StopLight ELS Entry Level Security System
Demonstration Version

This product is not freeware or shareware. This product can be used for commercial or private evaluation purposes only. It is identical to the retail version with the following exceptions:

1. The hard drive is not protected from floppy disk boot access.
2. The Master Admin password is displayed on the login screen.

To login as Master Admin, use the name SUPERMSF and password AKVPPEOK.

For ordering information or assistance, please contact:

Safetynet, Inc.
Customer Service Dept.
55 Bleeker Street
Millburn, NJ 07041-1414 USA

Sales - 1-800-851-0188
Support - 1-201-467-1024
Fax - 1-201-467-1611
BBS - 1-201-467-1581 (14400,N,8,1)
CompuServe - GO SAFE
E-Mail - 74431.1646@compuserve.com
International Sales - +1 908-276-9641
International Fax - +1 908-276-6575

Safetynet products are available on GSA Schedule. Single unit, volume discount and site license pricing is available. For information on becoming a reseller of our products, please contact our dealer sales department at the address listed above. Our complete product line is found on page 3.

--------------------------------------------------------------------------

Safetynet, Inc. is a member of the National Computer Security Association (NCSA), Information Systems Security Association (ISSA), and Software Publisher's Association (SPA).

Copyright Notice

This software package and document are copyrighted (c) 1991-1994 by Safetynet, Inc. Portions (c) Eliashim, Inc. All rights are reserved. No part of this publication may be reproduced, transmitted, stored in any retrieval system, or translated into any language by any means without the express written permission of Safetynet, Inc.

Disclaimer

Safetynet, Inc. makes no warranties as to the contents of this documentation and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose. Safetynet, Inc.
further reserves the right to alter the specifications of the program and/or the contents of the manual without obligation to notify any person or organization of these changes.

Trademark Notice

StopLight and Drive-In are registered trademarks, and StopLight/ELS, VirusNet/Pro and ProfileNet are trademarks of Safetynet, Inc. All other trademark names referenced are for identification purposes only and are proprietary to their respective companies.

TABLE OF CONTENTS

   Safetynet Product Line
   System Requirements
   Technical Support
1. Security Features
   Password Management
   Super Password
   Restricted Directory
   Audit Trail Log
   Screen Blanker / Keyboard Lock
   MS-Windows Screen Blanker
   Hot Key Protection
2. Installation
   Initial System Preparation
   Security Module Installation
   Uninstalling Stoplight ELS
   Emergency Unlocking Procedure
      Method 1
      Method 2
3. Security Setup (ELSUTIL)
   Setup Global Security
      Administrator Name
      Administrator Password
      Exp. (Password Expiration)
      System-Wide Settings
      Read Only/Public Directory
      Audit Trail Log
      Request User Name On Boot
      Request Password On Boot
      Minimum Password Length
      Customize Password Screen
   Initial Users Privileges (Window)
      Floppy Disk Write Protect
      Floppy Disk Read Protect
      Disable Printer Access
      Disable Serial Port (Rs-232) Access
      Keyboard Lock During Screen Blank
      Virus Protection
      Disable DOS Shell Access
      Disable Break
      Hard Disk Format/FDISK Protect
      Disable Date/Time Change
      Disable CONFIG.SYS & AUTOEXEC.BAT Change
      Disable Copying EXE & COM Files
   Setup User Profiles
      User Name
      User Active
      Boot Password
      Exp. (Password Expiration)
      Auto Screen Saver

StopLight ELS Demonstration Guide Page 1

      Hot Keys
      Allow Password Change
      Trustee Assignments (Window)
      Trustee Assignment Rights
      Protecting A Specific Directory
      Protecting A Directory And Its Sub-Directories
      Protecting A Specific Drive
      Protecting A Specific File
      Protecting A Pattern Of Files
      Trustee Assignment Examples
      Privileges (Window)
   Audit Trail Log Reports Generation
   Optional Elsutil Switches
4. End-User Operation
   Log In
   Password
   Screen Blanker / Keyboard Lock
   Hot Key Activation
   What A User Cannot Do
   Security Violations
   Logging Off
5. Special Programs
   PCC
      Overview
      Environment
      Memory Map
      Adapters
      Files
      Hard Drive Parameters
      Hard Drive Fix
      Network
   ALERT
   DEFMSG
   EX
   KEYBFIX
   LOGON
   WHOAMI
   UNLOCK
Appendix
   Solutions To Common Problems
   New Solutions
   List Of Violation Messages
   Error Messages That Users May Encounter
Index

SAFETYNET PRODUCT LINE

Safetynet, Inc. is a development and marketing company focusing on security software. Our current line of DOS-based products for PCs and networks includes:

* StopLight - StopLight builds on the features of StopLight ELS.
It provides up to 16 distinct users, and adds additional security settings, real-time and DES data encryption, and password management. VirusNet/Pro and Drive-In are included with StopLight.

* StopLight LAN - With a comprehensive list of security features, StopLight LAN can centrally control the security of your network and its workstations. Included are access control, single-signon, secure directories and files, and control over floppy drives, serial, and parallel ports.

* Drive-In - A powerful menu system that provides fast access to programs. An ideal corporate standard since it shares the same interface as our LAN and security versions, and uses no memory overhead.

* Drive-In LAN - Add sophisticated menuing to your network with Drive-In LAN. Offering unlimited group and user menu setups, all of your menuing needs can be handled with no memory overhead. Drive-In LAN can be easily upgraded to its anti-virus version, providing automatic virus protection for your entire network.

* VirusNet/Pro - Rated #1, VirusNet/Pro lets you create a virus-free computing environment. With advanced detection, correction, and prevention features, VirusNet/Pro is your total solution to virus problems. Its sophisticated scanner quickly checks PC and network drives for infections. Continuous protection is provided by a TSR monitor which prevents infected programs from being run or copied. Heuristic and checksum scanning allow VirusNet/Pro to find new viruses before they spread. Also included is disaster recovery which revives PCs that fail to boot, and a comprehensive scheduler which runs virus scans at certain times or intervals.

* VirusNet/Pro LAN - The LAN version of VirusNet/Pro provides protection across your entire network. Its TSR monitor can be loaded during login to protect all workstations from virus infection and prevent infected files from being copied to your file server. Infected programs are prevented from running, instead displaying a custom user help message.
The scanner can be scheduled to scan workstations at specific intervals. Central scheduling and workstation disaster recovery make VirusNet/Pro indispensable for network virus protection.

* Drive-In AntiVirus - Launch your programs without worry of virus infection. Before accessing a program, Drive-In AntiVirus quickly scans for viruses. A few seconds later, your program will be run, and you'll know that the program is virus free. If Drive-In AntiVirus detects a virus, your system will be automatically scanned and disinfected. Drive-In AntiVirus includes menu choices for one-key scanning of hard drives, floppy diskettes, and network drives.

* ProfileNet - Automatically inventory software and hardware for all your PCs and network workstations. With ProfileNet, a job that would take days can be done automatically in minutes. ProfileNet also tracks user information and support notes, making it a valuable tool for Help Desk management. Workstation startup files are cataloged and can be modified from the server. Inventories can be scheduled at specific intervals to detect changes.

Welcome to StopLight(R) ELS. StopLight ELS is a PC security system that combines exceptional power with ease of use.

StopLight ELS is the Entry Level version of our widely acclaimed StopLight security system. It provides the essential features required for protecting PCs and laptop computers. With its very low memory and disk requirements and simple operation, StopLight ELS can easily integrate with your system. During normal operation, you will not even know that security is there. But if an intruder or hacker attempts to get at your sensitive information, or perform an unwanted action, StopLight ELS will immediately come to the rescue.

StopLight ELS provides security by preventing unauthorized users from accessing the computer. Security profiles can be set up quickly for the administrator and two users.
An almost unlimited number of possibilities can be assigned to each user based on the type of access that is deemed appropriate. And through its log file, user activity and attempted violations can be tracked. StopLight ELS quietly protects your computer and its files from unauthorized activity in the background, providing you with a secure and highly productive environment.

SYSTEM REQUIREMENTS

Hardware: IBM PC, XT, AT, PS/2 or true compatible PC with 400K free space on Hard Drive C.

Operating System: PC-DOS and MS-DOS 3.0 or higher, Microsoft Windows 3.0 and 3.1

Network: Supports Novell, LAN Manager, Banyan, and all networks supporting a DOS client

Video Display: MDA, CGA, EGA, VGA, SVGA and compatibles. The screen saver blanks all DOS text and graphics video modes including those used by Microsoft Windows.

Memory: 384K of free RAM required. StopLight ELS uses 12K memory for its security kernel.

Mouse: Any Microsoft and MS-Mouse compatible mouse is supported, although its use is optional.

TECHNICAL SUPPORT

We have included many features which make StopLight ELS as user-friendly and helpful as possible. If you run into a problem during its installation or use, please refer to the section in the manual covering that topic. If you have found a problem or situation that is not covered in this documentation, contact our technical support department as described at the beginning of this guide.

When calling for technical support, you should be at the computer in question so that our support personnel can effectively work with you. You may need to be logged in as System Administrator to properly solve the problem.

1. Security Features

This chapter provides an overview of security concepts and how they are implemented in StopLight ELS. To successfully implement a security strategy, you should become familiar with this chapter.
If you are already proficient with security systems, you may only need to skim over this information before moving on to the installation instructions found in the next chapter.

PASSWORD MANAGEMENT

Use of passwords, variously controlled and managed in the background, is the essence of protection offered by StopLight ELS. The system administrator may establish a flexible security system by defining users and their passwords in different combinations described below. Use of individual passwords for access to the system during login is the first stage of security offered by StopLight ELS.

Examples of user name and password combinations offered by StopLight ELS follow:

a) Name and Password: This is the default setting and is deemed appropriate for most situations. The user name will be displayed on the screen but the password will remain concealed.

b) Password, No Name: It is possible to enter a password without the need to have a user's name. In this case the user will simply enter the password and skip the name entry.

c) No Password, No Name: In some cases, for example, in classrooms where users do not require confidentiality from each other, security can be provided without assigning user names and passwords. Initial PC access will be possible by merely pressing when prompted at the login screen. Students will then receive the security profile defined by USER1 in the Setup Users section described below. Along with other protection, security can be provided for the AUTOEXEC.BAT and CONFIG.SYS files, virus protection can be activated, and the hard disk can be protected against formatting.

d) No Password, Many Names: A fourth possibility is to allow access by entering the user's name only (no need for a password). This option is particularly useful for systems where every user has equal access to the system but the output itself must be separated (for example, an accountant may want to compute the total time spent on one customer for billing purposes).
For security reasons, when logging in as SYSADMIN the password will still be required.

The system administrator controls the use of passwords by the users in different ways. A minimum valid length for the password may be specified. Thus, even if users are allowed to replace their password, it may not be shorter than the minimum length. The system administrator may also specify the number of times or days that a given password may be used. After the password has expired, access to the system with this password will be denied.

The user's name is not normally a password since it is visible to all when entered on the screen. However, the password itself is known only to the individual user. The password is stored in encrypted form to ensure its confidentiality.

The system administrator has access to the hard disk with an administrator password. Once logged in, the administrator has access to the complete system including every user's privileges and secure directories. Further, the administrator also has access to the main security menu and to the Global Security Setup and Setup Users. In other words, when logging in as administrator, all security protection (except virus protection) is suspended from the computer. Therefore, it is recommended that great care be taken to keep the administrator password completely confidential.

When you login as system administrator, you have all privileges including access to the \SAFER directory. It is advisable that you also define yourself as a USER and login as a user while normally using the system. Login as a system administrator only when making changes to the StopLight ELS security system. This will avoid unnecessary exposure to the security system and to the administrator password.

SUPER PASSWORD

There may be occasions when the administrator password is not available (resignation, vacation, forgotten password), or the security system needs to be uninstalled after booting from a floppy disk (corrupted hard disk, etc.). Under these circumstances, the StopLight ELS Super Password is required. This password is linked to your unique StopLight ELS serial number and cannot be used to access another StopLight ELS package. The Super Password cannot be changed by the administrator and should only be used for emergency purposes. Since the Super Password can access or unlock the system, it is very important that you keep it safe and secure at all times. You may wish to store the Super Password away from the computer in a locked filing cabinet or safe.

To login to the system with the Super Password, follow these steps:

Boot the computer from the hard disk.
At the ELS login screen, for the User Name, type SUPERMSF (and press )
At the password prompt, type in your Super Password (and press ). In the eval version, the Super Password is AKVPPEOK.

If your computer does not boot and you must uninstall StopLight ELS, please refer to the Appendix section - Hard Disk Problems.

RESTRICTED DIRECTORY

SAFER Directory

The \SAFER directory (usually on drive C:) contains all the security parameters and configuration as set by the system administrator. It contains the security configuration file, the Log file and all other security files generated by StopLight ELS. Only the system administrator has access to this directory. To define access rights to specific files and directories, please see the Trustee Assignments section of this manual.

AUDIT TRAIL LOG

The Audit Trail Log records DOS and security-related activity performed at any time by each user from the moment of login.
By consulting the contents of the Audit Trail Log, the system administrator can globally supervise the activity in the system, check each user's activity, check any attempts to get access to unauthorized areas of the disk, violations, etc., and even get statistical reports of the activity conducted on the computer.

The options for Audit Trail tracking are Off, Full, and Brief. Selecting Off prevents any actions from being tracked. It is used when you do not wish to monitor activity. Full and Brief settings track login and logout times, violation messages and programs that are run. The Full tracking option also records all data file activity including Read, Write, Create and Delete. Since most user activity involves data file access, the Full tracking option generates significantly larger log files than the Brief option. Full tracking should only be used if you will be frequently monitoring the audit log. The log file should be periodically cleared to conserve disk space.

A flexible Audit Trail report generator helps the administrator manage audit information. Reports are generated based on date ranges, users and activity. Report information is displayed to the screen or exported to a data file for use with other programs. Violations are emphasized on the screen in Red for easy recognition. On monochrome systems, violations will appear in Bold.

SCREEN BLANKER / KEYBOARD LOCK

When a user leaves the computer unattended for a period of time, StopLight ELS can blank out the screen to prevent monitor burn. The computer system will continue to work, but nothing but a moving box will appear (for text mode applications). In graphics applications other than Microsoft Windows, the screen will not display the moving box. Instead, it will be blanked to blue for the Screen Saver and red for the Keyboard Lock. The result is the same, since information on the screen will not be visible to users and the monitor will be protected from burn in.

The Screen Blanker / Keyboard Lock can be activated automatically if the computer keyboard and mouse are not used after a period of time. This period of inactivity is adjustable from 2 minutes to 60 minutes. An adjustable hot-key is also available to activate the Screen Blanker / Keyboard Lock on demand.

When the Screen Blanker is activated, the user simply presses to restore the screen. All underlying screen information will be properly restored.

Normally, only the Screen Blanker will appear when you step away from your computer. However, if you want your keyboard lock to activate along with your Screen Blanker, select the "Keyboard Lock During Screen Saver" option on the Users' Privileges window during set-up.

For non-Windows graphics programs, a color other than red or blue may be displayed for the Screen Blanker / Keyboard Lock.

MS-WINDOWS SCREEN BLANKER

A program (MSWIN.EXE) is provided to blank the screen while using Microsoft Windows. During the StopLight ELS installation process, your system is automatically configured to run this program when Windows is started. To activate the screen blanker, double-click on its icon.

If you change your Windows configuration and the blanker does not start automatically with Windows, you will have to manually reinsert the MSWIN command. To start the MSWIN.EXE program automatically each time you run Windows, edit your "LOAD=" line in the Windows WIN.INI file and add the MSWIN.EXE program to it:

    LOAD=C:\PUBLIC\MSWIN.EXE

If another program is already loaded by this line, make sure there is a space after the program and then add MSWIN.EXE:

    LOAD=ANYPROG.EXE C:\PUBLIC\MSWIN.EXE

HOT KEY PROTECTION

A hot-key is provided to activate the Screen Saver / Keyboard Lock immediately. Press and hold the together for five seconds to blank or lock your screen. The administrator can redefine the hot keys or even add a letter to be pressed after the first hot-key is pressed.
Hot keys can be changed by using the ELSUTIL security setup program.

2. Installation

This chapter lets you install and get acquainted with StopLight ELS and test it with the default settings. When you are more familiar with the system and determine what your requirements are, StopLight ELS can be configured to meet your security needs.

StopLight ELS Security Defaults are as follows:

    System Administrator Name:     SYSADMIN
    System Administrator Password: PASSWORD
    Superuser Name:                SUPERMSF
    Superuser Password:            AKVPPEOK
    User 1 Name:                   USER1
    User 1 Password:               PASSWORD
    User 2 Name:                   USER2
    User 2 Password:               PASSWORD

INITIAL SYSTEM PREPARATION

Before installing StopLight ELS, please be sure to follow these steps:

1. The COMMAND.COM program must be in the root directory of drive C:. If it is not, please place a copy of it there.

2. If you are using a SHELL program in your CONFIG.SYS file other than COMMAND.COM (e.g. NDOS from Norton Utilities), you must find an alternate way to run that program. StopLight ELS loads itself as a SHELL and unlike DEVICE drivers, DOS cannot run more than one SHELL statement. Consult your SHELL program documentation for alternate ways to run the program, or try running it from the DOS prompt or AUTOEXEC.BAT file.

SECURITY MODULE INSTALLATION

The ELSUTIL security administration program is responsible for the installation and configuration of the security module. Insert the StopLight ELS disk in Drive A: or B:, change to the drive letter, type ELSUTIL and press .

1. Using the ELSUTIL program, configure your security as appropriate or simply use the default security setup described at the beginning of this chapter.

2. Highlight "Install Security System" from the ELSUTIL Main Menu and press . Without selecting Install, the Security System will not be installed.

3. After selecting "Install Security System", you will be prompted to select the drive letter where the StopLight ELS disk is inserted. Once you select the drive, the StopLight ELS security files will be installed to the C:\SAFER and C:\PUBLIC directories.

4. On completion of the install process, remove the StopLight ELS disk from the floppy drive and press any key to reboot the computer.

6. When the computer reboots, StopLight ELS will ask if it should lock the hard drive. Select "No" the first time to make sure the computer completes the boot process and you can successfully login.

7. When the login screen appears, type in your system administrator name and password. The default is SYSADMIN for the name and PASSWORD for the password.

8. If PASSWORD is your password, after you login to the system, StopLight ELS will display a message that this is the default password and that you must change it. Type in a new password in the space provided and then verify the password by retyping it.

9. You are ready to explore the many features of StopLight ELS that can increase your security and productivity.

This completes your installation of the StopLight ELS.

UNINSTALLING STOPLIGHT ELS

Never try to uninstall StopLight ELS by manually removing the SHELL=C:\SAFER\SAFER.PGM line from the CONFIG.SYS file. The computer will not boot if this line is removed. Instead, use the standard technique described below.

To uninstall StopLight ELS, insert the first StopLight ELS disk into a floppy drive and run ELSUTIL. Select the Uninstall option from the menu. Uninstalling will be automatically performed. If you are performing UNINSTALL for a system that is locked up for any reason, you may be asked to enter the Super Password which can be found at the beginning of this guide.

On completion of the uninstall procedure, the following message will appear on the screen:

    System successfully uninstalled. Must BOOT the computer now...

Remove the original disk from the drive, and BOOT the computer. The security login will be removed and you will have access to your system.

EMERGENCY UNLOCKING PROCEDURE

(This section does not apply to the DEMO version of StopLight/ELS since it does not lock the hard disk.)

StopLight ELS has been enhanced to restore hard drives that fail to boot. If, after installing StopLight ELS, a problem arises that prevents access to the hard drive, do not use FDISK, FORMAT or disk recovery software such as Norton Disk Doctor. By following the steps listed below, you should be able to unlock the hard drive and recover your data. This procedure should only be used if you have already tried the standard uninstall procedure as described above and still cannot gain access to the hard drive.

Do not format your hard drive if you cannot access your data. Call for help if anything goes wrong.

METHOD 1

Use this method only if the standard uninstallation described previously did not work.

1. Boot the computer with a DOS diskette.
2. Place the ELS disk into a floppy drive.
3. Run ELSUTIL /US
4. Follow the on-screen prompts.
5. Type in the Super Password listed at the beginning of this guide.
6. Follow the on-screen prompts and reboot from the hard drive.

If you still cannot boot from the hard drive, boot from a floppy disk and switch to the C: drive. If you can gain access to C:, you may need to perform a SYS C: command to transfer the system files back to the hard drive.

METHOD 2

Use this method only if the above method did not work.

1. Boot the computer with a DOS diskette.
2. Place the ELS diskette into the floppy drive.
3. Run PCC
4. Highlight the HD Fix choice and press
5. Follow the on-screen prompts.
6. Contact Safetynet when prompted for a password.

3. Security Setup (ELSUTIL)

The following instructions are meant exclusively for the system administrator.
Since this section includes sensitive information, please make sure that this information is never accessible to others.

This chapter will allow you to customize StopLight ELS to suit your particular needs. Before you can effectively use the security system, you must configure it to your needs and to the needs of each additional user. The ELSUTIL program allows you to do this.

To run ELSUTIL, follow these steps:

1. Type C: and press
2. Type CD \SAFER and press
3. Type ELSUTIL and press

A Main Menu screen will appear showing various options. At the top of the menu selection, you will see the message "Security System Active". This means that your system has StopLight ELS security installed. If the Security System is not active, please install it by referring to the installation instructions given in the previous chapter.

SETUP GLOBAL SECURITY

You may now configure StopLight ELS to meet your specific security needs. From the menu window, highlight the selection entitled: "Setup Global Security", and press .

This screen allows you to set up Global Security features for all users. The following pages in this section give a detailed explanation of each entry on the setup screen. Please read these carefully before you make entries on the screen. Use the Help Windows when required. Press to create a report of your security settings.

The administrator shares two settings with USER1: the password expiration unit of login times or days, and the Keyboard Lock hot key. Making a change to either of these settings for USER1 will also change them for the administrator. User security settings are discussed later in this chapter.

ADMINISTRATOR NAME

The default name of the system administrator is SYSADMIN. It is not a password and will be displayed when typed. It may be changed to any suitable name up to eight characters.

ADMINISTRATOR PASSWORD

This is the password used by the administrator to gain access to the system.
You can select any combination of up to eight alphanumeric characters. After your password is entered, you will be requested to verify the password. If the password entered after verify does not match the password entered on the first request, the message: "Password/Key Mismatch" will appear along with the request to enter the password again.

An existing password can be replaced from the StopLight ELS login screen by pressing instead of after the user name and password are entered. In this case, a field will open to accommodate the new password.

Please remember not to reveal your password to any user as it leaves your system unprotected and accessible to others. If, for any reason, you must give your password to another person, remember to replace it with a new one and update other related sensitive information as soon as you recover control of the system.

If you forget your password, please refer to the Super Password section in Chapter 1.

EXP. (PASSWORD EXPIRATION)

Password expiration, also known as password aging, may be specified here. StopLight ELS ages administrator passwords based on the number of days or uses. Use the +/- keys to select the number of days/uses before the password expires. Based on the setting of USER1, the administrator password will expire in the selected number of days or logins.

The system administrator's password should be replaced as soon as the password expiration warning is given. In case the password is not replaced and expires, the system administrator will be denied access to the system. If this happens, only the Super Password will unlock the system.

SYSTEM-WIDE SETTINGS

Your next step will be to define a global configuration of your security system. Follow the directions on screen for each step and consult the Help Windows when necessary. The following information applies to the system in general and not to individual users.

READ ONLY/PUBLIC DIRECTORY

This choice allows you to create read only directories anywhere on your system by matching the directory name with the Read Only directory pattern. Files in Read Only directories can be accessed by any user but can only be modified by the system administrator. This feature is included with your version of StopLight ELS for compatibility with previous releases. We highly recommend that you use Trustee Assignments to protect files and directories. Trustee Assignments are described later in this chapter.

For example, to make all directories Read Only that end with an RDO extension (e.g. PROGRAM.RDO, DOS.RDO), select Rd Only in the left field and press . In the field to the right, type *.RDO or ????????.RDO. You will have to rename existing directories to include them in this pattern.

Public directories take the opposite approach to Rd Only directories, allowing Read and Write access to directories matching the Public pattern and Read Only access to directories outside the pattern. For example, to have Read/Write access to your data files, select Public for the field on the left and *.PUB for the field on the right. Then make a directory called DATA.PUB and place your data files in this directory. Users will have Read and Write access to these files, but programs and other files outside of this directory definition will be Read Only.

AUDIT TRAIL LOG

If this option is set to Full or Brief, a file named SAFER.LOG will be created in the C:\SAFER directory, in which all the information on supervised activities will be recorded for the administrator's use.

The Full log tracks user logins and logouts, program, data, and violation activities. This log provides maximum details, but also grows the fastest. The Brief log option reports all activity except data file activity.
Since data file activity represents the largest portion of typical Audit Logs, Brief tracking will result in substantially smaller Audit Trail Logs. If you do not need an audit log, choose Off for this selection.

REQUEST USER NAME ON BOOT

Determine whether users must enter their User Name in order to have access to the system. Press the or +/- keys to change between Yes and No.

REQUEST PASSWORD ON BOOT

Determine whether a valid password must be entered to gain access to the system. Press the or +/- keys to change between Yes and No. For security reasons, the System Administrator login password is always required to gain access to the system.

It is very useful in classrooms to turn off the User Name and Password prompts on the login screen, displaying "Press Enter to continue" instead. The student simply presses to gain access to the computer and is automatically assigned the security profile of USER1. This is ideal for preventing CONFIG.SYS and AUTOEXEC.BAT deletions, and activating virus protection and Hard Disk Format protection. The student can even be prevented from adding or copying software.

MINIMUM PASSWORD LENGTH

StopLight ELS passwords can be up to 8 characters in length. To set a minimum password length, enter it here by pressing the or +/- keys to move through valid lengths.

CUSTOMIZE PASSWORD SCREEN

The login screen contains a large StopLight ELS banner. This area can be changed to meet your needs. Highlight this choice and press . An editing window will allow you to make changes to this banner. The banner information is saved in a file named LOGO in the C:\SAFER directory. This file may also be edited with any standard text editor. To put your banner changes in effect, you must exit the "Global Security Setup" screen and save your changes.

INITIAL USERS PRIVILEGES (WINDOW)

Highlight this choice and press to access the Privileges window.
This is a global setup that will be applicable to all users, but may be changed during the configuration of individual user's setup. If you want to set the same configuration for all users of the system, press when the window is active and answer Yes to "Duplicate this configuration to all users?". You can then customize this starting point for each user individually from the "Setup Users" option of the Main Menu.

Select the initial privileges that you are authorizing the users to have by pressing the or +/- keys. Choices with a check mark in front of them are enabled. The following user privileges may be set in the privileges window:

Floppy Disk Write Protect

By turning on this option, you prevent any writing to diskettes inserted in the disk drives. Thus copying software/data is prevented, but reading new information into the computer from the floppy disk is still allowed.

Floppy Disk Read Protect

In a similar manner to the previous option, when active, this option will prevent reading your diskettes. Since the floppy disk must be read before it can be written to, choosing this option will totally disable the use of the floppy drives.

Disable Printer Access

No printer access will be allowed on PRN or any of the LPT ports. A network printer is not protected with this option, but generally can be protected from the network server. Also, if you need to protect a serial printer, refer to the following option.

Disable Serial Port (RS-232) Access

This option is used to prevent serial port access via BIOS. A computer mouse connected to the serial port will not be affected by this option, allowing you to restrict a serial printer while continuing to use a serial mouse.

Keyboard Lock During Screen Blank

This option adds more security to the screen blanking option when you leave the computer unattended. With this option, the keyboard is locked when the screen saver is activated by time out. Only upon entering your login password will access be allowed to the PC.
If this option is not selected, only the screen blanker will be activated, with access to the blanked program granted by pressing .

Virus Protection

Activates the real-time virus protection feature, which detects many common viruses. This option should be on at all times. If a virus is found in the system, both the virus and the infected program will be stopped from running. This option only applies to users and not the system administrator. No security or virus protection is provided during a system administrator session.

This option does not detect a significant number of viruses. For top-rated virus detection and removal, please contact Safetynet or your dealer for information on our VirusNet/Pro anti-virus system.

Disable DOS Shell Access

No DOS prompt access will be allowed by shelling out of applications. For example, in Word Perfect, the user cannot reach the DOS prompt by pressing and selecting "Go to DOS". Instead, a warning message will be displayed and control will return back to the program.

Disable Break

The and keys will be disabled, preventing the user from breaking out of and stopping the AUTOEXEC.BAT and other batch files.

Disabling both DOS Shell Access and Break are most useful when combined with a menu system since the user can be completely isolated from the DOS prompt. In a typical scenario, the user logs into the system and is brought into the menu system by the AUTOEXEC file. The menu system can be set to restrict exiting to DOS and accessing menu Setup by passwords. Choices on the menu can be run, and control will return to the menu after the program choice is finished. No possibility will exist to get to the DOS prompt, since back door attempts such as shelling out of application programs will be denied. This effectively locks the user into the menu environment, and prevents running programs and performing DOS actions that are not set up in the menu.

Hard Disk Format/FDisk Protect

Formatting and repartitioning of the hard disk (FORMAT and FDISK programs) will not be permitted.

Disable Date/Time Change

The user will not be able to change the system time and date, providing for the integrity of the Audit Trail Log. Do not select this option if you are receiving StopLight ELS Date/Time change warning messages or experiencing problems when logging to a Novell or similar network. Some networks try to synchronize the workstation's date and time, and will not allow a login if they cannot be changed.

Disable Config.sys & Autoexec.bat Change

This feature should always be enabled since StopLight's security shell must be loaded from the CONFIG.SYS file. By choosing this option, no permission will be granted to users to delete, replace, alter or rename these files. The administrator login always has full access to these files.

Disable Copying EXE & COM Files

With this option selected, users will be prevented from copying programs to or from the hard drive, but they still can use the floppy drives for reading or writing data files. This option is a highly effective tool for preventing software piracy. It can be used to keep your software licenses legal.

SETUP USER PROFILES

After the global security is configured, the system administrator should configure the user's information for every individual who is authorized to use the system. From the ELSUTIL Main Menu, select the Setup Users option, then press . Select a user from the pop-up Select User window and press .

After you have finished editing a particular profile, press to return to the Select User window. You can then select a different user or press to return to the Main Menu.

USER NAME

Two different user profiles may be defined in StopLight ELS. If you need more than 2 users to access a PC, please contact Safetynet or your dealer for information about the StopLight Security System.
A user's name is a combination of up to eight alphanumeric characters. Please note that this is not a password and is visible to all users.

USER ACTIVE

Is the user active? Select Yes or No by using the or +/- keys.

This option can be temporarily set to No when the user is away, on vacation, etc., or when the system administrator decides to deny the user access to the system. By selecting No, the administrator will completely prevent access by the user or anyone who is familiar with this user's password. Anyone attempting to enter under an inactive user's password will receive the message: "User Not Active, Log-In Denied!".

BOOT PASSWORD

Enter a unique login password for this user. Select any combination of up to eight alphanumeric characters. After this password is entered, there will be a request to verify password. If the password entered after Verify is wrong, the message: "Password/Key mismatch" will appear, followed by a request to enter the password again.

This could be an initial password for the specific user, and you may want to authorize the user to replace it with another one. Please refer to the "Allow Password Change" option described below. In this case, the new password will be entered by the user by pressing instead of , after typing the old password on the login screen.

EXP. (PASSWORD EXPIRATION)

Password expiration, also known as password aging, may be specified here. StopLight ELS can age passwords based on the date or by number of uses. First, select the number (either days or uses) before the password expires by using the or +/- keys. Then press to move the cursor to the field immediately to the right. Use the or +/- keys to select between "Times" and "Days" depending on your requirements.
If you decide to use password expiration, the user will receive the following message before the password actually expires:

"Password usage expires, MUST change password"

If the user has permission to change their login password, a New Password and Verify Password field will be displayed on the login screen. If the user is not allowed to change their password, or if they allow their password to expire, they must contact the administrator for a new password.

AUTO SCREEN SAVER

The screen blanker can be activated automatically after the keyboard has been inactive for a predetermined time. In the User Privileges window, if "Keyboard Lock During Screen Saver" is selected, the login password will be required to regain access to the computer.

Select values from two minutes up to 60 minutes with the or +/- keys. If you do not want the screen saver to activate automatically, select OFF. Please note that the screen blanker can be instantly activated anytime using the hot keys as discussed in the "Screen Blanker / Keyboard Lock" section of Chapter 1.

HOT KEYS

The hot key combination used to activate the screen saver, keyboard lock, and reboot on program exit can be redefined by modifying this choice. It is made up of a combination of , , and keys followed by an optional letter. By requiring a letter after the initial combination, several security features can be activated on demand.

With the cursor on the left Hot Keys field, press the to bring up a list of key combinations. Select the initial hot key and press . The cursor will then move to the hot key field on the right. Use the or +/- keys to choose between "+ Letter" and "No Letter".

By selecting "+ Letter" along with the initial key sequence, the screen saver, keyboard lock, and reboot on program exit features can be accessed. Hold down the key sequence in the left field for five seconds.
When the computer speaker makes a clicking sound, press D to activate the screen saver, S to activate the screen saver with keyboard lock, K to activate the keyboard lock, and B to reboot the computer after the current application is exited. See Chapter 1 for more details.

For users who wish to activate the hot key sequence in Microsoft Windows, "No Letter" must be selected for the field on the right. Holding the key sequence in the left field for five seconds will activate the screen saver with or without the keyboard lock (the reboot and keyboard lock only features will not be available). You can make the keyboard lock activate by setting the "Keyboard Lock during Screen Saver" choice found in the "Initial Users Privileges" window (described earlier in this chapter).

For Microsoft Windows users, a special program (MSWIN.EXE) is provided to activate the screen saver by clicking on an icon. See Chapter 1 for more details.

ALLOW PASSWORD CHANGE

You may authorize some users to replace their initial password by a different one. Indicate for every user whether they may or may not change their login password. A user who is authorized to do so can replace their password by pressing the key instead of after the password is typed on the login screen. A field will appear on the screen prompting them for the new password.

TRUSTEE ASSIGNMENTS (WINDOW)

Each user can be assigned Trustee Assignments for files and directories. Trustee Assignments can control the type of access available for files, directories and drives. If Trustee Assignments overlap for a particular file or directory, the most specific assignment will be used.

For example, assume that an entire drive is set to Read Only and a Trustee Assignment for a file on that drive is set Read and Write. Since the file assignment is more specific than the drive assignment, the user will have Read / Write access to that file.
Highlight the "Trustee Assignment (window)" choice and press to display the Trustee Assignment setup screen.

TRUSTEE ASSIGNMENT RIGHTS

Trustee Assignments can be added to drives, directories and files. Rights which can be granted (or denied) include (C)reate, (D)elete, (E)xecute, (R)ead and (W)rite. If a right is not given, it is not allowed. Trustee Assignments that are blank for an object mean that the user will have no access to that object.

(C)reate  - Allows a user to use the DOS Create function to add a new file to a drive or directory.
(D)elete  - Allows a user to delete a file from the drive or directory.
(E)xecute - Allows a user to run a program from the drive or directory. This must be accompanied by the (R)ead privilege.
(R)ead    - Allows a user to have Read file access.
(W)rite   - Allows a user to have Write file access. It is usually accompanied by the (R)ead privilege.

When a drive, directory or file is not listed, either explicitly, or by a pattern, the user has full rights. Only items that are included in the Trustee Assignment window are protected.

PROTECTING A SPECIFIC DIRECTORY

1. Display the Drive and Directory window by pressing the function key.
2. Highlight the drive to work with and press .
3. Select the directory to protect and press .

PROTECTING A DIRECTORY AND ITS SUB-DIRECTORIES

Directories and Drives with a trailing backslash (e.g. C:\DOS\) do not include their subdirectories as part of their Trustee Assignment protection. Remove the trailing backslash to include subdirectories as part of the Trustee Assignment protection.

1. Display the Drive and Directory window by pressing the function key.
2. Highlight the drive to work with and press .
3. Select the directory to protect and press .
4. Remove the Trailing Backslash from the Directory Name.

PROTECTING A SPECIFIC DRIVE

1. Press when the highlight bar is on the Trustee Assignment window.
2. Type in the name of the drive you wish to protect (e.g.
C:) and press .
3. Remove the trailing backslash from the entry by pressing the key on the drive item and editing the choice.
4. Add various Trustee Assignments as described in the Trustee Assignment Rights section above.

PROTECTING A SPECIFIC FILE

1. Select a directory by following the Protecting a Specific Directory steps 1-3 above.
2. With the Trustee Assignment highlight bar on that directory, press to display the Edit window.
3. Type in the full path of the file you wish to protect. Standard DOS wildcards are allowed.
4. Then add the appropriate Trustee Assignments as described in Trustee Assignment Rights above.

PROTECTING A PATTERN OF FILES

(DOS wildcards * and ? can be used to protect a pattern of files.)

Method 1:

1. Press and type in the drive, directory and pattern of files to protect. The syntax for protecting multiple files is the same as the syntax used to select multiple files with a DOS DIR or COPY command. (e.g. C:\WINDOWS\*.INI)
2. Then add the appropriate Trustee Assignments to the selected file pattern.

Method 2:

1. Select a directory by following the Protecting a Specific Directory steps 1-3 above.
2. With the Trustee Assignment highlight bar on that directory, press to display the Edit window.
3. Add to the directory the wildcard file pattern you wish to protect (e.g. C:\DATA\*.DBF).
4. Then add the appropriate Trustee Assignments to the selected file pattern.

C:\WKS\ [RW ]
    Files in C:\WKS will be Read and Write Only. The trailing "\" after WKS means that files in directories under C:\WKS are not affected by these rights and will remain with full access.

C:\WKS [RW ]
    Files in C:\WKS and directories below it have Read Write privileges. (Notice that no trailing backslash is placed after WKS.)

C:\SECURE [ ]
    The C:\SECURE directory (and directories below it) are not accessible to the user since no rights were granted.

C:\123\TS.WKS [RWCD]
    User has full rights to the TS.WKS file.
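
The Trustee Assignment rules above (unlisted objects keep full rights, a trailing backslash excludes subdirectories, the most specific entry wins) can be modelled in a few lines. This is an added example, not Safetynet's code: the `is_file` flag, the specificity ordering (file entry over directory, deeper over shallower) and the `D:` and `C:\TOOLS` entries are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

ALL_RIGHTS = frozenset("CDERW")  # (C)reate (D)elete (E)xecute (R)ead (W)rite


@dataclass(frozen=True)
class Trustee:
    entry: str             # full path as typed in the Trustee Assignment window
    rights: str            # letters from CDERW; "" means no access at all
    is_file: bool = False  # assumption: caller marks file / wildcard entries


def _wild(pattern):
    """Translate DOS * and ? into a regex (simplified: no 8.3 padding rules)."""
    parts = (".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile("".join(parts) + r"\Z")


def _match(t, file_dir, file_name):
    """Return a specificity tuple if entry t covers the file, else None."""
    entry = t.entry.upper()
    if t.is_file:
        e_dir, e_name = entry.rsplit("\\", 1)
        if e_dir == file_dir and _wild(e_name).match(file_name):
            literal = sum(c not in "*?" for c in e_name)
            return (1, e_dir.count("\\"), literal)
        return None
    subtree = not entry.endswith("\\")  # no trailing backslash: subdirectories included
    base = entry.rstrip("\\")
    if file_dir == base or (subtree and file_dir.startswith(base + "\\")):
        return (0, base.count("\\"), 0 if subtree else 1)
    return None


def effective_rights(assignments, path):
    """Rights a user holds on a full file path under the given assignments."""
    file_dir, file_name = path.upper().rsplit("\\", 1)
    best = None
    for t in assignments:
        score = _match(t, file_dir, file_name)
        if score is not None and (best is None or score > best[0]):
            best = (score, t)
    if best is None:
        return ALL_RIGHTS  # not listed explicitly or by pattern: full rights
    return frozenset(best[1].rights.upper()) & ALL_RIGHTS


def review(assignments):
    """Flag two pitfalls the manual describes; returns a list of findings."""
    findings = []
    for t in assignments:
        rights = t.rights.upper()
        if "E" in rights and "R" not in rights:
            findings.append(f"{t.entry}: Execute granted without Read")
        if not t.is_file and t.entry.endswith("\\"):
            probe = t.entry + "SUBDIR\\X"  # constructed path one level below
            if effective_rights(assignments, probe) == ALL_RIGHTS:
                findings.append(f"{t.entry}: subdirectories are unlisted, full rights")
    return findings


PROFILE = [
    Trustee("C:\\WKS\\", "RW"),                        # from the manual
    Trustee("C:\\SECURE", ""),                         # from the manual
    Trustee("C:\\123\\TS.WKS", "RWCD", is_file=True),  # from the manual
    Trustee("D:", "R"),                                # constructed: read-only drive
    Trustee("D:\\DATA\\*.DBF", "RW", is_file=True),    # constructed: overrides D:
    Trustee("C:\\TOOLS", "E"),                         # constructed: misconfiguration
]

if __name__ == "__main__":
    for p in (r"C:\WKS\BUDGET.WKS", r"C:\WKS\OLD\BUDGET.WKS",
              r"C:\SECURE\PAYROLL\P.DAT", r"D:\DATA\SALES.DBF",
              r"D:\DATA\NOTES.TXT", r"C:\AUTOEXEC.BAT"):
        print(f"{p:28} {''.join(sorted(effective_rights(PROFILE, p))) or '(none)'}")
    print(*review(PROFILE), sep="\n")
```

The last sample path shows why the default matters when auditing a profile: C:\AUTOEXEC.BAT is unlisted, so Trustee Assignments alone leave it with full rights and it is protected only by the separate "Disable Config.sys & Autoexec.bat Change" privilege.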

PRIVILEGES (WINDOW)

Press to select the Privileges window for the current user. From this window, you can mark the privileges available to the user by pressing the or the +/- keys. Remember that the system administrator has complete privileges to the system, including removing or altering the security configuration. If the administrator needs to use the computer for reasons other than security setup, a separate user login should be provided.

Detailed descriptions of each privilege option can be found in the "Initial Users' Privileges" section earlier in this chapter.

AUDIT TRAIL LOG REPORTS GENERATION

StopLight ELS automatically records the user's LogIn/LogOff date and time in the SAFER.LOG file. Depending on your Audit Log setting (Off, Brief, or Full), various amounts of user activity will be recorded and kept in the log including attempts to perform illegal activities. The administrator can create a report according to the following criteria:

All:        Any activity that matches a definition below will be registered.
User Name:  List activities of the user whose name is specified.
Sys.Admin.: Lists the login, logout, and virus warnings generated by the system administrator.
Violation:  Any activity that does not conform to the privileges authorized will be highlighted in the report.
Statistics: The total computer time spent by every user will be recorded.

After the criterion for the production of the report is selected, you may be asked the output destination:

Screen:     The report will be displayed on the screen.
Printer:    A printed listing will be sent to the printer connected to LPT1:.
File:       The file option will write the output to a SAFER.REP file.
Data file:  This report is produced in the form of a data file under the name of SAFER.REP (fields are written between quotation marks, and separated by commas). The data can then be analyzed with a database or spreadsheet program.

OPTIONAL ELSUTIL SWITCHES

ELSUTIL accepts command-line instructions for various features. An example of the syntax is as follows:

ELSUTIL /U - To select the uninstall option.
ELSUTIL /W - To display black and white screens.

Since new switches may be added that are not documented in this guide, run ELSUTIL /? to display a complete description of the current switches. Following are switches that ELSUTIL can accept:

/U          Runs the Uninstall Security System choice.
/SG         Directly runs the Setup Global Security window.
/SU         Directly runs the Setup Users window.
/RU         Produces a report of the Global and User security settings.
/R          Runs the Generate Audit Log Reports menu selection.
/RD=S|P|F   Selects a report Destination of (S)creen, (P)rinter or (F)ile. (e.g. MSUTIL /RD=F will produce a report to a file.)
/CO         Runs the Configuration menu choice.
/HI         Used during installation to tell the security system that you have more than 640K of conventional memory.
/P          Selects a non-IBM/Epson printer for printing audit trail reports.
/L          Selects a HP Laser printer for printing audit trail reports.
/W          Optimizes the display for non-color screens.
/S          Removes sound effects from pop-up windows.
/? or /H    Views the help screen.

4. End-User Operation

This chapter should be read by all users of StopLight ELS. It covers operation when you are logged in as a User (non-administrator).

StopLight ELS is a sophisticated security system that will protect your important information and make your computer time more enjoyable. It gives you the privacy and levels of security that will guarantee that no unauthorized user has access to your private files or programs.

* StopLight ELS is user-transparent. In other words, it will not inhibit you in any of your activities, unless you do something that your system administrator has not authorized you to do (for example, trying to have access to another user's files!).
The system administrator may have assigned a separate safe directory to you where you can store your files without worrying about other users gaining access to them.

* StopLight ELS cannot be by-passed. It is not possible to boot the system from a diskette and gain access to the hard drive. Also, certain directories and files may be restricted from being accessed.

You are one of the authorized users who has been assigned certain access and user privileges by your administrator. This chapter will help you to understand and use the security features of your system.

LOG IN

When the PC is first powered on, the StopLight ELS login screen will appear, asking you for your Login Name and Password. Type in the information requested and press after each line. Upon supplying the correct information, you will gain access to the computer with a certain security profile assigned by the system administrator. Access to the computer will not be granted until you supply the correct information.

PASSWORD

Proper use of your login password is very important to the security of your information stored on the PC. The system administrator has assigned each user a unique login password. With your password you can prevent other users from gaining access to your files. If you disclose your password to another user, they will then have access to your files.

Along with your Login Name you must use this password to enter the system, or access will be denied. If you forget your password, ask your system administrator. Don't try to randomly guess your password at the login screen.

Proper password use is critical to the StopLight ELS system. The following sections provide important information regarding password use.

Default password

If the administrator gave you a password of PASSWORD, you will be asked to change the password to a new one. Type in a new password and press . Then type it in again to verify that it was typed correctly.
You will then use this new password to access the system.

Invalid password

Three consecutive attempts to enter the system with a wrong user name or password will produce the message: "System Halted!". You may unlock the system by pressing the reset button and try to login again with your correct user name and password.

Expired password

For additional security, your system administrator may decide that your password will be valid for a certain period of time or number of valid logins, and then expire. When your password is due to expire, the following message will be displayed on your screen: "Password usage expires, MUST change password!".

If you are authorized to replace your password, do so AT ONCE! If not, please notify your system administrator as soon as possible. After the password expires, you will no longer have access to the system!

Changing your password

An existing password can be replaced on the login screen by following these instructions.

1. Type in your user name and press .
2. Type in your current password and press . (If you are authorized to change your password, two new fields will appear.)
3. Type in your new password and press .
4. Type in your new password again to verify that it was typed in correctly and press .

Your new password will remain in effect until you change it voluntarily, the system administrator changes it for you, or the system requires you to change it.

If the administrator has not allowed you to change your password, pressing after you type in your user name and password will not work. You must notify the administrator that your password needs to be changed.

The system administrator may have specified a minimum password length. If the new password you entered is less than the minimum length, a "Password too short" message will be displayed. Please enter a longer password (maximum eight characters).

SCREEN BLANKER / KEYBOARD LOCK

When the computer is left unattended for a period of time, it is possible to implement a Screen Blanker or Keyboard Lock. Each one blanks out the screen to protect sensitive information and prevent monitor burn. While the screen is blanked, any programs which were running will continue to run.

The screen will be replaced by a moving message display. The Screen Blanker is cleared by pressing , and the Keyboard Lock is cleared by pressing , typing in your login password and pressing again. The system will be unlocked and its screen information will be restored.

The Microsoft Windows keyboard lock clears the screen and displays a moving message window. DOS-based programs will also be replaced by a moving display.

In graphics applications other than Microsoft Windows, the Screen Blanker and Keyboard Lock will blank the screen with a solid color. For most programs, the Screen Blanker will display a blue screen, and the Keyboard Lock will display a red screen. Some programs may change the video display and alter these colors. To regain access to the system, press to clear the keyboard buffer. If the screen is not restored, the Keyboard Lock is active. Type in your login password and press to restore the screen.

Normally, only the Screen Blanker will appear when you step away from your computer. However, to activate the keyboard lock instead of your Screen Blanker, ask the administrator to select the "Keyboard Lock during Screen Saver" choice in ELSUTIL.

HOT KEY ACTIVATION

A hot-key is provided to activate the Screen Saver / Keyboard Lock immediately. Press and hold together for five seconds to blank or lock your screen.

If the administrator requires a letter to be pressed along with the hot key, press the hot key and hold it down for five seconds. The computer speaker will then make a clicking sound.
Without lifting the hot key, press one of the following keys:

D key: Dims the screen (Screen Blanker).
S key: Secures the keyboard and dims the screen (Keyboard Lock & Screen Blanker.)
K key: Keyboard lock but does not dim the screen.
B key: Boots the computer after the current program is exited. When activated, two beeps will be heard to confirm that the feature is activated. This feature is ideal for unattended modem transfers and tape backups when you wish to ensure that no other programs will be run from the computer.

WHAT A USER CANNOT DO

By being granted User access to the computer, you inherit certain restrictions which will keep your computer operating correctly.

* A user cannot access the \SAFER Directory. This is the directory where the security parameters are defined by the system administrator.
* A user cannot alter or write to the Boot sectors.
* A user cannot use the CHKDSK program since no access is granted to the \SAFER directory and other private user directories. If you must use CHKDSK, please contact your system administrator.

SECURITY VIOLATIONS

If an action results in the breach of any security rules, a warning message is displayed and the action is denied. Typical actions which may breach security include unauthorized access to the CONFIG.SYS and AUTOEXEC.BAT files, and attempting to change to a secure directory. A complete list of messages can be found in the Appendix.

LOGGING OFF

When you are done working with the PC, you must exit the system in one of the following manners:

a) By pressing ; or,
b) By running LOGON when you wish to return to the initial login screen without rebooting the computer. As in the example above, this command may be located in the C:\PUBLIC directory.

Your logoff time will be recorded in the Audit Log file when you exit the system in one of the above ways. If you exit the system by turning the computer off, the system will not be able to record the logoff time.
Instead, the security system will record this as an "INVALID LOGOFF" and include it as a violation in a report to the system administrator.

5. Special Programs

Several programs are included with StopLight ELS to enhance its overall performance and flexibility. Some programs are especially useful when placed in batch files. Each of these programs can be used at the DOS prompt or incorporated in a menu system.

PCC

PC Checkup (PCC.EXE) is a powerful tool for examining your system configuration and recovering from hard drive failure. It is located in the C:\SAFER directory. When PCC is first run, it displays an overview of your computer's specifications.

OVERVIEW

Information about your hardware includes the computer, CPU and numeric processing unit types. The video adapter card type and monitor type are also detected. Super VGA or SVGA cards are reported as VGA-class cards. Also reported is your DOS version, your Microsoft Windows operating mode if PCC is being run under Windows, and the date of your BIOS chipset.

An overview of your memory is then provided, including extended and expanded memory sizes and versions. Finally, information about your serial (COM) and parallel (LPT) ports is displayed, including the number of each detected and their addresses.

Press the key to display a second screen of overview information. This screen displays detailed information about your floppy drives, hard drives, RAM drives and network drives.

Depending on the amount of information collected, a third screen may also be available. Press to view the following screen. This third Overview screen displays detailed hard drive specifications. First, information about the number of heads, cylinders and sectors is displayed. Then, for certain drive types, the serial number of the hard drive, the hard drive controller version, and the model ID of the drive are displayed.

ENVIRONMENT

Press the key to highlight the Environment menu choice.
This window will display all variables defined in your DOS environment.

MEMORY MAP

Highlight the Memory Map choice to display detailed information about the programs, TSRs and device drivers running on your system. Included in this display is the address that the program is running at, its environment size, the total amount of memory it is occupying, its name, and the interrupts that it is using. This information is very useful for optimizing your system and determining if there are any conflicts between programs. If you have a large memory map, press to view additional pages.

ADAPTERS

Highlight the Adapters menu choice to display information about your BIOS and adapter cards. This window searches for identification fingerprints in memory. The first column displays the memory location where the fingerprint was found. The second column shows the information that was found in that location. Depending on the adapter cards that are in your system, some cards may not be shown in this display.

FILES

The Files menu item enables you to easily edit your DOS configuration files, run CHKDSK and search for files. If you press on the AUTOEXEC.BAT or CONFIG.SYS choices, you will be presented with a simple editor which can be used to view and modify these files. The keys listed at the bottom of the screen can be used to edit, insert, delete and move (transfer) lines. When you are finished editing or viewing the file, press to either save or cancel your changes.

HARD DRIVE PARAMETERS

Highlight the HD Params menu item to display detailed information about your DOS drives. Use the and keys to move among the various drives. Information is displayed about the drive's sectors, clusters, FAT table and directory table. Also, media descriptor byte, total number of clusters and total drive size are displayed.

HARD DRIVE FIX

The HD Fix menu choice should only be selected if your hard drive fails to boot.
It should not be used to uninstall StopLight ELS unless hard drive corruption prevents the standard uninstall procedure from working. HD Fix should only be used as a last resort for restoring a damaged hard drive. You will be required to contact Safetynet technical support to fix a damaged drive using this method.

NETWORK

If you are connected to a network such as Novell Netware, the network menu choice will be displayed. Selecting this choice will display information about your file servers, network shell version and node address of your network interface card (NIC address).

ALERT

When a program attempts to perform an action that is not allowed by the user's security definition, StopLight ELS generates a warning beep and displays a message indicating the type of offense. To prevent this violation alert, run ALERT OFF before running your program. After the program is finished, ALERT ON will reactivate security alerts. These commands can be placed in a batch file to automate this process. It is important to note that turning alerts off has no effect on the user's security privileges, just on the warning that is given.

DEFMSG

The DEFMSG command allows you to insert a new or different message that will appear when the screen is blanked.

Syntax: DEFMSG message

When the screen blank option is active, your personal message will be displayed.

EX

Fixes access denied errors in some programs that try to access secure directories. When these programs encounter a directory that is restricted, they either stop and issue an error message, or rescan the drive in an infinite loop. The EX program will allow these programs to skip secure directories and continue to read the drive properly.

Syntax: EX ProgramName

KEYBFIX

Keyboard fix is for international language KEYBxx support when certain hot-keys are used. This program must be executed in the AUTOEXEC.BAT immediately after KEYBxx is loaded.
LOGON

Utility to login as another user without rebooting the computer. This utility is essential for accessing a secured system remotely.

WHOAMI

Displays the current user name, system date and time.

UNLOCK

Used by the system administrator to temporarily unlock the hard drive. This is useful when making modifications to the CONFIG.SYS or AUTOEXEC.BAT files. When the computer is rebooted, the security system will ask if the hard drive should be relocked. After testing that the boot process completes successfully, the computer can be rebooted and the hard drive locked. If someone logged in as a USER tries to access this utility, they will be denied.

Appendix

This chapter starts with solutions to common problems that can occur with security software. Then, a list of error messages that the system generates is presented. The final section of the chapter briefly describes other Safetynet products which can complement StopLight ELS.

SOLUTIONS TO COMMON PROBLEMS

The following section represents situations and suggestions that have been compiled from our customers.

Some programs cause the computer to issue warning beeps during their startup or normal operation.

Solution: The beeps may be coming from the security system, signaling that some program actions are being prevented because they break a security rule for the current user. Check your audit log to see what kind of violations are being registered. Then modify your security settings to allow this activity. If you do not wish to allow this activity, but still wish to prevent the warning messages and beeps, use the ALERT.EXE command with an OFF parameter (ALERT OFF). This will prevent StopLight ELS from generating any visual or audible error messages. To turn security alerts back on, use the ALERT ON command. More information about the ALERT program is found in the previous chapter.

Netware does not allow a user to login to the network. A Date/Time Change warning is given.
Solution: Upon login to Netware networks, the network may try to synchronize your PC's date and time. If you Disable DATE/TIME Change, the network may not let you login. Do not select Disable DATE/TIME Change if you are experiencing this problem.

After logging into the network, DOS Shell Access is no longer disabled.

Solution: Some network drivers (e.g. NETx.COM) do not allow Prevent DOS Shell Access to work properly. To restore this feature, make a batch file that runs these drivers and then runs the StopLight ELS NETFIX.COM utility.

Programs that scan the hard disk stop when they encounter a secure directory.

Solution: Run the program by using the EX.EXE utility to prevent warning messages while scanning the disk.

NEW SOLUTIONS

If you have implemented StopLight ELS to solve a difficult problem, please let us know. We would like to pass the knowledge on to others. Also, if you have any programs that need special handling when working in a security environment, we would like to hear from you. Please contact our Technical Support department and share your experiences with them.

LIST OF VIOLATION MESSAGES

The following is a list of Error and Security Violation Messages that may appear on your screen. For your convenience, we have listed first the messages that you may encounter when installing or accessing your system as a system administrator. These are followed by the messages that users will get whenever they execute a function that may not conform to the security provisions.

Security System Not Installed
Your PC is not protected by StopLight ELS presently, because the system is not installed.

Error while reading security system from Hard Drive
Non-standard hard drive, or hard drive failure. Run a diagnostics program such as Norton Disk Doctor to see if the problem can be corrected.
Installation was already done from this diskette
This disk was already used for installation of the security system on one PC and contains information for unlocking the hard disk of that machine. If you continue with the installation, you will overwrite the unlocking information of the first computer. This will prevent the security system from unlocking the hard drive and uninstalling from the first computer. You may continue with the installation, but if you do so, you will NOT be able to uninstall the security system from the first PC. If you are reinstalling the system to the same PC and receive this warning message, you can continue with the installation without risking proper uninstallation.

CONFIG.SYS is not accessible. Must clear attributes. Continue installation?
CONFIG.SYS is read-only. Therefore, attributes must be cleared before installation can be completed. If you answer YES, all attributes will be cleared.

Security system is already installed on this computer!
If you are trying to install the security system on a computer that already has it active, you will be warned that StopLight ELS was already installed and will not be able to complete the installation. The system only needs to be installed once per PC. Any changes made to the system setup will take place after the next user logs into the computer (preferably after rebooting).

The security system was not installed on this computer. Cannot Uninstall.
You cannot uninstall the system as it was not installed (or, perhaps, it was installed and already uninstalled). If you cannot uninstall the system even though StopLight ELS is installed, contact Safetynet for further assistance.

Serial Number mismatch! Cannot UnInstall
The installation was not done from the diskette inserted in the drive. Therefore, please use the diskette that the system was installed with to uninstall StopLight ELS.
This precaution is implemented to prevent uninstall information from a different computer from being written to the hard disk.

The security system was not installed from this diskette. Cannot UnInstall.
There is no uninstall information on this diskette for StopLight ELS to use to unlock the computer. Most likely, the diskette was not the one used during installation. If you are sure this is the diskette used for installation, contact Safetynet for further instructions.

Security file error, System Halted!
The SAFER.LOG file in which the Audit Trail is logged cannot be accessed. The possible causes could be that the file is missing, or the disk is full. In rare cases, there may not be enough file handles to write the log file and continue your program operation. If there is disk space remaining, try increasing your FILES= statement in the CONFIG.SYS file. For further assistance, please contact Safetynet Technical Support.

ERROR MESSAGES THAT USERS MAY ENCOUNTER

Password too short, reenter!
There is a minimum length requirement for your password. Please choose another password accordingly.

Password Expires, must change!
Your password will expire soon. If you cannot change your password, please contact your system administrator. If you are authorized to replace your password, do so at once by logging in with the old password and entering a new one in the field that will open on the screen for this purpose.

Password Usage expired!
This is the last of the five consecutive warnings that the login password is about to expire. The user will not be allowed into the system until the administrator assigns a new password using ELSUTIL.

Default password, must change!
When a user or system administrator logs into the system with the default password of PASSWORD, StopLight ELS requires that a new password be provided.

User Not Active, Log-in Denied!
When a user is set to inactive from ELSUTIL, this message will be displayed.
To reactivate the user, use the Setup Users section of ELSUTIL and set the User Active choice to Yes.

Password Mismatch, Reenter!
The password you entered does not match the valid password. Try again.

Invalid Password, System Halted!
The user must reset the computer to return to the login screen.

Same Password as Old, Reenter!
The user was requested to choose a new password but has selected the old password again. A different password must be used for the new password.

System Locked for all Users!
Too many attempts were made to enter the system with a wrong password. After this occurs, no user is authorized to enter the system. The system administrator must unlock the system by logging in as Administrator.

Hardware access denied to: (HD, Boot Sector, etc.)
The user is not authorized to carry out this activity since it was denied in the User Privileges window by the administrator.

Access Denied to: (File Name, Directory Name, etc.)
An attempt to access the specified part of the system represents a violation and will be denied. If the user must have permission to access the given feature, the administrator must make the modification in the security setup of ELSUTIL.