Re: Force User to Login into Novell
Date: 17 Mar 2000
From: Guido van Laar

(=================================)
(==== A very Good Read , Josh ====)
(=================================)

Hi Sean,

An answer to both your questions follows:

Here's some pasted text about security with the Novell Win9x clients. An answer to your first question is in there.

In Novell's client32 v2.5 or later, you will find an option "Cancel Desktop Login" (Start, Settings, Control Panel, Network, Novell Netware Client, Properties, Advanced Settings, Cancel Desktop Login)

If set to "Off", the user will have the opportunity to login to the Windows95/98 desktop and other network providers after cancelling the Initial Novell Client Login. If set to "On", there will be no subsequent login opportunities.

It might be necessary to also change the following setting: Use regedit and go to hkey_local_machine, network, logon and create a new dword value called MustBeValidated with a (hex) value of 1. This prevents users from gaining access to Windows itself when pressing on the Cancel button in the Client Login Screen. (instead of regedit you can use PolEdit or ZEN to set the "Require validation from network" policy)

Three problems remain:

1. Users can sometimes (while the Novell Login screen is showing) use the Windows key or [Ctrl]-[Esc] key combinations to enable taskman and run programs (check this on your systems).
   Solution: you can remove taskman.exe from their system although I'm not very comfortable with this solution, but I've not heard of any ill side effects (for another solution see below)

2. Users can press the [F1] key or click on the ? button (upper right corner of the login screen) and select f.e. the Username field and a help window appears from which you can choose File Open .... Although it seems you can only open help files here there is a problem when they right click on folder or file names and choose delete.
   An even bigger problem is that by right clicking on a folder name they can also choose Explore or Explore from here and unfortunately they can now use windows.
   Solutions:
   - Use Client 3.2 (with the patches)
   - You can try to edit c:\windows\system\loginw32.dll with a resource editor (f.e. MS Visual C++) and try disabling the (?) Help button. You need to edit the loginw32.dll on an NT workstation.
   - or see the 3rd party solution mentioned below.

3. "Smart" users can disconnect their PC temporarily from the network (in which case they can enter windows without having to login on the network).
   Solution: none that I know of except:

If you don't mind using a third party product you can look into a program which I created called "PreLog" which among other things can disable the Windows key, [Ctrl]-[Esc], [Alt]-[Tab] and [Ctrl]-[Alt]-[Del] key combinations until successfully logged in. PreLog can also secure your Windows PC with a password if it detects that there is no network connection.

You can download version 1.0.8 from: www.pobox.com/~prelog

In the readme file on the same page is some more information about security with regard to the bios and msdos.sys file. Be warned that some bioses have a backdoor so users can access the bios with a backdoor password and f.e. enable booting from a: again.

Here's some pasted text from the readme:

You can also implement the following "features" and settings on your PC to make your PC more secure but it's a fact that Windows 9x is very difficult to secure. Besides the following ground rules you could look into a program called Fortress 101 for Win9x for near 100% security (see: www.fortres.com).

- Disable in your PC's BIOS settings booting from diskdrive A:
- Password protect your system's BIOS
- Remove files like regedit.exe and poledit.exe from your system.
- Use PreLog's option to disable the [Ctrl]-[Alt]-[Del], [Ctrl]-[Esc], [Alt]-[Tab] and [Windows] keys during and before login.
- Use PreLog's option to force a Blank Windows password (so users cannot find out each other's or your Novell password by applying a .pwl cracker to your local windows password (.pwl) files). Or you can apply a registry setting which disables Windows Password caching (use the nowinpwd.reg and winpwdon.reg files to disable or enable windows password caching in .pwl files).
- Add the following line as the first line of Config.sys:

  SWITCHES /N

  You can also use a utility like break.sys (search for it on the web) to prevent users from breaking out of autoexec.bat.
- Add the following 5 lines under the options setting in MSDOS.SYS

  [Options]
  BootKeys=0
  BootSafe=0
  BootWarn=0
  Network=0

  BootKeys=0   Disables Function keys to boot to Dos
  BootSafe=0   Disables booting in Safe Mode
  BootWarn=0   Disables Safe Mode in your Startup Menu
  Network=0    Disables Safe Mode with Network in your Startup Menu

For your second question:

Do you really need those Windows passwords? If you do, try to make them blank instead of the same as Novell's password (if local windows security is not an issue). If not just get rid of the local windows passwords and their .pwl files altogether with the following:

To disable local windows password caching:

Paste the following 4 lines (the lines between the -----) in notepad and save the file as winpwdoff.reg. Now double click on this file in explorer and password caching will be disabled.

------------------------------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
"DisablePwdCaching"=dword:00000001
------------------------------------------------------

(dword:00000000 will enable password caching again).

This will not prevent the windows password boxes coming up but at least it doesn't matter anymore if the user fills in wrong passwords there.
To get rid of all those windows password syncing boxes altogether (they will reappear if the user's novell password expires) you can also use the program I wrote and mentioned above.

Hth,

Guido van Laar.

Sean Kotvasz wrote:

>Hi,
>
>I would like to find out if there is any way of making a user login into
>the novell login screen, without them being able to click cancel??
>
>Another question is after a user logins, I am asked to login to windows
>the first time to sync.. passwords. I don't want to get this windows
>login box at all.
>
>Thanks in advance,
>
>Sean Kotvasz
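
Added example, not part of the original post and not code from PreLog or Novell: a Python script that audits an exported REGEDIT4 file and a copy of MSDOS.SYS for the settings recommended above (MustBeValidated under hkey_local_machine\network\logon, DisablePwdCaching, and the four [Options] entries). The function names and both sample inputs are constructed for illustration.

```python
import re

# Values the post recommends: (registry key, value name) -> dword
REQUIRED_REG = {
    (r"hkey_local_machine\network\logon", "mustbevalidated"): 1,
    (r"hkey_local_machine\software\microsoft\windows\currentversion\policies\network",
     "disablepwdcaching"): 1,
}
# MSDOS.SYS [Options] entries the post sets to 0
REQUIRED_MSDOS = {"bootkeys": 0, "bootsafe": 0, "bootwarn": 0, "network": 0}

def parse_regedit4(text):
    """Return {(key, value name): int} for the dword values in a REGEDIT4 export."""
    values, key = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key:
            m = re.match(r'"([^"]+)"\s*=\s*dword:([0-9a-fA-F]{1,8})$', line)
            if m:
                values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values

def parse_msdos_options(text):
    """Return {name: int} for numeric entries under [Options] in MSDOS.SYS."""
    opts, in_options = {}, False
    for line in (l.split(";", 1)[0].strip() for l in text.splitlines()):
        if line.startswith("["):
            in_options = line.lower() == "[options]"
        elif in_options and "=" in line:
            name, _, val = line.partition("=")
            if val.strip().isdigit():
                opts[name.strip().lower()] = int(val)
    return opts

def audit(reg_text, msdos_text):
    """List every setting from the post that is missing or has another value."""
    reg, opts = parse_regedit4(reg_text), parse_msdos_options(msdos_text)
    out = ["registry %s\\%s: want %d, found %s" % (k[0], k[1], want, reg.get(k))
           for k, want in REQUIRED_REG.items() if reg.get(k) != want]
    out += ["MSDOS.SYS %s: want %d, found %s" % (n, want, opts.get(n))
            for n, want in REQUIRED_MSDOS.items() if opts.get(n) != want]
    return out

# Constructed sample inputs (not taken from a real machine)
SAMPLE_REG = 'REGEDIT4\n\n[HKEY_LOCAL_MACHINE\\Network\\Logon]\n"MustBeValidated"=dword:00000001\n'
SAMPLE_MSDOS = "[Paths]\nWinDir=C:\\WINDOWS\n[Options]\nBootKeys=0\nBootSafe=0\nBootGUI=1\nNetwork=1\n"
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_REG, SAMPLE_MSDOS)) or "all settings present")
```

On the constructed samples the audit reports three gaps: DisablePwdCaching is absent, BootWarn is absent, and Network is 1 instead of 0.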