Showing posts with label Current User. Show all posts
Showing posts with label Current User. Show all posts

Tuesday, November 29, 2022

Three system policies for Recent Documents in Windows

Removes the Documents menu from the Start menu

The Recent Items menu contains links to the nonprogram files that users have most recently opened. It appears so that users can easily reopen their documents. If you enable this setting, the system saves document shortcuts but does not display them in the Recent Items menu. If you later disable it or set it to Not Configured, the document shortcuts saved before the setting was enabled and while it was in effect appear in the Recent Items menu. Note: This setting does not prevent Windows programs from displaying shortcuts to recently opened documents. See the Do not keep history of recently opened documents setting. Also, see the Do not keep history of recently opened documents and Clear history of recently opened documents on exit policies in this folder. This setting also does not hide document shortcuts displayed in the Open dialog box.
NoRecentDocsMenu

Clear history of recently opened documents on exit

If you enable this setting, the system deletes shortcuts to recently used document files when the user logs off. As a result, the Documents menu on the Start menu is always empty when the user logs on. If you disable or do not configure this setting, the system retains document shortcuts, and when a user logs on the Documents menu appears just as it did when the user logged off. Note: The system saves document shortcuts in the user profile in the System-drive\Documents and Settings\User-name\Recent folder. Also, see the Remove Documents menu from Start Menu and Do not keep history of recently opened documents policies in this folder. The system only uses this setting when neither of these related settings are selected. This setting does not clear the list of recent files that Windows programs display at the bottom of the File menu. See the Do not keep history of recently opened documents setting. This policy setting also does not hide document shortcuts displayed in the Open dialog box.
ClearRecentDocsOnExit

Do not keep history of recently opened documents

Prevents the operating system and installed programs from creating and displaying shortcuts to recently opened documents. If you enable this setting, the system and Windows programs do not create shortcuts to documents opened while the setting is in effect. Also, they retain but do not display existing document shortcuts. The system empties the Documents menu on the Start menu, and Windows programs do not display shortcuts at the bottom of the File menu. If you disable this setting, the system defaults are enforced. Disabling this setting has no effect on the system. Note: The system saves document shortcuts in the user profile in the System-drive\Documents and Settings\User-name\Recent folder. Also, see the Remove Documents menu from Start Menu and Clear history of recently opened documents on exit policies in this folder. If you enable this setting but do not enable the Remove Documents menu from Start Menu setting, the Documents menu appears on the Start menu, but it is empty. If you enable this setting, but then later disable it or set it to Not Configured, the document shortcuts saved before the setting was enabled reappear in the Documents menu and program File menus. This setting does not hide document shortcuts displayed in the Open dialog box.
NoRecentDocsHistory
The System Registry branch for all these System Policies is the same - Software\Microsoft\Windows\CurrentVersion\Policies\Explorer on hive - HKEY_CURRENT_USER
Value Type: REG_DWORD
Value Data: 0 (also absent) or 1

As Microsoft gives in their Administrative Templates spreadsheets, all of these three system policies are applied on User-based scope, despite the fact that they could be enabled on Local-machine as well, what I found while testing my software.
Another fact, Microsoft Administrative Templates tell that these system policies act at least since Windows 2000. No, they can be applied in Windows Me, Windows NT 3.51 and Windows NT 4.0

AAAnalyzer Logo
All these system policies are realized in Activity and Authentication Analyzer
Download

Thursday, February 20, 2003

Policies for the Windows startup management

mad hack

The article describes the System Policies, which allow to manage the application startup in Windows 98/ME/2000/XP.

This article describes four system policies managing the startup lists, which contents are processed by Windows during the initial system boot. The talk will be about four lists, which values, containing the documents or applications names, are stored in the following keys:

  1. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  2. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  3. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  4. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Here are few notes of these lists. The lists, which are located in HKEY_LOCAL_MACHINE hive, as it follows from the name, are common for all the system, and the HKEY_CURRENT_USER lists are worked through only for the current user registered in the system. The lists stored in HKEY_LOCAL_MACHINE hive are processed before the lists, stored in HKEY_CURRENT_USER hive. As it follows from the very name of key, the launch of document or application, registered in the key "RunOnce" occurs one time, notwithstanding whether the launch has been successful or not. The value stored in key "RunOnce", is deleted before the launch of application, which name it contains.

To avoid the reiteration I introduce the features common for all the policies. All the policies are applicable for Windows versions 98, ME, 2000 and XP. Their states are stored in numeric values of DWORD type. The values can be of binary type for Windows 98, ME. All the policies are of Boolean type. For the DWORD-values the value "1" stands for the active state, the value "0" blocks the policy, turning it to the disabled state. Two values "01 00 00 00" and "00 00 00 00" will represent the corresponding states of policy for the values of binary type. "By default" the policies are not enabled in the system. The missing of corresponding value in the system registry is equivalent to the disabled state of the policy. All the values must be stored in "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" key.

The values standing for the state of the policy can be in both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER hive. The value, located in HKEY_LOCAL_MACHINE hive, has an effect on the whole system, in comparison with value in HKEY_CURRENT_USER affecting the current user. If the same policy appears in both hives of the system registry, the policy, which value is in HKEY_LOCAL_MACHINE hive, has the priority over the policy with the value in HKEY_CURRENT_USER.

Disable the LOCAL MACHINE Run list

The state of this policy is stored in the "DisableLocalMachineRun" value. When the policy is in active state, the system ignores the content of "Run" list, locating in LOCAL MACHINE.

Disable the LOCAL MACHINE Run Once list

The value "DisableLocalMachineRunOnce" is responsible for the state of this policy. If the policy is in active state, the system ignores the "RunOnce" content in LOCAL MACHINE.

Disable the CURRENT USER Run list

"DisableCurrentUserRun" value represents the state of this not documented policy. This policy is directed to prohibit the system from processing the content of "Run" list, locating in the HKEY_CURRENT_USER hive of the system registry.

Disable the CURRENT USER Run Once list

Microsoft does not document this system policy either. Its state is stored in the "DisableCurrentUserRunOnce" value. When the policy is enabled, the system ignores the content of "RunOnce", storing in HKEY_CURRENT_USER.

The implementation in Activity and Authentication Analyzer

In order to see the state of above-mentioned policies or to manipulate them in Activity and Authentication Analyzer follow in the left navigation pane next way:

Computer Administration then Control Panel, then Windows StartUp and find in the right list items corresponding to these policies named:

  • Disable the CURRENT USER Run list
  • Disable the CURRENT USER Run Once list
  • Disable the LOCAL MACHINE Run list
  • Disable the LOCAL MACHINE Run Once list

Thursday, February 6, 2003

Disable Save Password in Dial-Up Connections

mad hack
The article describes the System Policy, which controls the password caching in Dial-Up Connections in Windows NT4/2000/XP.

"By default", in Dial-Up connections the entered password is saved after successful connection, if the option "Save password", located on Dial-Up dialog box, is selected. After the password has been saved, it is not to be entered again, it is suggested automatically to corresponding edit box. The users used to have feeble memory or simply do not want to force it. For such category of users the password caching in Dial-Up connections is a definite convenience. The password caching may be the serious gap in the system security or the network security on the whole. And, under the security considerations, the administrator may wish to disable caching of the Dial-Up passwords.

The numeric DWORD-value "DisableSavePassword", which must be stored in the "SYSTEM\CurrentControlSet\Services\RasMan\Parameters" system registry key, in the HKEY_LOCAL_MACHINE hive, stands for the system policy, which while being in active state, disables the save password in Dial-Up connections. The "1" value enables the policy, "0" or missing of the value set the policy to not active state. When it is set to active state, the option "Save password" will; be hidden, and cached passwords will be lost.

And the last note: the policy is applicable in Windows NT 4, 2000, XP.

In order to see the state of above-mention policy "Disable Save Password in Dial-Up Connections" or to manipulate it in Activity and Authentication Analyzer follow in the left navigation pane next way:

Computer Administration then Control Panel, then Passwords and find it in the right list item corresponding to this policies named:

  • Disable Save Password in Dial-Up Networking

Friday, January 10, 2003

System Policies for the Windows network passwords caching management

mad hack

The article is dedicated to the System Policies, which controls the network passwords caching in Windows 95/98/ME.

The problem of passwords caching, on the other hand, their storage on the local drive, and concerning this the security threat, appeared in Windows for Workgroups 3.11 and still exists in 32-bit Windows. The files with "*.PWL" extensions, which were used to store the enciphered local copies of passwords used for access to the network and net resources in Windows for Workgroups 3.11, passed to the 32-bit Windows versions: 95/98/ME.

The Microsoft realisation of DES algorithm, which enciphers the password, was compromised several times. Discussion of this is out of frames of this article, dedicated to the Windows administering there were published a lot of articles and utilities breaking the weak cryptographic defense.

These files are created in the folder, where the Windows was installed. This folder will be the booting one. Soon of all, this directory will be "C:\Windows" for Windows 9.X/ME. If this folder was renamed, it is possible to determine its location simultaneously with all environmental variables through typing "set" in DOS command prompt. The environmental variable "windir" reveals the sought path. The passwords are cached to the files named USERNAME.PWL, where "USERNAME" is user named given while logging on or accessing the resource.

Besides, the list of files for cached passwords copies is kept in the in "System.ini" initialisation file, which is also stored in Windows boot directory. The section "[Password Lists]" is created in this file, where are stored the strings like "USERNAME =C:\WINDOWS\USERNAME.PWL", "User name=full file name with cached password". When user registers in the system, Windows check this list containing the references to the files with passwords. First eight letters of user name are taken to form the file name. If the file with such a name exits, it is overwritten.

Microsoft solved partially the problem of weak cryptographic algorithm released the Service Pack 1 for Windows 95 and updated version of Windows 95 OSR1 (OEM Service Release 1). The key length was enhanced from 32 bit to 128.

The Windows 9.X and ME operating system can be classified as D class of protection according to the "Orange Book". In them it is possible to stroke simply the Esc key or Cancel button in order to bypass the password dialog box, on condition that the system is not a part of domain and not demanded the obligatory verification procedure. The password in Windows 9.X/ME is necessary for the network resources access and not crucial for the boot of very operating system. On the other hand, they can be classified as systems allowing "the open and not restricted access". The protection of client machines working under Windows 9.X/ME control can not be even compared with the protection of servers. The breakers are ruled with the same "admissible hypothesis", to attack them, gaining later the access to the protected resources.

Microsoft offers the next system policies as one of the partial solution to this problem.

Disable Password Caching

This system policy disables the network passwords caching. When it is in active state, the passwords are not cached, but user is to enter the password each time while attempting to access the password-protected resource. "By default" the policy is disabled in the system.

Its state is represented with the pair of Boolean values, which is stored in "DisablePwdCaching" parameter, in the "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network" system registry key. Although, the type DWORD is recommended for this value in MSDN, this policy will work in Windows 95/98/ME with "DisablePwdCaching" value of binary type. DWORD-value takes "1" and "0", the binary - "01 00 00 00" and "00 00 00 00". The first of pair of values stands for the active state of the policy. The missing of value in the system registry sets the policy to disabled state.

This key is located in HKEY_LOCAL_MACHINE hive and the range of this policy covers not the Current User, but all the system (Local Machine). When it is enabled, the "Change Windows Password" password is blocked in the "Passwords" applet in "Control Panel", showing that the passwords can not be changed. The second dialog box for the confirmation of new password is also disappeared.

If the persistent connections with the password-protected resources are created, then after enabling the policy, the Quick Logon feature for the Microsoft network client can not be used effectively, when there is no automatic verification that all network connections are ready, but network connections are restored while they are required.

"Disable Password Caching" does not erase the file list in "System.ini". The files with "*.PWL" are also remained and, and they must be deleted manually, if needed.

The active state of this policy has an effect for the caching of passwords, which are entered in the forms of browser Internet Explorer, when the AutoComplete is enabled. The cached passwords are "lost" after the system reboot, notwithstanding the states of check boxes "Prompt me to save passwords" and "User names and passwords on forms" which control the password caching in browser. These boxes are on the "Content" page in "Personal information" in browser "Internet Options (Properties)".

Disable Domain Password Caching

While in active state this system policy disables the caching of the passwords for the access to domain or domain network resources.

The numeric "NoDomainPwdCaching" value, located in "Network\Logon" key, in HKEY_LOCAL_MACHINE system registry hive, stands for its representation. The range of the policy covers all the system. The "1" value brings it to enabled state, "0" or absence - to disabled. "By default" the policy is not present in the system.

The implementation in Activity and Authentication Analyzer

In order to see the state of above-mention policy "Disable Password Caching" or to manipulate it in Activity and Authentication Analyzer follow in the left navigation pane next way:

Computer Administration then Control Panel, then Passwords and find it in the right list item corresponding to this policies named:

  • Disable Password Caching

Friday, November 8, 2002

Policies for the passwords caching management in Internet Explorer

mad hack

The article gives the System Policies, which manage the caching, on the other hand, saving to the local drive, the passwords in Internet Explorer.

The dialog box will appear, requesting additional credentials whether to save or not password, after the password is entered to the form window in Internet Explorer. Later, the password will not to be entered once more time, when the same page with the same input form is opened. That is the very password caching.

On the one hand, the password caching is the obvious facility for user, who may even forget the entered password, on other hand, is the serious security threat, because the unhampered access to password-protected resource is possible, it is enough for this to know its exact name. If in Windows the automatic completion for the addresses or forms in Windows or Internet Explorer is enabled, so called AutoComplete, the task is simplified to minimum. The very feature of automatic completion gives out the item list, while exploring which it is possible to guess the exact name of resource. The one taken item given by automatic completion can be deleted from the list. The item must be selected and the DEL must be clicked afterwards. However, this feature does not for the drop-down addresses list entered in Internet Explorer address box.

If one opens in browser "Internet Options (Properties)" the page with "Content" tab, one can see the "AutoComplete" button. On clicking this button, the dialog box appears containing the check boxes for the control over "Use AutoComplete for": "Web addresses", "Forms", "User names and passwords on forms" and "Prompt me to save passwords". The password caching in Web pages forms can be totally disabled with check box named "User names and passwords on forms". The check box "Prompt me to save passwords" deselecting disables all the further caching, but, the passwords, entered before, are still automatically suggested, when the user name is entered in the same form. The passwords AutoComplete prohibition in settings does not clean the information on names and passwords corresponding to them, which is already entered before, which; there are to buttons for this to "Clear AutoComplete history", which are located below, in the same dialog box, named: "Clear Forms", "Clear Passwords".

The full consideration of the AutoComplete feature is out of this article topic. I note two facts in conclusion. The AutoComplete settings, stored addresses, are common either for Internet or Windows Explorer. The last fact: the AutoComplete is nice tool to implement the activity analysis and to reconstruct the user's work.

To avoid unnecessary reiteration and potential discrepancies, caused by the difference inherent to various browsers versions, presence the installed services packs, various Windows versions, I must at once notice, that all the given information was tested on Windows ME, Internet Explorer 5.5, with installed service pack for 128-bit cipher strength.

Disable Password Caching

Here the talk will be about how to disable the password caching in Internet Explorer. This system policy has restricted application. The information given here concerns: the Internet Explorer of 4.01 version with the 2nd service pack installed, the Internet Explorer of 5 and 5.01 versions, working on Windows 95, 98, NT 4.0 and the Internet Explorer 5.01 for Windows 98 Second Edition. For instance, the Internet Explorer of 5.5 version ignored this policy, while performing the test on Windows ME.

The state of this system policy is stored in the numeric "DisablePasswordCaching" value, which must be in "Software\Microsoft\Windows\CurrentVersion\Internet Settings" system registry key, in HKEY_CURRENT_USER hive. Correspondingly, the policy range spreads over the Current User only, but not over all the system. The "1" value enables the policy, the "0" value or its missing disables the policy. "By default" this policy is in disabled state in Internet Explorer and there is password caching in Internet Explorer.

The Microsoft company releases the article Q229940 in MSDN titled: "How to Disable Internet Explorer Password Caching".

Do not allow AutoComplete to save passwords

This system policy has the similar purpose to the previous one. While in active state this system policy disables the automatic completion of the names and passwords in Web-pages forms and prevents from appearance the dialog boxes requesting whether to save or new password. If this policy is enabled, the check boxes "User names and passwords on forms" and "Prompt me to save passwords" become dimmed, showing that blocked both these features and the very possibility to switch them on.

One must select the page with "Content" tab in "Internet Options (Properties)" settings, and later click the "AutoComplete" button in order to see these check boxes.

The value "FormSuggest Passwords", storing this policy, is located in "Software\Policies\Microsoft\Internet Explorer\Control Panel", in HKEY_CURRENT_USER hive. The range of this policy covers only the Current User, registered in the system, but not all the system on the whole. It is not necessary to reboot all the system but will be enough to reload the very browser, closed before this all its instances, to take this policy into effect, when its state is changed.

It is demonstrative, that the Microsoft realisation of this policy provokes more than perplexity. The "FormSuggest Passwords" value can be either of numeric (DWORD) or binary or string type. The missing of value in the system registry brings the policy to the disabled state - state "by default". If the value is of numeric type, the two Boolean values: "1", gives the active state, and "0", which gives disabled, respectively, stands for the representation of two states. When the value is of binary type, it can have two possible values: "01 00 00 00" for active state and "00 00 00 00" for not active.

The strangest reaction of this policy was on the content of this value of string type. The empty string or the "yes", "no", "1" and "0"content bring the policy to active state. The strings "true" and "false" or total missing of value cancel its effect. The symbol case had no effect.

The active state of the policy for "prohibition for AutoComplete to save passwords" does not lead to erasing the information that is already entered into history journal, which stores the names and corresponding to them passwords.

And last note: the "FormSuggest Passwords" value, storing in "Software\Policies\Microsoft\Internet Explorer\Control Panel" key and the value with the same name, which can be stored in "Software\Microsoft\Internet Explorer\Main" key, possibly appearing in either HKEY_LOCAL_MACHINE, or HKEY_CURRENT_USER hives are not to be mixed. The last value belongs to the browser setting, storing the state of check box with name "User names and passwords on forms".

The implementation in Activity and Authentication Analyzer

In order to see the state of above-mention policy "Disable Password Caching" or to manipulate it in Activity and Authentication Analyzer follow in the left navigation pane next way:

Computer Administration then Internet Explorer and find it in the right list item corresponding to this policies named:

  • Disable Password Caching

In order to see the state of above-mention policy "Do not allow AutoComplete to save passwords" or to manipulate it in Activity and Authentication Analyzer follow in the left navigation pane next way:

Computer Administration then Internet Explorer, then IE Tools and find it in the right list item corresponding to this policies named:

  • Do not allow AutoComplete to save passwords

Thursday, September 12, 2002

System Policies for Password applet of Control Panel

mad hack

The article is dedicated to the System Policies for the Password applet of Control Panel for Windows 95, 98, ME.

Passwords in the common sense resemble the key and the lock and, when humankind begot the division to the native and the strange, there appeared the problem of authentication. The password management is inseparable part of any system security rules and simultaneously the main target for the computer malefactors.

The system policies for Windows 95, 98 and ME, destined for the restriction of the accessible for the user actions in Passwords applet, which is located in Control Panel are represented in this article. The Password applet has three pages: "Change Passwords", "Remote Administration" and "User Profiles". The "Remote Administration" page will appear after the installation of the relevant services. The "Change Passwords" tab contains the controls: "Change Windows" and "Change other Passwords". The "Remote Administration" tab is used for enabling and further managing the "Remote administration". The customised (personal) preferences for the different users for the Desktop, Network Neighbourhood, Start menu and Programs menus can be enabled on the "User Profiles" page. The below-given system policies were designed for single-user, or how it went in fashion to name: "client", Windows systems. I do not intentionally introduce the detailed descriptions for the functions or purposes of these or others settings of "User Profiles" or "Remote Administration" in order not to go away from the topic of Password administration in Windows 9.x. The Passwords management in Windows NT or 2000 is also out of this article topic.

All the policies given in the article have a lot of common features. All of them are Boolean, in other words, can have only two states. They have the scope of the Current User only, and all are stored in the HKEY_CURRENT_USER system registry hive. The values corresponding to their states are numeric (DWORD) and can be equal to "1", enabling the policy and to "0", disabling it. The policies are absent in the system by default. If there is no corresponding value in the system registry, this is equivalent to the "0" and disables the policy. All the policies are stored in "Software\Microsoft\Windows\CurrentVersion\Policies\System" key.

Disable Passwords in Control Panel

This policy, stored in "NoSecCPL" value, prohibits from launching the Passwords applet in Control Panel, thus, protecting from changing the system settings concerned with the system security. While making an attempt to access there appears the message that the system administrator restricted the Passwords applet.

Hide Change Passwords Page

The state of this policy is stored in the "NoPwdPage" value. When the policy is in enabled state, the access to the "Change Passwords" page is closed. This page is removed from the Passwords applet and Windows passwords can not be changed through this applet in Control Panel.

Hide Remote Administration Page

The value "NoAdminPage" responds for the hiding of the "Remote Administration" page. If the policy is enabled, there is no access to "Remote Administration" page, since the page is removed from the Passwords applet and it will be impossible to change the settings through the applet in Control Panel.

Hide User Profiles Page

The value "NoProfilePage", being equal to "1", turns this policy to the enabled state and the "User Profiles" page is removed from the Passwords applet. Thus, the applet using to change "User Profiles" settings is forbidden.

The implementation in Activity and Authentication Analyzer

In order to see the state of above-mentioned policies or to manipulate them in Activity and Authentication Analyzer follow in the left navigation pane next way:

Computer Administration then Control Panel, Passwords item after this, and find in the right list items corresponding to these policies named:

  • Disable Passwords in Control Panel
  • Hide Change Passwords Page
  • Hide Remote Administration Page
  • Hide User Profiles Page

Thursday, August 22, 2002

System Policies for the restriction of Display settings (Part 2)

mad hack
The description of the system policies intended for the Display settings restriction is continued in this article.

Screen Saver, besides the functionality of User Interface decoration, can have the functions of security and discretionary access, when it has enabled the password protection. Screen Saver, like every application, demands substantial resources to work. The latest versions of screen savers are drastically saturated with graphics, what could slow the system down, especially during initial start. This can have an effect, for example, on performance of the disk defragmentation program. Next three system policies are dedicated to restrictions imposing on Screen Saver.

Disable screen savers from running while Disk Defragmenter Active

This system policy can be applied to Windows versions 9.x and ME. It is stored in the "Default" value, in the "Software\Microsoft\Windows\CurrentVersion\ Applets\Defrag\Settings\DisableScreenSaver" key, located in the HKEY_CURRENT_USER hive. Two Boolean values: "Yes" and "No" respond for the state of this policy. Which of values corresponds to which state of this policy, I think, is clear from the literal meanings of these words in English. If the "Default" value does not store anything, this means that the policy is not enabled. While in enabled state, this policy blocks the screen saver launching when the Disk Defragmenter is active.

The launch of screen saver during the disk defragmenter active can slow down or interrupt the disk defragmenter routine. Here it is necessary to note that this policy affects only the defragmentation program which is provided together with Windows. This system policy does watch the work of disk defragmentors from other vendors, for example, from the Norton Utilities package.

No screen saver

This system policy works in Windows versions 2000 and XP. If this policy is enabled, it will prohibit Screen Saver from launching and blocks all "Screen Saver" section with saver settings. It is stored in DWORD "ScreenSaveActive" value in "Software\Policies\Microsoft\Windows\Control Panel\Desktop" key of HKEY_CURRENT_USER system registry hive. The "0" value means active state of this policy and protection of the Screen Saver launch. The "1" or its absence is analogous to the state, when the policy is not configured and there is no prohibition to Screen Saver against launching or their settings adjusting.

Password protect the screen saver

This system policy can be also applied only in Windows versions 2000 and XP. Comparing with other system policies given in this article, its state can be represented by a pair of Boolean values, coming to the binary "yes" or "no". It has three states. This policy is stored in HKEY_CURRENT_USER hive in DWORD "ScreenSaverIsSecure" value, which must be located in "Software\Policies\Microsoft\Windows\Control Panel\Desktop" key. This policy responds to, whether the Screen Savers, which are used in Windows system, resort to passwords and prohibits setting (changing) Screen Saver password by means of Display Properties application.

This policy has three states:

  1. The "ScreenSaverIsSecure" value is absent in system registry. The behavior of screen saver is usual and the passwords can be changed, set or using of them can be canceled with the aid of check box window "Password protected".
  2. The value stores "0". In this case, the password protection is compulsorily disabled.
  3. When the value is "1" the passwords for screen savers are compulsorily enabled.

If the "ScreenSaverIsSecure" value is present in "Software\Policies\Microsoft\Windows\Control Panel\Desktop" system registry key and it stores any of "1" or "0" values, it means that the policy is in active state and the check box window is blocked. On the other hand, it will be impossible to enable or disable password protection until the value is deleted from the registry.

The above-described policy "No Screen Saver" has the priority over this policy. If the policy "No Screen Saver" is enabled state, the system ignores the state of "Password protect the screen saver" policy.

Allow only bitmapped wallpaper

This system policy, having the range of Current User, allows using only bitmapped images of bmp-format for the Desktop wallpaper. It ought just now to mention that it can be applied for Windows 98, ME, 2000 and XP. The policy will work in Windows 95 and NT, with Explorer 4.0x or higher installed together with the "Active Desktop". And, on condition, that the "Active Desktop" is not disabled by the system policy. It is related to the "Active Desktop" management and that is why its consideration is out of topic of present article.

The DWORD "NoHTMLWallPaper" value, stored in "Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" key in HKEY_CURRENT_USER hive, responds for state of this policy. This value accepts two states "1" or "0". The "0" value or its absence disables the system policy.

Disable Changing Wallpaper

This system policy, having also the range of Current User, prohibits from Desktop wallpaper changing. Like previous policy, it is related to the policies for "Active Desktop" management and works in Windows 98, ME, 200 and XP. "Disable Changing Wallpaper" can be applied in Windows 95 and NT, when Internet Explorer 4.0x is installed with the "Active Desktop".

The DWORD "NoChangingWallpaper" value, located in "Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" key, in HKEY_CURRENT_USER hive. This value can have two states: "1", when the policy is enabled, or "0" (absence of value), when the policy is not activated. If the "Active Desktop" is not installed or it is disabled by the policy, this policy is ignored.

Disable Display in Control Panel

This policy prohibits Display application from launching and using. When it is activated, it will be necessary to work directly with registry by means Regedit or third-party vendors utilities to change the Display settings. Its range is Current User. The message is appeared, while attempt to launch Display application, explaining that Administrator disabled Display.

DWORD "NoDispCPL" value accepts two of Boolean values: "1" or "0". Its "0" value or its absence disables the system policy. The value "1" activates the system policy. This value is stored in "Software\Microsoft\Windows\CurrentVersion\Policies\System" key, in HKEY_CURRENT_USER hive.

The implementation in Activity and Authentication Analyzer

In order to see the state of some of above-mentioned policies or to manipulate them in Activity and Authentication Analyzer follow in the left navigation pane next way:

Computer Administration then Control Panel, later Display and find in the right list items corresponding to these policies named:

  • Disable Screen Saver while Disk Defragmenter Active
  • No screen saver
  • Password protect the screen saver

In order to see the state of some of above-mentioned policies or to manipulate them in Activity and Authentication Analyzer follow in the left navigation pane next way:

Computer Administration then Active Desktop and find in the right list items corresponding to these policies named:

  • Allow only bitmapped wallpaper
  • Disable Changing Wallpaper

To see the state of Disable Display in Control Panel policy or to manipulate it in Activity and Authentication Analyzer follow in the left navigation pane next way:

Computer Administration then Control Panel and find in the right list item corresponding to the policy named:

  • Disable Display in Control Panel

Thursday, August 15, 2002

System Policies for the restriction of Display settings

mad hack
The article gives the System Policies intended to restrict the change of Display settings.

This article is dedicated in the most to the system policies allow restricting the access to the settings available through the Display applet in the Control Panel. The Display applet is accessible in Windows in several places. It is located in the Control Panel. Or it can be called using context menu, by clicking with right mouse button on the empty place on the Desktop and later by selecting the corresponding menu item.

There can be the situation, when the system administrator encounters the necessity to restrict access of the not skilled users to the Display settings. For instance, wrong refresh rate may have the result of physical damage to the monitor. The proper adjustment of Display settings may increase video subsystem performance rate as well as system general performance rate. The increasing of refresh rate diminishes the flicker effect, betters the comfort of work. That is called the ergonomic features. The Active Desktop settings are closely linked with Display settings. The last: the Active Desktop can be the breach in the system security. But, the Active Desktop has a lot of own settings and system policies, which consideration is out of topic of this article.

The most of the system policies illustrated in this article are stored in the values, which are or can be located in HKEY_CURRENT_USER system registry hive. It ought to note the general rule. That is to say: the policies stored in the HKEY_CURRENT_USER have the Current User scope, but not the entire Computer.

Hide Screen Saver Page

This policy works in all Windows versions and, being enabled, removes the Screen Saver page from the applet for the Display settings in Control Panel. The Screen Saver selection, its settings customisation, Energy saving features of monitor and computer will not be accessible, but through the direct work with the system registry. For instance, exit from the hibernation mode can lead to the hang-up of mouse or system in the whole. The Screen Saver removing, customisation and password change respectively will not be available, what can create the additional illusion of being secured for user and administrator.

The state of this system policy is stored in numeric value "NoDispScrSavPage" in key "Software\Microsoft\Windows\CurrentVersion\Policies\System" of HKEY_CURRENT_USER hive. The value equal to "1" is the active state of policy. The value "0" or its absence, what is equivalent to the state by default, means that policy is not applied or what is the same that the policy is in disabled state.

Disable UI to change menu animation setting

The animation effects for the Windows, menus and lists are created to vary that user's work, who likes transition effects, but can annoy or distract others from the work, who get accustomed to the classic interface or tired from long stay before the computer. The menu shading effect, drawing with explosion or sliding effects are, for example, considered as the animation effects.

The check box "Use transition effects for menus and tooltips", standing for the enabled or disabled state of the animation effects, is located on the Effects page of Display applet.

This system policy, fit for the Windows versions ME, 2000 and XP, while enabled, removes all the video animation effects. The option for the "Use transition effects for menus and tooltips" is also disabled, the dimming effect is applied on the check box, showing that the very possibility to turn on the animation effects is not available. This policy state is stored in the numeric value "NoChangeAnimation" in "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" registry key. This policy can be stored in both either HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER hives, and has the scope of either Current User or Local Machine respectively. A pair of Boolean values: "1" (enabled state) and "0" (disabled state) respond for representation of this policy. If the value is not present, this is equivalent to state by default - disabled policy. If conflict exists between policies applied both to Local Machine and Current User, the policy stored in HKEY_LOCAL_MACHINE has the priority over the policy which value stored in HKEY_CURRENT_USER.

Disable UI to change keyboard navigation indicator setting

This system policy, which works in Windows 2000 and XP is kindred to above-described system policy "Disable UI to change menu animation setting". The keyboard navigation indicator is the underlining indicating the hot key. If this policy is enabled, the navigation indicators are displayed only when the "Alt" key is pressed. The underlining, like animation effects for windows, menus and lists are also created for diversification of work for user, who likes the transition effects, but can embarrass or distract form job.

The option, which is the check box for turning on the effect of underlining, is located on the Effects page and named: "Hide keyboard navigation indicators until I use the ALT key". While the option "Hide keyboard navigation indicators until I use the ALT key" is blocked, the check box is dimmed to show that the possibility of turning on the navigation indicators is not accessible. The system policy, canceling the navigation indicators and forbidding the manipulation of their enabled (disabled) state, is stored in the numeric value "NoChangeKeyboardNavigationIndicators". This value is stored in the "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" system registry key. This policy can be present either in HKEY_LOCAL_MACHINE hive and have the Local Machine range or HKEY_CURRENT_USER hive, with Current User range. When the conflict exists between the same policies with the Local Machine and Current User ranges, the system policy, stored in HKEY_LOCAL_MACHINE has the priority over the policy, stored in HKEY_CURRENT_USER hive. This policy state is represented with the pair of Boolean values: "1" and "0". The absence of value is equivalent to the state by default - "0", in other words, the disabled state of the policy.

Hide Appearance Page

This policy is applicable in all Windows versions and removes the Appearance page from the applet for Display settings in Control Panel after being enabled. It is stored in the numeric value "NoDispAppearancePage" of "Software\Microsoft\Windows\CurrentVersion\Policies\System" key in HKEY_CURRENT_USER hive. After appliance the Appearance page is hidden, and applet for Display settings can not be used for the customisation of colour or appearance scheme for the Desktop and windows.

A pair of Boolean values: "1" (enabled state) and "0" (disabled state) respond for representation of the policy. The absence of "NoDispAppearancePage" value means that the policy is not set or what is the same if it is in disabled state.

Hide Background Page

This policy works in all Windows versions and removes the Background page from the applet for Display settings in Control Panel after being set to the enabled state. The state of policy is stored in the "NoDispBackgroundPage" numeric value in "Software\Microsoft\Windows\CurrentVersion\Policies\System" key of HKEY_CURRENT_USER system registry hive. When this policy is in active state, the Background page is removed and applet for Display settings can not be used for the customisation of patterns or wallpapers for Desktop.

There can be in the value one of Boolean values: "1", i.e. the policy is enabled, or "0", when the policy is in disabled state. When the "NoDispBackgroundPage" value is absent in "Software\Microsoft\Windows\CurrentVersion\Policies\System" key, the applet for Display settings behaves in common way.

Hide Settings Page

This policy is applicable in all Windows versions and removes the Settings page from the applet for Display settings in Control Panel after being enabled applet for settings can not be used for the settings customisation of Display, video card, colour management. The numeric value "NoDispSettingsPage" of "Software\Microsoft\Windows\CurrentVersion\Policies\System" in HKEY_CURRENT_USER system registry hive responds for this policy state.

A pair of Boolean values: "1" (enabled state) and "0" (disabled state) respond for representation of two states of this policy. The absence of "NoDispSettingsPage" value is equivalent to its zero value state.

In order to see the state of above-mentioned policies or to manipulate them in Activity and Authentication Analyzer follow in the left navigation pane next way:

Computer Administration then Control Panel, later Display and find in the right list items corresponding to these policies named:

  • Hide Screen Saver Page
  • Disable UI to change menu animation setting
  • Disable UI to change keyboard navigation indicator setting
  • Hide Appearance Page
  • Hide Background Page
  • Hide Settings Page

Thursday, July 18, 2002

System Policies for the restriction of printers

mad hack

The article describes the System Policies, which restrict the access to the adjustments, forbids deleting or adding new printers to the system.

While elaborating on the security rules for computer system, the part of rules are dedicated to the printer management. The prohibitions against: settings adjustment, addition or new printers installation are included to management of printers in the framework of security rules. The second, what can be emphasised while creating stricter rules - the access to printers must be under proper supervision to avoid undesirable, on the reason of elementary paper and supplying materials economy, or not authorised, on the reason of conducting confidentiality measures.

As far as I revealed, all the illustrated policies for management of printers can be located in both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER system registry hives and applied to Local Machine or Current User respectively. If the same policy was applied both to HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER, while conflict exists, the policy with Local Machine range has the priority over the policy with the range of Current User.

All the values have numeric DWORD type. The value equals "1" stands for the active state of the policy, its absence or value "0" cancels the restriction introduced by the system policy.

The last, what I would like to give the accent to in the preface is in order to put for sure into the effect the system policy, Windows must be restarted.

Disable Addition of Printers

The numeric value "NoAddPrinter" located in the branch "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" is responsible for this policy. This system policy prohibits from using the applet Printers from the Control Panel to add new printers to the system.

While attempt to install new printer using Printers folder, the message appears explaining that due to restrictions set by system administrator this action is impossible.

Disable Deletion of Printers

DWORD-value "NoDeletePrinter" stores the state of this system policy, which is created in the branch "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer". This policy prohibits from deleting of printers from the system. Printer can be deleted by selecting the Delete menu item in short-cut menu of the corresponding printer shown in Printers folder in Control Panel. While attempt to delete printer using Printers folder, the message appears explaining that this is impossible due to restrictions introduced by system administrator.

Hide General and Details Pages

This policy can be applied under Windows 95, 98 and ME.

The value "NoPrinterTabs" stores the state of this policy, which must be located in the same "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" branch as above-mentioned system policies. If this policy is enabled, the General and Details pages are hidden in the printer property dialog box, thus protecting from the changing of specific settings. Since the Details page allows manipulating the system settings, therefore there may be the need to remove the access to it for not experienced users.


The implementation in Activity and Authentication Analyzer

In order to see the state of above-mentioned policies or to manipulate them in Activity and Authentication Analyzer follow in the left navigation pane next way:

Computer Administration then Control Panel, Printers item after this, and find in the right list items corresponding to these policies named:

  • Disable Addition of Printers
  • Disable Deletion of Printers
  • Hide General and Details Pages

Thursday, July 11, 2002

System Policies for the restriction of MS-DOS

mad hack

The article is dedicated to the System Policies destined for the restriction of MS-DOS.

When developing the operating system, the Microsoft Corporation encounters all the time the next dilemma. On the one hand the need to provide with the backward compatibility with the previous operating systems and programs, developed for them, including MS-DOS. On the other hand, the urgent demand to get rid of the very MS-DOS to provide secure and stable functioning, to design operating system with genuine multitasking and correct resource sharing. The literal reading of the abbreviation, which gives the name to system registry key storing the policies destined for the MS-DOS restriction: "WinOldApp" - Windows Old Applications.

Time by time, the administrator faces the need to forbid the users to launch the MS-DOS applications or reboot the computer to the single MS-DOS mode, while conducting the administration of either net client or servers.

I deliver few thoughts to ensure the benefits of the policies, which are resorted to for MS-DOS restriction in Windows systems. The 16-bit Windows applications are unsecured for the safety and stability of the working under Windows systems. While the most of the MS-DOS applications are finely performed simultaneously in the 32-bit Windows environment, some MS-DOS applications demand the monopoly access to the system resources for the performance. The Virtual Machine Manager (VMM) creates the system environment with the exclusive rights, so-called the Single MS-DOS mode. When MS-DOS application is launched in the MS-DOS mode, it is gained the exclusive rights for the system resources and no other applications or processes have any rights to access the system resources. Therefore the MS-DOS applications are also the threat because of the possible capture of the control over the system resources. Besides, the MS-DOS prohibition disables execution of the game programs, designed for MS-DOS, which distract from job, and are often, like other computer games, potential virus containers.

To tell the truth, all above-given argumentation, like the system policies, developed by Microsoft for the MS-DOS restriction are no more than palliation.

Disable MS-DOS Command Prompt

This policy prohibits the MS-DOS Command Prompt usage in Windows or launch of the MS-DOS applications from within the Windows shell.

The numeric value "Disabled" responds for this system policy state, which is stored in the HKEY_CURRENT_USER hive of the system registry in the "Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp" branch. The value "1" enables the restriction for the MS-DOS applications launch, the value "0" or the absence of the value is the default state and removes this prohibition.

While attempting the DOS application launch or "MS-DOS Command Prompt" activation using the icon containing the link to the command interpreter "COMMAND.COM", Windows gives out the message that the administrator prohibits the launch. I do not deliver the literal message text, which is varied depending on the Windows version.

Disable Single Mode MS-DOS Applications

This policy is intended for the prohibition of the Windows reboot to the Single MS-DOS mode. Its state does not affect the usage of MS-DOS Command Prompt in Windows or the MS-DOS applications launch from within the Windows shell.

The state of this system policy is stored in the numeric value "NoRealMode", which is located in the same system registry branch as above-described value: "Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp" in the hive HKEY_CURRENT_USER. The value equals to "1" stands for the prohibition of the MS-DOS launch in the Single mode. The value "0", which is default state, or its absence removes the prohibition of the Single MS-DOS mode.

When this policy is enabled in Windows 95/98 the menu item "Restart in MS-DOS mode" is removed from the "Shut Down" dialog box. However, it must be noted here, that this does not prohibit entirely the MS-DOS launch in the Single mode. The Single MS-DOS mode can be entered, while Windows booting by clicking F8 key and than selecting any item, which contains the "Command Prompt".

In Windows ME and later this value can be stored in the system registry in two hives: HKEY_CURRENT_USER and in HKEY_LOCAL_MACHINE hive, and spreads the scope either on the Local Machine or Current User respectively. There is no conflict between the policies having the different scopes: any policy disables the Single MS-DOS mode.

Another attempt to get rid of MS-DOS was undertaken in Windows ME - the menu item "Restart in MS-DOS mode" was removed from the "Shut Down" dialog box in a difference from the Windows 9.x. However, it inherits a lot o interface from the previous versions. That is why, the policy "Disable Single Mode MS-DOS Applications" applied on the Local Machine is used to remove some unnecessary elements. If deleting the value from the system registry has disabled this policy, there will be an interesting effect: the menu item "Restart in MS-DOS mode" will appear in the "Shut Down" dialog box. But an attempt to reboot to MS-DOS gives nothing; there will be the message explaining that this version of Windows does not support the MS-DOS mode.

In order to see the state of above-mentioned policies or to manipulate them in Activity and Authentication Analyzer follow in the left navigation pane next way:

Computer Administration then MS DOS and find in the right list items corresponding to these policies named:

  • Disable MS-DOS Command Prompt
  • Disable Single Mode MS-DOS Applications

Activity and Authentication Analyzer history

"Activity and Authentication Analyzer" takes into account what system policies and what histories of user activity are inherent in...