Securing a High School Windows XP Computer Lab?
An anonymous reader asks: "My SO just inherited a computer lab from a departed teacher who was no security guru. These are Windows XP systems, and security basically consists of a password on the admin account, a subscription to McAfee Security Center, and a free Internet filter. The students have access through a non-passworded 'limited' user account that doesn't seem to limit much. They have been going in and changing settings, downloading games and music, and generally screwing the computers up during class time, in many cases leaving them unusable. As the geek in our house, she has asked me to give her a hand, but while I have dealt with some security issues in the past, it was to protect against remote intruders, not against someone who has to have access to the keyboard. Any suggestions on the best way to lock these systems down?"
Policy editor combined with logging in to a domain with a restricted account seems to make life difficult enough for me on my work lappy.
http://www.microsoft.com/windowsxp/sharedaccess/default.mspx/ is a good place to start for newbies. Or if these are XP Pro machines you can use gpedit.msc (Start->Run->gpedit.msc).
If these are XP home machines try this http://www.dougknox.com/xp/tips/xp_home_sectab.ht
http://www.faronics.com/ has a program called Deep Freeze. It's not free, but after implementing it in several of our public labs it cut down just about all the troubles. Just reboot and the thing is exactly how it was when you froze it.
Please note I'm not associated with Faronics or Deep Freeze in any way, just found the program useful and thought it might help you out.
Get a system to be a domain controller. Lock that DC far away from everything else. Reformat the machines and configure them according to this: http://www.nsa.gov/snac/downloads_winxp.cfm?MenuID=scg10.3.1.1. It'll pretty much prevent any silly things with the keyboards. Also disable the local admin accounts after the machines join the domain and don't give anyone the domain admin password or privileges except those who need it.
This is the only way I've found to keep people from messing up Windows Machines.
It's free, and designed for XP and schools and libraries. It's pretty easy to install and configure too, if you know how to repartition your drive using Partition Magic. I use it, so reply if you want hints on getting it to work. You need WPA, and Hive cleanup service installed for it to go. It lets AV programs update, and Grisoft gave me a script to make it work with the SCT Windows Desktop Protection. Just reboot, and changes are gone, unless you save them first. Have the computers update overnight, because it doesn't work when people need to use the computer.
Naked under my flag.
As a network admin I am in charge of 3 Windows labs (high schools) and 35 Mac OSX labs. Amazingly, I used to have to spend more time working on the 3 Windows labs than the 35 Mac labs put together. I encouraged my department to purchase Deep Freeze and have not had to re-image a machine (other than yearly maintenance) since. I don't usually promote products, but Deep Freeze really is an amazing piece of work: it was simple to install and configure, and any change that a student makes to the computer gets reset back to the defaults on the next reboot. It's amazing that in June the machine is exactly the same (except for updates) as the machine was in September. With the proper settings you can configure Deep Freeze to boot in thawed mode (meaning changes will stay) with the keyboard and mouse disabled, run antivirus and Windows updates, then refreeze; we have this set to happen at 2am twice a week. I can remotely thaw or freeze computers from my desk across town. All in all, even though the software is not cheap, it has paid for itself multiple times in saved labour and hassle.
A good solution if you are concerned about generally maintaining the same exact image consistently when people use the machine is to utilize Deep Freeze. In our IT Department at a medium-size University (10,000 students) we use Deep Freeze extensively to keep students from ruining lab computers. Deep Freeze is, as others have mentioned, a virtual partition system. Each time you reboot the machine, the original image you had is restored and any changes wiped (only files kept in the "Thawspace" are maintained, all others are lost). This means that no matter what your students do, the machine will be restored on bootup.
Now, if you want to further limit what they can do, you can make many changes to the registry in Windows to block users from doing many things such as using the "run" menu, installing applications or a number of other things as simple as changing screen resolution or color depth. Once you set everything up and create the image of your restricted setup, Deep Freeze will maintain it every time for you.
You can get Deep Freeze from here: http://www.faronics.com/ or look there to find out more information about how it works.
We have tried other products in the past that claimed to "restrict" Windows such that users could not make harmful changes (e.g. OnGuard) but none of the ones we utilized were able to be fool-proof and stop students from getting around it or messing something up. Short of reformatting the machine, Deep Freeze is pretty hard for the student to get around. Thawing the machine to make changes requires a lengthy key combination to even bring up the password box (key combination is customizable by you), or you can enter a key combination on bootup to access the password box to thaw the machine. You can also maintain the systems through a Deep Freeze console so you can admin all the machines at once and even push new images to them that way.
That's my three cents on how we do things in an Academic environment, but our general policy has been slight restrictions but allow them a lot of free rein - except we reset the system every time it is rebooted. I'd suggest for Middle and High school to implement a lot more restrictions on the base image that you use with Deep Freeze than what we have here at the University level.
"To strive, to seek, to find, and not to yield." - Tennyson
Have you tried the above link on an XP home machine? The MS website says it is for Win NT and Win 2K.
science is a religion
Most of the students won't try to break things, but a few assholes will so you have to make sure they can do the least amount of damage possible. Unless, of course, you feel like cleaning things up daily.
You could also get an Active Directory domain and push the restrictions that way. I prefer to script it since I prefer to have my servers run Linux.
"It ain't a war against drugs. It's a war against personal freedom" --Bill Hicks
It's unfortunate you were moderated down as troll, when most of the people posting to this topic have been trolling and straying from the original topic. I'm willing to bet a lot of the people who didn't read "these are windows XP systems" and are going on about Linux have never configured and maintained a large homogenous or native Windows network, or at least had the knowledge, experience or intelligence to properly configure and lock down a Windows based network. I hope the OP is at least running all these kids in plain "user" mode, as opposed to administrator or power user. Plain user mode would prevent against a large number of trojans and malware from being installed (as well as regular programs) but give them enough functionality to browse the web. Whoever suggested the ghost or imaging idea was also on the right track - a client high school I work with has a morning reimage from a master system sent down every evening completely undoing any damage done the previous day. A RIS schedule could also be implemented, assuming you have network cards with boot code. This is really unnecessary though, if you spend enough time learning how to effectively secure Windows. The OP neglected to mention if these computers were part of a domain - if so GPOs would also make locking down these systems a little easier.
I'm not affiliated with Faronics in any way.
I administered a computer network at a high school for three years, so I can toss out a few suggestions:
VLAN your network. If you have Cisco switches, this should be easy. Set up separate VLANs for students, the staff, and servers. You'll be able to isolate what resources can be accessed based upon these access lists.
SET UP A PROXY SERVER! Seriously. One of the first systems you should implement is ISA Server 2006. ISA Server will act as an internal proxy to control what users have access to the Internet, and what resources they can access. Set ACLs on your internal switches to prevent routes to the Internet from the student VLAN unless they go through the ISA Server. Set up the ISA Server in front of a filtering appliance, pass all HTTP traffic, and allow access only to HTTPS sites you've added to an allow rule on your ISA server. Add the same limits to SWF, DCR, and possibly java or class files.
Only allow Internet traffic to port 80 and (to a limited extent) 443 for students: Look, your students aren't going to need any other services besides HTTP and HTTPS, and if you're not careful about HTTPS, they'll be popping holes in your proxy using an encrypted web service.
Set your web filtering to deny unrated sites: Students are going to try and circumvent your web filter through phproxy or cgiproxy. The smartest kids will go so far as to set up their own domain to get around your filter. The solution? Block what's not rated. It's also important that your filter have a mechanism to request that a site be unblocked. From a security perspective, it's important that you not open yourself up to risks that you can't control - including websites - but it's also important for the students' development that they have an opportunity to view controversial subjects and make up their own minds about the topic.
Use groups: Set up an OU for each grade in your school. Create a global domain group for each grade. Set up another OU for classes, and create a global security group for each class section. That way, you'll be able to allow or deny access to resources for each grade or class.
Software Restriction Policies: If you have a Server 2003 network, group policies are an amazing asset for your Windows XP clients. Group policies allow you to change settings on users and computers in your network. For instance, you can disable access to the registry or lock down Internet Explorer. Within group policies is a special policy component called Software Restriction Policies that allows you to decide whether or not applications can run based upon the hash, path, or filename. On my network, I designed the SRP around hashes. Managing those policies was a pain (the list was around 400 executables), but it was worth limiting what code would execute on the systems.
Admin tools: You'll want to turn off access to all administrative tools, so disable access to the command prompt, registry editor, and MMC. Also, disable access to the security tab in Explorer to prevent students from changing file permissions. For your computer policies, set the local security policy to disable storing the LM hash for passwords.
Use the Windows firewall: I know it's not much, but it does provide a lot of benefit over nothing at all. Using group policies, configure static rules into the Windows firewall. This will prevent malware from causing problems on your network, and will also prevent iTunes from eating your bandwidth.
Web browsers: It pains me to say this, but don't allow browsers other than Internet Explorer to run on your machines during school. When Firefox adds group policy support, I'll relent on that, but you have no control over what code is executed in Firefox, whereas group policies give you a lot more control over Internet Explorer. Example: after implementing our software restriction policies, students began downloading Flash games in swf form to their laptop hard drives. After receiving complaints from teachers, we simply disabled Firefox through SRPs, and disable
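An added example, not part of the original comment: a small inventory script for the hash-based Software Restriction Policies described above. It uses SHA-256 for its own bookkeeping (an assumption, not the hash format SRP stores) and a constructed lab directory, and shows that a hash rule still matches a renamed copy but must be reissued whenever an approved binary is patched.

```python
import hashlib
import tempfile
from pathlib import Path

# File types treated as executable for this inventory (an assumption; extend as needed).
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".com", ".bat", ".cmd", ".scr", ".msi"}


def file_hash(path):
    """Hash a file in chunks so large installers need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def executables(root):
    """Yield (relative path, absolute path) for each executable under root."""
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in EXECUTABLE_SUFFIXES:
            yield path.relative_to(root).as_posix(), path


def build_allowlist(root):
    """Map content hash -> relative path for every executable in the master image."""
    return {file_hash(path): rel for rel, path in executables(root)}


def audit(root, allowlist):
    """List executables whose content hash is not approved.

    "changed": an approved path now holds different bytes (a patch or tampering),
    so its hash rule must be reissued. "new": a file that was never approved.
    """
    approved_paths = set(allowlist.values())
    findings = []
    for rel, path in executables(root):
        if file_hash(path) not in allowlist:
            findings.append((rel, "changed" if rel in approved_paths else "new"))
    return findings


def demo():
    """Run the audit over a constructed lab directory (all file contents are made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        lab = Path(tmp)
        (lab / "apps").mkdir()
        (lab / "apps" / "writer.exe").write_bytes(b"constructed approved build 1.0")
        (lab / "apps" / "notes.txt").write_bytes(b"not an executable, ignored")
        allowlist = build_allowlist(lab)
        # Simulate a day of use after the allowlist was taken.
        (lab / "apps" / "writer.exe").write_bytes(b"constructed patched build 1.1")
        (lab / "apps" / "copy.exe").write_bytes(b"constructed approved build 1.0")
        (lab / "game.exe").write_bytes(b"constructed unapproved download")
        return audit(lab, allowlist)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:8} {rel}")
```

Running `audit` against the master image after each patch cycle gives the list of hash rules that need updating before the lab reopens.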
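An added example (not the commenter's configuration): auditing a `.reg` export for the lockdown settings the comments above describe, namely blocking the command prompt, registry editor, MMC, Run menu and Explorer Security tab, and not storing the LM hash. The selection of policy values in `BASELINE` and the sample export are assumptions of this example.

```python
import re

HKCU = r"HKEY_CURRENT_USER\Software"
POLICIES = HKCU + r"\Microsoft\Windows\CurrentVersion\Policies"
# (registry key, value name, acceptable DWORD values, what the setting enforces)
BASELINE = [
    (HKCU + r"\Policies\Microsoft\Windows\System", "DisableCMD", {1, 2}, "command prompt blocked"),
    (POLICIES + r"\System", "DisableRegistryTools", {1}, "registry editor blocked"),
    (HKCU + r"\Policies\Microsoft\MMC", "RestrictToPermittedSnapins", {1}, "MMC snap-ins restricted"),
    (POLICIES + r"\Explorer", "NoRun", {1}, "Run menu removed"),
    (POLICIES + r"\Explorer", "NoSecurityTab", {1}, "Security tab hidden"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa", "NoLMHash", {1}, "LM hash not stored"),
]

# Constructed sample in regedit "Version 5.00" format. Real exports are UTF-16
# (open with encoding="utf-16"); HKCU reflects the account that ran the export.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"NoLMHash"=dword:00000001
'''

SECTION = re.compile(r"^\[([^\]]+)\]$")
DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_dwords(text):
    """Return {(key, value name): int}; names are lowercased (case-insensitive)."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        section = SECTION.match(line)
        if section:
            key = section.group(1).lower()
            continue
        dword = DWORD.match(line)
        if dword and key:
            values[(key, dword.group(1).lower())] = int(dword.group(2), 16)
    return values


def audit_lockdown(text):
    """Compare an export against BASELINE; return (value name, status, purpose)."""
    values = parse_reg_dwords(text)
    findings = []
    for key, name, allowed, purpose in BASELINE:
        actual = values.get((key.lower(), name.lower()))
        if actual is None:
            findings.append((name, "missing", purpose))
        elif actual not in allowed:
            findings.append((name, f"set to {actual}", purpose))
    return findings


if __name__ == "__main__":
    for name, status, purpose in audit_lockdown(SAMPLE_EXPORT):
        print(f"{name}: {status} (expected: {purpose})")
```

Export the student account's policy keys while logged on as that account, so the `HKEY_CURRENT_USER` values describe the restricted user rather than the administrator.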
The Shared Computer Toolkit is fairly easy to use. If you don't have Partition Magic, GParted (Gnome Partition Editor) works great, is freely available, and I've used it to set up shared machines with no problems. ( http://gparted.sourceforge.net/ )
Accentuate the positive, don't waste your mod points on the negative.
bit9 (http://www.bit9.com) parity does exactly what the OP is looking for. you can lock down computers without taking away admin rights, and can whitelist applications which are allowed to install during lockdown. you can also administer all your desktops from the web console, so you don't have to go to each desktop and manually configure everything every time you want to make a change, and you can see what applications are running/installed on each desktop, and be alerted when something new appears.
[full disclosure: i work at bit9 -- i couldn't help posting as we see and solve this exact problem all the time :)]
hope this helps; there are other alternatives (imaging/freezing products that others have pointed out) as well.
-drew
"Where are we going, and why am I in this handbasket?"
If you have a Windows domain the best is to use the group policies and create individual accounts to track each of the students.
Group policy http://www.microsoft.com/technet/technetmag/issues/2005/05/LockDown/ will also give you a great deal of control over how much of the Windows interface they have access to. For instance you can lock out the CLI, and where they can save files. Here is a link from Micro$oft on how to get started.
If you don't have an Active Directory domain set up, you can still lock down the desktop by creating local policies http://www.windowsnetworking.com/articles_tutorials/wxppspol.html, unfortunately you will need to apply these to each PC if all the hardware in the lab is the same, but it wouldn't be too difficult to create a locked down image using Ghost, and then image all the machines to be identical.
Also, if the school can afford it, buy a copy of Websense http://www.websense.com/global/en/. It will keep the little buggers out of the internet, prevent them from downloading games, and even using chat programs.
"Don't be so humble - you are not that great." - Golda Meir
In a corporate environment, users typically can't even install things like print drivers without admin rights.
The last time I got a new PC at work was the first time it was sourced via a particular department of our corporate owners. It arrived set up such that local admin accounts couldn't even change the desktop background.
Of course, as we've never been properly integrated into the company as a whole, we're not part of the corporate Active Directory structure, so 5 minutes googling and 30 seconds of gpedit.msc fixed that. However the point is that it is indeed possible to lock an XP machine up tight if you know what you're doing and have the infrastructure to support it.
It's official. Most of you are morons.
I'm going to assume here that you must use Windows. Honestly, it's not much harder to lock down than Linux.
:) Dan's Guardian is an excellent free solution that does content filtering. Squidguard also works well. The best advice is to block everything except what you want them to see. Ditch IE and use one of the Kiosk addons for Firefox or Mozilla (there are several).
* It's relatively simple to lock down users with GPO where all they see is a start menu and specifically what you want to give them. Make sure you remove access to the C: drive. Be warned that there are ways around it so keep your eyes open.
* If you MUST give them net access, force proxy and restrict the hell out of them. Teenagers will look at stuff they're not supposed to and are very creative at getting around firewalls.
* Get ghostcast, or opforce, or something free and reimage them every night. You'll thank me later.
* There'll be one or two kids (usually just one) that always manage to get around your restrictions. These are the kids that will one day have hugely successful IT careers. My experience is it's better to give them some extra responsibility to help YOU out, they'll thank you for it.
So what's the solution? Give up, and let them do it.
My experience is that the sufficiently motivated students (me and a few others) didn't actually want to play games or anything...so one answer is to allow only the sufficiently motivated students to get past it (not explicitly open it) but threaten them with discipline if they tell others.
And yes, any machine with physical access is inherently insecure. That isn't necessarily a bad thing, if you plan your security model around that. MIT gives out the root passwords for its public machines, for instance, but you can only become root through su-ing from a normal account - and su is logged. (And root doesn't have read access to other users' networked home directories, of course.)
How have you seen it broken? None of our students have figured it out yet. (The old version maybe, it had a bug that allowed you to change the date/time or some such thing and it broke.) The new versions, I've yet to see it broken. (Provided the CMOS is locked, and the student isn't opening up the computer to reset it so they can boot from a cd/floppy/usb drive.) And any teacher that doesn't notice a student removing the cover from a computer needs to pay more attention. And I agree, it runs very well on any modern (6 years old or newer) machine that we have. I can't imagine what a hassle my job would be without it.
This is an effective protection against students messing around, but also against hackers, spyware, virus infestations, etc... just restart and the problem is removed.
Downside, of course, is that the computer is equally protected against security updates, administrator-desired software installations, etc-- in order to do those, Deep Freeze needs to be disabled and then the computer restarted, which is a bit time-consuming.
Luckily, there's an administrator console version installed on my system-- with it, I can turn Deep Freeze on or off or restart or shut down systems-- in my lab and throughout my school... so I can disable Deep Freeze on all my systems, make any needed changes, then enable it again on all my systems, all without leaving my chair.
Highly recommended for school computer labs and other public computers.
You're stupid. That's not an example of someone breaking deep-freeze, that's an example of someone dealing with the hardware. That will not help them do anything unauthorized to the software.
And, in any case, that problem can be solved through the use of a lock.
At my former employer, Yuba College, in labs in which they need deep freeze they use it; labs which lack supervision also use locks. Sure, you could cut the lock's cable, but it would take you a little while. Deep Freeze works excellently. Who cares if they alter the OS? It gets restored to factory at the end of the day.
Anyway, back on topic, you could also just go ahead and use ghost or what have you and reload the systems from images at the end of the day... but I'd use deep freeze.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Sorry for being obsessive, but it's "and hope they don't have blasters."
Documentation: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sct/default.mspx
Download: http://www.microsoft.com/windowsxp/sharedaccess/default.mspx
I'm using Deep Freeze in a youth centre. I've tried a ton of other solutions, both software and hardware-based. None even came close to the effectiveness and ease of DF.
And contrary to other posters, I have seen NO SLOWDOWN. These machines run all the modern games without problems.
One of the best things is that it is completely invisible to the users and does not impose any UI restrictions. Only when you do the special Vulcan nerve pinch AND type in the pw AND reboot the machine do you get any access.
Users seem to be able to do whatever they want, and a reboot is going to undo all of it. (I'm then using additional tweaks to ensure reboots aren't required so often.)
The only issue is that if you want to make one master disk image to mirror to the lab PCs, you need to be very mindful of how you apply DF during the process. It is possible to lock yourself out (wasting the weekend you just spent building the image).
I can't help but give you my utmost recommendation to use this product. (Oh, and I'm not affiliated.)
Physically, our PCs are locked away in cabinets, with only KVM cables going out, and a lockable doorbell-type button to power the thing on. The games CDs are loaded as images, so users never get any hands-on.
"Good news, everyone!"