If you support a combination of Windows 9x and Windows 2000/XP systems, chances are that you’ve wished Windows 9x’s first line of defense for protecting the local system, the Enter Network Password dialog box, was more secure.
However, as you know, this so-called protection system is as weak as they come. Unlike the logon dialog box in Windows 2000/XP, anyone can bypass the Enter Network Password dialog box (shown in Figure A) and gain access to any data stored on the local hard disk. There are two ways to do so. First, you can type a new user name and password in the Enter Network Password dialog box and access the system with a dummy user account. Second, you can simply click the Cancel button in the Enter Network Password dialog box and access the system with the default user account.
|Any unauthorized user can bypass the Enter Network Password dialog box and gain access to data stored on the local hard disk.|
In Windows XP and Windows 2000, neither of these techniques will get you anywhere. Wouldn’t it be great if you could prevent unauthorized users from bypassing Windows 9x’s Enter Network Password dialog box by clicking the Cancel button or attempting to create a dummy account?
Fortunately, I’ve discovered a technique that will allow you to tighten the security of the Windows 9x Enter Network Password dialog box in such a way that an attempt to use either of these methods of unauthorized access will cause the system to essentially lock down. Depending on how you want to handle the situation, you can choose to have the system automatically shut down or run a password-protected screen saver.
In this Daily Drill Down, I’ll show you how to tighten the security of the Enter Network Password dialog box on your Windows 9x systems using this lockdown technique. As I do, I’ll explain each step in detail. Then, I’ll show you how to back up the lockdown technique with some additional security measures.
An overview of the lockdown technique
Before I get started with the actual procedure, let’s take a few moments to briefly look at how the lockdown technique actually works. To begin with, it’s important to understand that Windows 9x’s Enter Network Password dialog box has two functions depending on how the system is configured. First, on a computer connected to a network, it works in conjunction with the Client For Microsoft Networks component to allow access to the network. Second, on a computer configured for multiple users, it allows the operating system to determine which user is logging on so that it can enable the appropriate user account profile.
The lockdown technique takes advantage of the second function. Therefore, in order for the lockdown technique to work correctly, you’ll configure the Windows 9x system for multiple users via the User Profiles feature—even though only a single user may be working on the system. You’ll then lock down the default user account by adding a special configuration setting to the registry. As such, the only way that you could access the system normally would be with the correct user name and password.
Activating the User Profiles feature
The first thing you have to do when employing the lockdown technique is enable the User Profiles feature, if it’s not already enabled. In addition, you must make sure that the Include Start Menu And Program Groups In User Settings option is enabled.
To begin, access the Control Panel and double-click the Passwords icon. When you see the Passwords Properties dialog box, select the User Profiles tab. Then, select the Users Can Customize Their Preferences And Desktop Settings option and select the Include Start Menu And Program Groups In User Settings check box, as shown in Figure B. (While not necessary, you can also select the Include Desktop Icons And Network Neighborhood Contents In User Settings option as well.) To complete the operation, click OK and restart the system when prompted.
|You’ll begin the lockdown procedure by enabling the User Profiles feature.|
Once the system restarts, you’ll see the Welcome To Windows logon dialog box, shown in Figure C, just as if you’ve never logged on to the system before. To continue, all you have to do is type the exact same user account name and password.
|When the system restarts after enabling the User Profiles feature, you’ll see the Welcome To Windows logon dialog box just as if you’ve never logged on to the system before.|
You’ll then see a Windows Networking dialog box, which basically prompts you to create a new user profile for the person who uses that system, as shown in Figure D. To continue, just click Yes.
|You’ll then be prompted to create and save a user profile on the system.|
Preparing the registry
Now that you’ve activated the User Profiles feature, you need to make a few modifications in the registry. To do so, you’ll launch the Registry Editor by typing Regedit.exe in the Run dialog box. Once you have the Registry Editor up and running, navigate to the following key:
If the Run key doesn’t already exist inside the CurrentVersion key, you can create it by pulling down the Edit menu and selecting the New | Key command. After the new key appears, rename it Run and press [Enter].
To continue, you’ll open the Run key, pull down the Edit menu, and select the New | String Value command. When you see the New Value appear inside the Run key, name it FixLogon and press [Enter].
At this point, you’re ready to choose your lockdown method. As I mentioned in the introduction, you can choose to have the operating system shut itself down in the event of an unauthorized access attempt or you can have the operating system immediately run a password-protected screen saver.
Configuring the shutdown method
To configure the shutdown method, double-click the FixLogon String Value to open the Edit String dialog box. Then, type the following special command sequence in the Value Data text box (as shown in Figure E):
Be sure that you don’t add a space between the comma and the EXITWINDOWS command. If you do, the command sequence won’t work correctly.
|Once you access the Edit String dialog box, type the special command sequence in the Value Data text box.|
Configuring the screen saver method
To configure the password-protected screen saver lockdown method, double-click the FixLogon String Value to open the Edit String dialog box. Then, type the filename of one of Windows 9x’s two text-based screen savers in the Value Data text box. For example, if you want to use the Scrolling Marquee screen saver, you’d use the command:
On the other hand, if you want to use the 3D Text screen saver, you’d use the following command (as shown in Figure F):
Be sure to enclose the screen saver filename in quotes since both filenames contain spaces. To continue, click OK to close the Edit String dialog box and then close the Registry Editor.
|When you see the Edit String dialog box for the FixLogon value, you’ll type the filename of one of Windows 9x’s text-based screen savers in the Value Data text box.|
To complete the screen saver method configuration, click OK to close the Edit String dialog box and then close the Registry Editor.
Setting up the password-protected screen saver
After you’ve configured the FixLogin setting in the registry in order to run a screen saver, you need to configure the screen saver to run in the Default user account. To do so, click the Start button and select the Log Off command. When you see the Enter Network Password dialog box, click the Cancel button.
Once Windows 9x loads, the screen saver will immediately launch, but you can dismiss it by pressing the spacebar. Next, right-click on the desktop and select Properties to access the Display Properties dialog box. Then, click the Screen Savers tab and select either the 3D Text or Scrolling Marquee screen saver. Finally, configure the screen saver to display a warning message, such as the one shown in Figure G. Keep in mind that with the 3D Text screen saver, you’re limited to a 16-character message, while with the Scrolling Marquee screen saver, your message can contain up to 240 characters.
|A text-based screen saver will allow you to display a warning message.|
Once you configure your screen saver, assign a password to it. Make sure that you create a password that would be difficult to crack. For example, you might create a password that is made up of numbers, letters, and special characters.
Additional security measures
It’s important to keep in mind that locking down Windows 9x’s Enter Network Password dialog box using just the lockdown technique isn’t foolproof. A determined hacker can still bypass the Enter Network Password dialog box by starting Windows 9x in Safe Mode or booting with a bootable floppy disk. As such, you’ll need to employ some additional security measures.
Preventing Safe Mode access
To prevent an unauthorized user from starting Windows 9x in Safe Mode, you need to disable the Safe Mode Startup keys: F4, F5, F6, F8, Ctrl, and Shift. To do so, you’ll add a special setting to the Msdos.sys file.
To begin, use the Find utility to locate the Msdos.sys file in the root folder. Then, disable the Read-Only attribute so you can edit the file. To do so, right-click the file, select Properties from the shortcut, deselect the Read-Only check box, and click OK.
Now, with the Find window still open, launch Notepad and drag the Msdos.sys file from the Find window to Notepad. Next, locate the Options section and add the setting BootKeys=0, as shown in Figure H. Then, save the file and close Notepad. To complete the operation, return to the Find window, access the Msdos.sys file’s properties sheet again, select the Read-Only check box, and click OK.
|Adding the BootKeys=0 setting to the Msdos.sys file will prevent an unauthorized user from accessing a Windows 9x system via Safe Mode.|
Preventing floppy disk access
To prevent an unauthorized user from booting a Windows 9x system with a bootable floppy disk, you’ll want to disable the computer’s ability to boot from a floppy disk. Fortunately, the CMOS boot settings for most computers will allow you to disable booting from the floppy disk. If you don’t want to completely disable booting from the floppy disk, you can change the computer’s boot sequence so that it boots from the hard disk first and then from the floppy disk.
Accessing the CMOS setup program
On most systems, you’ll access the CMOS setup program by pressing [Delete], or another special key sequence, during the initial boot-up sequence before Windows 9x starts. You can watch the screen after you turn on the computer for information on accessing the CMOS setup program or consult the manual that came with the computer for detailed information on using the CMOS setup program.
Testing the lockdown technique
At this point, you’ll want to test the lockdown technique to make sure that everything is correctly configured. To do so, restart the system. When you see the Enter Network Password dialog box, click the Cancel button or type a new user name and password. Once you do, Windows 9x will begin the load normally, but as soon as the startup operation is complete, Windows 9x will immediately shut down or run the password-protected screen saver.