IT Baseline Protection Manual S 4.51 User profiles to restrict the usage possibilities of Windows NT
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrators
User profiles are used to store user-specific settings in the system environment. This includes the contents of program groups, network connections, the printers in use and the colour scheme of the screen. The capabilities of users for working with Windows NT can be restricted in various respects by means of user profiles. Profiles are administered using User Profile Editor (UPEDIT.EXE under Windows NT 3.51 or POLEDIT.EXE under Windows NT 4.0).
User profiles can be created for various usage purposes:
in the case of single-user systems, to recover the settings originally specified following a repeated log-on,
in the case of multi-user systems, to specify their own settings for each user,
so that, in the case of server-stored user profiles, each user receives the same interface from each NT workstation,
to specify uniform user environments centrally (both for stand-alone and networked systems),
to establish a restricted user environment, for example, to prevent users from making changes to desktop settings or restrict access to the control panel.
A distinction must be drawn in principle between local and server-stored user profiles. Local user profiles are only stored on the local IT system, whereas server-stored user profiles are administered centrally on the NT server.
If the server fails while server-stored user profiles are in use, the local copy is used instead.
Alongside this, a distinction must be drawn between personal and mandatory user profiles. Personal user profiles can be changed by the user at will, mandatory ones are specified by the administrator.
Mandatory profiles are maintained unchanged from one session to the next; changes made during a session are lost at log-off. These profiles are stored in the directory specified in the profile entry of the relevant account, and under version 3.51 of Windows NT they carry the file name extension .MAN. As from version 4.0, a profile is identified as a mandatory profile by renaming the file NTUSER.DAT to NTUSER.MAN.
Personal profiles which are stored on a server can be used to provide users with the same environment, irrespective of the workstation from which they log on. Personal profiles are stored in the directory specified in the profile entry of the relevant account, and under version 3.51 they have the file name extension .USR.
Under version 3.51, the user profiles are stored in the directory %SystemRoot%\system32\config in the files allocated to the users. The following settings are stored in the user profile:
Program Manager: all options which can be set by the user, including program groups, programs and their characteristics, together with all settings which can be stored
File Manager: all options which can be chosen by the user, including the network connections
Command Mode: all settings which can be chosen by the user
Print Manager: network-wide printer connections, together with all settings which can be stored
Control Panel: all settings for colours, mouse, desktop, pointer, keyboard, country settings and sounds as well as the entries for the user environment in the "System" component
Accessories: all user-specific settings of the applications
External Applications: all settings which are supported by these applications as user-specific options
Annotations in On-line Help: all notes of the relevant user entered there
As from version 4.0, user profiles are stored as a directory tree under the sub-directory Profiles of the Windows directory %SystemRoot%, i.e. in general \WINNT\Profiles, as a directory with the name of the user, e.g. \WINNT\Profiles\Smith. In addition, the overall structure of the working interface and, in particular, the structure of the individual program groups is stored there. The following sub-directories can be featured:
Application data: Application-specific data
Desktop: Components of the working interface including the files and short cuts stored directly on the working interface
PrintHood: Short cuts to the entries in the printer settings
Favourites: Short cuts to program entries and directories with favourites
NetHood: Short cuts to the entries of the network environment
Personal: Short cuts to the entries in the private program groups
Recent: Short cuts to the most recently-used documents
SendTo: Short cuts to the entries which can be used in the Context Menu as destinations of transmission operations, such as for instance to a floppy disk drive
Start menu: Structure of the overall start menu including all short cuts to programs and program groups
Masters: Short cuts to document masters
Other settings, such as, for instance, the reference to the image used as the desktop background or other user-specific settings of the control panel, are stored in the file NTUSER.DAT in the user's profile directory.
The following options can be used under version 3.51, in order to restrict the capabilities of users for working with Windows NT in various respects:
Settings for Program Manager: It can be specified here whether programs may be started via "File - Execute", whether the current settings may be stored and whether general program groups are listed. In addition, the auto-start group can be determined.
Settings for program groups: Here, access to designated program groups can be locked out and for program groups which are not locked out, various amendment authorisations can be allocated.
Users can be allowed or forbidden to connect and disconnect network printers via Print Manager.
Waiting for the execution of the log-on script can be forced before Program Manager is started. This option should always be activated, so that the actions specified in the log-on script are performed in any event.
As from version 4.0, the following restrictions can be laid down with the aid of System Policy Editor:
Control Panel: Here, access to the control panel option "Display" can be restricted. If this option is chosen, the tabs "Background", "Screen Saver", "Appearance" and "Settings" can additionally be masked individually, and the option "Display" can also be deactivated as a whole.
Access to the control panel should be withdrawn from normal users, as unintentional changes to the system settings can cause problems. If, in addition, access to the control panel option "Display" and the tab "Screen Saver" is withdrawn, users can be prevented from deactivating the screen lock. The administrator then naturally has to activate the screen lock when setting up users.
Shell: Here the following restrictions can be laid down:
Remove "Run" command
Remove folders under Settings in the "Start" menu
Remove "Taskbar" under Settings in the "Start" menu
Remove "Find" command
Mask drives in the "My Computer" window
Mask network environment
No "Entire Network" symbol in the network environment
No workgroup computers in the network environment
Mask all desktop components
Deactivate "Shut Down" command
Do not store settings when ending
System: Here the following restrictions can be laid down:
Deactivate programs for editing the registry
Only execute approved applications for Windows
For normal users, access to the registry should not be possible, as changes to the registry can cause serious problems.
Most users only have to discharge certain tasks with the IT system and accordingly only require certain applications. For this reason their access should also be restricted to these applications, such as, for example, a word processing program.
Windows NT Shell: Here the following restrictions can be laid down:
Use only permitted Shell extensions
Remove general program groups from the "Start" menu
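The restrictions listed above for version 4.0 are written by System Policy Editor as DWORD values under the Policies branch of the current user's registry hive. The following script is an added example and is not part of the manual: it parses a REGEDIT4 export of that branch and reports which of the listed restrictions are actually in force, which is the kind of check needed when testing a profile before roll-out. The registry value names are the standard ones used by the NT 4.0 policy templates (they are not named on the page), and the embedded export is constructed sample data.

```python
"""Audit an exported Windows NT registry branch for the user restrictions
described in S 4.51.

Added example, not part of the BSI manual. The value names below are the
standard policy values written by the NT 4.0 policy templates; the page itself
lists only the System Policy Editor options. SAMPLE_EXPORT is constructed data.
"""
import re

POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"

# Restriction wording from the page -> (sub-key below POLICIES, value name).
# A non-zero DWORD means the restriction is in force. NoDrives is a bitmask of
# drive letters rather than a plain flag, so "non-zero" is the right test for it too.
RESTRICTIONS = {
    "Remove Run command": ("Explorer", "NoRun"),
    "Remove folders under Settings on Start menu": ("Explorer", "NoSetFolders"),
    "Remove Taskbar under Settings on Start menu": ("Explorer", "NoSetTaskbar"),
    "Remove Find command": ("Explorer", "NoFind"),
    "Mask drives in My Computer": ("Explorer", "NoDrives"),
    "Mask network environment": ("Explorer", "NoNetHood"),
    "No Entire Network in network environment": ("Network", "NoEntireNetwork"),
    "No workgroup computers in network environment": ("Network", "NoWorkgroupContents"),
    "Mask all desktop components": ("Explorer", "NoDesktop"),
    "Deactivate Shut Down command": ("Explorer", "NoClose"),
    "Do not store settings when ending": ("Explorer", "NoSaveSettings"),
    "Deactivate registry editing programs": ("System", "DisableRegistryTools"),
    "Only execute approved applications": ("Explorer", "RestrictRun"),
    "Use only permitted shell extensions": ("Explorer", "EnforceShellExtensionSecurity"),
    "Remove general program groups from Start menu": ("Explorer", "NoCommonGroups"),
    "Restrict Display control panel option": ("System", "NoDispCPL"),
    "Mask Screen Saver tab": ("System", "NoDispScrSavPage"),
}

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')
STRING_RE = re.compile(r'^"([^"]+)"="([^"]*)"$')


def parse_reg(text):
    """Parse a REGEDIT4 export into {key: {value_name: int|str}}.

    Registry key and value names are case-insensitive, so both are lowered.
    Only DWORD and plain string values are kept; other types are ignored.
    """
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("REGEDIT4"):
            continue
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            tree.setdefault(current, {})
            continue
        if current is None:
            continue
        dword = DWORD_RE.match(line)
        if dword:
            tree[current][dword.group(1).lower()] = int(dword.group(2), 16)
            continue
        string = STRING_RE.match(line)
        if string:
            tree[current][string.group(1).lower()] = string.group(2)
    return tree


def audit(reg_text):
    """Return {restriction: bool}; True when the policy value exists and is non-zero."""
    tree = parse_reg(reg_text)
    report = {}
    for label, (subkey, name) in RESTRICTIONS.items():
        values = tree.get((POLICIES + "\\" + subkey).lower(), {})
        value = values.get(name.lower(), 0)
        report[label] = isinstance(value, int) and value != 0
    return report


def missing(reg_text):
    """Restrictions from the page's list that the export does not enforce."""
    return sorted(label for label, on in audit(reg_text).items() if not on)


def allowed_apps(reg_text):
    """Applications permitted by RestrictRun (stored as numbered string values
    in the Explorer\\RestrictRun sub-key)."""
    tree = parse_reg(reg_text)
    values = tree.get((POLICIES + r"\Explorer\RestrictRun").lower(), {})
    return sorted(v for v in values.values() if isinstance(v, str))


# Constructed sample export: a profile that locks down some items but not all.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoFind"=dword:00000001
"NoClose"=dword:00000001
"NoSaveSettings"=dword:00000000
"NoDrives"=dword:0000000c
"RestrictRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]
"1"="winword.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"NoDispCPL"=dword:00000000
"NoDispScrSavPage"=dword:00000001
"""

if __name__ == "__main__":
    for label, on in audit(SAMPLE_EXPORT).items():
        print(("in force   " if on else "NOT set    ") + label)
    print("allowed applications:", allowed_apps(SAMPLE_EXPORT))
```

Running the script against the sample shows that the registry editors and the Run and Find commands are blocked, but that, for instance, the Display control panel option itself is still reachable even though its Screen Saver tab is masked; that is exactly the kind of gap the manual says must be found by testing before a profile is rolled out.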
Under Windows NT, very sophisticated user profiles can be created. These should be drawn up in accordance with the security policy of the authority or the company. This can be time-consuming, as a separate user profile tailored to each user group should be created. All user profiles must be tested beforehand to ensure that they neither leave loopholes open nor obstruct users in carrying out their tasks. Consideration should also be given to the fact that restrictions which are too far-reaching can not only lead to user dissatisfaction, even to the point of complete rejection of the system, but can also cause the administrators a great deal of work if they continually have to implement users' wishes, such as, for example, setting a different type size.
The Windows NT environment is determined by the values of the current user profile, even if the current user has neither a prescribed nor a personal profile or even if no-one is currently logged in. The User Default Profile is loaded under the following conditions:
if the current user does not have his own (prescribed or personal) profile and has not yet logged in to the current computer;
if a user logs in to the guest account.
In the first case, the current values of the user environment are stored in a newly-created local personal profile, in the second case they are lost when logging off.
If no-one is logged in, the current values for the screen background and other environment variables are determined by the System Default Profile.
Additional controls:
Is the guest account, provided it is not locked out, restricted by a profile to the minimum functionality required?