Windows NT, Windows 2000 and Windows XP / Vista / 7 / 8 users

Return to Introduction  Previous page  Next page  

 

User accounts

 

Any user belonging to the Administrators group or having permissions equivalent to those of an Administrator will be able to disable the PC TimeWatch service and / or uninstall the program (provided she has the PC TimeWatch Manager password). As the PC TimeWatch Manager, this is not what you want. So you have to make sure that the accounts that will be monitored by PC TimeWatch are not administrator accounts or do not belong to the Power Users group.

 

You can be the PC TimeWatch Manager without being an administrator but it would be better if you were. After all, you're supposed to be the leading authority on this system. However, the capability of being the PC TimeWatch Manager without being a system administrator allows you to delegate the permission of modifying the program settings to someone else by simply giving her your password, while you're away from home for example. Then, when you're back, you change the password and you're the big boss again.

 

Users monitored by PC TimeWatch should not belong to the Administrator group or, on Windows 2000, the Power Users group. On WinXP / Vista and 7, monitored users should be in the Limited group; on Windows 2000 they should be in the Users group. Members of the Administrator and Power Users groups have privileges allow them to:

 

Simply stop the PC TimeWatch service.
Manually uninstall the program.
Access the registry and remove any PC TimeWatch data.

 

This may vary according to how your system is administered.

 

Windows systems include a built-in account called Guest that has very limited access privileges. When you first install PC TimeWatch, all users on the system are authorized to use the computer, including the built-in Guest account. When you first run PC TimeWatch, you should open the Options dialog, check the settings, and click OK to confirm they are correct. After you save the .ptw file, the Guest account will no longer be authorized to use the computer while PC TimeWatch is running. It will not even appear in the user list. The PC TimeWatch restrictions will be used in place of a Guest account. Please note that this also applies to any account belonging to the Guests group.

 

Please note that a user not having administrator rights will not be able to change the PC TimeWatch Manager and her password. In all cases, even if you have given your password to an untrusty person, you'll be able to reset it by following the instructions in the Recovery from tampering document available from the Help menu.

 

 

Time synchronization on NT / 2000 / XP / Vista / 7 / 8 systems

 

As explained earlier, it's important for PC TimeWatch that the system time be accurate. Although PC TimeWatch can manage this on its own, it would be good to setup the Time Service feature, so that the system time be "naturally" accurate, thus not forcing PC TimeWatch to take control of this.

 

A very good document about how to configure the time service is available here.

 

 

Limited access to the registry

 

Monitored users (the users you want to restrict) should not have the permission to write to the HKEY_LOCAL_MACHINE key in the system registry. This is the default on Windows XP and this is the recommended setting for most systems. For other versions of Windows, you should verify this (however, under Windows 98 and Windows Millennium, the registry cannot be secured).

 

If for any reason, you must give monitored users write access to this key, you should at least protect the HKEY_LOCAL_MACHINE\SOFTWARE\MainSoft\PC TimeWatch key.

 

If you are not familiar with the registry, these articles might help:

 

How To Use the Windows XP and Windows Server 2003 Registry Editor Features

Enhance Security Through Registry Permissions

 

Back to "Must read" section