Slashdot Mirror


Securing University Residential Networks?

campusNetworkWatcher asks: "I work for a large University that allows wide open access to most of its networks. There is no firewall of any type, and this is not likely to change in the future. A problem spot I see is the residential networks. For the most part, it is filled with unpatched Windows machines run by non-security-centric users just waiting for the newest virus/worm/trojan. Recent events and an onslaught of DMCA violations have caught the attention of my superiors (as well as his superiors), but there is little we can do once we track down a compromised machine. With a couple of exceptions, in a couple of departments, there is no group will to do desktop support of student machines. We can tell a user he or she is compromised, but lack the enforcement to make the user fix the problem. My group strongly advocates an open academic environment, but if the network is too open it may negatively affect the people we are running it for. I feel like this must be a problem for many other universities and was wondering how others have handled it (blanket port blocking of NetBIOS, established-only traffic, or other options). I am looking for non-intrusive suggestions for protecting the network, while allowing as much access as possible to the students. Any suggestions?"

1 of 55 comments

  1. Windows Solutions by haplo21112 · Score: 0, Troll

    Add to the Terms of Service that Windows machines must be part of a domain. Create a domain over which you have administrative control. Then deploy SMS. You now have control to send blanket upgrades and patches to all the machines. Periodically scan for machines that are not on the domain and contact the offender; if they don't respond, pull the plug on the network connection (actually, if you have good switches, all you really have to do is tell the port not to pass traffic).

    --
    Power Corrupts, Absolute Power Corrupts Absolutely, leaving one person (group) in charge is absolutely corrupt.
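
The scan, contact, then shut-the-port procedure from the comment above, as an added Python example that is not part of the original thread. The switch MAC table, domain inventory, notification log, three-day grace period and uplink port list are all assumptions, filled with constructed sample values.

```python
import re
from datetime import date, timedelta

GRACE = timedelta(days=3)  # assumed response window before a port is shut
RANK = {"wait": 0, "notify": 1, "disable": 2}

def norm_mac(mac):
    """Normalise aa:bb:.., aa-bb-.. and aabb.ccdd.eeff to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return digits

def plan_actions(mac_table, domain_macs, notified, today, uplinks=()):
    """Return {port: 'notify' | 'wait' | 'disable'} for ports with non-domain machines."""
    known = {norm_mac(m) for m in domain_macs}
    seen = {norm_mac(m): d for m, d in notified.items()}
    actions = {}
    for port, mac in mac_table:
        mac = norm_mac(mac)
        if port in uplinks or mac in known:
            continue  # never shut an uplink; domain members are already managed
        first = seen.get(mac)
        if first is None:
            step = "notify"      # first sighting: contact the owner
        elif today - first >= GRACE:
            step = "disable"     # contacted, grace period elapsed
        else:
            step = "wait"        # contacted, still inside the grace period
        # A port can show several MACs; keep the most severe step for it.
        if RANK[step] > RANK.get(actions.get(port), -1):
            actions[port] = step
    return actions

# Constructed sample data (not from the thread).
MAC_TABLE = [("Gi1/0/1", "00:11:22:33:44:55"),
             ("Gi1/0/2", "0011.2233.4466"),
             ("Gi1/0/3", "00-11-22-33-44-77"),
             ("Gi1/0/4", "00:11:22:33:44:88"),
             ("Gi1/0/24", "00:11:22:33:44:99")]
DOMAIN = ["00-11-22-33-44-55"]
NOTIFIED = {"00:11:22:33:44:66": date(2024, 9, 1), "00:11:22:33:44:77": date(2024, 9, 4)}

if __name__ == "__main__":
    print(plan_actions(MAC_TABLE, DOMAIN, NOTIFIED, date(2024, 9, 5), uplinks={"Gi1/0/24"}))
```

A MAC address can be changed by the machine's owner, so the output is a worklist for contacting users, not proof of which machine sits on a port.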