PC TimeCop Security Guide

The purpose of this guide is to help users secure WatchDog in their Windows environment. Early versions of Windows (including Windows 95, 98 and ME) were not built with user security in mind. WatchDog attempts to implement its own security restrictions to make sure unauthorized access does not occur. Windows NT, 2000 and XP can also be improved upon with some of the security features that WatchDog provides.

General Security Guide

Here are notes about some of the security features that WatchDog provides:

Atomic Clock Synchronization

Atomic clock synchronization will automatically keep the computer's clock in sync with the rest of the world. Several public time servers are provided. Another good list of public time servers can be found here.

Networking

Please read the Networking Guide.

Windows Policy Integration

WatchDog has the functionality to directly interact with several Windows policy restrictions. These policies are provided by Microsoft to secure the Windows environment. WatchDog can apply these policies on a per-user basis. If you do not want WatchDog to interact with any of the policies, you may enable "Do not modify Windows policy settings" in the options.

Windows Login Integration

With Windows Login Integration, WatchDog will automatically use the current Windows user to validate the login. You must generate the user database either the first time WatchDog is run or later in the Options. This user list is not automatically updated with the Windows user database. If you add additional users to the Windows user database, you must generate the users again in the Options. Deleted Windows users are not automatically removed from the WatchDog database.

Windows Login Integration also allows for direct saving of Windows Policy options into the user profiles. This removes the need for WatchDog to restart the shell when enforcing restrictions.

Enabling Windows Login Integration will remove the need to log in twice: once into Windows, and once into WatchDog. However, the Windows Login screen, especially in earlier versions of Windows (95, 98 and ME), is very insecure. The WatchDog Login screen also provides additional functionality that Windows does not, such as hiding the user list and the login timer. Windows Login Integration cannot be used with networking.

Windows Security Guide

Windows can be set up for controlled access to the system without much additional hassle. This guide will go through several levels of security. Each level makes it progressively harder for someone to disable WatchDog, but may forfeit some convenience. The Quick Configuration is available to quickly change security levels.

Suggested for all security levels

- Load WatchDog on Windows Startup

Minimal Security

The minimal security level is the lowest level. It will force users to use WatchDog, but more advanced users may be able to get around it. Options to enable are:

- Force user to login to WatchDog before using Windows
- Hide & disallow Task Manager to close program
- Disable Fast User Switching (XP only)

Medium Security

The medium security level should be used to stop users from getting around WatchDog. In addition to all of the options in the previous level, these options are suggested:

- Atomic Clock Synchronization
- Disable Cancel on Windows Login screen (95, 98 & ME only)
- Close all open programs

High Security

These options forfeit some convenience for higher security. They are not intended for normal users. They may cause you to be locked out of your computer if something goes wrong. Use the following in addition to the above two security levels.

Before enabling any of these options, it is suggested that you make a boot up disk. This will save you from locking yourself out of your computer. You can do this by going to the Start Menu | Settings | Control Panel | Add/Remove Software | Startup Disk.

- Disallow booting to old MS-DOS version (95, 98 & ME only)
- Disallow function keys (F5-F8) during boot process (95, 98 & ME only)
- Boot menu is hidden (95, 98 & ME only)
- Disable Safe Mode check (95, 98 & ME only)
- Secure CONFIG.SYS (95, 98 & ME only)
- CTRL-ALT-DEL reboots computer instead of bringing up Task Manager (95, 98 & ME only)

User Security Guide

Many security options are available on a per-user basis, which provides great flexibility in securing your Windows environment. Below are some settings you may wish to enable for various user setups:

- Parent Users
- Time-Restricted Users
- Activities Monitoring Users

Parent Users

You should not need to change your Parent User's configuration from the default. If you wish to test any security options, it is advisable to create a new test user. If you lock yourself out of the Parent User, you will not be able to access Windows.

Time-Restricted Users

Restrictions

Time Limits determine how much time the user has per period. The period can be monthly, weekly, daily, one time or unlimited. There are options available to limit the maximum time per period and minimum time between logins. Time restrictions can be enabled to stop the user from logging in during a particular hour of the week. Program restrictions can be used to stop certain programs from running, either based on their .exe name or their window caption.

Security

There are several options you should enable to stop users from bypassing WatchDog. The most important ones are listed below, though there are many other security policies that you can also enable on these pages. All of these options are available in the User Setup, Security tab.

User Security
- Do not allow user to change the time or date
- Forcefully close all open programs before logging out

Start Menu Security
- Settings
- Administrative Tools

Control Panel Security

Misc Security
- Disable registry tools
- Disable Task Manager

Activities Monitoring Users

If you wish to configure WatchDog to allow for activities monitoring, you may wish to read this part of the installation guide.

Monitoring

The monitoring options are available in the User Setup, Monitoring tab. The following monitoring options are available:

- Web page visits
- Applications ran
- Keyboard strokes entered
- Screen captures

Security

All of the options for Time-Restricted users should apply to these users as well.

Problem-Solving Guide

WatchDog is being killed while it's running

Problem: WatchDog can be killed while it's running by pressing CTRL-ALT-DEL to bring up the Task Manager.

Related Problems: See WatchDog can be killed momentarily on startup before it hides itself

Solution(s):

- Hide from & disallow Task Manager to close program
- CTRL-ALT-DEL reboots computer instead of bringing up Task Manager
- Disable Task Manager
- Password protect configuration screens - If a Parent User steps away from the computer, another user may be able to edit the configuration or exit WatchDog.
- Disable Fast User Switching - WatchDog cannot track multiple users logged in with Fast User Switching.
- Forcefully close all open programs before running out - Some programs may try to keep running after WatchDog tells the computer to shut down. WatchDog will close all other programs before it exits itself.

WatchDog has been deleted

Problem: WatchDog has been deleted; either while Windows is running or in MS-DOS Mode.

Information: You cannot delete a program that is running. However, some versions of Windows (98 and ME) allow you to delete the "WatchDog\" directory even though a program inside the directory is running. WatchDog will run until the Windows session ends, and is then deleted. You can also delete WatchDog in MS-DOS.

Solution(s):

- Disallow booting to old MS-DOS version - To stop the computer from entering MS-DOS.
- Disallow function keys (F4-F8) during boot process
- Hide boot menu
- Install into C:\Windows - If you install to C:\windows, the user cannot delete the Windows\ directory to remove WatchDog.
- Disable Safe Mode check
- Hide drives - Hides the WatchDog folder from users
- Password protect configuration screens
- Disable registry tools - Editing the registry would allow users to stop WatchDog from loading on startup.

User is getting more time than they are allowed

Problem: User is going over their allotted time amount.

Solution(s): This could also be related to any of the other problems. Please try some of their solutions. The Windows Security Guide may also help.

User is not logged off when their time runs out

Problem: User continues to use programs after time runs out. WatchDog Login is displayed but not in the foreground.

Solution(s):

- Forcefully close all open programs before logging out
- Close all open programs (Login screen)
- Login timer

Users are ignoring the WatchDog Login Screen

Problem: Users simply ignore the Login Screen and use Windows without logging in.

Solution(s):

- Close all open programs (Login screen)
- Login timer

Windows time/date is being changed to allow for more time

Problem: Computer time/date is changed. Setting date ahead will allow user to use more time.

Solution(s): The time and date can be changed in Windows, MS-DOS or the BIOS. These are some options to secure them.

- Do not allow user to change time or date
- Disallow booting to old MS-DOS version (95, 98 & ME only)
- Disallow function keys (F5-F8) during boot process (95, 98 & ME only)
- Boot menu is hidden (95, 98 & ME only)
- Disable Safe Mode check (95, 98 & ME only)
- Secure CONFIG.SYS (95, 98 & ME only)
- Disable tray clock
- Password protect the BIOS
- Atomic clock synchronization
- Password protect configuration screens
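
The clock-change problem above, as an added example (not WatchDog's code): a daily quota tracker that charges usage from the monotonic clock and refuses to start a new period when the wall clock jumps. `QuotaTracker`, `TOLERANCE_S` and the sample readings are hypothetical and constructed for illustration.

```python
import time
from dataclasses import dataclass, field

DAY_S = 86400
TOLERANCE_S = 5.0  # assumed: largest wall/monotonic disagreement treated as drift


@dataclass
class QuotaTracker:
    """Daily time quota charged from the monotonic clock, not the wall clock."""
    daily_limit_s: float
    wall: float                      # last trusted wall-clock reading (epoch seconds)
    mono: float                      # monotonic reading taken at the same moment
    used_s: float = 0.0
    tamper_skews: list = field(default_factory=list)

    def tick(self, wall_now=None, mono_now=None):
        """Charge elapsed time and return the seconds left in this period."""
        wall_now = time.time() if wall_now is None else wall_now
        mono_now = time.monotonic() if mono_now is None else mono_now
        elapsed = max(0.0, mono_now - self.mono)
        expected_wall = self.wall + elapsed
        skew = wall_now - expected_wall
        if abs(skew) > TOLERANCE_S:
            # Wall clock moved independently of real elapsed time: record it and
            # keep our own estimate so a date change cannot start a new period.
            self.tamper_skews.append(round(skew))
            trusted_wall = expected_wall
        else:
            trusted_wall = wall_now
        self.used_s += elapsed
        if int(trusted_wall // DAY_S) != int(self.wall // DAY_S):
            self.used_s = 0.0        # genuine day rollover
        self.wall, self.mono = trusted_wall, mono_now
        return max(0.0, self.daily_limit_s - self.used_s)


def demo():
    """Constructed readings: 30 min of use, date set ahead a day, then resynced."""
    start = 19675 * DAY_S + 36000    # constructed epoch value, 10:00 UTC
    q = QuotaTracker(daily_limit_s=3600, wall=start, mono=0.0)
    left = [q.tick(start + 1800, 1800.0),            # normal use
            q.tick(start + 1860 + DAY_S, 1860.0),    # date set ahead by one day
            q.tick(start + 1920 + DAY_S, 1920.0),    # clock still wrong
            q.tick(start + 1980, 1980.0)]            # clock corrected by time sync
    return left, q.tamper_skews
```

The monotonic counter restarts at boot, so this covers a running session only; across reboots the stored wall reading has to be checked against a time server, which is the role atomic clock synchronization plays in the list above.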

Security Settings

Options

General

Load WatchDog on Windows startup
Should be enabled for all security levels, otherwise WatchDog will not enforce access.

Do not modify Windows policy settings
If you enable this, WatchDog will not be allowed to modify several Windows security options. Enabling this is not recommended unless another application is enforcing security settings.

Atomic clock synchronization
This will keep your computer's time in sync with the rest of the world.

Networking

Windows Environment

Disallow booting to old MS-DOS version (95, 98 & ME only)
Side Effects: In the case of a problem in loading Windows, you may not be able to boot to MS-DOS to fix it. Making a Startup Disk is highly suggested. Go to the Start Menu | Settings | Control Panel | Add/Remove Programs | Startup Disk to make one.

Hide from & do not allow Task Manager to close program

Password protect configuration screens

Disallow function keys (F4-F8) during boot process (95, 98 & ME only)
Side Effects: In the case of a problem in loading Windows, you may not be able to boot to MS-DOS to fix it. Making a Startup Disk is highly suggested. Go to the Start Menu | Settings | Control Panel | Add/Remove Programs | Startup Disk to make one.

Boot menu is hidden (95, 98 & ME only)

Disable Safe Mode check (95, 98 & ME only)
Side Effects: In the case of a problem in loading Windows, you may not be able to boot to MS-DOS to fix it. Making a Startup Disk is highly suggested. Go to the Start Menu | Settings | Control Panel | Add/Remove Programs | Startup Disk to make one.

Secure CONFIG.SYS (95, 98 & ME only)

Disable Cancel on Windows Login Screen (95, 98 & ME only)
Normally a user can press Cancel on the default Windows Login screen to log in as a 'blank' user. Enabling this option will cause Windows to forcefully log out this user as soon as they log in.

CTRL-ALT-DEL reboots computer instead of bringing up the Task Manager (95, 98 & ME only)

Disable Fast User Switching (XP only)
Disabling Fast User Switching is recommended when running WatchDog. WatchDog is not able to track multiple logged in users.

Login Screen

Force users to login to WatchDog before using Windows
Forcing the user to login to WatchDog should be enabled for all security levels. If this is not enabled, other programs can be run before the user logs in.

Close all open programs

Login timer

Case-sensitive password checking
If you enable this, password verification will be CaSe SeNsItIvE.

After 3 unsuccessful login attempts, deny access for 1 minute
If the user fails to log in several times in a row, the login screen will be disabled for 1 minute.

Hide user list
This option will cause the dropdown user list to be blank. All users will still be able to log in if they type their name.

User Setup

Other Security Ideas

Install WatchDog into C:\windows
If you install WatchDog into C:\Windows (or C:\WinNT), the user will not be able to delete any of the WatchDog directory.

Password-protect the BIOS
Reboot your computer and go into the BIOS by hitting the "Setup key" (often Del or F1 or F2). There is a password option to password protect your BIOS.