dwyerp

Poledit work-around for MS-DOS limitation

At our school, I have installed system policies via POLEDIT and have
included a restriction on running MSDOS programs for all students. This is
one bit of POLEDIT which actually works!

However I have received some subject resource CDs which run from MSDOS
applications so I need to circumvent the MSDOS limitation for these
applications only.

Every time a student runs the application they, of course, get rejected
because "the system administrator has restricted access to this
application". I'd like to get around this without removing the restriction
on running other MSDOS programs.

I did come across a batch file which someone had written to do this. It
goes something like this:

SET COMSPEC=C:\BOGUS.COM
CD\APPDIR
DOSPROG.EXE

However, I can't get it to work. Can someone suggest what else I might need
to set - program properties etc. Is the above information incorrect
altogether? Any advice would be appreciated.
j2

You might wanna look into a program like this
http://www.neosoft.com/~kmlslip/KMLProducts/winshield95.htm


dwyerp

ASKER

I am not interested in looking at yet another security package. My question related specifically to Poledit.

I do not want to throw yet another security package at the system as it might resolve one problem but open up a pile of others. I am the sole administrator in this school of 1100 students and I don't have the time to evaluate and implement a new package every time I come across a problem with the existing one.
Then you are out of luck, there is NO policy option to discriminate between different non-windows applications.. So, you manage over 1100 students.. I manage over 1300 workstations with approx 8000 users... and Winshield is a great tool for the "non essential stations"

ASKER

This is not an answer. So far "experts exchange" has scored 0. I want my hundred points back!
Well, then just delete the question and refund yourself the points, as easy as that. Ever appeared to you that some problems cannot be solved for "out of the box" programs, that sometimes you _must_ use 3rd party software?
Sorry, the above was meant as a comment... so sorry.
You should just be able to make a list of program file names that can be run, and take off the restriction to MSDOS based programs.  This will then allow only the programs you specify.  Make sure however, that you don't restrict at least one login, such as Admin, because if you do, you won't be able to use Poledit or Regedit, and other system utilities.
Oh, by the way, if my answer is correct, then they should give me the points because the other guy that locked the question didn't mean to.
the drawback is: The user can then make a bat or exe file with the same name as an allowed program, and happily run it.
Actually, I am pretty sure that they can't run anything in the batch file that isn't an allowed application.
Nooo, but if you allow the use of for instance "abc.bat" a user can create a "abc.bat" anywhere on the system and run that.

If you allow the use of "xyz.exe" a user can either compile their own program named "xyz.exe" or use "bat2exe" to turn a batfile into an .exe file and execute it. Believe me, this works.

There is NO way to make the built in restrictions use an absolute path to an allowed program, you can ONLY tell it what program names you can/can not run.
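An added example, not part of any post in this thread: it contrasts the name-only matching described above with an allow list that pins the full path and a content hash. The file names come from the batch file in the question; the directory layout and file contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hash file contents so a replaced binary is detected."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def allowed_by_name(path, allowed_names):
    """Name-only rule, as the thread describes: only the file name is compared."""
    return os.path.basename(path).lower() in allowed_names

def allowed_by_path_and_hash(path, allowed):
    """Stricter rule: the full path must be listed AND the contents must match."""
    key = os.path.normcase(os.path.realpath(path))
    expected = allowed.get(key)
    return expected is not None and os.path.isfile(path) and sha256_of(path) == expected

def write_file(path, data):
    with open(path, "wb") as f:
        f.write(data)

def demo():
    """Create constructed sample files and evaluate both rules against them."""
    root = tempfile.mkdtemp()
    genuine = os.path.join(root, "APPDIR", "DOSPROG.EXE")
    lookalike = os.path.join(root, "TEMP", "DOSPROG.EXE")
    for path, data in ((genuine, b"constructed: approved program"),
                       (lookalike, b"constructed: unapproved program")):
        os.makedirs(os.path.dirname(path))
        write_file(path, data)

    names = {"dosprog.exe"}
    pinned = {os.path.normcase(os.path.realpath(genuine)): sha256_of(genuine)}
    results = {
        "name_genuine": allowed_by_name(genuine, names),
        "name_lookalike": allowed_by_name(lookalike, names),
        "pinned_genuine": allowed_by_path_and_hash(genuine, pinned),
        "pinned_lookalike": allowed_by_path_and_hash(lookalike, pinned),
    }
    # Edge case: the approved path is overwritten in place; only the hash catches it.
    write_file(genuine, b"constructed: tampered contents")
    results["pinned_overwritten"] = allowed_by_path_and_hash(genuine, pinned)
    return results

if __name__ == "__main__":
    for check, verdict in demo().items():
        print(f"{check:20} {'ALLOW' if verdict else 'DENY'}")
```

The name-only rule allows both files; the pinned rule allows only the approved copy and denies it again once its contents change.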
Where would some kid in a school get bat2exe though?  There aren't very many kids that can even make batch files, let alone know how to make them into an exe!

Oh and another thing.  Seeing that not very many kids are computer smart, if you don't allow any batch files to run, then they can't run such files.

Also, is there any way they can find out what files they are allowed to run other than trial and error (assuming they don't have access to changing the StartMenu)?

The below text is a test.  I just want to see what HTML code will do on this page.

<A HREF="mailto:trent_adams@usa.net">test</a>
Trial and error? ANY user can see what programs are allowed to run, and you would be AMAZED how smart kids are :)

Now, if your assumption is correct that kids aren't computer smart, why impose policies at all?
and furthermore.. the fact that the school has more than 1100 students leads me to believe that the school should hold a variety of ages...  And teenagers are definitely computer smart ;)
dwyerp,

I assume that the reason you included the batch file is because someone said they were able to restrict DOS apps with system policy restrictions, but allow selected DOS apps to run using a similar batch file.

I do use System Policies at my office, but have not used this restriction.  However, the implication of the batch file is that Win95 is restricting the loading of COMMAND.COM - not really the DOS app itself.  The reason I think this is because there's a separate entry for restricting the DOS prompt.

IF this is the case, what you would need to do is copy C:\COMMAND.COM to C:\BOGUS.COM - then the batch file would use BOGUS.COM as the shell for the DOS app.

Your only other alternative is the (EXTREMELY UGLY) option of generating a list of allowable applications under the - User/System/Restrictions/Only Run Allowed Windowed Applications.

Under this option, however, you must list EVERY executable allowed!

and even if you DO list every allowed application, you can still circumvent it by creating your own executable program.

ASKER

I have resolved the problem myself. Please delete this message and stop sending me email.
How about offering us an explanation how you did it? (if nothing else, it will give me some info as to how to circumvent it ;) )
ASKER CERTIFIED SOLUTION
smeebud

This solution is only available to members.

ASKER

Does not exactly answer my question but gives a good background in the usage of existing tools.

Maybe some of the other "try-hards" who attempted this one and suggested further third-party packages should learn more about the system they are working with.

This problem can be closed
This is my last comment, since it costs me 10 points every time I look at this question: The above-mentioned restrictions can _easily_ be circumvented... they work if you want a "semi safe" system, but it is BY FAR _not_ fool proof!

For instance.. Look up a small util called "lophtrak" (or similar) it will bypass ANY restrictions on ANY W95 machine the user can physically log on to... A very nasty exploit for a huge bug in W95.