Slashdot Mirror
Securing a High School Windows XP Computer Lab?
An anonymous reader asks: "My SO just inherited a computer lab from a departed teacher who was no security guru. These are Windows XP systems, and security basically consists of a password on the admin account, a subscription to McAfee Security Center, and a free Internet filter. The students have access through a non-passworded 'limited' user account that doesn't seem to limit much. They have been going in and changing settings, downloading games and music, and generally screwing the computers up during class time, in many cases leaving them unusable. As the geek in our house, she has asked me to give her a hand, but while I have dealt with some security issues in the past, it was to protect against remote intruders, not against someone who has to have access to the keyboard. Any suggestions on the best way to lock these systems down?"
95% of the answers given here are going to be smartasses telling you to install Ubuntu.
Lock the door.
Policy editor combined with logging in to a domain with a restriced account seems to make life difficult enough for me on my work lappy.
Why not convince the school that linux would save them tons of money, and wont ever have a problem with kids getting in to things. All they need is a browser and Open Office!
Just me
The only way that I have seen it done is using Novell or Microsoft's Server Software. Both of which are pricey. Although you may be able to find something from them for a smaller lab.
/fuck myspace surfing at school
Kids reading this: Load quake 2 onto USB or CD-Rs and dump it into a directory you and your friends have access to. Keep a word document open and alt tab as needed.
-nick
http://www.microsoft.com/windowsxp/sharedaccess/de fault.mspx/
m /
Is a good place to start for newbies. Or if these are XP pro machines you can use gpedit.msc (start->run->gpedit.msc)
If these are XP home machines try this http://www.dougknox.com/xp/tips/xp_home_sectab.ht
Set up the machines to run in a VM environment. When the host OS boots and logs in, make a copy of the VM and run that. When they exit, destroy it.
Get off my lawn.
The easiest thing to do is to lockdown the user account that the students use. It is unacceptable from a security standpoint to allow them access to more than being able to run simple preinstalled apps like Firefox, MS Office, etc. It sounds like you're not running on a domain based on the fact that it is a simple 'limited' account. I'm not really in a position to go into the details of XP security in a quick reply, but it is possible to lockdown a user account very tightly in XP on a domain. In a corporate environment, users typically can't even install things like print drivers without admin rights.
Comment removed based on user account deletion
First off, the part you'll be authorized to use is almost exactly like Windows. Here's the login screen. Here is the "Start" button. This is your web browser, word processor, etc.
These machines will NOT run most of the applications you have at home. We want it that way.
http://www.faronics.com/ has a program called deep freeze, its not free, but after implementing it in several of our public labs it cut down just about all the troubles. Just reboot and the thing is exactly how it was when you froze it.
Please note i'm not associated with faronics or deep freeze in any way, just found the program useful and thought it might help you out.
No, Really. Drop on somethign easy to use like ubuntu, set up a single, very limited user account, and have the students login to a fileshare that requires login. Have a link on the Desktop that asks for username and password and uses sshfs if you want simplicity.
You're going to hear a lot of "install Linux" comments and a lot of "linux sucks" comments in reply to them. I'm not going to go there. Assuming you're looking for some minimal security, not a whole architecture revamp, look into some good backup software, make a clean install image with everything you want on it, add a network storage server (Linux?) for persistent data, and just periodically wipe the machines and replace them with a known good image. Keep the image up to date, virus scan the network storage, and you're probably going to be fine.
Setup individual accounts for each student. Anything else is insane as there is no way to discover who did what.
reimage each machine every night.
Make sure they are on a differnent subnet from all of the admin computers and that the only path to the admin computers from the labs is down through a router.
Files must be stored on a locked down server. Or students own USB drives.
Otherwise. Remove all the hard drives. Lock the door and update resume.
This is my suggestion.
Hail Eris, full of mischief...
E pluribus sanguinem
It could well be all you need.
http://www.faronics.com/html/deepfreeze.asp
If you lock them down, they'll work but you'll have a lot of complaints as people are restricted from using the computers for any purpose you haven't specifically allowed. In a business environment, this is fine, you pay the people to work and they aren't using the computer as a toy. In an educational environment though, you want students to be able to experiment.
What I would do is try to create a network disk image that could be quickly and easily reverted to when the machines inevitably get messed up. Let the students play and learn, a large part of learning is in messing things up and trying to fix them.
All movements for social change begin as missions, evolve into businesses, and end up as rackets.
Are most of the machines the same? Of so, set one up properly and make an image of the hard drive with Ghost or a similar program. At least then you'll have an easy way to restore it when they mess it up.
Coder's Stone: The programming language quick ref for iPad
Get a system to be a domain controller. Lock that DC far away from everything else. Reformat the machines and configure them according to this: http://www.nsa.gov/snac/downloads_winxp.cfm?MenuID =scg10.3.1.1. It'll pretty much prevent any silly things with the keyboards. Also disable the local admin accounts after the machines join the domain and don't give anyone the domain admin password or privilages except those who need it.
This is the only way I've found to keep people from messing up Windows Machines.
Take away admin rights, they surely don't need them. Your savings are two fold. 1) You've just mitigated 99.9% of spyware and Viri 2) Less time needed to keep spyware/viri off, as well as keeping your boxes from becoming bit-tortent or other P2P server and or a spam zombie. http://richrumble.blogspot.com/2006/08/anti-admin- vs-anti-virus.html
http://clintonforbes.blogspot.com/2006/10/10-pros- cons-of-switching-from-windows.html (read the second to last paragraph of that blog)
-rich
It works great if there is no persistent state that needs to be kept on the computers. Persistent state can be kept on network shared drives or removable media.
...and pray that they don't have blasters.
It's free, and designed for XP and schools and libraries. It's pretty easy to install and configure too, if you know how to repartition your drive using Partition Magic. I use it, so reply if you want hints on getting it to work. You need WPA, and Hive cleanup service installed for it to go. It lets AV programs update, and Grisoft gave me a script to make it work with the SCT Windows Desktop Protection. Just reboot, and changes are gone, unless you save them first. Have the computers update overnight, because it doesn't work when people need to use the computer.
Naked under my flag.
As a network admin I am in charge of 3 windows labs(high schools) and 35 Mac OSX labs, amazingly I used to have to spend more time working on the 3 windows labs than the 35 mac labs put togather. I encouraged my department to purchase Deep Freeze and have not had to re-image a machione (other than yearly maintenance) since. I dont ushually promote products but Deep freeze really is an amazing piece of work, it was simple to install and configure and any change that a student makes to the computer gets reset back to the defaults on then next reboot. Its amazing that in june the machine is exactly the same (except for updates) that the machine was in september. With the proper settings you can configure deep freeze to boot in thawed mode (meaning changes will stay) with the keyboard and mouse disabled, run anti virus and windows updates than refreeze we have this set to happen at 2am twice a week. I can remotely thaw or freeze computers from my desk accross town. All in all even though the software is not cheap it has paid for itself multiple times in saved labour and hassle.
1) Download KNOPPIX
...
2) Burn KNOPPIX
3) Boot KNOPPIX
Well, I said it was simple. Just might not be what you wanted. If you want to really lock them down, install knoppix in kiosk mode (system disk is write protected, simply reboot and you are back to normal).
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
The school that I used to intern at had a great solution for the public terminals. Email me and I'll refer you to the SysAdmin over there.
Help me get a new laptop - http://nocreditcard.yourgiftsfree.com/?id=3012
Reinstall XP on each machine first thing. Theres no way you can uninstall the rootkits spyware etc.
Next create one or multiple student accounts, possibly one for each student so it can be traced, and lock it down. By that I mean take away write access to c:\,c:\windows,c:\windows\system32\ most program files folders etc. In short, they should only be able to write to their desktops, and other profile folders. If they cause a mess just delete the profile folder and let them login to recreate it.
Apart from that, of course get firefox and find a way to force it, like link iexplore.exe to it. Make sure you install all programs and printers that they should use and take away printer, device driver and app install privileges from that group. Done.
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
Hopefully it'll be fixed with other mods and meta-mod.
Mr. Universe: "They can't stop the signal, Mal. They can never stop the signal."
basically.. kids being kids.. good luck with it..
rather than try to prevent disaster.. embrace it..
just make an image of the workstations (or a single image if they're identical hardware) and then have the machines re-image themselves every night.
every morning you have a clean install, free of key loggers, spy-ware, macro viruses, etc..
hell.. you could probably go so far as to ditch the AV software.. just keep the admin network routed/firewalled seperately from the student network.
My high school had a similar issue, and their reaction was simple. They removed all - ALL - but maybe five programs from the start menu. If you wanted Microsoft Office or Internet Explorer, you were in luck. Anything else...well, not so much. If that wasn't bad enough, they also removed access to Windows Explorer, which made using things like USB drives virtually impossible, meaning that, because of the exceedingly strict filter, the only possible way to send files home at all was floppy, and even that was strongly discouraged.
This was two years ago, mind you.
Whatever you do, don't go that route. Someone will always find a way to break the system and to have fun with it, but it's entirely possible to make the computers so dysfunctional that they lose any value as an academic tool.
Goo goo g'joob.
Comment removed based on user account deletion
But definitely tighten restrictions on the accounts that the students log in with. You can tighten security to the point where they can't install software or even save files to the hard drive (requiring external media to save their documents, if that's how you want the system to work). You can use Windows Server for managing accounts, but it sounds like overkill in this case (since Windows Server is geared more toward corporate environments, not labs that use only one or two login names).
Preventing access to things like myspace.com can be done with a simple null route in the c:\WINDOWS\system32\drivers\etc\hosts file.
And keep the virus scanner running and updating itself at all times!
If you want to restrict their web browsing then you could set up a proxy or a license with something akin to NetNanny. This is also handy for blocking ports so that IM software won't be able to get in or out (or even between), if they find a way to run it.
/* No Comment */
Deep freeze worked well in our labs until we bought enough Ghost Licenses. You set it up on a base configuration, then whatever the little creeps do will be wiped out by a reboot and deep freeze will return the computer to that base configuration. http://www.faronics.com/html/deepfreeze.asp
A good solution if you are concerned about generally maintaining the same exact image consistently when people use the machine is to utilize Deep Freeze. In our IT Department at a medium-size University (10,000 students) we use Deep Freeze extensively to keep students from ruining lab computers. Deep Freeze is as others have mentioned, a virtual partition system. Each time you reboot the machine, the original image you had is restored and any changes wiped (only files kept in the "Thawspace" are maintained, all others are lost). This means that no matter what your students do, the machine will be restored on bootup.
Now, if you want to further limit what they can do, you can make many changes to the registry in windows to block users from doing many things such as using the "run" menu, installing applications or a number of other things as simple as changing screen resolution or color depth. Once you set everything up and create the image of your restricted setup, Deep Freeze will maintain it every time for you.
You can get Deep Freeze from here: http://www.faronics.com/ or look there to find out more information about how it works.
We have tried other products in the past that claimed to "restrict" Windows such that users could not make harmful changes (e.g. OnGuard) but none of the ones we utilized were able to be fool-proof and stop students from getting around it or messing something up. Short of reformatting the machine Deep Freeze is pretty hard for the student to get around. Thawing the machine to make changes requires a lengthy key combination to even bring up the password box (key combination is customizeable by you), or you can enter a key combination on bootup to access the password box to thaw the machine. You can also maintain the systems through a Deep Freeze console so you can admin all the machines at once and even push new images to them that way.
That's my three cents on how we do things in an Academic environment, but our general policy has been slight restrictions but allow them a lot of free reign - except we reset the system every time it is rebooted. I'd suggest for Middle and High school to implement a lot more restrictions on the base image that you use with Deep Freeze than what we have here at the University level.
"To strive, to seek, to find, and not to yield." - Tennyson
first, disable the cd rom (no bootable linux cds)
second, remove the run command from the start menu through group policy.
third, disable the hot keys for run.
fourth, make the password for the admin account 15 characters long so the usual password hash rainbow tables won't be able to insta crack it.
password protect the bios so that the smart kids can't change the boot order to boot from usb. that'll prevent them from getting the sam files.
make an image and store it.
Your sig(k) has been stolen. There is a puff of smoke!
No matter what you do, sufficiently motivated students will hack their way around it. At least, that was my experience in high school. It doesn't even matter if you try stuff like BIOS passwords, etc. -- the students have physical access to the machines, or at least can con the teachers into getting it (e.g. in order to fix a problem, unless you've got a much less understaffed IT department than my school had).
So what's the solution? Give up, and let them do it. Re-image the machines if they get screwed up, discipline the students if they do something unacceptable (e.g. download porn, etc.), and don't waste your time bothering with anything else.
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
Have you tried the above link on an XP home machine? The MS website says it is for Win NT and Win 2K.
science is a religion
Remove all the power cords, and put epoxy in the resulting empty power sockets.
From experience, here's what you need to do.
First, lockdown all accounts. Some people mentioned Deep Freeze, some people mentioned group policy. My old school used Active Directory with group policies, so yearbook students and teachers could save files to the central server.
Take away the Task Manager, right-click, and Internet Explorer. Those are the most common amateur attack vectors. I'm at Oregon State University, and have had no problems compromising the "locked" computers here simply because they left me with Internet Explorer. Replace it with Firefox, and read the Firefox docs on how to lockdown the browser settings.
Tell teachers to supervise kids in computer labs. There was one lab at my old school which kids stole drives, memory, and fans from all the time simply because the teacher in that lab was incapable of monitoring his students. It was bemusing but also expensive.
~ C.
Between 1990 and 1996 I had a high school computer lab. It was a time when the school's computers were better than what most of the kids had at home. Thus there were lots of kids who wanted to stay after school to play with the school's machines. The deal was simple: You can do anything you want with the school's computer as long as it is available for use the next morning. It worked well. Other than hardware problems, I had approximately 100% up time. We never had a machine go down due to a virus. I also learned a lot about security for Win 3.1 and Win 95. Everyone benefitted.
The college where I work now uses Deep Freeze. I agree with several other posters: it's good. Before we got it, we had at least a couple of times when the school's entire network was down for days because of a virus. Since we got it there have been zero such problems.
1. Virus protection is a good start.
2. True limited user accounts where the students have only User level rights. Make accounts individual per user, you'll need a domain controller if there is not already one to accomplish this however. (Depending on scope you might be able to rededicate one of the machines as a DC)
3. Force password changes on a monthly basis, to help stop the passing around of passwords.
4. Secure the Domain Admin account, a good idea is share the account between two users, each with only half of the password.
5. Remove all local user accounts, and rename the local admin account, disable guest if it is enabled.
6. Content Filtering Proxy, if it can be budgeted for...
7. Microsoft SMS Server, but now things are starting to get expensive
Power Corrupts,Absolute Power Corrupts Absolutely, leaving one person(group)in charge is absolutely corrupt.
When I was going through High School and Junior High we took the If you didn't need to see it or use it you couldn't approach. Internet acess was limited by http://dansguardian.org/ with a proxy at the Junior High lvl that only the teachers had the password for. This education system was parinoid about passwords too. I remeber finding a password only to have it change by the end of the month. We used limited account acess that only granted acess to the programs that were needed. All labs had similar hardware so we made one static disk image with Norton Ghost for each lab. Should a teacher ever feel a computer was some how comprimised they just inserted the CD and bingo clean working useable system again in about 15mins or so. The internet filter is going to be the best bet though. Get that clampped down block all ports but http/https for students. When there find out there games and music software don't work they will stop trying for the most part. Don't be afraid to make examples of students that are trouble makers they know the teachers they can walk over and practice there malicious hacking on. YMMV per district, but last I checked computer time is still a privliged class there is always the typerwriters for typing skills classes.
Disable the right click mouse button. When I was in high school, our teacher did this along with restrictive permissions on users.
Yeah! that will fix so no one can get anything done. Eventually all the computers will go unused (or should I say no one will attempt to use them) and they can all be discarded.
What a great idea!
What is it used for?
Most of the student won't try to break things, but a few assholes will so you have to make sure they can do the least amount of damage possible. Unless, of course, you feel like cleaning things up daily.
You could also get an Active Directory domain and push the restrictions that way. I prefer to script it since I prefer to have my servers run Linux.
"It ain't a war against drugs.it's a war against personal freedom" --Bill Hicks
Comment removed based on user account deletion
We use DriveShield to secure around 5000 student PCs with WinXP at a community college. It works like a champ and doesn't seem to interfere with any known applications. http://www.centuriontech.com/products/driveshield/
Users can manipulate the desktop, install software, change settings, and download potentially harmful files from the Internet! A simple reboot of the computer restores it back to the administrator's pre-defined pristine configuration. DriveShield(TM) and MacShield(TM) simply wipe the session changes free... leaving the computer like new.
Additionally, DriveShield(TM) and MacShield(TM)protect the computer from viruses prior to discovery and remedy. When DriveShield disposes of the changes made to the computer, potentially harmful files such as worms, trojans, viruses and spyware are wiped free from the machine, never getting the opportunity to reach the hard drive.
I feel more like I do right now than I did a while ago.
What do they use the computers for? If this is a programming lab, you have different needs then if this a lab for English class. Any attempt at security should first begin with realizing what the user is supposed to be doing in the first place.
Of course, this is slashdot, so could you install Linux on a few of them just to give the kids a taste?
I prescribe fire ! And lots of it!
DriveShield, which is what I used in my classroom lab. Allows you to manage the HD 'locks' from the network, as well as reboots, shutdowns, etc. Excellent product (Windows & Mac versions), excellent support (always very knowledgeable and friendly when needed), and mostly trouble-free. Only times I needed to call was to help recover licenses when client HDDs suddenly died for whatever reason. I'm sure this compares very similarly to DeepFreeze, just I'm not as familiar with that product.
"Sometimes the only thing left to say is 'Oops'" -- debbers
The best implementation of "protection" I've seen in schools was re-imaging the OS automatically over the network on every bootup. The students can do WHATEVER they want, (giving them the local admin access becomes safer, though still not recommended) - at logout the computer reboots and it is once again clean for the next user. :(
HD space is cheaper now, so you might be able to get away with a hidden partition for re-imaging. Problem is, what if they modify the hidden partition with something malicious?
As for speed, the implementation I've seen took an average time to boot up; if one wasn't looking at the screen they'd think it was regular windows installation. I'm guessing it wasn't re-imaging the WHOLE partition, just the parts that have been changed.
Don't remember the name of the software they used, though
Did you know that "FTW" ("for the win") is a direct translation of "Sieg Heil"?
First: get a router for all the computers to pass through, with a web site whitelist (like the cheap and widely available DLink 808HV or 404HV); tell students that if they want to access a site that's blocked, they have to ask permission for it to be unblocked. Over time, useful sites will fill the whitelist.
Second: install VNC as a service on all the machines, with a good password, and configured to not allow keyboard/mouse control. Then switch all students to non-administrator access so they can't turn it off (stop the service) or uninstall it. Finally, announce to each and every class that you have the capability to watch any desktop at any time remotely, and will basically be scanning through every desktop in the room regularly and punishing everyone caught doing stuff they shouldn't. Then DO IT, until the message sinks in that you're serious.
Third: over time, do consider switching to a more secure OS, provided it can support what you're trying to accomplish in the lab.
If you catch one of the little buggers screwing around with a computer, cut off one of his/her fingers (your choice) and show it to the rest of the class as an example to what happens when you download party poker for the 1000th time...
That'll keep 'em in line >:)
Students won't be able to do anything, so it will be totally secure. A lot of schools have had great successes with this approach.
# cat
Damn, my RAM is full of llamas.
I run a grad-school lab, and what we do sounds a lot like what you need.
I think you're saying that you have a single account on each machine that every student logs in as. If that's the case, enable the "Guest" account, and let students use that (passwordless) account to log in. the Guest account has the tightest restrictions, and most of the things you can change as Guest get wiped away by a simple reboot. This is what we do, with the systems set to automatically log in as Guest - see http://www.kellys-korner-xp.com/win_xp_passwords.h tm for details.
If I'm wrong, and you need individual accounts for each student, then you'll need Windows XP Pro on every machine and some flavor of domain controller (SaMBa does a dandy job for us). Make your student accounts members of the "Domain Guests" group, and viola!
One other note: ditch the "administrator" account. It's trivial to find tools that will let a person reset the password of the default "administrator" account. Create another administrator-level account, then delete or disable "administrator".
This being Slashdot, somebody of course suggested that you "put Linux on it", but in this case they might be on the right track. We have a general-use lab that is running Ubuntu with Crossover Office, and the users are happy as clams (and these aren't techies, folks - these are writers, pastors, and chaplains). We use a single shared unprivileged account with automatic login (similar to what I described above for Windows), and everything works beautifully. It's also more stable than the Windows lab, which makes everybody happy!
Here at the school I work, we always try to use a hardware solution. Right now we use Radix (http://www.radix-int.com/). It adds to the cost of the lab but it works 100% of the time. Deep freeze is good but people have found ways to hack it in the pass.. so for us it's not a 100% trouble free solution.
But you can't.
Internet Filtering:
DNS Based Filter? TorPark.
Software based? software hacks or Ubuntu Live CD.
Content-based filtering? SSH Tunnel (on non-standard port)
Anything worth its while on Windows doesn't dig into the registry or write system files, so running as a limited account will do little. I believe Cain & Abel (a popular password "recovery" program) can be run like this.
Just $0.02 from a Public High School Student and Hellbringer of School IT staff extraordinaire.
-jX
Don't you just love politics? It's like a comedy of errors.
they should use linux. if they still choose to use windoze XP, why don't they just use active directory? and set rules and user groups with varies permissions?
Thanks, Joe Sklover SpiralWebs.com
Evil little bastards will steak anything that isn't (and sometimes is) fastened down. So make sure you get those PCs locked down physically. Keep this in mind.. out of site, out of mind. If they don't see it, they won't try and break it. I came across a Dell tower one day while wondering the high school and found that someone had punched a hole though the empty bays as well as poked out the PCI slot covers in the back. They managed to swipe the CD-ROM, Memory and processor. The dumb ass teacher didn't even think to report this to use. And its not like the system was hidden under the desk, it was right on the counter in the front of the classroom. Another kid brought in a duffle bag and bolt cutters. He actually made it to the parking lot before security caught him. Oh did I mention he got this thing unsecured and in the bag during class?
;-)
Anyway as far as locking the system down, if you own Windows 2000/2003 server Active directory is the easiest and cheapest way to go. It will take some tweaking but it works pretty well. I also found striking the fear of god into the kids was equally effective.
And the guy who posted about the stock of mice and keyboards, he is also right on! They run through that equipment like water! So you strike a good deal with a vendor and buy those things in bulk. We got the keyboards down to like 7 bucks ea. and the mice about 3-4 bucks each.
Dewser - all around techy "In the immortal words of Socrates - 'I drank what?'"
High Schools don't teach kids about computers anymore. They teach them Word, Excel, and Powerpoint.
Lock them down and lock the cases shut.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
No games
The world is made by those who show up for the job.
I administered a computer network at a high school for three years, so I can toss out a few suggestions:
VLAN your network. If you have Cisco switches, this should be easy. Set up seperate VLANs for students, the staff, and servers. You'll be able to isolate what resources can be accessed based upon these access lists.
SET UP A PROXY SERVER! Seriously. One of the first systems you should implement is ISA Server 2006. ISA Server will act as an internal proxy to control what users have access to the Internet, and what resources they can access. Set ACLs on your internal switches to prevent routes to the Internet from the student VLAN unless they go through the ISA Server. Set up the ISA Server in front of a filtering appliance, pass all HTTP traffic, and allow access only to HTTPS sites you've added to an allow rule on your ISA server. Add the same limits to SWF, DCR, and possibly java or class files.
Only allow Internet traffic to port 80 and (to a limited extent) 443 for students: Look, your students aren't going to need any other services besides HTTP and HTTPS, and if you're not careful about HTTPS, they'll be popping holes in your proxy using an encrypted web service.
Set your web filtering to deny unrated sites: Students are going to try and circumvent your web filter though phproxy or cgiproxy. The smartest kids will go so far as to set up their own domain to get around your filter. The solution? Block what's not rated. It's also important that your filter have a mechanism to request that a site be unblocked. From a security perspective, it's important that you not open yourself up to risks that you can't control - including websites - but it's also important for the students' development that they have an opportunity to view controversial subjects and make up their own minds about the topic.
Use groups: Set up an OU for each grade in your school. Create a global domain group for each grade. Set up another OU for classes, and create a global security group for each class section. That way, you'll be able to allow or deny access to resources for each grade or class.
Software Restriction Policies: If you have a Server 2003 network, group policies are an amazing asset for your Windows XP clients. Group policies allow you to change settings on users and computers in your network. For instance, you can disable access to the registry or lock down Internet Explorer. Within group policies are a special policy component called Software Restriction Policies that allow you to decide whether or not applications can run based upon the hash, path, or filename. On my network, I designed the SRP around hashes. Managing those policies was a pain (the list was around 400 executables), but it was worth limiting what code would execute on the systems.
Admin tools: You'll want to turn off access to all administrative tools, so disable access to the command prompt, registry editor, and MMC. Also, disable access to the security tab in Explorer to prevent students from changing file permissions. For your computer policies, set the local security policy to disable storing the LM hash for passwords.
Use the Windows firewall: I know it's not much, but it does provide a lot of benefit over nothing at all. Using group policies, configure static rules into the Windows firewall. This will prevent malware from causing problems on your network, and will also prevent iTunes from eating your bandwidth.
Web browsers: It pains me to say this, but don't allow browsers other than Internet Explorer to run on your machines during school. When Firefox adds group policy support, I'll relent on that, but you have no control over what code is executed in Firefox, whereas group policies give you a lot more control over Internet Explorer. Example: after implementing our software restriction policies, students began downloading Flash games in swf form to their laptop hard drives. After receiving complaints from teachers, we simply disabled Firefox through SRPs, and disable
I've seen extensive deep freeze deployment starting from when I was in high school and continuing through higher education. I work in a computer lab now, and that is what they use; I've seen the software in action and have also done some light administration with it.
From what I can tell, it basically makes the system invincible. It doesn't matter what weird crap the students pull on our machines (and trust me, young students can destroy any system they touch in no time, guaranteed--you have no idea how uncanny this is), all we have to do is reboot. Spyware? Malware? Unexplained system malfunction? With this software, rebooting actually *does* solve the problem, and I've never seen the process fail.
It's sad that an operating system is so insecure and fragile that it requires special third party software to have these features (ie protect the system from undesired changes).
I think the parent means WGA, Windows Genuine Advantage, not WPA. When I install SCT, it asks me to validate Windows first.
Oh You POS
When I was in scholl they had "Deep Freeze" installed and that worked great at keeping systems clean
Everytime the system is started the image is re-applyed and all programs installed and file not properly saved are removed along with any junk that is there. It a very handy app
"Deep Freeze instantly protects and preserves baseline computer configurations. No matter what changes a user makes to a workstation, simply restart to eradicate all changes and reset the computer to its original state - right down to the last byte."
http://www.faronics.com/html/deepfreeze.asp
They Also have a program called Anti-Executable that is cool too!
http://www.faronics.com/html/AntiExec.asp
$DO || ! $DO ; try(); > try: command not found
Couple of things Group Policy IS a god send Look into a program called deep freeze. IT makes it so if the computer gets screwed up like hacked into or a virus then you reboot the comp and it goes right back to what it was. Make sure that under no circumstances any student has administrator privaleges. BUt my main suggestion is group policy. You can even block instalation of unwanted programs like aim through group policy.
I work in a school district and we use deep-freeze on pretty much everything. Our labs are mostly 'nix/LTSP thin clients, but the teachers and admins tend to use windows machines of some sort. I'd say that it's a good idea to use DF not just on the lab, but also on teacher machines. The trick with the teachers is to setup two partitions, a frozen C: for the windows install, and a thawed D:
u rrentVersion->Explorer->Shell Folders
Then, create you user, and move his/her "Application Data" "Templates" "My Favorites" and "My Documents" to a new area on D:, you can do this by drag and drop, and check it in the registry under:
H-Key-Local-User->Software->Microsoft->Windows->C
Alternately a former co-worker of mine (where I used to work) switched over to using the "Disk Protection" from the "Microsoft Shared Computer Resource Toolkit", which I believe is supposed to be free.
Try http://www.genevalogic.com/index.php?id=us. I know a school that uses this, and it allows the teacher to close any programs running on a student's computer and force a blank screen when the teacher wants to, and probably some other stuff too.
All it takes is some searching on the internet to find out how to easily bypass any windows based lock-down or security mechanism. You're not running enterprise level business, you're running a computer lab at a high school. This isn't the typical "Windoze sux use Linux" argument. What does a student learn from using Windows? Nothing, they already know it. From a learning standpoint, many linux distros provide an ease-of-use similar to Windows while exposing them to a side of computing they've likely never seen before. This exposure may lead people into the IT industry who may never have done so otherwise. As an added bonus, linux is built from the ground up and a multi-user OS, where you can easily set access restrictions without the need for thousand dollar licenses to do what an OS should already be capable of doing.
Similes are like metaphors
If you've ever worked in the educational-tech industry, you'd know that this on its own is a bad idea. Districts can have dozens of schools with labs, and trust me with the ways you can get spyware/viruses/etc you will be having to re-image them regularly. Yes, you can script it, but it's still not an elegant solution and has many issues. Also, while your machines are waiting on an image, they'll be happily popping up porno banners for the kids, connecting to P2P servers, running as open proxies or spam relays/botnets, and looking around for other machines to infect. You'll also need a different image for all the different hardware varieties, possibly the different license keys, machine names, and who knows what else.
Much better to secure the machine using one of the ways described - it's not impossible or even all that difficult to lock down a windows XP machine fairly well - and then have the backup image as a, well, backup solution in the event that something bad does happen.
Just buy Deepfreeze and get the machines set up the way you want them, then freeze them so if the kids fuck them up you just need to restart them and Bam back to the origanal settings, keep it simple stupid folks.
Fortres 101 is a good program they used to use when I was in high school. Easy to configure and lots of options on what you want restricted. You can really lock down pretty much whatever you want. Also looking on their website they have educational pricing. http://www.fortresgrand.com/products/f101/f101.htm
The Shared Computer Toolkit is fairly easy to use. If you don't have Partition Magic, GParted (Gnome Partition Editor) works great, is freely available, and I've used it to setup shared machines with no problems. ( http://gparted.sourceforge.net/ )
Accentuate the positive, don't waste your mod points on the negative.
Deepfreeze is not your typical security program. It embeds itself in your isntalation and cannot be forcefully removed without knowing the password. Even in safemode. If you dont unfreeze the computer before doing anything when you restart it will go back to the image. If you delete the deepfreeze driver file without uninstalling it you will screw up the system and have to reboot and it will go right back to the image again. With deep freeze you can set it so that at a specific time it boots up unfrozen so you can use wsus and install updates then you can set it so that it reboots frozen again at another time This program is great and dont let people who know nothing about it give you false information. i run it on my network and its an awesome program . you just have to remember to unfreeze the computer when you install something. Also look up winu . We use that program too and that with group policy,and deep freeze and the computers are practically locked down.
What kind of a performance drops should I expect with deep freeze?? I know the discussion is about student machines, but I was thinking about getting this for some people [read family] I wind up supporting alot.
At my highschool (which still sacks us Students on Windows 98SE and Mac OS 9), they (the evildoer's we call the board) have software called 'deep freeze' installed on all the computers, even the teachers. On a Windows(TM) based machine, you have to restart the computer using a special key combination, and then enter a password to unlock it. Your students can delete the windows directory (which I've done), and as soon as the machine restarts everything is back the way the board wants it. They cannot install software that writes anything out to the windows dir, or modify too many system settings (which will be reset as soon as you reboot anyway). The craptastic iMacs we have use a system extention that cannot be disabled by holding down 'shift' while booting, and requires a password to unlock. The teachers PC (Windows XP Pro, P4's) also use this software, however, it is slightly less limiting. In terms of what this stuff requires to run, we're using P3's at 600-900Mhz, with 128mb RAM with 98SE. The iMacs have a wonderful 333Mhz something (tray loading version) and 64mb RAM, which is not nearly enough for running Word(TM) 98, and IE 5.1.
1) Setup Active Directory and create accounts and passwords for all students and faculity
2) Apply group policies to users to lock down settings and installations
3) Use Microsoft ISA Server to filter and monitor web activity and put any students who go to porn sites in detention
This is no minor investment, but Microsoft does give a nice discount for academic outfits. This will cut down on 95% of all computer abuse, and the for the enterprising young minds who manage to get around it (because no system is full proof), give them access to a Linux distribution and embrace their passion. This is a WIN-WIN; computers will function for those people who just need to use them, and you give students with a passion for computers the opportunity to explore more powerful operating systems.
"Flee at once, all is discovered."
Install it, along with making them a restricted user and using domain policy to restrict more things and reboot computers every night.
Did it in a public computer lab, worked fine.
I do infrastructure for a company that does 1 week training class for a variety of different topics. I have found that the Novell product "Zenworks" works like a charm. With Zenworks you can schedule the machines to automatically reimage on a schedule, implement your patches directly into the image, and it even has the ability for the administrator (or teacher in this case) to view the user (students) desktop.
It gets a bit more complicated, but the imaging component alone could save loads of time on these systems (i assume the systems are all identical, or close to identical hardware). The students can pooch the machines all they want, the next morning when they show up the class, they will be back to their original state.
The imaging process, depending on the harddrive size, will only take 20-30 minutes, and multicasting is built in so it won't bring the network to its knees like ~30 unicast reimages will. It has made my life much easier in building classrooms on the fly where I work, when classes end on friday, it takes about an hour to get all 4 classrooms ready for the next week of classes. Also, if a student pooches their machine, its back up and running within 30 minutes in most cases.
...to be able to lock down the internet. On top of Group Policy, use a proxy to block sites & log traffic. Just take an old box & throw linux and squid on it.
Trying to stop people from doing things is a waste of time and a bad way to do things. Look into making an image of the machines and how quickly you can restore the machine. After each class, reimage the machines back to a fresh copy.
Using either the free VMWare Player or Server you can isolate and easily recover from any impact students may have on the system itself. In addition to locking down the host OS itself using the great suggestions made here I would advise simulating a Kiosk type of environment. VMWare is a great way to do that.
I think I know a thing or two about this subject as I managed the computer labs at a university for about nine months. That was something like 900 machines in 35 labs as I recall.
Start over with a clean install of XP Pro on one machine. (which gives far better manageability than Home; If you don't have remote desktop or gpedit you'll miss them.) Install all of the programs, plugins, etc that you will need.
Run gpedit, the group policy editor. You can lock them down by making such restrictions as removing Run... from the Start menu, disallowing the ability to lock the computer, even removing the ability to change the preferences in IE. It's surprisingly user-friendly for the control that it provides. I used this to lock down the kiosks and other public access systems, leaving very little for users to do. They could run the few programs that I left for them (IE, FireFox, and a few other specific programs) and not do much else. They couldn't change preferences, no Run dialog, no right-click menu on the desktop, no way to save anything, or even see the hard drives, for that matter. You do need to leave yourself a back door, however (i.e. allow cmd to be run from a desktop icon which is only installed in one admin account, so that you can run gpedit again to remove restrictions.)
Use Norton Ghost to create an image of the hard drive and distribute it to the other machines. (They do have identical hardware, correct? If not, there is a way to use sysprep to remove the drivers before creating the image, but I have never done this.) You will want to create a script to rename the machines based on a DNS entry or other network database as a source, using the MAC address as a unique ID. I suppose you could rename them all manually, but since it requires two reboots, it could be a rather time-consuming process.
Ghost is great. Well worth the license fee for a setup like a highschool. You can make a change on one machine and distribute that new hard drive image to all the other machines. My process was: remove a machine from the lab in question, put the old ghost image back on it (to remove any corruption introduced since it was last imaged), update Windows and McAfee, make the change, begin the rename cycle, create a new ghost image, and finally distribute the image to the lab. It took a couple of hours (more or less depending on image size and network speed), but every time I did it, it was as if I had just reinstalled Windows and every other program on every machine in the lab. Just try installing 35 copies of Windows, Office, FireFox, Adobe, JRE, and 30-50 other programs in a few hours using any other system! I had a laptop to use as a Ghostcast server and a set of CDs to boot each system with. I simply had to set up the laptop as a server on that lab's subnet, boot each system to the CD (Bart PE -- Live CD of XP) which would automatically run Ghost and connect to the server. I start the distribution from the server and when it finishes, eject each CD, and reboot the systems. They rename themselves and return to the XP login screen. Nothing to it!
My alternate method was a different Bart PE CD from which I mapped my images share (net use s: \\smbserver\path; this can be scripted) and ran Ghost 9 from the menu, and did it all through unicast. Again, after it finished I simply removed the CD and reboot and it would rename itself and come up to the login prompt. The big difference is that it was unicast instead of multicast and I therefore didn't need my server to be on the same subnet. (In theory it didn't anyway, but the volume of multicast network traffic would cause some trouble on the core of the network if it had to be routed. This was somebody else's department, I was just following orders in never doing that.)
Set up an Active Directory and lock down the various account types through that (my recommendation is a Student group, possibly with other subgroups for particular classes, a Teacher group, and an Administrator group. Give students their own accounts with passwords that they mu
A human. If they see you doing something bad you can't use the lab for a week. If that compromises your ability to work then you should have thought of that before you did it. If your grades suffer, that's your problem not theirs.
IANA*
bit9 (http://www.bit9.com) parity does exactly what the OP is looking for. you can lock down computers without taking away admin rights, and can whitelist applications which are allowed to install during lockdown. you can also administer all your desktops from the web console, so you don't have to go to each desktop and manually configure everything every time you want to make a change, and you can see what applications are running/installed on each desktop, and be alerted when something new appears.
:)]
[full disclosure: i work at bit9 -- i couldn't help posting as we see and solve this exact problem all the time
hope this helps; there are other alternatives (imaging/freezing products that others have pointed out) as well.
-drew
"Where are we going, and why am I in this handbasket?"
Trying to stop the inevitable isn't possible. This sounds like whining. Let's make sure we restrict our students capacity to learn. After all, we all know, the best way to learn is in a closed environment devoid of anything useful. People learn best when they're told what to do, how to do it and when to do it. It's important to ensure our kids don't have the capacity to experiment. God forbid they look up some naked pictures of your dad while jamming out to KORN with a snickers bar in one hand and the other hand below the desk.
(if you don't count unplugging the CAT5) to lock these machines down is to hire someone who knows what they are doing to enforce a "locked" desktop. Windows XP can actually be quite secure although there are certainly Apps that want you to be Administrator but you can always not use them or set up RUNAS permissions.
The point is: This is not easy to do correctly and you should have someone that knows what they are doing do it.
This
I volunteered during high school as an aide in the computer labs and we faced the same problems. Our biggest problems was screensavers, and desktops. The other students would change the desktop backgrounds to pictures from Maxim and other similar things not really relevant to a school setting. It's not very neat, but there are Windows registry settings that can disable changing those settings, I used to have a giant list of them but it isn't too hard to Google things like that, we then wrote a little Python app that reset the background on logon/logoff and disabled things like changing the homepage, etc. The registry is pretty powerful in that regard.
If it HAS to be windoze, just get thin clients and run it off servers. After every class re-image the client disks. Do not connect it to external networks. Then nuke from orbit, level the building and spread salt. The only way to be sure with XP.
'Once scientists, even the dim-witted social scientists, get muzzled, the Western Civilization is finished.' - oldhack
http://www.softheap.com/index.html
I use this at my office for certain systems that need to be locked down (mainly warehouse systems so the workers dont slack off by surfing the net all night long).
setup is easy and relativly intuitive and the price is right.
I have this on old PIII 600mhz machines w/ 128 ram running 2000 and xp and there is no noticeable slowdown in performance
the history of the world
I'm the systems adminstrator for a high school here. We use Clean Slate so when the student logs off or restarts the computer it reverts back to an image that I created. I've yet to have a problem with them messing up a machine. Even if they got a virus on the machine somehow after a reboot it's gone.
Another program to look into is called NetOp. The teachers use it in place of projectors to give presentations and notes. It essentially displays the teacher machine on the student machine. It also give remote access to "teacher" installed versions. I can access every PC in the building not just in the labs. I can monitor what the students are doing remotely from my office and that keeps me up on their tricks and essentially allows me to keep it more secure. It also has a policy feature in which I can block any programs from being executed. For example they've been playing Halo alot lately. I put the Halo executable in the blocked policy and no more Halo!
It's not a free solution by any means but the students in my school can't mess up the machines, are kept on task, and are well monitored.
I think it goes without saying that most of the people learned about computers the first time, by using somebody elses equipment. So why not exploit the fact that you have motivated students in the classroom that can help you manage the environment. Get them to focus away from breaking the locks that the school installed. And make them the administrators. The really smart ones are going to confound you anyway, so you might as well use them to control the others. Make it a project - make a base image and get the students to figure out the best way to secure it.
I had a similar problem over the summer, with the exception that this was not a high school in the United States, but in a town some four hours away from the capital of a Central American country (can't be dealing with going back every time there is a problem). Anyway, I installed Kubuntu (kubuntu.org) which is one of the Ubuntu variants (there is also Edubuntu, a version specifically for the education sector as the name implies). It is fast to install; can easily be installed next to Windows XP, so that you do not have to permanently convert all the machines (in case there is an administrator or other bureaucrat who thinks that computer=microsoft--they are the most difficult group to convince. I would first set up one machine if they need convincing... it took me about 3 hours to get the first install done with the printers, network, etc. after that it was about an hour, but they can run in parallel. The other six were done in a couple of hours since I fiddled with netinstalls); so far immune to viruses, spyware, malware, etc.; and it is easy to setup user accounts. No one seems to have been able to hack into the root or sudo level (I check the logs once in while, as I am able to login from afar to perform updates, manage accounts, etc. I am shifting this to a local person). Since installing in the summer, there have been no problems with modifying the machines by users (and they are clever...) Linux, and *ubuntu in particular, are quite robust with very good security features. They can be setup remotely and even setup as thin clients (which I did to some of the machines since their hard drives were toast... and work well over a 10mb ethernet connection). OpenOffice, KOffice, Firefox, Acrobat Reader, Real Audio, Skype (only on a P4 with 512MB) etc. are some of the software running mostly without any hitch. I find OpenOffice on PCs (PIIIs/256MB) to be just as responsive, if not more so, than Office and it is almost 100% compatible (presentation is quite usable, but might be the only thing where Powerpoint might be superior... if only Apple made Keystone for Linux). Firefox is by far superior to IE, regardless of the platform (and better than Safari on a Mac). So, easy to install, manage, secure, great community support, don't need to throw away Windows (but you will want to anyway), and it is free!!! It should also appeal to the more serious computer users/future IT students as there is a great wealth of development software (any language you can imagine). Hope this helps.
Build one from scratch, get it set up the way you like it, then make a Ghost image of it. Then, every night, re-image the machines - poof, back to stage one. I'm about 2 days away from doing that to a lab at my work frequented by children, childish adults, and too few supervisors.
Poor means hoping the toothache goes away.
I used to use ssl cgi proxies to bypass the firewall and the proxy at college.
I downloaded files, exploits, cracks, pictures, entered restricted sites, etc...
SO, if you want to have your computers and networks under control, either disable https or create a special SSL proxy man-in-the-middle, analysing restricted keywords, sites and files text clear unencrypted.
ssl key of the host SSL proxy Student PC
The average, upper-average even advanced guys won't notice that the little "lock" on the browser isn't really the ssl certificates of the webpage, but of your ssl proxy.
And they will be amazed or frustrated of this high efficient filtering.
Why Not Try Linux? What Do they need to use the computer for specifically? Linux Will work with most of the printers in your school, especially Ubuntu, and they would be easy to lock down.
N. A. Stuart
Just limit the rights on the username that the kids all log in under.
My guess is, if these kids are anything like the kids my wife teaches, the biggest problem is that they download files and install them, things like games, etc. Or they play them online in flash based environment, which you had mentioned. One way to limit this is to put a router in place inside the lab. If all the computer lab computers get network (and internet access through the router) then you can limit what they can access from there. yes, there are ways around it, but it will cut out alot of your headaches, and it's reasonably cheap. You wouldn't even need alot, probably a $100 or so. that way you don't have to worry about locking down the rest of the network, or dealing with internet restriction software that is based on user name, and affects the total network. the room would have it's own restrictions, and you can easily control the list so you can add sites that you find the kids using. Other than that, and making sure the limited account doesn't have sufficient privileges to write to various things (like the registry), you will be in good shape. As for the "install linux" suggestions that have been made. I use it and it's great, but I don't think it's the right tool for this situation. sadly enough part of using a computer in a lab like this is to make sure that kids who don't know how to use one can learn, and whether /. likes it or not, the majority of the desktop PC's run Windows, so it's best for them to at least be functional there.
Simple - TEACHERS - SUPERVISE YOUR STUDENTS!
No amount of security software, planning, re-imaging will prevent malicious students from damaging / destroying systems in a public school or playing web-based games for hours at a time.
Teachers are there to lead their students into becoming moral and ethical people, as well as teaching them grade specific curriculum.
It disgusts me to hear teachers complain that "The Computers" are to blame because they allowed their kids to spend an entire lunch hour unsupervised in the computer lab, leading to all kinds of issues such as inappropriate web surfing, missing mice, missing plastic logos off the cases of computers, dropped monitors, cola on keyboards etc....
Suck it up and do your jobs - TEACH!
Load the OS at startup, and then it doesn't matter what changes they make...as soon as the system is rebooted, it's lost.
If you have an windows domain the best is to the group policies and create individual accounts to track each of the students.
Group policy http://www.microsoft.com/technet/technetmag/issues /2005/05/LockDown/ will also give you a great deal of control over how much of the windows interface they have access to. For instance you can lock out the CLI, and where they can save files. Here is a link from Micro$oft on how to get started.
If you don't have an active directory domain setup, you can still lock down the desktop by creating local policies http://www.windowsnetworking.com/articles_tutorial s/wxppspol.html, unfortunately you will need to apply these to each PC if all the hardware in the lab is the same, but it wouldn't be to difficult to create a locked down image using Ghost, and then image all the machines to be identical.
Also, if the school can afford it buy a copy of websense http://www.websense.com/global/en/. It will keep the little buggers out of the internet, prevent them from downloading games, and even using chat programs.
"Don't be so humble - you are not that great." - Golda Meir
How about a distro that boots off of the CD? Make them save to USB thumb drives. Since the CD is finalized they can't mess it up. Since there is no hard drive thay can't change the OS.
It's the only way to be sure.
Life is like a web application. Sometime you need cookies just to get by.
Where I work we have a few kiosk computers for applicants to use, after much evaluation we settled on a product called SiteKiosk. This has worked very well for us (our network admin gave up on cracking out of it after 20 minutes, citing that no applicant would take that much effort to get around the program). The program actually loads a custom shell, uses a customised browser and is very easy to lock down, a little tweaking is needed to open stuff up, but it isn't hard from the administrator's account, it is impossible without the administrator's password. After deploying it 6 months ago, I have not had to service the pc's one time, ever. They are very secure (about as secure as I say a machine can be). Security on these can be as extreme as you want it (autologon to the SiteKiosk user, only browse to whitelisted websites, etc...) if someone manages to get around it, you should consider giving them a job, seriously. I don't know of the cost, but I know it works.
My other suggestion is Linux, it would probably cost less, and be as secure (if you configured it right) and good luck getting windows games to run on it if you don't install Wine (Slack would be my suggested distro, stable, secure, and easy for administrators to handle).
I got nuthin
I personally do not lock my profiles down for my labs. I used to do this and it was just a waste of time. My preference now is to use guest accounts instead of user accounts. The nice thing about guest accounts is that when you log out they are destroyed, so if they change the background then it makes no difference. I will often redirect the My Documents folder to "c:\temporary work" though or something similar so they can save documents between sessions, although I warn them that they could be wiped at any time. The one caveat to this is that with Windows XP it is now a feature that guest accounts are only guest accounts if the computer is on a domain. However, if you do not have a domain you can join them to a temporary domain and not use it (because the accounts do not need to be domain accounts), but if you have a domain then this works out even easier for you.
"The optimist proclaims that we live in the best of all possible worlds, and the pessimist fears this is true." --James
The Shared Computer Toolkit from MS is definitely the simplest way to go.
I worked as an assistant at one of the UW libraries, and we would just put a program called Deep freeze on our computers that froze the boot record, so every time you started it started anew. Then you unfreeze it, make the changes you need to, and go from there. Also inform students that they should save to floppy, USB, whatever.
I've seen plenty of posts on here about how reimaging the machines and or using LiveCD's and installing Linux to hdd - but what about the one or two students (even if they're the only ones out of the whole campus) that are geeky enough to even think of this? they do that, and they can pretty much nullify anything this Deep Freeze can do, and at best it can be re-imaged if Deep Freeze or any drive-imaging setup uses IP's instead of having to have the software on the client to be reset
the only few way's I can think of keeping people from using LiveCD's or installing to hdd, is to remove the cd drive and use a motherboard that doesn't allow for USB booting (in case they try a small distro for USB drives)
Much educational software is poorly written, even if the content is good. The teachers refuse to part with it (we DID pay for it after all), but a lot of it was written during a time when Windows 95 was still new. There are some newer software that is STILL written that way!
Try running a lot of this stuff as a non-admin and it just doesn't work.
"...Well, there's egg and bacon; egg sausage and bacon; egg and spam; egg bacon and spam; egg bacon sausage and spam..."
Hmm. That's news to me. I graduated from SCAHS in 1998 and the only people running Linux were a few of my classmates toying with RedHat.
:)
If you want some spare machines, I have quite a few.
keep up the satire, this is hilarious. a secure XP network. HA! you guys are real comedians.
more of this please, I just stopped laughing
Pull all the disk drives out, install an Edubuntu server, PXE boot each LTSP client, problems over.
Bigtime Consulting - "We're the best because we cost the most"
I got to this late, so one or more of the 200 replies before mine may have already mentioned it, but Microsoft's Shared Computer Toolkit (http://www.microsoft.com/windowsxp/sharedaccess/d efault.mspx) is a great way of locking down computers. I use it in the labs at my middle school.
You can create a vmware ACE machine that's locked down and with a non persistant disk that it will revert to. VMware has docs that tell you how to set up the computer to boot into the ACE enviorment and explorer.exe will not be started hence if they do get out of the ACE machine there isn't much they can do. It works quite well. On the other side of things something like Apple's remote desktop is a great program as you can basically watch everyone's screens. I've seen it used to great effect in my highschool as the teacher could sit and keep an eye on everyone. There are a lot of possibilities but cost will always be a factor with normally underfunded schools.
//-- Network Security vs Local Security --// In your position a domain sounds like the most beneficial solution. There is however, no security through obscurity. Even with a domain, you could potentially have issues from any of the students who are gurus themselves. For the most part though, if you can establish a domain with a good security policy, individual user accounts, and a decent web filter, you will eliminate a lot of your everyday problems. The issue with doing local security on the machines is that first of all, it is impractical to try and manage a network and users that way. Say someone steals the Administrator password from the SAM file? Or uses a key logger? Or just manages across it somehow. Do you want to change the Administrator password for every single machine in that lab? You can lock down the local security enough that it will help to deter users from by-passing the domain login, and keep the domain security strong enough to eliminate most of the issues you're having. You need to be careful with domains though, if you don't do things right you can end up giving lots of access to the wrong people, so being comfortable with it is important. If you want to stay with local security permissions, and there is no convincing you to budge on that, then there are some things you can do to improve your situation. First of all, making the suer accounts limited is important, and making sure none of them have been promoted to administrators is also important. Beyond that, changing the Administrator name to something else, as well as the guest account. Network wise, try to block access to proxy sites as best as possible, sites like myspace as well. Do some research on how to restrict file downloading for limited accounts in Windows. In my opinion, the local security is not the way to lock down your network, or manage it, but if it is your only option then do plenty of research on the local security accounts, and on slashdot (as you're doing) and build it up as much as possible. Some third-party apps to help restrict Windows and Internet functions might help, too. Several people will argue to use Linux, which is a very fair argument, but if you aren't comfortable in it then there is no way you aren't going to ever get it secured on your own. That is something important to keep in mind, so if you went that route, familiarize yourself with it first thing! Linux is tricky for newbies, so that could work to your advantage, and it will certianly prevent a lot of downloading! As another resource, contact a few admins from other schools and see what they are doing to keep their networks locked up. No doubt, a lot what you can do will come down to a budget, but if you have the resources or time, spring for the domain. :)
I have several labs I keep watch over and the answer is deepfreeze. The machine reboots and it don't matter what the students did in the past it is gone. You can put viruses on the machines, erase registry keys, save documents and after reboot everything is back to time you installed it
I'm going to assume here that you must use Windows. Honestly, it's not much harder to lock down than Linux.
:) Dan's Guardian is an excellent free solution that does content filtering. Squidguard also works well. The best advice is to block everything except what you want them to see. Ditch IE and use one of the Kiosk addons for Firefox or Mozilla (there are several).
* It's relatively simple to lock down users with GPO where all they see is a start menu and specifically what you want to give them. Make sure you remove access to the C: drive. Be warned that there are ways around it so keep you eyes open.
* If you MUST give them net access, force proxy and restrict the hell out of them. Teenagers will look at stuff they're not supposed to and are very creative at getting around firewalls
* Get ghostcast, or opforce, or something free and reimage them every night. You'll thank me later.
* There'll be one or two kids (usually just one) that always manage to get around your restrictions. These are the kids that will one day have hugely successful IT careers. My experience is it's better to give them some extra responsibility to help YOU out, they'll thank you for it.
OK, I admin 200+ machines for a large community college in Austin so I know from where I speak. I'm surprised I haven't seen this already. Group policies are nice. Novell's Zenworks is better, especially if you have a lot of users of varying types who need different levels of OS access. But that is all just window dressing, and then you have to manage it.
The bottom line is - install some imaging software (Ghost, Zenworks, or any of the open source ones work). Keep a clean image handy and in 20minutes you have a new OS complete with apps reinstalled. Schedule all the machines to image every night and you are even better. Worst case you have a botnet for 12 hours if something goes really bad. Enable auto update, get good malware protection and then say, "Screw 'Em."
"I'm just here to regulate funkyness." - James Gandolfini, as Winston in The Mexican
I would be more worried more about the teachers not knowing what they are doing in Linux. Most teachers aren't going to want to learn how use Linux, and they certainly aren't going to want to explain linux to their students. No teacher is going to want to take the time to explain how to do basic things to their students. Students are going to want to know why their USB key doesn't show as removeable disk E: when they go to save their work, etc. It is small things like that, which may not seem like a big deal to you or I, that will frustrate teachers and students and potentially waste time. If the lab was for a CS class, I would say go with Linux, because the students taking that type of class probably won't mind learning a new GUI, Filesystem etc.
Kilroy was here.
They have a massive setup, so this may be a bit overkill for your situation -- they have something like 5,000 computers on the school network, which spans 8 or 9 different schools (I live in Quincy, Illinois.) They have a subscription to WebSense Enterprise, which is a software-less solution to blocking objectionable websites (such as YouTube, MySpace, et cetera) and have filters set up to not allow MP3 files or any video files to be placed in the student's personal folder. Student data is all stored on a shared folder, whereunder each student's specific folder (mine is 4533 -- my ID number) contains My Documents, Recycle Bin, and Desktop (the Start Menu is common to all users per computer.) The student directory is mapped to H:, and is also merged with the computer's file system, so that My Documents points to H:\My Documents. It works really well. They created a new group, with even more limited actions, in the user manager (under Administrative Tools) and set the priveledges very low - all students are classed under this group. The computers are still fully functional, and work excellently.
Finally, they have unattend disks -- you pop a disk in, reboot, a small DOS batch file runs, tells you to enter a computer name (like B203S01, which is Senior High, B Building, Station 1) and then to remove the disk. Windows then installs using setup files stored on the network (so patches are applied globally) and within an hour, it's back to the login screen, as if nothing ever happened.
It's one hell of a setup, but even I commend them greatly for getting it to work so damn well. Also, there are some tweaks they applied to Windows to disallow the executing of any EXE, VBS, JS, BAT, or COM files that they don't explicitly flag as "executable" -- excepting the Windows system files, of course. I'm not sure how they did that. I'm not a networking/security expert.
Also, there's another tweak they applied so that USB Flash drives may be used, but only if they're
Why image every night when if you use deep freeze you can do the same thing sort of but all you have to do is restart the computer?
Its windows. Its always going to be insecure.
Install linux on those PCs instead, but first make sure any windows-only apps you need to run work OK under wine. Also you'll giving the kids a b3etter education by not forcing them to have a Microsoft-only world view.
As a high school computer teacher, I just gave up on windows altogether years ago. Now I use linux exclusively, and it is heaven. I have spent zero dollars on software (all my money goes to hardware), zero time/money on viruses, zero time on administration/reimaging, etc. For the past 5 years it's been a joy to use computers that actually work all the time, everyday! So, my advice is: try switching to linux. Forget windows, or be prepared to spend more time/money just trying to keep them functional. The choice was easy for me (and a growing number of others...:-))
http://pacomputing.webjunction.org/
This is the site that has become of the work the Gates Foundation. They gave XP machines to public libraries. There are tools that will allow you yo lock down a pc with Group policy setting using locally roaming profiles. No Domain, no domain controller. It may be worth checking out for some ideas if nothing else.
Use the MMC tool (Start > Run > MMC {Enter}) to create a local security policy on one of the xp machines in your lab. Use the tool to set all of the security feature your desire. Once you have create the policy to your lab's needs, find the folder that stores the policy, usually C:\Windows\System32 and the folder is a hidden one called "Grouppolicy" so make sure you have view hidden files and folders checked in your Tools > Folder Options tab. One you have the folder, copy it to the same place on all the machines (I am assuming they are in a workgroup enviroment and not a domain). The grouppolicy hidden folder may not exist on the machines that you didnt create the policy on, just copy the hidden folder over to the same location anyways and reboot the machines. You policy should be working. With the policy you can disable users from installing, downloading and all around functionality of the system.
...help you lock down the environment. In a school of any size, you likely have a good number of kids that can help you during their free period to better organize the network, and help you maintain a locked down environment. You and the students will learn something pretty useful along the way, and the kids will feel important and powerful, since they will have the ability to help admin things, give special priviledge to their friends, lock the dumb jocks out of everything, and enable the cute girls to download mp3's. This will also give these kids a taste of the real world where the geeks rule. It might even get them to pay attention in class so that they can themselves become one of the geeks.
Aside from using the admin access controls in windows itself, get DeepFreeze. No matter what is done to the computer, just restart it, and it goes back to the freeze state. Works pretty much every time. http://www.faronics.com/
If you don't already know how to lock down such machines, run far, far away. The students will inevitably hack around anything you do to download warez, porn, and other unspeakables. No public school in the US can pay you enough for the time and energy you'll have to put into it.
If you don't have any, or they're incompetent, then get rid of the computers. If the parents complain, have them talk to the pricipal and/or district about insufficient IT resources.
There exists no way of exchanging information without making judgments. --Bene Gesserit Axiom
She lost about six years' worth of mail, modulo the three-year-old backup and the two weeks' worth that was still saved on the server. Boy did I feel like an ass.
As a result our documented procedures for migrating users to new standard images now have a big bold note NOT to use the MS profile tool, and really the only reason you would ever need to is if you were copying a user's folder to a server to be a multi-user mandatory profile (because the MSPT makes it easy to change the scope of who is allowed to run that profile). I do that in the labs at another location, which was why I automatically went for the tool in this case.
-- Old Man Kensey
Maybe the thing to do is to install a normal OS, and use VMWare or some other virtualization thingie to supply the Windows environment. And every time you start the Windows environment, it runs a freshly-created copy of an image that some guru has already set up. Too much spyware accumulated in the last few hours? Just reboot.
Or just install a fresh system and then hardware write-protect the drive. this will probably lead to problems, but if it works, it'll be a lot easier/faster.
Of course, as others will surely tell you, the more obvious answer is to not use Windows at all. There are some high-school students who know how to use Windows, just as 25 years ago there were students who knew how (or could learn) to use $ANCIENT_OS_HERE. But you have to keep in mind that Windows is an OS for gurus who know what to do when they get a "click here to destroy your system (Yes/No)" dialog window followed by "Are you SURE you don't want to install this vir^H^H^H totally k00l application? (Yes/No)" if the user says No the first time. In other words, about 1% of the population. A high-school computer lab is going to have a rather wide variety of students, and most of them aren't destined for rocket science.
You might want to look into Linux; there are some very friendly distros, and for the end user it's almost undesputedly safer. You'll hear some people say it's "not ready for the desktop" but those people usually are talking about problems they've had with installation and administration. For casual use, it's a reasonably good way to go.
MacOS has an even better reputation, but it probably won't run on your existing hardware.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
One thing you can do to deter the downloading that is extremely simple in xp pro is to log into the admin account delete all users then go into my computer and right click on your hard drive go to properties then to the quota tab and enable quota management and limit disk space to for kids in high school i would say no more than 10 to 50 megs of space enough for then to store documents and such then i am guessing this is a lab used during class - create limited user names with passwords on the machine and assign seats to the students so they all get their little section of the hard drive this will effectivly limit them to how much they could possibly download and store on the machine no more game downloads or music downloads as they won't have space and the machine won't let them exceed that space. Like i said this won't change them from making changes to the settings but will prevent them abusing the school's net connection.
I am sure there are IT guys who know how to do this. If not, then there should be. Each and every school should not be re-inventing the wheel. There should be a board-wide policy document or guide on the preferred (or recommended) way to secure a lab. It's likely that the predecessor was just too incompetent to follow the procedure.
If your box is infected with Micro$oft Windoze, may I suggest Thermite (tm) as a cure?
To use to Thermite (TM) on an infected machine, simply remove the hard drive, apply liberally to the hard drive, stand well back and light the touch paper.
This may cause some singing to carpets and other fabrics.
After the Thermite (TM) had worked, simply purchase a new hard drive and install a Real Operating System
The orginal post only talks about secruity, but you have to assume their is a goal to teach the students as well.
of course PC's in a English class for example could be locked tight as a tick (as you describe) But it sure seams important to have a PC class that actually teaches something about PC's, not just how to launch and use the MS App of the month.
I guess a couple PC's for swapping components. The virtual PC's sound good for PC's that you want to train the basics of developers, and programers. As long as that isn't too perfect of an environment.
Basically I think the automatic restore overnight to a image, and admin rights to the labs/computer class PC's would be better.
"take off and nuke the entire site from orbit. It's the only way to be sure"
I would suggest installing and subscribing to a content-filtering service such as WebSense. You easily enforce your Computer/Internet AUP. Monitor what sites are being denied (probably myspace being the most, etc) and print weekly/monthly reports. Assuming you want to stick with Windows, setup an Active Directory domain, enforce Group Policies, lock down the user account. Install SP2, anti-virus, enable the Windows Firewall, lock down ActiveX (it's unnecessary to install Firefox to have a secure browsing experience. If you lock IE down properly, your problems should be minimal). Disable unnecessary services, create a mandatory profile. And finally create an image with only the software students will use, and removing things like games.
This is by no means everything you should do, or even the start of what you chould... but it's something I feel would be the basic steps towards a more secure computing environment.
1) Use deep freeze. It will lock down the machines so that users cannot write anything to disk, which eliminates problems with changing settings, installing games/spyware/virii/whatever.
2) Remove the O/S from the hard drives and boot Knoppix from CD instead. Accomplishes the same thing as option 1, but in a different way, while still allowing users to write data to the hard drive.
MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
I work for a school so I know this problem inside and out, but the answer really depends on your situation /resources.
The easiest way:
Buy a copy of a program called Fortress. While you are at it get their HD protector it's called Clean Slate. These are available at http://www.fortresgrand.com/ This will enable you to comletely lock down the ability to open the command prompt, run certain programs, change the colors or or desktop, etc. Clean Slate can return a machine back to a known good state everytime you log out. (Or so it claims i've never had to acually use it.)
Pros: Simple.
Cons: Students still don't have their own accounts for saving documents. This sort of security sends a negative message of "I don't trust you with anything."
A better way but a bit harder:
Create a domain controller using Windows Server 2003. Buy a beefy server with plenty of HD space. Install Server 2003 (or 2000 if you can find it.) Get a copy of a good Active Directory book. You will also need to buy CALs (Client Access Liscences). Buy a program called adinfintium. (makes managing users a lot easier) Then (using your trusty active directory book) create users and place them in an OU (Organizational Unit) called something like "Students". Learn how to add a "Group Policy" to the students OU. (at this point you can just call OUs folders.) Group policies can do things like set a homepage, lock the background and colorscheme, disable msn messenger, disable certain other programs, etc.
Pros: A server that acts as domain controller and file server can do more things than I wish to list here.
Cons: $$$ It's expensive, not just to buy, but to maintain. Alternanly you can do almost as much with a combination of a good linux server and that fortress program for a lot less. You will need to know linux though.
A note on content filters:
Since you are at a school you have to comply with COPA (or something like it if you aren't in the US). Schools have the burden of being legally required to maintain a content filter to filter out bad things. What do they mean by bad things??? COPA like laws are all vague, but you have to show you are doing atleast something to prevent kids from vague things that may lead them into vague danger and cause them vague harm. The best way to do this is to to buy a server to act as your firewall and content filter. A compay called Clark Connect makes a great firewall product that updates its content filter automatically. It uses a program called dansguardian on the backend and is intelligent and easy to use.
Final note:
The firewall/content filter and domain controller are not traditionally something you use just for one lab. They are usually used for an entire school, or in some cases mutiple schools. This includes staff computers also. Most schools use this type of setup and would highly reccomend it if you can afford the hardware and lisences.
... Deep Freeze. http://www.faronics.com/html/deepfreeze.asp
Is a Joke, i cant say how many times i got admin passwords when i was in high school. Unless they Put a Great Firewall of China up, with communist guards with night sticks in front of the server, people will get in.
-Noc
most of these comments below me are good answers but, i believe in using what you already have, not purchasing more bull on top of the bull your workin with. impliment a group policy on all the computers for a certain group and add that person to that group that's locked down. you can lock it up so bad, such as start menu lockdowns, desktop lockdowns...etc. lot's of stuff. play god and have fun!(if you are working with a domain structured enviornment anyways, but you can still lock these down using the group policy tool in windows xp)
"In the kingdom where everything dies, the sky is mortal."
This is an effective protection against students messing around, but also against hackers, spyware, virus infestations, etc... just restart and the problem is removed.
Downside, of course, is that the computer is equally protected against security updates, administrator-desired software installations, etc-- in order to those, Deep Freeze needs to be disabled and then the computer restarted, which is a bit time-consuming.
Luckily, there's an administrator console version installed on my system-- with it, I can turn Deep Freeze on or off or restart or shut down systems-- in my lab and throughout my school... so I can disable Deep Freeze on all my systems, make any needed changes, then enable it again on all my systems, all without leaving my chair.
Highly recommended for school computer labs and other public computers.
Easy - get the Network Manager to do it. Her school does have a Network Manager, right? Right?
/me makes a mental note to let our school ICT Technicians know just how much we appreciate them.
All the terrible stories I've heard about the US education system no longer seem like exaggerations. This school had a computer lab where the *teacher* was responsible for network security?!
Here in the UK, the teaching unions would be up in arms over something like this. Teachers are paid (and trained) to teach, not to be a sys-admin in their all-too-short spare time. Yes, teachers should have input into security policies, but to have them in charge of the day-to-day administration of those policies is a terrible waste of their talents.
Use the right tool for the job. You wouldn't get a sysadmin to teach a class, why get a teacher to administrate a network?
FWIW, I've worked as a school site technician in 3 different school districts and I'm currently a Network Specialist for the local County Superintendent of Schools. I, too, have used and highly recommend Deep Freeze, but it sounds like the person who submitted the question should probably implement some other ways to lock down the computers in addition to Deep Freeze.
If you have a filter and you're having problems with students downloading games and music, why not block game and music sites? Take a look at your Web access log and block the sites that are creating a problem. If all computers at your site (not just in your lab) access the network through your "free Internet filter," and if you have a domain,* you might benefit from setting up the proxy filter to only apply to a certain domain account, and then put your lab PCs on the domain and have the students log in via this restricted domain account. That way, teachers etc. can still get into whatever sites they need to, and they won't hate you because of your somewhat restrictive filter.
*Someone else suggested using a domain, and I wholeheartedly agree. I haven't set up a SAMBA domain, but if cost is an issue (which it sounds like it is since you're using a free filter), you might be able to set up a domain with a Linux server, although I admit I have no idea how to go about setting up account restrictions on a Linux domain.
Another great reason to use a domain is that you can set up your student account to be *very* limited; you can specify specific apps that they can't run, or if you want to be *really* restrictive you can even specify apps that they're allowed to run and everything else will be blacklisted by default. You can find some basic instructions in an article at my blog. (Sorry for the indirect link--ironically I'm behind a firewall and can't get the exact URL for you. Please look in the sidebar to find the Active Directory post.)
Again, the specific music and game sites can be blocked individually, but it sounds like a big issue here is classroom discipline. I can't give you any tips on that. =) But another tech tip that I have is a free program suite: UltraVNC. You've probably heard of VNC before, but this particular implementation is really great for a school lab. You can set it up so there's no tray icon (making it easier to log into a student computer without them knowing or being able to shut down your connection), and you can actually lock down their ability to use the keyboard or mouse on an individual basis. So if you've got some kid that's really screwing around, take away their privilege of being able to use the computer until they decide they can behave. UltraVNC also lets you transfer files between the computers, which can come in handy.
As an aside, VNC also makes it a piece of cake to take screenshots of students accessing naughty sites. Just connect to their screen when they've got something inappropriate up, hit the Print Screen key on your keyboard, and paste into Paint. Save it, and you've got the hostname and IP address of that computer in the VNC Viewer app's header, the current time from your system tray, and a clear shot of what the naughty student was viewing at the time.
One more thing: someone suggested individual user accounts, stating that this was the only way to track which student used a particular computer at a particular time to do something bad. This is not such a great idea, however, for several reasons. To name just a
the JoshMeister on Security
http://www.microsoft.com/windowsxp/sharedaccess/de fault.mspx
I'm assuming you don't have these computers on a domain, in which case use a GPO.
P.S.,
This is what part of the alphabet would look like if Q and R were eliminated.
Let the little bastards get the piss shocked out of them a few times and it'll stop that tinkering bullshit. :)
Every one of the XP workstations should have a local security policy on it. Try Start->Run->Secpol.msc and change the setting so that the only users who have ability to install is the administrator. Change the administrator's name to something only you know and give it a 10 character password with 4 of those being non alpha minumum. Secpol will have the required settings you need.
Don't even bother.
Either:
A) Switch to Linux, or
B) Reimage daily.
Regarding A: Don't scoff at it out of hand. Obviously, its not the type of thing where you would show up tomorrow with Ubuntu CDs and hope for the best, but it *is* the type of thing that can be done after some consideration.
Regarding B: I've heard good things about Faronics "Deep Freeze" product. Schedule your systems to automatically shutdown at some point (preferably via BIOS, otherwise kill the power via power-strip.) Set the systems to not power up automatically when power is restored, and set the systems to powerup 1-2 hours before the lab opens. Tada! Fresh systems everything moring from your image, and it makes updating system software a breeze.
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
You should consider disabling things such as the command shell ("cmd" through the run menu) directly through the registry. While you're at it, find some decent software to track where your students are surfing, and block websites accordingly. Some decent web-filters allow you block sites on the basis of Given keywords. In addition to this, see if you can get funding for software called "Vision." Essentially, it allows you to control/stop any computer user's activites... and gives you constant watch over the systems. Hopefully that gives you a place to start.
Doesn't have gpedit.msc. Does have compmgmt.msc.
Sorry, you have to have the correct buzzwords to even get your resume looked at by someone who knows that Open Office Writer and Microsoft Word have transferable skillset.
Well young computer wiz, what would you do to secure the computers? You are the Windows expert after all.
http://www.faronics.com/html/deepfreeze.asp
^^
My high school used that software, anyone could change settings and do basically whatever they wanted, install whatever they wanted.. To undo everything, you just restarted the computer.. You either had to save to a disk, network drive or a partition that retained data when the machine was restarted. The students didn't mind it at all.
We have always had a fairly well-administered network, but when we started using Drive Shield the effect was amazing. It has changed student behavior in two ways. First, since they know that they'll lose everything on a re-boot anyway, they don't try nearly as much "customizing". Second, since the user experience is consistent kids don't get frustrated and mess things up out of spite.
Others have suggested Deep Freeze which I assume would be similar.
Well, I'd tell you to install linux, as its more secure, and I'd be willing to bet those kids have never even heard of it, much less know how to operate it. But then I think about that one kid (not unlike my self in my highschool days) that DOES know what it is, and DOES know how to operate it, know what I mean? I'm not sure thats any better :-P
i have a roll of electrical tape.
There is an exceptionally good product we used when I was in the trade. It was called HDGuard. It should be used as part of your greater security arrangements, by way of disclaimer.
When try to change or create any file on the system, it creates a clone and directs every call to that file to the new file. It stores a list of pointers in a table. When the computer restarts, that file is flushed and it's like working with a new system. If you put it on straight after a ghost your sweet and the worst you ever have to contend with is physical damage to the machine.
The benefit of doing it the HDGuard way is that it doesn't interfere with any temp/swap/scratch files.
It does other neat stuff as well. It will also allow for remote shutdowns/restarts and the like.
Also, use Serv 2003/R2 upgrade.
I'd recommend restoring a saved ghost img over the machine every time a user logs out. That way you don't need to restrict students from learning how to destroy or fix issues.
Simple solutions are usually the best ones. simply rig up a mechanism that detects any sort of wrong doing. Best part you should do? add a pnumatic guillotine that the hands have to go through first before they can touch the keyboard. 'Look Ma! No hands!' make the kids think twice about fooling around with computers doesnt it... (admittedly tho, god when i found my school principals password, grades were going up 10 bucks per mark, per subject)
I recommend a product called SpyWall from Trlokom (www.trlokom.com). It is a
sandbox for the web browser that will prevent the users from downloading crap
to the PC.
Even more important, it can generate a reference scan file and remove all the
spyware with a click of a button.
It has a basic webfilter and monitoring built in.
This should be under ' its funny, laugh'.
If the kids have physcal access they WILL break your secuirty. All you can do is slow them down.
Off the top of my head:
1 - No workgroups, domain only. ( and leave the server in a inaccessible room )
2 - Use microsft GPO templates to lock them down to a kisok
3 - Cross your fingers and expect to be using RIS once a week ( day? ) to reload them.
4 - Network access outside the lab should be at the least controlled in this inaccessible room, and even better, no outside access.
Consider terminal server instead. And no diskdrives on the pc, and no outside access... Oh, and no usb...
---- Booth was a patriot ----
That means the PCs are for learning class materials, not for experimentation. Playing can be done on their own time, at home.
Treating them like ' a business computer/user' is not a bad thing. Is called preparing for the real world.
---- Booth was a patriot ----
I have an 800 user network (750 pupils, 50 teachers) and we run Redhat and Mandriva 2006 servers and XP clients.
:)
First thing is lock the bios with a password and then lock the cases with tamperproof screws or suitable locks. Set the boot sequence to hard disk first and then either CD-ROM or floppy or disable the latter altogether. Our kids aren't stupid and can find bootable tools for overcoming the stupidly weak LM password hashed passwords.
You can use local or group policies to remove roaming profiles from the client C drives when users log out or even better set mandatory profiles. One kid got lucky and managed to get a local admin account on a client PC that a teacher had been using allowing him to access her locally stored roaming profile.
The big problem is USB memory sticks. There's a USB stickable program that will exploit a hole in XP's autorun program which then allows it to rip the password hash table for later hacking, creates a local admin account and a remote access config. We're working on that one at the moment
We also have a local policy on our PCs that hides C and prevents access to C via run in the start menu. This also affects the administrator account but a couple of reg files on the admin desktop allows us to enable and disable them with a single click.
On one of our Linux servers we have a disk image of a clean install which we can roll if need be and we can do a whole room overnight via gigabit. We also use the veto files line in samba which allows us to specify file types which can't be saved onto shares and Dansguardian running on a Mandriva box filters incoming content and stops certain file types being downloaded in the first place.
In order to log activity on the net we can't use transparent proxying as that stops you logging usernames in the filters access log. This means locking IE's proxy settings via local policies. We also blocked 80 and 3128 on the firewall so we can deploy firefox although each user has to set their own proxy settings.
Ultimately, USB memory sticks are the big problem. As long as you can subvert the security in XP via these you're pretty much stuffed whatever happens as a kid could install a keylogger via the local admin account he creates and call you over to fix a problem. As soon as you put your admin credentials in you're stuffed regardless of whatever you do.
Thin clients? Maybe, or maybe some other mechanism of abstraction will help. The only advice I can give with 100% certainty is don't underestimate the abilities of teenagers. They can seem thick one second and then pull of an act of supreme cunning the next.
Good Luck.......
Hmmmmmm..... Deep fried and look like Squirrel.
"Securing" in the general sense means "allowing some (intended) use and disallowing any other".
You can't really "secure" any box, running whatever OS, unless you can *define* in detail what it is you want to allow - e.g. browsing, but no Flash animations; word processing with no network access apart from network filesystem use; and so on...
This is my personal experience, but the system at our school seems generically feasible. There are some holes in the system (no command prompt, but running a .bat file pops it right up). The school uses WebSense to block games/downloads, but a slimbrowser/firefox client and a codeen proxy bypasses it. The main system itself is a citrix system, which is occasionally inefficient but useful for at-home logins.
If they simply removed execute priveliges from My Documents (they did it on flash drives, they could do it on My Documents), then the system would be, for the average user, unbreakable.
"I'm a well-wisher, in that I don't wish you any specific harm."
Seriously, at my jr high we had all the locked-down stuff we could want. Didn't do any good at all because they only changed the password to control the lockdown software (this was Win98 I think) once/quarter, and it would be seen or guessed within 2 weeks. I'm not sure how this hasn't come up yet in the discussion... but any relatively computer-literate kid could make an Admin account that looks just like the normal (limited) account to all but the closest scrutiny... but doesn't limit him/her at all!
Also, yes, make sure they are using limited User accounts, not Power User accounts. Make sure they are locked out of the system folders entirely, have only read permissions anywhere else on the hard drive outside of ther personal folders, and possibly even make it so that their home folder is wiped (or partially wiped) at each logout (I'm assuming the students share an account). My university uses a handful of scripts triggered by the Task Manager to do things like revert system settings when we log off, start security software client (not start a scan, just the client) when we log in, and stuff like that. It's easy to set up, and should work just fine even on non-domain computers.
There's no place I could be, since I've found Serenity...
I would tell you to just install iMacs in the labs.. but honestly, a solid windows install with a well configured active directory (and DeepFreeze) works great. Windows may not be the most "hip" OS nowadays, I don't even use it anymore. But sometimes people dont give it enough credit. The only issue I see is IT that lacks the ability to design quality images for their machines.
Taking ownership of .cpl and other unnecessary items the students do not need to begin with. (games, run, windows installer, services, control panel and more i'm sure i'm not listing)
Group policies are a godsend.
A Domain controller/proxy server would be a good idea. (It's easier to control network traffic through one machine, with the DC you can backup each students individual profile every time they log off, use deep freeze to reset the machines to install spec on a restart and then have everyones files in one place for virus/adware/malware scans.)
Configure filetype associations to programs that wont run what it is they shoulndt be accessing. (Paint wont open an mp3 divx avi exe swf whatever)
Setup a linux machine as the router and configure it to use squid-cache in transparent proxy mode. This will allow you to better audit what website the students are downloading crap-ware from and add them to a block list.
My neighbours acquired a Gread Dane and were concerned that it would jump over the 2ft 6in high fence into my garden. They were suggesting 6ft high solid panels. I said "Don't be silly! Train the dog." Dogs are 'good' at territorial limits and there never was a problem. He came to look over the fence and sometimes put his paws onto the top to 'say hello' but that was as far as it went. So why is this relevant? Because (1) You need to define what is and ins't acceptable. (And from that it follows you have some sanctions for offenders.) (2) A lot of trespassing is caused by curiosity. (3) A lot of fence-breaking is caused by wanting a clear view of threats at a distance. Of course in school there are additional reasons, but let's look at the social dynamics from the maliciously minded student's point of view. (OK some are just careless and it is possible that nobody told them what was/not acceptable.) Do they benefit from their actions? It is up to the school to see that they don't. Simple. Obviously bad things will still happen so cast-iron tech (a)prevention and (b) restore are necessary, but who would suggest a school policy of 'it's OK for kids to bring weapons because the teachers have bullet proof vests'. Prevention (I repeat because you need both bits: Define 'acceptable' and work out how 'crime' doesn't pay) is a far less expensive strategy than armour plate. NB Reprobates can onlt be caught if they can be identified. Some audit trail or 'only you have access so it must have been you' tech mothods required. (2) Because you have to be able to identify offenders
unless you have a very very large budget, "physical access = owned"
If I were in your position I would look at a nightly restore strategy. Every night at 11pm all the machines hammer the server and run a broadcast netrestore. Every morning by 8 every machine in every lab is back to how it was this time yesterday.
Assuming they will occasionally hose the machine beyond netrestore, keep a stack of 3 hard drives on hand that can be hot swapped if a machine goes down. Image the drive at your leisure and add it back to the repair pile.
Users should use network based home folders. This not only makes them more portable (can login anywhere on campus) but there is no problem if a machine has to be reimged or blows up or is stolen or whatever.
There is automated software that will auto refresh machines nightly. I imagine any internet kiosk has to use it. Ask around.
I work for the Department of Redundancy Department.
I think all efforts on securing the machines turn useless if someone was able to boot from a removable device such as a CD ROM or a USB drive. A Linux Live CD could be used for booting...
The teachers are almost as likely to screw things up as the students. The motivation is different (intentional mischief vs misguided helper), but the result is the same: fubar. No, as long as there is somebody to do the admin job (and there clearly wan't one before, so it's not like you can take a step backwards) you're in pretty good condition.
I'm a diehard windows user - I even still have a copy of Windows 1.02 on 720kb floppy, along with various flavors of DOS back to...well, before dinosuars walked the earth. I work in XP all day becuase it has the apps that make my business run smoothly. I normally am in the "stick with windows" camp. This time, I'm on the other side. These kids don't need XP at school. They need consoles that do the work, not teach them a particular version of a particular program. I say Linux is a good idea.
Is it just my observation, or are there way too many stupid people in the world?
Move your offices into the computer lab, and give any misbehaving students a beady-eyed stare whenever they try something.
A high school is actually a closed environment, so catching miscreants after the fact is actually effective, provided you have the capability to actually assign blame and punish in a manner that will serve as a deterrent. Merely technical measures are bound to be circumvented.
Giving people computers to play with is a lot like giving them balls to play with: If you don't have someone watching the children, they're bound to bean each other in the head with them sooner or later.
Go the microsoft.com and search for: Shared Computer Toolkit Download it, try it, study it, then load it up PS: There will be a lot of people that will say make it xxxxx OS which is not really what you ask. Right? That like "what is the best way to make a business work in New york city?" Go to LA
Make the user profiles for each account read only, so that the students can't edit them. Then, deny the student accounts everything but read access to the Windows folder, so they can't make any other changes to the computer. Finally, use GPEDIT.msc and lock down the command prompt. Short, and rather simple. It makes it so that the users can run any program they need to, but won't be able to make any real changes to the computer. Sure, they can delete programs, but keep an image of what the HDD should look like and and image it if anyone complains about stuff not working. Its not going to stop them from getting to flash games or anything, but no matter what you do, some crafty student is going to get around that.
Faronics Deep Freeze - It works for 3500 computers at the school district I am employed by.
burn 'em all! ... they can't mess with the computers if they're dead, now, can they?
The NSA has extensive guides that everyone in the U.S. government bases their security on. Their operating system guides will show you how to lockdown a machine to only allow a handful of applications to work.
Somewhere in all of the brain farts, lies a rosy bouquet.
Trust me, it is literally *impossible* to secure any currently released version of microsoft windows if the user has console access. Period. It cannot be done. All it takes is about two minutes on the console with any windows box and they will be able to get full control (if they know a few tricks) no matter how locked down you think it is. I always laugh when I go to a new client and they give me a new laptop where I don't get admin rights and its all configured so that only their admins are supposed to be able to install software, etc, etc. In my early days I used to just wipe the hard drive and install my own OS, but for the last few years I've learned that I don't need to waste my time with that.
Despite it's flaws and quirks, Shared Computer Toolkit is a godsend for these kinds of applications. It's a free download from Microsoft and takes about 20 minutes to install and configure. I highly recommend trying it out. It can totally lock down a computer from all but the most determined of 31337 H4X0RZ!!1
First of all, I will say that Deep Freeze is definitely a solid solution...when it's not hacked. The old Win98SE boxes at my high school that used Deep Freeze could be EASILYcompromised using Deep Unfreezer http://usuarios.arnet.com.ar/fliamarconato/pages/e deepunfreezer.html. According to the author of that program, it works on XP too.
Since the PCs are XP boxes, I would highly suggest setting up a group policy server (either WinServer 2003 or a free Linux setup like Samba).
Even better, use Linux. (No sarcasm intended). The majority of kids haven't even heard of Linux, let alone know how to use it. They'll have to figure out how to even open a web browser in Linux first before they try any screwing around.
I am a high school student at a school with an 'net admin' that somewhat lacks in knowledge, so I have been running their network and security for about a year now. Microsoft Shared Computer Toolkit was a great help in locking down the machines. I allowed access to basics such as Firefox and Open Office (the school isn't much into purchasing licenses so it opens opportunities for me to install open source software) and locked down everything else. Preferably each student would have their own account but with some networks (such as the one I run) this is not possible (to many students and not enough resources). So, I set aside a specific folder to which students can save documents. This folder is limited to 15MB to prevent storage of large files that they do not need access to. Then I have VNC and various keyloggers installed and the background image is a ULA stating that EVERYTHING they do will be monitored. This system seems to work fairly well, though it could use some improvement in some areas, but, for limited resources it is not to bad.
I helped a guy out with this sort of thing once before, and this is what we came up with:
Two boxes.
The first machine was set up with Debian and Shorewall All the other machines lived behind it.
The second machine was also set up with Debian, and with some rsync silliness, we got all of the lab machines re-imaging themselves every night.
It was a bit of a hassle to get running at first (we had to wipe every machine and install linux on it) and there is the drawback that the windows partition was living on FAT32 (unless NTFS write support has become significantly better, this might still be an issue). We also had to use Smart Boot Manager as it had the nice feature of being able to schedule boots. At midnight, every machine in the building would reboot into linux, rsync their windows partition against the master server, and then reboot to windows in the morning.
There was some good things to this, though:
1) Everything was done out of band, so even when windows would normally complain or make things difficult (some system files, as I recall), it was totally out of our way.
2) You could push a new image to the rsync server and within 24 hours all of your machines would be patched.
3) No matter what crap they installed or littered on the machines, it was gone the next morning.
4) Rsync is smart enough to do deltas and only push across the files that have changed, so it was reasonably bandwidth friendly.
5) When a machine crapped out (due to software, anyhow), you could walk up to it, reboot it, perform the magic keyboard voodoo, boot into linux and reimage it.
I'm sure there's fancier ways of doing this, but it's the sort of thing you can potentially scrap together the basics in a few days and with the exception of the two machines, it's only the cost of labor.
-transiit
(I won't say install Ubuntu, Kubuntu is much better.) However I'd rather get down to what really works in a situation like this. Don't lock them down. Anything an adult imposes will be viewed as a challenge and "Repressing their inner need to grow" However if they choose a security team, they get involved (even if it's just listening) with the process of locking down the systems, seeing how the bad guys work and what to do about it. Suddenly they are no longer "The schools computers" but their computers. If the students themselves are in charge of the lock down then if and when one of their own walks outside the line they are much more effective at pulling their peers back in line than you can be (except in extreme cases, like theft.) Not to mention the shear volume of knowledge even the slowest learner will acquire during the process. Put that budding script kiddy in a position where his/her reputation as "cool" is on the line ( SK " Oh man that's ripe any fool can hack that" Teacher "OK since you know the hacks, how about showing us the blocks.") Sure they will push back but be sympathetic and understanding saying "That's OK I'm sure you really don't know that much about this anyway." People protect what they own. Give these kids a sense of ownership.
I'm sorry, I'm to tired to be witty at the moment so this message will have to do.
First off let me say that "in the real world" Linux doesn't really help here guys... one of the main things people want to do at an Internet cafe is browse the web - and the abysmal state of the Flash plugin on Linux makes it not a viable solution. Yes, I know that Flash 9 is in beta, but it's not done yet. When Flash is viable (i.e. actually uses ALSA) I would suggest running some distro just like everyone else here.
For now, I went the "XP Lite" route - no Internet Explorer out of the box, the Automatic Updates service removed out of the box (it was killing the satellite link out here), and a lot of bloat removed.
Here's a screenshot of computers at that Internet cafe.
Basically I renamed the local Guest account user, made Shell="progman.exe" in the registry, and a couple of other nice tweaks. If you're interetested in the tweaks they're here, and the scripts it talks about you can email me for.
Privacy issues, such as someone else logging in as User and seeing everything the last guy downloaded, are handled by a task that's scheduled to run every 5 minutes. It checks to see if 'User' is logged on locally, and if he's not, it deletes "C:\Documents and Settings\User".
I setup the "Default User" profile to have all the settings already applied (like OpenOffice nagging you to set it up when it starts, Firefox asking if it should be the default browser, etc.) so by the script deleting "\Docs and Settings\User" the next guy that hits enter to login gets a completely fresh blank profile. Also I did some things that just make sense, like changing Firefox to clear all provacy settings when it's closed, etc.
It's been up at a 16 machine café for about two months now. No Internet Explorer, No MS Office. NO SPYWARE. Nuff said.
P.S. The antivirus solution is provided by AVG Free running completely in the background.
Here's to the crazy ones
Get a system to be a domain controller.
Do not overlook the fact XP pro can join a Domain and XP home can not. Much more that a domain controller will be needed if the machines are XP Home.
The truth shall set you free!
It is my experience that no matter how tight you lock down the computers, high school students will break through. We used to bust into our old machines a thousand different ways, from bringing in disks and booting off of them and changing the list of software that loads so that the lockdown software didn't load, to making small scripts on notepad to do annoying things. I currently go to school at a tech school. They actually keep the computers clean, if not the network. They have all of the machines set to re-image on every boot. It works well.
For the public computers I service, I merely loaded a little program that checks for certain window titles I specify. If it finds them, it closes the application. Some might say that it might find legitimate windows and think them bad, which is true, but for the most part people shouldn't be going REMOTELY near any of the unwanted sites/software (In my case, P2P, porn, and games). Any computer programmer could EASILY shut down this program, but again, for the most part it works great. Simply dropped the program in startup folder for all users, and each time someone tries to install LimeWire or visit Pogo.com it closes their browser and they get a warning message. The warning message alone is often enough to completely turn people off from ever trying the sites again. Link to source code template: http://pastebin.ca/220437
You can do better than that. Install OpenBSD on one computer. Find a bunch of old terminals out of some junk heap and hook them up to the computer. Sell all the other computers on Ebay. Make them use the terminals while you stare at the logs all day. See them hack it now, mofos!
I suggest getting a qualified system administrator.
Here you go:. mspxh /windowsxp/secwinxp/default.mspx
http://www.microsoft.com/technet/security/default
http://www.microsoft.com/technet/security/prodtec
It is possible to make a Windows machine secure enough for military users, but then it isn't quite so easy to use anymore.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
You need to look up windows policy. This will take you a long time to read through.
Every computer in there is compromised. You won't be using one of them as the base for a new image.
Buy the copy of ghost that allows you to stream your images nightly. Daily reimaging will do a lot to prevent people installing stuff, as its always gone in the morning.
On a secure computer, develop your image. Install windows, get the drivers required on there, install allowed software, get your policies set up. Keep this image. You'll need to access it occasionally to make changes as required.
Zap all the pc's with the new image. Rinse. Repeat.
Yay me!
If there's one lesson to be learned form the past of computer labs, it's that whatever the kids are learning in school will have little resemblance to what is available when they sit down at their first job. Windows 95 was more like Apple's System 7 than it resembled Windows 3.11. I find that a mix of operating systems is best to teaching how to use computers, and that those who learned just one OS are often thrown for a loop when confronted with a major update.
Linux does seem better suited to computer lab environments as opposed to Windows. The sandbox approach and the emphasis on experimentation encourage pupils to explore on their own. Windows is good for prefab programmes, so it also has its place on at least one or two of the machines. Ideally the school should add a Mac or two to the mix, but beggars can't be choosers.
I'm using Deep Freeze in a youth centre. I've tried a ton of other solutions, both software and hardware-based. None even came close to the effectiveness and ease of DF.
And contrary to other posters, I have seen NO SLOWDOWN. These machines run all the modern games without problems.
One of the best things is that it is completely invisible to the users and does not impose any UI restrictions. Only when you do the special Vulcan nerve pinch AND type in the pw AND reboot the machine do you get any access.
Users seem to be able to do whatever they want, and a reboot is going to undo all of it. (I'm then using additional tweaks to ensure reboots aren't required so often.)
The only isue is that if you want to make one master disk image to mirror to the lab pc's, you need to be very mindful of how you apply DF during the process. It is possible to lock yourself out (wasting the weekend you just spend building the image).
I can't help but give you my utmost recommendation to use this product. (Oh, and I'm not affiliated.)
Physically, our pc's are locked away in cabinets, with only KVM cables going out, and a lockable doorbell-type button to power the thing on. The games CD's are loaded as images, so users never get any hands-on.
"Good news, everyone!"
I'm more a Windows-and-Deep-Freeeze kinda guy (mainly because Need for Speed et al. aren't that speedy on Linux), but I'll bite. Not to yank your chain, but because I'm genuinely interested.
Say I would want to use Ubuntu (or Brand X Linux), how would I secure it so a user --any user-- can log in, surf the web, and play games, but NOT be able to change start menu items ("Yo momma" instead of "Firefox", these kids are soo mature *shrug*)?
I know users aren't root (I'm no noob, using BSD at home), but can you actually lock down KDE ()yeah I know Ubuntu uses Gnome, but anyway)? I'm very interested to hear comments on this!
"Good news, everyone!"
... you could still use brute force. Our university had the same problem. In the end they configured the machines to load a fresh image from the server during the boot process. Rebooting the same copy was only possible if the user who shut down the PC was identical to the user booting it again. If the check failed, the new image was loaded as well.
It puts quite a load on the network and the servers HDDs but its an effective last resort.
I don't think he was asking how to rebuild the machines. He was asking how to lock them down!
1 5848
2 31
There are many things that you can do, including making the machine run in "kiosk" mode. I found the following on Google.
http://answers.google.com/answers/threadview?id=5
http://answers.google.com/answers/threadview?id=2
I unfortunately can't tell you because I haven't had to do this before. I tend to lock down the accounts up to a certain point through the security settings and through the way you setup users on the machine. I'm sure you'll find the answer on Google. Maybe someone that has done it has a link that actually points to a how-to.
-P
http://www.fortresgrand.com/products/f101/f101.htm
I work at a public school and we use Fortres 101 to lock the machines down. It has a central control option too which lets you point the clients to a central server for the settings.
Perhaps a bit off topic and very likely to get burried as this was posted a while ago... ...here's a link to How well Linux is working in detroit schools. The artical is a bit old, but it couldn't hurt to dial up another school official and find out a few things from basic, like how well the project is still going, to technial, like how exactly they've got their system set up. Can studetns still access their files regarless of what machine they sit in front of?
Remove all power cables.
You'll NEVER have a problem again!
Really!
On a more serious note.
Unique accounts for every user
Drive Images
Something like FullArmor
...if only for the title.
As an IT teacher that also does a large amount of the tech stuff at my school (we have a 2 day a week tech as well) that also inherited a relatively dodgy setup, security wise, it really is important to remember that there needs to be some freedom for students to do things related to you know, learning.
We've run into several situations where it helps if students have access to C drives to store things like raw video for editing, since the software (and the network) tends to complain if every kid is dragging their footage across the network constantly for editing.
Naturally the main problem I have with our situation is not having the time to sit down and make sure it's all done right the first time, so it tends to evolve into a bit of a kludge that'll "get fixed at the end of the year when the kids have gone". So I do what I can with active directory (learning as I go, since it was the first time I'd come across it here) and fix as I go.
Funnily enough the biggest problem we've had so far as been physical security rather than software. The amount of vandalised mice, CDROM drives (locking them away just isn't practical - kids use them, or try to when they're not busted), keys off keyboards, etc. Sadly I think the biggest offender here is non-IT teachers who just don't supervise.
We have our share of 'hacker' kids (inverted commas well and truly deserved) but most of them just want to hide their copy of Q3A somewhere inventive :P
Not really.
I saw it on Slashdot, it must be true!
As an Educator, do you feel like, "The Child, left behind?" And the students are not even slowing down so that you can catch up?
/. readers will give you good advice, mostly; But you may not be able to either A.Implement, or B.Have-A-Clue. So your best solution is to talk to other school sites in your area, and go to those school sites to see how they are doing it,(For Modeling Lessons, try Portola Middle School, Orange USD, Anahiem, California). Also, what is the curriculum? Students will download, (sometimes better), stuff. Does the your school site curriculum have the flexibility to handle students that are higher up on the learning curve than even the educator? You may want to develop lessons based on openOffice, Gimp, and Blender so as to push even the brightest minds that enter the classroom. Why did I suggest the above programs? Because they are FREE, as in "School Lunch Programs." There are web based tutorials, web based lessons, and Books on these application programs also.
Lock Down? Consider booting off of a Edubuntu CD's, the money the school administrator will save on Windows Operating System, and Windows based Program license fees would allow the school to fund another computer lab.
If the Educator is going to use computers, then learning the network administration of such a setup is significant. Barnes and Noble have books on this subject. The Educator should be viewing the students computer, along with the student; A working solution is to move the computers into a "Circle Configuration". The Educator should teach to the back of the students while the students try the solutions.
I work in a large school system (Basically a Field Tech for the school system) with many Computer Teachers who have chosen to install DeepFreeze on the computers in the labs. I have seen many times where DeepFreeze causes a RollingReboot where the computers start up, load BIOS, start loading Windows (Loading Drivers really) and then shuts down and starts the whole process again. Not really hard to fix, but somewhat annoying and very time consuming when you have to run chkdsk /r from a CD or PXE the computer again on 5-15 computers.
And who really wants to have to tell someone they have to change thier lesson plan for the day because you couldn't get your lab back up and working fast enough?
When it works, it's great. When it doesn't work...OMG it's horrible.
"Yeah, but by we know yo mama gives EVERYBODY root privilege..." -jpetts (208163)
Don't most modern BIOSes also have an option to disable booting from devices other than the hard drive, or to specify the boot order, so you can't override the HD by using a floppy?
... but again, if you don't notice that going on in a public lab, you've got problems. Like, why aren't you locking the chassis shut, for starters.
I know my HP xw5000 does. I've never used it, but I saw it there in the settings. You could tell it to only boot up from a particular IDE device, even if there were other valid options (say, a boot floppy).
I guess if you set the boot order to HD first, someone could still get into the case, unplug the HD, then turn it on and boot from a CD, then maybe plug the HD back in hot, and delete stuff
If you're using a BIOS that has a well-known master password, then it's not going to help you at all, but if the BIOS is good and you can't get inside the chassis to reset the CMOS or pull the battery or do some other kind of shenanigans, seems like that would keep people from messing around with it too much.
I wish there were a better way to allow people to safely boot from USB devices, without giving them access to the hard drive (so that a USB stick couldn't be used to mess with the native OS installation). Then you wouldn't have to stop legitimate users who want to boot from a USB stick and use their 'virtual computer' type system (which I think is a really neat idea). Unfortunately, because people love to use external boot devices as a way to fuck up shared computers, there's really no good way to allow this (unless you have everything netbooting from a read-only volume).
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
All of the high-rated comments are suggesting technical solutions. However, the person asking appears to be a teacher, not an IT person. I have been responsible for several computer labs, and I always start from the other end. I make sure the students know what is acceptable, and what the consequences are for unacceptable behavior. Then I implement what solutions I have time for, and can afford.
First, don't even let the students even turn on a computer until they understand the Acceptable Use Policy. Here are two that I have written, feel free to use or modify them:
Don't just hand these out and collect them. I always spent the first class going over it and giving concrete examples. I found that a great way to introduce the subject was to ask the students what they should and shouldn't do with computers. I would write their answers on the board, and by the end we would have almost the exact same things as those that are on the policy. Make sure to emphasize positive things as well, like research, games, asking questions, and telling someone about problems.
After that you are going to at least need some sort of imaging software. I always used Ghost, but several other programs were recommended in other posts.
Next, make sure you have security software. Firewall, anti-spam, anti-virus, and content filtering. If you don't have it, mention it often. Politely make sure that every teacher, administrator, and parent that you meet knows that the school refuses to protect the children. I eventually got eTrust from Computer Associates for a good price, and I'm sure Symantec would also be willing to give you a volume/educational discount, maybe to go with that networked version of Ghost.
Last, set boundaries. If you are a teacher, your time should be spent teaching. Of course you have to do some administrative work, but don't accept responsibilities that are not yours (i.e making accounts for hundreds of students, or setting up network hardware and software). Use what you have, and if things outside of your job description go wrong, politely remind people that it is not your fault, and not your job.
Long live the Speaker Bracelet
Rolo D. Monkey
We use a wonderful program called Deep Freeze (faronics.com). After you have a clean drive, you install Deep Freeze. Then any time you want to change the desktop or anything on the C: drive, the next time the computer is rebooted, those changes are lost and it goes back to being "clean." The administrator can thaw the machine to make changes, though, and then just refreeze it when you've got it the way you want it. Ours are set to automatically reboot each night. This program has saved me literally hours and hours of work cleaning up computers.
Microsoft has a free utility for you to use that can do the same stuff as Deep Freeze. Deep Freeze requires deep pockets, and that cant fly for many. https://www.microsoft.com/technet/prodtechnol/winx ppro/maintain/sct/scthch01.mspx
Try it out, I have it in 6 sperate client networks and it is excellent.
we have deep freeze installed on windows m/cs in univ of tx at arlington and it is the best from what i have played with.
Open Source and Computer-aided Design (http://ossandcad.blogspot.com)
At a local community college, we use DriveShield from Centurion technologies. It lets the students do whatever they want, upon reboot, the PC is back to normal.
Make sure network is isolated from rest of campus. (In case of virus's) Make the machines rebuild overnight. OS install from network bootstrap kinda thing.. Remind students to take their work home before leaving!
Just setup local group policies. No need to purchase anything, it's all built into Windows. It takes a some work to setup, but students are hard-pressed to bypass it. Email me: mycomputerisjunk@hotmail.com if you need more help.
If you've got money, you can always try products like CleanSlate, DeepFreeze, or DriveShield. I've used them all in a public setting and prefer DriveShield--it's been very reliable and they have a new product that'll open up at night to let the machines pull down updates. An excellent free choice is to use Microsoft. They've got a product called Microsoft Shared Computer Toolkit that's available for free and came out of the original Gates computer grants to schools and libraries. The original setup has been honed over the years and this product made available for download. Take a look at it. http://www.microsoft.com/downloads/details.aspx?fa milyid=7256D456-E3DA-42EA-857D-92B716077A84&displa ylang=en
We used to use DeepFreeze and have moved to another method... our labs are similar to what you describe: schoolbased accounts with the same password. But the following method seems to be working. We use Synchroneyes which allows all of our lab stations to be viewed from an outside location, like a security camera room. When our student aides in the tech support center see something that looks like "outside the box" computer use, they freeze the screen, call the teacher, and have the teacher look at station X. As they only freeze stuff outside of the AUP (acceptable use policy), the "offenders" can get in pretty serious trouble, like losing rights to use, or even in or out of school suspension. Because the method is a combination of human and technological methods, it is just random enough to be effective. It can be defeated by unhooking the computer from the network or rebooting, but that behavior is caught as well, and has been written into the AUP.
Our bottom line is that the computer is a tool and a priviledge, and needs to be used within a set of rules.
This, by the way, is not what Synchroneyes was designed for. It is a tool to share screens for use on a big white board (Smartboard) during class discussions. It just worked out to help us solve a problem that Deep Freeze also helped, but too intrusively.