8. SECURING THE OPERATING SYSTEM
8.1 Using login scripts
Station command line options
The following command line options may be added to the command to start the Station application in batch files or in shortcuts to tailor the environment that Station runs in.
Parameter  Description
-sf        Disables window resizing so that Station can only operate in full screen mode and is always on top
-sl        Disables window resizing so that Station can only operate in full screen mode and is always on the bottom
-sx        Disables the Exit menu choice
-ss        Disables the Setup menu choice
-sc        Disables the Connect menu choice
Locking Station in full screen mode and disabling menus
You can restrict access to non-Station software on a computer by changing the Station command line.
Changing the Station command line allows you to:
• Lock the Station window in full screen so that users cannot resize the window or access operating system functions and non-Station applications.
• Disable the Exit menu choice so that users cannot close down this Station.
• Disable the Setup menu choice so that users cannot change the connection or display settings for this Station.
• Disable the Connect menu choice so that users cannot attempt to connect to a different server or disconnect from the current server.
Access to Intranet and Internet sites is disabled by default on Station. For information on enabling full or restricted access via Station's SafeBrowse feature, see “Customizing Station - Web Access tab, Connection properties” in the Server and Client Configuration Guide.
Example script: Starting Station
In order for operators to access Station on a secure computer, you need to create a batch file that enables Station to start automatically when the operator logs on to the computer.
To create the batch file:
Step Action
1 For domain account scripts, log on to the Domain Controller with a domain administrator account.
For local account scripts, log on to each system with a local administrator account.
2 Use a text editor, such as Notepad, to create the following batch file:
ATTENTION
If you use Signon Manager and Electronic Signatures, you should use the -sl option so that Station is in full-screen mode but always on the bottom, so that the Signon Manager and Electronic Signatures dialog boxes appear on top of Station.
cd "\Program Files\Honeywell\signon"
start signon.exe
rem *******************************************
rem change to station directory
rem *******************************************
cd "\Program Files\Honeywell\Experion LX PKS\client\station"
rem *******************************************
rem the following line need only be included
rem if you are on the Server PC
rem and also using automatic logon.
rem It delays Station startup to let the
rem Server start completely first.
rem *******************************************
sleep 70
rem *******************************************
rem start station with "full screen lock" and always on top
rem and all 'Station' menu options inactive.
rem stnsetup.stn is optional, delete if not
rem required.
rem *******************************************
start station.exe [stnsetup.stn] -sslxc
3 Save the file in the location specified in one of the following sections:
• Assigning logon scripts to individual domain accounts
• Assigning logon scripts to local accounts
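The batch file above is what actually enforces the lock-down, so it is worth being able to check it rather than trusting that the right options were typed. The following PowerShell function is an added example, not part of the Honeywell guide: it reads a Station start-up batch file, finds the "start station.exe" line and reports which of the documented options (-sf, -sl, -sx, -ss, -sc) it carries. It assumes that the letters following a leading "-s" are individual options, so that "-sslxc" is read as -ss, -sl, -sx and -sc, which is how the guide's own script combines them; the sample batch file it writes to the temp folder is constructed for the demonstration.

```powershell
# Added check (not from the Honeywell guide): report the Station lock-down
# options present on the "start station.exe" line of a logon batch file.
# Assumption: letters after a leading "-s" are separate options, so
# "-sslxc" means -ss -sl -sx -sc (the form used in the guide's example).

$StationOptions = @{
    'f' = 'Full screen, always on top (-sf)'
    'l' = 'Full screen, always on bottom (-sl)'
    'x' = 'Exit menu disabled (-sx)'
    's' = 'Setup menu disabled (-ss)'
    'c' = 'Connect menu disabled (-sc)'
}

function Get-StationLockdown {
    param([Parameter(Mandatory)][string]$BatchFile)

    # Only the first "start station.exe" line is examined.
    $line = Get-Content -Path $BatchFile |
        Where-Object { $_ -match '^\s*start\s+station\.exe' } |
        Select-Object -First 1
    if (-not $line) { throw "No 'start station.exe' line found in $BatchFile" }

    # Collect every option letter, whether given as -sf -sx or combined as -sslxc.
    $present = @{}
    foreach ($token in ($line -split '\s+')) {
        if ($token -match '^-s([flxsc]+)$') {
            foreach ($ch in $Matches[1].ToCharArray()) { $present[[string]$ch] = $true }
        }
    }

    $fullScreen  = $present['f'] -or $present['l']
    $menusLocked = $present['x'] -and $present['s'] -and $present['c']
    [pscustomobject]@{
        StartLine   = $line.Trim()
        Options     = @($present.Keys | Sort-Object | ForEach-Object { $StationOptions[$_] })
        FullScreen  = [bool]$fullScreen
        MenusLocked = [bool]$menusLocked
        Locked      = [bool]($fullScreen -and $menusLocked)
    }
}

# Demonstration on a constructed copy of the guide's start line.
$sample = Join-Path -Path $env:TEMP -ChildPath 'Operator_Start_sample.bat'
'start station.exe -sslxc' | Set-Content -Path $sample
Get-StationLockdown -BatchFile $sample
```

Run it against the real Operator_Start.bat on each Station and look at the Locked column: a value of False means the operator can resize the window or reach a menu that the guide says should be disabled. Because both 'f' and 'l' satisfy the full-screen check, the output also shows which of the two was used, which matters when Signon Manager is in use (see the ATTENTION note above).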
REFERENCE - INTERNAL
For more information on using scripts, refer to the Experion LX System Administration Guide.
Assign logon scripts to domain groups and users using group policy
This procedure demonstrates how to assign the Operator_Start.bat logon script to all domain users that are members of the Operators global group.
Note: For a Windows Server 2003 Domain Controller, the Group Policy Management Console must be installed first. On Windows Server 2008/Windows Server 2008 R2, it is installed by default.
Step Action
1 Log on to the Domain Controller using a domain administrator account.
2 Place the Operator_Start.bat script in the following path.
%SystemRoot%\SYSVOL\Domain\Scripts
3 Choose Start > All Programs > Administrative Tools > Group Policy Management.
4 Click Yes on the User Account Control dialog box.
5 In the left (navigation) pane, expand the tree and right-click Group Policy Objects under the required domain and select New.
6 Enter the new policy name as “Operator Startup Policy,” and click OK.
7 Right-click the new policy in the navigation pane and select Edit.
8 In the Group Policy Management Editor window navigation pane, select User Configuration > Policies > Windows Settings > Scripts (logon/logoff).
9 In the right pane, double-click Logon.
10 In the Logon Properties dialog box, click Add.
11 In the Add a Script dialog box, type Operator_Start.bat as the name of the script in the script name edit field, and any parameters required for the script in the Script Parameters: edit field, then click OK.
12 In the Logon Properties dialog box, click OK.
13 Close the Group Policy Object Editor window.
14 In the navigation pane, right-click the new policy and select GPO Status > Computer Configuration Settings Disabled.
15 In the navigation pane, left-click-and-drag the new policy to the domain (or OU) to which this policy should apply.
16 Click OK if you want to link the GPO to the selected location.
17 Select Group Policy Objects > Operator Startup Policy in the navigation pane.
18 In the right pane, remove the users/groups listed under the Security Filtering heading, then click Add to add the required groups (or individual users).
19 When the group policies are next pushed to the computers in the domain, this startup script applies to all operator logons.
Assign logon scripts to individual domain accounts
To specify the batch file as a logon script for domain accounts:
Step Action
1 Log on to the Domain Controller using a domain administrator account.
Select Start > Control Panel > System and Maintenance > Administrative Tools > Active Directory Users and Computers.
2 Place the Operator_Start.bat script in %SystemRoot%\SYSVOL\domain\scripts.
3 In the tree view, select Users to display the list of users in the domain.
4 Right-click the account name to which the Logon Script must be assigned and select Properties.
5 On the Profile tab, type Operator_Start.bat in the Logon script: edit box.
6 Click OK.
Assign logon scripts to local accounts
Step Action
1 Log on to the local machine using a domain or local administrator account.
2 If the local computer does not have a NetLogon share, create a directory to be used for the share (for example %SystemRoot%\NetLogon), and share the directory using the name “NetLogon”.
3 Place the Operator_start.bat file in \\<computername>\NetLogon, or use the local directory path that is shared as NetLogon.
4 Select Start > Control Panel > System and Maintenance > Administrative Tools > Computer Management.
5 Select Local Users and Groups.
6 Select Users.
7 Double-click the user account you want to modify. The Properties dialog box opens.
8 Click the Profile tab, and in Logon Script: type Operator_Start.bat.
9 Click Apply.
10 Click OK to close the Properties dialog box.
11 Close Computer Management.
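Both of the individual-account procedures above (domain accounts via Active Directory Users and Computers, local accounts via Computer Management) end with Operator_Start.bat typed into the Profile tab, and a missed account means an operator who logs on without Station locked down. The following PowerShell helpers are an added example, not from the Honeywell guide: Test-NetLogonShare confirms the NetLogon share and script file from steps 2 and 3 exist, Get-LocalLogonScriptAssignment reads each local account's logon script through the WinNT ADSI provider, and Get-DomainLogonScriptAssignment reads the same value for domain accounts with Get-ADUser. The account names are constructed for the demonstration; the domain function assumes the ActiveDirectory RSAT module is installed on the machine where it runs.

```powershell
# Added audit helpers (not from the Honeywell guide): confirm that the
# operator accounts have Operator_Start.bat assigned as their logon script.
# Assumptions: account names are examples; Get-ADUser needs the
# ActiveDirectory module; the share name NetLogon is the one the guide uses.

function Test-NetLogonShare {
    param([string]$ScriptName = 'Operator_Start.bat')
    # Win32_Share is available on the Windows Server 2003/2008 hosts the guide covers.
    $share = Get-WmiObject -Class Win32_Share -Filter "Name='NetLogon'"
    if (-not $share) {
        return [pscustomobject]@{ ShareExists = $false; ScriptPresent = $false; Path = $null }
    }
    $path = Join-Path -Path $share.Path -ChildPath $ScriptName
    [pscustomobject]@{ ShareExists = $true; ScriptPresent = (Test-Path -Path $path); Path = $path }
}

function Get-AssignmentStatus {
    param([bool]$Found, [string]$Script, [string]$Expected)
    if (-not $Found)            { return 'AccountNotFound' }
    if (-not $Script)           { return 'NoLogonScript' }
    if ($Script -ieq $Expected) { return 'OK' }
    return 'UnexpectedScript'
}

function Get-LocalLogonScriptAssignment {
    param([Parameter(Mandatory)][string[]]$UserName, [string]$Expected = 'Operator_Start.bat')
    # The WinNT provider exposes the Profile tab's "Logon script" value as LoginScript.
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    $users = $computer.Children | Where-Object { $_.SchemaClassName -eq 'user' }
    foreach ($name in $UserName) {
        $u = $users | Where-Object { $_.Name -eq $name } | Select-Object -First 1
        $script = if ($u) { [string]$u.LoginScript } else { $null }
        [pscustomobject]@{
            Account = $name; Scope = 'Local'; LogonScript = $script
            Status  = Get-AssignmentStatus -Found ([bool]$u) -Script $script -Expected $Expected
        }
    }
}

function Get-DomainLogonScriptAssignment {
    param([Parameter(Mandatory)][string[]]$UserName, [string]$Expected = 'Operator_Start.bat')
    Import-Module ActiveDirectory -ErrorAction Stop
    foreach ($name in $UserName) {
        # scriptPath is the attribute behind the Profile tab's "Logon script" box in ADUC.
        try { $u = Get-ADUser -Identity $name -Properties ScriptPath } catch { $u = $null }
        $script = if ($u) { [string]$u.ScriptPath } else { $null }
        [pscustomobject]@{
            Account = $name; Scope = 'Domain'; LogonScript = $script
            Status  = Get-AssignmentStatus -Found ([bool]$u) -Script $script -Expected $Expected
        }
    }
}

# Example run on a workgroup Station (constructed account names).
Test-NetLogonShare
Get-LocalLogonScriptAssignment -UserName 'operator1', 'operator2' | Format-Table -AutoSize
```

Any row whose Status is not OK identifies an account that still needs the Profile tab setting from the procedure; ShareExists or ScriptPresent reporting False means the script would not be found even for accounts that are correctly assigned. On a Domain Controller, call Get-DomainLogonScriptAssignment with the members of the operator group instead of the local function.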