Account restriction in Windows. Programs to restrict access to files and OS settings


Programs to restrict access to files and OS settings

Although Windows has tools for restricting access, in practice they turn out to be inconvenient even in the most ordinary situations. Simple examples are enough to show this: setting a password for a directory, or preventing the Control Panel from opening.

It can be noted that in Windows 8, compared to its predecessor, Windows 7, parental controls have been improved. Now it can be found in the "Family Safety" section of the Control Panel. The filter has the following features:

  • Website visit filtering
  • Time limits
  • Restrictions on the Windows Store and games
  • Application restrictions
  • Viewing user activity statistics

From the above, it is clear that even these functions will help the computer administrator solve many specific problems. The rest of this review therefore covers small programs that let you restrict access to information and system partitions in addition to the standard Windows management tools.

License: Shareware ($69)


The Security Administrator program resembles a typical system tweaker, but with an emphasis on system security. Each of the options is responsible for a certain restriction, so the general settings tree is called “Restrictions”. It is divided into 2 sections: Common Restrictions and User Restrictions.

The first section contains parameters and subsections that apply to all users of the system. These include booting and logging in, network, Explorer, the Internet itself, system, Control Panel, and others. Conventionally, they can be divided into online and offline access restrictions, but the developers did not consider a particularly complex breakdown by tabs. In fact, it is enough that each “tweak” has a description: what effect this or that option has on security.

In the second section, User Restrictions, you can configure access for each Windows user individually. The list of restrictions includes sections of the Control Panel, interface elements, buttons, hot keys, removable media, etc.

It is possible to export the settings to a separate file so that it can be applied, for example, to other system configurations. The program has a built-in agent for monitoring user activity. The log files help the administrator track down potentially dangerous user actions and make appropriate decisions. Access to the Security Administrator can be protected with a password - in the programs discussed below, this option is also available de facto.

Among the shortcomings is a small list of programs for which restrictions can be applied: Media Player, MS Office, etc. There are many more popular and potentially dangerous applications. The lack of an up-to-date version for Windows 8 and localization complicates the work - this is exactly the option when it is difficult to do without basic knowledge of English.

Thus, the program is designed both to restrict access and to flexibly configure OS security settings.

License: trialware ($23.95)


In WinLock there is no division of settings into general and user, instead there are sections "General", "System", "Internet". In sum, there are fewer opportunities than Security Administrator offers, but this logic makes working with the program more convenient.

The system settings include restrictions on elements of the Desktop, Explorer, the Start menu, and the like. You can also set a ban on certain hotkeys and all kinds of menus. If you are only interested in these aspects of the restrictions, see the Deskman program below.

The limitations of the Internet functions are presented very superficially. They replace one of the Family Safety components: blocking access to sites. Of course, any firewall in this part will be the best solution. The lack of the ability to at least set a mask for web sites makes this section of WinLock unimportant for an experienced user.

In addition to the above sections, mention should be made of "Access", where application management is available. Any program can be easily blacklisted by name or manually added.

In the "Files" and "Folders" sections you can list data that you want to hide from other users. What is perhaps missing is password protection for access (for that you need to turn to other programs, see below).

License: freeware


WinGuard can be used to block applications and Windows partitions, as well as for data encryption. The program is distributed in two editions - free and advanced. The functional differences between them are small: several options in the "Advanced" tab. Among them are disabling Internet Explorer, Explorer, the installation process, and writing files to USB.

Control over the launch of applications is carried out in the "Task Lock" tab. If the desired program is not in the list, you can add it yourself by specifying the name in the title or by selecting it from the list of currently open applications (similar to WinLock). Compared with the blocking function in Security Administrator, WinGuard lets you disable restrictions for the administrator account. However, you cannot set up a blacklist of applications for each user.

Encryption is available through the Encryption section. The user interface is inconvenient: you cannot build a list for processing, and there is no context menu. All you need to do is specify a directory that will be both the source and destination. All contained files will be encrypted with 128-bit AES (Advanced Encryption Standard). Decryption is done in the same way.

Thus, the functionality is quite poor, even if we take into account the paid version.

License: shareware ($34.95)


Another program for AES data encryption, and yet the difference from WinGuard is quite noticeable.

First, selecting files for encryption is faster. You don't need to select each folder individually, just make a list of directories and files. When items are added, Advanced Folder Encryption requires you to set a password for encryption.

In the program there is no way to specify the protection method; instead you can select the Normal, High or Highest method.

The second convenience is encryption through the context menu and decryption of files with one click. You need to understand that without Advanced Folder Encryption installed, the data cannot be viewed even if you know the password. This is the difference from archivers, which can pack files into an encrypted exe-archive that can be opened anywhere.

It was noticed that when a large number of files is selected for encryption, the cancel button does not work. Therefore, you need to be careful not to end up with a broken file.

License: trialware (€39)

A program to restrict access to interface elements and system partitions. Perhaps here it is appropriate to compare it with the Security Administrator, with the difference that Deskman is more concentrated on the Desktop. System options are also present, but this is rather something that did not fit in other sections: disabling the restart buttons, Control Panel and other mixed options.

In the Input section, you can disable hotkeys, function buttons, and mouse functions. In addition to the existing list, you can define keyboard shortcuts yourself.

A curious option is Freeze, which is available on the toolbar. Pressing it forms a "white list" from the applications running at that moment. Accordingly, programs not included in the whitelist are not available until the Freeze function is disabled.

Another possibility related to being online is secure web surfing. The essence of the "protected" method is that only those pages that contain certain keywords in the title will be available. This feature can only be called experimental. In addition, the emphasis is on Internet Explorer, which is certainly the standard browser, but certainly not the only one.

The program is convenient to manage. To apply all the set restrictions, just press the "Secure" button on the panel; press the boss key to remove them. In addition, remote access to the program is supported via the web interface. Once configured, it is available at http://localhost:2288/deskman as a control panel. This allows you to monitor user activity (viewing logs), run programs, restart the computer / log off the system - both on one and on several machines.

Password for Drive (Secure NTFS)

License: shareware ($21)


The program works only with the NTFS file system and uses its capabilities to store information in a hidden area.

To create a vault, you must run Password for Drive with administrator rights and select the drive to create the vault. After that, the files can be copied to the protected area using the virtual disk. Accessing data from another computer does not require administrative rights.

Removable media can also be used as storage. To do this, you first need to format the disk to NTFS, for example with the regular Windows tools, and install Password for Drive in its portable edition.

The program does not have an intuitive and user-friendly interface, in fact, control is carried out by a minimal set of buttons - "Open" / "Delete storage" and "Activate disk". In demo mode, it is only possible to test the functionality of the program, since the number of storage openings is limited to one hundred.

License: shareware ($19.95)


The program is designed to password-protect data on removable media.

Unlike Secure NTFS, the setup dialog is much more intuitive thanks to a setup wizard. So, to apply protection, you need to connect a device to your computer, select it from the list, and follow the installation wizard. After this procedure, the user has a password-protected disk at their disposal. To unlock it, just run the exe-file in the root of the disk and enter the password.

When opened, the encrypted disk is available as a virtual disk, with which you can perform the same operations as with the original. Do not forget that on computers where launching third-party programs (those not in the "white" list) is prohibited, access to the content will be closed.

You can also download other data protection programs from the developers' website, including:

  • Shared Folder Protector - protection of files within the network;
  • Folder Protector - protect files on removable media.

License: freeware


A small utility that allows you to control user access to the Registry and files and to find vulnerabilities in granted rights. In other words, the program will be useful if the access rights are set with Windows tools.

The convenience of the utility lies in the fact that the OS simply does not provide tools for viewing access rights to directories in the form of a detailed list. In addition to files, you can also check access to registry branches.

To check access rights, you must specify a directory or registry key to scan and start the scanning process. The results are displayed as "Read"/"Write"/"Deny" columns corresponding to addresses. The properties of each of the list items can be accessed through the context menu.

The program works under all operating systems of the Windows NT family.

Summary

The utilities discussed in the review can be used in addition to the basic Windows tools, in a complex and in addition to each other. They cannot be classified as "parental control": some functions are somewhat similar, but for the most part they do not match.

And - utilities-tweakers of security settings, which can also be used to disable desktop elements, system partitions and others. In addition, WinLock has a built-in Internet filter and it is possible to block files and folders.

The functions include restricting access to the interface (superior in flexibility and), application launch control, an Internet filter.

It combines the functions of an encryptor and a restrictor of access to programs and devices. it makes sense to consider it as a replacement for WinGuard in terms of encryption.

And restrict access to data on removable media.

- a free convenient shell for checking user access rights to files and the Registry.

To curtail user rights, there are various types of accounts, but with them you can't configure everything the way you want, for example in Windows XP, although Windows 7 already has more options for setting account types ...

To help curtail user rights in Windows, there is a special "Group Policy" service, with which you can configure the system so that no one can "spoil" your operating system :)

I must say right away that there is no such service in Windows XP Home.

To start the Group Policy service, run the command "gpedit.msc" (without the quotes, of course). You can press the hotkey Win + R and, in the "Run" window that appears, type gpedit.msc, then press Enter or the "OK" button. The "Win" key is at the bottom left of the keyboard and carries the Windows logo; there is another one to the right of the spacebar. If you cannot find this key, click Start and select "Run" (Windows XP). For Windows 7, click Start, then select "All Programs" -> "Accessories" -> "Run".

So, now I will describe the further steps for Windows 7, since there is no Windows XP at hand, but the differences in this service are not significant there.

After executing the command, you should see the "Local Group Policy Editor". On the left there are "Computer Configuration" and "User Configuration"; we will work only in User Configuration.

I must say right away that the changes being made will be applied to all users of the system, even for the Administrator, that is, if you restrict access to something through this service, then you will automatically deprive the Administrator of these rights :) It is clear that this is not good, but we're going to use this trick.

In order to restrict access to everyone except the Administrator, you need to act according to the following algorithm:

  1. Change any values in group policies;
  2. Log out;
  3. Log in as each of the other users;
  4. Log in as Administrator;
  5. Copy the file C:\Windows\System32\GroupPolicy\User\Registry.pol somewhere;
  6. Change all the values that you restricted (set them to "Disabled" instead of the original "Not configured");
  7. Copy the Registry.pol file back to C:\Windows\System32\GroupPolicy\User\;
  8. Log in as other users and make sure that they have everything "cut down", but the Administrator does not :)
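
To see exactly which settings the Registry.pol file copied in steps 5 and 7 carries, the file can be decoded offline. The parser below is an added example, not part of the original article; it assumes the documented PReg layout (signature, version 1, then UTF-16LE [key;value;type;size;data] records), and the two sample files and the registry value names in them are constructed for illustration.

```python
import struct

REG_SZ, REG_DWORD = 1, 4
SYSTEM_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
EXPLORER_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"


def _w(text):
    """Encode text as UTF-16LE, the encoding Registry.pol uses for all strings."""
    return text.encode("utf-16-le")


def build_entry(key, value, reg_type, data):
    """Serialise one [key;value;type;size;data] record (used only for the samples)."""
    return (_w("[" + key + "\0;" + value + "\0;") + struct.pack("<I", reg_type)
            + _w(";") + struct.pack("<I", len(data)) + _w(";") + data + _w("]"))


def _expect(buf, pos, char):
    if buf[pos:pos + 2] != _w(char):
        raise ValueError(f"expected {char!r} at offset {pos}")
    return pos + 2


def _wstr(buf, pos):
    """Read a NUL-terminated UTF-16LE string, return (text, offset after the NUL)."""
    end = pos
    while buf[end:end + 2] != b"\0\0":
        if end + 2 > len(buf):
            raise ValueError("unterminated string")
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2


def _dword(buf, pos):
    if pos + 4 > len(buf):
        raise ValueError("truncated DWORD")
    return struct.unpack_from("<I", buf, pos)[0], pos + 4


def parse_registry_pol(buf):
    """Return a list of dicts, one per policy record in a Registry.pol image."""
    if buf[:4] != b"PReg":
        raise ValueError("missing PReg signature")
    version, pos = _dword(buf, 4)
    if version != 1:
        raise ValueError(f"unsupported version {version}")
    entries = []
    while pos < len(buf):
        pos = _expect(buf, pos, "[")
        key, pos = _wstr(buf, pos)
        pos = _expect(buf, pos, ";")
        value, pos = _wstr(buf, pos)
        pos = _expect(buf, pos, ";")
        reg_type, pos = _dword(buf, pos)
        pos = _expect(buf, pos, ";")
        size, pos = _dword(buf, pos)
        pos = _expect(buf, pos, ";")
        if pos + size > len(buf):
            raise ValueError("record data runs past end of file")
        raw, pos = buf[pos:pos + size], pos + size
        pos = _expect(buf, pos, "]")
        if reg_type == REG_DWORD and size == 4:
            data = struct.unpack("<I", raw)[0]
        elif reg_type == REG_SZ:
            data = raw.decode("utf-16-le").rstrip("\0")
        else:
            data = raw
        # "**del.<name>" tells the policy engine to delete <name> instead of setting it.
        deletes = value.lower().startswith("**del.")
        entries.append({"key": key, "name": value[6:] if deletes else value,
                        "action": "delete" if deletes else "set", "data": data})
    return entries


def _is_on(entry):
    return (entry["action"] == "set" and isinstance(entry["data"], int)
            and entry["data"] != 0)


def enforced(entries):
    """Names of settings a file actively switches on (set to a non-zero DWORD)."""
    return [e["name"] for e in entries if _is_on(e)]


def lifted_by(restricted, relaxed):
    """Settings enforced in `restricted` that `relaxed` deletes or sets to 0."""
    off = {(e["key"].lower(), e["name"].lower()) for e in relaxed
           if e["action"] == "delete" or e["data"] == 0}
    return [e["name"] for e in restricted
            if _is_on(e) and (e["key"].lower(), e["name"].lower()) in off]


HEADER = b"PReg" + struct.pack("<I", 1)
ONE = struct.pack("<I", 1)
# Constructed sample: the file saved in step 5, with three restrictions enabled.
RESTRICTED_POL = HEADER + b"".join([
    build_entry(SYSTEM_KEY, "DisableTaskMgr", REG_DWORD, ONE),
    build_entry(SYSTEM_KEY, "DisableRegistryTools", REG_DWORD, ONE),
    build_entry(EXPLORER_KEY, "NoControlPanel", REG_DWORD, ONE),
])
# Constructed sample: the same policies after step 6, recorded as delete requests.
RELAXED_POL = HEADER + b"".join([
    build_entry(SYSTEM_KEY, "**del.DisableTaskMgr", REG_SZ, _w(" \0")),
    build_entry(SYSTEM_KEY, "**del.DisableRegistryTools", REG_SZ, _w(" \0")),
    build_entry(EXPLORER_KEY, "**del.NoControlPanel", REG_SZ, _w(" \0")),
])

if __name__ == "__main__":
    for label, image in (("restricted", RESTRICTED_POL), ("relaxed", RELAXED_POL)):
        for e in parse_registry_pol(image):
            print(f"{label}: {e['action']:6} {e['key']}\\{e['name']} = {e['data']!r}")
```

For a real file, read C:\Windows\System32\GroupPolicy\User\Registry.pol in binary mode and pass the bytes to parse_registry_pol.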

All the basic settings, so to speak, are in the administrative templates, so we will change all the values there. To restrict something, for example access to the task manager, go to "User Configuration" -> "Administrative Templates" -> "System" -> "Ctrl+Alt+Del Options" and select "Remove Task Manager": double-click it, or right-click and select "Edit" from the menu. A window will open where you need to select "Enabled", then "Apply". If everything is done correctly, you will no longer be able to start the task manager :)

In principle, it makes no sense for me to describe every "restriction" here, because in the service itself everything is already well described.

I will give you an example of what restrictions I set at school for ordinary schoolchildren for Windows XP Professional (everything is in "User Configuration" -> "Administrative Templates").

System

  • prohibit the use of the command line;
  • disable registry editing tools;
  • disable autorun.
  • CTRL+ALT+DEL options:
    1. remove task manager;
    2. disable locking of the computer;
    3. prohibit changing the password.
  • group policy:
    1. Prevent interactive users from generating Resultant Policy (RSoP) data.
  • Internet communication management -> Internet communication settings:
    1. disable web publishing in the task list for files and folders;
    2. opt out of the Windows Messenger Customer Experience Improvement Program;
    3. disable the Internet File Association service;
    4. disable automatic download of codecs for Windows Movie Maker;
    5. disable web links in Windows Movie Maker;
    6. disable video saving on web sites of video hosting providers...;

Network

  • offline files:
    1. disable customization of offline files.
  • network connections:
    1. prohibit advanced TCP/IP configuration;
    2. deny access to the "Advanced Settings" command in the "Advanced" menu;
    3. prevent adding and removing components for LAN connections or...;
    4. deny access to the properties of local area network connections;
    5. prohibit enabling and disabling components of connections over a local area network;
    6. deny access to the New Connection Wizard;
    7. deny access to the "Remote Access Preferences" command in the "Advanced" menu.

Control Panel

Deny access to the control panel.

Desktop

  1. delete command "properties"... (all 3 pieces);
  2. prevent users from changing the path of the My Documents folder;
  3. prevent dragging and closing all toolbars on the taskbar;
  4. prohibit changing the location of desktop toolbars;
  5. uninstall the desktop cleanup wizard;
  6. remove the "Network Neighborhood" icon from the desktop;

Taskbar and Start menu

  1. remove links to Windows Update and prohibit its use;
  2. remove "Network Connections" from the "Start" menu;
  3. remove the "Network Neighborhood" icon from the "Start" menu;
  4. prohibit changing the settings of the taskbar and the Start menu;
  5. disable access to the context menu for the taskbar;
  6. clear the list of recently opened documents on exit;
  7. disable shortcut menus;
  8. fix the position of the taskbar;
  9. remove the list of frequently used programs in the start menu.

Explorer

  1. remove the "Folder Options" command from the "Tools" menu;
  2. hide the "Manage" command from the Explorer context menu;
  3. remove the "Hardware" tab;
  4. disable image thumbnail caching.

But at the same time, I also limited the rights to write to hard disk C.

© Filimoshin V. Yu., 2010

As practice shows, the fewer users have access to a particular computer, the longer the system on it remains operational and the more likely it is that folders and files will be safe and sound. It is best if the computer has only one user. Alas, in reality this is far from always the case: at work you have to let other employees use your computer, at home quite often the same computer is used by all family members, and in public places (in particular, in educational institutions and computer clubs) the number of users of a computer can be very large.

About the need to restrict access

It is quite understandable that usually neither colleagues nor household members want to harm your computer, but if they belong to the category of novice users, then problems cannot be avoided. And the younger generation in educational institutions usually does not set themselves the goal of disabling the computer and destroying the information stored on it - they simply actively experiment, without thinking about what consequences certain actions can lead to.

As a result, certain problems inevitably arise on computers in the operation of individual applications or the operating system. This is not surprising, because it is enough to accidentally (simply by negligence or in the course of an experiment) delete, for example, a monitor driver - and the image on the screen will become less attractive, remove the printer - and printing documents will be impossible, change network settings - and the computer will stop working in the local networks, etc. And this is not the worst option - accidentally deleting a number of system folders and files can lead to a complete inoperability of the operating system, so it will have to be reinstalled. And the destruction of important working documents can have even more sad consequences - it is possible that it will not be possible to restore them in full and part of the work (or even all of it) will have to be done again. In addition, it cannot be discounted that if your personal or corporate materials are of any commercial value, attackers may want to use them.

Thus, the issue of restricting access to a computer, its individual devices, and the data stored on it is to some extent relevant for all computer users without exception. For some (administrators, teachers in computer classes, and home users with children), the priority is blocking access to operating system settings and protecting the files and folders of the operating system and installed applications. For others (this includes administrators, specialists from computer security departments and teachers, who in our country, along with teaching, are often also forced to keep the computers under their control in working order) it is more important to block access to various devices (USB, CD/DVD, FireWire, etc.). There are three reasons to block access to devices: first, it is on such devices that insiders often take confidential information out of companies; second, viruses and Trojans often enter the computer through these devices; third, various programs are installed from removable media, which it is desirable to prevent - otherwise, within a week so many games will be installed on a computer in, for example, an educational institution that there will simply be no room left for other applications.

Many office workers are interested in completely blocking access to a running computer in the absence of its legitimate user. The need for such protection in the office is very real: even if you have your own computer, you cannot be near it all the time, and the computer is often left switched on and unattended, which can be exploited by other employees interested in your materials.

Another group of users (it includes all office workers and home users) is concerned about protecting personal data against damage, deletion or leakage. The problem of protecting personal folders and files inevitably arises when several people work at the same computer. This can be at home, when you need to shield other family members (for example, a child) from information that is not intended for them, and at work, where even if each user has their own computer, another employee may need to perform some operations on yours. In both cases, there is no need to show outsiders your working materials, and not at all because they are classified as "top secret". Everything is much simpler: no one likes outsiders interfering in their affairs. In addition, by blocking access to your folders and files, you need not worry that something will happen to them through the fault of another (insufficiently trained) user or that they will be used illegally, which, unfortunately, is quite possible if the materials are of commercial value.

In general, the issue of reasonable access restriction is very complex and multifaceted, and it is impossible to solve it without suitable applications. This article is devoted to such applications.

Programs for restricting access

The range of applications offered on the market for restricting access is quite wide and covers diverse software products. Some of them block access to the operating system settings, others let you control access to various devices, a third group completely blocks the computer in the absence of the user, and a fourth hides personal data. Often these features are combined in one way or another, which is quite understandable, because many users need to restrict access in several directions at once to solve the tasks they face.

Blocking access to operating system settings and system data

Built-in Windows tools allow you to impose some restrictions on user access to operating system settings and system data by managing the local security policy (Control Panel=>Administration=>Local Security Policy). In particular, you can prohibit changing the account password and installing printer drivers, limit the list of applications allowed to run, etc., but the set of available restrictions is limited.

At the same time, in practice, to ensure the stable operation of the system, it is often necessary to limit the capabilities of users more, which can only be done using highly specialized utilities designed to control access to a computer. As an example, we will consider the programs Security Administrator, WinLock, Deskman and My Simple Desktop. The most interesting of them is the Security Administrator utility, which allows you to restrict access to all important system settings and is focused on system administrators. The My Simple Desktop program has the least functionality, but it is free for personal use and has quite sufficient capabilities for some home users, and you can master it in a matter of seconds.

Security Administrator 12.0

Developer: getfreefile

Distribution Size: 1.85 MB

Runs under: Windows 9x/Me/NT4/2000/XP/2003/Vista

Distribution method http://www.softheap.com/download/secagent.zip)

Price: $69

Security Administrator is a professional solution for managing access to a computer that allows you to restrict access to a computer and all its important settings (Fig. 1) both in general and for individual users. It is also possible to completely block the switched on PC in the absence of the user. In addition to setting restrictions, the utility can be used to control the work of users on the computer, since it keeps statistics on the use of the local network, the Internet, etc.

Fig. 1. Restricting access to system settings and hiding drives in Security Administrator

This solution is useful for setting a wide range of access restrictions. With it, it is easy to restrict access to desktop settings (prohibit changing display properties, hide certain icons, etc.), disable some Start menu items, and hide the taskbar (all of it or only certain elements). It can also prohibit the installation/uninstallation of applications and restrict user options when browsing the Internet: prohibit changing Internet Explorer settings, downloading files, accessing the Internet from applications, etc. There are also ample opportunities to protect critical system settings from changes - for example, you can prohibit editing the system registry, activating DOS mode, installing new drivers, adding / removing printers, copying / moving files in system folders and deleting files and folders from the My Computer folder. You can also hide the control panel, printers, network connections and the Run command from the Start menu. If necessary, the control panel can be hidden not completely but partially, hiding the elements most critical from the point of view of unauthorized changes, such as "System", "Display Properties", "Network", "Passwords" and "Printers". It is just as easy to hide local, network and USB drives, disable burning and autoplay of CDs, block the use of Windows hotkeys and the launch of specific applications, and hide specified folders - these folders become invisible in the "My Computer" folder, Explorer and the Open / Save dialog boxes of Windows applications.

WinLock 5.0

Developer: Crystal Office Systems

Distribution Size: 2.65 MB

Runs under: Windows 95/98/Me/NT4.0/2000/XP/Vista

Distribution method: shareware (30 day demo - http://www.crystaloffice.com/winlock.exe)

Price: WinLock - $21.95; WinLock Professional - $31.95

WinLock is a convenient solution for restricting access to important system resources (Fig. 2) and user data, including remotely. The program is presented in two versions: basic WinLock and extended WinLock Professional (the basic version does not allow restricting access to web resources or using encryption).

Fig. 2. Restricting access to system settings and hiding drives in WinLock

With this solution, you can disable access to the system registry, hide commands from the Start menu to access the control panel, printers, and network connections and completely block access to the corresponding system folders and to some other folders (My Computer, My Documents, Recycle Bin, etc.). And also set a ban on blocking the computer and make it impossible to change the settings of the taskbar, display settings, network settings, adding/removing programs from the Start menu and renaming desktop icons. It is just as easy to set prohibitions on activating DOS mode and booting Windows in safe mode and block Windows hotkeys (Alt+Ctrl+Del, Alt+Tab, Ctrl+Esc, etc.). If desired, you can even restrict the ability to manage windows (for example, prohibit resizing and moving them). The program also has tools for blocking access to removable media (CD / DVD drives, USB devices, etc.) and hiding the display of certain drives in the My Computer folder and Explorer. You can block the launch of specific applications (download managers, games, etc.) and deny access to certain files and folders (the former cannot be opened for viewing or editing, and the latter cannot be opened, renamed or deleted). And also prevent access to dubious web resources (based on the white list of allowed sites and the black list of prohibited keywords) and set limits on how long a computer can be used by specific users.

Deskman 8.1

Developer: Anfibia Software

Distribution Size: 1.03 MB

Runs under: Windows 2000/2003/XP/Vista

Distribution method: shareware (30 day demo - http://www.anfibia-soft.com/download/deskmansetup.exe)

Price: personal license - 25 euros; business license - 35 euros

Deskman is a simple tool for controlling access to a computer and its settings (Fig. 3), which allows you to completely block the PC (including the keyboard, mouse and desktop) or restrict access to certain of its functions (individual restrictions are possible for different users).

Fig. 3. Setting limits in Deskman

Using this solution, you can restrict access to desktop settings (for example, prohibit changing display properties, deleting icons, calling the context menu, etc.), Windows Explorer, the taskbar and Internet Explorer settings, and prevent changes to various Start menu items. You can also restrict access to the control panel and other critical system settings - for example, prohibit the removal of network drives, block the restart and shutdown of the computer, etc. If necessary, it is easy to block all or only certain Windows hotkeys (Alt+Ctrl+Del, Alt+Tab, Ctrl+Esc, etc.) and configure the utility to automatically remove new entries from startup, to keep out viruses, adware and spyware modules. It is possible to prohibit other users from using specific hard drives and removable media (CD / DVD drives, USB devices, disk drives, etc.), and to block autoplay and burning of CDs. You can configure restrictions through pre-installed profiles (more convenient for beginners and much faster) or manually.

My Simple Desktop 2.0

Developer: Anfibia Software

Distribution Size: 1.76 MB

Runs under: Windows XP/Vista

Distribution method: My Simple Desktop Office Edition and My Simple Desktop School Edition - shareware (30-day demo - http://www.mysimpledesktop.com/downloads.sm.htm); My Simple Desktop Home Edition - freeware (http://www.mysimpledesktop.com/download/msdsetup_home.exe)

Price: My Simple Desktop Office Edition - 32 euros; My Simple Desktop School Edition - 20 euros; My Simple Desktop Home Edition - free (for personal use only)

My Simple Desktop is a very simple program for restricting access to the computer and its settings (Fig. 4). It is presented in three editions: the paid My Simple Desktop Office Edition and My Simple Desktop School Edition and the free My Simple Desktop Home Edition (the possibilities of the editions are completely identical).


Fig. 4. Setting access restrictions in My Simple Desktop

With this utility, you can protect the desktop, taskbar and Start menu from changes, make it impossible to make changes to the display settings and the Explorer context menu. And also deny access to the control panel, folder properties and the system registry and block the use of Windows hot keys and the right mouse button. The device access restriction plan includes a ban on the use of fixed drives and external USB devices, as well as hiding network drives and blocking autoplay of CDs. If necessary, you can set a limit on the time of using the computer - the same for all users, except for the administrator. Restrictions are configured by assigning one of the preset profiles or manually.

Restrict access to devices

The built-in mechanisms for distributing access rights and setting security policies in operating systems of the Windows family (except Windows Vista) do not allow controlling other users' access to potentially dangerous devices (USB devices, CD/DVD drives, FireWire and infrared ports, etc.). Of course, you can disable such devices in the BIOS, but this is not a real option: to work with a disabled device (if necessary), you would have to enter the BIOS each time and turn it on again, which is time-consuming and very inconvenient.

It is much wiser to control access to devices using additional applications, which can be very different. The ability to hide or block devices is often provided in utilities designed to control access to operating system settings, including those we have reviewed. However, their capabilities for restricting access to devices are limited: they cover far from all dangerous devices, and media control is out of the question. Much more functionality in this regard is provided by dedicated device access blockers and specialized solutions for protecting the system from leaks of corporate information. As examples, we will consider the DeviceLock, USB Lock Standard and ID Devices Lock programs. The most functional of them is DeviceLock, with which you can control (and not just block) the access of individual users and user groups to almost any potentially dangerous devices (and even media), but it is mainly aimed at system administrators. The capabilities of the other two utilities are much more modest, but they are quite enough for most users.

DeviceLock 6.3

Developer: CJSC "Smart Line Inc"

Distribution Size: 39.7 MB

Work under control: Windows NT/2000/XP/Vista

Distribution method: shareware (30 day demo - http://www.devicelock.com/ru/dl/download.html)

Price: 1300 rub.

DeviceLock is a specialized solution for organizing a corporate information leakage protection system that allows you to control access to the entire range of potentially dangerous devices: USB ports, disk drives, CD/DVD drives, as well as FireWire, infrared, parallel and serial ports, Wi-Fi and Bluetooth adapters, tape drives, PDAs and smartphones, network and local printers, internal and external removable drives and hard drives. The program has a centralized remote management system that provides access to all functions from the system administrator's workplace. This management is implemented using the optional DeviceLock Enterprise Manager console or through Active Directory group policies, which makes it possible to install DeviceLock automatically on new computers connected to the corporate network and to configure it for them automatically.

A device type can be blocked either completely or partially, that is, in accordance with a white list of media (Fig. 5), in which case access to some media is allowed even though the corresponding type of device is blocked. You can also set read-only mode and protect disks from accidental or intentional formatting. It is possible to assign different access rights to devices and I/O ports for individual users and user groups, with the ability to set control depending on the time and day of the week. If necessary, you can log all user actions with devices and files (copying, reading, deleting, etc.) by performing shadow copying.


Fig. 5. Setting device access restrictions in accordance with the white list of media in DeviceLock

USB Lock Standard 3.4.1

Developer: Advanced Systems International S.A.C.

Distribution Size: 2.02 MB

Work under control: Windows XP/Vista

Distribution method: shareware (10 day demo - http://www.advansysperu.com/down_st.php)

Price: $44

USB Lock Standard is a handy tool for blocking access (Fig. 6) to all types of removable media: USB ports (USB drives, iPods, MP3 players, etc.), Zip devices, disk drives, CD/DVD drives, Bluetooth adapters and smart card readers (CF, SD, MMC, XD, etc.). It allows you to block access to the specified devices completely or partially, by opening access for authorized devices. To cancel the blocking, you need to know the password or have a USB key. Operations with unlocked devices are recorded in the logs.


Fig. 6. Blocking access to CD/DVD drives in USB Lock Standard

ID Devices Lock 1.2

Developer: ID Security Suite

Distribution Size: 1.47 MB

Work under control: Windows 98/NT/2000/XP/Vista

Distribution method http://www.idsecuritysuite.com/files/iddeviceslocksetup.exe)

Price: $37

ID Devices Lock is a simple utility for restricting access (Fig. 7) to USB devices, CD drives and disk drives by prohibiting copying data to them, which helps prevent information leakage on mobile media. To cancel the lock, you need to know the password.


Fig. 7. Restricting access to the drive in ID Devices Lock

Complete blocking of the computer in the absence of the user

The easiest way to block access to a computer that is turned on is to set a password for the screen saver, but this is not the best option, since the screen saver password can easily be removed by rebooting. It is much more reliable to block the computer completely using special software tools, which make it impossible to access any elements of the computer, including the keyboard, mouse and desktop. After that, it is no longer possible to view any information on it, launch applications, access files and folders (including currently open ones), or even restart the computer by pressing the Ctrl+Alt+Del keyboard shortcut. You can unlock the computer only by knowing the user's password, and a simple reboot (even in safe mode) or a power failure will not remove the protection.

Such blocking is usually provided by highly specialized utilities such as Desktop Lock, Lock My PC and similar ones; however, the same capability can also be found in programs designed to set various kinds of access restrictions, in particular in Security Administrator and Deskman.

Desktop Lock 7.2.1

Developer: TopLang Software

Distribution Size: 792 KB

Work under control: Windows NT/2000/XP/2003/Vista

Distribution method: shareware (15 day demo - http://www.toplang.com/dlsetup.exe)

Price: $24.95

Desktop Lock is a utility for blocking a computer (Fig. 8) while the user is away. Blocking is set from the utility itself, by pressing a certain key combination, automatically at the time specified by the user or, if the user is inactive, after a specified period. Entering locked mode may be accompanied by the launch of a screensaver or the playing of an audio or video file, which is reasonable, for example, at exhibitions when demonstrating corporate presentations. Locking disables the mouse and makes it impossible to use basic keyboard shortcuts. To exit locked mode, you need to press a secret keyboard combination or mouse button and enter a password. If desired, you can configure the utility to capture short messages from other users who approached the computer during the absence of its owner and wished to write something to him.


Fig. 8. Setting computer lock options in Desktop Lock

Lock My PC 4.7

Developer: FSPro Labs

Distribution Size: 1.4 MB

Work under control: Windows 2000/XP/2003/Vista

Distribution method: shareware (30-day demo - http://www.fsprolabs.com/download/distr/lmpc.zip)

Price: personal license - $19.95; business license - $29.95

Lock My PC is a tool for blocking a computer (Fig. 9) while the user is away. Locking a computer is easy - just double-click on the corresponding icon in the system tray or press a special keyboard combination. It is possible to automatically block after a specified time of user inactivity. When locked, the mouse and CD / DVD drives are turned off (this will not allow you to remove CDs from them) and it becomes impossible to use the main keyboard combinations: Ctrl + Alt + Del, Alt + Tab, etc. On a locked computer, any , including self-created images in GIF, JPEG, BMP and animated GIF formats. You can unlock the computer only if you know the user or administrator password.


Fig. 9. Customizing computer lock settings in Lock My PC

Protection of personal information

There are several ways to protect personal data from unauthorized access: you can compress folders and files in a password-protected archive; hide them; put in a secret folder, access to which for other users will be protected by a password; encrypt or create a virtual encrypted disk, on which to record your secret materials. The choice of the most preferred method depends on the situation, but in most cases the best option is to hide and encrypt folders and files, so in this article we will limit ourselves to it.

Theoretically, you can hide folders and files using the built-in Windows features - for this, it is enough to set the "Hidden" attribute in the properties of the corresponding objects. Folders and files hidden in this way will not be visible in Explorer to other users of the system, but only on condition that the "Do not show hidden files and folders" checkbox is enabled in the properties of the parent folders containing them. In principle, this may be enough to protect data from untrained users. However, objects hidden in this way will be visible in applications that do not use the standard dialog for displaying files and folders (FAR, Total Commander, etc.), so this protection is not very good.

A more reliable option for protecting data with the built-in Windows tools is to use the Encrypting File System (EFS), which allows you to encrypt files by enabling the "Encrypt content to protect data" option for them in Explorer (Properties => General => Advanced). It is impossible to read files encrypted in this way without knowing the password; however, EFS can protect folders and files only on the NTFS file system.

For these reasons, it is better to use specialized utilities to protect personal folders and files. These solutions hide folders and files more securely (they remain invisible even when the "Do not show hidden files and folders" checkbox is cleared) and also block access to them. Moreover, some of these utilities can also encrypt data, which ensures that it is protected from other users even if Windows is booted in safe mode, another operating system is booted, or the hard drive with the protected information is installed in another computer. We'll look at Folder Lock, Folder Guard, and Hide Folders XP as examples. The first provides the highest level of protection for encrypted data, the second additionally provides tools to protect the basic OS settings from changes. The Hide Folders XP package is noticeably inferior to the named solutions in terms of its capabilities, but it has a Russian-language interface and is offered to Russian-speaking users at a very attractive price.

Folder Lock 6.0.1

Developer: NewSoftware Professionals, Inc.

Distribution Size: 2.78 MB

Work under control: Windows 2000/XP/2003/Vista

Distribution method: shareware (20 day demo - http://dl.filekicker.com/nc/file/130083-0M78/folder-lock.exe)

Price: $35.95

Folder Lock is an effective and reliable solution for protecting personal files, folders (Fig. 10) and drives by setting a password, hiding and encrypting them (AES algorithm with a 256-bit key). For more security, this solution allows blocking and encryption to be used at the same time - files protected in this way are not displayed in Explorer or in applications and are completely inaccessible, since it is impossible to access them without knowing the password even when booting into DOS, in Windows safe mode, from a different OS, or on a different computer. In case the password is forgotten, it is possible to gain access to data using the registration key. The original data that needs to be protected can be located not only on the hard drive, but also on USB drives, memory cards, CD-RW disks, floppy disks and laptops. Protection can also be applied automatically when the computer is inactive. In the special Stealth Mode, the program is able to hide all traces that indicate the installation of data protection on the computer: it prevents the display of its own shortcuts on the desktop and in the Start menu, hides installation/uninstallation data in the corresponding section of the Control Panel, clears the history and clipboard data, etc. In addition, for greater security, the program keeps a record of all passwords that were unsuccessfully entered to remove protection, which allows the user to notice in good time an unhealthy interest in his computer from other users.


Fig. 10. Working with protected folders in the Folder Lock package

Folder Guard 7.6

Developer: WinAbility Software Corporation

Distribution Size: Folder Guard Editions and Folder Guard x64 Edition - 1.8 MB; Folder Guard Professional Edition - 2.5 MB

Work under control: Windows 2K/XP/2003/Vista

Distribution method: shareware (30 day demo - http://www.winability.com/folderguard/editions.htm)

Price: Folder Guard Editions and Folder Guard x64 Edition - $39.95; Folder Guard Professional Edition - $59.95

Folder Guard is a simple and convenient solution for restricting access to folders and files, as well as preventing access to a number of Windows settings. It comes in three editions: Folder Guard Editions, Folder Guard x64 Edition and Folder Guard Professional Edition. The first version runs in 32-bit Windows versions, the second - in 64-bit, and the third - in both.

Access to personal data is restricted by hiding it (Fig. 11), setting read-only mode or blocking. Hiding is implemented in two variants: you can make folders and files hidden or mark them as empty (Empty). In the second case, the folders will be visible, but when opened they will appear empty, although in reality they contain information - this protection option is suitable for standard Windows folders, the complete hiding of which would indicate that information on the computer is blocked, which is undesirable. Protected folders will not be available without a password to other users of the system even when Windows is booted in safe mode, although this will require some settings in the program. In case the password is forgotten, it can be recovered using the free Emergency Recovery utility (http://www.winability.com/folderguard/eru.htm). The program can also run in Stealth Mode, in which its own shortcuts and files are hidden.


Fig. 11. Hiding a folder in Folder Guard

With Folder Guard you can also protect basic OS settings from changes (Fig. 12) - in particular, close access to the properties of the taskbar, the Start menu and a number of other windows, prohibit saving display properties (if they have been changed), block changing folder properties and Internet Explorer settings, and hide desktop icons. You can also prevent changes to parameters critical for the operation of the system by closing access to the Control Panel and setting a series of prohibitions: access to the system registry, adding/removing printers, using the Run command, etc. Certain drives can also be hidden from My Computer, Explorer and the standard Open/Save dialog boxes, and CD/DVD recording can be blocked. A different set of such restrictions can be applied to different users.

Fig. 12. Setting restrictions on access to Windows settings in Folder Guard

Hide Folders XP 2.9.8

Developer: FSPro Labs

Distribution Size: 1.23 MB

Work under control: Windows 2000/XP/2003/Vista

Distribution method: shareware (30 day demo - http://www.fsprolabs.com/download/distr/hfxp.zip)

Price: $29.95 (in the Softkey.ru store - 400 rubles)

Hide Folders XP is a simple program to protect folders and files (Fig. 13) from unauthorized access by hiding and/or blocking them. Protected folders will not be available to other users, including the system administrator, even when Windows boots in safe mode. In this case, not only protected folders and files, but also the folders containing them will be protected from deletion. And in order to prevent other users from guessing about the presence of protected data on the computer, the program can remove traces of the established protection and can hide itself (it may not appear in the list of frequently used programs, not show the uninstall line in the Control Panel, hide itself in the list of running processes, etc.).


Fig. 13. Working with protected files in the Hide Folders XP environment

It seems to me that in this situation the following recipe may work: you need to create two groups, let's call them PCComission and UserCommission.
Include in their composition computers and users of the commission department, respectively.
Next, create a GPO and link it to the OU SUS, removing the apply policy right from the Auth Users group, adding it instead to the PCComission group. After that, in the policy properties, using the group membership restriction mechanism, exclude the domain group Domain Users from the local Users group, but add the UserCommission group.

Vadim, I pointed out that you are mistaken because your recipe will not work: excluding domain users from the built-in computer users group will not restrict domain users from logging in locally to this computer. That's all. Do not be offended, but your "it seems to me that ..." should be checked before offering as a recipe. Recall / familiarize yourself with the state of a typical "Builtin\Users" membership on a member computer in an AD domain, about privileges, finally ...

Yes, and one more thing: you should not make a practice of changing the security reference model without good reason yourself, and even less so advise an inexperienced administrator to do it. Firstly, by doing this you will bring more problems than you will receive bonuses, and secondly, it may deprive you of technical support!

Vadim, if you can explain what I am wrong about, I will be grateful to you. :)

Addition: Vadim, about the policy object. Well, let the GPO take at least 10 megabytes in SYSVOL and take the same amount in the AD container - so what? Replication is optimized, the client does not reload the GPO five times a day, and the administrator does not change it just because he has nothing to do - right? In general, it is better to create more GPOs (and often that is the only possible way) than to poke around in a vinaigrette.

Thanks to my wife Katya, Klevogin S.P., Kozlov S.V., Muravlyannikov N.A., Nikitin I.G., Shapiro L.V. for my knowledge! :)


Dmitry, actually, I already explained it in one of the previous posts of this thread: August 21, 2009 10:26 am
Well, let's do it again. My proposal was to use the "Restricted Groups" mechanism to change the composition of the local Users group on the computers of the commission department, so that users of the sales department could not log in to them (after all, it is through membership in this group that they have such a right). True, I formulated this idea carelessly: the correct wording was not "exclude the domain group Domain Users from the local Users group" but "clear the local Users group", but that doesn't change the essence, since the policy, when applied, clears the group before adding the members explicitly specified in the Restricted Groups section. So in this case, it is not necessary to remember the default composition of the group. Although it does not hurt ;) And I not only remember the privileges, I am suggesting that they be used, namely Allow Logon Locally.
If you don't understand something else, ask specifically - I'll try to explain it more intelligibly.
Dmitry, I see some bonuses myself. And what specific problems do you warn me and other inexperienced administrators against in connection with the change in the composition of the Users group?
And explain to me for God's sake, how this can affect technical support? And whose?
Well, about the size of the policy object. If, when examining a customer's infrastructure, you have never found a controller located behind a 128k channel that had not replicated for almost the entire tombstone lifetime, then it will not be easy for you to understand my concern ;) This is despite the fact that the number of GPOs was more than 100.
And your statement that "it is better to create more GPOs, and often - this is the only way possible", for example, is not obvious to me.
I am a supporter of the opposite point of view: if there are two options for solving a problem, by creating a group or a GPO, I choose the first one.
It's more convenient for me to implement delegation of authority. And the duration of the download / login process directly depends on the number of GPOs used. But, again, this is a matter of taste.

I hope the technical part of the issue is clear.
Then, Dmitry, a few words about the ethics of the discussion.
1. If you have already expressed your opinion about my wrongness, then I would like to see the argumentation of such an opinion in the same post.
2. "Do not be offended, but your "it seems to me that ..." should be checked before offering as a recipe." So, I was not too lazy and checked it again - the recipe works. Did you yourself check it before stating that "the recipe will not work"? So I return your own words to you: before categorically stating anything, it would be nice to check your statement with an experiment.
3. Thank you for your advice to me, but I didn't ask you for it. Although I do not rule out that someday I will contact :)
May Vitaliy Shestakov forgive me for another flame.
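
The mechanism argued over in the thread above, modelled as an added example (not code from either participant): it parses a Restricted Groups entry and the "Allow log on locally" right from security-template text and evaluates who can log on under three states of the local Users group, including both wordings used in the thread. The EXAMPLE domain, the account names, the template contents and the default group memberships are constructed assumptions.

```python
import configparser

# Well-known SIDs as they appear (with "*") in a security template.
WELL_KNOWN = {"*S-1-5-32-544": "BUILTIN\\Administrators",
              "*S-1-5-32-545": "BUILTIN\\Users"}
AUTH_USERS = "NT AUTHORITY\\Authenticated Users"

# Constructed sample of the relevant GptTmpl.inf sections (EXAMPLE is a placeholder domain).
TEMPLATE = """\
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
[Group Membership]
*S-1-5-32-545__Memberof =
*S-1-5-32-545__Members = EXAMPLE\\UserCommission
"""

# Assumption: typical local groups on a domain-joined workstation before the GPO applies.
DEFAULT_LOCAL_GROUPS = {
    "BUILTIN\\Administrators": {"EXAMPLE\\Domain Admins"},
    "BUILTIN\\Users": {AUTH_USERS, "NT AUTHORITY\\INTERACTIVE", "EXAMPLE\\Domain Users"},
}

def principals(value):
    """Split a comma-separated template value into principal names."""
    return {WELL_KNOWN.get(p.strip(), p.strip()) for p in value.split(",") if p.strip()}

def parse_template(text):
    """Return (user rights, Restricted Groups member lists) from template text."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep key case, e.g. SeInteractiveLogonRight
    cp.read_string(text)
    items = lambda s: cp.items(s) if cp.has_section(s) else []
    rights = {k: principals(v) for k, v in items("Privilege Rights")}
    restricted = {}
    for key, value in items("Group Membership"):
        group, _, kind = key.rpartition("__")
        if kind.lower() == "members":  # "__Memberof" lines are ignored here
            restricted[WELL_KNOWN.get(group, group)] = principals(value)
    return rights, restricted

def apply_restricted_groups(local_groups, restricted):
    """A Members list is authoritative: principals not on it leave the group."""
    result = {g: set(m) for g, m in local_groups.items()}
    result.update({g: set(m) for g, m in restricted.items()})
    return result

def can_log_on_locally(token, local_groups, rights):
    """True if the token, expanded with local groups, holds the logon right."""
    effective = set(token)
    effective |= {g for g, members in local_groups.items() if members & token}
    if effective & rights.get("SeDenyInteractiveLogonRight", set()):
        return False  # an explicit deny wins over an allow
    return bool(effective & rights.get("SeInteractiveLogonRight", set()))

def token_for(user, *domain_groups):
    """Principals in a domain user's token (simplified model)."""
    return {user, AUTH_USERS, "EXAMPLE\\Domain Users", *domain_groups}

SALES = token_for("EXAMPLE\\sales1")
COMMISSION = token_for("EXAMPLE\\comm1", "EXAMPLE\\UserCommission")

def evaluate():
    """(sales user, commission user) logon result for three states of BUILTIN\\Users."""
    rights, restricted = parse_template(TEMPLATE)
    trimmed = dict(DEFAULT_LOCAL_GROUPS)
    trimmed["BUILTIN\\Users"] = trimmed["BUILTIN\\Users"] - {"EXAMPLE\\Domain Users"}
    states = {
        "default": DEFAULT_LOCAL_GROUPS,
        "only_domain_users_removed": trimmed,
        "restricted_groups_applied": apply_restricted_groups(DEFAULT_LOCAL_GROUPS, restricted),
    }
    return {name: (can_log_on_locally(SALES, groups, rights),
                   can_log_on_locally(COMMISSION, groups, rights))
            for name, groups in states.items()}

if __name__ == "__main__":
    for state, result in evaluate().items():
        print(f"{state}: sales={result[0]} commission={result[1]}")
```

On a real machine the same inputs come from the GPO's GptTmpl.inf or a `secedit /export` of the local policy, and the result also depends on any other group that holds the logon right.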


