Solved

Poledit work-around for MS-DOS limitation

Posted on 1997-08-31
Last Modified: 2013-12-16
At our school, I have installed system policies via POLEDIT and have
included a restriction on running MSDOS programs for all students. This is
one bit of POLEDIT which actually works!

However I have received some subject resource CDs which run from MSDOS
applications so I need to circumvent the MSDOS limitation for these
applications only.

Every time a student runs the application they, of course, get rejected
because "the system administrator has restricted access to this
application". I'd like to get around this without removing the restriction
on running other MSDOS programs.

I did come across a batch file which someone had written to do this. It
goes something like this:

SET COMSPEC=C:\BOGUS.COM
CD\APPDIR
DOSPROG.EXE

However, I can't get it to work. Can someone suggest what else I might need
to set - program properties etc. Is the above information incorrect
altogether? Any advice would be appreciated.
Question by:dwyerp
21 Comments
 
LVL 12

Expert Comment

by:j2
ID: 1750296
You might wanna look into a program like this
http://www.neosoft.com/~kmlslip/KMLProducts/winshield95.htm


 

Author Comment

by:dwyerp
ID: 1750297
I am not interested in looking at yet another security package. My question related specifically to Poledit.

I do not want to throw yet another security package at the system as it might resolve one problem but open up a pile of others. I am the sole administrator in this school of 1100 students and I don't have the time to evaluate and implement a new package every time I come across a problem with the existing one.
 
LVL 12

Expert Comment

by:j2
ID: 1750298
Then you are out of luck, there is NO policy option to discriminate between different non-windows applications.. So, you manage over 1100 students.. I manage over 1300 workstations with approx 8000 users... and Winshield is a great tool for the "non essential stations"
 

Author Comment

by:dwyerp
ID: 1750299
This is not an answer. So far "experts exchange" has scored 0. I want my hundred points back!
 
LVL 12

Expert Comment

by:j2
ID: 1750300
Well, then just delete the question and refund yourself the points, as easy as that. Ever appeared to you that some problems cannot be solved for "out of the box" programs, that sometimes you _must_ use 3rd party software?
 
LVL 12

Expert Comment

by:j2
ID: 1750301
Sorry, the above was meant as a comment... so sorry.
 
LVL 1

Expert Comment

by:tadams
ID: 1750302
You should just be able to make a list of program file names that can be run, and take off the restriction to MSDOS based programs.  This will then allow only the programs you specify.  Make sure however, that you don't restrict at least one login, such as Admin, because if you do, you won't be able to use Poledit or Regedit, and other system utilities.
 
LVL 1

Expert Comment

by:tadams
ID: 1750303
Oh, by the way, if my answer is correct, then they should give me the points because the other guy that locked the question didn't mean to.
 
LVL 12

Expert Comment

by:j2
ID: 1750304
The drawback is: the user can then make a bat or exe file with the same name as an allowed program, and happily run it.
 
LVL 1

Expert Comment

by:tadams
ID: 1750305
Actually, I am pretty sure that they can't run anything in the batch file that isn't an allowed application.
 
LVL 12

Expert Comment

by:j2
ID: 1750306
Nooo, but if you allow the use of for instance "abc.bat" a user can create an "abc.bat" anywhere on the system and run that.

If you allow the use of "xyz.exe" a user can either compile an own program named "xyz.exe" or use "bat2exe" to turn a batfile into an .exe file and execute it. Believe me, this works.

There is NO way to make the built in restrictions use an absolute path to an allowed program, you can ONLY tell it what program names you can/can not run.
0
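The name-only matching described in the comment above can be modelled in a few lines. This is an added example, not part of the thread and not Windows 95's own policy code; the directory names, file contents and the path-plus-hash rule are assumptions, and the second rule goes beyond the built-in restriction to show what a pinned allowlist would check.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def allowed_by_name(path, allowed_names):
    """Model of a name-only rule: only the file name is compared."""
    return os.path.basename(path).lower() in allowed_names

def allowed_by_path_and_hash(path, allowlist):
    """Stricter rule: the full path must be listed and the content must match."""
    expected = allowlist.get(os.path.normcase(os.path.abspath(path)))
    return expected is not None and sha256_of(path) == expected

def demo():
    """Create two same-named files (constructed) and evaluate both rules."""
    with tempfile.TemporaryDirectory() as root:
        approved = os.path.join(root, "appdir", "xyz.exe")
        lookalike = os.path.join(root, "home", "xyz.exe")
        for path, content in ((approved, b"approved build"),
                              (lookalike, b"something else")):
            os.makedirs(os.path.dirname(path))
            with open(path, "wb") as f:
                f.write(content)
        names = {"xyz.exe"}
        pinned = {os.path.normcase(os.path.abspath(approved)): sha256_of(approved)}
        return {
            # (approved file, same-named file elsewhere)
            "name_rule": (allowed_by_name(approved, names),
                          allowed_by_name(lookalike, names)),
            "pinned_rule": (allowed_by_path_and_hash(approved, pinned),
                            allowed_by_path_and_hash(lookalike, pinned)),
        }

if __name__ == "__main__":
    print(demo())
```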
 
LVL 1

Expert Comment

by:tadams
ID: 1750307
Where would some kid in a school get bat2exe though?  There aren't very many kids that can even make batch files rather than know how to make them into an exe!

Oh and another thing.  Seeing that not very many kids are computer smart, if you don't allow any batch files to run, then they can't run such files.

Also, is there any way they can find out what files they are allowed to run other than trial and error (assuming they don't have access to changing the StartMenu)?

The below text is a test.  I just want to see what HTML code will do on this page.

<A HREF="mailto:trent_adams@usa.net">test</a>
 
LVL 12

Expert Comment

by:j2
ID: 1750308
Trial and error? ANY user can see what programs are allowed to run, and you would be AMAZED how smart kids are :)

Now, if your assumption is correct that kids aren't computer smart, why impose policies at all?
 
LVL 12

Expert Comment

by:j2
ID: 1750309
And furthermore.. the fact that the school has more than 1100 students leads me to believe that the school should hold a variety of ages...  And teenagers are definitely computer smart ;)
 
LVL 2

Expert Comment

by:jerryd
ID: 1750310
dwyerp,

I assume that the reason you included the batch file is because someone said they were able to restrict DOS apps with system policy restrictions, but allow selected DOS apps to run using a similar batch file.

I do use System Policies at my office, but have not used this restriction.  However, the implication of the batch file is that Win95 is restricting the loading of COMMAND.COM - not really the DOS app itself.  The reason I think this is because there's a separate entry for restricting the DOS prompt.

IF this is the case, what you would need to do is copy C:\COMMAND.COM to C:\BOGUS.COM - then the batch file would use BOGUS.COM as the shell for the DOS app.

Your only other alternative is the (EXTREMELY UGLY) option of generating a list of allowable applications under the - User/System/Restrictions/Only Run Allowed Windowed Applications.

Under this option, however, you must list EVERY executable allowed!

 
LVL 12

Expert Comment

by:j2
ID: 1750311
And even if you DO list every allowed application, you can still circumvent it by creating your own executable program.
 

Author Comment

by:dwyerp
ID: 1750312
I have resolved the problem myself. Please delete this message and stop sending me email.
 
LVL 12

Expert Comment

by:j2
ID: 1750313
How about offering us an explanation how you did it? (if nothing else, it will give me some info as to how to circumvent it ;) )
 
LVL 14

Accepted Solution

by:
smeebud earned 100 total points
ID: 1750314
How about a Not poledit possible answer: Restrictions:
--------------------------BE SURE TO SEE #9
If you want to make restrictions to what users can do without having to run Poledit, changes can be made directly to the Registry.
This will allow you to make a REG file with the specific restrictions you want and import them all at once.
1. Start Regedit
2. Go to HKEY_Current_User / Software / Microsoft / Windows / CurrentVersion / Policies
3. There should already be at least an Explorer.
4. Additional keys that can be created under Policies are System, Network and WinOldApp
5. You can then add DWORD values set to 1 in the appropriate keys
6. In the Explorer key you can add:
o NoDeletePrinter - Disables Deletion of Printers
o NoAddPrinter - Disables Addition of Printers
o NoRun - Disables Run Command
o NoSetFolders - Removes Folders from Settings on Start Menu
o NoSetTaskbar - Removes Taskbar from Settings on Start Menu
o NoFind - Removes the Find Command
o NoDrives - Hides Drives in My Computers
o NoNetHood - Hides the Network Neighborhood
o NoDesktop - Hides all items on the Desktop
o NoClose - Disables Shutdown
o NoSaveSettings - Don't save settings on exit
o DisableRegistryTools - Disable Registry Editing Tools - NOTE: Be careful of this one
7. In the System key you can enter:
o NoDispCPL - Disable Display Control Panel
o NoDispBackgroundPage - Hide Background Page
o NoDispScrSavPage - Hide Screen Saver Page
o NoDispAppearancePage - Hide Appearance Page
o NoDispSettingsPage - Hide Settings Page
o NoSecCPL - Disable Password Control Panel
o NoPwdPage - Hide Password Change Page
o NoAdminPage - Hide Remote Administration Page
o NoProfilePage - Hide User Profiles Page
o NoDevMgrPage - Hide Device Manager Page
o NoConfigPage - Hide Hardware Profiles Page
o NoFileSysPage - Hide File System Button
o NoVirtMemPage - Hide Virtual Memory Button
8. In the Network key you can enter:
o NoNetSetup - Disable the Network Control Panel
o NoNetSetupIDPage - Hide Identification Page
o NoNetSetupSecurityPage - Hide Access Control Page
o NoFileSharingControl - Disable File Sharing Controls
o NoPrintSharing - Disable Print Sharing Controls
9. In the WinOldApp key you can enter:
o Disabled - Disable MS-DOS Prompt
o NoRealMode - Disables Single-Mode MS-DOS
0
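One way to confirm that an imported REG file actually took effect is to export the Policies branch from Regedit and compare it with the values you meant to set. The following is an added example, not from the original answer: it parses a REGEDIT4 export and reports which expected DWORD policies are set to 1; the sample export and the EXPECTED baseline are constructed for illustration.

```python
import re

# Constructed sample: a REGEDIT4 export of the Policies branch (not from the page).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoFind"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp]
"Disabled"=dword:00000001
'''

POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"

# Hypothetical baseline, chosen from the value names listed in the answer above.
EXPECTED = {
    ("Explorer", "NoRun"),
    ("Explorer", "NoFind"),
    ("WinOldApp", "Disabled"),
    ("WinOldApp", "NoRealMode"),
}

def parse_policies(text):
    """Return {(subkey, value_name): int} for DWORD values under Policies."""
    found, subkey = {}, None
    prefix = POLICIES.lower() + "\\"
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            subkey = key[len(prefix):] if key.lower().startswith(prefix) else None
            continue
        m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if m and subkey:
            found[(subkey, m.group(1))] = int(m.group(2), 16)
    return found

def audit(text, expected=EXPECTED):
    """Split the expected policies into enforced and missing-or-zero."""
    found = parse_policies(text)
    enforced = sorted(p for p in expected if found.get(p) == 1)
    missing = sorted(p for p in expected if found.get(p) != 1)
    return enforced, missing

if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT))
```

A value that is present but set to 0 is reported as missing, the same as a value that was never created.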
 

Author Comment

by:dwyerp
ID: 1750315
Does not exactly answer my question but gives a good background in the usage of existing tools.

Maybe some of the other "try-hards" who attempted this one and suggested further third-party packages should learn more about the system they are working with.

This problem can be closed
 
LVL 12

Expert Comment

by:j2
ID: 1750316
This is my last comment, since it costs me 10 points every time I look at this question: The abovementioned restrictions can _easily_ be circumvented... they work if you want a "semi safe" system, but it is BY FAR _not_ fool proof!

For instance.. Look up a small util called "lophtrak" (or similar) it will bypass ANY restrictions on ANY W95 machine the user can physically log on to... A very nasty exploit for a huge bug in W95.