Slashdot Mirror

← Back to Stories (view on slashdot.org)

Should Colleges Monitor Students' PCs?

Posted by Cliff on from the a-single-critical-point-of-failure dept.

dancedance asks: "I am a CS student at a small Liberal Arts college. Like most academic institutions, we have to deal with worm-infested computers being brought into the network from the outside. In the past the school's response has been to require all windows computers to install the virus software provided by the school. Although this helped protect the network, it was certainly not a complete solution, especially at the beginning of the school year. This year computing services is taking a more proactive approach to network security: it is requiring all Windows-based computers to install software which will allow the school to automatically update virus software, apply windows patches, install software 'deemed necessary' for network security, and 'report on the status of your computer'. This seems like a 'one step foreword, two steps backward,' approach to network safety as I fear that, under this system, a malicious user would only have to break into one central system to wreak havoc on the entire network. Are my concerns about this system well founded, or is this less of a problem than I make it out to be? Are similar policies getting implemented at other academic institutions?"

11 of 554 comments (clear)

  1. Education by agent+dero · · Score: 5, Interesting

    Colleges are for education, for those students who most likely won't know already about protecting their computers, make them take a class on how to do it. And if their computers turn out to be infected afterwards, ban their MAC from the network until they prove otherwise.

    Students are at college to learn. Educate them :)

    --
    Error 407 - No creative sig found
    1. Re:Education by EvanED · · Score: 5, Interesting

      You don't want to disable this though, so they can still use lab computers.

      Here at PSU you must register your computer's MAC address and your dorm room and the port you plug your computer in within your room. If you change your MAC address from what's on file, you can't connect. If you plug into another port, you can't connect.

    2. Re:Education by binarybum · · Score: 5, Interesting

      I like this restricted subnet leper colony idea. A healthy network is one that runs well independently of how crapped out end nodes are. I think in this day, it is best to develop networks that assume that every node is a virus-ridden maggot that could potentially be a threat. Networks that rely on users keeping their systems tidy will not scale well and will invetibaly become weaker by not having to deal with minor day to day issues due to an intially placid user base.
      By moving "leper" systems into a restricted subnet until they prove themselves cured, you minimize the risk to your infrastructure without completely terminating access. Additionally, people that let their systems become infested usually will not be power users and may not even notice/mind the restricted access state.

      --
      ôó
    3. Re:Education by Anonymous Coward · · Score: 4, Interesting

      As a network admin (Network Nazi, thank you very much) I know the effects of having just one compromised pc on the network. With all the viruses out there that spoof email addresses, I know instantly when an infected pc comes online (I get an email from every server that gets attacked by a virues...)

      On one hand, I commend the university staff for trying to keep everyone safe. Nothing worse than one infected pc spreading through the windows "security flaw" flavor of the week and dragging everything down.

      On the other hand, they are taking on a huge responsibility to keep the students pc's running. Case and point - we demand that everyone on our network runs McAfee and is kept up to date with patches. One lady in admin installs McAfee so that she can use her home pc to connect (via Cisco VPN,) and the whole pc stops blows up. I ended up spending 10 hours (6 hours trying to fix what went wrong, the other 4 giving up and reloading the damn thing.) Add to that getting grief the whole time because "This wouldn't have happened if I didn't install that.." Nevermind the spyware that was already installed.

      Moral of my rant? Don't do this kind of thing unless you have a mass of cheap labor (college kids who are on work/study,) and are allowed to fix what went wrong when it most likely will.

  2. It's a good thing and a bad thing by Coldeagle · · Score: 4, Interesting

    I believe that as long as it's network security things, it's a good thing; however I would investigate any software they want to install on my system before I say yes or no. My work has a similar policy and I don't really have a problem with it on my laptop, because I did some checking and they can't do anything but patch security holes, and it lakes anything that infringes on privacy (such as reporting what websites are being hit, password loggers, etc), so if the software it self doesn't infringe on privacy, I think it's a good thing, well with Window$ machines at least :P

  3. Use a carrot, not a stick by Aneurysm9 · · Score: 4, Interesting

    My school has taken a similar route, however, we're not pushing patches onto end users, but requiring that they authenticate and verifying that they're up to date before letting them out into the wild. If they fail the verification they're provided resources to update their computer, but we don't push the patches without their consent.

    --
    There was Cowboy Neal at the wheel of a bus to never-ever land.
  4. Same experience by AgentOJ · · Score: 5, Interesting

    I'm in the same boat as you. I work for computer services at my college, and we went through the exact routine you did. Originally we were using Novell (ugh) to push the antivirus updates, but we're moving away from Novell next year. I'm still not sure exactly what we're going to be doing as far as mandatory updates go, but something needs to be done. Our firewall is fine for blocking worms coming from the outside, but the minute a student opens the wrong kind of attachment, all hell breaks loose on the internal network.

    I've brought up this issue with my superiors, but they have always told me that any intra-network segregation would be too costly for our meager budget to handle. Though draconian, it has gotten to the point where I almost feel that we should turn off most outbound connections at the switch level between dorms...that way the problem is confined to a single dorm. If a user could give good reason why they needed ports opened, we could grant them that.

    Nothing, however, will stop users from opening attachments. We've tried user education, and it just doesn't seem to work. Aside from banning outlook (our biggest problem is with mass-mailing viruses) on campus, does anyone have a cost effective solution that a small private college can implement?

  5. Don't do this by EvanED · · Score: 5, Interesting

    I would forgo high speed internet access and dial up, then use lab computers for fast internet access before I would submit to this.

    Simply cut off any computer that is sending packets trying to exploit a hole, like Blaster or whatever. Hell, commercial ISPs don't even do this unless it's really really bad, let alone require such software to be installed.

    I would have no problem with requiring users to install the latest security patches or virus software and keep definitions up to date, but no campus network service is gonna be installing stuff on my computer.

  6. The college is question is Wheaton. by Vellmont · · Score: 4, Interesting

    A little investigation reveals Mr Sanford (dancedance) goes to Wheaton College in IL. Why are you so vague about which college is doing this Mr Sanford?

    --
    AccountKiller
  7. Then it is simple: by Avihson · · Score: 5, Interesting

    You do not connect!

    If you want to use the facilities, you follow the rules. The only vote you get is with your feet. Their house - their rules.

    If I didn't trust the IT department, I would never hook up anything that I personally value to their infrastructure. I would (ab)use their equipment, and save my data on a thumb drive.

    I've been that route: last semester, I was a part-time instructor at the local CC and knew that the IT Dept was full of mediocre windows power users - not even an MCSE in the bunch.
    I was hired to teach a Linux course, and was not permitted to connect those "insecure" machines to the LAN! Before every lab session, we had to disconnect the lab switch from the network, so there was no possibility of "hacking" into the school's network. I wasted about 15 minutes trying to educate the IT manager, before I figured it was better to let him stew in ignorance, since they were not paying me to educate him.

    Never argue with an idiot, they drag you down to their level and beat you with experience.

  8. Liberal Arts colleges and OS choice by wing03 · · Score: 4, Interesting

    A few factors to consider here

    1. Liberal arts college
    2. Artsy fartsies
    3. Starving students or parents who are budget conscious.

    I went to a liberal arts college too, and as a graduate looking back on that experience, I have one observation.

    As much as we liked to think we are expanding our minds, thinking outside of the box and bucking trends, the majority of us still went for the path of least resistance and followed the herd because it was so difficult to be the iconoclast and march to the beat of a different drum.

    What that means is that the vast majority of computers will be M$ based. A few windbags will talk about Linux vs the evil corporate M$ (not having any idea what BSD, BeOS or any other marginal open source OS is). They will either try to install the OS or get a friend to do so.

    Over time, they'll not have a clue about what's going on, go back to Windows, graduate and become a sales and marketing jockey for one of those companies they crapped all over during their idealistic days in university.

    But hey, what do I know? I'm just another jaded IT worker who happens to have a liberal arts education....