IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
S 2.104 System guidelines for restricting usage of
Windows 95
Initiation responsibility: IT Security Management
Implementation responsibility: Administrators
If navigation under Windows 95 needs to be eased for inexperienced users, or
if certain resources need to be restricted for operational reasons, certain
restrictions can be provided for the user environment via the system guidelines
under Windows 95. However, it must be noted that users might take a cold
attitude towards an IT system, if restrictions are not immediately
comprehensible. Thus a restriction should only occur when absolutely
necessary or if this will go unnoticed by the user.
As soon as system guidelines are activated, Windows 95 will check upon
starting whether user-specific restrictions have been set up for the present
user. If this is the case, they will be loaded. If it is not the case, restrictions for
standard users will be applied. In the following, the principal restrictions that
can be set via the system guidelines are described. It is then listed how these
restrictions can be established and activated via the system guideline editor
(POLEDIT.EXE).
The essential restrictions to be set via system guidelines for a non-networked
Windows 95 computer are as follows:
- Access to the control panel can be restricted via the options DISPLAY,
NETWORK, PASSWORDS, PRINTER SETTINGS and SYSTEM
PROPERTIES. Each option can be completely deactivated or restricted to
single register cards.
For these options the following points are essential:
- Entries for screen colours can be made from an ergonomic point of
view.
- It is possible to allow users to change their own passwords.
- Printer configurations and hardware settings can be securely set.
- Access to single functions of the user interface can be restricted. For
example, the commands RUN, SEARCH and END can be removed. This
will prevent users from searching for relevant security files or programs
and, if possible, executing them. Drives can be removed from the
DESKTOP and the EXPLORER (previously FILE-MANAGER). As only
the start drive (e.g. C:\) is available when booting, partitions (drives) can
only be switched by using applications.
- The Program start of executable files can be restricted and the DOS
prompt can be deactivated. Applications available to single users can be
explicitly provided (e.g. WINWORD.EXE, EXCEL.EXE and the
EXPLORER.EXE)
Additionally, the computer can be arranged so that Windows 95 log-on
passwords must consist of letters as well as numbers or symbols and must
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000