Internet Access Control (1.1.1)


This program is a utility that limits access to applications on specified computers in response to the existence or absence of a flag file. A means is also provided to control operation (add/remove the flag file) my means of a physical switch however there are however as many alternative methods of doing this as there are system administrators. This physical switch can be located at any convenient location. The computers are managed in groups that can comprise 1 to 100,000 units. The program is very difficult to circumvent if setup properly and protected by normal network security.

It is only intended to operate on Win9x. It appears to operate normally on W2K and XP but operates in the users context as a normal application and as such is relatively easy to circumvent. When required we intend to release a version that runs as a service on these systems but this is not expected until or in preparation of my schools migrating to XP (or later). For operation on these operating systems you may need to manually add a string value to the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" key to start the program.

The program can be started from the command line with the name and the path of the "ini" file passed as a parameter (i.e. from a logon script) or from the local registry. The program operates in two modes one is server mode and the other client mode. In client mode the computer controls program access depending on the existence or absence of the flag file on the server. The computer operating in server mode (houses the flag file) can be a client of itself, another PC running in server mode or be unmanaged.

The computer operating in server mode checks its serial port (either com1 or com2) for loop back every second. The loop back is normally created by a physical switch connected to pins 2 and 3 of the serial port. If the switch is closed (switched on) a loop back exists and a flag file is created on a shared drive or folder. If the switch is open (switched off) no loop back exists and the flag file is removed. If the file is created manually in an attempted to circumvent restrictions it is removed during the next second. The name of the flag file, its location and which com port to check is specified in an "ini" file. This file is normally located on a read only share on the controller pc or server. The flag file is normally created on a shared local drive which can be shared as read only. Several problems are inherent in using a shared drive on an existing file server however in certain circumstances this may be desirable. If the "ini" file is not located on the local drive then the pc must be logged onto the network for the system to operate.

The client computers check for the existence of the flag file specified in the "ini" file every second. If the file does not exist then program access is restricted as instructed in the allow and deny files. The allow and deny files are specified in the "ini" file. These files are in the same format as the files used by my ScanWindows application and may be shared. When the flag file is restored the program access is restored to normal.

The normal steps to setting up the system:

1) The first job is to decide the method of control i.e. which computer (if any) is going to operate in server mode. This computer, referred to as the controller pc requires a read only share to be created. As an alternative the share can be a writeable share located on a file server but this is not recommended as a smart student may open the file with a write lock preventing deletion. If an alternative means of control is to be provided then this needs to be setup and made operational.

2) If using a computer in server mode make a cable with a DB 25 plug for your chosen serial (com) port on one end a switch on the other. Connect the switch to pins 2 and 3. Connect the cable to the serial port on the controller pc and locate the switch in a convenient location.

3) In the local path entry in the "ini" file enter the local path to the shared folder (can be the root directory) and the name you want to use for the flag file ie. If the file is called "flag" and you have shared the root directory of C: then the local path will be c:\flag. No extension is required but can be used if you wish.

4) In the port entry of "iaccess.ini" enter the computer name and the serial port number the above cable is connected to. It is this entry in the :port" section of the "ini" file that determines if the computer operates in server mode.

5) In the path entry of .the "ini file enter the external path of the flag file with out the server name i.e. in the example above if the c: drive is shared as "c" and the file is called "flag" then the path will be \c\flag. (don't enter the full stop) Don't forget the leading backslash or it will fail.

6) For the initial testing set the display errors and nohide to 1 (in the ini

file). After testing set to 0.

7) Enter the path to the allow and deny files in the appropriate entry.

In the controller section enter the names of each client computer followed by an equal sign and then the name of the controller pc. You can have as many controller pc's as you like just put the name of the desired controller pc after the equal sign.

9) Store the iaccess.ini file on a read only share on a file server and or the local drives of the controller PCs.

10) Use the install program to install the program on your computers.

11) Manually start the program by double clicking on iaccess.exe. Iaccess.exe is normally located in the windows directory. When the program first starts it will ask you for the location of iaccess.ini. Enter the full UNC path to the file ie \\server\sharename\iaccess.ini (or whatever name you like). As an alternative you can start the program from the command line with the ini file passed as a parameter eg. \\fileserver\fileshare\iaccess.exe \\fileserver\fileshare\iaccess.ini

12) I use a controller pc heck to see if the flag file is created and removed by operation of the switch.

13) Check to see if the programs are restricted in response to the switch and/or flag file.

14) The system should now be operational.

The control takes some command line options they are:

   /stop Will stop previous instances of the application.
   /nostop Cannot be stoped by the /stop command
   /showme Shows the window and provides debugging information.

This software is provided as is with no warranty or fitness for any purpose what so ever either stated or implied.

1.1.1 Added scan for I.E. Sub windows inside Window Explorer windows.
1.1.0 Removed Dependancy on scrrun.dll to avoid interface not supported errors reported by some people Added extra startup debug information. Added scanning for Interent Explorer sub windows in Windows Explorer.
1.0.0 Default scan interval changed to 0.5 secs
0.9.4 Added extra checking for missing files. Uses timer to wait, no longer hangs. added /showme command.
0.9.3 Fixed error causing exit when still monitoring serial port loopback. waits for files to become available (but hangs while waiting).
0.9.2 Fixed ini file options to not hide and show form. Shows some debug info in form.
0.9.1 Speeded up searching of large allow files (>500 entries).
0.9.0 Uses ScanWindows module to control program access. Some other ini file options unavailable.
0.8.3 Looks for local path and Port in new computer-specific part of ini file. Timer delay reduced to 2 secs in debugger. Looks for Port number and controllerPC to determine which parts to run or if can exit. Runs a different command for enable and disable. Full commands now specified in ini file. Uses ini file entry to control running in stealth mode.
0.8.2 Doesn't subclass in the debugger. Exits if controllerPC = exit or none. Can start from command line with the ini file as an argument. If so bypasses the registry. Exits if second instance.
0.8.1 Added more error checking.
0.0.8 Changed name to iaccess.exe. fixed error in runservices reg entry. Changed initialize routine to return a Boolean value. Exit now called from timer form.
0.0.7 Ignores WM_ENDSESSION Message when logging off. Adds reg key if missing. Code complete for Win95 (I think)
0.0.6 Got RegisterServiceprocess to register as a service on Win9x. Added file checking to wait until control files become available. Changed check for flag file to use fso.fileExists.
0.0.5 Uses MSComm module instead of dwcomm. Dwcomm failed on W2K after build.
0.0.4 Now looks at hkey_local_Machine\software\deet\iaccess to find location of ini file. Ini file and control file now combined.
0.0.3 Added more info in debug print. Made iaccess.ini after I lost it.


Comment List