REDHAND - SECURITY MONITORING FOR WINDOWS 3.X

----

DISCLAIMER OF WARRANTY

THIS SOFTWARE AND MANUAL ARE SOLD "AS IS" AND WITHOUT WARRANTIES AS TO PERFORMANCE OF MERCHANTABILITY OR ANY OTHER WARRANTIES WHETHER EXPRESSED OR IMPLIED. BECAUSE OF THE VARIOUS HARDWARE AND SOFTWARE ENVIRONMENTS INTO WHICH THIS PROGRAM MAY BE PUT, NO WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE IS OFFERED. GOOD DATA PROCESSING PROCEDURE DICTATES THAT ANY PROGRAM BE THOROUGHLY TESTED WITH NON-CRITICAL DATA BEFORE RELYING ON IT. THE USER MUST ASSUME THE ENTIRE RISK OF USING THE PROGRAM. ANY LIABILITY OF THE SELLER WILL BE LIMITED EXCLUSIVELY TO PRODUCT REPLACEMENT OR REFUND OF PURCHASE PRICE.

----

I welcome any suggestions/comments. If something doesn't work as YOU want it to, please tell me!

--------------------------------------------------------

Contents:

1. Overview
2. Setting up "Red Hand" v2.40
3. Controls
4. Interpreting the Log
5. Registering RedHand
6. Examples
7. Ombudsman

----

THE DEFAULT PASSWORD IS "redhand" - NOT "RedHand" OR "REDHAND"

Before you ring me - check that your "Caps Lock" is not on!

----

New features for this version:

Window locks with error messages now work in both visible and invisible modes.
The user's logon name can now be appended to the log.
Option to lock the desktop.
Keyphrases can now be locked in context (i.e. "run" but not "runaround").
Option to lock entire machine for 2 minutes after user attempts to access 3 locked windows within 30 seconds.
Keep secret password feature for users who need to access RedHand when others are watching.
Easy jump to end of log by double clicking on log display.
Option to use keydisk to disable locks when locked window is encountered.

----

1. Overview.

On startup, RedHand minimises, runs as an icon on the desktop and begins recording. Once running, it will record the title of every window used, and store them away in its data file.
You (with the password, or the keydisk) can then view or print all activity on your computer up to the present time. Once the valid password has been entered you can, of course, stop the recording, change the configuration or end the program.

Alternatively, RedHand can go completely invisible, removing all traces of itself from the desktop. A floppy "KeyDisk" is then needed to make it visible again.

You can monitor your computer even if it is switched off when you leave it. Just put a shortcut to RedHand in your startup group, and the program will run as soon as Windows starts.

I have gone to great lengths to ensure that RedHand will not damage your system files should anything go wrong. In fact, RedHand is one of very few security programs that makes no changes whatsoever to your existing system files at any time.

For a network machine, a copy of the log can be automatically saved to a network directory and then viewed from another station.

RedHand will recover the password and configuration settings even if the registry settings are deleted or damaged. So don't forget your password...

----

2. Setting up RedHand.

This program requires that the Visual Basic 3.0 runtime file vbrun300.dll is in your windows/system directory.

a) Unzip all the files into an empty directory.
b) Start the program. You will need a blank formatted disk when you run RedHand for the first time.

----

3. Controls

Entering your password.

RedHand is visible...

If RedHand is visible, there are two ways of entering the password. Apart from the obvious one, there is also a padlock icon in the password box. If you insert your keydisk and click on the padlock, RedHand will allow you in. If the keydisk isn't there, then the padlock just opens and shuts again. This has been added for teachers, who may need to access the controls while their students are watching, and do not want to type the password.

Other areas of RedHand that require the password also have the padlock icon, and react in the same way.
----

RedHand is invisible...

Once invisible, RedHand can only be viewed or stopped by forcing the password to appear in a window's title text. This is where your KeyDisk comes in.

To gain access when RedHand is invisible:

1. Insert your KeyDisk.
2. Start Windows Notepad or another similar program.
3. Select "Open" from the "File" menu, and browse to your password file on the KeyDisk in "a" or "b".
4. Select your password and click OK to load the file in Notepad. Notepad will close immediately and RedHand will open.

Alternatively, or if you lose your KeyDisk, start Notepad and type something (anything), then choose "Save" from the File menu, enter your password as the filename and click OK. If you use this method, you must delete the file you created manually, as RedHand has no way of knowing where Notepad saved it to.

----

Main Log Window

The main Log viewing window shows the window title in the first column, the time of entering the window in the second, the time actually spent using the window in the third, and the fourth column displays an "X" if the window was closed by RedHand's locking facility.

"Stop/Start Recording" stops RedHand from adding any more entries to the Log, and disables window locking. Click again to resume.

"Resume" - resumes recording and closes the Log viewing window. Once you have selected this option, you will need to enter your password again to get back in. (Note - Do not use the minimize button at the top right of the window. This is not the same as "Resume", and will allow re-entry without a password.)

"Print Selected Area" - prints the currently selected records from the list. Select an area by dragging the mouse across the records you want to print, or click the first record and hold down shift while clicking the last, then click "Print Selected Area". To select all records, drag the mouse across the grey title bar at the top of the grid. RedHand will print as many pages as necessary, about 30 records to a page.

"Exit" - stops recording and closes the program.

----

File Menu

"Goto Next User..." - Locates the point at which the next user logged on.

"Print Selected Area" - as above.

"Clear Log" - deletes all current records and resets the display.

"Refresh Display", also from the File menu, causes the Log display to be updated with the very latest information, up to the "RedHand" window itself. If a remote file was being viewed, this command returns control to your own machine.

"Find..." - Opens a dialog box which allows you to search the log for any piece of text.

"Exit" - As above.

----

Record Menu

"Start Recording" - re-starts recording if it was switched off with "Stop Recording".

"Stop Recording" - temporarily stops recording.

----

Network Options

"Network Options..." - opens the Network configuration window - see below.

"View Network File..." - Allows you to view a remote file saved from your, or another, machine.

----

Security Options

"Security options..." - opens the security settings window - see below.

"Change Password" allows you to enter your own password. The password is encrypted and hidden pretty well, and is not easily cracked, so don't forget it! If you intend to use RedHand in "Invisible Mode", then do not use a standard dictionary word, as it could easily turn up as part of a window title. See "Invisible Mode" for more information.

Note: Because of the way RedHand operates when in "Invisible Mode", it is very wise to update your keydisk every time you change the password. This is because if RedHand's registry settings are tampered with, it will immediately go invisible.

----

Help Menu

"Quick Guide" - opens the quick guide window, with basic instructions on how to use RedHand.

"Full Info" - opens this file within the program.

----

About Menu

Version information and contact address for Hard Drive Software. Also gives the current size of your data file, and the number of records that it contains.

----

Security options...

"Record only the last ---- windows used"

Sets the number of entries (window titles) allowed to remain in the data file. The minimum number allowed is 10 and the maximum is 2,000. The default is 500. RedHand will remove the oldest records first, and this operation is performed when the program starts up. Set to 1,000, RedHand will keep a record of the past few days and erase anything older.

If the file size exceeds 2,000 records when RedHand starts up, then it will save the file to the network directory with the name "username" 1.ott. It will then clear the log and start with a blank file. If the log exceeds this size again in the future, RedHand will add another file "username" 2.ott and so on.

You may also stop recording the log file altogether from here, if you want to use only the security features.

----

"Enable window locking" - Check this box to switch the window locks on.

"Hide RedHand Directory" - Hides RedHand's directory from other applications.

"Lock Exit from Windows" - Prevents the user from exiting Windows.

"Invisible Mode" - Removes the program from the desktop and the alt-tab order.

----

"Message to be displayed when closing locked window"

Select an error message, or type in one of your own, which RedHand will use when closing a "locked" window. Discreet messages like "System Error - Cannot Open File" should help to maintain the secrecy of the program, as the user will think that a real program error has occurred. Alternatively, if you don't mind people knowing what's going on, then "Get Lost!" might be more appropriate! Select "No Message - Close Window Immediately (Default)" from the drop down list if you want no message displayed.

"Lock Desktop"

The lock desktop feature has been added to prevent system damage, where access to only a few applications is required. This is particularly useful in classroom/home situations where children are involved. Set to "Lock desktop", RedHand will replace the Windows desktop with its own customizable screen.
The RedHand desktop also allows the user to change the desktop colour, work with a disk in "a", and Exit Windows but not exit to DOS.

To add a program to the safe list, click "Add program" and browse to, or enter the path to, the executable file that you want to add. RedHand will then ask you for a name for the program; this is the name that will appear in the launch program box on the safe desktop.

----

"Keyphrase Window Locks"

Type in part of the title of any window you want to "lock". Click "Add Keyphrase" to add your text to the list. To delete a keyphrase, select it and then click "Delete Keyphrase".

If RedHand finds any of the words listed in any part of a window's title, it will immediately close that window.

If you need to lock a word that appears in a window you do NOT want to lock, then enter that window title in the "Do not lock these keyphrases" box, i.e. you can lock "run", but allow "text runaround".

Note: Not all windows can be locked. If the window does not have a "control box" (the little box with a "-" sign in it) then locking will not work.

"Lock Adult Sites"

This feature is under development, and its usefulness will depend on a number of factors. At the time of writing, this feature will add the alt.binaries newsgroups to the keyphrase list, in addition to a number of known adult sites. As soon as a more comprehensive list is available I will publish details on my website.

"Lock Machine after 3 Attempts"

Checking this box will cause RedHand to lock the machine for 2 minutes if 3 wrong attempts are made at entering the password within a 30 second period. The machine will also be locked if repeated attempts are made at opening a locked window.

----

"Auto-record Keyphrases"

Entering all the windows that you wish to lock manually can be cumbersome, so this feature has been added to make life easier. Click "Auto-record" from the keyphrases window, and a small display will appear. This window will stay on top.
Drag the window to any convenient place on your screen and open a window that you wish to lock. Click "add" on the auto-record window (do not click the window first), and the title will be added to the list. Continue until you have added all the titles you want and then click "Done".

Note: window locking and recording will be disabled while the auto-record window is on screen.

----

"Network Options" Window

This window allows you to specify when and where you would like RedHand to copy the data file. This feature has been added to allow network administrators to monitor all individual PCs on a whole network, without leaving their desk.

"Target Directory" - type in, or browse to, the directory you want the file saved to. Make sure that the directory exists! RedHand is not going to pop up on someone's computer and announce that it can't find the "spy" directory if it isn't there!! In this case RedHand will do nothing, just keep recording...

"When to copy the file" - Sets the times you want RedHand to update the file in the target directory.

Choose "On Windows Exit" to copy the log when the user exits Windows.

Enter a number of minutes for regular saving. (If this field is blank RedHand will not save the file at intervals.)

Enter a time of day if you want the Log updated at a certain time of each day. (If this field is blank RedHand will not save the file at any time of day.)

The three options can be mixed to suit your needs, but remember that every time the file is copied, the existing file in the target directory is overwritten.

"User Name" - Allows you to enter a name for each machine RedHand is monitoring.

Tip: I recommend setting up this feature anyway, even if you do not have a network. This is because in some circumstances (unorthodox Windows exits like power outages) the "rhspll.dat" file may be corrupted, and RedHand will start with a blank file if this happens.
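The "Keyphrase Window Locks" and "Lock Machine after 3 Attempts" rules described above, modelled as an added example (Python written for this page, not RedHand's own code). Case-insensitive matching, an exception entry exempting the whole title, and the names should_lock, LockPolicy and replay are assumptions; the 3-in-30-seconds and 2-minute figures come from the text.

```python
from collections import deque

WINDOW_SECONDS = 30     # page: 3 attempts within a 30 second period
MAX_ATTEMPTS = 3
LOCKOUT_SECONDS = 120   # page: machine is locked for 2 minutes


def should_lock(title, keyphrases, exceptions):
    """Substring rule from the manual; case-insensitivity is an assumption."""
    t = title.lower()
    # Assumption: a "Do not lock these keyphrases" entry exempts the whole title.
    if any(e.lower() in t for e in exceptions):
        return False
    return any(k.lower() in t for k in keyphrases)


class LockPolicy:
    """Hypothetical model of the window lock plus the repeated-attempt lockout."""

    def __init__(self, keyphrases, exceptions):
        self.keyphrases = keyphrases
        self.exceptions = exceptions
        self.recent = deque()      # timestamps of recent locked-window hits
        self.locked_until = None   # end of the current machine lock, if any

    def on_window(self, ts, title):
        """Return 'machine-locked', 'close' or 'allow' for a title seen at ts seconds."""
        if self.locked_until is not None and ts < self.locked_until:
            return "machine-locked"
        if not should_lock(title, self.keyphrases, self.exceptions):
            return "allow"
        self.recent.append(ts)
        # Drop hits that have aged out of the 30-second sliding window.
        while self.recent and ts - self.recent[0] > WINDOW_SECONDS:
            self.recent.popleft()
        if len(self.recent) >= MAX_ATTEMPTS:
            self.locked_until = ts + LOCKOUT_SECONDS
            self.recent.clear()
            return "machine-locked"
        return "close"


# Constructed sample: (seconds since start, window title)
SAMPLE = [
    (0, "Notepad - README.TXT"),
    (5, "Run"),
    (12, "Write - text runaround"),
    (18, "Run"),
    (29, "File Manager - Run"),
    (60, "Notepad - README.TXT"),
    (150, "Notepad - README.TXT"),
]


def replay(events, keyphrases, exceptions):
    """Feed a list of (ts, title) events through a fresh policy."""
    policy = LockPolicy(keyphrases, exceptions)
    return [policy.on_window(ts, title) for ts, title in events]


if __name__ == "__main__":
    for (ts, title), verdict in zip(SAMPLE, replay(SAMPLE, ["run"], ["text runaround"])):
        print(f"{ts:>4}s  {verdict:<15} {title}")
```

Because matching is by substring, a short keyphrase such as "run" also closes unrelated titles like "Paintbrush - PRUNE.BMP"; the same effect is why the manual advises against a dictionary-word password in Invisible Mode.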
Late Additional Feature:

If you are using your computer and have inadvertently left the window locks on, there is a quick way to disable window locking. With the "Error" message box on screen, put your keydisk in and double-click the exclamation mark picture and the display will change to "Locking is off". Do not click the OK button. You may now continue to use your computer without restriction. To restore RedHand's normal operation, simply bring the "Error" box to the front and click the button, which now says "Restore".

----

4. Interpreting the Log

While RedHand accurately represents all activity on your computer, there are a few occasions when things are not quite what they appear to be. So to avoid the embarrassment of falsely accusing your secretary of embezzling the company's funds, or your children of playing games (or worse!) rather than doing their homework, please take a few minutes to consider the following points.

RedHand gets its information from the title bar of the window that the user is currently using, i.e. if you are using Windows Notepad to read a "readme.txt" file, then RedHand would record "Notepad - README.TXT" and then the current date, time, and finally the amount of time the user spent before moving to another window. (It will also record whether the window was locked.)

The first entry in a recording session gives the user name (the name that the current user logged on as). If no name is available (or the companion file is missing), RedHand reports "name unavailable".

Sometimes a window has no title (screen savers and some registration reminder screens for example) and if this is the case then RedHand records "Unknown-(See Interpreting the Log)". This can be misleading, and the only way to get an idea of what was going on is to study the entries immediately before and after the "Unknown".
Screen Savers can be difficult to identify, but if the unknown is a Screen Saver, then the windows immediately preceding and following will always be the same. RedHand can usually identify a screensaver in Win95.

Another thing to consider is how many times you have accidentally clicked on the wrong icon, or the wrong file. People do make mistakes, and if the sensitive "Off Shore Bank Accounts" ledger suddenly appears in your secretary's log, she may have done just that. If it was a genuine mistake, then you would expect to see a speedy exit from the program, file or whatever. 15 seconds is not unreasonable, especially if she is not sure how to get out of it. However, if the next entries in the Log are "Printing" or "Copying File" or "Save As", then you should be worried!

Don't jump to conclusions. The best way to see how the Log works is to record your own actions for an hour or two. This will help you to be objective when you read the actions of someone else.

----

5. Registering RedHand

RedHand costs £12 ($25) + £2 ($3) postage and packing.

Site licences are available:

Up to 10 PCs - £85
Up to 100 PCs - £250
Up to 1000 PCs - £500

Sent on 3.5" disk by first class post, usually the same day.

To order your registered copy of "RedHand", simply print the form below (or use "Print Reg. Form" from the program), fill in the details and send it with your cheque, postal order, or credit card details to:

Hard Drive Software
2 Old Ansford Inn
Ansford
Castle Cary
Somerset BA7 7JG
ENGLAND

or phone your credit card details on +44 (0)1963 351470

Cut Here.......Cut Here.......Cut Here.......Cut Here.......Cut Here..

Your Name.......................
Address.........................
................................
................................
................................
Country.........................
eMail ..........................

Credit Card Details:

Mastercard [ ]   Visa [ ]
No. _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
Exp. Date _ _ / _ _
Signature..............................

Where did you get RedHand 2.40?..................................

Thank you for your support :-)

Cut Here.......Cut Here.......Cut Here.......Cut Here.......Cut Here..

----

6. Examples of use:

a. Personal Use
b. Employer with a Network
c. Teacher

----

Personal Use:

For a standalone PC, you can set the configuration to any combination to suit your needs, but the most common is:

From the "Security Options" screen, choose "Stealth Security", and then add the titles of the windows that you would like to prevent access to in the "Keyphrases" window. This will allow your computer to operate normally, with RedHand monitoring its use, and protecting your locked windows.

If RedHand starts when your computer starts, then you will need to use your keydisk to view the log and stop recording while you are using the machine. When you leave your desk, bring RedHand to the front and click "Resume" to enable the protection once again.

Alternatively, there is no need to enter your password every time you return to your machine. You can turn off window locking by opening any locked window, and then (with your keydisk in the drive) double-click the exclamation mark icon. This will suspend recording and window locking until you click "Resume" on the "Error" box.

----

Employer:

Install RedHand on all the machines you want to monitor, and select "Maximum Stealth" from the "Security Options" window. Then, from the "Network Options" window, select a directory to which all the machines involved have access. Select the times that you want RedHand to copy the log, and specify a unique name for each machine.

From the server (or any other machine with access to the specified directory) you can view the log of any machine on the network.

If you have a large number of machines, I can write a small executable program that will install the registry keys and window locks to your specification. This will make installation considerably easier.
You just have to enter the machine name. Let me have all the details of the settings that you wish to use on all your machines when you register.

The way in which you start RedHand from bootup may need to be varied according to your network configuration, but if you decide to use the "run=" command in win.ini then I can have the installation program add the entry for you.

----

Teacher:

In a typical classroom situation, access to the Windows desktop is not required. Select "Maximum Security" from the "Security Options" window. This will cause the desktop to be hidden, but allow Alt-Tab switching (this will be required to recall applications that will disappear when minimised).

Select "Safe Program Launcher" and enter the programs that you want your students to have access to. You can, of course, also specify any window locks that you like to prevent access to specific areas within the "safe" programs.

Access to drive "a" only is provided from the RedHand desktop for creating and deleting folders.

Be aware that in order to protect the machine during the boot-up period, any programs started before RedHand has initialised will be automatically added to the "locked" list for that session. Therefore, if you start RedHand while "Notepad-readme.txt" is open, RedHand will close it immediately if Alt-Tab is invoked to re-activate it.

----

7. Ombudsman

"RedHand" is produced by "Hard Drive Software", a member of the Association of Shareware Professionals (ASP). ASP wants to make sure that the shareware principle works for you. If you are unable to resolve a shareware-related problem with an ASP member by contacting the member directly, ASP may be able to help. The ASP Ombudsman can help you resolve a dispute or problem with an ASP member, but does not provide technical support for members' products. Please write to the ASP Ombudsman at 545 Grover Rd., Muskegon, MI USA, or send a Compuserve message via CIS MAIL to ASP Ombudsman 72050,1433.
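The reading rules from section 4 (Interpreting the Log), applied to a few log rows as an added example; this is Python written for this page, not part of RedHand. The row layout (title, seconds spent), the two-entry look-ahead, the verdict strings and the function name triage are assumptions, and the sample rows are constructed.

```python
UNKNOWN = "Unknown-(See Interpreting the Log)"        # string quoted in section 4
FOLLOW_UP = ("printing", "copying file", "save as")   # titles section 4 says to worry about
BRIEF_SECONDS = 15   # section 4: a 15-second exit is plausible for a mistake
LOOKAHEAD = 2        # assumption: how many later entries count as "next entries"


def triage(rows, sensitive):
    """rows: list of (window_title, seconds_spent); returns one verdict per row."""
    verdicts = []
    for i, (title, spent) in enumerate(rows):
        before = rows[i - 1][0] if i > 0 else None
        after = [t for t, _ in rows[i + 1:i + 1 + LOOKAHEAD]]
        if title == UNKNOWN:
            # Screen-saver rule: the entries either side are the same window.
            flanked = bool(after) and before == after[0]
            verdicts.append("probable screen saver" if flanked
                            else "unknown: read neighbours")
        elif any(s.lower() in title.lower() for s in sensitive):
            # A sensitive title matters most when an output action follows it.
            acted = any(f in t.lower() for t in after for f in FOLLOW_UP)
            if acted:
                verdicts.append("review: follow-up action")
            elif spent <= BRIEF_SECONDS:
                verdicts.append("probable mis-click")
            else:
                verdicts.append("review: long visit")
        else:
            verdicts.append("routine")
    return verdicts


# Constructed sample rows: (window title, seconds spent in the window)
ROWS = [
    ("Program Manager", 40),
    ("Excel - Off Shore Bank Accounts", 9),
    ("Program Manager", 5),
    ("Write - LETTER.WRI", 600),
    (UNKNOWN, 900),
    ("Write - LETTER.WRI", 120),
    ("Excel - Off Shore Bank Accounts", 12),
    ("Save As", 20),
    (UNKNOWN, 30),
]

if __name__ == "__main__":
    for (title, spent), verdict in zip(ROWS, triage(ROWS, ["Off Shore Bank Accounts"])):
        print(f"{spent:>5}s  {verdict:<26} {title}")
```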