Slashdot Mirror


Should Colleges Monitor Students' PCs?

dancedance asks: "I am a CS student at a small Liberal Arts college. Like most academic institutions, we have to deal with worm-infested computers being brought into the network from the outside. In the past the school's response has been to require all windows computers to install the virus software provided by the school. Although this helped protect the network, it was certainly not a complete solution, especially at the beginning of the school year. This year computing services is taking a more proactive approach to network security: it is requiring all Windows-based computers to install software which will allow the school to automatically update virus software, apply windows patches, install software 'deemed necessary' for network security, and 'report on the status of your computer'. This seems like a 'one step foreword, two steps backward,' approach to network safety as I fear that, under this system, a malicious user would only have to break into one central system to wreak havoc on the entire network. Are my concerns about this system well founded, or is this less of a problem than I make it out to be? Are similar policies getting implemented at other academic institutions?"

6 of 554 comments (clear)

  1. Education by agent+dero · · Score: 5, Interesting

    Colleges are for education, for those students who most likely won't know already about protecting their computers, make them take a class on how to do it. And if their computers turn out to be infected afterwards, ban their MAC from the network until they prove otherwise.

    Students are at college to learn. Educate them :)

    --
    Error 407 - No creative sig found
    1. Re:Education by EvanED · · Score: 5, Interesting

      You don't want to disable this though, so they can still use lab computers.

      Here at PSU you must register your computer's MAC address and your dorm room and the port you plug your computer in within your room. If you change your MAC address from what's on file, you can't connect. If you plug into another port, you can't connect.

    2. Re:Education by binarybum · · Score: 5, Interesting

      I like this restricted subnet leper colony idea. A healthy network is one that runs well independently of how crapped out end nodes are. I think in this day, it is best to develop networks that assume that every node is a virus-ridden maggot that could potentially be a threat. Networks that rely on users keeping their systems tidy will not scale well and will invetibaly become weaker by not having to deal with minor day to day issues due to an intially placid user base.
      By moving "leper" systems into a restricted subnet until they prove themselves cured, you minimize the risk to your infrastructure without completely terminating access. Additionally, people that let their systems become infested usually will not be power users and may not even notice/mind the restricted access state.

      --
      ôó
  2. Same experience by AgentOJ · · Score: 5, Interesting

    I'm in the same boat as you. I work for computer services at my college, and we went through the exact routine you did. Originally we were using Novell (ugh) to push the antivirus updates, but we're moving away from Novell next year. I'm still not sure exactly what we're going to be doing as far as mandatory updates go, but something needs to be done. Our firewall is fine for blocking worms coming from the outside, but the minute a student opens the wrong kind of attachment, all hell breaks loose on the internal network.

    I've brought up this issue with my superiors, but they have always told me that any intra-network segregation would be too costly for our meager budget to handle. Though draconian, it has gotten to the point where I almost feel that we should turn off most outbound connections at the switch level between dorms...that way the problem is confined to a single dorm. If a user could give good reason why they needed ports opened, we could grant them that.

    Nothing, however, will stop users from opening attachments. We've tried user education, and it just doesn't seem to work. Aside from banning outlook (our biggest problem is with mass-mailing viruses) on campus, does anyone have a cost effective solution that a small private college can implement?

  3. Don't do this by EvanED · · Score: 5, Interesting

    I would forgo high speed internet access and dial up, then use lab computers for fast internet access before I would submit to this.

    Simply cut off any computer that is sending packets trying to exploit a hole, like Blaster or whatever. Hell, commercial ISPs don't even do this unless it's really really bad, let alone require such software to be installed.

    I would have no problem with requiring users to install the latest security patches or virus software and keep definitions up to date, but no campus network service is gonna be installing stuff on my computer.

  4. Then it is simple: by Avihson · · Score: 5, Interesting

    You do not connect!

    If you want to use the facilities, you follow the rules. The only vote you get is with your feet. Their house - their rules.

    If I didn't trust the IT department, I would never hook up anything that I personally value to their infrastructure. I would (ab)use their equipment, and save my data on a thumb drive.

    I've been that route: last semester, I was a part-time instructor at the local CC and knew that the IT Dept was full of mediocre windows power users - not even an MCSE in the bunch.
    I was hired to teach a Linux course, and was not permitted to connect those "insecure" machines to the LAN! Before every lab session, we had to disconnect the lab switch from the network, so there was no possibility of "hacking" into the school's network. I wasted about 15 minutes trying to educate the IT manager, before I figured it was better to let him stew in ignorance, since they were not paying me to educate him.

    Never argue with an idiot, they drag you down to their level and beat you with experience.