.
(If you are authorized to change your password, two new fields will
appear.)
3. Type in your new password and press <Enter>.
4. Type in your new password again to verify that it was typed in
correctly and press <Enter>.
Your new password will remain in effect until you change it voluntarily,
the system administrator changes it for you, or the system requires you to
change it.
If the administrator has not allowed you to change your
password, pressing <Home> after you type in your user
name and password will not work. You must notify the
administrator that your password needs to be changed.
The system administrator may have specified a minimum password length. If
the new password you entered is less than the minimum length, a "Password
too short" message will be displayed. Please enter a longer password
(maximum eight characters).
SCREEN BLANKER / KEYBOARD LOCK
When the computer is left unattended for a period of time, it is possible
to implement a Screen Blanker or Keyboard Lock. Each one blanks out the
screen to protect sensitive information and prevent monitor burn. While
the screen is blanked, any programs which were running will continue to
run. The screen will be replaced by a moving message display. The Screen
Blanker is cleared by pressing <Enter>, and the Keyboard Lock is cleared by
pressing <Enter>, typing in your login password and pressing <Enter> again.
The system will be unlocked and its screen information will be restored.
The Microsoft Windows keyboard lock clears the screen and displays a moving
message window. DOS-based programs will also be replaced by a moving
display.
In graphics applications other than Microsoft Windows, the Screen Blanker
and Keyboard Lock will blank the screen with a solid color. For most
programs, the Screen Blanker will display a blue screen, and the Keyboard
Lock will display a red screen. Some programs may change the video display
and alter these colors. To regain access to the system, press <Enter> to
clear the keyboard buffer. If the screen is not restored, the Keyboard
Lock is active. Type in your login password and press <Enter> to restore
the screen.
Normally, only the Screen Blanker will appear when you step away from your
computer. However, to activate the keyboard lock instead of your Screen
Blanker, ask the administrator to select the "Keyboard Lock during Screen
Saver" choice in the Security Setup program.
HOT KEY ACTIVATION
A hot-key is provided to activate the Screen Saver / Keyboard Lock
immediately. Press and hold <Alt><Ctrl> together for five seconds to blank
or lock your screen. If the administrator requires a letter to be pressed
along with the hot key, press the hot key and hold it down for five
seconds. The computer speaker will then make a clicking sound. Without
lifting the hot key, press one of the following keys:
D key: Dims the screen (Screen Blanker).
S key: Secures the keyboard and dims the screen (Keyboard Lock &
Screen Blanker.)
K key: Keyboard lock but does not dim the screen.
B key: Boots the computer after the current program is exited. When
activated, two beeps will be heard to confirm that the feature
is activated. This feature is ideal for unattended modem
transfers and tape backups when you wish to ensure that no
other programs will be run from the computer.
WHAT A USER CANNOT DO
By being granted User access to the computer, you inherit certain
restrictions which will keep your computer operating correctly.
* A user cannot access the \SAFER Directory. This is the
directory where the security parameters are defined by the
system administrator.
* A user cannot alter or write to the Boot sectors.
* A user cannot use the CHKDSK program since no access is
granted to the \SAFER directory and other private user
directories. If you must use CHKDSK, please contact your
system administrator.
SECURITY VIOLATIONS
If an action results in the breach of any security rules, a warning message
is displayed and the action is denied. Typical actions which may breach
security include unauthorized access to the CONFIG.SYS and AUTOEXEC.BAT
files, and attempting to change to a secure directory. A complete list of
messages can be found in the Appendix.
LOGGING OFF
When you are done working with the PC, you must exit the system in one of
the following manners:
a) By pressing <Ctrl><Alt><Del>; or,
b) By running LOGON when you wish to return to the initial login
screen without rebooting the computer. As in the example above,
this command may be located in the C:\PUBLIC directory.
Your logoff time will be recorded in the Audit Log file when you exit the
system in one of the above ways. If you exit the system by turning the
computer off, the system will not be able to record the logoff time.
Instead, the security system will record this as an "INVALID LOGOFF" and
include it as a violation in a report to the system administrator.
-------------------------------------------------------------------------
4. Special Programs
Several programs are included with StopLight to enhance its overall
performance and flexibility. Some programs are especially useful when
placed in batch files. Each of these programs can be used at the DOS
prompt or incorporated in a menu system.
PCC
PC Checkup (PCC.EXE) is a powerful tool for examining your system
configuration and recovering from hard drive failure. It is located in the
C:\SAFER directory.
ALERT
When a program attempts to perform an action that is not allowed by the
user's security definition, StopLight generates a warning beep and
displays a message indicating the type of offense. To prevent this
violation alert, run ALERT OFF before running your program. After the
program is finished, ALERT ON will reactivate security alerts. These
commands can be placed in a batch file to automate this process. It is
important to note that turning alerts off has no effect on the user's
security privileges, just on the warning that is given.
DEFMSG
The DEFMSG command allows you to insert a new or different message that
will appear when the screen is blanked.
Syntax: DEFMSG message
When the screen blank option is active, your personal message will be
displayed.
EX
Fixes access denied errors in some programs that try to access secure
directories. When these programs encounter a directory that is restricted,
they either stop and issue an error message, or rescan the drive in an
infinite loop. The EX program will allow these programs to skip secure
directories and continue to read the drive properly.
Syntax: EX ProgramName
KEYBFIX
Keyboard fix is for international language KEYBxx support when certain
hot-keys are used. This program must be executed in the AUTOEXEC.BAT
immediately after KEYBxx is loaded.
LOGON
Utility to login as another user without rebooting the computer. This
utility is essential for accessing a secured system remotely.
WHOAMI
Displays the current user name, system date and time.
UNLOCK
Used by the system administrator to temporarily unlock the hard drive.
This is useful when making modifications to the CONFIG.SYS or AUTOEXEC.BAT
files. When the computer is rebooted, the security system will ask if the
hard drive should be relocked. After testing that the boot process
completes successfully, the computer can be rebooted and the hard drive
locked. If someone logged in as a USER tries to access this utility, they
will be denied.
-------------------------------------------------------------------------
Appendix
This chapter starts with solutions to common problems that can occur with
security software. Then, a list of error messages that the system
generates is presented. The final section of the chapter briefly describes
other Safetynet products which can complement StopLight.
SOLUTIONS TO COMMON PROBLEMS
The following section represents situations and suggestions that have been
compiled from our customers.
Some programs cause the computer to issue warning beeps during their
startup or normal operation.
Solution
The beeps may be coming from the security system, signaling that some
program actions are being prevented because they break a security rule
for the current user. Check your audit log to see what kind of
violations are being registered. Then modify your security settings
to allow this activity. If you do not wish to allow this activity,
but still wish to prevent the warning messages and beeps, use the
ALERT.EXE command with an OFF parameter (ALERT OFF). This will
prevent StopLight from generating any visual or audible error
messages. To turn security alerts back on, use the ALERT ON command.
More information about the ALERT program is found in the previous
chapter.
Netware does not allow a user to login to the network. A Date/Time
Change warning is given.
Solution
Upon login to Netware networks, the network may try to synchronize
your PC's date and time. If you Disable DATE/TIME Change, the network
may not let you login. Do not select Disable DATE/TIME Change if you
are experiencing this problem.
After logging into the network, DOS Shell Access is no longer
disabled.
Solution
Some network drivers (e.g. NETx.COM) do not allow Prevent DOS Shell
Access to work properly. To restore this feature, make a batch file
that runs these drivers and then runs the StopLight NETFIX.COM
utility.
Programs that scan the hard disk stop when they encounter a secure
directory.
Solution
Run the program by using the EX.EXE utility to prevent warning
messages while scanning the disk.
NEW SOLUTIONS
If you have implemented StopLight to solve a difficult problem, please
let us know. We would like to pass the knowledge on to others. Also, if
you have any programs that need special handling when working in a security
environment, we would like to hear from you. Please contact our Technical
Support department and share your experiences with them.
### End of Manual ###