Workstations that use Windows 98 will never be as secure as those that use Windows NT, Linux, or UNIX. Although Windows 98 lacks file-level security, it can still guard your users’ workstations. In this Daily Drill Down, I’ll discuss seven steps that you can take in order to strengthen the security of your Windows 98 machines. Each step has certain advantages and disadvantages. Creating a good security policy for your company involves deciding which features you want to enable. For example, very small businesses or small networks may decide to implement all of them, but administrators of large networks may decide that the disadvantages to administration outweigh the extra security.
Step 1: Use good password sense
Follow these guidelines to make passwords harder to crack:
- Make your passwords seven characters or longer.
- Use a mix of lowercase and uppercase characters.
- Use numbers in passwords. These numbers don’t have to appear just at the end of the password. For example, you might replace “s” with 5 or “i” with 1.
- Don’t use a word or phrase that would be obvious, such as your own name.
By changing the registry, you can require Windows 98 (and NT) users to choose passwords of a certain length. Use Regedit to open the key:
Add a new REG_BINARY value called MinPwdLen. Set the required minimum number of characters that you want for each valid password. This registry setting will affect only new or changed passwords. Old passwords remain the same.
Editing the registry can have potentially disastrous results. Edit the registry only if you’re an experienced computer user, and always back up the registry before you make any changes.
You also can set the password length—and exert even more password control—by creating a system policy through a Windows 98 utility called the System Policy Editor (Poledit.exe). You can learn how to use this resource by reading “Using the System Policy Editor” and “Understanding System Policies.”
There is no significant downside to this step. Improving your security more than compensates for the slight inconvenience of having a password policy.
Step 2: Set a BIOS password
A password that’s stored in the computer (not in the OS) is a great candidate for added security because it prevents unauthorized users from even booting. To set a BIOS password (also known as a power-on password), boot the computer and start its setup program. You’ll need to know the right key to press; Compaqs typically use [F10], and Dells use [F2]. Once you’re in Setup, look for an option to set a power-on password and choose Yes. Add the new password and reboot.
If you have users who like to change their settings and cause you lots of support headaches, you can set another password to prevent access to the setup program itself. It keeps users from clearing power-on passwords from the BIOS.
You’ll have to remember and enter one more password each time you start your computer. BIOS passwords can be cleared, but it takes some work to do. In most cases, you need to open the computer and remove the CMOS battery. Leaving the battery out for five to 20 minutes will clear the power-on password. On some motherboards, it’s easier to change a jumper setting.
Step 3: Create a login screen for Windows 98
Although it’s one of the weakest features of Windows 98, creating a login account for your users still prevents computer-illiterate snoopers from playing with your users’ desktops. They won’t know that this feature is just a bluff and that all they have to do to bypass the login screen in Windows 98 (unlike NT or 2000) is press [Esc]! To create a login screen, follow these steps:
- Go to Start | Settings | Control Panel.
- Click the Passwords icon in the Control Panel window.
- On the Change Passwords tab, choose the Change Windows Password box. (This box is shown in Figure A.)
- Enter the information that’s requested. If you’re setting a password for the first time, leave the Old Password area empty.
Figure A: Change your password in this box.
The login screen doesn’t really add much security. Anyone who hits [Esc] can get to the desktop.
Step 4: Add a screen saver password
If your desktop’s security is so important that you’re bothering with BIOS and login passwords, then you won’t want to leave your computer vulnerable every time you step away from your office. Why not add a screen saver password to keep curious eyes off of your desktop? You can do so by following these steps:
- Right-click on some blank desktop real estate.
- Select Properties.
- Choose the Screen Saver tab from the Display Properties dialog box.
- Choose a screen saver (if you haven’t already) and adjust its delay value to a time period that’s reasonably brief—three to five minutes would be fine.
- Check the box next to Password Protected, click Change (as shown in Figure B), and add or change your password. If you set a password length restriction earlier, it will be enforced here.
Figure B: Adding a screen saver password is as easy as checking the appropriate box.
Having screen saver passwords on many machines creates an administrative headache. What happens if you need to maintain a computer when the user isn’t available? Furthermore, if you don’t reset the screen saver first, it tends to start up when you’re in the middle of a download or an upgrade.
Step 5: Turn off file and printer sharing
There isn’t much point to protecting your desktop if every user on the network has access to your files. You need to prevent general network access to your hard disk by removing file and print sharing from network properties. If you right-click a folder and choose properties when sharing is enabled, the resulting dialog box will contain a tab called Sharing. When sharing is removed, that tab will disappear. If a folder is shared, it will appear on the network with the name you give to it in this tab. You can specify access as read-only, full, or password-dependent. You have an option of specifying one password for read-only access and another password for full access. When you turn on a share, the folder icon changes. In Windows Explorer, shared folders appear to be offered by a hand with the palm up. This scheme is referred to as share-level security.
Although you may have good reasons for sharing resources on your network, there are a few drawbacks to using share-level security. First, the share information is stored on your workstation, and anyone who gains access to the computer can modify the shares. Second, shares aren’t authenticated. Again, anyone on the network who obtains the password can access your resources. Third, share-level security provides only one password per folder. Put this aspect together with the lack of authentication, and there isn’t any way to secure your folders at the user level. Finally, unlike Windows NT or Windows 2000 when it’s running NTFS, you can’t protect files—just folders.
To remove file and printer sharing, go to the Control Panel and click the Network icon. On the Configuration tab, scroll down the network components list to File and printer sharing for Microsoft Networks, as shown in Figure C. Highlight that option and click the Remove button. Afterwards, your hard drive will become much more secure.
Figure C: Remove file and printer sharing from the Network applet.
You will lose your ability to share your resources on the network.
If you absolutely must share the contents of a folder with members of a workgroup or domain, opt for user-level security instead of share-level security. Although you can’t protect resources down to individual files and your shares are still stored on your computer, you can authenticate users against a list of authorized accounts on a Windows NT or NetWare server. To enable user-level security, follow these steps:
- Make sure that you’ve installed file and printer sharing.
- Click on the Network icon in Control Panel.
- Select the Access Control tab and choose User-level Access Control.
- In the box below, fill in the name of the Windows NT domain or workstation that has user accounts (if it’s not filled in already).
If you’re running a NetWare network, you’ll want to install File and Printer Sharing for NetWare Networks. Then, follow the same steps as above. When you come to the last step, however, fill in the NetWare server (not the NT domain or workstation) that has your user accounts.
To share a folder, highlight it in Windows Explorer and right-click. Select Properties and click the Sharing tab. You can keep the same share name or revise it. Then, click Add. The Add Users dialog box will open. It contains a list of all of the groups and users on the Windows NT domain or workstation that you selected. Select a user or group and click one of the buttons marked Read Only, Full Access, or Custom to move the user or group to that level of access. Figure D shows a user who has been added to Full Access. You may choose as many users or groups as you want.
Figure D: You can add any user to Full Access.
Custom access needs to be defined before you can save it. When you close the Add Users dialog box, the Change Access Rights dialog box will open, as shown in Figure E. Check a box that corresponds to the access that you want the user or group to have. You can allow custom users to read, write, create, and delete files; change file attributes; list files; and change their own access control.
Figure E: The Change Access Rights dialog box lets you customize user access.
Sometimes a user who tries to log on to your shared resources may receive an Access Denied message. The user, who may have more than one workstation, may be coming in through a different domain. If a trust relationship hasn’t been established between the two domains, then access isn’t possible.
Step 6: Turn off remote administration
Remote administration allows specified groups or users, such as the IT department or help desk staff, to access your personal computer and make changes from a central location. Remote users can browse and manage shared resources, manage the file system, edit the registry, and monitor the performance of the remote computer. Although it’s convenient for the IT staff, you may want to turn off remote administration when your computer needs to be extra secure. To do so, double-click the Passwords icon in Control Panel, click the Remote Administration tab, and uncheck Enable remote administration of this server. Please note that the change won’t take effect until the next time you boot.
You’ll make it more difficult to administer your network.
Step 7: Disable password caching
When you’re asked for a password in Windows 98, you’re given the choice of having the OS remember the password for you so that you don’t have to fill it in next time. Once you check the Save Password box, your password is encrypted in a file with the extension .pwl. If someone gains access to your desktop, this person can send and receive your e-mail and access any other resources for which the passwords are cached. Password caching makes you vulnerable. On the other hand, some of us have so many passwords that we would have to possess a remarkable memory just to recall all of them.
If you can store all of your passwords in your head, then feel free to turn off password caching. Doing so will protect your desktop against many threats. To turn off caching, follow these steps:
- To open the registry, click Start | Run and type Regedit.
- Navigate to this key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Network.
- Add a new DWord value called DisablePwdCaching.
- Give it a value of 1 to enable this feature.
You also can disable password caching by creating or modifying a system policy with the System Policy Editor (Poledit.exe).
Users will have to remember each password. If they start making lists of their passwords to help their memories, then security is even more threatened than it was before. It also takes time to type a password every time you log on.
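To confirm that the registry changes from Step 1 and Step 7 actually landed on a machine, you can export the registry from Regedit to a text file and check it offline. The following Python script is an added example, not part of the original article: it parses a REGEDIT4 export and reports whether DisablePwdCaching is 1 and MinPwdLen is at least seven. The sample exports are constructed, and `PLACEHOLDER_KEY` is a stand-in because the article does not show the key that holds MinPwdLen.

```python
import re

# Key named in Step 7 of the article.
POLICY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Network"
# Matches value lines such as "Name"=dword:00000001 or "Name"=hex:07
VALUE_RE = re.compile(r'^"([^"]+)"=(dword|hex):([0-9A-Fa-f,]*)$')

def parse_reg(text):
    """Parse a REGEDIT4 export into {key: {value_name: (kind, int)}}, names lowercased."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name, kind, data = m.groups()
            if kind == "dword":
                value = int(data, 16)
            else:  # REG_BINARY: comma-separated bytes, least significant first
                value = int.from_bytes(bytes(int(b, 16) for b in data.split(",") if b), "little")
            current[name.lower()] = (kind, value)
    return keys

def audit(text, min_len=7):
    """Return findings for the Step 1 and Step 7 settings; an empty list means both pass."""
    keys, findings = parse_reg(text), []
    caching = keys.get(POLICY_KEY.lower(), {}).get("disablepwdcaching")
    if caching is None or caching[1] != 1:
        findings.append("DisablePwdCaching is not 1: password caching is still on")
    # The article does not show the key that holds MinPwdLen, so match the value name in any key.
    lengths = [v["minpwdlen"][1] for v in keys.values() if "minpwdlen" in v]
    if not lengths:
        findings.append("MinPwdLen is not set")
    elif min(lengths) < min_len:
        findings.append(f"MinPwdLen is {min(lengths)}, below {min_len}")
    return findings

# Constructed sample exports; PLACEHOLDER_KEY stands in for the key the article omits.
HARDENED = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
"DisablePwdCaching"=dword:00000001

[HKEY_LOCAL_MACHINE\PLACEHOLDER_KEY]
"MinPwdLen"=hex:07
"""
WEAK = HARDENED.replace("dword:00000001", "dword:00000000").replace("hex:07", "hex:04")

if __name__ == "__main__":
    for label, export in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit(export) or "OK")
```

The parser handles only single-line dword and hex values, which is enough for these two settings.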
When it comes to security, every enhancement is a trade-off. To gain more security, you lose a certain measure of convenience. You’ll want to weigh the gains in security against your losses in user-friendliness and IT administration before you make drastic changes to your machines. If you have suggestions, tips, or comments about security and Windows 98, send me an e-mail.
Mike Jackman is an editor in chief of TechProGuild, an editor of PC Troubleshooter and Windows Support Professional, and also works as a freelance Web designer and consultant. In his spare time (when he can find some), Mike’s an avid devourer and writer of science fiction, parent to two perpetually adolescent cats, and a hiking enthusiast.