
Force Windows 9x Users To Log Onto An NT Domain

Trying to lock down an internal network comprised of dozens of computers is never easy. It certainly doesn’t help when some of those computers are still running Windows 98. While Windows 9x boxes can log onto an NT domain, they aren’t required to. The good news is they can be forced to if needed.

That pesky escape key

One of the great irritants of Windows 9x in a multiuser environment has always been that pesky escape key. When presented with a login prompt, either pressing escape or clicking Cancel lets snoops slide right in using the default account.

In a recent situation, I was dealing with a network where users already had to connect to an NT domain to access various network resources. So I figured, if we are securing the network, why not take steps to secure the clients?

The need for network authentication

While I’m not an enormous fan of using Windows XP in an office environment, at least the professional edition can connect to an NT domain and can be required to do so. If you set things up properly, you can make sure no active local account exists other than the local administrator. After making sure to give that account a password, as it doesn’t have one by default, I am reasonably comfortable with local security using this setup.

Unfortunately, Windows 98 isn’t quite as flexible. The server can keep rogue users from accessing the network, but that doesn’t do anything to protect the system locally. So I started looking for something simple to add just a little more security to Windows 98 for free.

Forcing network authentication

What I found was a clever registry tweak that forces users to log into the NT domain. It’s no silver bullet, but it’s enough to stop the casual snoop from going any further.

To implement this tweak, open the registry editor and navigate to HKEY_LOCAL_MACHINE >> Network >> Logon. Create a new DWORD value named “MustBeValidated”, then double-click it and change the value from 0 to 1.

But what if… ?

One of my first concerns with implementing this tweak was that if the network goes down for a long time or the network card dies, users may need to have local logins for a short time. But if I can’t authenticate over the network, how do I log in to disable forced network authentication?

For better or worse, the default user account will still work in safe mode. So if the server croaks, I can always go back to local authentication exclusively by booting into safe mode and editing the registry from there.

Adding some automation

To be nice, I thought about the possibility of my not being available when the unthinkable happened. For this reason, I made an emergency floppy for performing these registry edits with only the double-click of a file. This floppy included two files: one to enable and one to disable.

forcenetauth.reg:

REGEDIT4

[HKEY_LOCAL_MACHINE\Network\Logon]
"MustBeValidated"=dword:00000001

unforcenetauth.reg:

REGEDIT4

[HKEY_LOCAL_MACHINE\Network\Logon]
"MustBeValidated"=dword:00000000
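
A check to go with the two files above, as an added example that is not part of the original article: it reads REGEDIT4 text exported from each client's HKEY_LOCAL_MACHINE\Network\Logon key and reports whether MustBeValidated is set to 1. The machine names and export contents are constructed samples, and treating a missing value as "not enforced" is an assumption based on the default behaviour described earlier.

```python
import re

KEY = r"HKEY_LOCAL_MACHINE\Network\Logon"
VALUE = "MustBeValidated"

def parse_regedit4(text):
    """Parse REGEDIT4 text into {key_path_lower: {value_name_lower: raw_data}}."""
    lines = text.lstrip("\ufeff").splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("not a REGEDIT4 file")
    keys, current = {}, None
    for line in lines[1:]:
        line = line.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"\s*=\s*(.*)$', line)
            if m:                         # hex continuation lines and @= are skipped
                current[m.group(1).lower()] = m.group(2).strip()
    return keys

def logon_state(text):
    """Return 'enforced', 'not enforced' or 'unknown data' for one export."""
    values = parse_regedit4(text).get(KEY.lower())
    raw = (values or {}).get(VALUE.lower())
    if raw is None:
        return "not enforced"    # assumption: absent value means default behaviour
    m = re.fullmatch(r"dword:([0-9a-fA-F]{1,8})", raw)
    if not m:
        return "unknown data"    # e.g. created as a string instead of a DWORD
    return "enforced" if int(m.group(1), 16) == 1 else "not enforced"

# Constructed sample exports; machine names are hypothetical.
SAMPLES = {
    "FRONTDESK": 'REGEDIT4\n\n[HKEY_LOCAL_MACHINE\\Network\\Logon]\n"MustBeValidated"=dword:00000001\n',
    "LAB2": 'REGEDIT4\n\n[HKEY_LOCAL_MACHINE\\Network\\Logon]\n"username"="default"\n',
    "SHIPPING": 'REGEDIT4\n\n[HKEY_LOCAL_MACHINE\\Network\\Logon]\n"MustBeValidated"=dword:00000000\n',
}

def audit(exports):
    """Map each machine name to its enforcement state."""
    return {name: logon_state(text) for name, text in sorted(exports.items())}

if __name__ == "__main__":
    for name, state in audit(SAMPLES).items():
        print(f"{name:10} {state}")
```

The "unknown data" result catches the case where the value was created with the wrong type, which is easy to do when the tweak is applied by hand.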

Shortcomings of this method

Obviously, this technique is no replacement for a more secure client operating system. There are still a few shortcomings. For example,

  • passwords are still cached locally,
  • safe mode is still available and wide-open,
  • and locally-stored data is not encrypted.
