Security for Data Collection Terminals

>Good grief, Thad. I hope you aren't speaking from experience?

Well, there's only one solution when a user sets the bios password and
forgets it. Just make sure, if you happen to take the BIOS chip itself out
because you're not sure where the jumper is, don't reinsert the chip
backwards. (I'm certainly not speaking from experience on that one.....)

BTW, if you're using an old workstation for Data Collection, or any other
older workstation for which you need to make custom BIOS settings, remember
that the bios battery can go at any time. Once the bios battery is dead,
simply unplugging the computer from the wall will reset all bios passwords,
and possibly re-enable Floppy and CDROM. So whenever you make a change to
BIOS that you need to keep, unplug the unit, flip the power switch a few
times, plug it in, turn it back on, and make sure those settings are still
the way you set them.

Thaddeus












-----Original Message-----
From: Brian Boyes [mailto:brianb@...]
Sent: Friday, September 28, 2001 11:50 AM
To: 'vantage@yahoogroups.com'
Subject: RE: [Vantage] Security for Data Collection Terminals


Good grief, Thad. I hope you aren't speaking from experience?

Seriously though, there is always a way around whatever security measures
you take. The cabinets we use are nema12 certified steel and locked with a
padlock. However in our situation, its not determined employees with
screwdrivers we are worried about, its clumsy employees with forklifts...

I have to agree with you though, that the best way to physically secure a
workstation is to put it in public view.

Brian

> -----Original Message-----
> Assuming no one in the shop has a screw driver, the
> inclination, and the
> knowledge with which to open the back cover, and flip the
> jumper to reset
> the BIOS back to defaults, and boot up with whatever floppy
> they want, and
> possibly disable the security software by editing / removing
> config files
> from DOS, or just plain reformatting the hard drive.
>
> Of course is a mute point if other employees have view of the
> unit, and
> everyone knows that only specific people are to be taking a
> screwdriver to
> the computer. A highly visible fake security camera looking in the
> direction of the monitor would do the trick as well....

Useful links for the Yahoo!Groups Vantage Board are: ( Note: You must have
already linked your email address to a yahoo id to enable access. )
(1) To access the Files Section of our Yahoo!Group for Report Builder and
Crystal Reports and other 'goodies', please goto:
http://groups.yahoo.com/group/vantage/files/.
(2) To search through old msg's goto:
http://groups.yahoo.com/group/vantage/messages
(3) To view links to Vendors that provide Vantage services goto:
http://groups.yahoo.com/group/vantage/links

Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/

I just set up 8 personal computers as data collection terminals. We are
going live on Ver 5.0, the server is Win2000, the pc's are Win98. How do I
set things up so that an experienced pc user can not access the rest of the
computers on the LAN? Vantage tech support is sending me a doc on how to
configure security on the server but they didn't know how to limit access
from one client to another.

Do I change the terminals to another workgroup? Do I do all of this from
the server? If you can help keep in mind that I am not a system admin and
have no formal training in Win2000 or network configurations. Having
humbled myself before you all, I would appreciate your responses.

Mitchell Kirby
V. P. Manufacturing
Riten Industries, Inc.

800-338-0027, ext 210
800-338-0717 FAX

Aside from W2K settings (which I can't comment on, yet) another couple
thoughts would be to remove any CD drive and also disable the floppy disk
drive in the BIOS setup (and set a supervisor password to prevent access to
BIOS settings). It took some of our night people about 2 days to figure out
they could boot from a DOS floppy and run small DOS games. Ditto for larger
CD based games. The one night supervisor can't be everywhere.
-Todd C.

-----Original Message-----
From: Mitchell Kirby [mailto:m.kirby@...]
Sent: Wednesday, September 26, 2001 3:45 PM
To: vantage@yahoogroups.com
Subject: [Vantage] Security for Data Collection Terminals


I just set up 8 personal computers as data collection terminals. We are
going live on Ver 5.0, the server is Win2000, the pc's are Win98. How do I
set things up so that an experienced pc user can not access the rest of the
computers on the LAN? Vantage tech support is sending me a doc on how to
configure security on the server but they didn't know how to limit access
from one client to another.

Do I change the terminals to another workgroup? Do I do all of this from
the server? If you can help keep in mind that I am not a system admin and
have no formal training in Win2000 or network configurations. Having
humbled myself before you all, I would appreciate your responses.

Mitchell Kirby
V. P. Manufacturing
Riten Industries, Inc.

800-338-0027, ext 210
800-338-0717 FAX



Yahoo! Groups Sponsor

ADVERTISEMENT


<http://us.a1.yimg.com/us.yimg.com/a/di/dietsmart/blueswim_top.gif>
<http://us.a1.yimg.com/us.yimg.com/a/di/dietsmart/blueswim_photo.jpg>

<http://us.a1.yimg.com/us.yimg.com/a/di/dietsmart/blueswim_starthere.gif>


Height:
3 4 5 6 7 8ft 0 1 2 3 4 5 6 7 8 9 10 11in
Weight:



<http://us.a1.yimg.com/us.yimg.com/a/di/dietsmart/clear.gif>
<http://us.a1.yimg.com/us.yimg.com/a/di/dietsmart/clear.gif>
<http://us.a1.yimg.com/us.yimg.com/a/di/dietsmart/blueswim_dslogo.gif>

<http://us.a1.yimg.com/us.yimg.com/a/di/dietsmart/clear.gif>

<http://us.adserver.yahoo.com/l?M=210544.1579876.3135161.1261774/D=egroupmai
l/S=1705007183:HM/A=792401/rand=289075772>

Useful links for the Yahoo!Groups Vantage Board are: ( Note: You must have
already linked your email address to a yahoo id to enable access. )
(1) To access the Files Section of our Yahoo!Group for Report Builder and
Crystal Reports and other 'goodies', please goto:
http://groups.yahoo.com/group/vantage/files/.
<http://groups.yahoo.com/group/vantage/files/.>
(2) To search through old msg's goto:
http://groups.yahoo.com/group/vantage/messages
<http://groups.yahoo.com/group/vantage/messages>
(3) To view links to Vendors that provide Vantage services goto:
http://groups.yahoo.com/group/vantage/links
<http://groups.yahoo.com/group/vantage/links>

Your use of Yahoo! Groups is subject to the Yahoo! Terms of Service
<http://docs.yahoo.com/info/terms/> .




[Non-text portions of this message have been removed]

On our stations, I used poledit to hide everything and only allow vantage
and prowin32 to run. This works great. The systems are set to log on to the
network automatically using a data collection account and the Data
Collection program launches automatically when Windows starts. To make
administration a bit easier, I shared the hard drive on each unit as C$ and
put restrictions allowing only admins to use the share.

I also took everything out of the start menus, but that isn't absolutely
necessary if you use poledit to restrict what programs can run. I just did
it to discourage those who want to "play".

Other than that, the monitor and system unit is locked in a box, but that's
more for environmental protection in our shop. Disabling the floppy/CD
drives and putting on a supervisor password should be enough.

Let me know if you want any more details.

Brian Boyes,
Systems Administrator,
Precision Resource Canada Ltd.
<http://www.precisionresource.com>
<mailto:brianb@...>

> -----Original Message-----
> I just set up 8 personal computers as data collection
> terminals. We are
> going live on Ver 5.0, the server is Win2000, the pc's are
> Win98. How do I
> set things up so that an experienced pc user can not access
> the rest of the
> computers on the LAN? Vantage tech support is sending me a
> doc on how to
> configure security on the server but they didn't know how to
> limit access
> from one client to another..

You have to go to each specific windows 98 machine that has something shared
and specify the users that can use the shared item, and/or specify A
password.

Bottom line: If you are concerned with securing a client machines from
other client machines, turn file sharing off on all client machines, and
have users store their files on the file server, which can be secured
through NT permissions.

If you really need a peer-to-peer environment, and are concerned with
security, install NT or 2000 on the clients. Not saying either is
bulletproof, but the security would be a heck of a lot tighter than storing
sensitive files on a 9x machine.

As far as I know, there is no way for a 98 machine to block out users based
on what computer the user is on. Changing workgroup names may hide the
computer, but if someone knows the computer's name on the network, they can
just start->run and type \\[computername] and all the shared resources that
are not secured will be available to them.

I'm only an assistant admin, but I do know enough to say that 9x machines
are so easy to hack that you cant even consider it real hacking. Securing
files on an NT machine at least presents a challenge to the person seeking
the files.

Regards,

Thaddeus



-----Original Message-----
From: Mitchell Kirby [mailto:m.kirby@...]
Sent: Wednesday, September 26, 2001 3:45 PM
To: vantage@yahoogroups.com
Subject: [Vantage] Security for Data Collection Terminals


I just set up 8 personal computers as data collection terminals. We are
going live on Ver 5.0, the server is Win2000, the pc's are Win98. How do I
set things up so that an experienced pc user can not access the rest of the
computers on the LAN? Vantage tech support is sending me a doc on how to
configure security on the server but they didn't know how to limit access
from one client to another.

Do I change the terminals to another workgroup? Do I do all of this from
the server? If you can help keep in mind that I am not a system admin and
have no formal training in Win2000 or network configurations. Having
humbled myself before you all, I would appreciate your responses.

Mitchell Kirby
V. P. Manufacturing
Riten Industries, Inc.

800-338-0027, ext 210
800-338-0717 FAX



Useful links for the Yahoo!Groups Vantage Board are: ( Note: You must have
already linked your email address to a yahoo id to enable access. )
(1) To access the Files Section of our Yahoo!Group for Report Builder and
Crystal Reports and other 'goodies', please goto:
http://groups.yahoo.com/group/vantage/files/.
(2) To search through old msg's goto:
http://groups.yahoo.com/group/vantage/messages
(3) To view links to Vendors that provide Vantage services goto:
http://groups.yahoo.com/group/vantage/links

Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/

As Thad mentioned, if other clients on the network don't have file sharing on, nobody should be able to get on them. Also, you can password those shared folders on individual clients.

That doesn't stop malicious users from messing up your Data Collection stations, however. We use a program called FORTRESS, which locks down the DC stations so that ONLY Vantage can run (or whichever programs you pick) - No Start button, No windows explorer, etc.

I'm not sure if FORTRESS can block access to the floppy drive as well. I've never bothered to try it.

Troy Funte
Liberty Electronics

----- Original Message -----
From: Mitchell Kirby
To: vantage@yahoogroups.com
Sent: Wednesday, September 26, 2001 4:45 PM
Subject: [Vantage] Security for Data Collection Terminals


I just set up 8 personal computers as data collection terminals. We are
going live on Ver 5.0, the server is Win2000, the pc's are Win98. How do I
set things up so that an experienced pc user can not access the rest of the
computers on the LAN? Vantage tech support is sending me a doc on how to
configure security on the server but they didn't know how to limit access
from one client to another.

Do I change the terminals to another workgroup? Do I do all of this from
the server? If you can help keep in mind that I am not a system admin and
have no formal training in Win2000 or network configurations. Having
humbled myself before you all, I would appreciate your responses.

Mitchell Kirby
V. P. Manufacturing
Riten Industries, Inc.

800-338-0027, ext 210
800-338-0717 FAX


Yahoo! Groups Sponsor
ADVERTISEMENT



Height:
345678ft 01234567891011in
Weight:










Useful links for the Yahoo!Groups Vantage Board are: ( Note: You must have already linked your email address to a yahoo id to enable access. )
(1) To access the Files Section of our Yahoo!Group for Report Builder and Crystal Reports and other 'goodies', please goto: http://groups.yahoo.com/group/vantage/files/.
(2) To search through old msg's goto: http://groups.yahoo.com/group/vantage/messages
(3) To view links to Vendors that provide Vantage services goto: http://groups.yahoo.com/group/vantage/links

Your use of Yahoo! Groups is subject to the Yahoo! Terms of Service.



[Non-text portions of this message have been removed]

Still trying to sent messages to group but can't. Maybe this one will work!

Jim Stetter

You could disable the floppy drive in the Bios Setup.


Ed Giallombardo
Computer Technician
Major Industries, Inc.
7120 Stewart Ave.
Wausau, WI 54402
phone: 715-842-4616 ext. 322
email: egiallombardo@...

-----Original Message-----
From: Troy Funte [mailto:tfunte@...]
Sent: Thursday, September 27, 2001 8:45 PM
To: vantage@yahoogroups.com
Subject: Re: [Vantage] Security for Data Collection Terminals


As Thad mentioned, if other clients on the network don't have file sharing
on, nobody should be able to get on them. Also, you can password those
shared folders on individual clients.

That doesn't stop malicious users from messing up your Data Collection
stations, however. We use a program called FORTRESS, which locks down the DC
stations so that ONLY Vantage can run (or whichever programs you pick) - No
Start button, No windows explorer, etc.

I'm not sure if FORTRESS can block access to the floppy drive as well. I've
never bothered to try it.

Troy Funte
Liberty Electronics

----- Original Message -----
From: Mitchell Kirby
To: vantage@yahoogroups.com
Sent: Wednesday, September 26, 2001 4:45 PM
Subject: [Vantage] Security for Data Collection Terminals


I just set up 8 personal computers as data collection terminals. We are
going live on Ver 5.0, the server is Win2000, the pc's are Win98. How do
I
set things up so that an experienced pc user can not access the rest of
the
computers on the LAN? Vantage tech support is sending me a doc on how to
configure security on the server but they didn't know how to limit access
from one client to another.

Do I change the terminals to another workgroup? Do I do all of this from
the server? If you can help keep in mind that I am not a system admin and
have no formal training in Win2000 or network configurations. Having
humbled myself before you all, I would appreciate your responses.

Mitchell Kirby
V. P. Manufacturing
Riten Industries, Inc.

800-338-0027, ext 210
800-338-0717 FAX


Yahoo! Groups Sponsor
ADVERTISEMENT



Height:
345678ft 01234567891011in
Weight:










Useful links for the Yahoo!Groups Vantage Board are: ( Note: You must
have already linked your email address to a yahoo id to enable access. )
(1) To access the Files Section of our Yahoo!Group for Report Builder and
Crystal Reports and other 'goodies', please goto:
http://groups.yahoo.com/group/vantage/files/.
<http://groups.yahoo.com/group/vantage/files/.>
(2) To search through old msg's goto:
http://groups.yahoo.com/group/vantage/messages
<http://groups.yahoo.com/group/vantage/messages>
(3) To view links to Vendors that provide Vantage services goto:
http://groups.yahoo.com/group/vantage/links
<http://groups.yahoo.com/group/vantage/links>

Your use of Yahoo! Groups is subject to the Yahoo! Terms of Service.



[Non-text portions of this message have been removed]



Yahoo! Groups Sponsor

ADVERTISEMENT




<http://us.adserver.yahoo.com/l?M=168643.1620686.3168692.1261774/D=egroupmai
l/S=1705007183:HM/A=799560/rand=279718300>

Useful links for the Yahoo!Groups Vantage Board are: ( Note: You must have
already linked your email address to a yahoo id to enable access. )
(1) To access the Files Section of our Yahoo!Group for Report Builder and
Crystal Reports and other 'goodies', please goto:
http://groups.yahoo.com/group/vantage/files/.
<http://groups.yahoo.com/group/vantage/files/.>
(2) To search through old msg's goto:
http://groups.yahoo.com/group/vantage/messages
<http://groups.yahoo.com/group/vantage/messages>
(3) To view links to Vendors that provide Vantage services goto:
http://groups.yahoo.com/group/vantage/links
<http://groups.yahoo.com/group/vantage/links>

Your use of Yahoo! Groups is subject to the Yahoo! Terms of Service
<http://docs.yahoo.com/info/terms/> .




[Non-text portions of this message have been removed]

Actually, there's another little program that we've used called "crowd
control" - it is pretty inexpensive, and lets you lock down those win95 & 98
stations pretty thoroughly-including use of floppy, removes icons from
desktop and so on. The website is www.sahalie.com.

Lydia
lcoffman@...

-----Original Message-----
From: Giallombardo, Ed [mailto:egiallombardo@...]
Sent: Friday, September 28, 2001 4:55 AM
To: 'vantage@yahoogroups.com'
Subject: RE: [Vantage] Security for Data Collection Terminals

You could disable the floppy drive in the Bios Setup.


Ed Giallombardo
Computer Technician
Major Industries, Inc.
7120 Stewart Ave.
Wausau, WI 54402
phone: 715-842-4616 ext. 322
email: egiallombardo@...

-----Original Message-----
From: Troy Funte [mailto:tfunte@...]
Sent: Thursday, September 27, 2001 8:45 PM
To: vantage@yahoogroups.com
Subject: Re: [Vantage] Security for Data Collection Terminals


As Thad mentioned, if other clients on the network don't have file sharing
on, nobody should be able to get on them. Also, you can password those
shared folders on individual clients.

That doesn't stop malicious users from messing up your Data Collection
stations, however. We use a program called FORTRESS, which locks down the DC
stations so that ONLY Vantage can run (or whichever programs you pick) - No
Start button, No windows explorer, etc.

I'm not sure if FORTRESS can block access to the floppy drive as well. I've
never bothered to try it.

Troy Funte
Liberty Electronics

----- Original Message -----
From: Mitchell Kirby
To: vantage@yahoogroups.com
Sent: Wednesday, September 26, 2001 4:45 PM
Subject: [Vantage] Security for Data Collection Terminals


I just set up 8 personal computers as data collection terminals. We are
going live on Ver 5.0, the server is Win2000, the pc's are Win98. How do
I
set things up so that an experienced pc user can not access the rest of
the
computers on the LAN? Vantage tech support is sending me a doc on how to
configure security on the server but they didn't know how to limit access
from one client to another.

Do I change the terminals to another workgroup? Do I do all of this from
the server? If you can help keep in mind that I am not a system admin and
have no formal training in Win2000 or network configurations. Having
humbled myself before you all, I would appreciate your responses.

Mitchell Kirby
V. P. Manufacturing
Riten Industries, Inc.

800-338-0027, ext 210
800-338-0717 FAX


Yahoo! Groups Sponsor
ADVERTISEMENT



Height:
345678ft 01234567891011in
Weight:










Useful links for the Yahoo!Groups Vantage Board are: ( Note: You must
have already linked your email address to a yahoo id to enable access. )
(1) To access the Files Section of our Yahoo!Group for Report Builder and
Crystal Reports and other 'goodies', please goto:
http://groups.yahoo.com/group/vantage/files/.
<http://groups.yahoo.com/group/vantage/files/.>
(2) To search through old msg's goto:
http://groups.yahoo.com/group/vantage/messages
<http://groups.yahoo.com/group/vantage/messages>
(3) To view links to Vendors that provide Vantage services goto:
http://groups.yahoo.com/group/vantage/links
<http://groups.yahoo.com/group/vantage/links>

Your use of Yahoo! Groups is subject to the Yahoo! Terms of Service.



[Non-text portions of this message have been removed]



Yahoo! Groups Sponsor

ADVERTISEMENT




<http://us.adserver.yahoo.com/l?M=168643.1620686.3168692.1261774/D=egroupmai
l/S=1705007183:HM/A=799560/rand=279718300>

Useful links for the Yahoo!Groups Vantage Board are: ( Note: You must have
already linked your email address to a yahoo id to enable access. )
(1) To access the Files Section of our Yahoo!Group for Report Builder and
Crystal Reports and other 'goodies', please goto:
http://groups.yahoo.com/group/vantage/files/.
<http://groups.yahoo.com/group/vantage/files/.>
(2) To search through old msg's goto:
http://groups.yahoo.com/group/vantage/messages
<http://groups.yahoo.com/group/vantage/messages>
(3) To view links to Vendors that provide Vantage services goto:
http://groups.yahoo.com/group/vantage/links
<http://groups.yahoo.com/group/vantage/links>

Your use of Yahoo! Groups is subject to the Yahoo! Terms of Service
<http://docs.yahoo.com/info/terms/> .




[Non-text portions of this message have been removed]



Useful links for the Yahoo!Groups Vantage Board are: ( Note: You must have
already linked your email address to a yahoo id to enable access. )
(1) To access the Files Section of our Yahoo!Group for Report Builder and
Crystal Reports and other 'goodies', please goto:
http://groups.yahoo.com/group/vantage/files/.
(2) To search through old msg's goto:
http://groups.yahoo.com/group/vantage/messages
(3) To view links to Vendors that provide Vantage services goto:
http://groups.yahoo.com/group/vantage/links

Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/

>Other than that, the monitor and system unit is locked in a box, but that's
>more for environmental protection in our shop. Disabling the floppy/CD
>drives and putting on a supervisor password should be enough.

Assuming no one in the shop has a screw driver, the inclination, and the
knowledge with which to open the back cover, and flip the jumper to reset
the BIOS back to defaults, and boot up with whatever floppy they want, and
possibly disable the security software by editing / removing config files
from DOS, or just plain reformatting the hard drive.

Of course is a mute point if other employees have view of the unit, and
everyone knows that only specific people are to be taking a screwdriver to
the computer. A highly visible fake security camera looking in the
direction of the monitor would do the trick as well...

Thaddeus


-----Original Message-----
From: Brian Boyes [mailto:brianb@...]
Sent: Thursday, September 27, 2001 1:39 PM
To: 'vantage@yahoogroups.com'
Subject: RE: [Vantage] Security for Data Collection Terminals


On our stations, I used poledit to hide everything and only allow vantage
and prowin32 to run. This works great. The systems are set to log on to the
network automatically using a data collection account and the Data
Collection program launches automatically when Windows starts. To make
administration a bit easier, I shared the hard drive on each unit as C$ and
put restrictions allowing only admins to use the share.

I also took everything out of the start menus, but that isn't absolutely
necessary if you use poledit to restrict what programs can run. I just did
it to discourage those who want to "play".

Other than that, the monitor and system unit is locked in a box, but that's
more for environmental protection in our shop. Disabling the floppy/CD
drives and putting on a supervisor password should be enough.

Let me know if you want any more details.

Brian Boyes,
Systems Administrator,
Precision Resource Canada Ltd.
<http://www.precisionresource.com>
<mailto:brianb@...>

> -----Original Message-----
> I just set up 8 personal computers as data collection
> terminals. We are
> going live on Ver 5.0, the server is Win2000, the pc's are
> Win98. How do I
> set things up so that an experienced pc user can not access
> the rest of the
> computers on the LAN? Vantage tech support is sending me a
> doc on how to
> configure security on the server but they didn't know how to
> limit access
> from one client to another..

Useful links for the Yahoo!Groups Vantage Board are: ( Note: You must have
already linked your email address to a yahoo id to enable access. )
(1) To access the Files Section of our Yahoo!Group for Report Builder and
Crystal Reports and other 'goodies', please goto:
http://groups.yahoo.com/group/vantage/files/.
(2) To search through old msg's goto:
http://groups.yahoo.com/group/vantage/messages
(3) To view links to Vendors that provide Vantage services goto:
http://groups.yahoo.com/group/vantage/links

Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/

Good grief, Thad. I hope you aren't speaking from experience?

Seriously though, there is always a way around whatever security measures
you take. The cabinets we use are nema12 certified steel and locked with a
padlock. However in our situation, its not determined employees with
screwdrivers we are worried about, its clumsy employees with forklifts...

I have to agree with you though, that the best way to physically secure a
workstation is to put it in public view.

Brian

> -----Original Message-----
> Assuming no one in the shop has a screw driver, the
> inclination, and the
> knowledge with which to open the back cover, and flip the
> jumper to reset
> the BIOS back to defaults, and boot up with whatever floppy
> they want, and
> possibly disable the security software by editing / removing
> config files
> from DOS, or just plain reformatting the hard drive.
>
> Of course is a mute point if other employees have view of the
> unit, and
> everyone knows that only specific people are to be taking a
> screwdriver to
> the computer. A highly visible fake security camera looking in the
> direction of the monitor would do the trick as well....