Aussie Uni Dumps Dual-Boot In Favor of Linux
kNIGits writes "News.com.au is reporting that the University of Wollongong have dumped their previously dual-boot installations in favour of booting Linux only. Among other reasons, staff enjoy the ease with which they can 'lock down' first year students, stopping them messing with the systems prior to learning anything about them."
The cards you're thinking of are often called "Sheriff Cards".
:)
Apparently they have them in my old high school now. Poor kids... hacking the network was one of the more fun things about high school.
I'm not fully versed in all its wonders, but the Windows Policy Editor (or whatever it's called now) can completely lock down a machine. It's a vastly underutilized tool for environments where you don't want users messing with the machines. I remember getting annoyed the first time I sat down at a box which wouldn't let me even look at the start menu. Any and all Windows admins should look into its proper use in their environment.
"Moderate drinking can help prevent amputated limbs" -- Abigail Zuger, NYTimes, 12/31/02
There is a software solution for Windows called DeepFreeze. It works very well. I love seeing the look on faces when they delete random .dlls or change wallpaper only to find that they magically re-appear when the system reboots.
Yes, you *could* use windows policy editor, but there are some major issues with it (having just locked down a standalone windows box for kiosk use I'm well versed in the pain of poledit for Win 2000..)
Note that policy editor is now primarily designed for a computer in an Active Directory tree - without Active Directory you have to edit a "local" policy, i.e. edit the registry directly.
A disclaimer: maybe an Active Directory policy is nicer to play with, I don't know - local policies were enough of a pain for me as it was..
here's the fun with local policies..
firstly - the policies affect ALL users, INCLUDING the administrator. (WTF?!?!? you say?) so.. lock out all registry tools, disable "command prompt" and run on the start menu - and you're screwed - no more windows administration. time to reformat the box. (or at least attempt to "rescue disk" it..)
second - policies quite often are applied in REAL TIME. hmm.. disable registry editing.. (screen flashes) - oh bugger, policy editor has stopped working..
The way to get around this is to remove access to the %winnt%/system32/GroupPolicy dir for the administrator (that's right, you remove access to the root user to prevent the policy applying to that user.) of course, this dir has to be accessible to make any changes. And the changes apply immediately. Forget to reapply the restrictions to the admin user and it's reformat time, again.
if you want to use policy editor I suggest having a recovery cd lying around, as I guarantee you *will* be locked out of your system, unless you're extremely careful.
I love windows security, it rocks.
Just because you don't know how to use a tool, doesn't make that tool bad.
A properly configured local policy can lock down exactly what you want to lock down, and affect only the users you want it to affect.
Also, in Active Directory, you use things called "Group Policy Objects" to apply policies to workstations, and it's WAY more powerful than local policies.
Go here for an overview of GPOs.
Carpe Cerevisi - Seize the Beer
Older versions of DeepFreeze were pretty funny. Set the system clock sufficiently far into the future, and it magically crashed. The first thing you do after that is delete DeepFreeze, and you have no more DeepFreeze problem ;)
Windows was originally designed around the presumption that there was really only one user on the system, and that user could/should do whatever (s)he wanted. To that was added the eventual realization that Oops! That's not always the case.
This has resulted in the back-ending of all sorts of security hacks onto what is still, essentially, a single-user system. A side effect of this is all sorts of special cases and weird holes in the design of Windows that result in the need for things like PE.
Unix, on the other hand, was designed as a multi-user system almost from day one. In this context, a single user system is simply the special case of N==1. Locking down a Linux system requires little more than putting passwords on GRUB and the CMOS editor, and possibly pulling the setuid bit from some questionable binaries. Once that's done, there's little that a non-root user can do beyond trashing their own account, or various DOS type stupidities (which can often be responded to by a good sysadmin).
Beyond that, the ability to prevent first-year stupidity is only one of the reasons why Linux was chosen as the standard for first-year students. Not having to worry about being sued when the students post the source code that you gave them (under some sort of non-disclosure agreement) on the net when asking for an answer to a question is another. Multiple GUI desktops, extensibility and totally free access to the source code are some of the others.
OS Software is like love: The best way to make it grow is to give it away.
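The comment above mentions "pulling the setuid bit from some questionable binaries" as part of locking down a Linux lab machine. The following is an added example, not part of the original thread: a shell audit that lists setuid/setgid files under a tree, reports those missing from an allowlist, and clears the bits on request. The function names, the allowlist format (one absolute path per line, `#` comments) and the scratch files in the demo are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit setuid/setgid files against an allowlist.

# list_suid ROOT: every regular file under ROOT carrying the setuid or
# setgid bit, one path per line, sorted. -xdev stays on one filesystem.
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# unexpected_suid ROOT ALLOWLIST: setuid/setgid files under ROOT that are
# not named (exact, whole-line match) in ALLOWLIST.
unexpected_suid() {
    root=$1 allow=$2
    list_suid "$root" | while IFS= read -r path; do
        if ! grep -v '^[[:space:]]*#' "$allow" | grep -Fxq -- "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# strip_suid FILE...: clear both the setuid and setgid bits.
strip_suid() {
    chmod u-s,g-s -- "$@"
}

# Constructed demo: a scratch tree with two setuid files, one allowlisted.
demo() {
    d=$(mktemp -d) || return 1
    touch "$d/passwd-like" "$d/game" "$d/plain"
    chmod u+s "$d/passwd-like" "$d/game"
    printf '# approved setuid binaries\n%s\n' "$d/passwd-like" > "$d/allow.txt"
    echo "unexpected before cleanup:"
    unexpected_suid "$d" "$d/allow.txt"     # only the "game" file
    strip_suid "$d/game"
    echo "unexpected after cleanup:"
    unexpected_suid "$d" "$d/allow.txt"     # nothing left to report
    rm -rf "$d"
}
demo
```

On a real system the root would be `/` and the allowlist would be built from a reviewed baseline; run the audit as root so `find` can read every directory.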