Guest xamigax@gmail.com Posted November 30, 2007 Posted November 30, 2007 Hi there! I have to recycle 20 old PCs (from PII to PIV, 64Mo RAM at least each) into barcode readers. The society I have my mission in wants to have W98se on them (for many PCs won't be supporting more than this, plus we need USB to work for WiFi keys). I have set up a prototype wich is perfectly working for it's supposed to do. Here's the prototype description: Win98se + MSInstaller2.0 + IE5.5 + DotNet2.0 + barcode reader application (NOO_RemotePC, if anyone knows this) + WiFi USB drivers Since the company does NOT want users to do anything BUT barcode, I used POLEDIT to set up few restrictions (well, when I'm saying few that very much "understatement"!). I have set up two users: administrator: no restriction at all, of course. cbar: almost everything is forbiden (I can post the poledit settings) Since W98 logon also allow to "escape" from login, I managed (just can't remember how!) to copy cbar settings to the default user. So, as said before, the proto is working fine. Few people will have enough knowledge to tweak the security, for all users have access to is the keyboard & the mouse (I know F8 is still a solution while booting). My problem is that I am now struggling to have the same settings on the others machines. All machines are ready to work, but none of them is "secured". I wanted to know if anyone has any idea on how to duplicate the POLEDITed security from one PC to the others. My main trouble is the very large range of different machine: I tried to use Acronis TrueImage, but the machine reboot is then endlessly trying to add new hardware/drivers. Any help VERY welcome! Share & Enjoy, Manolo
Guest AlmostBob Posted November 30, 2007 Posted November 30, 2007 Re: POLEDIT 1 open poledit on the secure pc 2 save the settings to a policy (.pol) file 3a copy the .pol file to each pc's root folder 4a point the local poledit on each pc load from the policy file or 3b save the .pol file to an accessible network shared folder 4b point each network pc to that shared policy file 3b 4b is easier to maintain, and modify the policies There is a good howto on 'network policies on a stand alone computer' at microsoft. Go to http://www.dougknox.com for a regedit &.vbs script to force login, no escape key. -- -- -- -- -- -- Adaware http://www.lavasoft.de spybot http://www.safer-networking.org AVG free antivirus http://free.grisoft.com/ Etrust/Vet/CA.online Antivirus scan http://www3.ca.com/securityadvisor/virusinfo/scan.aspx Super Antispyware http://www.superantispyware.com/ Panda online AntiVirus scan http://www.activescan.com Panda online AntiSpyware Scan http://www.pandasoftware.com/virus_info/spyware/test/ Catalog of removal tools (1) http://www.pandasoftware.com/download/utilities/ Catalog of removal tools (2) http://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?CID=40387 Trouble Shooting guide to Windows http://mvps.org/winhelp2002/ Blocking Unwanted Parasites with a Hosts file http://mvps.org/winhelp2002/hosts.htm links provided as a courtesy, read all instructions on the pages before use Grateful thanks to the authors/webmasters _ <xamigax@gmail.com> wrote in message news:755f1e12-6d04-4e92-ac63-328fc3c00e26@i29g2000prf.googlegroups.com... > Hi there! > > I have to recycle 20 old PCs (from PII to PIV, 64Mo RAM at least each) > into barcode readers. > The society I have my mission in wants to have W98se on them (for many > PCs won't be supporting more than this, plus we need USB to work for > WiFi keys). > > I have set up a prototype wich is perfectly working for it's supposed > to do. > > Here's the prototype description: > Win98se + MSInstaller2.0 + IE5.5 + DotNet2.0 + barcode reader > application (NOO_RemotePC, if anyone knows this) + WiFi USB drivers > > > Since the company does NOT want users to do anything BUT barcode, I > used POLEDIT to set up few restrictions (well, when I'm saying few > that very much "understatement"!). > > I have set up two users: > administrator: no restriction at all, of course. > cbar: almost everything is forbiden (I can post the poledit settings) > > Since W98 logon also allow to "escape" from login, I managed (just > can't remember how!) to copy cbar settings to the default user. > > So, as said before, the proto is working fine. > Few people will have enough knowledge to tweak the security, for all > users have access to is the keyboard & the mouse (I know F8 is still a > solution while booting). > > My problem is that I am now struggling to have the same settings on > the others machines. > > All machines are ready to work, but none of them is "secured". > I wanted to know if anyone has any idea on how to duplicate the > POLEDITed security from one PC to the others. > > My main trouble is the very large range of different machine: I tried > to use Acronis TrueImage, but the machine reboot is then endlessly > trying to add new hardware/drivers. > > Any help VERY welcome! > > > Share & Enjoy, > Manolo
Guest MEB Posted December 1, 2007 Posted December 1, 2007 Re: POLEDIT <xamigax@gmail.com> wrote in message news:755f1e12-6d04-4e92-ac63-328fc3c00e26@i29g2000prf.googlegroups.com... | Hi there! | | I have to recycle 20 old PCs (from PII to PIV, 64Mo RAM at least each) | into barcode readers. | The society I have my mission in wants to have W98se on them (for many | PCs won't be supporting more than this, plus we need USB to work for | WiFi keys). | | I have set up a prototype which is perfectly working for it's supposed | to do. | | Here's the prototype description: | Win98se + MSInstaller2.0 + IE5.5 + DotNet2.0 + barcode reader | application (NOO_RemotePC, if anyone knows this) + WiFi USB drivers | | | Since the company does NOT want users to do anything BUT barcode, I | used POLEDIT to set up few restrictions (well, when I'm saying few | that very much "understatement"!). Let's hope so. If you left anything open which should have been shutdown, someone will likely find it. | | I have set up two users: | administrator: no restriction at all, of course. | cbar: almost everything is forbidden (I can post the poledit settings) You could post them, I suppose unless someone complains first. | | Since W98 logon also allow to "escape" from login, I managed (just | can't remember how!) to copy cbar settings to the default user. | | So, as said before, the proto is working fine. | Few people will have enough knowledge to tweak the security, for all | users have access to is the keyboard & the mouse (I know F8 is still a | solution while booting). | | My problem is that I am now struggling to have the same settings on | the others machines. | | All machines are ready to work, but none of them is "secured". | I wanted to know if anyone has any idea on how to duplicate the | POLEDITed security from one PC to the others. | | My main trouble is the very large range of different machine: I tried | to use Acronis TrueImage, but the machine reboot is then endlessly | trying to add new hardware/drivers. | | Any help VERY welcome! | | | Share & Enjoy, | Manolo AlmostBob posted some suggestions related to how to address the policies, others may join in ... Policies can be difficult to set up, but there is some information available on the Internet. In that regard I have created a small page of some of the settings you may want to check. http://peoplescounsel.orgfree.com/ref/gen/security/after_policies.htm NOTE: this is nowhere near a definitive work, just some things to check after/during policy creation [or locking down a local network]... check the Internet for other.. My page presumes you have already shut-down the most common issues that may be related. -- MEB http://peoplescounsel.orgfree.com ________
Guest xamigax@gmail.com Posted December 3, 2007 Posted December 3, 2007 Re: POLEDIT On 30 nov, 14:20, xami...@gmail.com wrote: > Hi there! > > I have to recycle 20 old PCs (from PII to PIV, 64Mo RAM at least each) > into barcode readers. > The society I have my mission in wants to have W98se on them (for many > PCs won't be supporting more than this, plus we need USB to work for > WiFi keys). > > I have set up a prototype wich is perfectly working for it's supposed > to do. > > Here's the prototype description: > Win98se + MSInstaller2.0 + IE5.5 + DotNet2.0 + barcode reader > application (NOO_RemotePC, if anyone knows this) + WiFi USB drivers > > Since the company does NOT want users to do anything BUT barcode, I > used POLEDIT to set up few restrictions (well, when I'm saying few > that very much "understatement"!). > > I have set up two users: > administrator: no restriction at all, of course. > cbar: almost everything is forbiden (I can post the poledit settings) > > Since W98 logon also allow to "escape" from login, I managed (just > can't remember how!) to copy cbar settings to the default user. > > So, as said before, the proto is working fine. > Few people will have enough knowledge to tweak the security, for all > users have access to is the keyboard & the mouse (I know F8 is still a > solution while booting). > > My problem is that I am now struggling to have the same settings on > the others machines. > > All machines are ready to work, but none of them is "secured". > I wanted to know if anyone has any idea on how to duplicate the > POLEDITed security from one PC to the others. > > My main trouble is the very large range of different machine: I tried > to use Acronis TrueImage, but the machine reboot is then endlessly > trying to add new hardware/drivers. > > Any help VERY welcome! > > Share & Enjoy, > Manolo Thanks both of you for answering. I finally found a way to duplicate all policies quite easily (easier than having to set-up each one of the remaining PCs). Help welcomed, even if some of the suggestions could not be done (company 's decision). Like having the policy on a network location. Plus I faced *many* troubles having exactly the same settings doing exactly the same results! Do I need to blame the poor W98 multi-user capabilities, the high variety of hardware involved from one PC to another...? Or both :-) So, here's what I ended with: I set up Poledit on each PC, then only define the users I need (Administrator & BarCode), leaving all settings to default. Then I copy the user.dat (3 different: default user + admin + barcode) into their respective folders. And the job seems to be done! I successfully "secured" one machine doing so, now trying for a second one (can't believe how often I am asked to help poor educated users around the building... Costing me a lot of time & energy. I'll come back later to post the result I got doing things the way I am... So if someone needs help in the future (is there still a future for W98, appart from industrial company like the one I am working for?), he might found these posts usefull. Share & enjoy, Manolo
Guest xamigax@gmail.com Posted December 17, 2007 Posted December 17, 2007 Re: POLEDIT On 3 déc, 13:11, xami...@gmail.com wrote: > On 30 nov, 14:20, xami...@gmail.com wrote: > > > > > Hi there! > > > I have to recycle 20 old PCs (from PII to PIV, 64Mo RAM at least each) > > into barcode readers. > > The society I have my mission in wants to have W98se on them (for many > > PCs won't be supporting more than this, plus we need USB to work for > > WiFi keys). > > > I have set up a prototype wich is perfectly working for it's supposed > > to do. > > > Here's the prototype description: > > Win98se + MSInstaller2.0 + IE5.5 + DotNet2.0 + barcode reader > > application (NOO_RemotePC, if anyone knows this) + WiFi USB drivers > > > Since the company does NOT want users to do anything BUT barcode, I > > used POLEDIT to set up few restrictions (well, when I'm saying few > > that very much "understatement"!). > > > I have set up two users: > > administrator: no restriction at all, of course. > > cbar: almost everything is forbiden (I can post the poledit settings) > > > Since W98 logon also allow to "escape" from login, I managed (just > > can't remember how!) to copy cbar settings to the default user. > > > So, as said before, the proto is working fine. > > Few people will have enough knowledge to tweak the security, for all > > users have access to is the keyboard & the mouse (I know F8 is still a > > solution while booting). > > > My problem is that I am now struggling to have the same settings on > > the others machines. > > > All machines are ready to work, but none of them is "secured". > > I wanted to know if anyone has any idea on how to duplicate the > > POLEDITed security from one PC to the others. > > > My main trouble is the very large range of different machine: I tried > > to use Acronis TrueImage, but the machine reboot is then endlessly > > trying to add new hardware/drivers. > > > Any help VERY welcome! > > > Share & Enjoy, > > Manolo > > Thanks both of you for answering. > I finally found a way to duplicate all policies quite easily (easier > than having to set-up each one of the remaining PCs). > Help welcomed, even if some of the suggestions could not be done > (company 's decision). > Like having the policy on a network location. > > Plus I faced *many* troubles having exactly the same settings doing > exactly the same results! > Do I need to blame the poor W98 multi-user capabilities, the high > variety of hardware involved from one PC to another...? > Or both :-) > > So, here's what I ended with: > I set up Poledit on each PC, then only define the users I need > (Administrator & BarCode), leaving all settings to default. > Then I copy the user.dat (3 different: default user + admin + barcode) > into their respective folders. > And the job seems to be done! > > I successfully "secured" one machine doing so, now trying for a second > one (can't believe how often I am asked to help poor educated users > around the building... Costing me a lot of time & energy. > > I'll come back later to post the result I got doing things the way I > am... > So if someone needs help in the future (is there still a future for > W98, appart from industrial company like the one I am working for?), > he might found these posts usefull. > > Share & enjoy, > > Manolo Back for more: As said in this previous post, my choice was to duplicate USER.DAT from one PC to the others. Things turned out to be much easier this way. I now have 17 machines, working perfectly the way the company wanted them to! After we (company's responsibles & I) validated the first "prototype", I did an image (thanks acronis!) of the entire disk... I picked up the machine I had set up earlier, wich were held in the archives room, to aply the policies on them, one by one. I had installed each PC with all the "barcode" application requiered: Win98SE (USB support for Wifi) MSInstaller2.0 IE5.5 (most "economical" choice, since most PC are old and with little (64Mo) RAM) DotNet2.0 NOO_RemotePC (barcode app) believe me: a lot of reboot for each machine :-) ! Then I "fine" tuned each: Telling W98 that users can have their own profiles, Adding two users to the default "esc on login": admin + cbar Having once logged each and cleaned up their desktop & start menu Install the "POLEDIT" manager copy the "config.pol" from the prototype Then replacing each "USER.DAT" with the one I copied form my prototype. Here the trick: by default all users have "all rights" So the order you copy the "USER.DAT" DOES matter. So, when you're ready to have your policies copied, "escape" the login request. Then replace the USER.DAT located in "c:\windows\profiles\admin\" & "c: \windows\profiles\cbar\" with the ones from your prototype. Restart the PC (DO NOT LOG OFF) Log in as admin Then replace the "c:\windows\user.dat" with the one form your prototype. Then restart (DO NOT LOG OFF) You now have your 3 "profiles" working 100% Don't forget to save some "image" (Acronis True Image, still the best) of the result! My last advice: do multiple images, so you can have various "restoration points" (IE: before replacing all USER.DAT is a minimum if you don't want to have a full reinstall to be requiered, in case of troubles) So, my prime mission is successfull; I can now give more time to poorly skilled, and way too few "updated knowledges" (talking from a computer point of view) employes ;-) ! Share & Enjoy, Manolo
Guest MEB Posted December 17, 2007 Posted December 17, 2007 Re: POLEDIT <xamigax@gmail.com> wrote in message news:cbf586fc-50e0-43df-9e5f-552d5a8fdca0@j20g2000hsi.googlegroups.com... On 3 dc, 13:11, xami...@gmail.com wrote: > On 30 nov, 14:20, xami...@gmail.com wrote: > > > > > Hi there! > > > I have to recycle 20 old PCs (from PII to PIV, 64Mo RAM at least each) > > into barcode readers. > > The society I have my mission in wants to have W98se on them (for many > > PCs won't be supporting more than this, plus we need USB to work for > > WiFi keys). > > > I have set up a prototype wich is perfectly working for it's supposed > > to do. > > > Here's the prototype description: > > Win98se + MSInstaller2.0 + IE5.5 + DotNet2.0 + barcode reader > > application (NOO_RemotePC, if anyone knows this) + WiFi USB drivers > > > Since the company does NOT want users to do anything BUT barcode, I > > used POLEDIT to set up few restrictions (well, when I'm saying few > > that very much "understatement"!). > > > I have set up two users: > > administrator: no restriction at all, of course. > > cbar: almost everything is forbiden (I can post the poledit settings) > > > Since W98 logon also allow to "escape" from login, I managed (just > > can't remember how!) to copy cbar settings to the default user. > > > So, as said before, the proto is working fine. > > Few people will have enough knowledge to tweak the security, for all > > users have access to is the keyboard & the mouse (I know F8 is still a > > solution while booting). > > > My problem is that I am now struggling to have the same settings on > > the others machines. > > > All machines are ready to work, but none of them is "secured". > > I wanted to know if anyone has any idea on how to duplicate the > > POLEDITed security from one PC to the others. > > > My main trouble is the very large range of different machine: I tried > > to use Acronis TrueImage, but the machine reboot is then endlessly > > trying to add new hardware/drivers. > > > Any help VERY welcome! > |> > Share & Enjoy, |> > Manolo |> |> Thanks both of you for answering. |> I finally found a way to duplicate all policies quite easily (easier |> than having to set-up each one of the remaining PCs). |> Help welcomed, even if some of the suggestions could not be done |> (company 's decision). |> Like having the policy on a network location. |> |> Plus I faced *many* troubles having exactly the same settings doing |> exactly the same results! |> Do I need to blame the poor W98 multi-user capabilities, the high |> variety of hardware involved from one PC to another...? |> Or both :-) |> |> So, here's what I ended with: |> I set up Poledit on each PC, then only define the users I need |> (Administrator & BarCode), leaving all settings to default. |> Then I copy the user.dat (3 different: default user + admin + barcode) |> into their respective folders. |> And the job seems to be done! |> |> I successfully "secured" one machine doing so, now trying for a second |> one (can't believe how often I am asked to help poor educated users |> around the building... Costing me a lot of time & energy. |> |> I'll come back later to post the result I got doing things the way I |> am... |> So if someone needs help in the future (is there still a future for |> W98, appart from industrial company like the one I am working for?), |> he might found these posts usefull. |> |> Share & enjoy, |> |> Manolo | | |Back for more: | |As said in this previous post, my choice was to duplicate USER.DAT |from one PC to the others. |Things turned out to be much easier this way. |I now have 17 machines, working perfectly the way the company wanted |them to! |After we (company's responsibles & I) validated the first "prototype", |I did an image (thanks acronis!) of the entire disk... | |I picked up the machine I had set up earlier, wich were held in the |archives room, to aply the policies on them, one by one. | |I had installed each PC with all the "barcode" application requiered: |Win98SE (USB support for Wifi) |MSInstaller2.0 |IE5.5 (most "economical" choice, since most PC are old and with little |(64Mo) RAM) |DotNet2.0 |NOO_RemotePC (barcode app) | |believe me: a lot of reboot for each machine :-) ! | |Then I "fine" tuned each: |Telling W98 that users can have their own profiles, |Adding two users to the default "esc on login": admin + cbar |Having once logged each and cleaned up their desktop & start menu | |Install the "POLEDIT" manager |copy the "config.pol" from the prototype | |Then replacing each "USER.DAT" with the one I copied form my |prototype. |Here the trick: |by default all users have "all rights" | |So the order you copy the "USER.DAT" DOES matter. |So, when you're ready to have your policies copied, "escape" the login |request. |Then replace the USER.DAT located in "c:\windows\profiles\admin\" & "c: |\windows\profiles\cbar\" with the ones from your prototype. |Restart the PC (DO NOT LOG OFF) |Log in as admin |Then replace the "c:\windows\user.dat" with the one form your |prototype. |Then restart (DO NOT LOG OFF) |You now have your 3 "profiles" working 100% | |Don't forget to save some "image" (Acronis True Image, still the best) |of the result! |My last advice: |do multiple images, so you can have various "restoration points" (IE: |before replacing all USER.DAT is a minimum if you don't want to have a |full reinstall to be requiered, in case of troubles) | |So, my prime mission is successfull; I can now give more time to |poorly skilled, and way too few "updated knowledges" (talking from a |computer point of view) employes ;-) ! | | |Share & Enjoy, | |Manolo Thanks for posting back with your results. The difficulty with our supplying answers to your issues related to your indications of specific policies required by the company. We could not know exactly what those were, moreover, you had indicated that these would over-rule any suggestions that might have been made. This is not unusual when setting up ANY OS and network with company defined policies. IT and testing departments [and the like] suffer under those same issues whenever a portion of the network is changed in some form, be it for new VISTA computers, a network printer, web access, changes limiting previous allowed activity, and dozens of other allowances or limits; or as in your case, machines for consumer and/or other defined simple and/or specific use. Many have been in your position before, and many have used something similar to what you did. Others, however, have needed to proceed in a different manner, such as: by using the base clone for basic roll-out, but distribute specific additional setups or updated setups via the master server(s)..There are numerous *white papers* and other help distributed by Microsoft and others, but they can only example or provide a direction, as individual network setups may be close, but need other specialized aspects addressed on individual segments or specific computers. Again, thanks for posting your method and successful results. Be aware though, that you must remain diligent related to these special nodes in the network, as they require monitoring for potential tweaks and potentially may still be compromised [sometimes it takes many tweaks to plug the holes, or the eventual maintenance. {Hint: People hate being limited on a business's computer, most think that computer is THEIR'S to use as they wish. Block their external contact with a firewall and policies, and they will attempt to install an anti-firewall and bypass those policies; block usage of E-Mail and they will seek a way to circumvent that; block installation of personal programs and they will ask somewhere for information on how to circumvent that. Its a never ending battle. It doesn't really matter whether its 98 or VISTA, if there is a determined individual, they WILL search for a way around the restrictions/limitations, and be irate when confronted that they can't do these things or can be fired when they do.} Good luck... -- MEB http://peoplescounsel.orgfree.com/ ________
Recommended Posts