Lock IT Down: Prevent Windows 98 users from bypassing the logon screen

Windows 98 users can press [Esc] on the network logon screen, bypassing network authentication and leaving company data vulnerable. Here's how to disable the bypass.

When people argue about how inherently insecure Windows 98 is, one of the things most of them point to is that Windows 98 allows basically anyone to access the desktop, whether or not they've logged in to the network. All someone has to do is press [Esc] at the logon screen, and, even if you've set the Microsoft client to authenticate against your server, Windows 98 will bypass the logon screen and happily take you to a default desktop. Users won't be able to access any network data, but they can then get access to anything stored locally on the computer. Here's how to stop that from happening.

This article discusses making changes to your workstation's registry. Before performing any technique in this article, make sure you have a complete backup of your workstation. If you make a mistake when making changes to your workstation's registry, you may cause your workstation to become unbootable, which would require a reinstallation of Windows to correct. Proceed with extreme caution.

Before you begin
Before you disable the bypass logon, you should ensure that your workstation already has some type of network authentication available to it. Windows 98 will maintain a local database of users, but the best way to authenticate users is against your server. Right-click Network Neighborhood, and select Properties. When the Properties window appears, select Client For Microsoft Networks and click the Properties button. In the Logon Validation box, select Logon To Windows NT Domain and enter the Domain name in the Windows NT Domain box.

Don't panic if you're not using Windows NT but are instead authenticating against some other network operating system. The registry setting below will work with most other NOS authentication schemes. Just make sure that the network client is set as the Primary Network Logon on your workstation's Network properties screen.

Bypassing the bypass
To prevent Windows 98 users from bypassing the logon screen, log on to your workstation. Ironically enough, if you want to, you can bypass the logon screen by pressing [Esc].

Start the Registry Editor by selecting Run from the Start menu, typing regedit in the Open text box, and clicking OK. When the Registry Editor window opens, navigate through the left pane until you get to HKEY_LOCAL_MACHINE\Network\Logon. In the right pane, look for the value named MustBeValidated.

If the value exists, it's probably set to 0. To change the value, double-click it. You'll then see the Edit DWORD Value screen. Enter a value of 1 in the Value Data field and click OK.

If the value doesn't exist, you'll need to add it. Select New | DWORD Value from the Edit menu. The new value will appear in the right pane, prompting you for a value name. Type MustBeValidated and press [Enter]. Double-click the new value. You'll then see the Edit DWORD Value screen. Enter a value of 1 in the Value Data field and click OK. When you're done, your Regedit screen will look like the one in Figure A.

Figure A
Add the MustBeValidated value to your registry.

When you're done, close Regedit. Your registry changes will be saved automatically. Reboot your workstation. When your workstation restarts, you can test to see if the registry change worked by pressing [Esc] at the logon screen. Rather than going to a desktop, you should see the screen shown in Figure B.

Figure B
Windows 98 no longer allows you to press [Esc] to bypass authentication.
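
To confirm the setting on many workstations rather than one at a time, the following added example (not part of the original article) parses REGEDIT4 text exports made with Regedit and reports whether MustBeValidated is 1 under HKEY_LOCAL_MACHINE\Network\Logon. It goes beyond the article by also accepting the value stored as binary (hex:) data; the workstation names and export contents are constructed samples.

```python
import re

KEY = r"HKEY_LOCAL_MACHINE\Network\Logon"   # key and value name from the article
VALUE = "MustBeValidated"

def read_setting(reg_text):
    """Return MustBeValidated as an int from a REGEDIT4 export, or None if absent."""
    section = None
    for line in (raw.strip() for raw in reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()        # registry key names are case-insensitive
            continue
        m = re.match(r'"([^"]+)"\s*=\s*(.+)$', line)
        if section != KEY.lower() or not m or m.group(1).lower() != VALUE.lower():
            continue                            # same value name under another key is ignored
        data = m.group(2).strip().lower()
        if data.startswith("dword:"):
            return int(data[6:], 16)
        if data.startswith("hex:"):             # binary form: little-endian byte list
            octets = [int(b, 16) for b in data[4:].split(",") if b.strip()]
            return int.from_bytes(bytes(octets), "little")
    return None                                 # missing, or stored as a string

def audit(exports):
    """Map each workstation to True only when the value is present and equals 1."""
    return {name: read_setting(text) == 1 for name, text in exports.items()}

# Constructed sample exports (hypothetical workstation names, not real captures).
SAMPLES = {
    "WS-ENFORCED": r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Network\Logon]
"MustBeValidated"=dword:00000001
''',
    "WS-BINARY": '[hkey_local_machine\\network\\logon]\n"MustBeValidated"=hex:01,00,00,00\n',
    "WS-ZERO": '[HKEY_LOCAL_MACHINE\\Network\\Logon]\n"MustBeValidated"=dword:00000000\n',
    "WS-MISSING": r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Network\Logon]
"username"="constructed"

[HKEY_LOCAL_MACHINE\Software\Constructed]
"MustBeValidated"=dword:00000001
''',
}

if __name__ == "__main__":
    for name, enforced in audit(SAMPLES).items():
        print(name, "logon enforced" if enforced else "[Esc] bypass still possible")
```
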
