Fortres 101 is a single solution to malicious destruction of computers, problems with inconsistent interface, and inconsistent printing behavior.

Fortres 101 is an innovative security agent that resides invisibly between the user and the computer. Transparent to the user, Fortres 101 looks at everything the user attempts and decides if the operation is prudent from the system's and the administrator's perspectives. Fortres 101 gives administrators strict authority to specify which applications may be executed. Fortres 101 provides power, security, flexibility, and confidence.

In addition to protection from malicious use, Fortres 101 ensures that the interface looks the same every day. Windows can be setup up with specific groups available, and standard printer configurations that will never change. Simply arrange the interface exactly as you like, setup the printers exactly as you like, install Fortres 101, and never again think about maintaining interface or hardware settings. Once Windows is configured properly and Fortres 101 is installed, users are prevented from ever changing the interface appearance.

1. Installation takes only about 1 minute per machine
2. Fortres 101 confines all of its files to a single directory on the hard drive (\FORTRES.101\).
3. All security options can be altered without having to reboot or restart Windows.
4. Loading of Fortres 101 can be prevented by administrator at boot time.
5. Fortres 101 can be unloaded from memory without having to reboot.
6. Fortres 101 has complete diagnostic abilities to track down any conflicts.

Fortres 101 installs itself as a new component of the operating system, a component that has access to all functions of the interface. Once installed, Fortres 101 intercepts all of the user's action within the Program Manager or Explorer, compares the attempted operation with the Fortres 101 setup screen options, and chooses whether or not the user initiated operation should be performed. In effect, Windows asks Fortres 101 permission before executing any Program Manager or Explorer commands. For example, if a user presses the Delete key to remove an icon from Program Manager, Windows asks Fortres 101 if it is OK to delete icons and waits for a response. If Fortres 101 does not grant permission, the icon cannot be deleted.

Even if your concern is not so much about security, more about keeping the machine friendly, Fortres 101 will help. One of the problems facing new computer users is the lack of familiarity with the interface. Icons may not be in the same place every day. People may accidentally move or even delete icons. Keeping a common interface is extremely important on machines that are used by a variety of different users. With Fortres 101, you can setup the icons like you want them with confidence that they will always be where you placed them. Similarly, printers can be setup and never thought of again. Fortres 101 is there maintaining the interface for the users, and maintaining sanity for administrators.

In addition to the cosmetic protection, Fortres 101 provides a secure file system. It allows administrators to specify file level access for users. Disk drives, directories, and individual files can be marked for full access, read-only access, or no access. Fortres 101 does not modify the structure of any drives to do this. Fortres 101 simply intercepts every file operation and compares it with current security settings to determine if the operation should be allowed or failed.

Once you install and use Fortres 101 you will think of it as an integral part of the system. You really will not believe that you ever placed a computer in public without any protection.

1. Turn off any virus protection software.
2. Insert the Fortres 101 Installation Disk.
3. From the File menu of the Program Manager select Run. (File | Run)
   Type A:\SETUP (if the Fortres 101 Installation Disk is in drive A:)
   Or
   Type B:\SETUP (if the Fortres 101 Installation Disk is in drive B:)
4. Press the Install button and follow directions on the screen.
5. See the section Preventing Boot Interruption with a System/Startup Disk below.

• To access the setup screen hold, the ALT key and type WCFNFX
• To interrupt Fortres 101 loading at boot time, press and hold both SHIFT keys after escalating tones begin and before punctuating beep.
• To silence sounds on boot, use the /Q parameter after FGSA in autoexec.bat.
• All saving to hard disk can be prevented with a single check in No Saving on Local Hard Disk on the File Protect page.

Users upgrading from a previous version of Fortres 101 will need to close the currently running copy before installing this upgrade.

In order to properly turn off the old version of Fortres 101:

1. Access the Fortres 101 Setup Screen.
2. Click on the Cancel Button.
3. When queried about closing Fortres 101, click on the Yes button.
4. When notified that Fortres 101 is closed, click OK.

Upon completing these four steps, normal installation may follow.

The installation process consists of Fortres 101 copying its files to the hard disk, making backup copies of crucial system and configuration files, and preventing user control during the boot process. The installation then proceeds to request a password, and displays the Fortres 101 setup screen. After selecting the desired options on the Fortres 101 setup screen and pressing OK, Fortres 101 enforces security. The default security that Fortres 101 implements, when no changes are made to the Fortres 101 setup screen, prevents users from altering anything about the interface or modifying important system files.

The crucial system files of which Fortres 101 creates copies are:

• config.sys contains boot information and device driver references.
• autoexec.bat contains boot information and environment settings.
• win.ini contains settings for the Windows environment and user preferences.
• system.ini contains startup information for Windows which refers to hardware specifics.
• progman.ini contains information about the position and appearance of the Program Manager.
• [group files] Group files (typically ending in .grp) maintain information about finding programs on the computer including the program icons and locations.

The Fortres 101 installation is very compact and collected. Fortres 101 does not modify any system files, other than autoexec.bat and config.sys. All of the Fortres 101 files, as well as copies of important system files, are stored in a directory on the boot drive named \FORTRES.101\. This directory is created and then hidden. Fortres 101 copies no files anywhere else on your computer.

Preventing interruption of the boot process is accomplished in two steps. One step prevents interrupting config.sys, while the other prevents interrupting the autoexec.bat. In order to prevent users from using the function keys to interrupt the boot process at the config.sys level, the documented DOS switches=/F /N statement is inserted as the first line of the config.sys file. It is important that this line be the first line in the config.sys file. In order to prevent the autoexec.bat file from being interrupted, fgsl.sys is loaded from the config.sys file. fgsl.sys is a device driver that prevents the Control-Break and Control-C commands from breaking the autoexec.bat file during execution. Fgsl.sys does have other important functions as well.

Fortres 101 is loaded into memory every time the computer boots because of commands inserted into the autoexec.bat and the config.sys files. When a user boots the computer with a system disk (booting with a floppy), Fortres 101 can be bypassed. In order to prevent unauthorized users from bypassing Fortres 101, it is recommended that you change the boot sequence located in the BIOS configuration (also called CMOS settings) of your machine.

The BIOS (Basic Input / Output System) configuration can typically be accessed by hitting the delete key while the computer boots up. Once in the BIOS configuration choose the CMOS setup or the advanced CMOS setup and change the boot sequence from a,c to c,a ("a" referring to disk drive and "c" referring to hard drive). This change causes the computer to look to the hard disk first for the operating system and then if an error occurs, the floppy disk drive. After changes are made in the BIOS configuration, it is recommended that it be password protected. Most BIOS configuration systems allow the provision for password protection. To do so refer to the setup screen in your computer's BIOS.

If your computer does not have the capability to change the boot sequence, you can re-cable the floppy disk drive. In order to do this, remove the computer cover and examine the ribbon cable that runs to the floppy disk drive. There should be two connectors attached to the ribbon cable (one of which is connected to your floppy disk drive). There is a subtle difference between the two connectors. One of the connectors will be preceded by a section of ribbon that is twisted in the center. This is the connector that allows booting from that drive. If you disconnect that and connect the one without the twisted ribbon section, users cannot boot from that drive.

In the event you do not want Fortres 101 loaded when the machine boots up, there is a provision for interrupting Fortres 101's execution. While the machine is booting, you should hear an escalating series of tones followed by a punctuating beep. After the start of the escalating tones and before the completion of the punctuating beep, press and hold the left and right shift keys at the same time. If you do this properly (it may take several tries), you will be prompted for the Fortres 101 password. After correctly typing the password and pressing return, you will see the message "Fortres 101 is Disabled For This Boot." This will prevent the Windows protection from loading. When disabling Fortres 101 in this manner, you will not be able to pop up the Fortres 101 setup screen in the normal manner. You can access the Fortres 101 setup screen by running fortres.exe in the hidden C:\FORTRES.101 directory, and then performing the Fortres 101 setup screen access method. See the section "Accessing The Setup Screen" below. Please note that loading Fortres 101 in this manner will produce complaints from Fortres 101 about the loading of file protection. These warnings will not appear when Fortres 101 is loaded automatically, and can be ignored.

After all installation tasks are completed, Fortres 101 will ask for a password. This password will be needed for any subsequent altering of the Fortres 101 configuration. Some thought should be given to choosing a password. It is generally a bad idea to use the name of your spouse, pet, school mascot, phone number, favorite recording artist, or anything that someone may guess. It is also a good idea to include a character that is not a letter somewhere in your password. An example of a good password that would be difficult to guess is: SLICK%T$

If you need to change the password after initial installation, select the Password option within the Fortres 101 setup screen and proceed to enter your new password twice as prompted.

Installing is easy. From the Program Manager select the Run command from the File Menu (File | Run), type A:\SETUP, press Return. From the Fortres 101 Installation window select install.

After a brief time, Fortres 101 will ask for a password. This is the password that will be required to edit the settings of Fortres 101. The password (between 5 and 8 characters) must be entered twice for verification. To enter your password, type the password, Tab to the next field and enter the password again. Once both passwords have been entered, click on the OK button. If the same password is not entered twice, Fortres 101 will prompt you to enter two identical passwords before you can proceed.

The default options provide the most Windows interface security possible. As well as the minimal file security required, protecting the deletion of programs and modification of most system configuration files. Most administrators use the default options.

• User may not exit Windows.
• User may not add, remove, edit, or move icons from the program groups of Program Manager.
• User may not select any group other than one specified by the administrator.
• User may not use the Run command from the File menu of the Program Manager.
• User may not access the Windows Setup program.
• User may not use the Object Packager program.
• User may not execute the File Manager.
• User may not execute a DOS command shell.
• User may not move or resize the Program Manager.
• User may not enter the Control Panel.
• User may not adjust the settings for Control Panel modules.
• All DOS programs, device drivers, libraries and overlays are marked so that they may not be deleted.
• User may not stop or interrupt the boot process.

With the installation process complete there will be no further unsolicited interaction with Fortres 101 aside from the security it provides.

Following the installation you should reboot your computer in order to finalize the settings. This is the only case when rebooting is necessary.

If you are running a network with diskless workstations, Fortres 101 can be installed on those machines by following a slightly different procedure.

1. Create a directory on the file server (ex: fgc)
2. Copy the contents of the installation disk into that directory (ex: H:\> COPY A:\*.* H:\FGC)

3. Run the installation program from the workstation (H:\ FGC\SETUP) with the boot disk in the boot drive if the computer uses one.
4. Press the Install button and follow directions on the screen.

Fortres 101 was designed so that security options may be changed to affect the current session of Windows. As soon as OK is clicked on the Fortres 101 Setup Screen, any changes made in the security settings become active immediately. You do not need to restart Windows, or reboot the machine. This "hot" update (updating while the computer is still running) makes it trivial for the administrator to disable security, perform any Windows maintenance, and reenable security, all without rebooting.

In order to access the Fortres 101 setup screen, the following steps must be completed. This process is intentionally cumbersome to prevent users from accidentally, or intentionally stumbling across access to the password screen.

To access the Fortres 101 setup screen:

1. Click the right mouse button on the Program Manager title bar.
2. Within 5 seconds, click the left mouse button on the Program Manager title bar.
3. Within 5 seconds, select "New" from the File menu. (File | New)
4. Within 5 seconds, select "Exit Windows" from the File menu. (File | Exit Windows...). This will produce the password screen. If a password screen does not appear, repeat the preceding steps. Or, refer to the alternative method, hold down the ALT key and type WCFNFX.
5. Enter the correct password and the Fortres 101 setup screen will appear.

If you have a one-button mouse or a mouse that is configured to enter a double click with a right button click, or just prefer the keyboard:

1. Select Cascade from the Window menu. (Window | Cascade)
2. Within 5 seconds, select "New" from the File menu. (File | New)
3. Within 5 seconds, select "Exit Windows" from the File menu. (File | Exit Windows...). This will produce the password screen. If a password screen does not appear, repeat the preceding steps.
4. Enter the correct password and the Fortres 101 setup screen will appear.

You can also use the keyboard without the mouse to enter the password screen:

1. Press Alt W, Alt C
2. Within 5 seconds select Alt F, Alt N
3. Within 5 seconds select Alt F, Alt X
4. Enter the correct password and the Fortres 101 setup screen will appear

If these access methods are too difficult, an icon may be created to provide access to the password entry screen. This icon can be created by first turning off the Adding, Removing, Editing Icons and Opening, Closing, Moving Groups protection in Fortres 101.

Next select (File | New | Program Item) from Program Manager. Type C:\FORTRES.101\FORTRES.EXE in the command line box and click OK.

In order to select or deselect an option, click on the appropriate box with the left mouse button. Selections can also be made using the Tab key to move between fields and the space bar to toggle an option on or off. In addition, you can utilize the Alt key and the appropriate letter to activate an option (ex. Alt C for Cancel).

When you need to turn off all security options within Fortres 101, click on the Disable Security button and click OK. To reinstate the security, simply remove the mark from Disable Security and click OK.

The Fortes 101 setup screen is divided into ten major sections, Disable, File Protect, File System, Execution, Users, Diagnostics, Import/Export, Password, Uninstall, and About. The settings in the DOS section apply to files on the computer, while the settings in the Windows section apply to the behavior of Windows. Any of the file types that are checked in the DOS section will be marked as read-only and protected from modification. Checking options in the Windows section disables the feature described to the right of the check box. For example, if the File Manager is checked, security is active on the File Manager and users will not be able to access it. The individual options available in the setup screen are discussed below.

Disabling exit prevents the user from exiting Windows and subsequently accessing a DOS command shell. From the command shell, characterized by the c:\ > prompt, users are free to alter the contents the hard disk and programs of a computer. Access to the command prompt should never be allowed on a computer to which random users have access. Some people are under the impression that Windows must be formally shut down before turning off the computer. This belief is incorrect. The process that Windows goes through on exit is not necessary for Windows itself, or the computer. The standard Windows shut down procedure alerts all of the running programs that it is shutting down, prepares the machine to run DOS, and unloads itself. The latter two steps are necessary only to enable the DOS command shell to run. Since Fortres 101 is preventing access to the DOS command shell, neglecting these two steps is inconsequential. It is generally a good idea to close all of the running applications before turning off the computer. Some applications create temporary files, which may not be deleted until the individual program is exited through its own exit or close command. Windows will sustain no harm if turned off without going through the normal shut down or exit procedures.

Prevents users from adding, removing, editing, or moving icons, which is a graphical representation, as well as entry points to underlying applications. In general, users should never need to do this. When Windows is installed on a computer, it looks for any program files on the hard disk and displays icons to represent them. Installation programs will typically install icons to represent the application being installed. While there is little harm in allowing users to add icons (the screen can become very cluttered and difficult to navigate), deleting icons makes the underlying program nearly inaccessible. If for example, a user deletes the Write icon, most users would believe that Write was not on the machine, or would not know how to find it. In any event deleting the icon prohibits most users from accessing an application.

Moving icons is a bad idea because of some standards that users have grown to expect. For example, every Windows user knows that the Calculator application is in the Accessories window. If someone would move the Calculator icon to the Games window, most users would be unable to locate it.

Allowing users to edit icons presents another potential problem. If a user were to accidentally change a single letter in the icon information, the icon may become invalid, preventing access to the underlying application. Editing icons is a feature that even a simple minded mischievous user could use to access applications which the administrator has restricted. By editing an icon, the users can change the program that is activated by the icon. Users could change the command line option of the icon to run nearly any application. (File Manager, the Control Panel, and DOS command shell could still not be invoked using this method, if they are disabled on the Fortres 101 setup screen.)

Prevents users from opening, closing, moving, and resizing groups, which are the windows inside Program Manager containing icons. This option, when selected, guarantees that the system interface will always be exactly the same. This option allows for the construction of a single group with only those programs that users need to access. With this option, active users will not be able to access any program that is not in the administrator specified group. This option also prevents the groups from being hidden, resized, or minimized. The easiest interface for users is one where all program icons are in a single group that is maximized in the Program Manager. Arranging Windows like this and disabling the opening, closing, and moving of groups guarantees the users always see the same desktop when they approach the computer.

The Run command is an option of the File menu of Program Manager through which users can execute any program on the computer or on floppy disk. (File Manager, the Control Panel, and DOS command shell could still not be invoked using this method, if they are disabled on the Fortres 101 setup screen.) It is very dangerous to give user access to the Run command. From the Run command a user could format the hard disk or infect the computer with a virus, two very bad events.

The Setup program is used to change hardware specific information about a computer as it relates to the operation of Windows. No user should have access to the Setup program. Setup allows modification to vital system settings. Further, Setup provides a method for restarting Windows outside of Fortres 101.

The Object Packager is a program that allows for the creation of a variety of object components which may then be pasted into applications and activated. The Object Packager includes the ability to run any program on the hard disk, floppy disk, or a network drive. Users should not be given access to the Object Packager. In addition to preventing users from creating damaging objects inside the Object Packager, selecting this option will prevent user from inserting executables in word processors and spread sheets.

File Manager is a Windows program used in performing maintenance on the files and disks of a computer. From the File Manager, users can perform unlimited operations on the hard disk; files can be deleted, copied, and moved. Nearly any program can be activated from the File Manager. (The Control Panel and DOS command shell could still not be invoked using this method, if they are disabled on the Fortres 101 setup screen.) From the File Manager, users could format the hard disk or infect the computer with a virus, two very bad events.

The DOS prompt, characterized by the C:\> prompt, is the DOS command interpreter. From the DOS prompt, users may alter, erase, move, and execute any files or programs on the computer. Access to the command prompt should never be allowed on a computer to which random users have access. Disabling the DOS prompt ensures that the user will not be able to access the DOS prompt from inside of Windows, even if there is no other security active. For example, even if the users can get to an icon representing the DOS prompt, or issues a Run command for command.com (the file which implements the DOS command interpreter), Fortres 101 will stop any attempt to access a DOS prompt. Note: running some DOS-based programs may require the removal of this option. The DOS protection, discussed later, will remain in force, however.

The Program Manager of Windows contains all of the groups and icons. People often think that the Program Manager is Windows. However, Program Manager is just another Windows program, one that is capable of launching other Windows programs. Preventing users from moving or resizing Program Manager provides for a consistent interface by maintaining its size and position.

The Control Panel is a program that provides access to modules for modifying the system environment and hardware settings. Disabling the Control Panel disables only access to the Control Panel from the icon on the Windows Program Manager. The individual modules of the Control Panel (Color, Fonts, Ports, Mouse, Keyboard, Desktop, Printer, International, Time and Date) may still be accessed if they are invoked by some other application. For example, some word processors provide access to the printer setup without using the Control Panel. The individual items on the Control Panel may also be disabled.

A font is a collection of glyphs (characters) with similar appearance. For example, the Arial font is a collection of letters, numbers, and punctuation marks characterized by straight constant width lines and smooth constant width curves. From the Fonts module of the Control Panel users can view, delete, add, and disable True Type and bitmap fonts used by the entire system. There is no reason, in general, to allow users to access the Fonts module.

Ports are serial (1 bit at a time) communication devices usually accessed on the back of a computer. Modems, printers, scanners, pointing devices, and networks may all be connected to these ports. From the Ports module of the Control Panel users can change the speed and protocol of the serial ports. Each device that connects to a serial port must have some protocol for communicating with the machine, and agree on a communication speed. In general, there is no reason for users to have access to the Ports module.

From the Mouse module, users can change the sensitivity of the mouse. Changing the double click speed or the tracking may make the computer very difficult for some users to navigate. The double click speed refers to how quickly the user must press the mouse button for the machine to acknowledge a double click. Tracking speed refers to how far the mouse pointer on the screen moves relative to some unit of mouse movement on the mouse pad. Experienced users will like the tracking speed very fast, which is difficult for novice or occasional computer users.

From the Desktop module, users can change a variety of options affecting the interface environment. Users can change the pattern displayed in the background of the Desktop, the screen saver, cursor blink rate, icon spacing, and window border width. Allowing users to change these settings may compromise the pursuit of a standard interface appearance. One serious potential problem with giving users access to the Desktop module is that a password can be set for the screen saver. If the screen saver has a password, the only way to get back to Windows after the saver is activated is by rebooting the machine. Users should not have access to the Desktop module.

From the Keyboard module, users can change characteristics of the Keyboard repeat and repeat rate. When a key is pressed and held down after some interval it will begin to repeat at some rate. The interval of the delay and the rate at which it repeats is set in the Keyboard module. There is nothing harmful about letting the user access the Keyboard module.

The Printers module allows the user to access all of the settings that pertain to printers. Users can install and delete printer drivers, specify the ports to which printers are attached, affect how the output is delivered, and alter network printing behavior. Additionally, users can access specific print driver settings, like paper orientation and resolution. From the Printers module the users can cause innumerable printing problems, particularly on a network. Output can even be redirected to overwrite important system files. Typically, applications provide the user with enough options to direct printer output to the desired destination. Users should not have access to the Printer module.

From the International module, users can change characteristics specific to a language. The date, time, number, and currency display can all be changed. Users should not have access to the International module.

From the Date and Time module, users can change the system time and date. Users should not have access to the Date and Time module.

The Secure File System (SFS) component of Fortres 101 gives an administrator the ability to protect all or part of any local drive on the computer. The SFS does not rely on the typical DOS file attributes nor does it involve any type of hard drive restructuring. With SFS running, a user can even have access to a DOS prompt and not be able to alter or delete files that an administrator has protected.

There are two pages of the Fortres 101 Setup Screen that are used to configure the SFS, the File Protect page and the File System page, both of which are shown below. The File Protect page is used to set general file protection such as all files that have the extension EXE. The File System page is generally used for more advanced protection such as setting directories that a user cannot access.

The File Protect page of the Fortres 101 Setup Screen provides a quick and easy method for a system administrator to protect files on the hard drive. Boxes are provided that can be checked to protect files with common extensions like EXE, DLL, DRV, SYS, INI, 386, BAT, COM, OVL. Certain programs need to write to specific files in order to perform properly, whether it is an initialization file or a temporary file. To not protect a certain file click in the box labeled "Do Not Protect" and enter the name of the file that you do not want protected. Wildcards can be used to specify multiple files with similar names. In some cases a program needs to have access to a certain file that a user should not be able to modify. Putting the name of the file that needs to be protected in the box labeled "Protect" can do this. Again, wildcards may be used for multiple files with similar names.

Fortres 101 is capable of protecting certain files on the computer from being erased or altered. While protecting the files in this manner will prevent infection from certain viruses, this feature is intended to protect the system from accidental corruption. For example, if all files ending in COM are not protected, and a user decides to save a document as C:\command.com, the machine would not boot again without reinstalling DOS. In general, the only time that an administrator should turn this protection off is to install software. After the software is installed the file protection should be reactivated.

Files ending in EXE, COM, and BAT are programs that can be executed by the computer. EXE files are segmented binary executables, which may be DOS, Windows, or OS/2 programs. (The binary designation implies that humans cannot read the file, as it is in the machines native language.) EXE is the most common file extension for programs. COM files are single segment binary executable memory images, which may be DOS or OS/2 programs. BAT files are ASCII text DOS command files. These consist of human readable DOS command prompt commands. Files ending in EXE and COM, should never be modified. BAT files should only be modified by the system administrator. The only time that an administrator should turn EXE and COM protection off is to install software. After the software is installed, EXE and COM file protection should be reactivated.

Files ending in SYS are DOS device drivers, or DOS boot files. DOS device drivers are typically loaded early in the boot process from the config.sys file. The only SYS file that should ever be modified is the config.sys, which should only be modified by the system administrator. Device drivers are used to provide access to certain hardware devices, or to add features to DOS. Himem.sys is a device driver that adds managed extended memory (XMS) features to DOS. Int13cd.sys is a device driver which provides access to some CD-ROM drives.

Files ending in DRV and 386 are typically Windows device drivers. Printer drivers and video drivers for Windows almost always end in DRV. Windows enhanced mode device drivers typically end in 386. The only time that an administrator should turn DRV or 386 protection off is to install updated drivers. After the drivers are updated, DRV and 386 file protection should be reactivated.

Files ending in DLL are Windows dynamic link libraries. DLL's are components of Windows programs that contain segmented binary executable code and Windows resources. (The binary designation implies that humans cannot read the file, as it is in the machines native language. Windows resources are pictures, icons, fonts, etc.). The only time that an administrator should turn DLL protection off is to install software. After the software is, installed DLL file protection should be reactivated.

Files ending in OVL are DOS program overlays. OVLs are components of DOS programs that contain segmented binary executable code. OVLs are used by specific DOS programs and should never be modified. The only time that an administrator should turn OVL protection off is to install software. After the software is installed OVL file protection should be reactivated.

Files ending in INI are Windows initialization files. INI files are used for persistent storage (storage after the machine is shut down) of program information by Windows programs and by Windows proper. The only time that an administrator should turn INI protection off is to install software. After the software is installed INI file protection should be reactivated.

The File System page of the Fortres 101 Setup Screen provides complete control over the access of the local drives. (Note: in order to use this page, you must first remove the mark from No saving on local hard disk on the File Protect page. The hard drive protection will then need to be set using the File System page.) In this page an administrator can set any folder, file, or even the entire drive as full-access, read-only, or no access. The file protection is implemented in an inherited rights style. This means that if specific rights have not been assigned to an object, then that object inherits the rights of the object above it in the directory structure.

For example, if the Windows folder is marked as read only, then every file in every folder contained in the Windows folder will also be read only unless the administrator changes the access for a specific file or folder. This keeps an administrator from having to change the rights for every individual file on the drive. To change the rights for a file, folder, or drive select the object with the left mouse button. Once the object is selected use the right mouse button to loop through the security options. >R' means that the object can be opened but not saved or deleted, >X' means that the object cannot be opened, saved, or deleted. The CLEAR ALL button can be used to clear all of the attributes that have been set.

Fortes 101 has been tested with hundreds of software titles for compatibility. There are accommodations that Fortres 101 makes, regardless of the file protection that the user specifies. Some of these accommodations are necessary for Windows to start properly. Turning off this feature is dangerous. Do not do it unless you really know what you are doing. An example of one of the accommodations that Fortres 101 makes is ensuring that spool folder is not write protected, as that would make printing impossible.

Fortres 101 can be setup to prohibit certain applications from executing, by specifying an executable file name in the Do Not

Run section of the Execution tab. The execution of applications can also be controlled by marking individual executable program files with an >X' in the File System tab. Most administrators will find the Do Not Run method easier to use than the File System tab. Knowing that specifying a file in the Do Not Run section is equivalent to marking a file with an >X', read and write access can be denied for any file, not just programs, by placing it in this section. By checking the Prevent Running Programs from Floppies, user can be restricted from launching any programs from floppy disks. This will also prevent the user from copying executable program files from the floppy disk to the hard disk, regardless of the protection specified for the hard disk.

This screen needs to be used only if you want to restrict access to objects on the desktop that are not covered by the Windows-Disable page.

Access to programs represented by icons on the desktop can be controlled with the Users Screen. By default users have access to all objects on the desktop, the access to which is controlled from the Windows-Disable Screen. This screen needs to be used only when you want to prevent certain users from accessing certain User Groups. By associating a user with a User Group, a password will be required before that object is accessed.

Every item available on the desktop will be listed in the Users list. Up to 50 items can be associated with any one user.

Users can be created by pressing the New button, entering a user name, and a 5 character or greater password. User names and passwords can be edited by selecting the user and pressing the Edit button. Users can be deleted by selecting the user and pressing delete.

User Group access control is managed by associating User Groups with users. To do this select a user, then select the Groups that should require a password before any user accesses it.

Most DOS and Windows applications were written with the expectation that no file operations would be prevented for security reasons. This assumption, which no longer holds, can prevent applications from running properly with Fortres 101 providing file security. Fortres 101 records all file operation which it alters or blocks. This allows for the easy accommodation of the file access needs of any DOS or Windows programs. Any file operations which Fortres 101 alters or blocks can be displayed from the Diagnostic page, with the most recent file operation being displayed at the top of the list. This list is not persistent between boots, and is limited to the 50 most recent entries.

If a program crashes or does not behave properly with Fortres 101 running, check the Diagnostic page. Parse out the file name alone, (To the left of the brackets) without the path, and enter it in the Do Not Protect list in the File Protect page. Then run the problem application again. There are some applications from major software manufacturers that will not run properly after a crash without rebooting. It may be necessary to reboot to get the application to run again.

Fortres 101 may be set up in several ways however, we recommend the administrator set-up a public access group. In order to do this, Disable Security and create a public access group that contains all the program items that are needed. Once this group is established, open the group and size it as desired, hold down the shift key and double click in the upper left hand corner of the Program Manager. This will hold that window open during the reboot. This method is one of the simplest ways of establishing security on your system. Windows will only display the programs that are immediately available to the public and all other groups cannot be accessed.

Brief Installation Description: (Compaq Presario users see below)

1. Turn off any virus protection software (refer to software manual for instruction to do this).
2. Insert the Fortres 101 Installation Disk.
3. Click the Start button, and then choose Run.
4. In the Run dialog box type A:\SETUP, and then choose the OK button.
5. Press the Install button and follow directions on the screen.
6. See the section Preventing Boot Interruption with a System/Startup Disk below.

• If you are using a DOS Login Script, you must remove the check mark from "Disable DOS Login Scripts" in the Execution.

• To access the setup screen, hold SHIFT key and double click the Start button or press CRTL-SHIFT-ESC.
• To access the Advanced Configuration option simply click the check box within the Password dialog box.
• To interrupt Fortres 101 loading at boot time, press and hold both SHIFT keys after escalating tones begin and before punctuating beep.
• To silence sounds on boot, use the /Q parameter after FGSA in autoexec.bat.
• All saving to hard disk can be prevented with a single check in "No saving to local hard disks" on the File Protect tab.

Installation instructions for Fortres 101 and Compaq Presario computers Note: The following only needs to be performed if your Compaq Presario has "Homebase" installed. Regardless, the file SYSTEM.INI will need to be listed in the Do Not Protect list box on the File Protect tab.

1. Start Windows 95
2. From the Start menu, choose Run
3. Type sysedit and press enter
4. Switch to the System.ini file
5. Place a semicolon ‘;’ in front of the "shell=c:\compaq\…"
6. Create a new line "shell=explorer.exe"
7. Save the changes and exit the System Configuration Editor.
8. Restart the machine
9. Answer NO to the box that asks if you want to restore the Compaq shell (you may not get this message).
10. At this point Homebase should not be running.
11. Rename c:\compaq\homebase.exe to c:\compaq\qhombase.exe
12. From the Start menu, choose Run
13. Type sysedit and press Enter
14. Switch to the System.ini file
15. Delete the line "shell=explorer.exe" (the line you entered previously)
16. Remove the semicolon ‘;’ from in front of the "shell=c:\compaq\..." line
17. Save the changes and exit the System Configuration Editor
18. Restart Windows 95
19. At this point, Homebase should not be running
20. Install Fortres 101 and unprotect the system.ini
21. After the password is entered, the setup screen appears.
22. Switch to the "File Protect" page of the setup screen.
23. Add system.ini to the "Do Not Protect" list.
24. Press OK on the setup screen.
25. Restart the machine
26. The machine should restart with Fortres 101 running and Homebase not running
27. Make an adjustment for blocking F keys during boot process.
28. Restart the computer in MS-DOS mode.
29. At the Root, type "attrib –r –s –h winboot.ini". Press Enter.
30. Type "edit winboot.ini". Press Enter.
31. Go to the Options section. Add the following if they do not already exist:
1. BootWarn=0
2. BootKeys=0
3. BootSafe=0

Users upgrading from a previous version of Fortres 101 will need to close the currently running copy before installing this upgrade.

In order to properly turn off the old version of Fortres 101:

1. Access the Fortres 101 Setup Screen.
2. Click on the Cancel Button.
3. When queried about closing Fortres 101, click on the Yes button.
4. When notified that Fortres 101 is closed, click OK.

Upon completing these four steps, normal installation may follow.

The installation process consists of Fortres 101 copying its files to the hard disk, making backup copies of crucial system and configuration files, preventing user control during the boot process. The installation then proceeds to request a password, and displays the Fortres 101 setup screen. After selecting the desired options on the Fortres 101 setup screen and pressing OK, Fortres 101 enforces security.

The crucial system files of which Fortres 101 creates copies are:

• config.sys contains boot information and device driver references.
• autoexec.bat contains boot information and environment settings.
• win.ini contains settings for the Windows environment and user preferences.
• system.ini contains startup information for Windows which refers to hardware specifics.
• progman.ini contains information about the position and appearance of the Program Manager.
• [group files] Group files (typically ending in .grp) maintain information about finding programs on the computer including the program icons and locations.

The Fortres 101 installation is very compact and collected. Fortres 101 does not modify any system files, other than autoexec.bat and config.sys. All of the Fortres 101 files, as well as copies of important system files, are stored in a directory on the boot drive named \FORTRES.101\. This directory is created and then hidden. Fortres 101 copies no files anywhere else on your computer.

Preventing interruption of the boot process is accomplished in two steps. One step prevents interrupting config.sys, while the other prevents interrupting the autoexec.bat. In order to prevent users from using the function keys to interrupt the boot process at the config.sys level, the documented DOS switches=/F /N statement is inserted as the first line of the config.sys file. It is important that this line be the first line in the config.sys file. In order to prevent the autoexec.bat file from being interrupted, fgsl.sys is loaded from the config.sys file. Fgsl.sys is a device driver that prevents the Control-Break and Control-C commands from breaking the autoexec.bat file during execution.

Fortres 101 is loaded into memory every time the computer boots because of commands inserted into the autoexec.bat and the config.sys files. When a user boots the computer with a system disk (booting with a floppy), Fortres 101 can be bypassed. In order to prevent unauthorized users from bypassing Fortres 101, it is recommended that you change the boot sequence located in the BIOS of your machine.

The BIOS (Basic Input / Output System) can typically be accessed by hitting the delete key while the computer boots up. Once in the BIOS, choose the CMOS setup or the Advanced CMOS setup and change the boot sequence from a,c to c,a (‘a’ referring to disk drive and ‘c’ referring to hard drive). This change causes the computer to look to the hard disk first for the operating system and then if an error occurs, the disk drive. After changes are made in the BIOS it is recommended that it be password protected. Most BIOS systems allow the provision for password protection, to do so refer to the setup screen in your computer's BIOS.

If your computer does not have the capability to change the boot sequence, you can re-cable the floppy disk drive. In order to do this, examine the ribbon cable that runs to your floppy disk drive. There should be two connectors attached to the ribbon cable (one of which is connected to your floppy disk drive). There is a subtle difference between the two connectors. If you look at the ribbon cable that attaches to the connectors, one of them will have a section of ribbon that is twisted in the center. This is the connector that allows booting from that drive. If you disconnect that and connect the one without the twisted ribbon section, users cannot boot from that drive.

In the event you do not want Fortres 101 loaded when the machine boots up, there is a provision for interrupting Fortres 101's execution. While the machine is booting, you should hear an escalating series of tones followed by a punctuating beep. After the start of the escalating tones and before the completion of the punctuating beep, press and hold the left and right shift keys at the same time. If you do this properly (it may take several tries), you will be prompted for the Fortres 101 password. After correctly typing the password, you will be given the options:

Please Press:

1. To disable Fortres 101 for this boot,
2. 2. To run Fortres 101 in diagnostic mode for this boot.

Option 1, Disable Fortres 101 for this boot. This will prevent the Windows protection from loading. When disabling Fortres 101 in this manner, you will not be able to pop up the Fortres 101 setup screen in the normal manner. You can access the Fortres 101 setup screen by running fortres.exe in the hidden C:\FORTRES.101 directory, and then performing the Fortres 101 setup screen access method. See the section: Accessing the Setup Screen below.

Option 2, Run Fortres 101 in diagnostic mode. Diagnostic mode is useful in tracking file activity and interface action that Fortres 101 blocks in applications that lock the machine, preventing access to the Diagnostics tab in Fortres 101. While in diagnostic mode, Fortres 101 does not actually block any user activity, but records the activities that would conflict with the current security settings of Fortres 101. An example is useful. Suppose that application X, which is known to be a stable application, locks up the machine when run with Fortres 101 active. Since it not only crashes itself, but also locks the machine, it is not possible to see which Fortres 101 setting conflicted with the application. By setting diagnostic mode on, an administrator can run the application beyond the point at which it locks up, then check the Diagnostics page of Fortres 101 to look for conflicts.

Fortres 101 protects, by default, all files on the computer that should, generally, never be erased, nor modified. These files are programs, device drivers, overlays, and dynamic link libraries.

Though it protects all of these files upon installation, it is a trivial task for the administrator to toggle through the Fortres 101 setup screen.

After all installation tasks are completed Fortres 101 will ask for a password (between 5 and 8 characters). This password will be needed for any subsequent altering of the Fortres 101 configuration. Some thought should be given to choosing a password. It is generally a bad idea to use the name of your spouse, pet, school mascot, phone number, favorite recording artist, or anything that someone may guess. It is also a good idea to include a character that is not a letter somewhere in your password. An example of a good password that would be difficult to guess is SLICK%T$.

If you need to change the password after initial installation, select the Password tab within the Fortres 101 setup screen and proceed to enter your new password twice as prompted (be certain to use the Tab key to toggle between lines).

• User may not access the Explorer, or Find Files.
• User may not access the Start Menu.
• User may not access My Computer.
• User may not access Network Neighborhood.
• User may not access Recycle Bin
• User may not open Shell Context Menus.
• User may not execute a DOS command shell.
• All DOS programs, device drivers, libraries and overlays are marked so that they may not be deleted.
• User may not stop or interrupt the boot process.
• User may not alter icons.
• User may not move files in Explorer
• User may not access Shell Tool Bars
• User may not use the Shut Down feature of Windows 95.
• Administrator may also disable ALL Security with a single click.

Once Fortres 101 is installed, the default security options allow users access to the shell objects on the desktop with the exception of those listed in the Security Interface. If there is a shell object on

the desktop that users should not gain access to, the shell object must be moved off the desktop or a password should be associated with that object.

Fortres 101 was designed so that security options may be changed to affect the current session of Windows. As soon as OK is clicked on the Fortres 101 Security Interface, any changes made in the security settings become active immediately. You do not need to restart Windows, or reboot the machine. This "hot" update (updating while the computer is still running) makes it trivial for the administrator to disable security, perform any Windows maintenance, and re-enable security, all without rebooting.

In order to select or deselect an option, click on the appropriate box with the left mouse button. Selections can also be made using the Tab key to move between fields and the arrow key to select the different property sheets represented by the tabbed notebook pages. The space bar will toggle an individual option on or off.

To access the Fortres 101 setup screen, hold down Shift Ctrl Esc at the same time. An alternative method is to hold down the Shift key and double clicking the Start button. The password dialog box will appear.

The Fortres 101 security interface has two configurations, Basic and Advanced, and is divided into fifteen major sections, Windows - Disable, File Protect, File System, Execution, Shell Objects, Diagnostic, Password, Kiosk, User/Remote, Import/Export, Uninstall, Privileged Apps, Reg/Policy, Registry, and About.

The basic configuration gives the administrator access to the most used sections of the Fortres 101 setup screen. This section includes: Windows-Disable, File Protect, Password, Execution, Diagnostics, and About.

Advanced configuration provides full access to all fifteen sections of the Fortres 101 Security Interface. You can gain access to the advanced configuration by clicking the box in the lower left corner of password dialog box.

From the Windows-Disable page there are a number of Windows 95 Interface components to which you can control access.

The Windows 95 Explorer is an outline view of My Computer. The Explorer replaces the File Manager from Windows 3.x. From the Explorer, users can perform unlimited operations on the hard disk and the network. Users can move, copy, rename, compress, view and delete files and folders on your computer and the network. From the Explorer, users could format the hard disk or infect the computer with a virus, two very bad events.

The Start Menu allows users access to several Windows operating components. From the Start Menu users can launch specific programs that are on the hard drive, change the settings of Windows, find and execute programs, gain access to interactive help sessions, and run programs from either the hard or floppy drive.

My Computer is a component of Windows 95 that allows the user to search the contents of the computer's hard drive and all devices connected to it. From My Computer users can perform unlimited operations on the hard disk; files can be deleted, copied, and moved, to the extent that the Fortres 101 Secure File System allows. Giving users access to My Computer will allow them to execute any program displayed. From My Computer users could format the hard disk or infect the computer with a virus, two very bad events.

The Network Neighborhood component of Windows 95 gives users access to all network resources. All computers connected to the network can be accessed through this medium. The interface of the computers connected to the network is just like the My Computer interface. There is no reason to give users access to the Network Neighborhood because network settings can be changed.

The Recycle Bin provides the option to display the Windows 95 toolbar. From this toolbar, the user can get a tree view of the computer. This tree view allows the user to utilize the file options that can delete, rename or move files. For this reason, users should not be allowed to access the Recycle Bin.

Shell Folders are Explorer components that allow the viewing and manipulating of files on the local hard drives, network drives, and floppy drives. In general, there is no good reason to provide random users access to Shell Folders. Note: if you have folders on the desktop, you will need to have this option open.

Shell Context Menus

Shell Context Menus provide menu features of specific shell objects. Users can Open, Send to, Cut, Copy, Create shortcuts, Delete, Rename, and check Properties. Users should not gain access to context menus.

The DOS prompt, characterized by the C:\> prompt, is the DOS command interpreter. From the DOS prompt, users may alter, erase, move, and execute any files or programs on the computer. Access to the command prompt should never be allowed on a computer to which random users have access. Disabling the DOS prompt ensures that the user will not be able to access the DOS prompt from inside of Windows, even if there is no other security active. For example, even if the users can get to an icon representing the DOS prompt, or issues a Run command for command.com (the file which implements the DOS command interpreter), Fortres 101 will stop any attempt to access a DOS prompt. Note: If running DOS Programs, refer to Shell Objects on page 62).

This option will prevent the user from running a DOS application that runs once and returns to Windows when finished. Under most circumstances, there is no good reason to allow this to happen.

This feature of Fortres 101 prevents the user from moving, deleting, or editing an icon on the desktop. This is important because Fortres 101 uses the name of the icon to enforce the security within Windows.

This option allows for the moving of files in shell folders. Moving of icons is limited with the disabling of Altering Icons. Move files in explorer extends the icon protection from the Altering Icons to shell folder.

Shell Tool Bars can appear at the top of shell folders. By disabling shell tool bars, you can reduce the ability of users to browse resources on the computer. It also gives the user access to some of the features available in context menus.

There are two options for shutting down the computer.

Option 1: Leave the shut down box unchecked and the start menu checked in the Windows-Disable Page. With this option, the user can access a shutdown screen by clicking the start button or pressing Alt F4.

Option 2: Place a check mark in the shut down box in the Windows Disable Page. With this option, you will need to create a shortcut on the desktop. Type "c:\fortres.101\fgclo.exe /n" in the command line. The user will need to double click on the icon to access a shutdown screen.

The Secure File System (SFS) component of Fortres 101 gives an administrator the ability to protect all or part of any local drive on the computer. The SFS does not rely on the typical DOS file attributes nor does it involve any type of hard drive restructuring. With SFS running, a user can even have access to a DOS prompt and not be able to alter or delete files that an administrator has protected.

There are two pages of the Fortres 101 Setup Screen that are used to configure the SFS, the File Protect page and the File System page, both of which are shown below. The File Protect page is used to set general file protection such as all files that have the extension EXE. The File System page is generally used for more advanced protection such as setting directories that a user cannot access.

The File Protect page of the Fortres 101 Setup Screen provides a quick and easy method for a system administrator to protect files on the hard drive. Boxes are provided that can be checked to protect files with common extensions like EXE, DLL, DRV, SYS, INI, 386, BAT, COM, OVL. Certain programs need to write to specific files in order to perform properly, whether it is an initialization file or a temporary file. To not protect a certain file click in the box labeled "Do Not Protect" and enter the name of the file that you do not want protected. Wildcards can be used to specify multiple files with similar names. In some cases a program needs to have access to a certain file that a user should not be able to modify. Putting the name of the file that needs to be protected in the box labeled "Protect" can do this. Again, wildcards may be used for multiple files with similar names.

Files ending in EXE, COM, and BAT are programs that can be executed by the computer. EXE files are segmented binary executables that may be DOS, Windows, or OS/2 programs. (The binary designation implies that humans cannot read the file, as it is in the machines native language.) EXE is the most common file extension for programs. COM files are single segment binary executable memory images which may be DOS or OS/2 programs. BAT files are ASCII text DOS command files. These consist of human readable DOS command prompt commands. Files ending in EXE and COM, should never be modified. BAT files should only be modified by the system administrator. The only time that an administrator should turn EXE and COM protection off is to install software. After the software is installed, EXE and COM file protection should be reactivated.

Files ending in SYS are DOS device drivers, or DOS boot files. DOS device drivers are typically loaded early in the boot process from the config.sys file. The only SYS file that should ever be modified is the config.sys, which should only be modified by the system administrator. Device drivers are used to provide access to certain hardware devices, or to add features to DOS. Himem.sys is a device driver that adds managed extended memory (XMS) features to DOS. Int13cd.sys is a device driver, which provides access to some CD-ROM drives.

Files ending in DRV and 386 are typically Windows device drivers. Printer drivers and video drivers for Windows almost always end in DRV. Windows enhanced mode device drivers typically end in 386. The only time that an administrator should turn DRV or 386 protection off is to install updated drivers. After the drivers are updated, DRV and 386 file protection should be reactivated.

Files ending in DLL are Windows dynamic link libraries. DLL's are components of Windows programs that contain segmented binary executable code and Windows resources. (The binary designation implies that humans cannot read the file, as it is in the machines native language. Windows resources are pictures, icons, fonts, etc.) The only time that an administrator should turn DLL protection off is to install software. After the software is installed DLL file protection should be reactivated.

Files ending in OVL are DOS program overlays. OVL's are components of DOS programs that contain segmented binary executable code. OVL's are used by specific DOS programs and should never be modified. The only time that an administrator should turn OVL protection off is to install software. After the software is installed OVL file protection should be reactivated.

Files ending in INI are Windows initialization files. INI files are used for persistent storage (storage after the machine is shut down) of program information by Windows programs and by Windows proper. The only time that an administrator should turn INI protection off is to install software. After the software is installed INI file protection should be reactivated.

The file protection for the specific files or file extensions listed in the File Protect and Execution pages can be applied to or removed from the floppy drive by simply clicking the box. This can be useful for the administrators who would like to allow the users the ability to download files from the Internet or save programs written by Computer Science students to a floppy disk.

The file protection for the specific files or file extensions listed in the File Protect and Execution pages can be applied to or removed from the network drives by simply clicking the box. This can be useful for the administrators who would like to allow the users the ability to download files from the Internet or save programs written by Computer Science students to a network drive.

By checking this option the user will not be able to create, modify, or erase any files on the floppy disk. See the Execution page description for preventing users from executing programs from floppy disk.

By checking this option the user will not be able to create, modify, or erase any files on any local hard disks. This also has the effect of preventing users from installing their own software or downloading files from the Internet to the local machine. If users need to have storage on the hard drive, a location can be specified by checking "But allow saves in directory:" and specifying a writeable directory.

Fortres 101 is capable of protecting certain files on the computer from being erased or altered. While protecting the files in this manner will prevent infection from certain viruses, this feature is intended to protect the system from accidental corruption. For example, if all files ending in COM are not protected, and a user decides to save a document as C:\command.com, the machine would not boot again without reinstalling DOS. In general, the only time that an administrator should turn this protection off is to install software. After the software is installed the file protection should be reactivated.

The File System page of the Fortres 101 Setup Screen provides complete control over the access of the local drives. In this page an administrator can set any folder, file, or even the entire drive as full access, read-only, or no access. The file protection is implemented in an inherited rights style. This means that if specific rights have not been assigned to an object, then that object inherits the rights of the object above it in the directory structure. For example, if the Windows folder is marked as read-only, then every file in every folder contained in the windows folder will also be read-only unless the administrator changes the access for a specific file or folder. This keeps an administrator from having to change the rights for every individual file on the drive. To change the rights for a file, folder, or drive select the object with the left mouse button. Once the object is selected use the right mouse button to loop through the security options. >R' means that the object can be opened but not saved or deleted, >X' means that the object cannot be opened, saved, or deleted. The CLEAR ALL button can be used to clear all of the attributes that have been set.

Fortres 101 can be setup to prohibit certain applications from executing. By specifying an executable file name in the Do Not Run section of the Execution tab. The execution of applications can also be controlled by marking individual executable program files with an >X' in the file system tab. Most administrators will find the Do Not Run method easier to use than the File System tab. Knowing that specifying a file in the Do Not Run section is equivalent to marking a file with an >X', read and write access can be denied for any file, not just programs, by placing it in this section.

This setting must not be checked if you are running a Login Script that uses DOS commands.

By checking the Prevent Running Programs from Floppies, users can be restricted from launching any programs from floppy disks. This will also prevent the user from copying executable program files from the floppy disk to the hard disk, regardless of the protection specified for the hard disk. Note: For the administrators who wish to grant permission for users to download programs from the Internet or programming students saving to the floppy drive, this option must not be selected.

If there is a finite list of executable programs on the computer’s hard drive that you want accessible to users, it is recommended that you utilize the following procedure. First, make an entry of *.exe in the Do Not Run list box under Execution. Second, list the executables for the programs that users should have access in Protect under File Protect (Do not forget the background applications such as Explorer). This procedure is a manipulation of the Secure File System by marking all exe files as "No Access" and then making exception to that list through the entries made in Protect. It is likely that after implementation of this procedure, there may be some exe files that need to be added to the Protect. In order to identify these, refer to the Diagnostic tab in Fortres 101.

This page needs to be used only if you want to restrict access to the objects on the desktop that are not covered by the Windows Disable page or you are running DOS-based programs.

Access to programs represented by icons on the desktop can be controlled with the Shell Objects page. By default users have access to all objects on the desktop, with the exception of system components like My Computer and Network Neighborhood, the access to which is controlled from the Windows-Disable page. This page needs to be used only when you want to prevent certain users from accessing certain shell objects. By associating a user with a shell object, a password will be required before that object is accessed. If for example, there is an application called foo.exe represented by an icon on the desktop, any user would be able to execute foo.exe. But, by associating foo.exe with some user, a password for that user will be required before a user could access foo.exe.

Every item available on the desktop will be listed in the Shell Objects lists. Up to 50 items can be associated with any one user.

Users can be created by pressing the New button, entering a user name, and a 5 character or greater password. User names and passwords can be edited by selecting the user and pressing the Edit button. Users can be deleted by selecting the user and pressing delete.

Shell Object access control is managed by associating Shell Objects with users. To do this select a user, then select the Shell Object that should require a password before any user accesses it.

The user NO ACCESS is always present in the user list. Associating shell objects with NO ACCESS prevents access to those objects, even if some user has been granted password access.

The user NEEDS DOS is always present in the user list. Associating shell objects that require access to a command.com interpter with NEEDS DOS will allow proper operation for most of these programs. Note: in rare instances, the program may require removing the check from DOS Prompt in the Windows Disable page.

Most DOS and Windows applications were written with the expectation that no file operations would be prevented for security reasons. This assumption, which no longer holds, can prevent applications from running properly with Fortres 101 providing file security. Fortres 101 records all file operation that it alters or blocks. This allows for the easy accommodation of the file access needs of any DOS or Windows programs. Any file operations which Fortres 101 alters or blocks can be displayed from the Diagnostic page, with the most recent file operation being displayed at the top of the list. This list is not persistent between boots, and is limited to the 50 most recent entries.

If a program crashes or does not behave properly with Fortres 101 running, check the Diagnostic page. Parse out the file name alone, (to the left of the brackets) without the path, and enter it in the Do Not Protect list in the File Protect page. Then run the problem application again. There are some applications from major software manufacturers that will not run properly after a crash without rebooting. It may be necessary to reboot to get the application to run again.

This option prevents the user from performing a warm boot of the machine.

Fortres 101 has been tested with hundreds of software titles for compatibility. There are accommodations that Fortres 101 makes, regardless of the file protection that the user specifies. Some of these accommodations are necessary for Windows to start properly. Turning off this feature is dangerous. Do not do it unless you really know what you are doing. An example of one of the accommodations that Fortres 101 makes is ensuring that spool folder is not write protected, as that would make printing impossible.

Every time that a password dialog box is displayed in Fortres 101 a random number appears in the title bar. From this number, Fortres Grand Corporation can generate a single time use password, for forgotten passwords. Checking Disable backdoor password can turn off the generation of this number. Note: if you choose to do this, the only way to get around a forgotten password is to reinstall Fortres 101.

Diagnostic mode is useful in tracking file activity and interface action that Fortres 101 blocks in applications, which lock the machine, preventing access to the Diagnostics tab in Fortres 101. In diagnostic mode, Fortres 101 does not actually block any user activity, but records all activities that would conflict with the current security settings of Fortres 101. An example is useful:

Suppose that application X, which is known to be a stable application, locks up the machine when run with Fortres 101 active. Since it not only crashes itself, but also locks the machine, it is not possible to see which Fortres 101 setting conflicted with the application. By setting diagnostic mode on, an administrator can run the application beyond the point at which it locks up, then check the Diagnostics page of Fortres 101 to look for conflicts. Fortres 101 can also be forced into diagnostic mode at boot time. See the section on interrupting Fortres 101 at boot time for details on this operation.

Any time the user performs some operation that is blocked by the Windows-Disable page settings, it appears in the Failed Interface Actions list box. This box can be used in diagnosing conflicts between ill-behaved applications and Fortres 101. The text that appears in this list box corresponds exactly with the description of the security option in conflict from the Windows Disable page.

By clicking the Clear button, it will not be necessary to reboot the computer to distinguish between new and old information in the Diagnostics page.

By clicking the Print button, a complete description of all Fortres 101 option settings, including Diagnostics, will be sent to the printer.

Kiosk mode is used to dedicate a computer to a single application. When in kiosk mode, the user is unable to close, move, resize, or switch away from a single application. With kiosk mode on, as soon as one of the supported applications becomes active, it is maximized to full screen, and brought to the foreground. The administrator can temporarily disable kiosk mode by attempting to close the application and entering the Fortres 101 administrative password. Kiosk mode will then remain disabled until the next boot, or the next exit from the Fortres 101 setup screen.

It is a simple matter for Fortres 101 to add kiosk support for other application. Unfortunately, this is a function Fortres Grand Corporation must perform at this time. Please call us if you need kiosk support for an application not currently listed.

The Users/Remote page of Fortres 101 is used to perform a variety of functions provided for compatibility with Fortres CC, Central Control Module, which is available separately. Please note that we do not provide technical support for this page. It is provided for compatibility with our central control software, for which we do provide technical support.

From this screen Fortres 101 can enable itself to be remotely controlled, specify alternate locations for Fortres 101 configuration files, or cause Fortres 101 to load user specific settings upon login.

All Fortres 101 workstations on a network can be controlled from a single station using our central control software, Fortres CC. Checking this option tells Fortres 101 to listen for commands from the central control with the serial number specified.

This allows the administrator to specify a location in which Fortres 101 should look for Fortres 101 configuration files. The folder specified can be a traditional DOS path (ex. C:\SECURITY\) or a UNC path name (ex. \\BEAVIS\C\SECURITY\). The use of this function is fairly limited and available primarily for use with our central control software.

When Windows starts, Fortres 101 loads default.fg3 from the folder in which fortres.exe is located, typically C:\FORTRES.101. When a user login occurs and Explorer loads, Fortres 101 will look in the folder specified in Use Alternate Security Folder for default.fg3 or a user security file (see Multi-User below). If an appropriate Fortres 101 configuration file is found it is loaded and the running security is updated accordingly. If an appropriate Fortres 101 configuration file is not found Fortres 101 turns all security on and makes local hard disks read-only.

Turning on Multi-User security causes Fortres 101 to look for a user-named Fortres 101 configuration file whenever a user login occurs and Explorer starts. Fortres 101 looks in the directory where fortres.exe is located or in the folder specified in Use Alternate Security Folder for a Fortres 101 configuration file with the name preceding the FG3 extension that is the same as the current user name. The current user name can always be determined by pressing the Info button on the Users page.

The refresh button can be used to refresh the list of user defined in the folder where fortres.exe is located or the folder specified in Use Alternate Security Folder.

To create the user specific Fortres 101 configuration files, either use our multi-user or export settings for each user by name.

The Import/Export page is useful when changing option selections within the Fortres 101 configuration. By using this page, you will not need to type the settings into every computer. Once you have setup a satisfactory configuration, you can export those settings to a floppy disk or a network drive. Then, simply access the Fortes 101 Security Interface and import that file on the next computer.

From this page administrators can assign certain applications the ability to write to specific file names or file extensions. For example, Microsoft Office products need to write to their own files to operate properly (see the Troubleshooting section for assistance). By listing the complete path to the Office directory and listing the file extensions that those programs need to access, the Office programs will be allowed to operate without interference. Failing to assign specific files or extensions is serious and important. Do not add an application to the privileged list with *.* as files to unprotect unless you are certain that there is no way for a user to employ it in wreaking havoc on the computer. The use of this should be restricted to device drivers and the like. The File Protect page should be used for granting all applications access to certain files on the disk.

There are certain times when granting an application privileged access to all files is the best thing to do. As an example, the multiple protocol router (MPREXE.EXE) of Windows 95 needs to write, on occasion, to the hard disk and the registry. Not allowing it to do so will impair Windows networking when using certain protocols. MPREXE.EXE is a perfect candidate for privileged application status. MPREXE.EXE provides the user with no methods of hacking the hard disk and it uses files that the user should not be allowed to write to. MPREXE.EXE needs to write to SYSTEM.INI and *.PWL files that could be used for nefarious purposes if specified in the DO NOT PROTECT section of the File Protect page. By specifying MPREXE.EXE as a privileged application with access to all files (*.*) and clicking No Registry Restrictions, it is allowed to do anything that it needs to do to the registry and hard disk.

The Reg/Policy page provides easy access to Windows 95's built in security features. While Windows 95's built in security is ineffective, generally easy for users to disable, and unnecessary while running Fortres 101, this page is provided for administrators who have fantasies about registry based security under Windows 95.

The only Technical Support provided by Fortres Grand Corporation for any questions or problems resulting from the Reg/Policy page can be found in the Troubleshooting section of this manual. This is a Windows 95 interface Fortres 101 includes it for convenience. Questions or problems should be directed to the Microsoft Windows 95 Resource Kit published by Microsoft Press.

The Registry page of the Fortres 101 Setup Screen provides complete control over the access of the Registry. In this page, an administrator can set any key as read-only. The registry protection is implemented in an inherited rights style. This means that if specific rights have not been assigned to an object, then that object inherits the rights of the object above it in the registry tree structure. For example, if HKEY_Local_Machine\Software is marked as read only, then every key and value contained in the SOFTWARE key will also be read-only unless the administrator changes the access for a specific key or value. This keeps an administrator from having to change the rights for every individual key or value in the Registry. To change the rights for a key or value, select the object with the left mouse button. Once the object is selected use the right mouse button to lock the key as read-only. The CLEAR ALL button can be used to clear all of the attributes that have been set.

Windows 95 has a number of areas from which a user could do a great deal of damage. For this reason, it is highly recommended that all of the security of Fortres 101 is utilized. All applications that the user accesses should be placed on the desktop as shortcuts.

• Turn off Opening, Closing, Moving Groups and open the group you want users to have access to. Once open turn the security back on. (Win 3.x only)

The password no longer works to access the setup screen.

• Call Fortres Grand Corporation to get a new password.

I can't get the password screen to appear.

• Try using the alternative series of mouse clicks to bring up the password screen. (Win 3.x)
• Try holding the Alt key and tapping W,C,F,N,F,X (Win 3.x)
• Try Ctrl-Shift-Esc (Win 95)

How do I tell if Fortres 101 is loaded and running?

• In Program Manager choose About Program Manager or (Help | About Program Manager). If Fortres 101 is loaded and running, the Fortres Grand Corporation logo will flash in the lower right-hand portion of the screen. If the logo does not appear, reboot the machine and Fortres 101 should load.

Program X locks

• Check the Diagnostic Page after the program crashes to find any file conflicts.
• If Program X freezes the machine, turn on Diagnostic Mode (within the Diagnostics Page) before running the application.

I can't access Help without error messages.

• Add *.HLP, *.CNT, and *.FT? to the "Do Not Protect" list in the File Protect Page.
• Refer to the Diagnostics page to check for any file conflicts.

The computer hangs after Win NT Login Script runs.

• Add LMSCRIPT.$$$ in Do Not Protect list on the File Protect page.

• Remove check mark from "Disable DOS Login Scripts" from the Execution page.

I don’t want to give the users the ability to Shutdown or I don’t want to give the user the option to Log on as a new user.

• A shortcut to the Shutdown program will need to be added to the desktop. Follow these procedures:

1. Disable Fortres 101.
2. Right click on blank spot of desktop.
3. Choose New à Shortcut
4. Enter "c:\fortres.101\fgclo.exe(space)/PARAMETER"

• /n – will only give option to shutdown.
• /s – will give both options. Shutdown or Log on as new user.

1. Click Next.
2. Choose a name for the shortcut (Suggest: Shutdown)
3. Click Finish
4. Reenable Fortres 101. Note: If desirable, a password for the icon can be set using the Shell Objects page.

Some of my CD-ROM programs won’t run. I get some message about command.com.

• Associate the program with NEEDS DOS in the Shell Objects page.

1. Click on user name "Needs DOS"
2. Click on the Shell Object that needs access to command.com.
3. Click OK.

• If the program gives you that error message when you exit the program, do the following:

1. Add the path to the program’s EXE in the Privileged Application page.
2. Allow limited privilege to the file command.com

I can’t download programs from the Internet to my floppy or network drives.

• Remove the check marks from Prevent Running Programs from Floppies on the Execution page and either Apply to floppies or Apply to network drives on the File Protect page.

I get an error message stating that it cannot write to the Registry.

• Check the Diagnostics page to determine if you need to unprotect a certain key in the Registry.
• Make sure you have checked "Auto-Modify file settings" in the Diagnostics page.

I want to give the users the ability to change their screen saver settings.

• Complete the following procedures:

1. Remove the check mark from My Computer on the Windows Disable page.
2. Select the user name No Access and click on the shell object, My Computer in the Shell Objects page. (This blocks the user from accessing the icon)
3. Add c:\windows\rundll32.exe as a Privileged Application with limited privilege to the system.ini file.
4. If you give access to the Start Menu, you will want to list *.CPL in the Do Not Run list on the Execution page.

My Dial-up connection or Telnet won’t run.

• Complete the following:

1. Remove the check mark from My Computer on the Windows Disable page.
2. Select the user name No Access and click on the shell object, My Computer in the Shell Objects page. (This blocks the user from accessing the icon)
3. If using Windows Dialer, add telephon.ini to the Do Not Protect list on the File Protect page.
4. Click OK.

I disabled (or uninstalled) Fortres 101 and Network Neighborhood (or something similar) doesn’t appear on my desktop.

• You have used the Reg/Policy tab. This page is an interface for Windows policies and not part of the normal function of Fortres 101. Any settings within this page will stay in effect until they are completely removed from the computer regardless of the status of Fortres 101. The following steps must be completed to remove the settings:

1. Go to the Reg/Policy tab.
2. Make sure there is a check mark in "Use System Policies (Hint: Don’t)"
3. Click on Deselect All.
4. Make sure there is not a check in "Disable Security"
5. Click OK.
6. Re-access the Fortres 101 setup screen.
7. Remove the check mark from "Use System Policies (Hint: Don’t)"
8. Click OK.
9. Reboot your computer.

How do I set a program to run in Kiosk mode?

• The program can be sent to Fortres Grand Corporation to be programmed in Kiosk mode (allow 4-6 weeks).
• Only allow that program icon to be accessed on the desktop.

1. Associate No Access with all shell objects except that particular program in the Shell Objects page.

OR

2. Complete the following:

1. Add *.EXE in the Do Not Run list on the Execution page.
2. List all the programs executable file names in the Protect list on the File Protect page that need to run. Note: All background applications will need to be listed. (i.e. explorer.exe, rundll.exe, and etc.) If you have missed any application, the file name can be found in the Diagnostics page.
3. This procedure will block all programs from executing with the exceptions you set.

I have a program on my server that updates files on the local machine periodically. I don’t want to disable Fortres 101 all the time to complete the operation.

• You will need to list the complete path (best to map the drive) to the executable that performs the updates in the Privileged Application page. You will need to give the program complete file privilege.

I am having a problem getting my printers to work.

• Try adding LPT1 or LPT2 (if used) in the Do Not Protect list on the File Protect page.
• Look in the Diagnostics page for any file conflicts.

When a user signs onto a computer for the first time, the computer hangs.

• Add *.PWL to the Do Not Protect list on the File Protect page.

When a user signs logs off and logs back on as a new user, Fortres 101 protection is not active.

• You will need to set Fortres 101 up to load Dynamically.

1. Disable Fortres 101.
2. Type sysedit in the Run Command.
3. Edit the "c:\fortres.101\fgsa.exe /A" line in the autoexec.bat.
4. Add a space and the parameter /U after the /A.
5. Save the changes and exit the configuration editor.
6. Type regedit in the Run Command.
7. Go to the following path: HKEY_LOCAL_MACHINE\SOFTWARE\
   Microsoft\Windows\CurrentVersion\RunServices
8. If you do not have RunServices, you should create a new key under CurrentVersion for it.
9. Once in RunServices, you need to right click on the right box. Go to New à String Value.
10. Name the string, Fortres 101
11. Right click on the name you just created and select Modify.
12. Type the path "c:\fortres.101\fortres.exe" as the value data.
13. Make sure you have regedit.exe listed in the Execution page.

The icons align themselves to the left when I reboot.

• Check the Registry tab to see if you have block that part of the Registry.

• You have possibly used the Reg/Policy tab. This page is an Interface for Windows policies and not part of the normal function of Fortres 101. Any settings within this page will stay in effect until they are completely removed from the computer. The following steps must be completed to remove the settings:

1. Go to the Reg/Policy tab.
2. Make sure there is a check mark in "Use System Policies (Hint: Don’t)"
3. Click on Deselect All.
4. Make sure there is not a check in "Disable Security"
5. Click OK.
6. Reaccess the Fortres 101 setup screen.
7. Remove the check mark from "Use System Policies (Hint: Don’t)"
8. Click OK.
9. Reboot your computer.

My computer won’t start since the time changed to/from Daylight Savings Time.

• Complete the following steps:

1. Restart the computer.
2. When you hear the escalating tones from Fortres 101, hold down the right and left SHIFT keys.
3. Enter your Fortres password.
4. Choose Option 1.
5. Allow the computer to boot and following the instructions for changing the time.
6. Reboot the computer to reactivate Fortres 101.

Assistance with programs:

• Accelerated Reader

1. Add the path to the program’s EXE as a Privileged Application.
2. Give the program limited privileged to the system.ini and win.ini files.

• 1996 Grolier’s Multimedia Encyclopedia

1. Add the path to the program’s EXE as a Privileged Application.
2. Give the program limited privilege to the path of the directory.
   Ex) c:\program files\groliers interactive\gme96\

• 1997 Grolier’s Multimedia Encyclopedia

1. Add the path to the program’s EXE as a Privileged Application.
2. Give the program limited privileged to:

1. GE97.*
2. COL_FILE.MAP
3. DEFAULT.COL

• Family Archive Viewer

1. Add the path to the program’s EXE as a Privileged Application.
2. Give the program limited privileged to *._I

• Microsoft Office Products

1. Add the path to folder containing the each program’s EXE as a Privileged Application (see image on page 71 for an example).
2. Give the programs limited privileged in the following manner:

1. Access -- *.MD? , *.LDB , *.LNK
2. Clip Art -- *.C?G
3. Excel -- *.XL?
4. PowerPoint -- *.232 , *.FEN
5. Word --

• Netscape

1. May need to add SENT to the Do Not Protect list on the File Protect page.
2. May also need to unprotect the Cache directories if the program appears to run slower. (Do this through the File System page)
3. If running Communicator 4.03, need to list the path to the EXE as a Privileged Application. Give it limited privilege to _HASH*

• Internet Explorer

1. Remove check mark from Shell & IE Tool Bars on Windows Disable page to get the buttons in the program and Start Menu options.
2. May also need to unprotect to Temporary Internet Files directory if the program appears to run slower. (Do this through the File System page)

• Streets USA

1. Add the path to the program’s EXE as a Privileged Application.
2. Give the program limited privilege to the path of the directory.
   Ex) c:\program files\streets\

• Encyclopedia Brittancia

1. Add the path to the program’s EXE as a Privileged Application.
2. Give the program limited privilege to BCD.INI and G.INI

• Reader’s Guide Abstracts Full Text Mega Disk

1. Add the path to the program’s EXE as a Privileged Application.
2. Give the program limited privilege to *.LOG and UP.DAT

• Skills Bank 4

1. Add the path to the program’s EXE as a Privileged Application.
2. Give the program limited privilege to *.DBF , *.CDX , and *.FOT

• World Book Multimedia Encyclopedia (version 3.2)

1. Add the path to the program’s EXE as a Privileged Application.
2. Give the program limited privilege to DEBUG and VM0*

• RoboCad

1. Add the path to the program’s EXE as a Privileged Application.
2. Give the program limited privilege to the path of the directory. Ex) c:\_!robo\
3. Also set limited privilege to _!RSESSN

• Ebsco Full Text Elite

1. Add the path to the program’s EXE as a Privileged Application.
2. Give the program limited privilege to *.WRK , 344* , and *.PRE

• Word Perfect

1. Add the path to the program’s EXE as a Privileged Application.
2. Give the program limited privilege to:

1. Version 7 – PFPJOBCM.{PB
2. Version 5.1 – WP*.SET
3. Version 3.1 – WP}*.*

• Programming programs (C++, etc.)

1. (skip to step 3 if you only want to save to floppy or network drive) Otherwise, add the path to the Compiler and Linker (in some cases this will be the same program) as a Privileged Application.
2. Give those programs (Compiler and Linker) limited privilege to the path of the directory of the program (C++). EX) c:\tc\ or c:\tc45\ .
3. To allow saves to the floppy or network drive, you will need to remove the check marks from No savings on floppies on the Execution page and either Apply to floppies or Apply to network drives on the File Protect page.

• Floating Point Error with C++ (windows version)

1. Add the following statement to the source code of the program being created: _asm finit;
2. The statement will initialize the floating point.

FGSA.EXE is a program that runs each time the computer is booted. FGSA.EXE confirms the integrity of Fortres 101. Additionally, FGSA.EXE provides administrators with a method of preventing Fortres 101 from loading when Windows starts. This load suppression is only in effect until the next time that FGSA.EXE is executed, which happens upon boot. FGSA.EXE can be executed by the administrator outside of the boot process to reactivate Fortres 101 loading without rebooting the machine, as well as perform some other functions as described below.

In order to suppress the loading of Fortres 101, the administrator must first notify FGSA.EXE of this intention by simultaneously holding down the left and right shift keys during the boot process.

This key combination will prompt the administrator for the Fortres 101 password. If the correct password is entered, FGSA.EXE will respond with a message confirming that Fortres 101 will not load. See the Bypassing Fortres 101 During Boot Sequence section above for details on this operation.

FGSA.EXE is a useful tool for administrators wishing to employ some of the advanced features of the Fortres 101 Security system. FGSA can accept parameters to perform a variety of low-level functions. The parameters may be specified in the autoexec.bat file, from the command line, from within custom batch files, or from inside Windows. The format is as follows.

FORMAT: FGSA [/A] [/S] [/U] [/L] [/Q] [/R:path name] [/?]

/A - allow command.com to load

/S - prevent command.com from loading

/U - prevent Windows load of Fortres 101

/L - cause Windows load of Fortres 101

/Q - quiet mode -- displays no output

/R:path name -- specifies the full path and file name of fortres.exe.

/? - Display Help screen.

/A

Allowing command.com to load is a feature that is sometimes necessary for certain configurations in which some command executed in the autoexec.bat file may need to launch a copy of command.com. Once this feature is activated it is in effect until either the FGSA /S is executed, or Windows starts.

/S

Explicitly prevents command.com from loading after FGSA /A is issued to allow command.com to execute. This may be used in conjunction with /A inside of the autoexec.bat file in the following manner:

FGSA /A

< some autoexec.bat statements that requires command.com>

FGSA /S

/U

Fortres 101 can be prevented from loading upon entry into Windows by specifying FGSA /U. This has the same effect as holding the shift keys during boot and typing in the correct password. This state of not loading will stay in effect until the machine is rebooted or the FGSA /L command is executed.

/L

Fortres 101 will load when Windows starts after issuing the FGSA /L command. This is the default behavior of FGSA, and is only necessary if the FGSA /U command has previously been executed, or loading was prevented with the shift keys and password.

/Q

FGSA can be executed without reporting any information on the screen and without making any noise. This is sometimes the preferred behavior when using FGSA in certain batch files.

/R:PATH NAME

FGSA can be used to alter the location of the Fortres 101 files. By default, when it starts, Windows tries to load Fortres 101 as C:\FORTRES.101\FORTRES.EXE. If an administrator wishes to share a single set of configuration files on network (G:\SECURITY\FORTRES.101\), the FGSA line in the autoexec.bat file should be changed to point to FORTRES.EXE
(FGSA /R:G:\SECURITY\FORTRES.101\FORTRES.EXE)

FGCLO.EXE provides a method for logging out of or shutting down Windows without allowing access to the Start Menu. By default FGCLO.EXE, gives the user only the option of logging on as a new user. By using the optional flags below FGCLO can be used to offer the option to shut down the machine as well.

USAGE: FGCLO [/S] [/N]

/S

Allows for shut down of Windows giving the option of either shutting down the computer or closing all programs and logging on as a different user.

/N

Allows for shut down of Windows only. The option to logon as a new user is absent.

There are 7 separate methods of providing some sort of file protection in Fortres 101:

On the File Protect 1) Protect - list, 2) Protect - by extension 3) Do Not Protect, 4) No Saving on Hard Disk; 5) File System page; On Execution 6) Do Not Run - list 7) Prevent Running Programs from Floppy.

Some of these functions overlap. Some take precedence over others. These 7 methods on the interface translate into 3 implementations internally. The implementations are:

1. specifying hierarchical path to files (File System, No Saving on Hard Disk),
2. specifying a file name with optional wild cards with no path (Protect - list, Protect - by extension, Do Not Protect, Do Not Run-list), and
3. floppy access (Prevent Running Programs from Floppy).

The order of precedence is C, B, A.

If Prevent running programs from floppy is checked no changes made anywhere else will allow EXE, COM, BAT, of PIF files to be created, written to, or read from on the floppy.

If *.OVL is specified in do not protect and OVL is check in protect, the result is undefined.

If FISH.TXT is specified in Do Not Protect-list and C:\DOCS\FISH.TXT is specified in the File System Tab with an R or X, the Do Not Protect will have precedence.

Fortres 101 will run on a 286 or better, running Windows (3.1, 3.11, WFW 3.1, WFW 3.11, 95) with 1Meg of RAM.

Fortres 101 should not present a memory problem when installed. Fortres 101 takes up 400K of disk space, uses a 1 K TSR (terminate and stay resident) and the program itself uses 35K of the least important extended memory within Windows 3.x and 55K in Windows 95.

To date, no security is absolutely flawless. Even US Military computers have been breached. Fortres 101 has a great deal of knowledge about the operation of Windows and the minds of hackers. The techniques Fortres 101 uses to detect and block destructive initiatives are very sophisticated and mature. However, given rogue computer operators successful and destructive track record, it is possible that methods may be discovered to skirt even the security of Fortres 101.