Advice for the K12 Tech Guy?
small fish asks: "I am a newly dubbed 'Technology Coordinator' for a K-12 school district. Things here technology-wise are not well. People here are ignorant technology-wise--which is fine, as being tech-savvy is my job. However, they do not seem to trust my judgment on anything except changing printer cartridges. I'm being measured against a former teacher who filled the role for a while and was VERY comfortable with using Microsoft products. Are there any other Slashdot readers out there in similar straits? If so, what advice do you have for me?"
"For starters, there is no firewall, all IPs are exposed to the public, they are relying on Windows NT 4 boxes to sustain operations, and they seem to love their Exchange for doing email and address books, although I have only one user who migrates between two different computers. The Exchange server died due to a spam overload and will not restart, so I set up a BSD box for handling mail and DNS. To make things worse, there is no real disaster recovery here and virtually no backup power. As I type my carpets are still wet from last night's rains that poured through the machine room wall - and this happens every time it downpours I'm told.
My coworkers do not want anything to do with Macintosh computers, they have never heard of Firefox, and Unix was a strange foreign word I had to explain to some before I gave up entirely. What tips do you have for surviving (even thriving) in this type of environment?"
This is good advice. If you walk in and dump everything for a concept that is totally unknown and alien to them, it does not matter if it's well thought out, they will oppose it and find fault with it even if there is none. And, as a post above suggests, don't roll out some huge untested plan, run a test program and build on its success.
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
I work as a consultant for a systems integration firm. We have a large number of customers who are K-12 schools. Many of the technology coordinators were the technology dude from last school year and need a lot of assistance. This might be a bit of rambling, because I don't have time to make it shorter.
First of all, your budget is going to be limited, while you might be able to get E-rate money to pay for a lot of network gear, and possibly some servers, you can't use E-rate for staff. You need to standardize so you get work done centrally. This allows you to hire 1 or 2 smart network admins, vs a horde of drones. Hardware, software, processes, etc... all need to be standardized. Get a good handle on what software you own and where it's installed. Put some policies in place to keep teachers from pirating software; which they will do in massive amounts. Make a business case to the administration that you need to have tight control on software and hardware. You can have every l33t tech teacher running around being their own little network admin for their cluster of 30 PCs only for so long, this will fail really, really badly. This isn't just about control, it's about establishing a consistent learning environment for students who will switch between classrooms and schools; as well as teachers, some of whom will have little or no technology experience and will be befuddled by 2000 computers that all act a bit different.
If you don't have a centralized imaging system, get one. Altiris is nice, Ghost is nice. CA makes a very nice (but pricy) product that will do scripted Windows installs as well as packaged or scripted app installs. Their best feature is that it will keep track of all your app installs and where they're supposed to be, reinstalling them automatically when you reimage PCs; basically handling all your license tracking for you.
Do you have network monitoring for when an errant broom handle takes out the power to a wiring closet? HP Insight manager will monitor your stuff and is reasonably easy to set up (also free). Obviously there are tons of other options, but you'll probably never find the time to devote a week to setting something (anything, anyplace) up.
Chances are you'll have people from 4 corners writing and being awarded grants that use technology. Get in on the ground floor with these folks, make sure they understand that computers need desks, network ports, AV licensing, etc... Establish an approved hardware list, and make sure people only buy stuff on the list. This reduces the number of types of printer carts you need to stock and PC images to build. Figure out a per PC cost for network support, make sure they build it into their grant.
Realize that the point of the network is to teach, not to push an ideology. Most businesses use Windows, you'll probably be using it too.
Again, centralize. Use login scripts, group policies (time to upgrade from NT to 2003), network based apps, etc... If you don't have some remote control software, at least on all the teacher and admin machines, get some - VNC is great.
Avoid peer-to-peer apps like the plague. One of my customers has a very nice (from a teaching standpoint) app called CCC. From a technology standpoint, it's a total nightmare. It even has a hardcoded backdoor password. To function at all, everyone has to have full control over all the files; guess how often a student nukes the database... Firefox is good, but chances are, you'll run into at least one app that only works in IE. Do you want to support 2 different browsers? A lot of educational software is poorly written. Your users won't be logging in as local admins, which will break a lot of apps. Make sure you test any apps before you buy them. Again, this goes to making the policies, users shouldn't be buying software until you look over it.
Make sure the department heads are with you and can enforce rules with their staff. You don't want each librarian at each school buying different card catalog software.
Obviously you h
You've got no money, no staff, no power, and a hazardous environment.
You are adept at unix/linux/bsd.
You are capable of writing scripts.
Forget expensive machines, you'll never get them.
If I were you:
Let the users run windows, it's good enough for the desktop, and you already have licenses for it (came with the machines, no?)
On the servers:
A firewall, pix ($350 on ebay)
A spam filter (repurposed pc)
An email server. Looks like you have that covered.
Try to get 1 windows 2003 server for active directory, stick the teachers on the same domain and play with the policies to get permissions right.
You will be setting up 2 networks: one for the school to get work done, one for students to play with: firewall them from each other.
Build your infrastructure on non-windows stuff. Keep exchange down.
Document everything.
Remember that you cannot secure the machines students have access to. Some will boot from CDs. Some will reformat and put linux on them.
Spend most of your money on hardware. You can code software from scratch, but you can't get "make" hardware.
Try to get graduates who have moved on to local colleges taking IT courses to help out. Offer internships for college students. Nothing like running a high school network on a shoestring budget to get your feet wet.
Use what little money you have left to buy a good library of books. I would stick with O'Reilly, Wiley and Sons, and Addison Wesley. Remember, the admin after you should be able to learn on the job.
For the teachers, they just want the stuff to work with minimal effort. Find out how many use hotmail or yahoo at home. You might be surprised. Ask them if they would be ok with a web-based email program.
The only thing that matters is that you deliver stable service. Doesn't have to be fancy, doesn't have to be fast. It has to be reliable.
Finally, a word of advice: document absolutely everything. Make copies of everything, and make memos of all conversations, and print them, and keep them in file folders. In a high-school, you have to be extra careful. But you knew that.
"Piter, too, is dead."
5 & 7: At my school we just rolled out images with DeepFreeze on them. Best thing ever. A lot of our boxes have <10Gb hard disks and the students' roaming profiles get huge after a year- having 50 of them on one hard disk (in a lab) will fill the disk up right quick- DeepFreeze prevents the profiles from sticking around after a reboot.
2: The one thing keeping us on exchange (OK, two things) is calendaring (and its cousin, scheduling meetings). We have an exchange calendar for everything. I know there are alternatives, but I can't justify the cost of switching since a parent donated our Exchange 2k3 licences for free.
Someone above said that a UPS isn't important. Bull shit. Maintaining your SIS records is one of your top priorities, next to the financial records. If those go down (especially in a disaster) your school (district) will have a harder time getting back on its feet.
When I first got where I am, my predecessor had spent the last 6-8 months doing nothing but putting out fires. The first thing I did was get the backend up to specs, and everyone (well, almost =P ) was happy about it- the servers were more reliable and people had fewer problems. Then I got all the computers running 2k or XP (also donated to the school) and most of the problems went away.
Good luck!
My workplace has a dozen people, very little turnover, and *must* use Windows because of a Windows-only primary application. However, security is very important in our industry. I hammered at them for weeks that IE and Outlook were the hackers' primary targets, and had countless holes in them. The transition to Firefox went fairly smoothly-- I told them to use it for everything except business-critical sites that required IE. I set up Adblock on Firefox and weeded out ads from the common sites.
Every week I send out a list of new security holes, and the impact. If it's an IE 0wn-u bug, I warn them not to open IE until the patch comes out. Every week, even if there are no new bugs, I warn them not to use IE, because there are still unpatched vulnerabilities.
I point out other businesses in our industry which have made the 5 o'clock news because they were hacked. And remind them not to open attachments or use IE, every time. Or we could be next.
After a few months, everybody is using Firefox all the time, and they don't think anything of it. They do not open email attachments, they install patches when I ask them (I check).
---
Go to each computer and clean each one for viruses, spyware, bad cookies. Log the results. Post the results, but don't use names. You are not trying to embarrass anyone, just trying to show them how their systems have been obeying some other masters. Tear down their SEP fields. Discredit the "don't ask, don't tell" security policy. ("If I don't know my system is hacked, then it doesn't affect me.")
Put in a firewall. Log everything. Open up every legitimate outgoing port, for AIM, Folding@Home, whatever. Show them the attacks.
Show them logs from trojans phoning home. Chances are nobody is running a legitimate chat server, or is doing ftp or heavy traffic late at night.
Get them to *pay* for their software. (This may be the hardest.) As long as they are stealing software, Windows is an obvious, though short-sighted win. But when you point out the increase in piracy lawsuits, and get them to use only legal software, $3000 for Exchange (Exchange/CALS/OS) seems pretty pricy.
Switch out a couple systems (from volunteers) for Macs. They can coexist. I use my Powerbook 50% of the time at work.
Insist on installing OpenOffice on all systems, but that either MS or OO can be used. Insist that all Microsoft Office software be paid for. Ask them for reports or forms in PDF format, then act astounded that MS Office can't handle such a simple task. Insist that all software be paid for. Include 0wned bugs for Office in your weekly report. Mention at the cooler that the only viruses that exist on the Mac are Microsoft Office viruses. Point out new vulnerabilities found in Office apps, and what they allow into their systems.
Insist that all software be legit. Not pirated. After all, it's a lawsuit-happy world out there, and Microsoft is getting more willing to go after those pirates.
Expect the whole process to take a full year.
* Hammer home the security risks. Don't let them hide behind their lack of knowledge.
* Firewall-- first thing. Close off everything they don't use. Then tighten the worst holes.
* Firefox-- second thing. Your spyware scans should back you up. Mandatory install on every system, and lock down the settings in IE (using group policies on xp/2k workstations) every time you touch someone's system.
* Use the MBSA to scan all the systems weekly. It's fairly automatic, but you get to see who's refusing to keep up with patches.
* Mandatory OpenOffice install, but optional to use. Request PDFs for the school website and forms.
* Hammer home the piracy idea. Lawsuits. Lawsuits. Lawsuits. Bad publicity. They are sending a message of lawlessness to the students.
Everyone is entitled to his own opinions, but not his own facts.
One of your biggest problems is going to be spyware, do yourself a favor and set up a DNS blackhole. We've set this up here at the Iberia Parish school district in Louisiana and love it.
Get some kind of imaging software like Symantec Ghost, try to keep your software installations as identical as possible.
Give each user a share on the server and make them save their documents there instead of on their hard drive (you can redirect My Documents to a share with Group Policies). Makes recovery much easier when you need to replace a hard drive, or re-image a Windows install that's overridden with viruses/spyware/etc.
Leave Windows on the workstations, but install Linux on old servers to be used for DNS/web caching/samba/whatever.
When you set up your firewall be sure to block the ports of AIM/Yahoo/MSN/IRC/Kazaa/Gnutella/and whatever else you can think of. If you don't, I can promise you the students will do nothing but chat and download music all day.
I was a tech in a secondary school so this may not completely apply...
1. Log everything.
2. Review your logs.
Logs are what allowed me to discover a student logging in to a restricted teacher area, a number of weird log entries (logins at 4AM) which led me to a number of compromised machines, etc.
3. Imaging software is your friend. Ghost, Acronis, even dd if you have to. Machines will be compromised, messed up, or even residual files will be left over summer. I went as far as building the image to automatically ask for the machine name and I could reimage a lab of 30 workstations in under 30 minutes.
4. Disable downloads.
This is the only thing that kept me on IE - you can choose to disable downloads. We had to tweak it a bit by adding a number of sites to one of the zones (to allow downloads from intranet, etc) but it really cut down the support calls.
5. Ticketing system. This may or may not work (it didn't for me as problems were always phone calls or walk ins), but if you need to justify additional spending/resources, it's great to be able to say "I handle X calls a month. Give me $Y and I can reduce calls from X to Z". If you do a lot of site visits, write down what you do.
6. Each student signs an AUP. No AUP, no account. Most students won't be a problem, but a few will decide to "test" your network security and you need to be able to keep them off the computers.
7. Watch how your resources are used. Every Friday I'd run a scan for files in home directories over 1MB. This caught most of the MP3's, games, etc while filtering out the Word documents. My AUP (also posted in each lab) stated academic use only, so anyone with MP3's had to explain themselves.
8. Get the staff on your side. You can't be everywhere and they're the ones who will be in the labs - picking weak passwords, allowing locked-out students to "borrow" another account, etc. Administration will be dealing with problem students and they need to know why things are a problem. They're not techs.
At the end of the day, you're a support service. You exist to support staff and students. There might be better ways, but non-techs need to use it. Don't bore people with details (they don't need to know that you've migrated from NT4 domains to a samba server. It's just an upgrade) - but, samba needs to work if you do this. Gradual transitions - don't take Word away and replace it with OpenOffice. Install both for the year.
I use Macs to up my productivity, so up yours Microsoft!
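The log review described in items 1 and 2 of the comment above (a student account in the restricted teacher area, logons at 4AM) can be automated along these lines. This is an added example, not code from the original post; the log format, the share name `teachers`, the group names and the 06:00-22:00 window are all assumptions.

```python
from datetime import datetime, time

# Constructed sample log lines in an assumed "timestamp key=value ..." format.
SAMPLE_LOG = """\
2005-03-14T08:55:10 event=logon user=mlopez group=staff host=OFFICE-03 share=teachers
2005-03-14T10:12:44 event=logon user=s.kim07 group=students host=LAB2-11 share=students
2005-03-14T13:30:02 event=logon user=s.kim07 group=students host=LAB2-11 share=teachers
2005-03-15T04:02:37 event=logon user=jbrown group=staff host=LIB-02 share=teachers
2005-03-15T04:03:09 event=logon user=jbrown group=staff host=LIB-02 share=teachers
malformed line without fields
"""

RESTRICTED_SHARES = {"teachers"}        # assumed name of the staff-only area
SCHOOL_DAY = (time(6, 0), time(22, 0))  # assumed window for normal logons


def parse_line(line):
    """Return (timestamp, fields) or None when the line does not parse."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        stamp = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    return stamp, fields


def review(log_text):
    """Return a sorted, de-duplicated list of (host, user, reason) findings."""
    findings = set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[1].get("event") != "logon":
            continue
        stamp, f = parsed
        who = (f.get("host", "?"), f.get("user", "?"))
        if not SCHOOL_DAY[0] <= stamp.time() < SCHOOL_DAY[1]:
            findings.add(who + ("off-hours logon",))
        if f.get("share") in RESTRICTED_SHARES and f.get("group") != "staff":
            findings.add(who + ("non-staff account in restricted share",))
    return sorted(findings)


if __name__ == "__main__":
    for host, user, reason in review(SAMPLE_LOG):
        print(f"{host:10} {user:10} {reason}")
```

An off-hours logon by a staff account points at the machine as much as the person, which is how the 4AM entries in the comment led to compromised hosts.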
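The weekly scan from item 7 of the comment above (files over 1MB in home directories) could look like the following. This is an added example rather than the poster's script; it assumes one directory per user under a common root, and the sample tree it builds is constructed.

```python
import os
import stat
import tempfile

THRESHOLD = 1024 * 1024  # the 1MB cut-off mentioned in the post


def scan_homes(root, threshold=THRESHOLD):
    """Return {user: [(size_bytes, relative_path), ...]}, largest file first."""
    report = {}
    for user in sorted(os.listdir(root)):
        home = os.path.join(root, user)
        if not os.path.isdir(home) or os.path.islink(home):
            continue
        hits = []
        for dirpath, _dirs, files in os.walk(home):  # does not follow symlinks
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)  # lstat: a link is never counted as a file
                except OSError:
                    continue  # file vanished or is unreadable; skip it
                if stat.S_ISREG(st.st_mode) and st.st_size > threshold:
                    hits.append((st.st_size, os.path.relpath(path, home)))
        if hits:
            report[user] = sorted(hits, reverse=True)
    return report


def build_sample_tree(root):
    """Constructed sample data: two small documents and two oversized files."""
    samples = {
        "akhan/essay.doc": 40_000,
        "akhan/music/track01.mp3": 3_500_000,
        "bwong/notes.txt": 2_000,
        "bwong/setup.exe": 1_200_000,
    }
    for rel, size in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.truncate(size)  # zero-filled file of the requested size


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for user, hits in scan_homes(root).items():
            print(user, [(f"{s / 1e6:.1f} MB", rel) for s, rel in hits])
```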