Securing a High School Windows XP Computer Lab?

An anonymous reader asks: "My SO just inherited a computer lab from a departed teacher who was no security guru. These are Windows XP systems, and security basically consists of a password on the admin account, a subscription to McAfee Security Center, and a free Internet filter. The students have access through a non-passworded 'limited' user account that doesn't seem to limit much. They have been going in and changing settings, downloading games and music, and generally screwing the computers up during class time, in many cases leaving them unusable. As the geek in our house, she has asked me to give her a hand, but while I have dealt with some security issues in the past, it was to protect against remote intruders, not against someone who has to have access to the keyboard. Any suggestions on the best way to lock these systems down?"

Come on, did you really have to ask Slashdot?

[pdpTrojan]

95% of the answers given here are going to be smartasses telling you to install Ubuntu.

Virtual Machines

[clintp]

Set up the machines to run in a VM environment. When the host OS boots and logs in, make a copy of the VM and run that. When they exit, destroy it.

Lock down the user accounts

[William_Lee]

The easiest thing to do is to lockdown the user account that the students use. It is unacceptable from a security standpoint to allow them access to more than being able to run simple preinstalled apps like Firefox, MS Office, etc. It sounds like you're not running on a domain based on the fact that it is a simple 'limited' account. I'm not really in a position to go into the details of XP security in a quick reply, but it is possible to lockdown a user account very tightly in XP on a domain. In a corporate environment, users typically can't even install things like print drivers without admin rights.

Re:Lock down the user accounts

[nine-times]

You don't even have to go very far with this: just give them "user" accounts. Windows comes with three main user groups built-in: administrators, power users, users. Unless someone has messed things up, "users" shouldn't be able to install things or mess with the actual system.

Now, the other part of this (and this is important) is that you have to find a way to restrict student's access to the physical machines as much as possible. The ideal would be to put the actual machine in a locking cabinet or something (with some amount of air-flow so they don't overheat). If you really want to keep the computers secure, you don't want those kids getting access to so much as a CD-ROM drive or USB port. Really, a simple lock-down will keep most kids out of trouble, but you never know when some kid is going to figure out how to reset your Windows admin password with a Linux live CD.

Backup Software

[99BottlesOfBeerInMyF]

You're going to hear a lot of "install Linux" comments and a lot of "linux sucks" comments in reply to them. I'm not going to go there. Assuming you're looking for some minimal security, not a whole architecture revamp, look into some good backup software, make a clean install image with everything you want on it, add a network storage server (Linux?) for persistent data, and just periodically wipe the machines and replace them with a known good image. Keep the image up to date, virus scan the network storage, and you're probably going to be fine.

It can't be done anyway.

[mrchaotica]

No matter what you do, sufficiently motivated students will hack their way around it. At least, that was my experience in high school. It doesn't even matter if you try stuff like BIOS passwords, etc. -- the students have physical access to the machines, or at least can con the teachers into getting it (e.g. in order to fix a problem, unless you've got a much less understaffed IT department than my school had).

So what's the solution? Give up, and let them do it. Re-image the machines if they get screwed up, discipline the students if they do something unacceptable (e.g. download porn, etc.), and don't waste your time bothering with anything else.

Well, speaking from experience...

[MostAwesomeDude]

From experience, here's what you need to do.

First, lockdown all accounts. Some people mentioned Deep Freeze, some people mentioned group policy. My old school used Active Directory with group policies, so yearbook students and teachers could save files to the central server.

Take away the Task Manager, right-click, and Internet Explorer. Those are the most common amateur attack vectors. I'm at Oregon State University, and have had no problems compromising the "locked" computers here simply because they left me with Internet Explorer. Replace it with Firefox, and read the Firefox docs on how to lockdown the browser settings.

Tell teachers to supervise kids in computer labs. There was one lab at my old school which kids stole drives, memory, and fans from all the time simply because the teacher in that lab was incapable of monitoring his students. It was bemusing but also expensive.

Re:An Idea...

[An+Onerous+Coward]

I disagree. While Linux shouldn't even be brought up in the context of securing a Windows XP lab (except maybe to serve network resources and authentication), using a Linux desktop is only going to help high school students learn computer skills.

Basic web usage is portable to Internet Explorer (and even moreso to Firefox on Windows). Basic word processing skills can be easily transferred from OpenOffice to MSOffice. Basic fragging skills are transferrable from Quake 3 to Half-Life (c'mon, these are high school students).

More important, learning to accomplish the same task using more than one application can really help cement in the kids' minds that they're not learning "how computers work," but "how this particular application works." Which is very important for a real understanding of computers. Where differences exist, they open up opportunities for learning. What is a file format? How can multiple programs handle the same data, and why do they sometimes do it slightly differently? What are web standards?

Couple that with the number of programming languages freely available to educational institutions under the apt-get license, and it seems to me that there is definitely a place for Linux in the classroom.

Comment removed

[account_deleted]

Comment removed based on user account deletion

4 years IT support for Public Schools

[Dewser]

Evil little bastards will steak anything that isn't (and sometimes is) fastened down. So make sure you get those PCs locked down physically. Keep this in mind.. out of site, out of mind. If they don't see it, they won't try and break it. I came across a Dell tower one day while wondering the high school and found that someone had punched a hole though the empty bays as well as poked out the PCI slot covers in the back. They managed to swipe the CD-ROM, Memory and processor. The dumb ass teacher didn't even think to report this to use. And its not like the system was hidden under the desk, it was right on the counter in the front of the classroom. Another kid brought in a duffle bag and bolt cutters. He actually made it to the parking lot before security caught him. Oh did I mention he got this thing unsecured and in the bag during class?

Anyway as far as locking the system down, if you own Windows 2000/2003 server Active directory is the easiest and cheapest way to go. It will take some tweaking but it works pretty well. I also found striking the fear of god into the kids was equally effective. ;-)

And the guy who posted about the stock of mice and keyboards, he is also right on! They run through that equipment like water! So you strike a good deal with a vendor and buy those things in bulk. We got the keyboards down to like 7 bucks ea. and the mice about 3-4 bucks each.