Is there a gaping hole in the MS policy model?

  1. #1
    Senior Member roswell1329's Avatar
    Join Date
    Jan 2002
    Posts
    670

    Is there a gaping hole in the MS policy model?

    I haven't seen too much documentation on the effective use of the Windows 95/98 policy model (even though I AM a Win98 MCP). I know how to implement them, and from what I've been able to accomplish through just playing around it seems to me that you should be able to make a fairly secure Windows 95/98 machine with an effective use of the BIOS password, and using the Windows 95/98 policies and profiles. Based on a user profile, you can lock the box down to nothing but a disabled Start Menu and a blank desktop. I haven't heard too much hoopla (positive or negative) about the effectiveness of this configuration, however. Can anyone tell me any cons to the policies/profiles method?
    /* You are not expected to understand this. */

  2. #2
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    I've never done it with win9x. I have however extensively used the policy editor in win2k and XP. I worked a contract for the Olympics this past year where we managed about a hundred desktops in the village and they were all locked way down. Basically a start button with about 5 different options and that is it. Disable the ability to download anything from the web and the machines are pretty much locked, with no ability to install programs.

    I would guess that you can pretty easily get around policies in Win9x. It might keep the computer illiterate from doing things, but like most things Win9x related, a little knowledge and you can get around anything.

  3. #3
    Senior Member roswell1329's Avatar
    Join Date
    Jan 2002
    Posts
    670
    That's what I'm wondering. The Windows 9x policies and profiles scheme is much like the win2k scheme in terms of configuration and policy syntax. I would like to know what the concerns are for the Win9x implementation in terms of security standards (other than the share-password / user-password model difference).
    /* You are not expected to understand this. */

  4. #4
    Banned
    Join Date
    Jun 2002
    Posts
    101
    Once I had to reset the BIOS on a winME box I had in a corner when I enabled a BIOS password and then it wouldn't let me type in the password.

  5. #5
    Senior Member roswell1329's Avatar
    Join Date
    Jan 2002
    Posts
    670
    Let's hope that's not typical behavior for most BIOS', cyb3rn3tik.

    /* You are not expected to understand this. */

  6. #6
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    Originally posted here by roswell1329
    That's what I'm wondering. The Windows 9x policies and profiles scheme is much like the win2k scheme in terms of configuration and policy syntax. I would like to know what the concerns are for the Win9x implementation in terms of security standards (other than the share-password / user-password model difference).
    Well it is those things and also the lack of file level security. It is almost impossible to properly enforce policies without file level access controls. Also the fact that win9x will allow a user to access the machine without having credentials assigned via login.

    In NT, 2k or XP I can force you to have to login, and then I can force a policy upon your session, and also control what files you can execute, view, etc. This type of access control is not available at all in Win9x. Which is not really a shortcoming of the OS. Win95 was in development before the internet became so popular; most internet access of the time was through dial-up shell accounts. PPP access was just becoming popular at the time that 95 was released.

  7. #7
    Senior Member
    Join Date
    Dec 2001
    Posts
    884
    Just remember folks: There are other 3rd-party programs that will do what you're trying to do and more. Just look around, cuz there's some really good crap that some places use to lock down systems. I've not worked with what you're speaking of very very much, but back in the Win95 day I did mess a little and it's not nearly as manageable as a lot of other software out there.

  8. #8
    Senior Member
    Join Date
    Apr 2002
    Posts
    712
    One of my favorite MS quotes out of my randsig quote file:

    Code:
    "We have always been quite clear that Win95 and Win98 are not the systems
     to use if you are in a hostile security environment. We recommend Windows
     NT for those environments."           -- Paul Leach <paulle@MICROSOFT.COM>
    Or the other infamous GNU quote:

    Code:
    "Windows 95: n. 32 bit extensions and a graphical shell for a 16 bit patch
     to an 8 bit operating system originally coded for a 4 bit microprocessor,
     written by a 2 bit company that can't stand 1 bit of competition."
             - Gnu-Win32/CygWin32 FAQ (http://www.cygnus.com/misc/gnu-win32)
    "Windows has detected that a gnat has farted in the general vicinity. You must reboot for changes to take effect. Reboot now?"

  9. #9
    Senior Member
    Join Date
    Dec 2001
    Posts
    884
    Hehe, my ex-chemistry teacher had that last one about the 32-16-8 etc posted in the front of the room. He absolutely hated Windows, hehe.

  10. #10
    Senior Member roswell1329's Avatar
    Join Date
    Jan 2002
    Posts
    670
    Well it is those things and also the lack of file level security. It is almost impossible to properly enforce policies without file level access controls. Also the fact that win9x will allow a user to access the machine without having credentials assigned via login.
    Very true. Access to a system on ANY level (even a reduced access level) constitutes a breach in security. Generic accounts are a big no-no.

    We have always been quite clear that Win95 and Win98 are not the systems
    to use if you are in a hostile security environment. We recommend Windows
    NT for those environments. -- Paul Leach <paulle@MICROSOFT.COM>
    Also very true.

    Forgive me, AO...I stand very, very corrected.
    /* You are not expected to understand this. */
