Slashdot Mirror
Management Tools for Computer Labs?
dorko72 asks: "I have been put in charge of setting up a small computer lab (30 workstations) for a local community. The benefactor is providing the hardware (dell workstations and one server) as well as the operating system for these systems (Windows XP Professional and Windows 2000 Advanced Server) All the equipment is used, but not too old. I would like to find out what some of you guys use to monitor and manage the lab usage (ie provide realtime stats of which station is in use, etc). I would plan to set these machines in a Windows domain using Win2k Advanced Server as the controller via Active Directory. There must be some way to access AD and find out who is logged in to what machine in the domain. Any suggestions or ideas would be much appreciated."
This isn't quite what you're asking about but I figured I'll give you some useful information. I put in some security hardware called Centurion Guard at my library. I must say, if you're worries about malicious conduct on the computers, either viri or people sabotaging systems (damn teenagers), I suggest you consider it. Basically it keeps a partition of itself and whenever you reboot everything not on the partition (which normal users can't screw around with) is wiped and restored to it's original state. Just giving you my 2 cents.
Live life to the fullest. It's not that life is short, but that you are dead for so long.
Ditch windows for PXE boot LTSP MOSIX and have yourself a controlable cluster. You might want to look at: http://k12ltsp.org/contents.html Windows terminal services are another option, but, they are much less secure.
Systems Management Server.
You're a community organisation - just ask Bill and Melinda for a few licenses.
Dameware : manage the machines from a remote location.
netusers.exe and some perl or python thrown in to deal with the output of netusers. You can get all your user stats and stuff from this.
With those tools you can develop some scripts to track usage, avaiable comptures and throw it all up on a web site.
Install a remote admin tool on each of the comps. You can watch their desktops this way too. Another fun thing to do is control their desktop while theyre playing games or something and mess them up :P
At the most basic level this would work: /T >>H:\LOGINLOG.TXT /T >>H:\LOGINLOG.TXT
You can include a script to run in the startup folder that does the following:
rem --
net use h: \\SERVERNAMEORIP\SHARE
echo [INSERTCOMPUTERNAMEHERE] had the following user login:>>H:\LOGINLOG.TXT
echo %USERNAME% >> H:\LOGINLOG.TXT
date
time
rem --
every user that logged into the domain would need write access to the share tho.
There are tons GPO+VB script ways to do this
post it to "ask microsoft"
- Strong locks for the outer doors of the lab.
- Clippers capable of severing all keyboard and mouse cables.
- A sturdy, 36" Crowbar.
- Cheap bourbon.
Long and painful experience has shown that management software and administrative tools are interchangeable luxuries at best (and are more often nothing more than time-consuming placebos). While you are certain to receive many suggestions for that type of product, I am certain that the list above represents the absolutely indispensible core of any competent adminstrator's toolkit.No, seriously...
/etc/squid/blocked_sites.txt. List the file extentions to block in /etc/squid/filetypes.txt in regex fashion (something like \.(exe)$ to block .exe files). Not a complete fix, but a good quick way to safeguard web access.
Bring up your favorite distro. The important bits of immediate concern are Squid and syslog. Prevent direct access to the net from the client machines and force them to go through the proxy using a GPO in ActiveDirectory. Configure Squid how you like, but best to at least add the capability to block certain sites and prevent certain file types from being downloaded:
acl hosts_deny dstdomain "/etc/squid/blocked_sites.txt"
acl filetypes urlpath_regex -i "/etc/squid/filetypes.txt"
http_access deny filetypes
http_access deny hosts_deny
List the domains to block in
Now run over to sourceforge and grab ntsyslog. This handy tool exports your Event Viewer logs to a remote syslog server. It installs as a service and it's a cinche to setup. Stick is on your domain controller. On your Linux box add a line like the following to syslog.conf (for sysklogd):
user.alert -/var/log/domain.log
By default, ntsyslog uses user.alert, but you can change that to whatever you like. Also make sure your syslog is configured to receive messages from remote clients. Now, in your default domain policy on the domain controller configure it to audit logon events as well as account logon events, successes and failures for both.
Now you've got web access managed by a central proxy with full logging and minimal blocking abilities and all logon success/failures being reported to Event Viewer on the DC and forwarded to the syslog. If you want to see who is logged into a machine at any given time you can either quickly parse the logs or use something like NetUsers or LoggedOn.
Popular local opinion says that you're likely to have more problems/attacks with/against your Windows server. Having your Event Viewer messages forwarded means you can diagnose problems in the event something happanes to that server. You'll probably want to at least MRTG the Linux box to get an idea of bandwidth usage too. Then enjoy whippin' up your own set of shell scripts to play with your logs (hint: real-time monitoring)!
I'm against picketing, but I don't know how to show it.
I suggest you check out NetOp School. I manage 8 computer labs for a community college in Gainesville, FL and we use this in several of them. At a glance, the instructors can tell who is logged in & where (uses machine name and windows login name information). Additionally, NetOp School provides controls, i.e. lockout and demo mode. You can run commands on the remote machine, transfer files, etc. Also, you can create breakout sessions where small groups are formed, and one person in that group would be granted all of the above controls.
It installs remotely (from the "instructor" station) and runs as a service. Our instructors love it. I think you should check it out.
In Soviet Russia, the signature reads YOU!
Assuming that you will be in charge, here are some pointers on how it can be done
My opinion? See above.
I'll also recommend Microsoft Baseline Security Analyzer, which lets you check computers for "common misconfigurations", i.e. missing patches, trivial passwords, etc.
Also, if you are a *nix guy, put a GNU/Linux or *BSD box on your network. If nothing else, just for tools like nmap etc. While most of it is available for Win32 too, it's so much eazier to just apt-get what you need instead of hunting for an outdated, buggy Win32 binary.
Please alter my pants as fashion dictates.
This box here at school (along with a few hundred others) has Deepfreeze.
:(
the BANE of us geeks, we can't fiddle and tweak with our boxen cuz the night classes have newbies *sigh*
Deepfreeze works at the MBR level, only way to circumvent it to blow the HD away (i.e. write zeros across it and sector zero.)
easy way around that is a password on the bios (also on these boxers) to prevent alt boot sources
A big honkin' Master lock on the covers keeps us from getting at the bios reflash jumpers, i.e these boxes are both idiot and GEEK proof
Deep Freeze + Ghost/DeployCenter is your FRIEND, just have 1 box be a dummy (i.e. no students fsck with it), get updates, make image, thten push over the network.
But be DAMN sure that it's PERFECT, at the beginning of the school year, fresh image contained the blaster worm, and with deepfreeze the fix didn't work. IT didn't give us the access codes for Deep Freeze so we used royally fucked up boxes for 3 weeks while a new image was made (yes, it took three weeks to: nuke a HD, load initial GHOST image, add new stuff, make new image, reimage rest of boxen). server core here in win2000, sucks ass. though we did get 4 Dual Xeon servers on the cheap. from Arthur Andersen when they went bye bye.
Logistical Chaos Officer http://www.slagg.org - LAN Gaming in Sarasota FL,USA
Altiris is what you need.
Namaste
Never underestimate the power of a pointy stick.
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
ask yourself why you need to monitor this information.. most likely you don't need to treat your users as criminals..
I have to second depefreeze - i did student work in the networking dept at my college last semester and worked with deepfreeze a lot. it's great for keeping morons from effing up stuff they shouldn't, easy to use, and very difficult to screw up.
To initially install the OS and software for a full lab, we would use a program called Ghost. It works by taking an iso of an existing setup and writes it multiple machines at once over a hub. i'd set up a lan with 12 machines at a time and would write the image to all of them at once. much much faster and easier than one at a time.
First of all, Windows can log Logon Security events using the built-in event system.
Second, running logon scripts from the startup folder is retarded. Use the logon script facility.
Finally, your script probably has locking issues, and you couldn't figure out how to get the computer name from an environmental variable.
I just about get what COM is, ActiveX took me a while but I think I have the gist, I found out very recently that .NET is like Java (not just a new brand name like I thought!), but Active Directory and various others still elude me... anyone else have this problem?
The tools you need to meet your needs are built in.
For determining who is logging in where and when, you simply need to enable auditing at the domain level.
If you want performance or utilization information then use Performance Monitor. It can be used either locally or remotely to monitor a mind boggling(and possibly useless) number of performance counters.
For monitoring the activities of the users, file level auditing can be used. For internet activities you need additional hardware/software than you said you had in the article.
If you want this information all agregated into a central location, use Task scheduler to run a hourly/nightly batch file to upload the logs and performance results to a central file server or database.
There are numerous thirdparty tools that do this things and much more but since you are working with donated hardware and software, I will assume that you have no budget to purchase additional tools. Perhaps a book or two on MCSE training would be helpful in letting you know about the many features and tools that are available in Windows 2000 but aren't discussed on Slashdot since most Slashdotters seem to only be experienced in Windows 98 and Windows XP home edition.
Yes, I have that problem too. For more info on AD google found me this link. AD does everything that a domain controler used to do in earlier version of Windows. It gives you authentication, and security for an entire network with lots of users. What's different that a traditional domain controler you ask? It's not backwards compatable, so you have to upgrade. Standard MS tactic. Take existing software, add a feature that nobody wants, and force you to upgrade to it. Case in point, my favorite version of Excel is '97. It did the best job of not getting in my way when I was tring to use it. It definatly had bugs that needed to be fixed, but MS has to "over-innovate" and add features that nobody ever asked for that always get in your way. Now excel is a bloated piece of crap that corrects everything I do, and sorts my numbers differently than I told it to. Blech.
SCO.com uses Linux
If your willing to spend a little you could try ZENWorks - http://www.novell.com/zenworks/
It works happly on W2K Server and it has loads of management fetures like remote app delivery, remote control and you can audit who was on what machine when!
Is there a reason they have to run Windows?
Take a look at the K12 Linux Terminal Server Project. With relatively new machines you can be up and going in 2 hours (not including plugging the machines in). I put this in our business lab at the high school and it's been a dream to run. I never have to worry about viruses, and updates/installations are done once. To install a new machine you plug it in, go to the BIOS and tell it to do a network boot. I don't have to worry about any license issues either. If you need Windows, you can also use RDestkop to access Windows Terminal Services.
K12LTSP also comes with squid and for filtering squidguard and Dan's Guardian.
One problem that I've seen with Deep Freeze is when the latest worm comes out. Sure you can reboot your machine and it is clean, but if there is just one machine on your network still infected, you'll become infected again.
What, me worry?
I've never used Deep Freeze, but from everything that's been said about it so far it appears that subverting it is directly reducable to the problem of gaining raw write access to the hard drive. Once you have raw access, you could either alter the Deep Freeze partition or, if the administrator was clever enough to put the image on a CD, alter the master boot record to ensure that Deep Freeze is never activated.
I have no idea how difficult it is to get raw access using various versions of Windows, but in Linux its usually a case of getting root. How many local exploits do you think Windows XP has?
Why would you want to know those things? What is the point? What can possibly that information be good for, other than the obvious -- being subpoenaed by some dipshit who thinks, some of your students pinged him, and you being responsible for accuracy of it, instead of being able to just say "we never log anything, get lost", and get him off your back?
Contrary to the popular belief, there indeed is no God.