Should Colleges Monitor Students' PCs?

dancedance asks: "I am a CS student at a small Liberal Arts college. Like most academic institutions, we have to deal with worm-infested computers being brought into the network from the outside. In the past the school's response has been to require all windows computers to install the virus software provided by the school. Although this helped protect the network, it was certainly not a complete solution, especially at the beginning of the school year. This year computing services is taking a more proactive approach to network security: it is requiring all Windows-based computers to install software which will allow the school to automatically update virus software, apply windows patches, install software 'deemed necessary' for network security, and 'report on the status of your computer'. This seems like a 'one step foreword, two steps backward,' approach to network safety as I fear that, under this system, a malicious user would only have to break into one central system to wreak havoc on the entire network. Are my concerns about this system well founded, or is this less of a problem than I make it out to be? Are similar policies getting implemented at other academic institutions?"

Education

[agent+dero]

Colleges are for education, for those students who most likely won't know already about protecting their computers, make them take a class on how to do it. And if their computers turn out to be infected afterwards, ban their MAC from the network until they prove otherwise.

Students are at college to learn. Educate them :)

Re:Education

[EvanED]

You don't want to disable this though, so they can still use lab computers.

Here at PSU you must register your computer's MAC address and your dorm room and the port you plug your computer in within your room. If you change your MAC address from what's on file, you can't connect. If you plug into another port, you can't connect.

Re:Education

[binarybum]

I like this restricted subnet leper colony idea. A healthy network is one that runs well independently of how crapped out end nodes are. I think in this day, it is best to develop networks that assume that every node is a virus-ridden maggot that could potentially be a threat. Networks that rely on users keeping their systems tidy will not scale well and will invetibaly become weaker by not having to deal with minor day to day issues due to an intially placid user base.
By moving "leper" systems into a restricted subnet until they prove themselves cured, you minimize the risk to your infrastructure without completely terminating access. Additionally, people that let their systems become infested usually will not be power users and may not even notice/mind the restricted access state.

Re:Education

[garcia]

Yeah well they are still spewing garbage out and wasting bandwith (whether it is going anywhere or not).

You also run the risk of having to disinfect these people manually via the network support staff.

When you find the people that are infected, disable them, have IE automatically open to a page that tells them they are cut off and that they need to immediately contact the support staff for cleaning and reinstatement.

Re:Education

As a network admin (Network Nazi, thank you very much) I know the effects of having just one compromised pc on the network. With all the viruses out there that spoof email addresses, I know instantly when an infected pc comes online (I get an email from every server that gets attacked by a virues...)

On one hand, I commend the university staff for trying to keep everyone safe. Nothing worse than one infected pc spreading through the windows "security flaw" flavor of the week and dragging everything down.

On the other hand, they are taking on a huge responsibility to keep the students pc's running. Case and point - we demand that everyone on our network runs McAfee and is kept up to date with patches. One lady in admin installs McAfee so that she can use her home pc to connect (via Cisco VPN,) and the whole pc stops blows up. I ended up spending 10 hours (6 hours trying to fix what went wrong, the other 4 giving up and reloading the damn thing.) Add to that getting grief the whole time because "This wouldn't have happened if I didn't install that.." Nevermind the spyware that was already installed.

Moral of my rant? Don't do this kind of thing unless you have a mass of cheap labor (college kids who are on work/study,) and are allowed to fix what went wrong when it most likely will.

Re:Education

[BobPaul]

Well, they do search for mis-formed MAC addresses (ie, if the MAC doesn't resolve to a real company) and then they'll port block you (at the switch). Or if you register a whole bunch of macs (remember, they go under your name in the database) then they'll block your physical port on the switch.

Also, a ping sweep might register as a scan, in which case you might get blocked since virii also scan. Or, you'll hit my IP (my firewall blocks pings) and you'll use my ip/mac and then you will get yourself quickly physically blocked in the switch your connected to.

For people not in the dorms, they can really only block your mac address, but I've tried manually setting IP addresses, and it doesn't seem to work...

Re:Education

[Kyosuke77]

I go to a school of about 20,000 students and I work for the Arts & Sciences IT Department. I deal mostly with Faculty, not students in the residences (thank god).

We do much of what your school does to combat viruses, but now and then we get a professor who refuses to let us near their machine to clean it if it's infected. In that case, we have the authority to just go to the networking hub closets and start ripping out cables so that all the network jacks in that professors office go dead. I don't think we've ever had to actually do that. The threat alone is usually enough.

But anyway, the upshot is that in a large school, you don't have time to mess around with complicated solutions. If someone's a stick-in-the-mud about getting their machine disinfected, you threaten to cut them off, and if they still hold out, you go and fucking cut them off and see how they like it.

It's a good thing and a bad thing

[Coldeagle]

I believe that as long as it's network security things, it's a good thing; however I would investigate any software they want to install on my system before I say yes or no. My work has a similar policy and I don't really have a problem with it on my laptop, because I did some checking and they can't do anything but patch security holes, and it lakes anything that infringes on privacy (such as reporting what websites are being hit, password loggers, etc), so if the software it self doesn't infringe on privacy, I think it's a good thing, well with Window$ machines at least :P

Use a carrot, not a stick

[Aneurysm9]

My school has taken a similar route, however, we're not pushing patches onto end users, but requiring that they authenticate and verifying that they're up to date before letting them out into the wild. If they fail the verification they're provided resources to update their computer, but we don't push the patches without their consent.

Same experience

[AgentOJ]

I'm in the same boat as you. I work for computer services at my college, and we went through the exact routine you did. Originally we were using Novell (ugh) to push the antivirus updates, but we're moving away from Novell next year. I'm still not sure exactly what we're going to be doing as far as mandatory updates go, but something needs to be done. Our firewall is fine for blocking worms coming from the outside, but the minute a student opens the wrong kind of attachment, all hell breaks loose on the internal network.

I've brought up this issue with my superiors, but they have always told me that any intra-network segregation would be too costly for our meager budget to handle. Though draconian, it has gotten to the point where I almost feel that we should turn off most outbound connections at the switch level between dorms...that way the problem is confined to a single dorm. If a user could give good reason why they needed ports opened, we could grant them that.

Nothing, however, will stop users from opening attachments. We've tried user education, and it just doesn't seem to work. Aside from banning outlook (our biggest problem is with mass-mailing viruses) on campus, does anyone have a cost effective solution that a small private college can implement?

Don't do this

[EvanED]

I would forgo high speed internet access and dial up, then use lab computers for fast internet access before I would submit to this.

Simply cut off any computer that is sending packets trying to exploit a hole, like Blaster or whatever. Hell, commercial ISPs don't even do this unless it's really really bad, let alone require such software to be installed.

I would have no problem with requiring users to install the latest security patches or virus software and keep definitions up to date, but no campus network service is gonna be installing stuff on my computer.

The college is question is Wheaton.

[Vellmont]

A little investigation reveals Mr Sanford (dancedance) goes to Wheaton College in IL. Why are you so vague about which college is doing this Mr Sanford?

Easy Answer.

[twitter]

I'm not sure where the happy medium is between total computer intrusion and none at all. It's hard to trust anyone else messing around with my computer with software i MUST install.

Windows is already owned and there's plenty of middle ground for Universities that stop short of owning your computer.

Sure, you should be uncomfortable about letting your campus put yet another back door onto your machine, but Windows is crawling with them to begin with. If you are running Windoze, you are already letting Bill Gates mess with it. It's already compiling lists of all the music and movies you play and it sends all sorts of information back home. Any Microsoftie will tell you that it's very important for you to run Winblows Updater, which does much the same thing your campus service will. What do you expect of people who consider stuff on your hard drive "their" operating system and your desk as a billboard to be sold to the highest bidder?

LSU can and does monitor traffic at building routers. Unusual activity has them block the MAC address. It's much easier than requiring expensive commercial software that does not work.

Unfortunately, LSU is moving toward just that kind of stupid requirement. They are specifying that Winblows machines on their network have "up to date" virus software. That's fine, so long as they don't require Winblows in the first place. The student senate is considering a laptop and Active Directory requirement. What a nightmare.

There's lots of room between turning every computer on campus into a campus owned DRM'd dumb terminal and letting the Windows machines destroy the campus network. They could continue blocking actual problems at the router instead of requiring the very source of the problems be run by all. They can offer the service voluntarily to those who simply have to have winblows. Macs, Linux and commercial Unix do not have the same problems and should be encouraged. Computing services should make running Windows as easy as they can and that includes offering virus protection, but they defeat themselves when they dumb the network down for it.

Re:Easy Answer.

[mcrbids]

Any Microsoftie will tell you that it's very important for you to run Winblows Updater, which does much the same thing your campus service will. What do you expect of people who consider stuff on your hard drive "their" operating system and your desk as a billboard to be sold to the highest bidder?


Running Red Hat Fedora, I routinely use yum to update packages... not much different than Windows Update.

Just because I use Linux doesn't mean I don't feel the need to stay up to date!

Re:Easy Answer.

[forlornhope]

Active Directory isnt so bad, Samba 3 can join AD domains and participate as a native client. Its a bit harder to setup but it is definately possible.
As for Macs, Linux, and other commercial Unixes most people dont want that, so the CS department Im working at is concidering forcing Debian onto all our departmentally owned machines and denying access to all privately owned computers except on the highly locked down wireless lan, and even then we require virus scanners and up to date patches.
Now I hear people groaning already about forcing Debian on all machines, well imagine this;
A person sits down at a computer and is presented with a GDM login screen. They type in their user name and password and set their session to "Microsoft Windows 2000." Yup, you guessed it, a hardware independent completely locked down, controled and up to date version of Windows pops up logged into the domain with complete access to all their files and all the printers and everything, and they can even open up a terminal that automagically presents them with a Debian environment for them to do their programing on. How will we do this? VMWare running ontop of our nice Debian install. That way the Windows install is completely hardware independent and every time there is an update we just roll up a new image and throw it up on the file server and all our users have all the latest updates. Combine that with the fact that the Debian host machine is running snort and puts the Windows machine inside a highly restricted private ip space that is monitored, and virtually all the problems we have with Windows suddenly disappear. Now yes this is an abomination, but it turns Windows from a huge headache into just another *.deb that we have to keep track of and keep up on security for.
Now thats how to deal with the Windows virus/spyware/worm administration nightmare. Now Im not saying that this would work to roll out on the entire campus, but it is a very novel approach.

Then it is simple:

[Avihson]

You do not connect!

If you want to use the facilities, you follow the rules. The only vote you get is with your feet. Their house - their rules.

If I didn't trust the IT department, I would never hook up anything that I personally value to their infrastructure. I would (ab)use their equipment, and save my data on a thumb drive.

I've been that route: last semester, I was a part-time instructor at the local CC and knew that the IT Dept was full of mediocre windows power users - not even an MCSE in the bunch.
I was hired to teach a Linux course, and was not permitted to connect those "insecure" machines to the LAN! Before every lab session, we had to disconnect the lab switch from the network, so there was no possibility of "hacking" into the school's network. I wasted about 15 minutes trying to educate the IT manager, before I figured it was better to let him stew in ignorance, since they were not paying me to educate him.

Never argue with an idiot, they drag you down to their level and beat you with experience.

Liberal Arts colleges and OS choice

[wing03]

A few factors to consider here

1. Liberal arts college
2. Artsy fartsies
3. Starving students or parents who are budget conscious.

I went to a liberal arts college too, and as a graduate looking back on that experience, I have one observation.

As much as we liked to think we are expanding our minds, thinking outside of the box and bucking trends, the majority of us still went for the path of least resistance and followed the herd because it was so difficult to be the iconoclast and march to the beat of a different drum.

What that means is that the vast majority of computers will be M$ based. A few windbags will talk about Linux vs the evil corporate M$ (not having any idea what BSD, BeOS or any other marginal open source OS is). They will either try to install the OS or get a friend to do so.

Over time, they'll not have a clue about what's going on, go back to Windows, graduate and become a sales and marketing jockey for one of those companies they crapped all over during their idealistic days in university.

But hey, what do I know? I'm just another jaded IT worker who happens to have a liberal arts education....

Re:Big Difference.

[mcrbids]

Please note that "twitter" is a known fanatical psycophant whose obnoxious offtopic rants are legend here on Slashdot. It doesn't matter what the topic is, he'll find a way to scrape in some pointless Microsoft bashing. While nobody expects us to love Microsoft in any way, his particularly tepid style of calling anyone he replies to "troll" or "liar" or "fanboy" because he happens to disagree with whatever they're saying is well documented and should not be rewarded. If anything, twitter is the type of person that should not be part of the open source/free software community. He is an anathema to all that is good about free software.

Wow. You must have some TIME on your hands to put together such blather. Since it's obviously important to you, I'll take a few myself.

1) Your very first sentence is self contradictory, assuming that you meant "sycophant"... How can somebody be a sycophant and obnoxious/off-topic? Or did you not notice the word "flattery" in the definition?

2) This is slashdot. Here is where people spend leisure time and blather. Such as, for instance, your post. Get over it. Think of slashdot as the online equivalent of a bar. Some people talk too much. Some people really should shower more often. Some people wear clothes that were fashionable in the 80's. Get over it.

3) It's OK to not like Microsoft software. Probably 80% of my experience of cyberspace is done via Linux. I hate the worms, viruses, spyware, and general crap as much as the next guy. I love the clean, easy way Linux lets met at the guts of the system to result in a stable, secure platform.

4) Even if twitter is some lonely, desperate, delusional, megalomaniac karma whore, how is posting stuff on slashdot being "part of the open source/free software community."? Contributing software is "being part of the OSS community" - posting on slashdot is being part of the slashdot community!

Get off your high horse, dude. People are entitled to be a bit nuts - you'll probably figure that out (as most people do) when you get to be around 30.

Oftentimes, the nuttiest people are the most brilliant.

I remember a gentleman named "Gary". I won't give his last name. He was one of the strangest people I'd ever met. Remember "Revenge of the Nerds"? Well, the cast of that movie tried in vain to capture the spirit of Gary.

The kind of guy who really DID drive a mustard-brown, 20-year old station wagon at 35 MPH down the Interstate - stuffed to the gills with books, bird cages, a pet lizard, folding chairs, boxes of clothing obtained at a thrift store, and consumed Jolt cola bottles.

He attended community (There's that word, in this case, it was people in the area in which I lived meeting together) meetings that I often attended as well, meetings congressed to discuss legal and political issues.

Having talked briefly with Gary before, and figuring him for being partially mentally handicapped, it was a great shock when, during a speech on the history of the US Constitution, Gary raises his hand, and then spends several minutes giving a detailed, ornate, and incredible rendition of the history of an important event. (I could be wrong, but if I remember correctly it was the ending of the civil war)

I was shocked, and I wasn't the only one. Everyone I knew looked at each other in surprise and bewilderment. This? Coming from GARY!?

So, before you go knocking on twitter for having a good time mentally masturbating on slashdot, remember this old saying:

"There's enough good in the worst of us, and enough bad in the best of us, that it ill behooves any of us to thing the worst of any of us".