Business Heaven

home *** CD-ROM | disk | FTP | other *** search

/ Business Heaven / Business Heaven.iso / security / pcv46 / admin.doc next >

Wrap

Text File | 1993-08-09 | 138KB | 2,689 lines

PC-Vault Version 4.6 Hard Disk Protection System Administrator's Manual (c) Copyright 1985, 1993 by Johnson Computer Systems, Inc. 20 Dinwiddie Place Newport News, VA 23602 (804) 872-9583 Limited Warranty Johnson Computer Systems, Inc. (JCS) warrants that the SOFTWARE will perform substantially as described in this manual for a period of 90 days of the purchase date. You may return the SOFTWARE for a FULL REFUND if, during the 90 day period, you remove it from each computer on which it was installed and return the original diskette(s) and any manuals in resalable condition together with a letter stating that you have retained no copies of the SOFTWARE. A FULL REFUND is defined as the lesser of (a) the price you paid for the SOFTWARE or, (b) the JCS retail price in effect on the date you purchased the SOFTWARE. JCS's entire liability and your only remedy is the FULL REFUND defined above. Because of the vast number of combinations of hardware and software that may be used with the SOFTWARE, it is impossible to be certain that the SOFTWARE will function properly on your system. Therefore the SOFTWARE and all documentation are sold AS IS. You assume the entire risk of using the SOFTWARE. You are STRONGLY ADVISED to make a complete back-up of your data before installing the SOFTWARE and to test it thoroughly before using it. The seller's salespersons and/or documentation provided by JCS may have made statements about the SOFTWARE. Any such statements do not constitute warranties and shall not be relied on by the buyer in deciding whether to purchase and/or use this program. JCS EXPLICITLY DISCLAIMS ALL OTHER WARRANTIES EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE WITH RESPECT TO THE SOFTWARE, MANUALS AND ANY OTHER DOCUMENTATION. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS. IN NO EVENT SHALL JCS, ITS SUPPLIERS OR RESELLERS BE LIABLE FOR ANY OTHER DAMAGES WHATSOEVER, INCLUDING BUT NOT LIMITED TO DAMAGES FOR LOSS OF INFORMATION, BUSINESS INTERRUPTION, LOSS OF BUSINESS PROFITS, OR OTHER PECUNIARY LOSS ARISING AS A RESULT OF USING OR INABILITY TO USE THE SOFTWARE, EVEN IF JCS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN ANY AND EVERY CASE, JCS'S ENTIRE LIABILITY UNDER ANY PROVISION OF THIS AGREEMENT SHALL BE LIMITED TO A FULL REFUND. License Agreement AFTER you have read and AGREED TO the terms of this paragraph and the Limited Warranty on the preceding page, you are licensed to install the SOFTWARE on the number of computers for which you have paid the license fee. Removing PC-Vault from one computer and installing it on another is specifically permitted without payment of any additional license fee. You may make copies of the SOFTWARE only for back-up purposes. You may not make any copies of any printed manual. Any form of disassembly or reverse engineering of any portion of PC-Vault is explicitly prohibited. You must not export or re- export any software licensed from Johnson Computer Systems in violation of the laws and regulations of the United States of America. Our software may be exported to most countries. If you have ANY questions, please contact us. PC-Vault software and manuals are fully copyrighted and Johnson Computer Systems, Inc. reserves all rights which are not specifically granted in this license. Table of Contents Limited Warranty . . . . . . . . . . . . . . . . . . . . . . . i License Agreement . . . . . . . . . . . . . . . . . . . . . . ii THANK YOU . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 ABOUT THIS MANUAL . . . . . . . . . . . . . . . . . . . . . . . 3 WHAT PC-VAULT DOES . . . . . . . . . . . . . . . . . . . . . . 4 RESTRICTIONS . . . . . . . . . . . . . . . . . . . . . . . . . 5 USING PC-VAULT MENUS . . . . . . . . . . . . . . . . . . . . . 6 PC-VAULT PASSWORDS AND USER NAMES . . . . . . . . . . . . . . . 6 BEFORE INSTALLING PC-VAULT . . . . . . . . . . . . . . . . . . 7 The Logo Program . . . . . . . . . . . . . . . . . . . . . 8 The HelpUser Program . . . . . . . . . . . . . . . . . . . 8 Pre-installation Setup . . . . . . . . . . . . . . . . . . 9 HOW TO INSTALL PC-VAULT . . . . . . . . . . . . . . . . . . . 11 USING THE PC-VAULT MAIN PROGRAM . . . . . . . . . . . . . . . 13 HOW TO USE THE MAIN MENU . . . . . . . . . . . . . . . . . . 14 Installing PC-Vault MS-Windows Support . . . . . . . . . 14 Changing User Names, Passwords and Attributes . . . . . 14 Changing a User's Name or Password . . . . . . . . 14 Setting Password Expiration . . . . . . . . . . . . 15 Changing number of Different Passwords REQUIRED . . 16 Selecting Who Can Change Expired Passwords . . . . 16 Selecting What is Displayed During Definition . . . 16 Selecting PC-Vault Options . . . . . . . . . . . . . . . 17 MAXIMUM floppy boot protection . . . . . . . . . . 17 DISPLAY password entry asterisks . . . . . . . . . 17 RELAXED MBR protection . . . . . . . . . . . . . . 17 SIDEKICK compatibility mode . . . . . . . . . . . . 17 CTRL-BREAK prohibited during boot . . . . . . . . . 18 TIME/date change prohibited . . . . . . . . . . . . 18 BLANK screen during LunchBreak . . . . . . . . . . 18 FREEZE computer during LunchBreak . . . . . . . . . 18 ALL users may exit LunchBreak . . . . . . . . . . . 18 SPECIAL display blanking . . . . . . . . . . . . . 18 User NAMES are required . . . . . . . . . . . . . . 19 PC-Vault 4.6 Administrator's Manual - Page 3 USER may change his/her name . . . . . . . . . . . 19 Selecting Limits . . . . . . . . . . . . . . . . . . . . 19 Maximum keyboard IDLE time . . . . . . . . . . . . 19 Minimum number of PASSWORD characters . . . . . . . 19 Maximum invalid logons before ALARM . . . . . . . . 19 Maximum invalid logons before LOCKOUT . . . . . . . 19 SECONDS to wait before auto logon . . . . . . . . . 20 Alternate KEYBOARD/clock handling . . . . . . . . . 20 Locking and Unlocking PC-Vault Related Files . . . . . . 21 Fixed Disk Access When Booting From a Diskette . . . . . 21 Removing PC-Vault From Your Computer . . . . . . . . . . 21 The PC-Vault Hot Key . . . . . . . . . . . . . . . . . . 22 Selecting Automatic LunchBreak . . . . . . . . . . . . . 22 Controlling Users' Access to Directories [+ Only] . . . 22 Controlling User access to I/O Ports [+ Only] . . . . . 25 Controlling Logging of User Activity [+ Only] . . . . . 25 USING THE PC-VAULT PROGRAM AFTER PC-VAULT IS INSTALLED . . . 26 USING PC-VAULT ON LIMITED SYSTEMS . . . . . . . . . . . . . . 27 YOUR PC-VAULT FILES . . . . . . . . . . . . . . . . . . . . . 27 ACCESS.SYS [+ Only] . . . . . . . . . . . . . . . . . . 27 BRK-CNTL.COM . . . . . . . . . . . . . . . . . . . . . . 27 CLEANDSK.DRV . . . . . . . . . . . . . . . . . . . . . . 28 EXEC.COM . . . . . . . . . . . . . . . . . . . . . . . . 28 FLUSHLOG.COM [+ Only] . . . . . . . . . . . . . . . . . 29 FPERMF.INF [+ Only] . . . . . . . . . . . . . . . . . . 29 LOG.EXE [+ Only] . . . . . . . . . . . . . . . . . . . . 29 LOGOFF.COM . . . . . . . . . . . . . . . . . . . . . . . 30 MEM-STAT.SYS . . . . . . . . . . . . . . . . . . . . . . 30 PC-VAULT.EXE . . . . . . . . . . . . . . . . . . . . . . 30 PCVCRYPT.COM . . . . . . . . . . . . . . . . . . . . . . 30 SET-TIME.COM . . . . . . . . . . . . . . . . . . . . . . 32 VIOLS.COM . . . . . . . . . . . . . . . . . . . . . . . 33 VMOUSE.COM . . . . . . . . . . . . . . . . . . . . . . . 34 WHO.COM . . . . . . . . . . . . . . . . . . . . . . . . 34 WIPE.COM . . . . . . . . . . . . . . . . . . . . . . . . 35 OPTIONAL PC-VAULT FILES . . . . . . . . . . . . . . . . . . . 36 IN CASE OF DIFFICULTY . . . . . . . . . . . . . . . . . . . . 36 HOW TO ORDER PC-VAULT . . . . . . . . . . . . . . . . . . . . 38 PC-VAULT ORDER FORM . . . . . . . . . . . . . . . . . . . . . 39 PC-Vault 4.6 Administrator's Manual - Page 4 THANK YOU Thank you for investing in PC-Vault (formerly PC-Lock). We believe you will find PC-Vault to be an effective and convenient security system for your IBM-PC/XT/AT/PS2 or compatible. Version 1.1 was reviewed in the June 23, 1987 issue of PC-Magazine and listed among "The Best of the Best Utilities." Subsequent versions have provided enhanced security and many new features. Please note that you are not licensed to use this software until you have read and agree to the "Limited Warranty" and "License Agreement" located just prior to the table of contents. If you have any suggestions for improvements, please tell us about them. While we cannot make every change in either the manuals or the programs which has been suggested by our users, we do give careful consideration to each suggestion and have implemented many of them. ABOUT THIS MANUAL This Administrator's Manual is written for the PC-Vault and/or PC-Vault Plus administrator. It provides complete information for installing and using both products. The name "PC-Vault" is used to refer to both PC-Vault and PC-Vault Plus unless the text explicitly states otherwise. Sections which describe features which are only available in PC-Vault Plus are indicated by "[+ Only]". The features of PC-Vault are accessed from a few simple menus. This manual describes each menu and provides a detailed description of each feature accessible from that menu. Several features, such as defining a password, may be accessed from more than one menu. These features are fully described along with the administrator's main menu. The following optional programs are briefly described in this manual: Logo - Allows you to design your own logon screen, HelpUser - Allows granting one-time emergency access without knowing any passwords and without compromising security. If there is a file named READ-ME.1ST on your distribution diskette, please read it before proceeding. It contains information on last minute enhancements to the program and its associated manuals. PC-Vault 4.6 Administrator's Manual - Page 5 WHAT PC-VAULT DOES After you install PC-Vault you will be asked to enter a password each time your computer is booted from its hard disk. Just type your password and press Enter. The boot process will then continue normally. Even when you boot from a diskette, your password will be required in order to access the hard disk(s). The PC-Vault LunchBreak feature provides protection for your computer when it is running but the operator is not physically present. When a computer is in the LunchBreak state: The screen is completely blank, The keyboard, and optionally, the mouse, are locked, and Processing continues normally. This means that a large spread sheet computation, data base operation, or other process will continue normally during LunchBreak. A "would be" observer will not be able either to see or exercise control over the operation. LunchBreak may be activated by pressing the user selectable PC- Vault hot key. If you so choose, the LunchBreak feature will be automatically activated after a selectable period of keyboard and mouse inactivity. When the correct password is entered, the screen and keyboard will return to normal operation. This feature not only provides protection for the data on the PC's hard disk but also protects any mainframe or network to which the PC is logged on. As PC-Vault administrator you may: - Prevent users from using Ctrl-Brk to exit AUTOEXEC.BAT, - Force each user into a specific application, - Prevent users from obtaining a DOS prompt, - Change any user's name and/or password, - Define a minimum password length, - Require users to enter both their user name and password, - Require automatic LunchBreak and select a maximum keyboard idle time, - Remove PC-Vault from the computer, - Display a list of illegal logon attempts, - Access the hard disk when booting from a diskette, - Control several other aspects of PC-Vault operation, and - Much more. PC-Vault 4.6 Administrator's Manual - Page 6 As PC-Vault Plus administrator you may also, - Grant or deny read/write/execute access to specific hard disk directories on a per user basis, - Disallow sector oriented disk read/writes, - Grant or deny access to serial (COM) and parallel ports, - Grant or deny read/write/execute access to diskettes, and - Obtain a log (history) of the activity of each user including illegal access attempts, programs executed, and files accessed. RESTRICTIONS Norton Cache Version 6.0 Only - This versions contains a very serious bug which may destroy all of the data on your hard disk if you have both Norton Cache Intelliwrites and PC-Vault Maximum Floppy Boot Protection enabled at the same time. (It may also cause similar problems when used with other disk related software products.) This bug was fixed in Norton Cache version 6.01 which was distributed free to all registered version 6.0 users. We strongly recommend that you upgrade to version 6.01 or above on all your machines whether or not you plan to use PC-Vault on them. MS Windows - PC-Vault may work with Windows versions 1.x or 2.x but we no longer explicitly support versions prior to 3.0. Currently, the LunchBreak feature does not work reliably when you are in a Windows DOS Box. This will be fixed in a forthcoming release. If you define your own PC-Vault hot key combination, do not include an Alt key if you are using Windows. Stacker Version 3.1 Only - In order for PC-Vault's Maximum Floppy Boot Protection Option to afford the highest level of security, you must place PC-Vault's Device statement following Stacker's device statement in your CONFIG.SYS file. Due to a deficiency in Stacker's boot time processing, if you have host volumes other than the one you boot from, you may have to place a Stacker command to mount their compressed volumes in your AUTOEXEC.BAT file. Non-Standard Sector Size - PC-Vault will not install if your hard disk uses a sector size other than 512 bytes. Non-DOS Partitions - Your hard drive(s) must not contain partitions belonging to operating systems other than DOS. PC-Vault 4.6 Administrator's Manual - Page 7 FDISK - Do not use FDISK or other partitioning software while PC-Vault is installed. USING PC-VAULT MENUS Each menu contains the list of functions which you may perform when that menu is displayed. You may select any item from a menu simply by Pressing the letter displayed in front of that item, or Using the "up" and/or "down" cursor control keys to position the light-bar (inverse video bar) over the item and pressing Enter. Additional information about a function may be displayed by moving the light bar to the item and pressing the "?" key. Letters and the "?" may be typed in either upper or lower case. Either the Escape or the "E" keys may be used to exit any menu. The menus shown in this manual may differ slightly from those displayed on the screen due to page size limitations. PC-VAULT PASSWORDS AND USER NAMES All PC-Vault passwords consist of zero to sixteen characters (key-strokes). The minimum password length may be set to any value from zero to sixteen. User names are optional. If used, they must be from one to seven characters in length. User names are set by the administrator, and may also be set by the user if the administrator has granted that permission. You must enter a password (and at the administrator's option, a user name) whenever the computer is booted from the hard disk, whenever you wish to exit LunchBreak, and whenever the PC-VAULT program is started. If user names are required, begin by entering your user name and pressing the Enter key. Then enter your password and press the Enter key. If the entry is incorrect you will hear a beep and the system will wait for you to start the process over with the user name. The backspace key may be used to correct errors in the normal manner. The escape key may be used to terminate the present attempt and start all over. The Enter key signifies the end of your user name or password. PC-Vault 4.6 Administrator's Manual - Page 8 After entering a password, you may hear a sequence of "beeps" alternating between two tones. This is called an alarm and occurs when a number of consecutive incorrect user name/password entries have been entered. The number of consecutive incorrect entries required to trigger the alarm is determined by the administrator. If the number of consecutive errors exceeds another limit, also chosen by the administrator, the machine will sound the alarm and then lock for five minutes following each incorrect entry. Turning the machine off will not influence the count of incorrect entries. If the machine is turned off during a five minute lock-up, the five minutes will be repeated from the beginning when the machine is next re-booted. For more information on user names and passwords, see the section on changing passwords on page 14. BEFORE INSTALLING PC-VAULT You may skip this section and go directly to the "INSTALLING PC- VAULT" section if: You are not using PC-Vault Plus, and You only want one password on your computer, and You do not have the optional HelpUser or Logo programs. You, as administrator, may select an original administrator password and make several other choices about how you want PC- Vault to work on your computer(s). This is done by using one or more of the three programs described in this section to modify a copy of the PC-Vault program itself before you install it. You may then use the modified copy to install PC-Vault on one or more computers and your administrator password and other selections will automatically be in effect. Please place a diskette containing a COPY of the file PC- VAULT.EXE in drive A:. Your original PC-Vault diskette is not copy protected and may easily be copied using the COPY command. The DISKCOPY command will not work, so please use COPY. THE CHOICES YOU MAKE IN THIS SECTION WILL ONLY AFFECT THE COPY OF PC-VAULT.EXE THAT IS ON THE DISKETTE IN DRIVE A:. NO CHANGES WILL BE MADE TO THE COMPUTER YOU ARE USING. The three programs which may be used are HelpUser, Logo, and PC- Vault itself. These programs may be used in any order. HelpUser and Logo are optional programs whose functions are described in the next two sections. Detailed instructions for using PC-Vault to select an initial administrator password and other features of PC-Vault 4.6 Administrator's Manual - Page 9 PC-Vault are included in the "Pre-installation Setup" section starting on page 9. The Logo Program The Logo program allows you to design the appearance of the user name/password request screen that is displayed when you boot your computer. You may completely replace our logo and messages. Logo provides something similar to a full screen editor which is used to design your logon screen. Once it is designed, you may save your design to a file which you can recall at any later time for additional editing, and/or you may install your design into PC-VAULT.EXE replacing our screen with your design. You may wish to install your company's logo, or have a misleading screen such as "System Board Error 101". If you are using PC- Vault Plus, you might provide very restricted access to anyone who desires to use the system and greater access to specified users. You could accomplish this by assigning a password of GUEST and using Logo to create a boot time message such as, "Please enter your password (if you only wish to use the modem, enter GUEST)." Complete documentation is provided with the Logo program. The HelpUser Program The HelpUser program allows a corporate security officer (CSO) to grant one time access to a machine without the physical presence of the security officer and without either the CSO or the user knowing any passwords. Subsequent access to the same or another machine will require a new approval by the security officer. The CSO will not be able to grant access to machines other than those in his organization. Each copy of HelpUser is unique, and may be run in either the normal mode or in a special configuration mode. When HelpUser is run in the configuration mode, it reads a copy of PC-Vault from a diskette, modifies it to work only with that specific copy of HelpUser and writes PC-Vault back to the diskette. The modified copy of PC-Vault may then be installed on the organization's computers. When an individual needs to gain access to a computer, but doesn't know a valid password, he must call the CSO and convince him/her to grant the access. The CSO then instructs the user to start the PC-Vault program with a special parameter. Instead of requesting the user to enter a password, PC-Vault will display the message: PC-Vault 4.6 Administrator's Manual - Page 10 Please read the following string to your security officer: AZq9-Q=4. Then enter the EXACT string you receive in return: The string displayed (AZq9-Q=4 in the above example) is randomly generated and will be different each time. PC-Vault will use the displayed string to compute, but not display, two response strings. The CSO must start HelpUser and enter the exact string which the user read to him. HelpUser will then display both of the responses for which PC-Vault is waiting. One response will have the same result as entering the administrator's password. The other will have the same result as entering the password for User 1. The CSO simply tells the user the string which corresponds to the privilege he wishes to grant. Complete documentation is provided with the HelpUser program. Pre-installation Setup Pre-installation setup is a simple process that allows the system administrator to modify a copy of the PC-Vault main program (PC- VAULT.EXE) so that it automatically works as desired on each computer on which it is subsequently installed. Pre-installation set up is optional for PC-Vault but is required for PC-Vault Plus. If the setup is not done, you will be able to use only one password. If you do not wish to perform the setup you may go to the "HOW TO INSTALL PC-VAULT" section on page 11. THE PRE-INSTALLATION PROCESS DESCRIBED IN THIS SECTION MAKES NO CHANGES TO THE COMPUTER USED TO PERFORM IT. IT ONLY MODIFIES A COPY OF THE PC-Vault MAIN PROGRAM, PC-VAULT.EXE. To setup PC-Vault, place a diskette containing a copy of the file PC-VAULT.EXE (not your original please) in a floppy drive or copy PC-VAULT.EXE to a directory on any drive. Then enter: PC-VAULT /P or PC-VAULT /P=Path where Path is the drive/directory where the PC-VAULT.EXE to be modified is located. If you use the first form PC-Vault will look for PC-VAULT.EXE in the root directory of drive A:. Thus PC-VAULT /P is equivalent to PC-VAULT /P=A:\ The screen shown in Fig. 1 will be displayed. Read the screen and then press Y to continue pre-installation or N to return to DOS. PC-Vault 4.6 Administrator's Manual - Page 11 If you have not previously defined an administrator password, the pre-installation main menu shown in Fig. 3 will be immediately displayed. If you have already done pre-installation setup on the copy of PC-Vault in drive A: to define an administrator password, the screen shown in Fig. 2 will be displayed. In this case you must enter your password in order to get to the screen shown in Fig. 3. Please review USING PC-VAULT MENUS on page 6 for general information on menus. An original administrator password must be defined prior to installation in any of the following situations: - You are using PC-Vault Plus, - You wish to have an administrator password, or - You wish to have more than one user password. The P (Define Original PASSWORDS and Names) menu item allows you to define original passwords, user names, password lifetimes, etc. for each user. Defining an administrator password enables PC-Vault's multi-user features. The exact procedure and the screens you will see are discussed in "Changing User Names, Passwords and Password Attributes" on page 14. The O (Select OPTIONS) menu item allows you to determine the way PC-Vault will operate once it is installed. Any options you select at this time may also be selected and/or deselected by you, as administrator, after installation. For additional information on this subject see "Selecting PC-Vault Options" on page 17. The S (SET Limits) menu item allows you to set bounds on certain user selections such as minimum password length, maximum invalid logons, and maximum keyboard/mouse idle time before LunchBreak is automatically invoked, etc. For detailed information on limits see "Setting Limits" on page 19. The K (Define Hot KEY) item allows you to define the Hot Key Combination that will invoke the LunchBreak feature. Simply follow the instructions on the screen. Your hot key may be any combination of two or more of the Left Shift, Right Shift, Ctrl and Alt keys. If you are using Windows, you should avoid using the Alt key. The L (LOCK files during installation) option will cause the CONFIG.SYS, AUTOEXEC.BAT, and CLEANDSK.DRV (the PC-Vault device driver) files to be locked during installation. Locked files can not be altered by anyone other than the system administrator. A user cannot delete them or change their names, contents, or attributes. For additional information on locked files see "Locking and Unlocking PC-Vault Related Files" on page 21. PC-Vault 4.6 Administrator's Manual - Page 12 The W (Choose WHO will install PC-Vault) option allows you to choose whether the administrator's or user's menu will be displayed after PC-Vault is installed. If the administrator's menu is displayed, the person who installed PC-Vault will be able to change all user names, passwords, options, and limits. In the case of PC-Vault Plus, directory access permissions and logging levels can also be changed. If the user's menu is displayed, the user may change only the User 1 password and perform other functions available to all users. If you choose to have the administrator's menu displayed, you will be asked if you wish to: Require the administrator's password to be entered in order to install PC-Vault, Require the installer to choose a new administrator password, Give the installer a choice of either of the above, or Have PC-Vault install itself without any password being entered. Requiring a password will prevent unauthorized persons from installing PC-Vault, and ensure that the installer knows the administrator password. The R (RECORD your choices for later use) option causes the file PC-VAULT.EXE in drive A: to be modified to incorporate your administrator password and other selections. When you use this copy of PC-VAULT.EXE to install PC-Vault on a computer, your selections will be written to the computer's hard disk and will automatically be in effect. HOW TO INSTALL PC-VAULT Before installing PC-Vault, it is important that you read the "Limited Warranty" and the "License Agreement" located just prior to the table of contents. You are not licensed to install and/or use this program until you have read and agreeg with the terms and conditions contained in those sections. Thank you. While we have a very high degree of confidence in PC-Vault, it is impossible to guarantee that any software program will work on all the millions of differently configured systems on which it may be used. For this reason we ask that you ensure you have a current backup of your hard disk before you install PC-Vault. We do not anticipate that you will experience any problems in PC-Vault 4.6 Administrator's Manual - Page 13 installing and using PC-Vault, but we do want you to be able to recover in the unlikely event a problem does occur. If you have an earlier version of PC-Vault installed on your computer, please remove it by using that version of PC-Vault. (NOTE: Your earlier version may have been called PC-Lock.) You will need to have the file PC-VAULT.EXE on a diskette drive or on your hard disk. To install or use PC-Vault simply enter PC-VAULT You may need to type the drive letter if the drive containing PC- Vault is not the default drive, for example: A:PC-VAULT or C:PC-VAULT or C:\PCV\PC-Vault If PC-Vault is not already installed, the menu shown in Fig. 4 will be displayed. Simply select the "INSTALL PC-Vault" option and PC-Vault will install itself on your computer. After PC- Vault installation has been completed a screen giving important information will be displayed. Please read the entire screen carefully. After reading the screen, press any key and a main menu will be displayed. Please note that a file named CLEANDSK.DRV has been placed in the root directory of your hard drive and the line DEVICE=CLEANDSK.DRV has been placed at the beginning of your CONFIG.SYS file. Do not delete the file or the device statement. They will be removed automatically if you ask Pc-Vault to remove itself from your computer. If you wish to remove PC-Vault, use the "Remove PC-Vault from this computer" option described on page 21. Please DO NOT attempt to remove it manually. The installation process is completed by selecting any desired items from the main menu. For a complete description of the use of this menu see "HOW TO USE THE MAIN MENU" on page 14. When all desired selections (if any) have been made, select the E (END THIS PROGRAM) option to return to DOS. Protection is now in effect. The LunchBreak feature will not be available until you reboot your computer. If you are using DOS 5.0 or above or are using a memory manager, you may wish to install the PC-Vault device driver in Upper Memory Blocks (UMB), or in rare instances, you may need to place the PC-Vault DEVICE statement at another location in your CONFIG.SYS file. You may use any text editor or word processor to modify the DEVICE = CLEANDSK.DRV statement and/or to move it to the desired location. If you expect to remove and re-install PC-Vault from time to time, we suggest placing one of the following lines in your CONFIG.SYS file: PC-Vault 4.6 Administrator's Manual - Page 14 Rem CLEANDSK.DRV here Rem CLEANDSK.DRV here (High) Rem CLEANDSK.DRV here (Special,text) PC-Vault will place its DEVICE statement immediately following any of the above lines. If you are using a DOS 6.0 or above multi-section CONFIG.SYS file, you may place one of the above lines in each section. If "(High)" is included, PC-Vault will use a standard DOS DEVICEHIGH statement. If "(Special, text)" is included, PC-Vault will create the following CONFIG.SYS line: Device=text CleanDsk.Drv This allows automatic creation of Device statements for QEMM or other memory managers. For example, using: Rem CleanDsk.Drv here (Special,c:\qemm\loadhi.sys /r:2) will create the line: Device=c:\qemm\loadhi.sys /r:2 CleanDsk.Drv Later versions of DOS ignore any CONFIG.SYS statement beginning with "Rem". Earlier versions will display a message stating that they cannot recognize the statement but will otherwise ignore it. If PC-Vault is already setup as you desire, you may do a quick installation by entering: PC-VAULT /I or PC-VAULT /I /W at the DOS prompt or from within a batch file instead of selecting Install from a menu. Use the second form if you wish to also install MS-Windows support (described on page 14). USING THE PC-VAULT MAIN PROGRAM If you run the PC-Vault program when PC-Vault is already installed on the computer, you will immediately be asked to enter your password. The administrator password or any user password may be entered. If the administrator has so required, you will also have to enter your user name. As soon as a password is correctly entered, one of three main menus will be displayed. The PC-Vault Plus administrator's main menu is shown in Fig. 5. The PC-Vault administrator's menu is the same except that the last three items which control access to directories, I/O ports PC-Vault 4.6 Administrator's Manual - Page 15 and logging (audit trail) are not present. The user's main menu contains only items E, H, W, P, K, and T. HOW TO USE THE MAIN MENU For general information on using menus, see "HOW TO USE PC-VAULT MENUS" on page 6. You may return to DOS from the main menu by selecting the E option or by pressing the Esc key. The following sections describe the use of each main menu option. Installing PC-Vault MS-Windows Support Before using the LunchBreak feature with Windows, you must install PC-Vault Windows support by either of two methods: (1) Use the /W switch on the PC-Vault command line when you are installing PC-Vault, or (2) Select the W option from the main menu. This method may be used any time after PC-Vault is installed. Either method will cause PC-Vault to search for your Windows directory, add the files DRVR-APP.EXE and DRVR-DLL.DLL to the directory, and append the characters "DRVR-APP.EXE" to the load statement in your WIN.INI file. If PC-Vault cannot find your Windows directory, it will ask you to enter the directory's drive and path. If you are using the /W switch you may specify the directory by /W=drive:path. For example, if your Window's directory is on drive E: and is named MAIN, you may use: PC-Vault /W=E:\MAIN If you will be using Windows, do not select the "Freeze Computer during LunchBreak" option (page 18) or set the "Alternate Keyboard/Clock Handling" limit (page 20) to a non-zero value. NOTE - It is no longer necessary to select the Special Display Blanking option when using a VGA display with Windows. Changing User Names, Passwords and Password Attributes You may change user names, passwords and password attributes by selecting the P (Change PASSWORD) option in the main menu. If the administrator is using PC-Vault, the screen shown in Fig. 6 will appear. - Changing a User's Name or Password PC-Vault 4.6 Administrator's Manual - Page 16 Enter the user number of the user whose name and/or password you wish to change. A screen similar to that shown in Fig. 7 will allow you to change the name associated with the selected user. If you just press Enter, the name will not be changed and you will go directly to the password definition screen shown in Fig. 8. If you enter a new name you will be asked to enter it again to be sure you entered it correctly. The administrator may require that user names be entered whenever a password is required, so please be certain that you remember your user name. If user names have not been assigned, the default names of Admin, User 1, User 2, etc., will be used. If you cannot change user names, please see "USING PC-VAULT ON LIMITED SYSTEMS" on page 27. After the name has been defined the upper portion of Fig. 8 is displayed. Please read the screen and then enter the new password of your choice. If you do not wish to change the password, press the escape key. The default password for User 1 is PASSWORD. There is no default password for other users. The example in the figure shows that the user has selected "SECRET- STUFF" as the new password. After you enter your password you will be asked to enter it one or two more times to be certain it has been entered correctly. The lower portion of the screen shown in Fig. 8 is then displayed and the new password is stored. Passwords are stored in an encrypted form such that they cannot be decrypted. Whenever you enter a password to gain access, it is encrypted and then compared to the stored value. Since it is impossible for us to decrypt passwords it is extremely important for the administrator to remember his/her password. If the password is forgotten and your organization has not already purchased and installed the HelpUser program, it will be necessary to perform a low level format of your hard disk. If you cannot low-level format your hard drive (some IDE drives) please call for technical support. We can help you avoid the necessity of a low level format, but all of the data on your drive will still be lost. If there were another way to get in, the security provided by PC-Vault would be seriously compromised. - Setting Password Expiration System security can be enhanced by requiring users to change their passwords periodically. If a password's entry in the "Days" column is not zero, it specifies the number of days a newly defined password remains valid. A value of zero means that a password will never expire. Any time you enter an expired password, you will be required to change it before gaining access. A user may try to prevent expiration by setting the PC's clock/calendar back. For this reason, all passwords are marked as expired whenever the clock regresses by four or more hours. Passwords defined during pre- PC-Vault 4.6 Administrator's Manual - Page 17 installation or user passwords re-defined by the administrator expire the first time they are used. To set password expiration, press E. You will then be asked to enter the user number for which the change is to be made. Enter the number, or enter "A" to change the value for all users. You will then be asked to enter the number of days. If you have an XT class computer and choose to have passwords expire, we can only check for expiration after DOS's clock has been set from a custom battery-backed clock/calendar installed in your machine. In this case, you MUST have PC-VAULT.EXE on your hard disk, and execute it on each boot by placing the line: PC-VAULT/A near the beginning of your AUTOEXEC.BAT file, but after the statement that sets DOS's clock from your battery operated clock. This is required for XT class machines only. - Changing the number of Different Passwords REQUIRED Password expiration is ineffective if a user is allowed to change to the same password he or she had before. As administrator, you can require that a user use several different passwords before being allowed to reuse an earlier one. You can specify that up to ten different passwords must be defined before the first one can be reused. To define the number of different passwords required, press R. You will then be asked to enter the user number for which the change is to be made. Enter the number, or enter "A" to change the value for all users. You will then be asked to enter the number of different passwords required. - Selecting Who Can Change Expired Passwords This option allows the administrator to prevent users from changing their password when it expires. This capability is provided for use in computer/software rental and similar situations. Even when users are not allowed to change their expired password, they may still change them before they expire. In this case, the changed password will still expire on the same date as the original password was set to expire. - Selecting What Will be Displayed During Password Definition You may select what PC-Vault displays during password definition. You may choose to display the actual password characters, asterisks, or nothing at all by pressing D. If you choose to display characters, you will be asked to enter passwords twice during the password definition process. Otherwise, you must enter it three times. PC-Vault 4.6 Administrator's Manual - Page 18 Selecting PC-Vault Options Selecting the O (Change OPTIONS) item from the main menu causes the screen shown in Fig. 9 to be displayed. Pressing the letter in front of the option will change its selection/deselection state. Each of the options is described in the following paragraphs. Except as noted, option changes are effective immediately. - MAXIMUM floppy boot protection This option makes it even more difficult for an unauthorized person to break into your computer by erecting a very significant additional barrier that they must overcome. Selecting this option causes no visible difference in the operation of your machine. If you are using or may use Norton Cache version 6.0 (as opposed to 6.01 or later), please see the VERY IMPORTANT note in the Restrictions section on page 5. This option becomes effective the next time you boot your computer after you select it. Deselecting this option is effective immediately. If the words "Not Available" appear by this option, please see "USING PC-VAULT ON LIMITED SYSTEMS" on page 27. - DISPLAY password entry asterisks This option controls what is displayed when a password is entered in order to gain access. Selecting this option causes an asterisk to be displayed for each password character entered. If this option is not selected, nothing will be displayed. To control what is displayed while passwords are being defined, please see "Selecting What Will be Displayed During Password Definition" on page 16. - RELAXED MBR protection Your Master Boot Record (MBR) and DOS boot record are areas of your hard disk that must be correct before you can boot your computer from its hard disk. PC-Vault provides very strong protection intended to keep even the most sophisticated viruses from writing to these records. Unfortunately, this level of protection prevents some anti-virus programs from running. Selecting this option weakens the protection afforded by PC-Vault in order to allow these anti-virus programs to run. - SIDEKICK compatibility mode This option prevents the computer from responding to Sidekick's hot key during LunchBreak. Select this option only if you are using Sidekick and you find that the computer responds to Sidekick's hot key during LunchBreak. This paragraph contains a detailed technical description of this option so feel free to skip to the next paragraph if you wish. PC-Vault 4.6 Administrator's Manual - Page 19 PC-Vault intercepts both the clock (IRQ 0) and keyboard (IRQ 1) interrupts at boot time and again on entry into LunchBreak. Each time the clock interrupt is issued, Sidekick determines if any program has intercepted the keyboard interrupt since it has. If so, it re-intercepts the keyboard interrupt. This is why they say it must be loaded last, and why it can see its hot key even during LunchBreak. If PC-Vault's Sidekick Compatibility option is selected, PC-Vault passes clock interrupts intercepted to the IRQ 0 interrupt address that was in effect when its device driver was loaded at boot time. This effectively passes clock interrupts around Sidekick (and perhaps other TSRs) so that it never re-intercepts the keyboard interrupt. This also assures that the DOS/BIOS system clock continues to run. - CTRL-BREAK prohibited during boot Selecting this option prevents anyone other than the administrator from breaking out of the AUTOEXEC.BAT file during boot. Breaks will be disabled until they are enabled by the BRK-CNTL.COM file described on page 27. - TIME/date change prohibited Selecting this option will prevent users, but not the administrator, from changing the system date and/or time. - BLANK screen during LunchBreak This option causes the screen to become completely blank during LunchBreak. If it is not selected, the keyboard will lock but the screen will remain active. This allows you to use the system to monitor some process while prohibiting observers from interfering with the process. - FREEZE computer during LunchBreak This option prevents the computer from continuing to process during LunchBreak and is rarely needed. It should not be selected if you will be running Windows. - ALL users may exit LunchBreak You may allow any user name/password to be used to exit LunchBreak. If this option is not selected, only the name/password used to boot the machine and the administrator's name/password will be accepted. The permissions in effect will be those of the user whose password was used to exit LunchBreak. - SPECIAL display blanking If the "BLANK screen during LunchBreak" option is selected, but your VGA or CGA screen will not blank and/or unblank as it should, please select this option. A very few non-standard display CGA and VGA display adapters require selection of this option to blank properly. PC-Vault 4.6 Administrator's Manual - Page 20 - User NAMES are required You may require that users enter a correct user name in addition to a password. The user must then type a user name followed by the enter key and then the corresponding password followed by the enter key. After both items have been entered, access will be granted, or a beep will sound to indicate that the entries were not correct. - USER may change his/her name This option allows a user to change his/her own name. If this option is not selected, only the administrator may change a user name. Selecting Limits Selecting this option from the administrator's main menu allows you to select certain limiting values which users are unable to change. Each of the limits is described in the following paragraphs. Except as noted, limit changes are effective immediately. - Maximum keyboard IDLE time Keyboard idle time is the time in minutes between the most recent keystroke or mouse activity and the time when the machine automatically goes into LunchBreak. This limit allows you to determine the maximum keyboard idle time a user can specify. If the user specifies a time of 61 minutes, automatic LunchBreak will never occur. If you set this limit to 10, a user may set the actual idle time to any value between 3 and 10 minutes. If you are using a mouse see VMOUSE on page 36. - Minimum number of PASSWORD characters This limit allows you to determine the minimum number of characters in a password. When you select this limit you will be asked to enter a number from 0 to 16. Newly defined passwords must contain at least the number of characters you specify. - Maximum invalid logons before ALARM After an excessive number of consecutive unsuccessful attempts to boot the computer and/or use the PC-Vault program, an alarm will sound. This is also true when exiting LunchBreak if the VIOLS /R utility has been loaded as explained on page 33. The alarm consists of several repetitions of a two tone signal. Turning the computer off between attempts will not keep the alarm from working. This limit allows you to select the number of failed attempts prior to the alarm being sounded. If you select the value zero, the alarm will not sound. - Maximum invalid logons before LOCKOUT PC-Vault 4.6 Administrator's Manual - Page 21 After an excessive number of consecutive unsuccessful attempts to boot the computer, exit LunchBreak, and/or use the PC-Vault program, the machine will lock for a period of five minutes. Turning the computer off during a lockout period will cause the five minute lockout to be restarted from the beginning on the next power up. This limit allows you to select the number of failed attempts prior to lockout. If you select the value zero, the lockout will never occur. - SECONDS to wait before auto logon This feature is frequently used when it is desirable to allow anyone restricted access to a computer while granting specific users less restricted access. It is also used to provide for unattended automatic boot-up. Normally, PC-Vault requires that a correct password (and optionally a user name) be entered each time the machine is booted. If this limit is set to a value other than zero, it specifies the number of seconds that PC-Vault will wait for a correct entry. If no correct entry is made during the specified interval, your computer will automatically boot as though the password for User 6 had been correctly entered. The LunchBreak feature will be disabled because it is assumed that the user does not know the User 6 password, and so could not exit LunchBreak. LunchBreak may be re-enabled with the SET-TIME command as described on page 32. This allows you, as administrator, to assign to User 6 those permissions, etc. that you wish to provide to anyone who uses the computer. Only those users requiring additional permissions will have to know a password. Using PC-Vault's ability to prevent breaking out of the AUTOEXEC.BAT file, will ensure that the statements it contains will be executed. The SET-TIME 0 command may be used in the AUTOEXEC.BAT file to re-enable LunchBreak and place the machine into LunchBreak immediately, thus providing for a secure unattended boot-up. - Alternate KEYBOARD/clock handling There are a few hardware and software combinations which cause the LunchBreak feature to operate incorrectly unless this limit is set to a non-zero value. If PC-Vault refuses to go into LunchBreak when it should or will not return from LunchBreak properly, try using this feature. Do not use this feature if you will also be using Windows. When you select this feature, you will be asked to choose one of several software interrupt groups for PC-Vault to use. (You do not have to know what an interrupt is to use this feature.) PC- Vault will list the values from which you may choose, and even PC-Vault 4.6 Administrator's Manual - Page 22 give a recommended choice. Changes you make to this limit become effective when you reboot your computer. Locking and Unlocking PC-Vault Related Files These options lock and unlock CONFIG.SYS, AUTOEXEC.BAT, and the PC-Vault device driver. (When a file is locked its DOS read-only and system attributes are set and the hidden attribute is not set.) Only the administrator can change the attributes or the name of a locked file. Since the file is read-only, DOS will not allow a user to write to or delete the file. (Note: Norton's FA utility may tell a user that it has changed the attributes of a locked file, but it cannot and does not actually change them unless the administrator's password is in use.) Accessing Your Fixed Disk When Booting From a Diskette It may become impossible to boot from your hard disk due to causes unrelated to PC-Vault. For example, if COMMAND.COM is accidentally deleted or a defective device driver is installed, you cannot boot from the hard disk whether PC-Vault is installed or not. You will then have to boot from a diskette and repair the problem. This option allows you to access your hard disk so that you can repair it. Simply boot from a diskette USING THE SAME VERSION OF DOS THAT YOU HAVE ON YOUR HARD DISK or a later version. Then run PC-Vault, enter the administrator's password and select "ACCESS fixed disk after diskette boot." You will be told that PC-Vault protection has been temporarily suspended and that the next time you boot from a floppy you will have access to your hard disk. The next time you boot from your hard disk after correcting the problem, full protection will be automatically restored. Removing PC-Vault From Your Computer Selecting the "REMOVE PC-Vault from this computer" option will completely de-install PC-Vault. The PC-Vault device driver will be deleted, the corresponding device statement(s) will be removed from the CONFIG.SYS file, Windows support will be removed, PC-Vault related files will be unlocked, and changes PC-Vault made to the system areas of your hard disk will be restored. The MEM-STAT.SYS and/or MEM_STAT.SYS file(s) (page 30) and the FPERMF.INF file (page 29) will not be removed because they contain information that may be used when PC-Vault is re- installed. PC-Vault 4.6 Administrator's Manual - Page 23 The PC-Vault Hot Key The PC-Vault hot key is used to place your computer in LunchBreak. (For more information on LunchBreak, see "WHAT PC- VAULT DOES" on page 4.) The hot key is actually a combination of two or more keys held down simultaneously. The original hot key consists of the left and right shift keys. You may change it to any combination of two or more of the following keys: Left Shift, Right Shift, Alt, and Ctrl. PC- Vault distinguishes between the left and right Ctrl and Alt keys, but you cannot have both Alt or both Ctrl keys in your hot key definition at the same time. NOTE: MS-Windows converts the right Ctrl key into the left Ctrl key. Therefore do not use the right Ctrl when defining a hot key which will be used from within MS-Windows. Do not include an Alt key when using MS-Windows. To change your hot key, select the K (Define new hot KEY) option from the main menu. The hot key selection screen shown in Fig. 11 will then be displayed. Simply follow the directions on the screen and your new hot key will be in effect for all users. Selecting Automatic LunchBreak You may choose to have your computer automatically enter the LunchBreak state when your keyboard and mouse have been idle for a specified period from 3 to 60 minutes. If you select a time of 61 minutes, automatic activation of LunchBreak is disabled and your computer will go into LunchBreak only when the hot key is pressed. If you find that PC-Vault places the maximum value you can enter below 61, the system administrator has selected that lower value as described on page 19. If you are using a mouse see VMOUSE on page 36. To select, deselect, or change the automatic LunchBreak time, choose the I (Select maximum keyboard IDLE time) item from the main menu. The screen shown in Fig. 12 will then be displayed. Simply enter the desired time and press Enter. The time you select will be effective for all users. Controlling Users' Access to Directories [+ Only] If you are using PC-Vault Plus, you may control each user's access to the sub-directories on your hard disk(s), to sector oriented hard disk I/O, and to diskettes. These functions are accomplished by selecting the "Control DIRECTORY access by user" PC-Vault 4.6 Administrator's Manual - Page 24 item from the administrator's main menu. When this item is selected, a table similar to the one shown in Fig. 13 will be displayed. Access rights assigned to a root directory apply only to that directory, while those assigned to a first level sub- directory also apply to all of its sub-directories. In all cases except HardDisk Abs I/O (described below), you may separately grant access rights to .EXE and .COM files (programs) and to all other files. The access that may be granted are "Read" and "Write", and in the case of programs, "Execute". READ access means that program can read data from files. WRITE access means that files can be created, written to, over written, renamed, deleted, and have their attributes changed. EXECUTE access means that files containing programs can be executed. For example, if the WordPerfect word processor program is a file named WP.EXE, it may be executed only by user's having Execute access to it. Execute access does not imply read access. Thus, if a user has only execute access to WP.EXE, the command, COPY C:WP.EXE A:WP.EXE will fail because the copy command is not allowed to read the file. Some programs such as WordPerfect sometimes modify themselves. If you are using DOS 3.1 or above, PC-Vault will always allow an executing program to read and write itself even if the access is not explicitly granted. In versions of DOS prior to 3.1, PC- Vault cannot determine exactly which file is executing and so the access is denied if it is not explicitly granted. Thus, WordPerfect running under DOS 3.1 or above will be allowed to modify itself even if Write permission has not been granted. Some programs are designed to read and/or write files that they require to be in the same directory as the executing program. If you wish to prevent such programs from being copied, grant only Execute access to .EXE/.COM files but full access to other files. Alternately, you could deny Write access to diskettes. All users are always granted read access to the file named AUTOEXEC.BAT in the root directory of the hard drive from which the system was booted. This is done to allow all users to execute AUTOEXEC.BAT when the system is booting. As shown in Fig. 13, the table begins with three special lines which do not contain directory names. The first line, labeled "Diskette Access," allows you to control user's access to diskettes. The permissions you grant apply to all directories in drives A: and B:. PC-Vault 4.6 Administrator's Manual - Page 25 A very few programs ask DOS to read/write specific physical locations on the disk rather than performing operations on files. If such a program can find the physical location of a file, it may be able to read data from the file even if the user does not have read access to its directory. The second line, labeled "HardDisk Abs I/O" allows the administrator to control this type of access. Preventing the access may prevent some programs from running, but will result in a more secure system. We suggest that you do not grant this access unless you find that the user must run a program that requires it. The column labeled .EXE/.COM is not applicable to absolute I/O. The "New Level 1 Dirs" line allows you to specify the permissions each user will be automatically given in newly created level 1 directories and their sub-directories. A user may create a new 1st level sub-directory only if you allow that user write permission to new level 1 sub-directories. Write permission to the root directory is not required. (A user may create new sub- directories at other levels if he/she has permission to write to its parent. For example a user having write permission to C:\INVEST is allowed to create C:\INVEST\TBILLS). Please note that in rare instances a program that runs well when PC-Vault Plus is not installed will fail to run correctly when PC-Vault Plus is installed. This does not necessarily indicate an error in PC-Vault Plus. For instance, a program may try to change the attribute of a file from read-only to read-write. If the user has not been granted appropriate access to the file's directory, DOS will return an "access denied" error. It is possible that the program may not handle the error correctly. This bug in the program may never have been noticed because the program never encountered that error before. A sample directory access control table is shown in Fig. 13. The first two lines allow control of diskette and sector oriented I/O access. The remaining lines control access to the root and first level sub-directories of your hard drive(s). Access granted to a root directory applies only to that directory. Access granted to a first level sub-directory applies to that directory and all of its sub-directories. Each column shows the access currently granted to the user whose name appears at the top of the column. User names are assigned using the PASSWORD option of the main menu. In the example shown, user 1 has been assigned to TheBoss and no name has been assigned to user 2. The cursor control, page up, page down, home, and end keys may be used to move the highlight bar from one position to another. Pressing the R, W, and X keys will toggle (turn on and off) read, write, and execute permissions respectively. To grant/deny all permissions in the highlighted square, press A or N respectively. PC-Vault 4.6 Administrator's Manual - Page 26 Pressing Ctrl with R, W, X, A, or N, will grant/deny the corresponding access to all directories (the entire column). Similarly, using the Alt key will affect all users' access to that directory (the entire row). Thus, if a user is to be granted access to almost everything, begin by moving the bar to the user's column and press Ctrl-A. Then remove the undesired accesses. Attempting to move the bar off the screen will cause more users or directory names to be displayed. When you have the access permissions set as you desire, press the escape or the "E" key to return to the main menu. If no new directories have been created since you last booted the computer, your selections will be in effect immediately. If this is not the case, you will be notified that your selections will be effective when you re-boot your computer. Controlling User access to I/O Ports [+ Only] Selecting "Control I/O PORT access by user" causes the table shown in Fig. 14 to be displayed. You may enable/disable each user's access to parallel (printer or LPT) ports and each serial (COM) port. Please note that if your system uses a serial mouse, you must leave its port enabled in order for the user to use the mouse. Controlling Logging of User Activity [+ Only] Choosing the "Select FILE accesses to be logged" item from the main menu causes the table shown in Fig. 15 to be displayed. You may then select which type(s) of file access you wish to log. Access types which may be selected are Denials, Program Executions, and All Other accesses. Denied accesses occur when PC-Vault Plus refuses to grant a requested access. For example, an attempt by a user to delete, write to, or change the name or attributes of a file in a directory to which the user has read only access will result in a denial. It is not possible to select logging of denied accesses for the administrator because all administrator access requests are granted. The following lines, extracted from an actual log, indicate the type of information that is available to the administrator: Log file starting date is 4-04-89 17:18:43 User 2 - Allowed: Open. C:\COMMAND.COM 17:18:40 User 2 - ═══════ RE-BOOT on 4-04-89 17:18:41 User 2 - Allowed: Open. C:\DOS3.31\ANSI.SYS 17:18:44 User 2 - Allowed: Open. C:\AUTOEXEC.BAT PC-Vault 4.6 Administrator's Manual - Page 27 17:18:44 User 2 - Execute: ExecPrgm. C:\SAV-DTAB.COM 17:18:55 User 2 - NotAlwd: Change Dir. C:\CBH\ 17:19:02 User 0 - Allowed: Change Dir. C:\CBH\ 17:19:39 User 0 - Allowed: FCB Rename. C:\CBH\SPC\EV.CFG 17:20:15 User 2 - Allowed: Open. C:\AUTOEXEC.BAT 17:20:15 User 2 - Allowed: Open. C:\AUTOEXEC.BAT 17:20:27 User 2 - NotAlwd: Create. A:\AUTOEXEC.BAT 17:20:53 User 2 - Allowed: Change Dir. C:\DOC\ 17:21:08 User 2 - Allowed: FCB Delete. C:\JNK 17:21:41 User 1 - ═══════ RE-BOOT on 4-04-89 17:21:41 User 1 - Allowed: Open. C:\AUTOEXEC.BAT 17:21:41 User 1 - Execute: ExecPrgm. C:\SAV-DTAB.COM End of log file. A small portion of each line was deleted so that it would fit on one line in this document. This portion indicates if files were opened with write access, etc. The above sampescribed on page 29 to produce a file similar to the sample above. ACCESS.SYS is created as a locked file. The administrator can unlock this file by using the command FLUSHLOG /U. For more information on locked files see "Locking and Unlocking PC-Vault related files" on page 21. USING THE PC-VAULT PROGRAM AFTER PC-VAULT IS INSTALLED Whenever you run the PC-Vault program on a machine on which PC- Vault is already installed, you will be asked to enter your password. When you enter a correct password, the appropriate main menu will be displayed. If you enter any user password the main menu will contain only the items to which users have access. You may then select any of the options shown. Each of these is described in detail in the preceding sections. Your selections will be effective immediately except for Alternate Keyboard/Clock Handling which become effective the next time the machine is booted. When the system is in LunchBreak, the password used to boot the computer or the administrator's password may be used to exit LunchBreak. The administrator may choose to allow any user name/password to exit LunchBreak as described on page 18. The permissions and capabilities normally associated with the password used to exit LunchBreak will then be in effect. If you hear a two-tone beep when exiting LunchBreak, there are recorded password violations. (Someone may have tried to get into your computer while you were away.) For information on how to view PC-Vault 4.6 Administrator's Manual - Page 28 the violations record, see the description of the VIOLS utility on page 33. USING PC-VAULT ON LIMITED SYSTEMS Some small hard disks which have been set up with older DOS versions or computer vendor proprietary versions of DOS do not allow PC-Vault to implement Maximum Floppy Boot Protection, or user names. On such systems, the words "Not Available" will be displayed with the "Maximum Floppy Boot Protection" option in the "Select Options" menu, and user names will not be displayed when the administrator is defining passwords (see Fig. 5). There will be no change in the way you use PC-Vault on such systems, but they will not be quite as secure. Using a later version of the DOS FDISK command to set up your hard disk will probably correct the problem. Setting up your disk with FDISK will destroy all of the data on your disk, and will require that you run the DOS FORMAT command to reformat your disk. YOUR PC-VAULT FILES This section describes each of the files on your PC-Vault distribution diskette, as well as those files created by PC-Vault during or after installation. - ACCESS.SYS [+ Only] This PC-Vault Plus file is not on your diskette. It is created in the root directory of your first (or only) hard drive at any time it does not already exist and there are log entries to be written. This file is used by the LOG utility to generate the user readable log. The LOG utility is described below. - BRK-CNTL.COM This program is used to enable/disable Ctrl-Break, Ctrl-C, and Alt-NumericPad3 at any time after your computer is booted. The system administrator can prevent users from breaking out of the AUTOEXEC file during system boot. This program can be placed in the AUTOEXEC file to re-enable breaks. Use BRK-CNTL ON to enable breaks and BRK-CNTL OFF to disable them. Resident programs, such as some of the DOS keyboard utilities for various languages which completely take over the keyboard interrupt, will cause your machine to recognize breaks even when you have them disabled. They will also prevent PC-Vault from PC-Vault 4.6 Administrator's Manual - Page 29 "knowing" when you are typing on your keyboard. Thus, if you have selected the automatic LunchBreak feature, PC-Vault may go into LunchBreak right while you are typing. To prevent both of these anomalies you may also use the optional RES parameter. This will direct BRK-CNTL to remain resident. For example, BRK-CNTL ON RES will enable breaks and cause BRK-CNTL to remain resident. The RES parameter should be used after the resident program which takes over the keyboard and should be used only once per system boot. - CLEANDSK.DRV This file is a device driver. It is not on your PC-Vault diskette, but is created on your hard disk when you install PC- Vault. It will be automatically deleted when you remove PC- Vault. THIS FILE MUST NOT BE DELETED IN ANY OTHER WAY BECAUSE YOUR COMPUTER WILL NOT BOOT FROM ITS HARD DRIVE UNLESS IT IS PRESENT. - EXEC.COM This program allows the system administrator to execute a program for a user and prevent the user from escaping to the DOS prompt or executing any other program. Typically, EXEC would be placed in the AUTOEXEC.BAT file to call a program such as 123, DBase, or WordPerfect into execution. The EXEC command line has the form: EXEC [/R] [/Ln] [/Tn] drive:\fullpathname\prog.ext param-list The square brackets indicate the three optional parameters (or switches). Do not enter the []. For example, placing the following lines in the AUTOEXEC.BAT file will force users (but not the administrator) into WordPerfect to begin editing file LETTER.FRM. The WordPerfect "Go to DOS" command will not work. . . WHO IF NOT ERRORLEVEL 1 GOTO ADM EXEC C:\WPERF\WP.EXE LETTER.FRM :ADM . . PC-Vault 4.6 Administrator's Manual - Page 30 Note that you must give the drive, full path and complete name of the program you wish to execute. In the above example the program is WP.EXE in directory \WPERF on drive C:. See the description of the WHO utility below for more information. The /R parameter cause the program being executed (WP.EXE in the example above) to be restarted if it terminates. Thus if you use EXEC /R C:\WPERF\WP.EXE LETTER.FRM and the user terminates WP.EXE, it will be immediately re- started. Occasionally it is necessary for a program to start and execute another program. This is called a child program. The /Ln parameter allows the program started by EXEC to execute another program, which may execute another program, etc. to a depth of n levels. Thus if EXEC /L1 started a menu program (level 0), the menu program could execute any number of other programs (all at level 1). The level 1 programs started by the menu program could not execute any other programs because a depth of level 2 would not be allowed. The n may be any number from 0 (the default) through 9. The /Tn parameter allows a total of n programs to be executed, additional execution attempts will fail. The n may be any number from 0 (the default) through 9. This parameter is necessary to start Windows 3.1, for example, because it asks DOS to execute 2 or 3 programs (Standard or 386 modes) during its startup. Once started Windows could execute any number of Windows programs, but no DOS programs since that would exceed the selected value of a properly chosen n. - FLUSHLOG.COM [+ Only] This PC-Vault Plus utility causes any log entries remaining in memory to be written out to the ACCESS.SYS file as described in the section on log control on page 25. ACCESS.SYS is created as a locked file. The administrator may use the command FLUSHLOG /U to unlock ACCESS.SYS and write any remaining log entries to it. - FPERMF.INF [+ Only] This file is re-created whenever PC-Vault Plus directory access permissions are changed and is not deleted when PC-Vault Plus is removed. It will be used to recover the directory permissions the next time you install. - LOG.EXE [+ Only] This PC-Vault Plus utility is used to read the log file produced by PC-Vault Plus and generate a user readable log or journal of PC-Vault 4.6 Administrator's Manual - Page 31 the users' activity. A sample of the output from this utility is shown in the section on log control on page 25. To use this utility enter LOG in-file-name out-file-name at the DOS prompt. For example one might use the commands FLUSHLOG RENAME C:\ACCESS.SYS OLDLOG LOG OLDLOG PRN to flush any log entries remaining in memory to the disk, ensure (by renaming) that no new log entries will be added to the file, and write a user readable log of system activity to the printer. 4DOS users please note that LOG is an internal command to 4DOS so you will need to type drive:\path\LOG. - LOGOFF.COM The LOGOFF utility provides a means for one user to log off and another to log on without having to re-boot the computer. For PC-Vault Plus, this file should be placed in a directory having EXEC permission for all users. Typing LOGOFF at the DOS prompt will clear the screen, and display a box requesting the user to press any key to begin the logon process. When a key is pressed, the boot time logon screen will be displayed. Any valid user password will be accepted. PC-Vault will then control the machine just as though the corresponding user had booted it. - MEM-STAT.SYS and/or MEM_STAT.SYS These small files contain information about the state of your hard disk(s) before the first installation of PC-Vault. They can be used for disaster recovery, and have allowed us to help users to recover from a number of problems which had nothing to do with PC-Vault. If they do not already exist, these files are created when PC- Vault installs but are not deleted when PC-Vault is removed. We suggest that you allow them to remain on your disk if you may re- install PC-Vault at a later time. Please do not copy them from one hard disk to another. - PC-VAULT.EXE This is the main PC-Vault program and is described in the preceding sections of this manual. - PCVCRYPT.COM PC-Vault 4.6 Administrator's Manual - Page 32 PcvCrypt allows you to encrypt or decrypt one or more files using a key of your choice. It will optionally overwrite (wipe) the disk space formally occupied by the file you encrypted or decrypted. You may use PcvCrypt by entering the following command at the DOS prompt: PCVCRYPT /direction /K=key /W filespec1 filespec2 ... When you enter a PcvCrypt command, you will actually type the upper case letters shown. You will replace the lower case letters with specific values as follows: direction E to encrypt, or D to decrypt key A three to eight character key. Keys may contain letters, numbers, and the characters - = * , . and ?. Keys are not case sensitive. /W This optional parameter may be placed before any filespec in the list. All files following the /W will be wiped. filespecn File(s) to be encrypted/decrypted. Filespecs may contain a drive, a path and wild cards in the file name. Here are some examples of valid PcvCrypt commands: PCVCRYPT D K=WHOKNOWS SECRET.BIG pcvcrypt d k=whoknows secret.big PcvCrypt d K=WhoKnows secret.big PcvCrypt e K=Shhh /W secret*.* *.ans c:\priv\letters\*.* PcvCrypt e K=Shhh secret*.* /W *.ans c:\priv\letters\*.* Since PcvCrypt is not case sensitive, all three commands in the first group are considered identical. They each decrypt a file named SECRET.BIG using WHOKNOWS as the encryption key. The two commands in the second group encrypt all files in the current drive and directory whose names begin with SECRET or end with .ANS. They also encrypt all files that are in the \PRIV\LETTERS directory on drive C. The first command wipes all of the disk areas containing the unencrypted data. The second wipes only the unencrypted data that was in *.ANS and C:\PRIV\LETTERS\*.*. PC-Vault 4.6 Administrator's Manual - Page 33 You will be prompted to enter any of the required parameters which are missing from the command line. While PC-Vault must be installed when using PcvCrypt, PcvCrypt keys are entirely separate from PC-Vault passwords. You may make up any key you wish to encrypt a file. When decrypting a file you MUST supply the same key that was used to encrypt the file. If you cannot remember the key used to encrypt your file, IT CANNOT BE DECRYPTED and the data will be PERMANENTLY LOST. If you omit K=, you will be prompted to enter it. When you are entering a key in response to a prompt, your PC-Vault selection controlling what is displayed during password definition will also control what is displayed as you enter your key. If you have requested that actual characters be displayed, you will be asked to enter your key twice. If you have requested that asterisks or nothing at all be displayed, you will be asked to enter it three times. Each time PcvCrypt encrypts or decrypts a file (called the source file), it creates a temporary file named PCVCRYPT.TMP in the same directory as the source file and encrypts or decrypts the source file to the temporary file. If wipe has been requested, the area occupied by the source file is then overwritten. The source file is deleted and the temporary file is renamed to the same name as the source file. The last modification date and time of the original source file is preserved. This is the date and time displayed when you use the DOS DIR command. If you are using PC-Vault Plus, you must have write permission in the directory containing the files to be encrypted or decrypted. - SET-TIME.COM With this program you can: Set the keyboard/mouse idle time from a batch file, Re-enable LunchBreak after automatic logon, Place the machine into LunchBreak immediately, and Eliminate incompatibilities caused by other programs. To set the idle time from a batch file or from the DOS prompt, use the command: SET-TIME time where time is any value between 3 and 61 minutes (or the maximum allowed by the system administrator). For more information on automatic LunchBreak see "Selecting Automatic LunchBreak" on page 22. To place the computer into LunchBreak immediately, use SET-TIME 0 from the DOS prompt or from a batch file. This will not alter the maximum keyboard idle time setting. To return the idle time to the current default (selected from the PC-Vault main menu), use the command: SET-TIME D. PC-Vault 4.6 Administrator's Manual - Page 34 - VIOLS.COM PC-Vault records each unsuccessful attempt to enter a password or a user name/password combination. Such attempts are called "violations". When a correct password is entered, PC-Vault erases the record of any violations which occurred during the immediately preceding two or three minutes. This prevents recording "typos" made by a valid user. The record of each violation contains the user number of the name entered (if any), and the date and time of the violation. When booting the computer, the DOS clock has not yet been set, so we must use the hardware clock. Since XT class machines do not have a standard hardware clock, we cannot record the times on these machines. We do, however, keep a record of each violation. This program has three separate functions related to password entry violations. One, two or all three of the functions may be used on a single execution of VIOLS.COM. The command: VIOLS /L=FileName /C /R will perform all three functions. The "/L" will generate a report of any recorded violations and give the date and time that you last logged on. If a date and time when you know you weren't on the computer are displayed, it is an indication that someone else may know your password. If "=FileName" is present, the report will be written to the file specified by "FileName". If it is not present the report will be written to the screen. The "/C" will remove (clear) all entries from the violation record. If both /L and /C are present, the record will be cleared after the report is generated. The "/R" will cause VIOLS.COM to remain resident. This should not be done more than once per system boot. Violations during LunchBreak will not be recorded unless VIOLS is resident. In addition, the alarm and Lockout features will not work during LunchBreak unless VIOLS is resident. VIOLS terminates with a DOS error level of 8 if an error occurs, an error level of 4 if violations are reported, and 0 otherwise. The following statements in your AUTOEXEC.BAT file would automatically install VIOLS as resident and alert the user to any previous violations: VIOLS /L /R IF NOT ERRORLEVEL 4 GOTO CONTINUE ECHO WARNING --- Violations are listed above PAUSE PC-Vault 4.6 Administrator's Manual - Page 35 :CONTINUE - VMOUSE.COM This utility causes the automatic LunchBreak feature to treat mouse activity as keyboard activity. It also prevents anyone from using the mouse while your computer is in LunchBreak. VMOUSE should be loaded after your mouse driver. If your mouse driver is a device driver (commonly MOUSE.SYS or MSCMOUSE.SYS) place a VMOUSE statement near the beginning of your AUTOEXEC.BAT file. If your mouse driver is loaded from your AUTOEXEC.BAT file, place the VMOUSE statement immediately after the statement that loads your mouse driver. NOTE: PC-Vault Windows Support provides these capabilities while Windows is running. Thus if you use your mouse only while you are in Windows, you do not need to use VMOUSE. - WHO.COM This utility allows the AUTOEXEC or other batch files to do different things for different users. WHO will always return the user number as a DOS error level, or will return an errorlevel of 255 if PC-Vault is not installed. In addition WHO /L will display the name of the user, and WHO /E will set the DOS environment variable PCVU to the name of the current user. (Any spaces in the name will be deleted.) For more information on DOS errorlevels and environment variables and IF statements, please see your DOS manual. The error level facility of the WHO program may be used by structuring your AUTOEXEC file as shown in the following example. Upper case characters indicate actual lines of the AUTOEXEC file. . . commands common to all users . . WHO IF ERRORLEVEL 3 GOTO ERROR IF ERRORLEVEL 2 GOTO USER2 IF ERRORLEVEL 1 GOTO USER1 . . commands to be executed when the administrator's password was used. . . GOTO COMMON :USER1 PC-Vault 4.6 Administrator's Manual - Page 36 . . commands for user 1 . . GOTO COMMON :USER2 . . commands for user 2 . . GOTO COMMON :ERROR . . commands to be used when PC-Vault is not installed or User 3 or above logged on. . . :COMMON . . commands common to all users The environment variable facility may be used as follows: WHO /E IF %PCVU%==TheBoss GOTO SomeLabel IF %PCVU%==User2 GOTO SomeOtherLabel - WIPE.COM When you use the DOS ERASE or DEL commands to delete a file, DOS merely changes the first letter of the file name to a special character. The special character indicates that the file has been deleted and that its directory entry and disk space can be reused when they are needed. That is why files can be so easily unerased. Even after the directory entry is reused, many programs can search currently unused disk areas looking for the "deleted" information. The WIPE utility provides a secure method of deleting files. WIPE overwrites the data so that it can no longer be recovered. It then clears the file name, date, length and starting disk location from the directory entry. The format of the WIPE command is: WIPE filespec1 filespec2 filespec3 .... or, PC-Vault 4.6 Administrator's Manual - Page 37 WIPE or, WIPE /? Each file spec may include a drive and a path in addition to a file name. You may list up to 50 filespecs on the command line. If you give no filespecs, you will be prompted for them. If you use the /? as in the third format shown above, a help screen will be displayed. OPTIONAL PC-VAULT FILES These programs, available separately, are designed to work with PC-Vault. HELPUSER.COM This optional utility allows a corporate security officer (CSO) to grant access to a PC-Vault protected computer on a one time basis. The CSO does not need to know any passwords, does not need to be physically present, and cannot grant access to another organization's computers. For more information see "The HELPUSER Program" on page 8. LOGO.EXE This optional utility allows the system administrator to design the appearance of the screen when the system is booted. Our standard logo may be completely replaced with one of your own design. The use of color is supported. For more information see "The Logo Program" on page 8. IN CASE OF DIFFICULTY The fastest way to solve most problems is to review the appropriate section(s) of this manual. If the problem might be a conflict with other resident software, try renaming your AUTOEXEC.BAT file to another name such as AUTOEXEC.1, and then rebooting your computer. If the problem disappears, rename the AUTOEXEC file back to its original name and then remove statements one at a time until the conflicting software is identified. Call for technical support if more help is needed. PC-Vault 4.6 Administrator's Manual - Page 38 In the event that you should need technical support please: 1. Corporate customers using PC-Vault on a large number of computers are supported ONLY through their corporate PC support staff. We will provide technical assistance to them as needed. 2. Contact us by phone (804) 872-9583, or call our BBS at (804) 877-6261. Foreign customers only may also FAX us at (804) 874-8090. 3. Please be prepared to provide: a. Your serial number, b. The dates and times shown by doing a DIR of the PC-Vault diskette, c. The EXACT text of any error messages displayed, d. The selection status of each item in the Options menu, e. The value of each item in the Limits menu, and f. As much information about your system as possible such as brand, model, hard disk(s), video cards, DOS version, resident software, content of your AUTOEXEC.BAT and CONFIG.SYS files, etc. If you do not have this information available when you call, we will most likely be unable to provide correct answers or solutions, and we may have to request that you call again with more complete information. 4. If at all possible, call when you are at the computer in question. We can most often resolve a problem immediately if you can be at the computer while we are talking together. PC-Vault 4.6 Administrator's Manual - Page 39 HOW TO ORDER PC-VAULT PC-Vault version 4.6 may be ordered from: Johnson Computer Systems, Inc. 20 Dinwiddie Place Newport News, VA 23602 Voice (804) 872-9583 FAX (804) 874-8090 BBS (804) 877-6261 We accept: Your personal or company check with your order, Money Orders, Purchase orders over $50.00 (Net 30 days), VISA or MasterCard, and COD orders (USA only). Orders are usually shipped within one working day, but may occasionally take longer. The price of PC-Vault consists of the following: 1. A license fee which is dependent on the number of computers on which you wish to have PC- Vault concurrently installed: No. of Concurrent PC-Vault License PC-Vault Plus Installations per Computer per Computer 1 - 5 30.00 90.00 6 - 15 26.00 75.00 16 - 99 22.00 55.00 100 - 999 18.00 Call 1000 - Up 15.00 Call 2. A media fee of $8.00 ($12.50 outside the U.S. and Canada) for each PC-Vault diskette and bound manual you wish us to ship to you. We only require you to buy one diskette and manual. 3. There is an additional $5.00 collection fee for Canadian checks not payable through a U.S. bank and a $15.00 fee for electronic fund transfers. All other foreign checks MUST be payable through a U.S. bank. We pay shipping via First-Class air mail to all locations. Add actual shipping costs for other carriers. Overnight service is also available. All prices are subject to change without notice. Our warranty and your return privileges are in the "Limited Warranty" and "License Agreement" located just prior to the table of contents. PC-Vault 4.6 Administrator's Manual - Page 40 PC-VAULT ORDER FORM To: Johnson Computer Systems, Inc. 20 Dinwiddie Place Newport News, VA 23602 Voice (804) 872-9583 FAX (804) 874-8090 Please accept our order for PC-Vault version 4.6 as indicated below: ______ Concurrent Installations of PC-Vault $_________ ______ Concurrent Installations of PC-Vault Plus _________ ______ PC-Vault diskette(s) and printed manuals(s) _________ ($8.00 each, $12.50 outside U.S./Canada) ______ Logo ($50.00 per organization) _________ ______ HelpUser ($100.00 per organization) _________ Shipping charge - Free if we choose the method. _________ (See the preceding page.) Virginia State Sales Tax (Ship/Bill address in VA) _________ Total Order _________ Purchase Order _________________________ Date __________________ Company Name ____________________________________________________ Attention _______________________________________________________ Dept./Mail Stop _________________________________________________ City, State, Zip ________________________________________________ Phone: Voice ______________________ FAX ________________________ Credit card: VISA MasterCard Name on Card ___________________________________________________ Card Number ______________________________ Expires: ___________ PC-Vault 4.6 Administrator's Manual - Page 41 ╔═══════════════════════════════════════════════════════════════╗ ║ PC-Vault Hard Disk Protection System - Version 4.5+ ║ ║ (C)Copyright 1987,92 by Johnson Computer Systems, Inc. ║ ║ 20 Dinwiddie Place, Newport News VA. (804) 872-9583 ║ ║ ║ ║ ║ ║ PC-Vault Pre-Installation Setup ║ ║ ║ ║ You have chosen the pre-installation set up option. The ║ ║ selections you make will be recorded in the PC-Vault main ║ ║ program on the diskette in drive A:. When you use that copy ║ ║ of the program to install PC-Vault, you will be installing it ║ ║ with your selections already in effect. ║ ║ ║ ║ The next screen will display a list (menu) of the selections ║ ║ you can make. If you use the cursor control keys to move the ║ ║ marker to any item and press the ? key, additional ║ ║ information about that item will be displayed. (This is true ║ ║ for all PC-Vault menus.) ║ ║ ║ ║ Please place the diskette containing the copy of PC-VAULT to ║ ║ be modified in drive A: and then press any key. ║ ║ ║ ║ Do NOT use your original PC-Vault diskette. ║ ║ ║ ╚═══════════════════════════════════════════════════════════════╝ Fig. 1 - Pre-installation Notice ╔═════════════════════════════════════════════════════════════╗ ║ PC-Vault Hard Disk Protection System - Version 4.6 ║ ║ ║ ║ ║ ║ Are you CERTAIN the diskette in drive A is a COPY? ║ ║ ║ ║ Please press Y or N. ║ ║ ║ ╚═════════════════════════════════════════════════════════════╝ Fig. 2 - Pre-installation Warning ╔═════════════════════════════════════════════════════════════╗ ║ PC-Vault Hard Disk Protection System - Version 4.6 ║ ║ ║ ║ An administrator password has already been assigned to this ║ ║ file. You must enter that password to make additional ║ ║ changes. ║ ║ ║ ║ Do you wish to continue? (Please enter Y or N) ║ ║ ║ ╚═════════════════════════════════════════════════════════════╝ Fig. 3 - Pre-installation Password Request ╔═══════════════════════════════════════════════════════════════╗ ║ ║ ║ PC-Vault Pre-Installation Setup Menu ║ ║ ║ ║ Please press the LETTER in front of the option you wish. ║ ║ ║ ║ E. END this program. ║ ║ ║ ║ H. HOW to use this menu. ║ ║ ║ ║ R. RECORD your choices for later use. ║ ║ ║ ║ P. Define original PASSWORDS and names. ║ ║ ║ ║ O. Select OPTIONS. ║ ║ ║ ║ S. SET limits. ║ ║ ║ ║ K. Define HOT Key. ║ ║ ║ ║ L. LOCK files during installation. ║ ║ ║ ║ W. Choose WHO will install PC-Vault. ║ ║ ║ ╚═══════════════════════════════════════════════════════════════╝ Fig. 4 - Pre-Installation Main Menu ╔══════════════════════════════════════════════════════════════╗ ║ PC-Vault Hard Disk Protection System - Version 4.6 ║ ║ (C)Copyright 1988 by Johnson Computer Systems, Inc. ║ ║ 20 Dinwiddie Place, Newport News VA. (804) 872-9583 ║ ║ ║ ║ ║ ║ PC-Vault is not installed on this computer. ║ ║ ║ ║ ║ ║ Please press the LETTER in front of the option you wish. ║ ║ ║ ║ E. END this program. ║ ║ ║ ║ H. HOW to use this menu. ║ ║ ║ ║ I. INSTALL PC-Vault. ║ ║ ║ ║ ║ ╚══════════════════════════════════════════════════════════════╝ Fig. 5 - PC-Vault Installation Menu ╔═══════════════════════════════════════════════════════════════╗ ║ PC-Vault Administrator's Main Menu ║ ║ Please press the LETTER in front of the option you wish. ║ ║ ║ ║ E. END this program. ║ ║ H. HOW to use this menu. ║ ║ W. Install WINDOWS support. ║ ║ ║ ║ P. Change PASSWORD, Set display attributes. ║ ║ O. Select OPTIONS. ║ ║ S. SET Limits. ║ ║ ║ ║ L. LOCK PC-Vault related files. ║ ║ U. UNLOCK PC-Vault related files. ║ ║ A. ACCESS fixed disk after diskette boot. ║ ║ ║ ║ R. REMOVE PC-Vault from this computer. ║ ║ K. Define new hot KEY combination. ║ ║ T. Set keyboard idle TIME. ║ ║ ║ ║ D. Control DIRECTORY access by user. ║ ║ I. Control I/O PORT access by user. ║ ║ F. Select FILE accesses to be logged. ║ ║ ║ ╚═══════════════════════════════════════════════════════════════╝ Fig. 6 - PC-Vault Plus Administrator's Main Menu ╔═══════════════════════════════════════════════════════════════╗ ║ PC-Vault Name and Password Definition ║ ║ ║ ║ Please press: ║ ║ ║ ║ 0-12 to change a password and/or name. ║ ║ E to set password lifetimes, after which they EXPIRE. ║ ║ W to choose WHO can change expired passwords. ║ ║ R to set the number different passwords REQUIRED. ║ ║ D to choose char DISPLAYED when defining a password. ║ ║ Enter to return to the main menu. ║ ║ ? for help. ║ ║ ║ ║ Allowed to change expired passwords: Administrator, User ║ ║ Displayed during password definition: Actual Characters ║ ║ ║ ║ User Name Days Recycle User Name Days Recycle ║ ║ 0. Admin 0 0 7. User 7 0 0 ║ ║ 1. User 1 0 0 8. User 8 0 0 ║ ║ 2. User 2 0 0 9. User 9 0 0 ║ ║ 3. User 3 3 2 10. User 10 0 0 ║ ║ 4. User 4 0 0 11. User 11 0 0 ║ ║ 5. User 5 0 0 12. User 12 0 0 ║ ║ 6. User 6 0 0 ║ ║ ║ ║ Please enter your selection: ║ ║ ║ ╚═══════════════════════════════════════════════════════════════╝ Fig. 7 - Administrator's Name/Password Selection Screen ╔═══════════════════════════════════════════════════════════════╗ ║ ║ ║ PC-Vault Name Definition ║ ║ ║ ║ ║ ║ The current name for this user is: Admin ║ ║ ║ ║ Press return to retain this name, or enter a new name: Tiny ║ ║ ║ ║ Please enter the new name again to be sure its correct: Tiny ║ ║ You may be required to enter this name to gain access. ║ ║ ║ ╚═══════════════════════════════════════════════════════════════╝ Fig. 8 - Change User Name Screen ╔══════════════════════════════════════════════════════════════╗ ║ ║ ║ PC-Vault Password Definition ║ ║ ║ ║ ║ ║ Passwords may be one to sixteen key strokes, and include ║ ║ letters, numbers, and the keys: space - = [ ] ; , . ║ ║ ║ ║ Case is not significant. Three special keys are: ║ ║ Backspace - Used to correct an error in the normal way. ║ ║ Return - Means, "Password entry is complete." ║ ║ Escape - Means, "I don't want to enter a password." ║ ║ ║ ║ ║ ║ Please enter new password and press return: SECRET-STUFF ║ ║ ║ ║ Your new password is defined. Whenever PC-Vault asks for ║ ║ your password, type it in and then press return. You MUST ║ ║ be able to enter it correctly. We suggest you use your ║ ║ print screen key and then keep it in a safe place. ║ ║ ║ ║ ║ ║ Please press any key to continue. ║ ║ ║ ╚══════════════════════════════════════════════════════════════╝ Fig. 9 - Password Definition Screen ╔═══════════════════════════════════════════════════════════════╗ ║ Administrator Options Selections Menu ║ ║ ║ ║ Please press the LETTER of the option you wish to change. ║ ║ ║ ║ E. END option selection and return to main menu. ║ ║ H. HOW to use this menu, how to get additional help. ║ ║ ║ ║ M. MAXIMUM floppy boot protection - Not Selected. ║ ║ D. DISPLAY password entry asterisks. - Selected. ║ ║ R. RELAXED MBR protection. - Not Selected. ║ ║ ║ ║ K. SIDEKICK compatibility mode. - Not Selected. ║ ║ C. CTRL-BREAK prohibited during boot. - Not Selected. ║ ║ T. TIME/Date change prohibited. - Not Selected. ║ ║ ║ ║ B. BLANK screen during LunchBreak. - Selected. ║ ║ F. FREEZE computer during LunchBreak. - Not Selected. ║ ║ A. ALL users may exit LunchBreak. - Selected. ║ ║ S. SPECIAL Display blanking - Not Selected. ║ ║ ║ ║ N. User NAMES are required. - Not Selected. ║ ║ N. USER may change his/her name. - Not Selected. ║ ║ ║ ╚═══════════════════════════════════════════════════════════════╝ Fig. 10 - Administrator's Options Menu ╔═══════════════════════════════════════════════════════════════╗ ║ ║ ║ Administrator Limits Selection Menu ║ ║ ║ ║ Please press the LETTER of the option you wish to change. ║ ║ ║ ║ E. END limit selection and return to main menu. ║ ║ ║ ║ H. HOW to use this menu, how to get additional help. ║ ║ ║ ║ I. Maximum keyboard IDLE time (minutes). - Currently 61 ║ ║ ║ ║ P. Minimum number of PASSWORD characters. - Currently 0 ║ ║ ║ ║ A. Maximum invalid logons before ALARM. - Currently 5 ║ ║ ║ ║ L. Maximum invalid logons before LOCKOUT. - Currently 0 ║ ║ ║ ║ S. SECONDS to wait before auto logon. - Currently 0 ║ ║ ║ ║ K. Alternate KEYBOARD/clock handling - Currently 0 ║ ║ ║ ║ ║ ╚═══════════════════════════════════════════════════════════════╝ Fig. 11 - Administrator's Limits Selection Screen ╔══════════════════════════════════════════════════════════════╗ ║ PC-Vault Hard Disk Protection System - Version 4.6 ║ ║ ║ ║ You may now select the keys which will cause your computer's ║ ║ screen to blank (if selected) and your keyboard to lock ║ ║ until you enter your password. ║ ║ ║ ║ Please press any two or more of the following keys: ║ ║ ║ ║ Left Shift Right Shift Alt Ctrl ║ ║ ║ ║ Hold them down until you hear a two tone beep and you are ║ ║ asked to release them. You will have to hold the keys down ║ ║ approximately four seconds. ║ ║ ║ ╚══════════════════════════════════════════════════════════════╝ Fig. 12 - Hot Key Selection Screen ╔═════════════════════════════════════════════════════════════╗ ║ PC-Vault Hard Disk Protection System - Version 4.6 ║ ║ ║ ║ You may request that your machine automatically go into the ║ ║ LunchBreak state if the keyboard is idle for a specified ║ ║ time period. You may select a time period from 3 to 61 ║ ║ minutes. ║ ║ ║ ║ A time of 61 minutes means that automatic LunchBreak will ║ ║ never occur. ║ ║ ║ ║ The current keyboard idle time is 5 minutes. ║ ║ ║ ║ Please enter new keyboard idle time in minutes: ║ ║ ║ ╚═════════════════════════════════════════════════════════════╝ Fig. 13 - Maximum Idle Time Selection Screen ╔════════════════╦═══════════════╦══════════════╦═══════════════╗ ║ Directory/Area ║ User 1 ║ User 2 ║ User 2 ║ ║ ║EXE/COM│ Other ║EXE/COM│ Other║EXE/COM│ Other ║ ╠════════════════╬═══════╪═══════╬═══════╪══════╬═══════╪═══════╣ ║Diskette Access ║ R-W-X │ R-W-X ║ ----- │ -----║ ----- │ ----- ║ ╟────────────────╫───────┼───────╫───────┼──────╫───────┼───────╢ ║HardDisk Abs I/O║ ----- │ R-W-- ║ ----- │ -----║ ----- │ ----- ║ ╟────────────────╫───────┼───────╫───────┼──────╫───────┼───────╢ ║New Level 1 Dirs║ R-W-X │ R-W-X ║ ----- │ -----║ ----- │ ----- ║ ╟────────────────╫───────┼───────╫───────┼──────╫───────┼───────╢ ║C:\ ║ R-W-X │ R-W-X ║ ----- │ -----║ ----- │ ----- ║ ╟────────────────╫───────┼───────╫───────┼──────╫───────┼───────╢ ║C:\4DOS ║ R-W-X │ R-W-X ║ ----- │ -----║ ----- │ ----- ║ ╟────────────────╫───────┼───────╫───────┼──────╫───────┼───────╢ ║C:\ACR ║ R-W-X │ R-W-X ║ ----- │ -----║ ----- │ ----- ║ ╟────────────────╫───────┼───────╫───────┼──────╫───────┼───────╢ ║C:\ARCH ║ R-W-X │ R-W-X ║ ----- │ -----║ ----- │ ----- ║ ╟────────────────╫───────┼───────╫───────┼──────╫───────┼───────╢ ║C:\ASP ║ R-W-X │ R-W-X ║ ----- │ -----║ ----- │ ----- ║ ╟────────────────╫───────┼───────╫───────┼──────╫───────┼───────╢ ║C:\ASSEM ║ R-W-X │ R-W-X ║ ----- │ -----║ ----- │ ----- ║ ╟────────────────╫───────┼───────╫───────┼──────╫───────┼───────╢ ║C:\BRIEF ║ R-W-X │ R-W-X ║ ----- │ -----║ ----- │ ----- ║ ╚════════════════╩═══════╧═══════╩═══════╧══════╩═══════╧═══════╝ Press F1 to for help. Fig. 14 - Directory Access Control Table ╔═══════════════════════════════════════════════════════════════╗ ║ ║ ║ ╔═══════════════════════════════════════════════════════════╗ ║ ║ ║ Port Control ║ ║ ║ ╠═══════════╤═══════════╤═══════════╤═══════════╤═══════════╣ ║ ║ ║ User 1 │ User 2 │ User 3 │ User 4 │ User 5 ║ ║ ║ ╟───────────┼───────────┼───────────┼───────────┼───────────╢ ║ ║ ║ P-1-2-3-4 │ P-1-2-3-4 │ P-1-2-3-4 │ P-1-2-3-4 │ P-1-2-3-4 ║ ║ ║ ╚═══════════╧═══════════╧═══════════╧═══════════╧═══════════╝ ║ ║ ║ ║ Press: Right/Left cursor keys to select a user. ║ ║ P - to toggle access to parallel ports. ║ ║ 1 - to toggle serial port COM1. ║ ║ 2 - to toggle serial port COM2. ║ ║ 3 - to toggle serial port COM3. ║ ║ 4 - to toggle serial port COM4. ║ ║ A - to select all of the above (P, S) ║ ║ N - to select none of the above (P, S) ║ ║ Alt with one of the above makes it apply to all users ║ ║ Esc to save your choices, go to main menu. ║ ║ ║ ║ If there is a serial mouse, you may wish to grant access to ║ ║ its COM port. Remember that a user may be able to install ║ ║ another device there. ║ ║ ║ ╚═══════════════════════════════════════════════════════════════╝ Fig. 15 - I/O Port Control Table ╔═════════════════════════════════════════════════════════════╗ ║ PC-Vault Hard Disk Protection System - Version 4.6+ ║ ║ ║ ║ ╔═════════════════════════════════════════════════╗ ║ ║ ║ Log Control ║ ║ ║ ╠═════════╤═════════╤═════════╤═════════╤═════════╣ ║ ║ ║ Admin │ John T. │ User 2 │ User 3 │ User 4 ║ ║ ║ ╟─────────┼─────────┼─────────┼─────────┼─────────╢ ║ ║ ║ ----- │ D-X-- │ D-X-O │ D---- │ D---- ║ ║ ║ ╚═════════╧═════════╧═════════╧═════════╧═════════╝ ║ ║ ║ ║ Press: Right/Left cursor keys to select a user. ║ ║ D - to toggle logging of denied accesses. ║ ║ X - to toggle logging of programs executed. ║ ║ O - to toggle logging of all other accesses. ║ ║ A - to select all of the above (D, X, F). ║ ║ N - to select none of the above (D, X, F). ║ ║ Esc to save your choices, go to main menu. ║ ║ ║ ╚═════════════════════════════════════════════════════════════╝ Fig. 16 - Logging Control Table