Slashdot Mirror

← Back to Stories (view on slashdot.org)

Securing a High School Windows XP Computer Lab?

Posted by ryuzaki0 on from the locking-your-windows dept.

An anonymous reader asks: "My SO just inherited a computer lab from a departed teacher who was no security guru. These are Windows XP systems, and security basically consists of a password on the admin account, a subscription to McAfee Security Center, and a free Internet filter. The students have access through a non-passworded 'limited' user account that doesn't seem to limit much. They have been going in and changing settings, downloading games and music, and generally screwing the computers up during class time, in many cases leaving them unusable. As the geek in our house, she has asked me to give her a hand, but while I have dealt with some security issues in the past, it was to protect against remote intruders, not against someone who has to have access to the keyboard. Any suggestions on the best way to lock these systems down?"

9 of 533 comments (clear)

  1. Sure. by khasim · · Score: 4, Interesting

    First off, the part you'll be authorized to use is almost exactly like Windows. Here's the login screen. Here is the "Start" button. This is your web browser, word processor, etc.

    These machines will NOT run most of the applications you have at home. We want it that way.

  2. XP security by maxwells_deamon · · Score: 3, Interesting

    Setup individual accounts for each student. Anything else is insane as there is no way to discover who did what.

    reimage each machine every night.

    Make sure they are on a differnent subnet from all of the admin computers and that the only path to the admin computers from the labs is down through a router.

    Files must be stored on a locked down server. Or students own USB drives.

    Otherwise. Remove all the hard drives. Lock the door and update resume.

  3. One word: Don't by PaxTech · · Score: 4, Interesting

    If you lock them down, they'll work but you'll have a lot of complaints as people are restricted from using the computers for any purpose you haven't specifically allowed. In a business environment, this is fine, you pay the people to work and they aren't using the computer as a toy. In an educational environment though, you want students to be able to experiment.

    What I would do is try to create a network disk image that could be quickly and easily reverted to when the machines inevitably get messed up. Let the students play and learn, a large part of learning is in messing things up and trying to fix them.

    --
    All movements for social change begin as missions, evolve into businesses, and end up as rackets.
  4. Re:An Idea... by Anonymous+Freak · · Score: 2, Interesting
    My son's middle school runs their computers on Linux with XPde and OpenOffice.

    It's so convincing, it even took me a few seconds to realize that it wasn't XP. (When I looked at the Start menu and saw an X instead of a Windows logo. Everything else on screen would have been 100% 'at home' on a true Windows computer.)

    --
    Another non-functioning site was "uncertainty.microsoft.com."
    The purpose of that site was not known.
  5. Re:An Idea... by Anonymous+Freak · · Score: 3, Interesting

    My 12 year old son can't tell the difference between Windows XP with MS Office 2003 and Linux with XPde and OpenOffice. On a Pentium II 400 MHz system with 256 MB of RAM.

    That's what they use at his middle school, and they use both Windows and Linux. When I installed Linux dual-boot on his home PC (P4 3.2 GHz, 512 MB RAM,) the only way he knows he's in Linux is that he can't find his games.

    Your troll would be interesting, if there was fact behind it.

    --
    Another non-functioning site was "uncertainty.microsoft.com."
    The purpose of that site was not known.
  6. two suggestions by DaveJay · · Score: 2, Interesting

    First: get a router for all the computers to pass through, with a web site whitelist (like the cheap and widely available DLink 808HV or 404HV); tell students that if they want to access a site that's blocked, they have to ask permission for it to be unblocked. Over time, useful sites will fill the whitelist.

    Second: install VNC as a service on all the machines, with a good password, and configured to not allow keyboard/mouse control. Then switch all students to non-administrator access so they can't turn it off (stop the service) or uninstall it. Finally, announce to each and every class that you have the capability to watch any desktop at any time remotely, and will basically be scanning through every desktop in the room regularly and punishing everyone caught doing stuff they shouldn't. Then DO IT, until the message sinks in that you're serious.

    Third: over time, do consider switching to a more secure OS, provided it can support what you're trying to accomplish in the lab.

  7. Re:deep freeze by michrech · · Score: 3, Interesting

    I disagree.
    In the school I worked, the kids had no problem re-downloading the programs and music every. single. day. I assumed finding and re-downloading the stuff was more fun than listening to the teacher anyway. Plus, most of them started playing flash-games on the game websites as well.

    Deep-freeze will keep the OS from being permanently destroyed by student/virus/whatever, but it doesn't make it any less of a distraction in the classroom if it is not further locked down.

    You disagree -- That is your opinion. Let me tell you why I believe you are wrong. You use something like deepfreze to lock the PC. Then you have a content filter to block the crap the students are doing online that they should not be. Right tool for the job, and all that.

    At one particular school I used to do some work for (before moving to a higher paying job), I set up a linux (Gentoo, in case it matters) server that did Samba, iptables, squid/squidguard, etc. When teachers would catch their students doing things they ought not to be, the web site was written down, passed to me, then blocked. I would sit and look at the access log to see if the students were looking at game sites (of the games.yahoo.com type) and block them. When I got wind of this stupidcensorship.org crap, I joined that mailing list (under multiple email address) and started blocking THOSE. The faculty/administration of that school *loved* that they were in control; not the students and not some company with the blocking database. They loved that the software didn't cost them a dime so they were able to pump more money into better back-end hardware.

    They didn't believe in locking the machines down with deepfreze (or didn't want to spend the money -- one of the two), but fortunatly for them with how much I had things locked down, the students really haven't been able to damage the machines (as far as software goes). No, they've resorted to damaging hardware (resulting in suspension/expulsion). That is beyond what any ITS individual can prevent.

    --
    bork bork bork!
  8. Great ways to lockdown the desktops in XP. by borphos · · Score: 2, Interesting

    I work for a school so I know this problem inside and out, but the answer really depends on your situation /resources.

    The easiest way:
    Buy a copy of a program called Fortress. While you are at it get their HD protector it's called Clean Slate. These are available at http://www.fortresgrand.com/ This will enable you to comletely lock down the ability to open the command prompt, run certain programs, change the colors or or desktop, etc. Clean Slate can return a machine back to a known good state everytime you log out. (Or so it claims i've never had to acually use it.)
    Pros: Simple.
    Cons: Students still don't have their own accounts for saving documents. This sort of security sends a negative message of "I don't trust you with anything."

    A better way but a bit harder:
    Create a domain controller using Windows Server 2003. Buy a beefy server with plenty of HD space. Install Server 2003 (or 2000 if you can find it.) Get a copy of a good Active Directory book. You will also need to buy CALs (Client Access Liscences). Buy a program called adinfintium. (makes managing users a lot easier) Then (using your trusty active directory book) create users and place them in an OU (Organizational Unit) called something like "Students". Learn how to add a "Group Policy" to the students OU. (at this point you can just call OUs folders.) Group policies can do things like set a homepage, lock the background and colorscheme, disable msn messenger, disable certain other programs, etc.
    Pros: A server that acts as domain controller and file server can do more things than I wish to list here.
    Cons: $$$ It's expensive, not just to buy, but to maintain. Alternanly you can do almost as much with a combination of a good linux server and that fortress program for a lot less. You will need to know linux though.

    A note on content filters:
    Since you are at a school you have to comply with COPA (or something like it if you aren't in the US). Schools have the burden of being legally required to maintain a content filter to filter out bad things. What do they mean by bad things??? COPA like laws are all vague, but you have to show you are doing atleast something to prevent kids from vague things that may lead them into vague danger and cause them vague harm. The best way to do this is to to buy a server to act as your firewall and content filter. A compay called Clark Connect makes a great firewall product that updates its content filter automatically. It uses a program called dansguardian on the backend and is intelligent and easy to use.

    Final note:
    The firewall/content filter and domain controller are not traditionally something you use just for one lab. They are usually used for an entire school, or in some cases mutiple schools. This includes staff computers also. Most schools use this type of setup and would highly reccomend it if you can afford the hardware and lisences.

  9. Don't lock them down, let them do it by Allnighterking · · Score: 2, Interesting

    (I won't say install Ubuntu, Kubuntu is much better.) However I'd rather get down to what really works in a situation like this. Don't lock them down. Anything an adult imposes will be viewed as a challenge and "Repressing their inner need to grow" However if they choose a security team, they get involved (even if it's just listening) with the process of locking down the systems, seeing how the bad guys work and what to do about it. Suddenly they are no longer "The schools computers" but their computers. If the students themselves are in charge of the lock down then if and when one of their own walks outside the line they are much more effective at pulling their peers back in line than you can be (except in extreme cases, like theft.) Not to mention the shear volume of knowledge even the slowest learner will acquire during the process. Put that budding script kiddy in a position where his/her reputation as "cool" is on the line ( SK " Oh man that's ripe any fool can hack that" Teacher "OK since you know the hacks, how about showing us the blocks.") Sure they will push back but be sympathetic and understanding saying "That's OK I'm sure you really don't know that much about this anyway." People protect what they own. Give these kids a sense of ownership.

    --

    I'm sorry, I'm to tired to be witty at the moment so this message will have to do.