Piper's Pit BBS/FTP: ibm 0010

home *** CD-ROM | disk | FTP | other *** search

/ Piper's Pit BBS/FTP: ibm 0010 - 0019 / ibm0010-0019 / ibm0010.tar / ibm0010 / PC-VAULT.ZIP / VAULTDOC.EXE / ADMIN.DOC next >

Wrap

Text File | 1990-07-30 | 115.5 KB | 2,363 lines

PC-Vault Version 4.4 Hard Disk Protection System (Formerly called PC-Lock) Administrator's Manual (c) Copyright 1989 by Johnson Computer Systems, Inc. 20 Dinwiddie Place Newport News, VA 23602 (804) 872-9583 Table of Contents THANK YOU . . . . . . . . . . . . . . . . . . . . . . . . . . 4 ABOUT THIS MANUAL . . . . . . . . . . . . . . . . . . . . . . 4 WHAT PC-VAULT DOES . . . . . . . . . . . . . . . . . . . . . 5 RESTRICTIONS . . . . . . . . . . . . . . . . . . . . . . . . 6 DISCLAIMER OF WARRANTY . . . . . . . . . . . . . . . . . . . 7 YOUR PC-VAULT LICENSE . . . . . . . . . . . . . . . . . . . . 8 USING PC-VAULT MENUS . . . . . . . . . . . . . . . . . . . . 8 PC-VAULT PASSWORDS AND USER NAMES . . . . . . . . . . . . . . 9 BEFORE INSTALLING PC-VAULT . . . . . . . . . . . . . . . . . 10 The LOGO Program . . . . . . . . . . . . . . . . . . . . 10 The HelpUser Program . . . . . . . . . . . . . . . . . . 11 Pre-installation Setup . . . . . . . . . . . . . . . . . 11 HOW TO INSTALL PC-VAULT . . . . . . . . . . . . . . . . . . . 13 USING THE PC-VAULT MAIN PROGRAM . . . . . . . . . . . . . . . 14 HOW TO USE THE MAIN MENU . . . . . . . . . . . . . . . . . . 15 How to Change PC-Vault Names/Passwords . . . . . . . . . 15 Selecting PC-Vault Options . . . . . . . . . . . . . . . 16 MAXIMUM floppy boot protection . . . . . . . . . . 16 DISPLAY password entry asterisks . . . . . . . . . 16 SIDEKICK compatibility mode . . . . . . . . . . . . 16 CTRL-BREAK prohibited during boot . . . . . . . . . 17 BLANK screen during LunchBreak . . . . . . . . . . 17 FREEZE computer during LunchBreak . . . . . . . . . 17 ALL users may exit LunchBreak . . . . . . . . . . . 17 SPECIAL display blanking . . . . . . . . . . . . . 17 User NAMES are required . . . . . . . . . . . . . . 17 USER may change his/her name . . . . . . . . . . . 17 Selecting Limits . . . . . . . . . . . . . . . . . . . . 18 Minimum number of password characters . . . . . . . 18 Number of days passwords remain valid . . . . . . . 18 Minimum number of different passwords . . . . . . . 18 Maximum keyboard idle time . . . . . . . . . . . . 19 Maximum invalid logons before ALARM . . . . . . . . 19 Maximum invalid logons before LOCKOUT . . . . . . . 19 Seconds to Wait Before Auto Logon . . . . . . . . . 19 Alternate Keyboard/Clock Handling . . . . . . . . . 20 Locking and Unlocking PC-Vault Related Files . . . . . . 20 Accessing Your Fixed Disk When Booting From a Diskette . 20 PC-Vault 4.4 Administrator's Manual - Page 2 Removing PC-Vault From Your Computer . . . . . . . . . . 21 The PC-Vault Hot Key . . . . . . . . . . . . . . . . . . 21 Selecting Automatic LunchBreak . . . . . . . . . . . . . 21 Controlling User Access to Directories [+] . . . . . . . 21 Controlling Logging of User Activity [+] . . . . . . . . 24 USING THE PC-VAULT PROGRAM AFTER IT IS INSTALLED . . . . . . 25 USING PC-VAULT ON LIMITED SYSTEMS . . . . . . . . . . . . . . 25 YOUR PC-VAULT FILES . . . . . . . . . . . . . . . . . . . . . 26 OPTIONAL PC-VAULT FILES . . . . . . . . . . . . . . . . . . . 31 IN CASE OF DIFFICULTY . . . . . . . . . . . . . . . . . . . . 31 HOW TO ORDER PC-VAULT 4.4 . . . . . . . . . . . . . . . . . . 33 PC-VAULT VERSION 4.4 ORDER FORM . . . . . . . . . . . . . . . 34 PC-Vault 4.4 Administrator's Manual - Page 3 THANK YOU wish Thank you for investing in PC-Vault (formerly PC-Lock) version 4.4. We believe you will find it to be an effective and convenient security system for your IBM-PC/XT/AT/PS2 or compatible. Version 1.1 was reviewed in the June 23, 1987 issue of PC-Magazine and listed among "The Best of the Best Utilities." Subsequent versions have provided enhanced security and many new features. Please note that you are not licensed to use this software until you have read and agree to the "DISCLAIMER OF WARRANTY" and "YOUR PC-VAULT LICENSE" beginning on page 7. If you have any suggestions for improvements, please tell us about them. While we cannot make every change in either the manuals or the programs which has been suggested by our users, we do give careful consideration to each suggestion and have implemented many of them. ABOUT THIS MANUAL While many people have told us that they are able to use PC- Vault without reading the manual, we know that others prefer a complete written description of the programs they use. This is why we have attempted to make PC-Vault as easy to use as possible without reading the manual as well as provided complete administrator and user manuals. If you are using PC-Vault Plus, or if you wish to use more than one password, please see "BEFORE INSTALLING PC-VAULT" on page 10. If you have any difficulties using PC-Vault, please consult the Table of Contents and then refer to the appropriate section. This Administrator's Manual is written for the PC-Vault and/or PC-Vault Plus administrator. It provides complete information for installing and using both products. The name "PC-Vault" is used to refer to both PC-Vault and PC-Vault Plus unless the text explicitly states otherwise. Sections which describe features which are only available in PC-Vault Plus are indicated by "[+]". The features of PC-Vault are accessed from a few simple menus. This manual describes each menu and provides a detailed description of each feature accessible from that menu. Several features, such as defining a password, may be accessed from more than one menu. These features are fully described along with the administrator's main menu. The following optional programs are briefly described in this manual: Logo - Allows you to design your own logon screen, PC-Vault 4.4 Administrator's Manual - Page 4 HelpUser - Allows granting one-time emergency access without knowing any passwords and without compromising security, and DesMaster - Provides very fast full DES and other methods of file encryption. (Available soon) If there is a file named READ-ME.1ST on your distribution diskette, please read it before proceeding. It contains information on last minute enhancements to the program and its associated manuals. WHAT PC-VAULT DOES After you install PC-Vault you will be asked to enter a password each time your computer is booted from its hard disk. Just type your password and press return. The boot process will then continue normally. When you boot from a diskette, the system will boot normally, but you will not be able to access your hard disk. The PC-Vault LunchBreak feature provides protection for your computer when it is running but the operator is not physically present. When a computer is in the LunchBreak state: The screen is completely blank, The keyboard is locked, and Processing continues normally. This means that a large spread sheet computation, data base operation, or other process will continue normally during LunchBreak. A "would be" observer will not be able either to see or exercise control over the operation. LunchBreak may be activated by pressing the user selectable PC- Vault hot key. If you so choose, the LunchBreak feature will be automatically activated after a selectable period of keyboard inactivity. When the correct password is entered, the screen and keyboard will return to normal operation. This feature not only provides protection for the data on the PC's hard disk but also protects any mainframe or network to which the PC is logged on. As PC-Vault administrator you may: - Prevent users from using Ctrl-Brk to exit AUTOEXEC.BAT, - Force each user into a specific application, PC-Vault 4.4 Administrator's Manual - Page 5 - Prevent user's from obtaining a DOS prompt, - Change any user's user name and/or password, - Define a minimum password length, - Require user's to enter both their user name and password - Require automatic LunchBreak and select a maximum keyboard idle time, - Remove PC-Vault from the computer, - Display a list of illegal logon attempts, - Access the hard disk when booting from a diskette, and - Control several other aspects of PC-Vault operation. As PC-Vault Plus administrator you may also, - Grant or deny read/write/execute access to specific hard disk directories on a per user basis, - Disallow sector oriented disk read/writes, - Grant or deny read/write/execute access to diskettes, and - Obtain a log (history) of the activity of each use including illegal access attempts, programs executed, and files accessed. This software security program is probably somewhat more secure than a dead bolt lock on your front door. A sufficiently knowledgeable and determined individual will be able to circumvent the system, as indeed any software security system can be circumvented. The level of protection provided is, however, sufficient for most purposes and exceeds that of any similar program known to us. Data encryption is the most secure method for protecting your data. Our soon to be available DesMaster program provides full Data Encryption Standard (DES) encryption with very short encryption/decryption times. It also provides QuickDes which omits certain steps of the full DES encryption process. The steps we omit are widely regarded as not strengthening the DES algorithm. Our proprietary Flash encryption, which is not as secure as DES but is extremely fast, is also included. For more information on DesMaster, please contact us. RESTRICTIONS DOS releases prior to the 3.3 release do not support hard disks larger than 32 Megabytes. Version 3.3 allows you to divide a large disk into volumes, each of which must be 32 megabyte or less. DOS versions 3.31 and beyond allow large hard drives to be used as a single volume. Many products are available which correct the deficiencies of the earlier versions of DOS. PC- Vault works correctly with virtually all of these products. A few, however, force your disk to use a non-standard sector size. PC-Vault 4.4 Administrator's Manual - Page 6 PC-Vault will detect this condition and tell you that it will not install because of the presence of a non-standard sector size. Your hard drive(s) must not contain partitions belonging to operating systems other than DOS. Do not use FDISK while PC-Vault is installed. If you are using Microsoft Windows and a have a VGA display controller, you may need to select "Special display blanking" in the options selection menu because of an error Windows' handling of VGA displays. You may also need to use the "Alternate keyboard/clock handling" feature found in the set limits menu. LunchBreak works properly in the Windows 3.0 real mode, but not in the standard and enhanced 386 modes. To ensure Windows runs in the real mode, start windows with the WIN /R command. For more information see your Microsoft Windows Users Guide. We anticipate resolving these incompatibilities in our next release. If you are using DOS 3.31 or greater and you use the shell statement to point to COMMAND.COM it should look similar to: SHELL = C:\DOS\COMMAND.COM C:\DOS /P or SHELL = C:\DOS\COMMAND.COM C:\DOS /P /E:800 Use the latter form if you are changing the environment size. DISCLAIMER OF WARRANTY PC-Vault, PC-Vault Plus, AND ASSOCIATED SOFTWARE AND THIS DOCUMENTATION ARE SOLD "AS-IS" AND WITHOUT WARRANTIES AS TO PERFORMANCE OR MERCHANTABILITY. THE SELLER'S SALESPERSONS AND/OR THIS OR OTHER DOCUMENTATION PROVIDED BY JOHNSON COMPUTER SYSTEMS, INC. MAY HAVE MADE STATEMENTS ABOUT THIS SOFTWARE. ANY SUCH STATEMENTS DO NOT CONSTITUTE WARRANTIES AND SHALL NOT BE RELIED ON BY THE BUYER IN DECIDING WHETHER TO PURCHASE AND/OR USE THIS PROGRAM. PC-Vault, PC-Vault Plus, AND ASSOCIATED SOFTWARE AND THIS DOCUMENTATION ARE SOLD WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES WHATSOEVER. BECAUSE OF THE DIVERSITY OF CONDITIONS AND HARDWARE UNDER WHICH THIS PROGRAM MAY BE USED, NO WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE IS OFFERED. THE USER IS ADVISED TO BACKUP ALL DATA ON HARD DISKS BEFORE TRYING IT, AND TO THOROUGHLY TEST IT BEFORE RELYING ON IT. THE USER MUST ASSUME THE ENTIRE RISK OF USING THE PROGRAM. ANY LIABILITY OF SELLER OR MANUFACTURER WILL PC-Vault 4.4 Administrator's Manual - Page 7 BE LIMITED EXCLUSIVELY TO PRODUCT REPLACEMENT OR REFUND OF THE PURCHASE PRICE. If within thirty days after we ship your order, you wish to discontinue using PC-Vault because it does not perform to YOUR expectations or because you do not agree with the terms and conditions under which it is sold, we will be happy to refund your full purchase price. Just write to us stating that you do not and will not have PC-Vault installed on any of your computer(s) and that you no longer have any copies of the program. Enclose the original PC-Vault diskette(s) with your letter. We would appreciate a description of any problem(s) you encountered, but you are in no way obligated to provide one. YOUR PC-VAULT LICENSE AFTER you have read and AGREE TO the Disclaimer of Warranty you are licensed to install and use PC-Vault Version 4.4 on the number of computers for which you have paid the license fee as shown in the fee schedule on page 33. Removing PC-Vault from one computer and installing it on another is specifically permitted and does not increase the number of computers for which the license fee must be paid. Any form of disassembly or reverse engineering of any portion of any version of PC-Vault is specifically not included in your license or granted by it and is explicitly prohibited. PC-Vault Version 4.4 is a fully copyrighted software product and Johnson Computer Systems, Inc. reserves all rights which are not specifically granted in this license. USING PC-VAULT MENUS Each menu contains the list of functions which you may perform when that menu is displayed. You may select any item from a menu simply by Pressing the letter displayed in front of that item, or Using the "up" and/or "down" cursor control keys to position the light-bar (inverse video) over the item and pressing return. Additional information about a function may be displayed by moving the light bar to the item and pressing the "?" key. Letters and the "?" may be typed in either upper or lower case. Either the Escape or the "E" keys may be used to exit any menu. PC-Vault 4.4 Administrator's Manual - Page 8 The menus shown in this manual may differ slightly from those displayed on the screen due to page/screen size limitations. PC-VAULT PASSWORDS AND USER NAMES All PC-Vault passwords consist of zero to sixteen characters (key-strokes). The minimum password length may be set to any value from zero to sixteen. User names are optional. If used, they must be from one to seven characters in length. User names are set by the administrator, and may also be set by the user if the administrator has granted that permission. You must enter a password (and at the administrator's option, a user name) whenever the computer is booted from the hard disk, whenever you wish to exit LunchBreak, and whenever the PC-VAULT program is started. If user names are required, begin by entering your user name and pressing the return key. Then enter your password and press the return key. If the entry is correct you will hear two short tones, otherwise you will hear one long tone and the system will wait for you to start the process over. No tones are ever sounded immediately after a user name is entered. The backspace key may be used to correct errors in the normal manner. The escape key may be used to terminate the present attempt and start all over. The return key signifies the end of your user name or password. After entering a password, you may hear a sequence of "beeps" alternating between two tones. This is called an alarm and occurs when a number of consecutive incorrect user name/password entries have occurred. The number of consecutive incorrect entries required to trigger the alarm is determined by the administrator. If the number of consecutive errors exceeds another limit, also chosen by the administrator, the machine will sound the alarm and then lock for five minutes following each incorrect entry. Turning the machine off will not influence the count of incorrect entries. If the machine is turned off during a five minute lock-up, the five minutes will be repeated from the beginning when the machine is next re-booted. For more information on user names and passwords, see the section on changing passwords on page 15. PC-Vault 4.4 Administrator's Manual - Page 9 BEFORE INSTALLING PC-VAULT You may skip this section and go directly to the "INSTALLING PC- VAULT" section if: You are not using PC-Vault Plus, and You only want one password on your computer, and You do not have the optional HelpUser or Logo programs. You, as administrator, may select an original administrator password and make several other choices about how you want PC- Vault to work on your computer(s). This is done by using one or more of the three programs described in this section to modify a copy of the PC-Vault program itself before you install it. You (or anyone else) may then use the modified copy to install PC- Vault on one or more computers and your administrator password and other selections will automatically be in effect. Please place a diskette containing a COPY of the file PC- VAULT.EXE in drive A:. Your original PC-Vault diskette is not copy protected and may easily be copied using the COPY command. The DISKCOPY command will not work, so please use COPY. THE CHOICES YOU MAKE IN THIS SECTION WILL ONLY EFFECT THE COPY OF PC-VAULT.EXE THAT IS ON THE DISKETTE IN DRIVE A:. NO CHANGES WILL BE MADE TO THE COMPUTER YOU ARE USING. The three programs which may be used are HelpUser, LOGO, and PC- Vault itself. These programs may be used in any order. HelpUser and LOGO are optional programs whose functions are described in the next two sections. Detailed instructions for using PC-Vault to select an initial administrator password and other features of PC-Vault are included in the "Pre-installation Setup" section starting on page 11. The LOGO Program The LOGO program allows you to design the appearance of the user name/password request screen that is displayed when you boot your computer. You may completely replace our logo and messages. LOGO provides something similar to a full screen editor which is used to design your logon screen. Once it is designed, you may save your design to a file which you can recall at any later time for additional editing, and/or you may install your design into PC-VAULT.EXE replacing our screen with your design. You may wish to install your company's logo, or have a misleading screen such as "System Board Error 101". If you are using PC- Vault Plus you might provide very restricted access to anyone who desires to use the system and greater access to specified users. You could accomplish this by assigning a password of GUEST and using LOGO to create a boot time message such as, "Please enter PC-Vault 4.4 Administrator's Manual - Page 10 your password (if you only wish to use the modem, enter GUEST)." Complete documentation is provided with the LOGO program. The HelpUser Program The HelpUser program allows a corporate security officer (CSO) to grant one time access to a machine without the physical presence of the security officer and without either the CSO or the user knowing any passwords. Subsequent access to the same or another machine will require a new approval by the security officer. The CSO will not be able to grant access to machines other than those in his organization. Each copy of HelpUser is unique, and may be run in either the normal mode or in a special configuration mode. When HelpUser is run in the configuration mode, it reads a copy of PC-Vault from a diskette, modifies it to work only with that specific copy of HelpUser and writes PC-Vault back to the diskette. The modified copy of PC-Vault may then be installed on the organization's computers. When an individual needs to gain access to a computer, but doesn't know a valid password, he must call the CSO and convince him/her to grant the access. The CSO then instructs the user to start the PC-Vault program with a special parameter. Instead of requesting the user to enter a password, PC-Vault will display the message: Please read the following string to your security officer: AZq9-Q=4. Then enter the EXACT string you receive in return: The string which is displayed is randomly generated and will be different every time. PC-Vault will use the displayed string to compute, but not display, a response string. If the user is able to enter that response string, the administrator's main menu is displayed and the user is given full administrator privileges. The CSO must start HelpUser and enter the string which the user read to him. HelpUser will then display the response for which PC-Vault is waiting. Complete documentation is provided with the HelpUser program. Pre-installation Setup Pre-installation setup is a simple process that allows the system administrator to modify a copy of the PC-Vault main program (PC- VAULT.EXE) so that it automatically works as desired on each computer on which it is subsequently installed. Pre-installation set up is optional for PC-Vault, but is required for PC-Vault PC-Vault 4.4 Administrator's Manual - Page 11 Plus. If the setup is not done, you will be able to use only one password. If you do not wish to perform the setup you may go to the "HOW TO INSTALL PC-VAULT" section on page 13. THE PRE-INSTALLATION PROCESS DESCRIBED IN THIS SECTION MAKES NO CHANGES TO THE COMPUTER USED TO PERFORM IT. IT MODIFIES ONLY THE PC-VAULT.EXE FILE ON THE DISKETTE. To setup PC-Vault, place a diskette containing a copy of the file PC-VAULT.EXE (not your original please) in drive A:. (If you must use drive B: rather than A: enter the DOS command ASSIGN B=A at the DOS prompt. This will cause your computer to treat drive B: as though it was drive A:) Then enter: PC-VAULT /P The screen shown in Fig. 1 will be displayed. Read the screen and then press any key. The screen shown in Fig. 2 will be displayed. This may seem somewhat redundant, but experience has indicated the value of asking this question one more time. When you are certain you are not using your original diskette press Y to continue. If you have already done pre-installation setup on the copy of PC-Vault in drive A:, you may modify the choices you made. If you defined an administrator password, the screen shown in Fig. 3 will be displayed and you will have to enter your password before continuing. If you have not previously defined an administrator password or have entered it correctly, the pre-installation main menu shown in Fig. 4 will be displayed. Please review USING PC-VAULT MENUS on page 8 for general information on menus. An original administrator password must be defined prior to installation in any of the following situations: - You are using PC-Vault Plus, - You wish to have an administrator password, or - You wish to have more than one user password. To define an original administrator name/password (or names/passwords for other users), select the "P" option from the menu. The exact procedure and the screens you will see during name/password definition are shown in "How to Change PC-Vault Names and Passwords" on page 15. The O (Select PC-Vault OPTIONS) menu item allows you to determine the way PC-Vault will operate once it is installed. Any options PC-Vault 4.4 Administrator's Manual - Page 12 you select at this time may also be selected and/or deselected by you, as administrator, after installation. For additional information on this subject see "Selecting PC-Vault Options" on page 16. The S (SET Limits) menu item allows you set bounds on certain user selections such as password lifetimes, minimum password length, maximum invalid logons and maximum keyboard/mouse idle time before LunchBreak is automatically invoked, etc. For detailed information on limits see "Setting Limits" on page 18. The L (LOCK files during installation) option will cause the CONFIG.SYS, AUTOEXEC.BAT, and CLEANDSK.DRV (our device driver) files to be locked during installation. Locked files can not be altered by anyone other than the system administrator. A user cannot delete them or change their name, contents, or attributes. For additional information on locked files see "Locking and Unlocking PC-Vault Related Files" on page 20. After PC-Vault installation is complete, either the user's or the administrator's main menu is displayed. If the administrator's menu is displayed, the person who installed PC-Vault will be able to change all user names, passwords, options, and limits. In the case of PC-Vault Plus, directory access permissions and logging levels can also be changed. The W option of the pre-installation menu allows you to choose which menu will be displayed. Simply select this option and answer the question displayed with a Y or an N. After you have finished making your selections, select the R option from the menu. This will cause the file PC-VAULT.EXE in drive A: to be modified to incorporate your administrator password and other selections. When you use this copy of PC- VAULT.EXE to install PC-Vault on a computer your selections will be transferred to the computer and will be automatically be in effect. HOW TO INSTALL PC-VAULT Before installing PC-Vault, it is important that you read the warranty disclaimer and the terms of your license starting on page 7. You are not licensed to install and/or use this program until you have read and agree with the terms and conditions contained in those sections. Thank you. While we have a very high degree of confidence in PC-Vault, it is impossible to guarantee that any software program will work on all the millions of differently configured systems on which it may be used. For this reason we ask that you ensure you have a current backup of your hard disk before you install PC-Vault. We PC-Vault 4.4 Administrator's Manual - Page 13 do not anticipate that you will experience any problems in installing and using PC-Vault, but we do want you to be able to recover in the unlikely event a problem does occur. If you have an earlier version of PC-Vault installed on your computer, please remove it by using that version of PC-Vault. (NOTE: Your earlier version may have been called PC-Lock.) You will need to have the file PC-VAULT.EXE on a diskette drive or on your hard disk. To install or use PC-Vault simply enter PC-VAULT You may need to type the drive letter if the drive containing PC- Vault is not the default drive, for example: A:PC-VAULT or C:PC-VAULT If PC-Vault is not installed, the menu shown in Fig. 5 will be displayed: Simply select the Install option. After PC-Vault installation has been completed a screen giving important information will be displayed. Please read it carefully in its entirety. After reading the screen, press any key and a main menu will be displayed. Please note that a file named CLEANDSK.DRV has been placed in the root directory of your hard drive and the line DEVICE=CLEANDSK.DRV has been added to your CONFIG.SYS file. Do not delete the file or alter the device statement. They will be removed automatically when you de-install PC-Vault. If you wish to de-install, use the "Remove PC-Vault from this computer" option described on page 21. The installation process is completed by selecting any desired items from the main menu. For a complete description of the use of this menu see "HOW TO USE THE MAIN MENU" on page 15. When all desired selections (if any) have been made, select the E (END THIS PROGRAM) option to return to DOS. Protection is now in effect. The LunchBreak feature will not be available until you reboot your computer. USING THE PC-VAULT MAIN PROGRAM If you run the PC-Vault program when PC-Vault is already installed on the computer, you will immediately be asked to enter your password. The administrator password or any user password may be entered. If the administrator has so required, you will also have to enter the corresponding user name. As soon as a password is correctly entered, one of three main menus will be PC-Vault 4.4 Administrator's Manual - Page 14 displayed. The PC-Vault Plus administrator's main menu is shown in Fig. 6. The PC-Vault administrator's menu is the same except that the last two items which control access to directories and logging are not present. The user's main menu contains only the E, H, P, K and I options. HOW TO USE THE MAIN MENU For general information on using menus, see "HOW TO USE PC-VAULT MENUS" on page 8. You may return to DOS from the main menu by selecting the E option or by pressing the Esc key. The following sections describe the use of each main menu option. How to Change PC-Vault Names/Passwords You may change your password by selecting the P (Change PASSWORD) option from the main menu. If the administrator is using the program the screen shown in Fig. 7 will appear. Press the appropriate key to indicate which name/password you wish to change. A screen similar to that shown in the upper portion of Fig. 8 will allow you to change the name associated with the selected user. If you just press return, the name will not be changed and you will go directly to the password definition screen shown in Fig. 9. If you enter a new name you will be asked to enter it again to be sure you entered it correctly. The administrator may require that user names be entered whenever a password is required, so please be certain you remember your user name. If user names have not been assigned, the default names of Admin, User 1, User 2, etc., will be used. If you cannot change user names, please see "USING PC-VAULT ON LIMITED SYSTEMS" on page 25. After the name has been defined the upper portion of Fig. 9 is displayed. Please read the screen and then enter the new password of your choice. If you do not wish to change the password, press the escape key. The example in the figure shows that the user has selected "SECRET-STUFF" as the new password. After you enter your password you will be asked to enter it once more just to be certain it has been entered correctly. The lower portion of the screen shown in Fig. 9 is then displayed and the new password is stored. Passwords are stored in encrypted form. Whenever you enter a password to gain access, it is encrypted and then compared to the stored value. We do not know how to decrypt passwords. It is, therefore, extremely important for the administrator to remember his/her password. If the password is forgotten and your organization has not purchased the HelpUser program, it will be PC-Vault 4.4 Administrator's Manual - Page 15 necessary to perform a low level format of your hard disk. If there were another way to get in, the security provided by PC- Vault would be seriously compromised. Selecting PC-Vault Options Selecting the O (Change OPTIONS) item from the main menu causes the screen shown in Fig. 10 to be displayed. Pressing the letter in front of the option will change its selection/de-selection state. Each of the options is described in the following paragraphs. MAXIMUM floppy boot protection - This option makes it even more difficult for an unauthorized person to break into your computer by erecting an additional barrier that they must overcome. Selecting this option, causes no visible difference in the operation of your machine. Maximum floppy boot protection is an option because some hard disk controllers do not support the features required by this option. If your machine will not support this option, attempting to select it will result in an informative message and the option will not select. In either case, your machine will still be well protected. If the words "Not Available" appear by this option, please see "USING PC-VAULT ON LIMITED SYSTEMS" on page 25. DISPLAY password entry asterisks - Selecting this option causes asterisk to be displayed for each password character entered. If this option is not selected, nothing will be displayed. Note that your password is always displayed while you are defining a new one, and that nothing is displayed during LunchBreak since the screen is turned off. SIDEKICK compatibility mode - This option prevents the computer from responding to Sidekick's hot key during LunchBreak. Select this option only if you are using Sidekick and you find that the computer responds to Sidekick's hot key during LunchBreak. This paragraph contains a detailed technical description of this option so feel free to skip to the next paragraph if you wish. PC-Vault intercepts both the clock (IRQ 0) and keyboard (IRQ 1) interrupts at boot time and again on entry into LunchBreak. Each time the clock interrupt is issued, Sidekick determines if any program has intercepted the keyboard interrupt since it has. If so, it re-intercepts the keyboard interrupt. This is why they say it must be loaded last, and why it can see its hot key even during LunchBreak. If PC-Vault's Sidekick Compatibility option is selected, PC-Vault passes clock interrupts intercepted to the IRQ 0 interrupt address that was in effect when its device driver was loaded at boot time. This effectively passes clock interrupts around Sidekick (and perhaps other TSRs) so that it PC-Vault 4.4 Administrator's Manual - Page 16 never re-intercepts the keyboard interrupt. This also assures that the DOS/BIOS system clock continues to run. CTRL-BREAK prohibited during boot - Selecting this option prevents anyone other than the administrator from breaking out of the AUTOEXEC.BAT file during boot. This option is used in conjunction with the BRK-CNTL.COM file described on page 26. BLANK screen during LunchBreak - This option causes the screen to become completely blank during LunchBreak. If this option is not selected, the keyboard will lock but the screen will remain active. This allows you to use the system to monitor some process while prohibiting observers from interfering with the process. FREEZE computer during LunchBreak - There are certain rare instances when processing cannot continue during LunchBreak and utilizing this option is necessary. This option prevents the computer from continuing to process during that time. Normally it should not be needed. ALL users may exit LunchBreak - You may allow any user name/password to be used to exit LunchBreak. If this option is not selected, only the password used to boot the machine and the administrator's password will be accepted. The permissions in effect will be those of the user whose password was used to exit LunchBreak. SPECIAL display blanking - If the "BLANK screen during LunchBreak" option is selected, but your VGA or CGA screen will not blank and/or unblank as it should, please select this option. A few non-standard display CGA and VGA display adapters require selection of this option to blank properly. Because MS-Windows does not follow the rules for using the VGA display, you may need to select the "Special display blanking" option for your screen to unblank properly following LunchBreak. This applies when you are in Windows and are using a VGA display adapter. User NAMES are required - You may require that users enter a correct user name and password. The user must then type a user name followed by the enter key and then the password followed by the enter key. After both items have been entered, access will be granted or a beep will sound to indicate that the entries were not correct. PC-Vault 4.4 Administrator's Manual - Page 17 USER may change his/her name - This option allows a user to change his/her own name. If this option is not selected only the administrator may change a user name. Selecting Limits Selecting this option from the administrator's main menu allows you to select certain limiting values which users are unable to change. Each of the limits is described in the following paragraphs. Minimum number of password characters - This limit allows you to determine the minimum number of characters in a password. When you select this limit you will be asked to enter a number from 0 to 16. Newly defined passwords must contain at least the number of characters you specify. Number of days passwords remain valid - System security can be enhanced by requiring users to change their passwords periodically. If this limit is set to a value other than zero, it specifies the number of days a newly defined password remains valid. To use this limit, choose the desired password lifetime in days and place the command PC-VAULT/A at or near the beginning of your AUTOEXEC.BAT file. The PC- VAULT.EXE file must be in the root directory of your hard drive. If you have an XT class computer (generally an 8088 CPU), and you have installed a battery operated clock, you will already have a statement in AUTOEXEC.BAT that sets your computer's clock from the battery operated clock each time your machine is booted. This statement must be placed before the PC-VAULT/A statement. Any time you enter an expired password, you will be required to change it and given an opportunity to do so. A user may try to prevent expiration by setting the PC's clock/calendar back. For this reason, all passwords are marked as expired whenever the clock regresses by four or more hours. Passwords defined during pre-installation expire the first time they are used. Minimum number of different passwords - Password aging is ineffective if a user is allowed to change to the same password he or she had before. As administrator, you can require a user to use several different passwords before being allowed to reuse an earlier one. You can specify that up to ten different passwords must be defined before the first one can be reused. PC-Vault 4.4 Administrator's Manual - Page 18 Maximum keyboard idle time - Keyboard idle time is the time in minutes between the most recent keystroke or mouse activity and the time when the machine automatically goes into LunchBreak. This limit allows you to determine the maximum keyboard idle time a user can specify. If the user specifies a time of 61 minutes, automatic LunchBreak will never occur. If you select this limit and enter 10, a user may set the actual idle time to any value between 3 and 10 minutes. If you are using a mouse see VMOUSE on page 28. Maximum invalid logons before ALARM - After an excessive number of consecutive unsuccessful attempts to boot the computer, exit LunchBreak, and/or use the PC-Vault program, an alarm will sound. The alarm consists of several repetitions of a two tone signal. Turning the computer off between attempts will not keep the alarm from working. This limit allows you to select the number of failed attempts prior to the alarm being sounded. If you select the value zero, the alarm will not sound. Maximum invalid logons before LOCKOUT - After an excessive number of consecutive attempts to boot the computer, exit LunchBreak, and/or use the PC-Vault program, the machine will lock for a period of five minutes. Turning the computer off between attempts will not keep the alarm from working. Turning the computer off during a lockout period will cause the five minute lockout to be restarted from the beginning on the next power up. This limit allows you to select the number of failed attempts prior to the lockout occurs. If you select the value zero, the lockout will never occur. Seconds to Wait Before Auto Logon - This feature is frequently used when it is desired to allow anyone restricted access to a computer while granting specific users less restricted access. It is also used to provide for unattended automatic boot-up. Normally, PC-Vault requires that a correct password (and optionally a user name) be entered each time the machine is booted. If this limit is set to a value other than zero, it specifies the number of seconds that PC-Vault will wait for a correct entry. If no correct entry is made during the specified interval, your computer will automatically boot as though the password for User 6 had been correctly entered. The LunchBreak feature will be disabled because it is assumed that the user does not know the User 6 password, and so could not exit LunchBreak. LunchBreak may be re-enabled with the SET-TIME command as described in this section. This allows you, as administrator, to assign to User 6 those permissions, etc. that you wish to provide to anyone who uses the computer. Only those requiring additional permissions will have PC-Vault 4.4 Administrator's Manual - Page 19 to know a password. Using PC-Vault's ability to prevent breaking out of the AUTOEXEC.BAT file, will ensure that statements it contains will be executed. The SET-TIME 0 command may be used in the AUTOEXEC.BAT file to re-enable LunchBreak and place the machine into LunchBreak immediately, thus providing for a secure unattended boot-up. Alternate Keyboard/Clock Handling - There are a few hardware and software combinations which cause the LunchBreak feature to operate incorrectly unless this limit is set to a non-zero value. If PC-Vault refuses to go into LunchBreak when it should, or will not return from LunchBreak properly, try using this feature. When you select this feature, you will be asked to choose one of several software interrupt groups for PC-Vault to use. (You do not have to know what an interrupt is to use this feature.) PC- Vault will list the values from which you may choose, and even give a recommended choice. Locking and Unlocking PC-Vault Related Files These options lock and unlock CONFIG.SYS, AUTOEXEC.BAT, and the PC-Vault device driver. When a file is locked its DOS read-only and system attributes are set. Only the administrator can change the attributes or the name of a locked file. Since the file is read-only, DOS will not allow a user to write to or delete the file. (Note: Norton's FA utility may tell a user that it has changed the attributes of a locked file, but it cannot and does not actually change them unless the administrator's password was used.) Accessing Your Fixed Disk When Booting From a Diskette It may become impossible to boot from your hard disk due to causes unrelated to PC-Vault. For example, if COMMAND.COM is accidentally deleted or a defective device driver is installed, you cannot boot from the hard disk whether PC-Vault is installed or not. You will then have to boot from a diskette and repair the problem. This option allows you to access your hard disk so that you can repair it. Simply boot from a diskette, run PC- Vault, enter the administrator's password and select "ACCESS fixed disk after diskette boot." You will be told that PC-Vault protection has been temporarily suspended and that the next time you boot from a floppy you will have access to your hard disk. The next time you boot from your hard disk, full protection will be automatically restored. PC-Vault 4.4 Administrator's Manual - Page 20 Removing PC-Vault From Your Computer Selecting the "REMOVE PC-Vault from this computer" option will completely de-install PC-Vault. The PC-Vault device driver will be deleted, the corresponding device statement will be removed from the CONFIG.SYS file, PC-Vault related files will be unlocked and other changes to your hard disk will be restored. The PC-Vault Hot Key The PC-Vault hot key is used to place your computer in LunchBreak. (For more information on LunchBreak, see "WHAT PC- VAULT DOES" on page 5.) The hot key is actually a combination of two or more keys held down simultaneously. The original hot key consists of the left and right shift keys. You may change it to any combination of two or more of the following keys: Left Shift, Right Shift, Alt, and Ctrl. To change your hot key, select the K (Define new hot KEY) option from the main menu. The hot key selection screen shown in Fig. 12 will then be displayed. Simply follow the directions on the screen and your new hot key will be in effect. Selecting Automatic LunchBreak You may choose to have your computer automatically enter the LunchBreak state when your keyboard and mouse have been idle for a specified period from 3 to 60 minutes. If you select a time of 61 minutes, automatic activation of LunchBreak is disabled and your computer will go into LunchBreak only when the hot key is pressed. If you find that PC-Vault places the maximum value you can enter below 61, the system administrator has selected that lower value. If you are using a mouse see VMOUSE on page 28. To select, deselect or change the automatic LunchBreak time, choose the I (Select maximum keyboard IDLE time) item from the main menu. The screen shown in Fig. 13 will then be displayed. Simply enter the desired time and press return. Controlling User Access to Directories [+] If you are using PC-Vault Plus, you may control each user's access to the sub-directories on your hard disk(s), to sector oriented hard disk I/O, to diskettes, and to executable (.EXE and .COM files). These functions are accomplished by selecting the "Control DIRECTORY access by user" item from the administrator's PC-Vault 4.4 Administrator's Manual - Page 21 main menu. When this item is selected, a table similar to the one shown in Fig. 14 will be displayed. The user has no access to the hard disk or to diskettes unless the access has been granted. For this reason, only the administrator is allowed to create a new directory in the root directory (known as a first level subdirectory.) In all cases except HardDisk Abs I/O (described below), you may separately grant read, write, and execute access to the resources (directories, diskettes, etc.) listed in the rows of the table. READ access means that program can read the data from the resource. WRITE access means that: data can be written to the resource, data in the resource can be over written, and files can be created, deleted, and their names can be changed. NOTE: Only the administrator can create a new first level subdirectory. EXECUTE access means that files containing programs can be executed. For example, if the WordPerfect word processor program is a file named WP.EXE, it may be executed only by user's having execute access to it. Execute access does not imply read access. Thus, if a user has only execute access to WP.EXE, the command, COPY C:WP.EXE A:WP.EXE will fail because the copy command is not allowed to read the file. Some programs such as WordPerfect sometimes modify themselves. If you are using DOS 3.1 or above, PC-Vault will always allow an executing program to read and write itself even if the access is not explicitly granted. In versions of DOS prior to 3.1, PC- Vault cannot determine exactly which file is executing and so the access is denied if it is not explicitly granted. Thus, WordPerfect running under DOS 3.1 or above will be allowed to modify itself even if execute permission has not been granted. Some programs are designed to read and/or write files that they require to be in the same directory as the executing program. This means that their directory may not have execute only access. Some users will desire to prevent reading of these programs. For this reason we have included the ability to globally grant or deny read and/or write access to .EXE and .COM files (see the third row in Fig. 14) .EXE and .COM files cannot be read (written) unless read (write) access has been granted to .EXE and .COM files AND they are in a directory having read (write) access. All users are always granted read access to the file named AUTOEXEC.BAT in the root directory of the hard drive from which PC-Vault 4.4 Administrator's Manual - Page 22 the system was booted. This is done to allow all users to execute AUTOEXEC.BAT when the system is booting. A very few programs ask DOS to read/write specific physical locations on the disk rather than performing operations on files. If such a program can find the physical location of a file, it may be able to read data from the file even if it does not have read access to its directory. The "HardDisk Abs I/O" item in Fig. 14 allows the administrator to allow/prevent this type of access. Preventing the access may prevent some programs from running, but will result in an even more secure system. We suggest that you do not grant this access unless you find that you must run a program that requires it. Execute access cannot be selected for this item because sector oriented access is used only for reading and writing, not for executing. Please note that in rare instances a program that runs well when PC-Vault Plus is not installed will fail to run correctly when PC-Vault Plus is installed. This does not necessarily indicate an error in PC-Vault Plus. For instance, a program may try to change the attribute of a file from read-only to read-write. If the user has not been granted appropriate access to the file's directory, DOS will return an "access denied" error. It is possible that the program may not handle the error correctly. This bug in the program may never have been noticed because the program may never have encountered that error before. A sample directory access control table is shown in Fig. 14. The first two lines allow control of diskette and sector oriented I/O access. The remaining lines control access to the root and first level sub-directories of your hard drive(s). Access granted to a root directory applies only to that directory. Access granted to a first level sub-directory applies to that directory and all of its sub-directories. Each column shows the access currently granted to the user whose name appears at the top of the column. User names are assigned using the PASSWORD option of the main menu. In the example shown, user 1 has been assigned to Jim T. and no names have been assigned to users 2 and 3. The cursor control, page up, page down, home, and end keys may be used to move the highlight bar from one position to another. Pressing the R, W, and X keys will toggle (turn on and off) read, write, and execute permissions respectively. To grant/deny all permissions in the highlighted square, press A or N respectively. Ctrl-A and Ctrl-N may be used to grant/deny a user all accesses to everything. Thus, if a user is to be granted access to almost everything, begin by moving the bar to the user's column and press Ctrl-A. Then remove the undesired accesses. Attempting to move the bar off the screen will cause more users or directory names to be displayed. PC-Vault 4.4 Administrator's Manual - Page 23 When you have the access permissions set as you desire, press the escape or the "E" key to return to the main menu. Your selections will be in effect when you re-boot your computer. Controlling Logging of User Activity [+] Choosing the "Select FILE accesses to be logged" item from the main menu causes the table shown in Fig. 15 to be displayed. You may then select which type(s) of file access you wish to log. Denied accesses occur when PC-Vault Plus refuses to grant a requested access. For example, an attempt by a user to delete, write to, change the name of, or change the attributes of a file in a directory to which the user has read only access will result in a denial. It is not possible to select logging of denied accesses for the administrator because all administrator access requests are granted. The following lines, extracted from an actual log, indicate the type of information that is available to the administrator: Log file starting date is 4-04-89 17:18:43 User 2 - Allowed: Open. C:\COMMAND.COM 17:18:40 User 2 - ═══════ RE-BOOT on 4-04-89 17:18:41 User 2 - Allowed: Open. C:\DOS3.31\ANSI.SYS 17:18:44 User 2 - Allowed: Open. C:\AUTOEXEC.BAT 17:18:44 User 2 - Execute: ExecPrgm. C:\SAV-DTAB.COM 17:18:55 User 2 - NotAlwd: Change Dir. C:\CBH\ 17:19:02 User 0 - Allowed: Change Dir. C:\CBH\ 17:19:39 User 0 - Allowed: FCB Rename. C:\CBH\SPC\EV.CFG 17:20:15 User 2 - Allowed: Open. C:\AUTOEXEC.BAT 17:20:15 User 2 - Allowed: Open. C:\AUTOEXEC.BAT 17:20:27 User 2 - NotAlwd: Create. A:\AUTOEXEC.BAT 17:20:53 User 2 - Allowed: Change Dir. C:\DOC\ 17:21:08 User 2 - Allowed: FCB Delete. C:\JNK 17:21:41 User 1 - ═══════ RE-BOOT on 4-04-89 17:21:41 User 1 - Allowed: Open. C:\AUTOEXEC.BAT 17:21:41 User 1 - Execute: ExecPrgm. C:\SAV-DTAB.COM End of log file. A small portion of each line was deleted so that it would fit on one line in this document. This portion indicates if files were opened with write access, etc. The above sample indicates that user 2 booted the machine, DOS opened ANSI.SYS and AUTOEXEC.BAT, and then SAV-DTAB was executed. Following this the user attempted to change to a directory, CBH, for which he had no access. The user apparently called the administrator who placed the machine in LunchBreak, entered the administrator password to exit LunchBreak so that the administrator's permissions would be PC-Vault 4.4 Administrator's Manual - Page 24 in effect, did the directory change for the user, renamed a file, and re-entered LunchBreak. User 2 then entered his password and continued as shown. Later, User 1 booted the machine, etc. A small area of memory is reserved for recording log entries. These entries are written to the log file on the disk whenever the area is nearly full, when the FLUSHLOG utility is run, and whenever a denial is logged. It is, therefore, possible that a few entries (other than denials) may be lost when the machine is re-booted unless FLUSHLOG is run just prior to booting. The log file is named ACCESS.SYS and is located in the root directory of the hard drive from which the machine is booted. Normally, one would run the FLUSHLOG utility to write any entries remaining in memory to the ACCESS.SYS file and then change the name of ACCESS.SYS to another name. (PC-Vault will create a new ACCESS.SYS whenever it needs to write log entries and the file does not already exist.) The LOG utility may then be run as described on page 28 to produce a file similar to the sample above. USING THE PC-VAULT PROGRAM AFTER IT IS INSTALLED Whenever you run the PC-Vault program on a machine on which PC- Vault is already installed, you will be asked to enter your password. When you enter a correct password, the appropriate main menu will be displayed. If you enter any user password the main menu will contain only the items to which users have access. You may then select any of the options shown. Each of these is described in detail in the preceding sections. Your selections will be effective immediately except for directory access permissions which become effective the next time the machine is booted. When the system is in LunchBreak, the password used to boot the computer or the administrator's password may be used to exit LunchBreak. The administrator may choose to allow any user name/password to exit LunchBreak as described on page 17. The permissions and capabilities normally associated with the password used to exit LunchBreak will then be in effect. USING PC-VAULT ON LIMITED SYSTEMS Some small hard disks which have been set up with older versions or computer vendor proprietary versions of DOS do not allow PC- Vault to implement Maximum Floppy Boot Protection, or user names. On such systems, the words "Not Available" will be displayed with the "Maximum Floppy Boot Protection" option in the "Select PC-Vault 4.4 Administrator's Manual - Page 25 Options" menu, and user names will not be displayed when the administrator is defining passwords (see Fig. 6). There will be no change in the way you use PC-Vault on such systems, but they will not be quite as secure. Using a later version of the DOS FDISK command to set up your hard disk may correct the problem. Setting up your disk with FDISK will destroy all of the data on your disk, and will require that you run the DOS FORMAT command to reformat your disk. YOUR PC-VAULT FILES This section describes each of the files on your PC-Vault distribution diskette, as well as those files created by PC- Vault during or after installation. ACCESS.SYS [+] - This PC-Vault Plus file is not on your diskette. It is created in the root directory of your first (or only) hard drive at any time it does not already exist and there are log entries to be written. This file is used by the LOG utility to generate the user readable log. The LOG utility is described below. BRK-CNTL.COM - This program is used to enable/disable Ctrl-Break and Ctrl-C at any time after your computer is booted. The system administrator can prevent users from breaking out of the AUTOEXEC file during system boot. This program can be placed in the AUTOEXEC file to re-enable breaks. Use BRK-CNTL ON to enable breaks and BRK-CNTL OFF to disable them. Resident programs, such as some of the DOS keyboard utilities for various languages which completely take over the keyboard interrupt, will cause your machine to recognize breaks even when you have them disabled. They will also prevent PC-Vault from "knowing" when you are typing on your keyboard. Thus, if you have selected the automatic LunchBreak feature, PC-Vault may go into LunchBreak right while you are typing. To prevent both of these anomalies you may also use the optional RES parameter. This will direct BRK-CNTL to remain resident. For example, BRK-CNTL ON RES will enable breaks and cause BRK-CNTL to remain resident. The RES parameter should be used after the resident program which takes over the keyboard and should be used only once per system boot. PC-Vault 4.4 Administrator's Manual - Page 26 CLEANDSK.DRV - This file is a device driver. It is not on your PC-Vault diskette, but is created on your hard disk when you install PC- Vault. It will be automatically deleted when you remove PC- Vault. THIS FILE MUST NOT BE DELETED IN ANY OTHER WAY BECAUSE YOUR COMPUTER WILL NOT BOOT FROM ITS HARD DRIVE UNLESS IT IS PRESENT. EXEC.COM - Allows the system administrator to execute a program for a user and prevent the user from escaping to the DOS prompt or executing any other program. Typically, EXEC would be placed in the AUTOEXEC.BAT file to call a program such as 123, Dbase, or WordPerfect into execution. The EXEC command line has three components separated by spaces: 1. EXEC or EXEC/R 2. The full path name of the program to be executed. 3. The parameters to the program just as you would type them at the DOS prompt. For example, placing the following lines in the AUTOEXEC.BAT file will force users (but not the administrator) into WordPerfect to begin editing file LETTER.FRM. The WordPerfect "Go to DOS" command will not work. The /R will cause WordPerfect to be immediately restarted if the user terminates it. . . WHO IF NOT ERRORLEVEL 1 GOTO ADM EXEC/R C:\WPERF\WP.EXE LETTER.FRM :ADM . . Note that you must give the drive, full path and complete name of the program you wish to execute. In the above example the program is WP.EXE in directory \WPERF on drive C:. See the description of the WHO utility below for more information. FLUSHLOG.COM [+] - This PC-Vault Plus utility causes any log entries remaining in memory to be written out to the ACCESS.SYS file as described in the section on log control on page 24. PC-Vault 4.4 Administrator's Manual - Page 27 LOG.EXE [+] - This PC-Vault Plus utility is used to read the log file produced by PC-Vault Plus and generate a user readable log or journal of the users' activity. A sample of the output from this utility is shown in the section on log control on page 24. To use this utility enter LOG in-file-name out-file-name at the DOS prompt. For example one might use the commands FLUSHLOG RENAME C:\ACCESS.SYS OLDLOG LOG OLDLOG PRN to flush any log entries remaining in memory to the disk, ensure (by renaming) that no new log entries will be added to the file, and write a user readable log of system activity to the printer. PC-VAULT.EXE - This is the main PC-Vault program and is described in the preceding sections of this manual. SET-TIME.COM - With this program you can: Set the keyboard/mouse idle time from a batch file, Place the machine into LunchBreak immediately, and Eliminate incompatibilities caused by other programs. To set the maximum idle time from a batch file or from the DOS prompt, use the command: SET-TIME time where time is any value between 3 and 61 minutes (or the maximum allowed by the system administrator). For more information on automatic LunchBreak see "Selecting automatic LunchBreak" on page 21. To place the computer into LunchBreak immediately, use the command SET-TIME 0 from the DOS prompt or a batch file. This will not alter the maximum keyboard idle time setting. VMOUSE.COM - This utility causes the automatic LunchBreak feature to treat mouse activity as keyboard activity. It also prevents anyone from using the mouse while your computer is in LunchBreak. VMOUSE should be loaded after your mouse driver. If your mouse driver is a device driver (commonly MOUSE.SYS or MSCMOUSE.SYS) place a VMOUSE statement near the beginning of your AUTOEXEC.BAT file. If your mouse driver is loaded from your AUTOEXEC,BAT file, place the VMOUSE statement immediately after the statement that loads your mouse driver. PC-Vault 4.4 Administrator's Manual - Page 28 WHO.COM - This utility allows the system administrator to have the AUTOEXEC file do different things when different users boot the system. The WHO program may be used by structuring your AUTOEXEC file as shown in the following example. Upper case characters indicate actual lines of the AUTOEXEC file. . . commands common to all users . . WHO IF ERRORLEVEL 3 GOTO ERROR IF ERRORLEVEL 2 GOTO USER2 IF ERRORLEVEL 1 GOTO USER1 . . commands to be executed when the administrator's password was used. . . GOTO COMMON :USER1 . . commands for user 1 . . GOTO COMMON :USER2 . . commands for user 2 . . GOTO COMMON :ERROR . . commands to be used when PC-Vault is not installed or User 3 or above logged on. . . :COMMON . . commands common to all users PC-Vault 4.4 Administrator's Manual - Page 29 For more information in the use of "IF" statements and "ERRORLEVEL" within batch files, see the section on BATCH commands in your DOS reference manual. VIOLS.COM - PC-Vault records each unsuccessful attempt to enter a password or a user name/password combination. Such attempts are called "violations". When a correct password is entered, PC-Vault erases the record of any violations which occurred during the immediately preceding two or three minutes. This prevents recording "typos" made by a valid user. The record of each violation contains the user number for the name entered (if any), and the date and time of the violation. When booting the computer, the DOS clock has not yet been set, so we must use the hardware clock. Since XT class machines do not have a standard hardware clock, we cannot record the times on these machines. We do, however, keep a record of each violation. This program has three separate functions related to password entry violations. One, two or all three of the functions may be used on a single execution of VIOLS.COM. The command: VIOLS /L=FileName /C /R will perform all three functions. The "/L=FileName" will generate a report of all recorded violations. If "=FileName" is present, the report will be written to the file specified by "FileName". If it is not present the report will be written to the screen. The "/C" will clear the violation record. If both /L and /C are present, the record will be cleared after the report is generated. The "/R" will cause VIOLS.COM to remain resident. This should not be done more than once per system boot. Violations during LunchBreak will not be recorded unless VIOLS is resident. VIOLS terminates with a DOS error level of 8 if an error occurs, 4 if violations are reported, and 0 otherwise. The following statements in your AUTOEXEC.BAT file would automatically install VIOLS as resident and alert the user to any previous violations: VIOLS /L /R IF NOT ERRORLEVEL 4 GOTO CONTINUE ECHO WARNING --- Violations are listed above PAUSE :CONTINUE PC-Vault 4.4 Administrator's Manual - Page 30 OPTIONAL PC-VAULT FILES These programs, available separately, are designed to work with PC-Vault. The DesMaster program can be used by itself. DES.EXE - (Available soon) DesMaster provides Data Encryption Standard (DES), QuickDes, and Flash encryption of files. DES is a national encryption standard defined by the National Bureau of Standards. DesMaster is the fastest software implementation of full DES we know of. QuickDes provides a significant increase in encryption and decryption speeds by eliminating two of the steps used in standard DES. The steps eliminated are widely regarded as time consuming operations which do not contribute to the strength of the DES algorithm. Flash encryption is an extremely fast proprietary method of encrypting files which is not as secure as either DES or QuickDes. It may be used to protect data from those who would not have the ability or inclination to crack encrypted files, and is probably sufficient for most applications. HELPUSER.COM - This optional utility allows a corporate security officer (CSO) to grant access to a PC-Vault protected computer on a one time basis. The CSO does not need to know any passwords, does not need to be physically present, and cannot grant access to another organization's computers. For more information see "The HELPUSER Program" on page 11. LOGO.EXE - This optional utility may be used with both PC-Vault and PC- Vault Plus. It allows the system administrator to design the appearance of the screen when the system is booted. Our logo may be completely replaced with one of your own design. Use of color is supported. For more information see "The LOGO Program" on page 10. IN CASE OF DIFFICULTY The fastest way to solve most problems is to review the appropriate section(s) of this manual. If the problem might be a conflict with other resident software, try renaming your AUTOEXEC.BAT file to another name such as AUTOEXEC.1, and then rebooting your computer. If the problem disappears, rename the AUTOEXEC file back to its original name PC-Vault 4.4 Administrator's Manual - Page 31 and then remove statements one at a time until the conflicting software is identified. Call for technical support if more help is needed. In the event that you should need technical support please: 1. Corporate customers using PC-Vault on a large number of computers are supported ONLY through their corporate PC support staff. We will provide technical assistance to them as needed. 2. Contact us by phone (804) 872-9583, or call our BBS at (804) 877-6261 (available soon). 3. Please be prepared to provide: a. Your serial number, b. The dates shown by doing a DIR of the PC-Vault diskette, c. The EXACT text of any error messages displayed, d. The selection status of each item in the options menu. e. The value of each item in the Limits menu. f. As much information about your system as possible such as brand, model, hard disk(s), video cards, DOS version, resident software, content of your AUTOEXEC.BAT and CONFIG.SYS files, etc. If you do not have this information available when you call, we will most likely be unable to provide correct answers or solutions, and we may have to request that you call again with the correct information. 4. If at all possible, call when you are at the computer in question. We can most often resolve a problem immediately if you can be at the computer while we are talking together. PC-Vault 4.4 Administrator's Manual - Page 32 HOW TO ORDER PC-VAULT 4.4 PC-Vault may be ordered from: Johnson Computer Systems, Inc. 20 Dinwiddie Place Newport News, VA 23602 Voice (804) 872-9583 FAX (804) 874-8090 We accept: Your personal or company check with your order, Money Orders, Purchase orders over $50.00 (Net 30 days), VISA or MasterCard, and COD orders. Orders are usually shipped within one working day, but may occasionally take longer. The price of PC-Vault consists of the following: 1. A license fee which is dependent on the number of computers on which you wish to have PC-Vault concurrently installed: No. of Concurrent PC-Vault License PC-Vault Plus Installations per Computer per Computer 1 - 5 30.00 90.00 6 - 15 26.00 75.00 16 - 99 22.00 55.00 100 - 999 18.00 Call 1000 - Up 15.00 Call 2. A media fee of $5.00 ($7.50 outside the U.S. and Canada) for each PC-Vault diskette you wish us to ship to you. We only require you to buy one diskette. 3. There is an additional $5.00 collection fee for Canadian checks not payable through a U.S. bank and a $7.50 fee for electronic fund transfers. These fees are those charged by our bank. All other foreign checks MUST be payable through a U.S. bank. We pay shipping via First-Class air mail to all locations. Add actual shipping costs for other carriers. Overnight service is also available. All prices are subject to change without notice. Our warranty and your return privileges are described in the DISCLAIMER OF WARRANTY section on page 7. PC-Vault 4.4 Administrator's Manual - Page 33 PC-VAULT VERSION 4.4 ORDER FORM To: Johnson Computer Systems, Inc. 20 Dinwiddie Place Newport News, VA 23602 Voice (804) 872-9583 FAX (804) 874-8090 Please accept our order for PC-Vault version 4.4 as indicated below: ______ Concurrent Installations of PC-Vault $_________ ______ Concurrent Installations of PC-Vault Plus _________ ______ PC-Vault diskette(s) at $5.00 each _________ (%7.50 outside U.S./Canada) ______ LOGO ($100.00 per organization) _________ ______ HelpUser ($100.00 per organization) _________ Shipping charge (See preceding page) _________ Virginia State Sales Tax (Ship/Bill address in VA) _________ Total Order _________ Purchase Order _________________________ Date __________________ Company Name ____________________________________________________ Attention _______________________________________________________ Dept./Mail Stop _________________________________________________ City, State, Zip ________________________________________________ Phone: Daytime ____________________ Evening ____________________ Credit card: VISA MasterCard Name on Card ___________________________________________________ Card Number ______________________________ Expires: ___________ PC-Vault 4.4 Administrator's Manual - Page 34 ╔══════════════════════════════════════════════════════════════╗ ║ PC-Vault Hard Disk Protection System - Version 4.4 ║ ║ (C)Copyright 1988 by Johnson Computer Systems, Inc. ║ ║ 20 Dinwiddie Place, Newport News VA. ║ ║ ║ ║ ║ ║ PC-Vault Pre-Installation Setup ║ ║ ║ ║ You have chosen the pre-installation set up option. The ║ ║ choices you make will be recorded in the PC-Vault program ║ ║ on the drive A: diskette. When you use that copy to ║ ║ install PC-Vault your selections will already be in effect. ║ ║ ║ ║ Nothing you do during this run will have any effect on ║ ║ any machine on which PC-Vault is already installed. To ║ ║ change installed values run PC-Vault without the /P. ║ ║ ║ ║ Please place the diskette containing the copy of PC-VAULT ║ ║ to be modified in drive A: and then press any key. ║ ║ ║ ║ ║ ║ Do NOT use your original PC-Vault diskette. ║ ║ ║ ╚══════════════════════════════════════════════════════════════╝ Fig. 1 - Pre-installation Notice ╔═════════════════════════════════════════════════════════════╗ ║ PC-Vault Hard Disk Protection System - Version 4.4 ║ ║ ║ ║ ║ ║ Are you CERTAIN the diskette in drive A is a COPY? ║ ║ ║ ║ Please press Y or N. ║ ║ ║ ╚═════════════════════════════════════════════════════════════╝ Fig. 2 - Pre-installation Warning ╔═════════════════════════════════════════════════════════════╗ ║ PC-Vault Hard Disk Protection System - Version 4.4 ║ ║ ║ ║ An administrator password has already been assigned to this ║ ║ file. You must enter that password to make additional ║ ║ changes. ║ ║ ║ ║ Do you wish to continue? (Please enter Y or N) ║ ║ ║ ╚═════════════════════════════════════════════════════════════╝ Fig. 3 - Pre-installation Password Request ╔══════════════════════════════════════════════════════════════╗ ║ ║ ║ PC-Vault Pre-Installation Setup Menu ║ ║ ║ ║ Please press the LETTER in front of the option you wish. ║ ║ ║ ║ E. END this program. ║ ║ ║ ║ H. HOW to use this menu. ║ ║ ║ ║ R. RECORD your choices for later use. ║ ║ ║ ║ P. Define original passwords and names. ║ ║ ║ ║ O. Select OPTIONS. ║ ║ ║ ║ S. SET limits. ║ ║ ║ ║ L. LOCK files during installation. ║ ║ ║ ║ W. Choose WHO will install PC-Vault. ║ ║ ║ ╚══════════════════════════════════════════════════════════════╝ Fig. 4 - Pre-installation Main Menu ╔══════════════════════════════════════════════════════════════╗ ║ PC-Vault Hard Disk Protection System - Version 4.4 ║ ║ (C)Copyright 1988 by Johnson Computer Systems, Inc. ║ ║ 20 Dinwiddie Place, Newport News VA. (804) 872-9583 ║ ║ ║ ║ ║ ║ PC-Vault is not installed on this computer. ║ ║ ║ ║ ║ ║ Please press the LETTER in front of the option you wish. ║ ║ ║ ║ E. END this program. ║ ║ ║ ║ H. HOW to use this menu. ║ ║ ║ ║ I. INSTALL PC-Vault. ║ ║ ║ ║ ║ ╚══════════════════════════════════════════════════════════════╝ Fig. 5 - PC-Vault Installation Menu ╔══════════════════════════════════════════════════════════════╗ ║ PC-Vault Hard Disk Protection System - Version 4.4+ ║ ║ ║ ║ Please press the LETTER in front of the option you wish. ║ ║ ║ ║ E. END this program. ║ ║ H. HOW to use this menu. ║ ║ ║ ║ P. Change PASSWORD. ║ ║ O. Select OPTIONS. ║ ║ ║ ║ L. LOCK PC-Vault related files. ║ ║ U. UNLOCK PC-Vault related files. ║ ║ ║ ║ A. ACCESS fixed disk after diskette boot. ║ ║ R. REMOVE PC-Vault from this computer. ║ ║ ║ ║ K. Define new hot KEY combination. ║ ║ I. Set maximum keyboard IDLE time. ║ ║ ║ ║ D. Control DIRECTORY access by user. ║ ║ F. Select FILE accesses to be logged. ║ ║ ║ ╚══════════════════════════════════════════════════════════════╝ Fig. 6 - PC-Vault Plus Administrator's Main Menu ╔══════════════════════════════════════════════════════════════╗ ║ PC-Vault Hard Disk Protection System - Version 4.4 ║ ║ ║ ║ ║ ║ Please press: A to change the ADMINISTRATOR password. ║ ║ 1-6 to change a USER password and/or name. ║ ║ ESC to RETURN to the main menu. ║ ║ ║ ║ User No. User Name ║ ║ A. Admin ║ ║ 1. N. Sand ║ ║ 2. John ║ ║ 3. User 3 ║ ║ 4. User 4 ║ ║ 5. User 5 ║ ║ 6. User 6 ║ ║ ║ ╚══════════════════════════════════════════════════════════════╝ Fig. 7 - Administrator's User Selection Screen ╔═══════════════════════════════════════════════════════════════╗ ║ ║ ║ PC-Vault Name Definition ║ ║ ║ ║ ║ ║ The current name for this user is: Admin ║ ║ ║ ║ Press return to retain this name, or enter a new name: Tiny ║ ║ ║ ║ Please enter the new name again to be sure its correct: Tiny ║ ║ You may be required to enter this name to gain access. ║ ║ ║ ╚═══════════════════════════════════════════════════════════════╝ Fig. 8 - Change User Name Screen ╔══════════════════════════════════════════════════════════════╗ ║ ║ ║ PC-Vault Password Definition ║ ║ ║ ║ ║ ║ Passwords may be one to sixteen key strokes, and include ║ ║ letters, numbers, and the keys: space - = [ ] ; , . ║ ║ ║ ║ Case is not significant. Three special keys are: ║ ║ Backspace - Used to correct an error in the normal way. ║ ║ Return - Means, "Password entry is complete." ║ ║ Escape - Means, "I don't want to enter a password." ║ ║ ║ ║ ║ ║ Please enter new password and press return: SECRET-STUFF ║ ║ ║ ║ Your new password is defined. Whenever PC-Vault asks for ║ ║ your password, type it in and then press return. You MUST ║ ║ be able to enter it correctly. We suggest you use your ║ ║ print screen key and then keep it in a safe place. ║ ║ ║ ║ ║ ║ Please press any key to continue. ║ ║ ║ ╚══════════════════════════════════════════════════════════════╝ Fig. 9 - Password Definition Screen ╔═════════════════════════════════════════════════════════════╗ ║ ║ ║ Administrator Options Selections Menu ║ ║ ║ ║ Please press the LETTER of the option you wish to change. ║ ║ ║ ║ E. END option selection and return to main menu. ║ ║ H. HOW to use this menu, how to get additional help. ║ ║ ║ ║ M. MAXIMUM floppy boot protection - Selected. ║ ║ D. DISPLAY password entry asterisks. - Selected. ║ ║ ║ ║ K. SIDEKICK compatibility mode. - Not Selected. ║ ║ C. CTRL-BREAK prohibited during boot. - Not Selected. ║ ║ ║ ║ B. BLANK screen during LunchBreak. - Selected. ║ ║ F. FREEZE computer during LunchBreak. - Not Selected. ║ ║ ║ ║ A. ALL users may exit LunchBreak. - Not Selected. ║ ║ S. SPECIAL Display blanking - Not Selected. ║ ║ ║ ║ N. User NAMES are required. - Not Selected. ║ ║ U. USER may change his/her user name. - Not Selected. ║ ║ ║ ╚═════════════════════════════════════════════════════════════╝ Fig. 10 - Administrator's Options Menu ╔═════════════════════════════════════════════════════════════╗ ║ ║ ║ Administrator Limits Selection Menu ║ ║ ║ ║ ║ ║ Please press the LETTER of the option you wish to change. ║ ║ ║ ║ ║ ║ E. END option selection and return to main menu. ║ ║ H. HOW to use this menu, how to get additional help. ║ ║ ║ ║ I. Maximum keyboard IDLE time (minutes). - Currently 61 ║ ║ P. Minimum number of PASSWORD characters. - Currently 0 ║ ║ ║ ║ D. Number of DAYS passwords remain valid. - Currently 0 ║ ║ N. Minimum number of different passwords. - Currently 0 ║ ║ ║ ║ A. Maximum invalid logons before ALARM. - Currently 5 ║ ║ L. Maximum invalid logons before LOCKOUT. - Currently 0 ║ ║ ║ ║ S. SECONDS to wait before auto logon. - Currently 0 ║ ║ K. Alternate KEYBOARD/Clock handling. - Currently 0 ║ ║ ║ ╚═════════════════════════════════════════════════════════════╝ Fig. 11 - Administrator's Limits Selection Screen ╔══════════════════════════════════════════════════════════════╗ ║ PC-Vault Hard Disk Protection System - Version 4.4 ║ ║ ║ ║ You may now select the keys which will cause your computer's ║ ║ screen to blank (if selected) and your keyboard to lock ║ ║ until you enter your password. ║ ║ ║ ║ Please press any two or more of the following keys: ║ ║ ║ ║ Left Shift Right Shift Alt Ctrl ║ ║ ║ ║ Hold them down until you hear a two tone beep and you are ║ ║ asked to release them. You will have to hold the keys down ║ ║ approximately four seconds. ║ ║ ║ ╚══════════════════════════════════════════════════════════════╝ Fig. 12 - Hot Key Selection Screen ╔═════════════════════════════════════════════════════════════╗ ║ PC-Vault Hard Disk Protection System - Version 4.4 ║ ║ ║ ║ You may request that your machine automatically go into the ║ ║ LunchBreak state if the keyboard is idle for a specified ║ ║ time period. You may select a time period from 3 to 61 ║ ║ minutes. ║ ║ ║ ║ A time of 61 minutes means that automatic LunchBreak will ║ ║ never occur. ║ ║ ║ ║ The current keyboard idle time is 5 minutes. ║ ║ ║ ║ Please enter new keyboard idle time in minutes: ║ ║ ║ ╚═════════════════════════════════════════════════════════════╝ Fig. 13 - Maximum Idle Time Selection Screen ╔═══════════════════╦════════╤════════╤════════╗ ║ Directory / Area ║ Jim T. │ User 2 │ User 3 ║ Select User ╠═══════════════════╬════════╪════════╪════════╣ Lft/Rt Arrow ║ Diskette Access ║ R-W-X │ R-W-- │ R-W-X ║ ╟───────────────────╫────────┼────────┼────────╢ Select Dir. ║ HardDisk Abs I/O ║ R-W-- │ ----- │ R-W-- ║ Up/Dn Arrow ╟───────────────────╫────────┼────────┼────────╢ PgUp/PgDn ║ .EXE, .COM Files ║ ----X │ R---X │ R-W-X ║ Home/End ╟───────────────────╫────────┼────────┼────────╢ ║ C:\ ║ ----- │ R-W-X │ R-W-X ║ Toggle Access ╟───────────────────╫────────┼────────┼────────╢ R = Read ║ C:\SPRSHEET ║ R---- │ ----- │ ----- ║ W = Write ╟───────────────────╫────────┼────────┼────────╢ X = Execute ║ C:\WORDPROC ║ R-W-X │ ----- │ ----- ║ ╟───────────────────╫────────┼────────┼────────╢ All Accesses ║ C:\JOE ║ R-W-X │ ----- │ ----- ║ A = This Dir ╟───────────────────╫────────┼────────┼────────╢ Ctl-A = All ║ D:\ ║ R-W-X │ ----- │ ----- ║ ╟───────────────────╫────────┼────────┼────────╢ No Access ║ D:\DOS33 ║ R-W-X │ ----X │ ----X ║ N = This Dir ╟───────────────────╫────────┼────────┼────────╢ Ctl-N = All ║ D:\EGAUTILS ║ R-W-X │ ----- │ ----- ║ ╟───────────────────╫────────┼────────┼────────╢ Save Choices ║ D:\OTHER.ONE ║ R-W-X │ ----- │ ----- ║ Esc or E ╚═══════════════════╩════════╧════════╧════════╝ Fig. 14 - Directory Access Control Table ╔═════════════════════════════════════════════════════════════╗ ║ PC-Vault Hard Disk Protection System - Version 4.4+ ║ ║ ║ ║ ╔═════════════════════════════════════════════════╗ ║ ║ ║ Log Control ║ ║ ║ ╠═════════╤═════════╤═════════╤═════════╤═════════╣ ║ ║ ║ Admin │ John T. │ User 2 │ User 3 │ User 4 ║ ║ ║ ╟─────────┼─────────┼─────────┼─────────┼─────────╢ ║ ║ ║ ----- │ D-X-- │ D-X-O │ D---- │ D---- ║ ║ ║ ╚═════════╧═════════╧═════════╧═════════╧═════════╝ ║ ║ ║ ║ Press: Right/Left cursor keys to select a user. ║ ║ D - to toggle logging of denied accesses. ║ ║ X - to toggle logging of programs executed. ║ ║ O - to toggle logging of all other accesses. ║ ║ A - to select all of the above (D, X, F). ║ ║ N - to select none of the above (D, X, F). ║ ║ Esc to save your choices, go to main menu. ║ ║ ║ ╚═════════════════════════════════════════════════════════════╝ Fig. 15 - Logging Control Table