
HIR Issue 6: Windows 95: User Friendly means Hacker Friendly

by Axon

Everyone knows that Windows 95 is extremely insecure. I would argue that if you're going to plop Windows 95 on a machine in a public place, you might as well put a sticky note on the monitor that proclaims "Hack Me!". From the very genesis of Windows, it's been a huge hacker target. Microsoft has tried their damnedest to make it more secure, but even with the way Windows can use the "magic" registry mechanism for "security", there are still many holes that need help. Even the registry has its holes. In this article, I'll discuss several of the little inner workings that lie under the "gee whiz" graphical loser interface that Bill stole from other companies anyway.

In short: Many things that add power or ease of use to Windows will also decrease privacy and security:

I. The registry

  • a. Why the registry is so good for security
  • b. Registry keys that are used for security
  • c. Why the registry's "security" features mean absolutely nothing


II. OLE (Object Linking and Embedding)

  • a. OLE features that make the user cheer "OLE!"
  • b. Why OLE opens up some major security holes


III. Windows 95 Login Screen (Secure? I'd doubt it.)

IV. Windows 95 AutoRun

  • a. Advantages
  • b. Problems


V. Help

  • a. Useful applications for Windows Help
  • b. Windows help needs to practice what it preaches


VI. Find (A great utility, but...)

VII. Boot Menu

  • a. Explanation of the Boot Menu
  • b. Dangers of the Boot Menu
  • c. Customizing MSDOS.SYS (Contains Boot Menu Information)


Appendix A: Advanced Registry Fun

Appendix B: Some final stuff

Closing Remarks on Windows 95 Security

------------------------------------------------------------------------------
In long: I'll expand on that outline, but keep its structure.


I. The registry

The registry is a good idea. It does everything from getting rid of the need for .INI files for Windows programs, to keeping track of what application should be used for each file extension (which was its only function in Windows 3.x). In Windows 95 and NT, it's even an okay security mechanism. If you find this section interesting, then I'd suggest checking out Appendix A of this article, "Advanced Registry Fun", which covers more complex registry toys. Note: Due to the power that is held within the registry, I am telling you now: "Back up your registry before you play with it, EACH AND EVERY TIME YOU PLAY WITH IT!!!" This is easily accomplished by running Regedit.exe, selecting the File menu, and exporting your registry file. I usually save it with the date, such as 6-3-98.reg. If your registry gets messed up, it is easy to blow away and restore it with this backup. Also, looking at this backup with a text editor will show you a great example of a huge registry patch file (see below).

a. Why the registry is good for security
It would seem like the ideal way to enforce security permissions: Alter the registry so that it no longer allows certain things to be done anymore, and then, throw in a registry value that keeps the user from running the registry editor.

b. A registry patch file is one of several ways to make "cookie-cutter" changes to the registry (I will cover a more advanced method of creating registry-editing files, .INF files, in Appendix A, Advanced Registry Fun). The first line of any registry patch file is "REGEDIT4". The keys are stored in registry patch files in the following format (the notes in parentheses are mine, not part of the file):

 -- 
REGEDIT4

[HKEY_...\PATH\WITHIN\REGISTRY\TREE\TO\KEY1]

"NameOfKey1Value1"=dword:xxxxxxxx        (DWORD: eight hexadecimal digits)

[HKEY_...\PATH\WITHIN\REGISTRY\TREE\TO\KEY2]

"NameOfKey2Value1"="blahblah"            (String value, text)
"NameOfKey2Value2"=dword:xxxxxxxx        (DWORD: eight hexadecimal digits)
"NameOfKey2Value3"=hex:ff,00,20,1c...    (Binary: comma-separated hexadecimal bytes)
"NameOfKey2Value4"=dword:xxxxxxxx
"NameOfKey2Value5"=dword:xxxxxxxx

--


You get the picture...

Here are some of the registry keys and values used for security. These values are mostly policy values; I explain a LOT more on policies at the end of this article. They are all DWORDs (not binary or string): 00000000 is basically a "No" and 00000001 is basically a "Yes". This is not true of ALL the values in the registry, but it is true of the ones listed here.

You can probably figure out what most (or some) of these values do; I'll explain the more archaic ones in ()'s next to the value.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
* NoAddPrinter
* NoDeletePrinter
* NoSaveSettings (Explorer won't save desktop/window settings when you exit)
* NoRun ("Run" item doesn't show up in Start Menu if 00000001)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network
* NoNetSetup (Won't let ya use "Network" from control panel)
* NoFileSharingControl
* NoPrintSharingControl
* NoEntireNetwork (Can't see entire network on Net 'hood)
* DisablePwdCaching (Windows stops caching passwords in the user's .PWL file. Note: this one actually lives under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Network, not HKEY_CURRENT_USER.)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System (Stuff under System/Display Properties Control panels)
* NoDispCPL
* NoDispScrSavPage
* NoDispSettingsPage
* NoSecCPL (Hides the Passwords control panel)
* NoDevMgrPage
* NoConfigPage
* NoFileSysPage
* NoVirtMemPage
* DisableRegistryTools (Keeps regedit from being run...kinda)

c. Why the registry's security features mean nothing.
The registry editor might not allow you to open it and screw with the underlying registry (thanks to the DisableRegistryTools value), but the funny thing is that you can create registry patches (using the format I described above) and name them with a .REG extension. If you double click on a .REG file, the registry editor reads the registry patch file and does a "merge", or in other words, changes the values contained in the registry to match the ones in the patch file. This means fun for the little guys! Here's a snippet from my favorite registry patch file that I keep on my Windows 95 disk o' death (anything in parentheses isn't part of the registry patch. Square brackets ARE a part of the patch!!!). Here we go:

     ----------------------< Cut Edit-reg.REG >----------------------- 
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"DisableRegistryTools"=dword:00000000 (Lets us use the regedit now)

----------------------< Cut >------------------------------------

If you double click on Edit-Reg.REG (Or double click a link to it via OLE), you will be able to launch registry editor without the "Registry Editing has been disabled..." message. The rest of the system is yours once you "adjust" the setting for those other values I listed in section Ib.

By the same token, replacing the 00000000 with 00000001 in the "DisableRegistryTools" value in the registry itself, or in the patch file (of course you need to run the patch file first) will disallow access to registry-altering tools such as regedit. This is why the registry needs some work. How do you fix it?

I would advise giving technicians a copy of regedit.exe (and other stuff, like a registry patch file such as this one) on a floppy disk, and erasing regedit.exe from the machines. Regedit accepts command line arguments: running "A:\regedit.exe a:\Edit-Reg.REG" merges the patch, after which the technician can run "A:\regedit.exe" and edit the registry for that system. (Then, before quitting the registry editor, modify the DisableRegistryTools value again, or run another patch to lock the registry down again.) Secure? If someone has a copy of regedit.exe on a floppy and can fabricate a patch (not hard to do, as shown above), then you're not much better off. DisableRegistryTools is a check inside regedit.exe, not a lock on the registry itself, so anything else that writes to the registry ignores it.
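Since a .REG file is just text in the format from section I.b, it is easy to read one before merging it. The following is an added example (not code from the article): a small Python parser for REGEDIT4 patches, plus an audit pass that lists the policy values a patch sets and flags the ones, like Edit-reg.REG's DisableRegistryTools=0, that undo a restriction. The patch text inside is constructed for the demo; the policy names are the ones listed above and in Appendix A.

```python
"""Parse a REGEDIT4 (.REG) patch and report which Windows 95 policy values it
sets, flagging any that loosen a lock-down.  Added example, not code from the
HIR article; SAMPLE_PATCH below is constructed for the demo."""
import re

POLICY_ROOT = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"

# Policy values the article treats as "dword 1 = restricted".  A patch that
# sets one of them to 0 is undoing a restriction.  Names are matched
# case-insensitively, as the registry itself does.
LOCKDOWN_VALUES = {
    "Explorer": {"NoRun", "NoFind", "NoDesktop", "NoDrives", "NoSaveSettings",
                 "NoClose", "NoSetFolders", "NoSetTaskbar", "RestrictRun",
                 "NoAddPrinter", "NoDeletePrinter"},
    "Network": {"NoNetSetup", "NoFileSharingControl", "NoPrintSharingControl",
                "NoEntireNetwork", "NoNetHood"},
    "System": {"DisableRegistryTools", "NoDispCPL", "NoDispScrSavPage",
               "NoDispSettingsPage", "NoSecCPL", "NoDevMgrPage",
               "NoConfigPage", "NoFileSysPage", "NoVirtMemPage"},
    "WinOldApp": {"Disabled"},
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^(?:"([^"]+)"|@)=(.*)$')   # "name"=data or @=data


def parse_reg(text):
    """Return {key_path: {value_name: data}}.  dword:xxxxxxxx -> int,
    "..." -> str, hex:aa,bb,... -> bytes.  Raises ValueError on anything that
    is not REGEDIT4 syntax, so a bad patch is rejected rather than half-read."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("not a REGEDIT4 patch")
    tree, key = {}, None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1).rstrip("\\")
            tree.setdefault(key, {})
            continue
        m = _VAL_RE.match(line)
        if not m or key is None:
            raise ValueError("malformed line: %r" % line)
        name = m.group(1) if m.group(1) is not None else "@"
        data = m.group(2)
        low = data.lower()
        if low.startswith("dword:"):
            tree[key][name] = int(data[6:], 16)
        elif low.startswith("hex:"):
            tree[key][name] = bytes(int(b, 16) for b in data[4:].split(",") if b)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            tree[key][name] = data[1:-1]
        else:
            raise ValueError("unknown data format: %r" % data)
    return tree


def audit_policies(tree):
    """List (subkey, value, data, verdict) for every known policy value the
    patch sets; verdict is "LOOSENS" when the value is zeroed."""
    findings = []
    prefix = POLICY_ROOT.lower() + "\\"
    canon = {k.lower(): k for k in LOCKDOWN_VALUES}
    for key, values in tree.items():
        if not key.lower().startswith(prefix):
            continue
        sub = canon.get(key[len(prefix):].split("\\")[0].lower())
        if sub is None:
            continue
        names = {v.lower(): v for v in LOCKDOWN_VALUES[sub]}
        for name, data in values.items():
            if name.lower() in names:
                verdict = "LOOSENS" if data == 0 else "tightens"
                findings.append((sub, names[name.lower()], data, verdict))
    return findings


# Constructed sample: the article's Edit-reg.REG unlock, bundled with two
# Explorer restrictions and an unrelated key.
SAMPLE_PATCH = "\r\n".join([
    "REGEDIT4",
    "",
    "[" + POLICY_ROOT + r"\System]",
    '"DisableRegistryTools"=dword:00000000',
    "",
    "[" + POLICY_ROOT + r"\Explorer]",
    '"NoRun"=dword:00000001',
    '"NoDrives"=dword:03ffffff',
    '"Comment"="constructed sample, not a policy"',
    "",
    r"[HKEY_CURRENT_USER\Software\Example]",
    '"Blob"=hex:de,ad,be,ef',
    "",
])

if __name__ == "__main__":
    for sub, name, data, verdict in audit_policies(parse_reg(SAMPLE_PATCH)):
        shown = hex(data) if isinstance(data, int) else repr(data)
        print("%-10s %-22s = %-12s %s" % (sub, name, shown, verdict))
```

Run it against a patch found on a floppy (or one you are about to merge) and anything reported as LOOSENS is a restriction being switched off. The parser deliberately rejects the newer "Windows Registry Editor Version 5.00" header, since Windows 95's regedit only reads REGEDIT4.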

II. OLE (Object Linking and Embedding)

a. OLE features that make the user cheer "OLE!" OLE isn't necessarily a bad thing. It allows tons of funky things to be done, such as throwing a digital image into a plain-old text document. Introduced full-force in Win 3.x, it was very similar to what the people at Apple had been toying with for a while. Add sounds to your documents, plop part of your spreadsheet into a fiscal report for your boss, or even attach a whole file to the essay you e-mailed to your English teacher! OLE handles 2 types of connection methods, Linking and Embedding (imagine that...). Linking will not place a copy of the linked document into the work in progress. It merely points to it on the current computer. Any changes you make to the linked file will be reflected equally in any document that it is linked to. Embedding a file places a copy of the embedded file INTO the work in progress. Any changes made to the embedded part do not have any effect on the original file, nor do changes to the original have an effect on the embedded one. You use OLE often when doing clipboard operations such as cut, copy and paste. OLE is not a bad thing...at first glance...

b. Why OLE opens some major security holes OLE allows you to attach or link to almost any file that Windows knows how to handle. One can link to a bitmap file and Windows will access Paintbrush, and use it to show the bitmap as if it were PART of the document. If an executable file is embedded, it will be handled like Windows normally handles an executable (runs it). Granted, sometimes command.com still won't work (this is a registry thing again; see "Advanced Registry Fun", Appendix A of this article), but there are still a lot of things you can pull off. I know of no workaround for problems with OLE, because it's impossible (I think) to disable it. Frogman is experimenting with the idea of removing OLE from Windows. Thus far, he's seeing that apps which do not require OLE to function work fine, but many programs use OLE to communicate between their own modules as well, and those do not run properly, or sometimes not at all. The hypothesis is that where a secure system is needed, anti-OLE mods can be made and software chosen that doesn't require OLE. Perhaps an article on anti-OLE techniques later, if we find a decent way to pull it off...

III. Windows 95 Login Screen

I really don't have a lot to say about the login screen. It is an extremely pathetic (almost worthless) security mechanism. It's basically good for each user having a customized desktop. By hitting the Windows key (CTRL-ESC), you can launch the task manager, and go to the file menu, select "RUN", and browse through anything you'd want to run. A fun thing is to run "explorer.exe", as this is what creates the desktop environment. Granted, you still have a login dialog box on-screen, but you have a desktop and start menu. Often enough, if the system is REALLY insecure, you do not even need to go through that mess. Just hit the escape key at the login and it'll give you a desktop. Fun stuff. To fix this, there are 2 paths to be taken. If your system does not give a desktop when escape is hit at the login, all you must do is delete taskman.exe out of the C:\Windows folder. As long as A:\ isn't in your path (so that someone with taskman.exe on a floppy could still use this bug), you should be secure in this aspect. If your login screen gives up the desktop when escape is pressed, then you need to not only erase taskman.exe, but you must either modify the registry to disallow this behavior, or modify the desktop settings so that it is locked down in the registry and nothing can be run from within the default desktop.

IV. Windows AutoRun

AutoRun is a feature that was introduced in Windows 95. It senses when a CD is inserted into the CD-ROM drive, then scans the root directory of the CD for a file called AUTORUN.INF. This is a small text file with an [autorun] section whose open= line names the program to launch, usually an executable sitting in the root of the CD-ROM (though it can be any file Windows knows how to open). If AutoRun is enabled, Windows opens (or runs) that file without asking.

  • a. AutoRun is obviously a very handy thing. Programs that use AutoRun will seem to launch themselves when you insert the CD-ROM. Some programs will launch a menu that allows you to install the software (in case it isn't installed yet), change installation options, launch the program, or quit. The original idea behind this feature was to add yet another level of convenience and ease-of-use.
  • b. AutoRun can spell disaster for your dreams of a secure computer. Not only does it allow people to walk up to your system and install a game they bought down the street somewhere with ease, even if they can't SEE the CD-ROM drive, or run an install program; there are several other problems that AutoRun introduces. One that is less obvious than most is that AutoRun is willing and able to bypass the screensaver password (if one exists), bomb out of the screensaver, and run whatever it was that the AUTORUN.INF file points to. This is an easy way around a screen saver password. Also, with the advent of CD-ROM Writers (Burners), and the falling prices of the same, more and more people (hackers, crackers, little kids with rich parents, etc) are getting ahold of 'em. Those who can program worth a darn could easily make their custom program run as soon as they inserted the CD-ROM they just burned, just by making AUTORUN.INF point to it. Do you REALLY want anyone to be able to run whatever they can program/copy on your computer?
  • c. Disabling AutoRun On my desktop, I leave AutoRun enabled. It's convenient. But when I am trying to secure a system, this is not a hole I wish to leave unscathed. It takes me all of 30 seconds (or less) to disable AutoRun, and it'll probably be one of the quickest security modifications you will make. The first step is to get to System Properties. This is done by right clicking on the "My Computer" icon, and selecting the "Properties" item on the pop-up menu, or by selecting "System" from the Control Panel. Next, choose the "Device Manager" tab. Find "CDROM" on the Device Manager tree, and expand it (by clicking the + sign to the left of it). This shows a list of all CD-ROM devices attached to your system. Select the CD-ROM that you want to disable AutoRun on, and click the "Properties" button. Then, click on the "Settings" tab. The check box labeled "Auto Insert Notification" is the key here. If it is checked (which it probably is), then AutoRun is enabled. Uncheck it to disable AutoRun. This is one of those settings that don't get read in again until the system is restarted. If you have other modifications to make, make them before restarting (or else you'll probably reboot 4 or 5 times). If you want to (re) enable AutoRun, it should be fairly obvious how to do it.

V. Help

  • a. Help is a very useful aspect of Windows programs. It's like having a personal online quick reference for many of the programs. When you select a help screen (or when you press F1 while on the desktop), one of two programs is usually executed: WINHELP.EXE or WINHLP32.EXE in the Windows folder. Pressing F1 at the desktop will give you a very large and possibly exhaustive database of answers about various user-level Windows stuff. It has a very powerful find utility that allows the user to quickly seek answers, and to do so with quite a bit of speed. Very handy, indeed.
  • b. Sometimes, however, Windows' help facility can "help" a little too much, for instance it can "help" people circumvent those restrictions that you've worked so hard to fortify. By searching for the right help topics, such as help topics on installing software, one might be able to navigate the hard drive, delete files, and even execute any file on the system, including things on floppy disk. This is very bad. The only way to get around this is by deleting the Windows help executables: WINHELP.EXE and WINHLP32.EXE in the C:\Windows folder. Not always the best way, as this will disable Windows' help, and most likely help will not work in many other applications, either.

VI. Find

Find is a great utility for locating those files that get lost in the maze of your hard drive's directory structure. It can be accessed by pressing the F3 key when you're at the desktop. Find, similar to help, can also sometimes allow people to run illicit programs, delete files, or copy stuff from your system to a floppy disk. The only workaround I know of is to remove the find option from the start menu (Another registry toy I'll discuss in Appendix A), and then rip the F3 key off of your keyboard. This can be circumvented by a psycho who brings in a keyboard when trying to take over your machine.


VII. Boot Menu

  • a. Explanation of the Boot Menu. The Boot Menu is a menu that is accessed a few different ways. It is most commonly seen when Windows does not start all the way up: the boot menu comes up and suggests a safe-mode boot, but the user can choose whichever boot option to proceed with. This menu is also accessible by pressing the F8 key right when the computer starts to load Windows 95 (if you see the splash screen, it's too late). This allows access to a normal DOS mode session ("Command prompt only"), which is typically option #6 on the menu. Sometimes this is a good option if some of your DOS apps just don't like Windows.
  • b. Dangers of the Boot Menu Hackers will often try to reboot the computer and use F8 to get into a DOS session (where Windows' petty security settings haven't even been enforced). This is an extremely dangerous hole, in that any monkey with half a brain could look through anyone else's stuff, and crackers could format your hard drive or plant viruses with ease. When Windows 95 is booted into safe mode, ALL policy settings are TOTALLY IGNORED. This is a Bad Thing, as almost all of your security settings have temporarily (or permanently, assuming the user knows his stuff) bitten the dust.
  • c. Modifying MSDOS.SYS (which contains the Boot Menu options) MSDOS.SYS is a hidden, read-only system file, usually found in the root directory of the boot drive. You will need to change its attributes in order to edit it (and put them back afterwards). This is done with the "attrib" command. If you don't know how to use it, read a DOS manual, and it'll help you out. This is what a typical MSDOS.SYS file looks like:

 [Paths] 
UninstallDir=C:\
WinDir=C:\WINDOWS
WinBootDir=C:\WINDOWS
HostWinBootDrv=C

[Options]
BootGUI=1
DoubleBuffer=1
Network=1
;
;The following lines are required for compatibility with other programs.
;Do not remove them (MSDOS.SYS needs to be >1024 bytes).
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxa
...(File continues with xxxxxxxxxx...ending in letters a-s)...
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxs

It is not hard to disable the F8 (and other) keys while booting. All you need to do is add a line under [Options] saying "BootKeys=0". It is still possible to induce a Boot Menu by restarting the computer, then pressing the RESET button or turning it off and back on again while the splash screen is still up (Windows 95 still loading), since a boot that doesn't finish brings the menu up on the next one. You can also add another line saying "BootMenuDelay=1" so that the menu will only appear for 1 second. If you set this to 0, the boot menu will display for an indefinite period of time. Below is a full table of all (that I know of) options that can be placed under the [Options] section of MSDOS.SYS.

BootMulti= If set to 1, the F4 key boots the previous operating system (the MS-DOS that Windows 95 was installed over). Default is 0.

BootDelay=n Initial delay before boot, in seconds: how long the user is given to hit a startup key such as F4 or F8 before the system boots. Default is 2.

BootMenu= If set to 1, the boot menu appears every time the machine starts. Default is 0.

BootMenuDefault= Sets the default item on the boot menu. Look at the boot menu if you want to know what the options are on your machine.

BootMenuDelay=n The number of seconds the boot menu waits for the user to pick an option before using the default set with BootMenuDefault. Default is 30.

BootKeys= When set to 1, boot keys are enabled. When set to 0, the user cannot use the boot keys to reach the boot menu. Default is 1.

BootGUI= When set to 1, the machine boots into Windows. If set to 0, it always boots to the DOS command prompt. Default is 1.

Logo= If set to 1, the splash screen logo appears while the machine starts. If set to 0, no logo is displayed. Default is 1.

BootWarn= When set to 1, Windows shows the warning message when it starts in Safe Mode. Set to 0, it starts in Safe Mode without the warning. Default is 1.

DoubleBuffer= Enables the double-buffering driver for SCSI controllers. Default is 0.

Network= Enables "Safe Mode with Networking" as a boot menu option. Default is 0.
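As an added example (not from the article), here is a Python script that applies the lock-down described above to an MSDOS.SYS: it rewrites or inserts the [Options] keys, keeps the file over the 1024-byte mark the padding comments exist for, writes CRLF line endings, and has a check function to confirm that both BootKeys and BootDelay are off. The MSDOS.SYS text inside is a constructed copy of the layout shown above; the option names are the ones in the table. You still need the attrib step before writing the real file.

```python
"""Harden the [Options] section of a Windows 95 MSDOS.SYS: disable the boot
keys and the F8 window, keep the file over the 1024-byte minimum, and check
the result.  Added example, not from the HIR article; SAMPLE_MSDOS_SYS is a
constructed copy of the layout shown in the text.  On a real machine run
"attrib -h -s -r c:\\msdos.sys" first and "attrib +h +s +r" afterwards."""

# BootKeys=0 ignores F4/F5/F6/F8 at start-up; BootDelay=0 closes the window
# in which they are read; BootMulti=0 drops the F4 "previous MS-DOS" path;
# BootMenuDelay=1 keeps a failed-boot menu from sitting on screen.
HARDENED = {"BootKeys": "0", "BootDelay": "0", "BootMulti": "0",
            "BootMenuDelay": "1"}
PAD_LINE = ";" + "x" * 69   # same style of filler Setup writes for the size check


def _is_header(line):
    s = line.strip()
    return s.startswith("[") and s.endswith("]")


def get_option(text, key):
    """Value of key under [Options], or None if it is absent."""
    section = None
    for line in text.splitlines():
        s = line.strip()
        if _is_header(line):
            section = s[1:-1].lower()
        elif section == "options" and "=" in s and not s.startswith(";"):
            k, v = s.split("=", 1)
            if k.strip().lower() == key.lower():
                return v.strip()
    return None


def set_options(text, settings):
    """Rewrite existing [Options] keys in place, insert missing ones right
    after the section's last key=value line (before the padding comments),
    and pad the file to more than 1024 bytes with CRLF endings."""
    lines = text.splitlines()
    section, opt_header, last_kv, done = None, None, None, set()
    for i, line in enumerate(lines):
        s = line.strip()
        if _is_header(line):
            section = s[1:-1].lower()
            if section == "options":
                opt_header = i
        elif section == "options" and "=" in s and not s.startswith(";"):
            last_kv = i
            key = s.split("=", 1)[0].strip()
            for want, val in settings.items():
                if want.lower() == key.lower():
                    lines[i] = "%s=%s" % (want, val)
                    done.add(want)
    if opt_header is None:              # no [Options] section at all
        lines += ["", "[Options]"]
        opt_header = len(lines) - 1
    at = (opt_header if last_kv is None else last_kv) + 1
    for want, val in settings.items():
        if want not in done:
            lines.insert(at, "%s=%s" % (want, val))
            at += 1
    out = "\r\n".join(lines) + "\r\n"
    while len(out.encode("ascii")) <= 1024:   # MSDOS.SYS must be > 1024 bytes
        out += PAD_LINE + "\r\n"
    return out


def harden(text):
    return set_options(text, HARDENED)


def boot_keys_disabled(text):
    """True only when both the keys and the delay window are off."""
    return (get_option(text, "BootKeys") == "0"
            and get_option(text, "BootDelay") == "0")


# Constructed sample of the layout shown in the article (padding omitted).
SAMPLE_MSDOS_SYS = "\r\n".join([
    "[Paths]",
    "UninstallDir=C:\\",
    "WinDir=C:\\WINDOWS",
    "WinBootDir=C:\\WINDOWS",
    "HostWinBootDrv=C",
    "",
    "[Options]",
    "BootGUI=1",
    "DoubleBuffer=1",
    "Network=1",
    ";",
    ";The following lines are required for compatibility with other programs.",
    ";Do not remove them (MSDOS.SYS needs to be >1024 bytes).",
    "",
])

if __name__ == "__main__":
    hardened = harden(SAMPLE_MSDOS_SYS)
    print(hardened)
    print("boot keys disabled:", boot_keys_disabled(hardened))
```

Running harden() a second time on its own output changes nothing, so the script is safe to re-run after someone has hand-edited the file. Remember that none of this helps against a floppy boot or a reset during the splash screen.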

Appendix A: Advanced Registry Fun

The registry contains more power than the human mind can comprehend. Through it, a lot of very scary things may be accomplished, as well as quite a few useful things. At any rate, This section is not for people who just started learning about the registry as they read the first part of this article. I strongly urge you to back up your registry before you do anything here.

The first thing I really must explain is the idea of policies. Microsoft has a "policy editor" called "poledit.exe" which is basically a cheap-ass cheesy, user-friendly registry editor that edits a very small and specific portion of the registry that contains policy information. It also creates ".POL" files, where a handful of other elusive policies are stored. I don't intend on covering the Policy Editor, though. In my eyes, the policies are easier to edit with the registry editor (or through patches) than through the policy editor. If you know the locations of each policy key and can remember what subkeys and values are under the policies, then you'll be in good shape. More likely than not, you'll have to create the policy keys and values in the registry editor. They won't already be in place. If they are, someone knew what they were doing.

The policy key is actually located in:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
There are 4 subkeys under Policies: Explorer, Network (if the computer is networked), System, and WinOldApp. For those of you who still aren't getting this, I'll do a little tree thing:

 HKEY_CURRENT_USER
 |
 Software
 |
 Microsoft
 |
 Windows
 |
 CurrentVersion
 |
 Policies
 |
 +-- Explorer
 +-- Network
 +-- System
 +-- WinOldApp


In this segment, we'll only be dealing with stuff under Policies, as this alone is a very powerful part of the registry. There are other parts as well, but I would need to write a novel if I were to cover it all. I won't talk about an HKEY path anymore. I'll just talk about "this and that value under the Explorer subkey". Remember, if the Policies key and the 4 subkeys under it don't exist, then CREATE THEM in the place I said they should be.

Locking Down the default user (when ESCAPE is pressed at the login screen). HKEY_USERS contains a list of all users with accounts on the machine. When expanded, there is a list of subkeys that, when the user logs on, become the structure of the HKEY_CURRENT_USER key. By editing the .Default user under HKEY_USERS (which is what you get when nobody logs in), you can lock down the default desktop to allow next to nothing to occur.

Restricting Programs From Being Executed. Restricting the command prompt is somewhat easy, but I'll tell you that restricting executables is extremely messy. This does not work the way you think it should, though. You can specify what executables you want to be able to run, and all others will be locked out. There is no way to lock out a handful of specific applications. The value that locks down executables is the "RestrictRun" value under the Explorer subkey.

When RestrictRun is set to 0, no execute restrictions are placed into effect. If RestrictRun is set to 1, restrictions are placed into effect. Before you take off and enable this, please be sure to set the names of programs you wish to allow run access. These are values labeled 1, 2, 3, 4, etc. These are string values under the RestrictRun SUBKEY of the Explorer Subkey. Do not confuse this with the value by the same name. I'll do a Mini-Tree (this one just goes back to the policies key, not all the way back to the HKEY)

 ...
 Policies
 |
 Explorer ------------> RestrictRun=0x00000001 (1)
 |
 RestrictRun ------> 1="Niceprog.exe"
             ------> 2="Regedit.exe"
             ------> 3="cdplayer.exe"
             ------> 4="telnet.exe"

A registry patch that would lock out all software except for regedit, poledit (Policy editor), netscape, wordpad, and explorer would look like this:

(This is a file snippit. Text may run off the right margin. Please look carefully at this segment)

 ----------------------------<Software-lock.reg>------------------------------- 

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"RestrictRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]

"1"="REGEDIT.EXE"
"2"="POLEDIT.EXE"
"3"="NETSCAPE.EXE"
"4"="WORDPAD.EXE"
"5"="EXPLORER.EXE"

----------------------------<END>---------------------------------------------

If this has been inserted into the registry, nothing will run except the applications you listed. I believe this modification kicks in after reboot. Two things to keep in mind: the check is on the file name only, so any program renamed to WORDPAD.EXE sails through, and an allow-list that includes REGEDIT.EXE and POLEDIT.EXE (as the sample above does, for a technician's benefit) hands the user the means to undo every other restriction. This is really not an efficient method to go about locking out programs, and I would advise using EXTREME caution when playing with this aspect.

To disable a command prompt while in windows, you just need to set the value called "Disabled" (under WinOldApp subkey) to dword 1. The drawback to this is that no dos-based programs or executables will run (due to the possibility that they might induce a shell). This is good for security unless old DOS-based apps are still being used.

Desktop Effects:

Sometimes, a good way to hinder a user's ability to do harm is to make it harder to navigate through the hard drive. One common trick is to remove all of the desktop icons. This makes it harder for them to execute anything that is not in the start menu, and makes it difficult to browse through the hard drive. If that's too drastic for you, you may just want to hide all the drives under My Computer, and disallow "Entire Network" browsing under Network Neighborhood. There are many options. All of the below values are under Explorer unless noted by another subkey (i.e. Network\NoNetHood)

    To do this:                                Set this value to a dword 1
    Remove all desktop icons                   NoDesktop
    Hide all drives in My Computer             NoDrives (see note)
    Hide Network Neighborhood                  Network\NoNetHood
    Disable "Entire Network" in NetHood        Network\NoEntireNetwork

Note on NoDrives: this one is a bit mask rather than a yes/no flag. Bit 0 hides A:, bit 1 hides B:, and so on up to bit 25 for Z:. A dword 1 therefore hides only A:; use dword 03ffffff to hide every drive.


Start Menu stuff:

It's always nice to remove as many intrusive things from the Start Menu as possible. This is also achieved with policies. Since the "Start Menu" and taskbar are all handled by EXPLORER.EXE, these values will need to be under the explorer subkey of policies.

    To do this:                                Set this value to a dword 1
    Remove Run option from Start Menu          NoRun
    Remove all folders from "Settings"*        NoSetFolders
    Remove Taskbar Properties from "Settings"* NoSetTaskbar
    Remove Find option from Start Menu         NoFind
    Disable Shutdown Command%                  NoClose

* If both values are set to 1, Settings will not show up on the Start Menu at all.
% This is not advisable, as it is no longer possible to "correctly" shut down the machine.

Another way to edit the registry is through an ".INF" file. These files are similar to patch files, except for a few slight differences.

.REG (Patch) files and .INF files compared:

Similarities:

  • Both can seriously mess up a registry file
  • Both can add values or edit existing values
  • Neither is restricted by the "DisableRegistryTools" stuff


Differences:

  • .INF files are MUCH more difficult to create.
  • .INF files can delete registry values and keys.
  • .INF files need to be Right-Clicked and the "Install" option selected in order to affect the registry, therefore they are a little safer.


Using .INF files for registry editing:

All .inf files start with:

 --------<CUT>--------- 

[Version]
Signature="$Chicago$"

----------------------

After that, you need to make a section called "DefaultInstall", and include the names of the sections that will hold registry editing Data. Then you need to create the proper sections (Called Add.Entries and Del.Entries in this example). If you place a semicolon (;) at the beginning of a line, it will be ignored, for commenting purposes. Look at the following example:

 ------------------------------------------------------------------------ 
[DefaultInstall]
AddReg=Add.Entries
DelReg=Del.Entries

[Add.Entries]
HKCU,Software\Microsoft,BillShallDie,,"Down With Bill!!!"

;Registry entries are stored in the following format:
;Branch (abbreviated), Key (path), ValueName, ValueDataType, ValueData
;
;There are a few things that need explaining here. The first is
;"Branch abbreviations", the next is "data types". Here we go...
;
;Abbreviations:
;HKEY_CURRENT_USER = HKCU
;HKEY_LOCAL_MACHINE = HKLM
;HKEY_CURRENT_CONFIG = HKCC
;HKEY_USERS = HKU
;HKEY_CLASSES_ROOT = HKCR
;HKEY_DYN_DATA = HKDD
;
;Data types:
;0=string
;1=binary, written as comma-separated hex bytes (01,ff,... with no "hex:" prefix)
;2=string (but don't replace the value if it already exists)
;3=binary (but don't replace the value if it already exists)
; Note: as shown in the example, if the data type is left blank,
; a data type of "0" is assumed.

[Del.Entries]
HKCU,Software\Microsoft,BillShallDie
;The format for delete entries is similar:
;Branch (abbreviated), Key (path), ValueName
;Leave the ValueName off and the whole key (with everything under it) is deleted instead.
------------------------------------------------------------------------
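The policy lock-down from earlier in this appendix (RestrictRun allow-list, desktop and Start Menu policies, WinOldApp) and the .INF format just described come together in the following added example, which is not code from the article. It builds one lock-down description into three files: a REGEDIT4 patch in the Software-lock.reg style, the equivalent .INF for Right-Click > Install, and an undo .INF that uses DelReg to strip the policies again, something a .REG file cannot do. POLICIES and ALLOWED_PROGRAMS are a constructed sample. Since the .INF types listed above have no DWORD, DWORDs are written as four little-endian bytes with type flag 1; that Explorer reads such a 4-byte binary the same as a DWORD is an assumption, so check the result in regedit after installing.

```python
"""Build a Windows 95 policy lock-down as a REGEDIT4 patch and as .INF files.
Added example, not from the HIR article; POLICIES and ALLOWED_PROGRAMS are a
constructed sample.  Assumption: a 4-byte binary written with INF flag 1 is
read by Explorer like the DWORD a .REG would create; verify in regedit."""

POLICY_ROOT = r"Software\Microsoft\Windows\CurrentVersion\Policies"  # under HKCU

# (subkey, value name, dword).  All "1 = restricted" except NoDrives, which is
# a bit mask of drive letters (bit 0 = A: ... bit 25 = Z:).
POLICIES = [
    ("Explorer", "NoRun", 1),
    ("Explorer", "NoFind", 1),
    ("Explorer", "NoDesktop", 1),
    ("Explorer", "NoDrives", 0x03FFFFFF),
    ("Network", "NoEntireNetwork", 1),
    ("System", "DisableRegistryTools", 1),
    ("WinOldApp", "Disabled", 1),
]
# RestrictRun allow-list.  It matches on file name only, so anything renamed
# to WORDPAD.EXE still runs, and it must not list the tools that undo the lock.
ALLOWED_PROGRAMS = ["NETSCAPE.EXE", "WORDPAD.EXE", "EXPLORER.EXE"]
REGISTRY_TOOLS = {"REGEDIT.EXE", "POLEDIT.EXE", "COMMAND.COM"}


def risky_entries(allowed):
    """Allow-list entries that would let the user undo the lock-down."""
    return [exe for exe in allowed if exe.upper() in REGISTRY_TOOLS]


def _entries(policies, allowed):
    entries = list(policies)
    if allowed:                      # RestrictRun only makes sense with a list
        entries.append(("Explorer", "RestrictRun", 1))
    return entries


def reg_patch(policies, allowed):
    """REGEDIT4 text that merges the lock-down (double-click, or regedit file.reg)."""
    by_key = {}
    for sub, name, val in _entries(policies, allowed):
        by_key.setdefault(sub, []).append((name, val))
    out = ["REGEDIT4", ""]
    for sub, vals in by_key.items():
        out.append("[HKEY_CURRENT_USER\\%s\\%s]" % (POLICY_ROOT, sub))
        out += ['"%s"=dword:%08x' % (name, val) for name, val in vals]
        out.append("")
    if allowed:
        out.append("[HKEY_CURRENT_USER\\%s\\Explorer\\RestrictRun]" % POLICY_ROOT)
        out += ['"%d"="%s"' % (i, exe) for i, exe in enumerate(allowed, 1)]
        out.append("")
    return "\r\n".join(out)


def inf_file(policies, allowed, undo=False):
    """$Chicago$ .INF.  Right-click > Install runs [DefaultInstall]; with
    undo=True the section carries DelReg only and removes every value (and
    the whole RestrictRun key) again."""
    add, delete = [], []
    for sub, name, val in _entries(policies, allowed):
        key = "%s\\%s" % (POLICY_ROOT, sub)
        le = ",".join("%02x" % b for b in val.to_bytes(4, "little"))
        add.append("HKCU,%s,%s,1,%s" % (key, name, le))      # flag 1 = binary
        delete.append("HKCU,%s,%s" % (key, name))
    rr_key = POLICY_ROOT + "\\Explorer\\RestrictRun"
    for i, exe in enumerate(allowed, 1):
        add.append('HKCU,%s,%d,0,"%s"' % (rr_key, i, exe))  # flag 0 = string
    if allowed:
        delete.append("HKCU,%s" % rr_key)   # no value name: delete the key
    head = ["[Version]", 'Signature="$Chicago$"', "", "[DefaultInstall]"]
    if undo:
        body = ["DelReg=Lock.Del", "", "[Lock.Del]"] + delete
    else:
        body = ["AddReg=Lock.Add", "", "[Lock.Add]"] + add
    return "\r\n".join(head + body + [""])


if __name__ == "__main__":
    bad = risky_entries(ALLOWED_PROGRAMS)
    if bad:
        raise SystemExit("allow-list would hand back the keys: %s" % bad)
    print(reg_patch(POLICIES, ALLOWED_PROGRAMS))
    print(inf_file(POLICIES, ALLOWED_PROGRAMS))
    print(inf_file(POLICIES, ALLOWED_PROGRAMS, undo=True))
```

Keep the undo .INF on the technician's floppy next to regedit.exe, not on the locked machine: as the comparison above says, an .INF is not stopped by DisableRegistryTools, so anyone who can right-click it can unlock the box.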

Appendix B: Some final stuff

Although you might be able to restrict executables from being run with policies, in some cases, the shortcuts in help files will still allow an application to be run.

The registry is almost impossible to secure. As noted in section I, it's fairly easy to mess around with the registry restrictions by using simple little patch files. There are also rumors that Norton's Registry editor is fully capable and willing to mess with the registry, regardless of the setting contained within the registry that supposedly will protect the registry from "Tools" that access the registry.

About policies, if the .POL files are stored on the local computer, and not on a network, then it's potentially easy for someone to locate and delete these files. This would ultimately result in a loss of certain policy restrictions. If your Windows 95 machines are on a network, you would be wise to keep the policy files stored on the server, rather than on each machine. Be sure to restrict user access to these files via your network's access restrictions. This will make it more difficult to mess with the policies.

Closing Remarks on Windows 95 Security

The point of this article was to bring to light some of the major security flaws that are associated with Windows 95. There are some really good 3rd party programs that will totally patch some of these holes and many others, but the programs themselves might have a few little flaws of their own. Please do not rip any keys off of your keyboard, though. Most of these little modifications do nothing more than keep the newbies and wanna-be's from being little destructive punks. Some examples in here were simply to show you that no matter how hard you try, someone will almost inevitably find a way in if it means enough to them.
