Securing a High School Windows XP Computer Lab?
An anonymous reader asks: "My SO just inherited a computer lab from a departed teacher who was no security guru. These are Windows XP systems, and security basically consists of a password on the admin account, a subscription to McAfee Security Center, and a free Internet filter. The students have access through a non-passworded 'limited' user account that doesn't seem to limit much. They have been going in and changing settings, downloading games and music, and generally screwing the computers up during class time, in many cases leaving them unusable. As the geek in our house, she has asked me to give her a hand, but while I have dealt with some security issues in the past, it was to protect against remote intruders, not against someone who has to have access to the keyboard. Any suggestions on the best way to lock these systems down?"
First off, the part you'll be authorized to use is almost exactly like Windows. Here's the login screen. Here is the "Start" button. This is your web browser, word processor, etc.
These machines will NOT run most of the applications you have at home. We want it that way.
Set up individual accounts for each student. Anything else is insane as there is no way to discover who did what.
Reimage each machine every night.
Make sure they are on a different subnet from all of the admin computers and that the only path to the admin computers from the labs is down through a router.
Files must be stored on a locked down server. Or students' own USB drives.
Otherwise. Remove all the hard drives. Lock the door and update resume.
If you lock them down, they'll work but you'll have a lot of complaints as people are restricted from using the computers for any purpose you haven't specifically allowed. In a business environment, this is fine: you pay the people to work and they aren't using the computer as a toy. In an educational environment though, you want students to be able to experiment.
What I would do is try to create a network disk image that could be quickly and easily reverted to when the machines inevitably get messed up. Let the students play and learn; a large part of learning is in messing things up and trying to fix them.
All movements for social change begin as missions, evolve into businesses, and end up as rackets.
My 12 year old son can't tell the difference between Windows XP with MS Office 2003 and Linux with XPde and OpenOffice. On a Pentium II 400 MHz system with 256 MB of RAM.
That's what they use at his middle school, and they use both Windows and Linux. When I installed Linux dual-boot on his home PC (P4 3.2 GHz, 512 MB RAM), the only way he knows he's in Linux is that he can't find his games.
Your troll would be interesting, if there was fact behind it.
Another non-functioning site was "uncertainty.microsoft.com."
The purpose of that site was not known.
I disagree.
In the school where I worked, the kids had no problem re-downloading the programs and music every. single. day. I assumed finding and re-downloading the stuff was more fun than listening to the teacher anyway. Plus, most of them started playing flash-games on the game websites as well.
Deep Freeze will keep the OS from being permanently destroyed by student/virus/whatever, but it doesn't make it any less of a distraction in the classroom if it is not further locked down.
You disagree -- That is your opinion. Let me tell you why I believe you are wrong. You use something like Deep Freeze to lock the PC. Then you have a content filter to block the crap the students are doing online that they should not be. Right tool for the job, and all that.
At one particular school I used to do some work for (before moving to a higher paying job), I set up a Linux (Gentoo, in case it matters) server that did Samba, iptables, squid/squidguard, etc. When teachers would catch their students doing things they ought not to be, the web site was written down, passed to me, then blocked. I would sit and look at the access log to see if the students were looking at game sites (of the games.yahoo.com type) and block them. When I got wind of this stupidcensorship.org crap, I joined that mailing list (under multiple email addresses) and started blocking THOSE. The faculty/administration of that school *loved* that they were in control; not the students and not some company with the blocking database. They loved that the software didn't cost them a dime so they were able to pump more money into better back-end hardware.
They didn't believe in locking the machines down with Deep Freeze (or didn't want to spend the money -- one of the two), but fortunately for them with how much I had things locked down, the students really haven't been able to damage the machines (as far as software goes). No, they've resorted to damaging hardware (resulting in suspension/expulsion). That is beyond what any ITS individual can prevent.
bork bork bork!
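The access-log review described in the comment above can be scripted; this is an added example, not part of the original thread or any poster's setup. It assumes Squid's native access.log field order, and the sample log lines, hostnames, addresses and the function names are all constructed for illustration.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log format:
# time elapsed client result/status bytes method URL ident hierarchy type
SAMPLE_LOG = """\
1157689312.049 5006 10.0.5.21 TCP_MISS/200 19763 GET http://games.example.com/play/tetris - DIRECT/192.0.2.10 text/html
1157689320.410 812 10.0.5.22 TCP_MISS/200 20411 GET http://games.example.com/play/pong - DIRECT/192.0.2.10 text/html
1157689321.002 3 10.0.5.21 TCP_HIT/200 2210 GET http://games.example.com/img/logo.gif - NONE/- image/gif
1157689330.555 140 10.0.5.23 TCP_MISS/200 9120 GET http://www.school.example.org/homework.html - DIRECT/192.0.2.20 text/html
1157689341.100 120 10.0.5.22 TCP_MISS/200 4512 CONNECT proxy.example.net:443 - DIRECT/192.0.2.30 -
1157689350.730 95 10.0.5.24 TCP_MISS/200 3980 CONNECT proxy.example.net:443 - DIRECT/192.0.2.30 -
1157689355.012 1 10.0.5.24 TCP_DENIED/403 1420 GET http://music.example.com/ - NONE/- text/html
1157689360.480 60 10.0.5.24 TCP_MISS/200 880 GET http://cdn.music.example.com/a.mp3 - DIRECT/192.0.2.40 audio/mpeg
truncated line
"""

def host_of(method, url):
    """Return the lowercase hostname for a logged request."""
    if method == "CONNECT":              # CONNECT logs host:port, not a URL
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def is_blocked(host, blocked):
    """True if the host or any parent domain is already on the blocklist."""
    parts = host.split(".")
    return any(".".join(parts[i:]) in blocked for i in range(len(parts)))

def review_candidates(log_text, blocked, min_hits=2):
    """Rank hosts that were served (not denied) and are not yet blocked."""
    hits = Counter()
    clients = defaultdict(set)
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 7:
            continue                      # skip truncated or malformed lines
        client, result, method, url = f[2], f[3], f[5], f[6]
        if result.startswith("TCP_DENIED"):
            continue                      # the proxy already refused this one
        host = host_of(method, url)
        if not host or is_blocked(host, blocked):
            continue
        hits[host] += 1
        clients[host].add(client)
    return [(h, n, sorted(clients[h])) for h, n in hits.most_common() if n >= min_hits]

if __name__ == "__main__":
    for host, n, who in review_candidates(SAMPLE_LOG, {"music.example.com"}):
        print(f"{n:4d}  {host}  clients={','.join(who)}")
```

The output is a review list for a person to check before adding entries to the blocklist; the client addresses only identify a student if each one has an individual login or a fixed seat.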