Gain more control over user profiles

Out of the box, Windows NT Workstation and Windows 9x aren't as secure as they could be. If numerous users are going to share a workstation, you need to configure it so that unwanted actions don't occur on that system. To make these adjustments you can configure the system manually, employ Service Pack 4's (SP4's) Security Configuration Manager, use a policy editor, or purchase third-party products. Citadel Technology's WinShield is a desktop management and security package for NT Workstation and Win9x systems that lets an administrator define and control the desktop at a fairly granular level.

How It Works
WinShield is a network-enabled application that you install on a network file server for shared use. After you install the product on workstations and at least one file server, it enforces its security policies when a user logs on.

The software enforces policies at a system level; after you enable a system to run WinShield, any user who logs on to that system is subject to the security enforcement of the product. WinShield decides what security to enforce on the user through the use of its profiles. You can define specific profiles for specific users, and if a user doesn't have a specific profile, the software enforces a default profile. Users can roam from system to system and have this profile follow them. The product keeps a copy of the default profile on each WinShield-enabled system so that if a system is unable to communicate with the server where you have WinShield installed, the software enforces the default profile.

Permission Controls
WinShield has 10 categories of controls for defining permissions: System, Open & Save, CD-ROMs, Printers, Network, Explorer, Start Menu, Appearance, Sharing, and DOS. Each category contains items that an administrator can enable or disable.

The System controls prohibit users from executing Registry editing tools and uninstalling or changing drivers. This control can also prevent users from modifying items that affect performance, such as cache and virtual memory sizes. Open & Save options define restrictions that limit locations where users can open and save files. The CD-ROMs controls specify which CD-ROM volumes users can mount locally on the system. This restriction works based on the CD-ROM's volume name, where WinShield reads the volume name and checks whether the administrator has authorized it for use. The Printers category forbids users from modifying drivers, ports, and spool settings and can prevent changes to printers.

Network controls define which aspects of the available network the user can see—the entire available network or none of it, the local machine only, and the local machine and its workgroup. These controls can also prevent changes to network hardware and software configurations and disallow remote administration of the workstation.

The Explorer categories provide controls over the desktop (e.g., you can remove all icons from the desktop so that none appear). This control lets users open items only on the Start Menu. WinShield also lets you disable the Explorer Options menu, prevent users from employing the rename and delete commands, disable the use of the right-click pop-up menu, disable the use of NT Explorer, and limit which drives are available to the user.

With WinShield, the Start Menu is highly customizable, letting the administrator define which submenus users can access, such as Programs, Settings, and Find. In addition, WinShield can prevent users from customizing the Start Menu, and you can configure it to display only selected shortcuts.

Under the Appearance category, administrators can disallow changes to the screen saver settings, wallpaper, display resolution, and general appearance aspects, such as the desktop color scheme. Sharing controls can prevent file and printer sharing and dial-in networking, but on the downside it can't stop a user from dialing out to a remote network. DOS controls can forbid access to the DOS command shell command prompt and prevent any DOS applications from running on the workstation.

Taking a Test Drive
I installed WinShield on an NT 4.0 server for network access and used NT Workstation 4.0 to test the software. Installing the product was easy and consisted of three basic phases: installing the software on a file server, configuring its profiles, and adjusting NT user profiles to execute a WinShield logon script.

During the initial installation, WinShield limited which file servers I could install the software on. Because the setup program relies entirely on Microsoft network API calls to determine which servers are visible, I had to log on in the same domain or workgroup as the file server. The setup program doesn't let you manually enter a server name; you must choose it from the list of servers that WinShield discovers using the API calls.

After I installed the software on the file server, I ran the Citadel Administrator, which Screen 1 shows. I used Citadel Administrator to configure the default profile with my preferences. Any user logging on to a WinShield-enabled workstation uses the default profile if you haven't already configured the product to assign that user a specific profile.

After I configured the default profile, I defined several other profiles for different departmental networks to use. Defining the profiles includes establishing preferences based on the available configuration settings and identifying which NT-based users and groups WinShield assigns to the profile. After I defined the WinShield profiles, I adjusted the NT user account profiles with User Manager to run the WinShield logon script, which installs the software onto the workstation when the user logs on. You can use a single server-based installation of WinShield for NT Workstation and Win9x systems.

Not Bad
WinShield is more robust than NT's built-in Profile Editor, but it still lacks a few features you find in products such as AXENT Technologies' PCShield. (WinShield doesn't offer any NT audit trail or enforce any type of password restrictions—PCShield does.) But I think WinShield is a good product and deserves a close look. If you're in the market for desktop management and security enhancement, consider WinShield.

WinShield
Contact: Citadel Technology * 800-962-0701
Web: http://www.citadel.com
Price: $69.95
System Requirements: Windows NT Workstation 4.0 or Windows 9x