Solved

Poledit work-around for MS-DOS limitation

Posted on 1997-08-31
Last Modified: 2013-12-16
At our school, I have installed system policies via POLEDIT and have
included a restriction on running MSDOS programs for all students. This is
one bit of POLEDIT which actually works!

However I have received some subject resource CDs which run from MSDOS
applications so I need to circumvent the MSDOS limitation for these
applications only.

Every time a student runs the application they, of course, get rejected
because "the system administrator has restricted access to this
application". I'd like to get around this without removing the restriction
on running other MSDOS programs.

I did come across a batch file which someone had written to do this. It
goes something like this:

SET COMSPEC=C:\BOGUS.COM
CD\APPDIR
DOSPROG.EXE

However, I can't get it to work. Can someone suggest what else I might need
to set - program properties etc. Is the above information incorrect
altogether? Any advice would be appreciated.
Question by:dwyerp
21 Comments
 
LVL 12

Expert Comment

by:j2
ID: 1750296
You might wanna look into a program like this
http://www.neosoft.com/~kmlslip/KMLProducts/winshield95.htm


0
 

Author Comment

by:dwyerp
ID: 1750297
I am not interested in looking at yet another security package. My question related specifically to Poledit.

I do not want to throw yet another security package at the system as it might resolve one problem but open up a pile of others. I am the sole administrator in this school of 1100 students and I don't have the time to evaluate and implement a new package every time I come across a problem with the existing one.
0
 
LVL 12

Expert Comment

by:j2
ID: 1750298
Then you are out of luck, there is NO policy option to discriminate between different non-windows applications.. So, you manage over 1100 students.. I manage over 1300 workstations with approx 8000 users... and Winshield is a great tool for the "non essential stations"
0
 

Author Comment

by:dwyerp
ID: 1750299
This is not an answer. So far "experts exchange" has scored 0. I want my hundred points back!
0
 
LVL 12

Expert Comment

by:j2
ID: 1750300
Well, then just delete the question and refund yourself the points, as easy as that. Ever appeared to you that some problems cannot be solved for "out of the box" programs, that sometimes you _must_ use 3rd party software?
0
 
LVL 12

Expert Comment

by:j2
ID: 1750301
Sorry, the above was meant as a comment... so sorry.
0
 
LVL 1

Expert Comment

by:tadams
ID: 1750302
You should just be able to make a list of program file names that can be run, and take off the restriction to MSDOS based programs.  This will then allow only the programs you specify.  Make sure however, that you don't restrict at least one login, such as Admin, because if you do, you won't be able to use Poledit or Regedit, and other system utilities.
0
 
LVL 1

Expert Comment

by:tadams
ID: 1750303
Oh, by the way, if my answer is correct, then they should give me the points because the other guy that locked the question didn't mean to.
0
 
LVL 12

Expert Comment

by:j2
ID: 1750304
the drawback is: The user can then make a bat or exe file with the same name as an allowed program, and happily run it.
0
 
LVL 1

Expert Comment

by:tadams
ID: 1750305
Actually, I am pretty sure that they can't run anything in the batch file that isn't an allowed application.
0

 
LVL 12

Expert Comment

by:j2
ID: 1750306
Nooo, but if you allow the use of for instance "abc.bat" a user can create an "abc.bat" anywhere on the system and run that.

If you allow the use of "xyz.exe" a user can either compile an own program named "xyz.exe" or use "bat2exe" to turn a batfile into an .exe file and execute it. Believe me, this works.

There is NO way to make the built in restrictions use an absolute path to an allowed program, you can ONLY tell it what program names you can/can not run.
0
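The difference between matching on a program name and pinning an absolute path plus content digest, as an added example that is not part of the original thread and is not how Windows 95 implements its policy check. The function names, the SHA-256 digest scheme and the sample bytes are assumptions made for illustration; the path reuses the placeholder names from the question.

```python
import hashlib
import ntpath

# Constructed allow-list entry; the file name reuses the question's placeholder.
ALLOWED_NAMES = {"dosprog.exe"}


def name_only_allowed(path):
    """Model of a name-based rule: only the file name is compared."""
    return ntpath.basename(path).lower() in ALLOWED_NAMES


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_pinned_rules(approved):
    """approved: {absolute path: file bytes} -> {normalised path: digest}."""
    return {ntpath.normcase(ntpath.normpath(p)): sha256_hex(b)
            for p, b in approved.items()}


def pinned_allowed(path, data, rules):
    """Hardened rule: the full path and the content digest must both match."""
    key = ntpath.normcase(ntpath.normpath(path))
    return rules.get(key) == sha256_hex(data)


# Constructed sample data: stand-in bytes for the approved program image.
APPROVED_IMAGE = b"approved program image (constructed)"
RULES = build_pinned_rules({r"C:\APPDIR\DOSPROG.EXE": APPROVED_IMAGE})


def evaluate(path, data):
    """Return (name-only verdict, pinned verdict) for one launch request."""
    return name_only_allowed(path), pinned_allowed(path, data, RULES)


if __name__ == "__main__":
    for p, d in [(r"C:\APPDIR\DOSPROG.EXE", APPROVED_IMAGE),
                 (r"C:\TEMP\DOSPROG.EXE", b"different content"),
                 (r"C:\APPDIR\DOSPROG.EXE", b"replaced content")]:
        print(p, evaluate(p, d))
```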
 
LVL 1

Expert Comment

by:tadams
ID: 1750307
Where would some kid in a school get bat2exe though?  There aren't very many kids that can even make batch files rather than know how to make them into an exe!

Oh and another thing.  Seeing that not very many kids are computer smart, if you don't allow any batch files to run, then they can't run such files.

Also, is there any way they can find out what files they are allowed to run other than trial and error (assuming they don't have access to changing the StartMenu)?

The below text is a test.  I just want to see what HTML code will do on this page.

<A HREF="mailto:trent_adams@usa.net">test</a>
0
 
LVL 12

Expert Comment

by:j2
ID: 1750308
Trial and error? ANY user can see what programs are allowed to run, and you would be AMAZED how smart kids are :)

Now, if your assumption is correct that kids aren't computer smart, why impose policies at all?
0
 
LVL 12

Expert Comment

by:j2
ID: 1750309
and furthermore.. the fact that the school has more than 1100 students leads me to believe that the school should hold a variety of ages...  And teenagers are definitely computer smart ;)
0
 
LVL 2

Expert Comment

by:jerryd
ID: 1750310
dwyerp,

I assume that the reason you included the batch file is because someone said they were able to restrict DOS apps with system policy restrictions, but allow selected DOS apps to run using a similar batch file.

I do use System Policies at my office, but have not used this restriction.  However, the implication of the batch file is that Win95 is restricting the loading of COMMAND.COM - not really the DOS app itself.  The reason I think this is because there's a separate entry for restricting the DOS prompt.

IF this is the case, what you would need to do is copy C:\COMMAND.COM to C:\BOGUS.COM - then the batch file would use BOGUS.COM as the shell for the DOS app.

Your only other alternative is the (EXTREMELY UGLY) option of generating a list of allowable applications under the - User/System/Restrictions/Only Run Allowed Windowed Applications.

Under this option, however, you must list EVERY executable allowed!

0
 
LVL 12

Expert Comment

by:j2
ID: 1750311
and even if you DO list every allowed application, you can still circumvent it by creating your own executable program.
0
 

Author Comment

by:dwyerp
ID: 1750312
I have resolved the problem myself. Please delete this message and stop sending me email.
0
 
LVL 12

Expert Comment

by:j2
ID: 1750313
How about offering us an explanation how you did it? (if nothing else, it will give me some info as to how to circumvent it ;) )
0
 
LVL 14

Accepted Solution

by:
smeebud earned 100 total points
ID: 1750314
How about a Not poledit possible answer: Restrictions:
--------------------------BE SURE TO SEE #9
If you want to make restrictions to what users can do without having to run Poledit, changes can be made directly to the Registry.
This will allow you to make a REG file with the specific restrictions you want and import them all at once.
1. Start Regedit
2. Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
3. There should already be at least an Explorer key.
4. Additional keys that can be created under Policies are System, Network and WinOldApp
5. You can then add DWORD values set to 1 in the appropriate keys
6. In the Explorer key you can add:
o NoDeletePrinter - Disables Deletion of Printers
o NoAddPrinter - Disables Addition of Printers
o NoRun - Disables Run Command
o NoSetFolders - Removes Folders from Settings on Start Menu
o NoSetTaskbar - Removes Taskbar from Settings on Start Menu
o NoFind - Removes the Find Command
o NoDrives - Hides Drives in My Computers
o NoNetHood - Hides the Network Neighborhood
o NoDesktop - Hides all items on the Desktop
o NoClose - Disables Shutdown
o NoSaveSettings - Don't save settings on exit
o DisableRegistryTools - Disable Registry Editing Tools - NOTE: Be careful of this one
7. In the System key you can enter:
o NoDispCPL - Disable Display Control Panel
o NoDispBackgroundPage - Hide Background Page
o NoDispScrSavPage - Hide Screen Saver Page
o NoDispAppearancePage - Hide Appearance Page
o NoDispSettingsPage - Hide Settings Page
o NoSecCPL - Disable Password Control Panel
o NoPwdPage - Hide Password Change Page
o NoAdminPage - Hide Remote Administration Page
o NoProfilePage - Hide User Profiles Page
o NoDevMgrPage - Hide Device Manager Page
o NoConfigPage - Hide Hardware Profiles Page
o NoFileSysPage - Hide File System Button
o NoVirtMemPage - Hide Virtual Memory Button
8. In the Network key you can enter:
o NoNetSetupSecurityPage - H
o NoNetSetup - Disable the Network Control Panel
o NoNetSetupIDPage - Hide Identification Page
o NoNetSetupSecurityPage - Hide Access Control Page
o NoFileSharingControl - Disable File Sharing Controls
o NoPrintSharing - Disable Print Sharing Controls
9. In the WinOldApp key you can enter:
o Disabled - Disable MS-DOS Prompt
o NoRealMode - Disables Single-Mode MS-DOS
0
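An audit helper for the REG-file approach described in the answer above, as an added example that is not part of the original post: it parses an exported REGEDIT4 file and reports which of the policy DWORDs are set to 1 under the Policies key. The sample export is constructed, and the function names and the lock-out check on DisableRegistryTools are assumptions for illustration.

```python
import re

POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"

# Constructed sample export (REGEDIT4 text format); not taken from the post.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoFind"=dword:00000000
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp]
"Disabled"=dword:00000001
"NoRealMode"=dword:00000001

[HKEY_CURRENT_USER\Software\Example]
"NoRun"=dword:00000001
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{1,8})$')


def parse_policy_dwords(text):
    """Return {subkey: {value name: int}} for DWORDs below the Policies key."""
    prefix = POLICIES.lower() + "\\"
    result, subkey = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:  # new key header: track it only if it sits under Policies
            key = m.group(1)
            subkey = key[len(prefix):] if key.lower().startswith(prefix) else None
            continue
        m = DWORD_RE.match(line)
        if m and subkey is not None:
            result.setdefault(subkey, {})[m.group(1)] = int(m.group(2), 16)
    return result


def active_restrictions(text):
    """Sorted 'Subkey\\Value' names whose DWORD is 1, i.e. switched on."""
    return sorted(f"{k}\\{n}" for k, vals in parse_policy_dwords(text).items()
                  for n, v in vals.items() if v == 1)


def lockout_risk(text):
    """True when the export would also disable the registry editing tools."""
    return "Explorer\\DisableRegistryTools" in active_restrictions(text)
```

Running `active_restrictions` on an export before importing it shows what a REG file will switch on, and `lockout_risk` flags the one value the post warns about.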
 

Author Comment

by:dwyerp
ID: 1750315
Does not exactly answer my question but gives a good background in the usage of existing tools.

Maybe some of the other "try-hards" who attempted this one and suggested further third-party packages should learn more about the system they are working with.

This problem can be closed
0
 
LVL 12

Expert Comment

by:j2
ID: 1750316
This is my last comment, since it costs me 10 points every time I look at this question: The abovementioned restrictions can _easily_ be circumvented... they work if you want a "semi safe" system, but it is BY FAR _not_ fool proof!

For instance.. Look up a small util called "lophtrak" (or similar) it will bypass ANY restrictions on ANY W95 machine the user can physically log on to... A very nasty exploit for a huge bug in W95.
0
