Securing University Residential Networks?

campusNetworkWatcher asks: "I work for a large University that allows wide open access to most of its networks. There is no firewall of any type, and this is not likely to change in the future. A problem spot I see are the residential networks. For the most part, it is filled with un-patched Windows machines run by non-security-centric users just waiting for the newest virus/worm/trojan. Recent events, and an onslaught of DMCA violations have caught the attention of my superiors (as well as his superiors), but there is little we can do once we track down a compromised machine. With a couple of exceptions, in a couple of departments, there is no group will to do desktop support of student machines. We can tell a user he or she is compromised, but lack the enforcement to make the user fix the problem. My group strongly advocates an open academic environment, but if the network is too open it may negatively affect the people we are running it for. I feel like this must be a problem for many other universities and was wondering how others have handled it (blanket port blocking of NetBIOS, established only traffic, or other options). I am looking for non-intrusive suggestions for protecting the network, while allowing as much access as possible to the students. Any suggestions?"

Scan machines, and turn off ports

[danielwright]

The school I go to has an effective policy: firstly, they routinely scan the entire campus network for vulnerable machines using nessus.

If they find vulnerable machines, or if they detect that a machine has been compromised, they notify the owner, and if the problem is not corrected in an appropriate amount of time, turn off the connection at the switch. If that happens, the owner has to prove that the machine is fixed before they will turn it back on.

Admittedly, this is a little draconian, but the other residents appreciate that the network isn't constantly congested with dos attacks from compromised machines in their dorm.