Types of Security Available

There are two basic approaches to providing security on a Windows computer. These are reflected in the various security packages available.

1. Protect the computer at the user interface level. This means limiting the features that can be used. For example, in Window 3.1 many of Program Manager's features would be disabled (create icons, run programs, etc.). In Windows 95 you would want to limit access to the Start Menu options, or the Control Panel. Most purchased security software works in this manner.
   
2. Protect the computer at the hard disk level. This means protect the hard disk at the file and directory level by controlling what files may be created, deleted, modified, or executed. For example, you could make the entire Windows directory tree READ-ONLY and prevent any changes (or additions) to the Windows system files. By not allowing any directory to have both write access and execute access effectively limits what programs may be executed. Since ultimately everything that changes on the computer is at the hard disk level this type of security provides the most protection. This method of security is similar to the way operating systems such as UNIX, Windows NT, and NetWare provide security.

Each method has its strong points and weaknesses, and many security programs offer a combination of the two approaches to bridge the gap:

The weak point of providing security at the user interface level is that if a user can get past the protected interface the computer is completely vulnerable. The security software must protect against all possible methods of bypassing the user interface, and there may be many such methods. For example, simply renaming command.com to another name may provide access to the DOS C:\ prompt.

The weak point of protecting the computer at the hard disk level is that a Windows computer is not designed with this type of protection in mind. The Windows operating system or a program (such as Netscape) may not operate properly if the hard disk is protected. For example, Netscape version 3.0 expects use of the Windows\Temp directory. If this is protected (by protecting the Windows directory tree), Netscape will simply not run without any error messages. These types of problems can be very hard to resolve.

The strong point of using security that protects at the user interface level is that it is typically easier to setup than hard disk level security, and, in general, less likely to conflict with Windows and your installed software. Hard disk level security will probably provide better security, but will require quite a bit of trial and error, and require more technical skill.

http//www.softheap.com