Slashdot Mirror


Securing a High School Windows XP Computer Lab?

An anonymous reader asks: "My SO just inherited a computer lab from a departed teacher who was no security guru. These are Windows XP systems, and security basically consists of a password on the admin account, a subscription to McAfee Security Center, and a free Internet filter. The students have access through a non-passworded 'limited' user account that doesn't seem to limit much. They have been going in and changing settings, downloading games and music, and generally screwing the computers up during class time, in many cases leaving them unusable. As the geek in our house, she has asked me to give her a hand, but while I have dealt with some security issues in the past, it was to protect against remote intruders, not against someone who has to have access to the keyboard. Any suggestions on the best way to lock these systems down?"

62 of 533 comments

  1. Come on, did you really have to ask Slashdot? by pdpTrojan · · Score: 3, Insightful

    95% of the answers given here are going to be smartasses telling you to install Ubuntu.

    1. Re:Come on, did you really have to ask Slashdot? by HoosierPeschke · · Score: 4, Funny

      Nah, try gentoo. It'll be really secure then.

      --
      Mr. Universe: "They can't stop the signal, Mal. They can never stop the signal."
    2. Re:Come on, did you really have to ask Slashdot? by Ziwcam · · Score: 5, Informative
      I'd recommend Deep Freeze from Faronics. I've seen machines it's running on take all kinds of abuse, and after restart they're like new. I have not seen the Windows version, but the Mac version seems to run pretty well.

      I'm not affiliated with Faronics in any way.

    3. Re:Come on, did you really have to ask Slashdot? by Armando_Mcgillicutty · · Score: 2, Informative

      How have you seen it broken? None of our students have figured it out yet. (The old version maybe; it had a bug that allowed you to change the date/time or some such thing and it broke.) The new versions, I've yet to see broken. (Provided the CMOS is locked, and the student isn't opening up the computer to reset it so they can boot from a CD/floppy/USB drive.) And any teacher that doesn't notice a student removing the cover from a computer needs to pay more attention. And I agree, it runs very well on any modern (6 years old or newer) machine that we have. I can't imagine what a hassle my job would be without it.

    4. Re:Come on, did you really have to ask Slashdot? by drinkypoo · · Score: 2, Informative
      Actually it's not too hard. I knew a guy who wanted more RAM to run his huge (read: inefficient) Computer Science project, so he shut down his computer and the ones next to him

      You're stupid. That's not an example of someone breaking Deep Freeze; that's an example of someone dealing with the hardware. That will not help them do anything unauthorized to the software.

      And, in any case, that problem can be solved through the use of a lock.

      At my former employer, Yuba College, in labs in which they need deep freeze they use it; labs which lack supervision also use locks. Sure, you could cut the lock's cable, but it would take you a little while. Deep Freeze works excellently. Who cares if they alter the OS? It gets restored to factory at the end of the day.

      Anyway, back on topic, you could also just go ahead and use ghost or what have you and reload the systems from images at the end of the day... but I'd use deep freeze.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    5. Re:Come on, did you really have to ask Slashdot? by tke248 · · Score: 2, Informative
      I noticed someone else recommended Deep Freeze, but if you work for a school system you probably don't have any money to accomplish this, so you may want to try the free Microsoft Shared Computer Toolkit.

      Documentation: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sct/default.mspx

      Download: http://www.microsoft.com/windowsxp/sharedaccess/default.mspx

  2. Easy solution by brucmack · · Score: 4, Funny

    Lock the door.

    1. Re:Easy solution by PastAustin · · Score: 3, Funny

      I was going to go with remove the keyboards. The only way to secure a Windows PC is have someone constantly watch over them. Novell has some good deals for schools.

      --
      Firefox 2.0 - Spell Rightly.
  3. Check out the microsoft shared computer toolkit by Aarondeep · · Score: 5, Informative

    http://www.microsoft.com/windowsxp/sharedaccess/default.mspx
    is a good place to start for newbies. Or if these are XP Pro machines you can use gpedit.msc (Start -> Run -> gpedit.msc).

    If these are XP Home machines try this: http://www.dougknox.com/xp/tips/xp_home_sectab.htm

    1. Re:Check out the microsoft shared computer toolkit by Deathlizard · · Score: 4, Informative

      I'll second this. We use a domain to set user permissions, but it would work without a domain using gpedit.msc.

      Basically, make an admin account (call it "school user", for example) and password-protect it. Install everything using that account, secure it using gpedit.msc, remove CREATOR OWNER permissions on the C:\, C:\Program Files, C:\Windows and C:\Windows\system32 folders, then log out.

      From there, log into Administrator (the real one) and copy the "school user" profile into the Default User profile using the User Profiles settings found in System Properties, giving "Everyone" access when you copy the profile; then change the permissions manually on the "Default User" profile so that Everyone cannot write to it. Then make a third user account. Use compmgmt.msc to make that account a member of the Guests and Users groups. (Make sure that guest accounts' profiles will be deleted once they log out. It's in gpedit.msc somewhere.) Optionally hide both Administrator and "school user", and log out of Administrator.

      Log into the third account and test everything. If done correctly it should not allow you to install anything, or write anywhere except the third user's profile. Once you log out it should delete the profile (sometimes it doesn't, for some reason; this helps with that a lot) and the settings should be safe.

      Of course I'm assuming XP Pro. I'm pretty sure XP Home doesn't have these utils available.
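      The account and ACL steps above as a script. This is an added example, not code from the post: it assumes XP Pro with Windows PowerShell 2.0 installed and an Administrator session, and the account names schooluser and student are placeholders. PowerShell 2.0 has no local-account cmdlets, so the XP-era net.exe and cacls.exe do the work. Apply-LabLockdown is the setup half; Test-WriteBlocked is the "log into the third account and test everything" half and is meant to be run from the student session. The profile-copy step is a GUI operation and is not scripted here.

```powershell
# Added example (not from the original post). Assumes Windows XP Pro with
# PowerShell 2.0, run from an Administrator session. Account names are
# placeholders; change them to suit.
$LabAdmin = 'schooluser'   # the "school user" admin account from the post
$Student  = 'student'      # the third, Guests-group account students log in with

# Directories whose CREATOR OWNER entry is removed, so a student who manages
# to create a file there does not automatically own (and control) it.
$ProtectedDirs = @('C:\', 'C:\Program Files', 'C:\Windows', 'C:\Windows\system32')

function Invoke-Native {
    # Run an XP command-line tool and stop on failure.
    param([string]$Command, [string[]]$Arguments)
    & $Command @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "$Command $($Arguments -join ' ') failed ($LASTEXITCODE)" }
}

function Apply-LabLockdown {
    param([string]$AdminPassword)

    # 1. Password-protected admin account used for installs.
    Invoke-Native 'net' @('user', $LabAdmin, $AdminPassword, '/add', '/passwordchg:no')
    Invoke-Native 'net' @('localgroup', 'Administrators', $LabAdmin, '/add')

    # 2. Strip CREATOR OWNER from the system directories. cacls /E edits the
    #    existing ACL instead of replacing it; /R removes the named principal.
    foreach ($dir in $ProtectedDirs) {
        Invoke-Native 'cacls' @($dir, '/E', '/R', 'CREATOR OWNER')
    }

    # 3. Student account with a blank password, member of Guests as well as
    #    Users. XP discards the profile of a Guests-group member at logoff,
    #    which is the "profile is deleted when they log out" behaviour.
    Invoke-Native 'net' @('user', $Student, '/add', '/passwordchg:no', '/passwordreq:no')
    Invoke-Native 'net' @('localgroup', 'Guests', $Student, '/add')

    # 4. Hide the admin accounts from the Welcome screen via the XP
    #    SpecialAccounts\UserList key (value 0 = hidden).
    $userList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
    if (-not (Test-Path $userList)) { New-Item -Path $userList -Force | Out-Null }
    foreach ($hidden in @('Administrator', $LabAdmin)) {
        Set-ItemProperty -Path $userList -Name $hidden -Value 0 -Type DWord
    }
}

function Test-WriteBlocked {
    # Run from the student session. Returns a hashtable: path -> $true if the
    # write was refused (good), $false if a probe file could be created.
    param([string[]]$Paths = $ProtectedDirs)
    $result = @{}
    foreach ($p in $Paths) {
        $probe = Join-Path $p ('lockdown-probe-' + [Guid]::NewGuid().ToString('N') + '.tmp')
        try {
            [IO.File]::WriteAllText($probe, 'probe')
            Remove-Item -LiteralPath $probe -Force
            $result[$p] = $false      # write succeeded: lockdown incomplete
        } catch {
            $result[$p] = $true       # access denied, as intended
        }
    }
    return $result
}

# Usage (admin session):   Apply-LabLockdown -AdminPassword (Read-Host 'schooluser password')
# Usage (student session): Test-WriteBlocked | Format-Table -AutoSize
```

      If Test-WriteBlocked reports $false for any directory, an inherited or explicit ACE is still granting write access there; cacls /T on that directory (or looking at the security tab) shows which one.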

    2. Re:Check out the microsoft shared computer toolkit by WasteOfAmmo · · Score: 2, Informative

      One note on copying profiles: when you use the copy profile feature it does not copy the "Local Settings" folder in the source profile. Now this makes sense from a theoretical point of view (Local Settings should only contain information pertaining to the current user), but unfortunately there are a number of programs that happily install configuration settings into the Local Settings folder of the profile you use during installation. This means that if you do not manually copy the "Local Settings" folder over, some of your programs will not work (I have a list around here somewhere but I'm too lazy to look it up right now).

    3. Re:Check out the microsoft shared computer toolkit by Blastrogath · · Score: 2, Informative

      Get a Linux boot CD and use "dd if='windows drive' | gzip > foo.gz" to copy the install to a remote disk, then. The disk image is handy to have anyway; you never know when you'll need to re-install. Some Windows XP installs will even fit on a bootable DVD-ROM with a small Linux so you can include an automatic install script.

      --
      "The price good men pay for indifference to public affairs is to be ruled by evil men." -Plato
  4. Virtual Machines by clintp · · Score: 4, Insightful

    Set up the machines to run in a VM environment. When the host OS boots and logs in, make a copy of the VM and run that. When they exit, destroy it.

    --
    Get off my lawn.
  5. Lock down the user accounts by William_Lee · · Score: 4, Insightful

    The easiest thing to do is to lock down the user account that the students use. It is unacceptable from a security standpoint to allow them access to more than being able to run simple preinstalled apps like Firefox, MS Office, etc. It sounds like you're not running on a domain, based on the fact that it is a simple 'limited' account. I'm not really in a position to go into the details of XP security in a quick reply, but it is possible to lock down a user account very tightly in XP on a domain. In a corporate environment, users typically can't even install things like print drivers without admin rights.

    1. Re:Lock down the user accounts by Tim+C · · Score: 2, Informative

      In a corporate environment, users typically can't even install things like print drivers without admin rights.

      The last time I got a new PC at work was the first time it was sourced via a particular department of our corporate owners. It arrived set up such that local admin accounts couldn't even change the desktop background.

      Of course, as we've never been properly integrated into the company as a whole, we're not part of the corporate Active Directory structure, so 5 minutes googling and 30 seconds of gpedit.msc fixed that. However, the point is that it is indeed possible to lock an XP machine up tight if you know what you're doing and have the infrastructure to support it.

    2. Re:Lock down the user accounts by nine-times · · Score: 3, Insightful

      You don't even have to go very far with this: just give them "user" accounts. Windows comes with three main user groups built-in: administrators, power users, users. Unless someone has messed things up, "users" shouldn't be able to install things or mess with the actual system.

      Now, the other part of this (and this is important) is that you have to find a way to restrict students' access to the physical machines as much as possible. The ideal would be to put the actual machine in a locking cabinet or something (with some amount of air-flow so they don't overheat). If you really want to keep the computers secure, you don't want those kids getting access to so much as a CD-ROM drive or USB port. Really, a simple lock-down will keep most kids out of trouble, but you never know when some kid is going to figure out how to reset your Windows admin password with a Linux live CD.

  6. Sure. by khasim · · Score: 4, Interesting

    First off, the part you'll be authorized to use is almost exactly like Windows. Here's the login screen. Here is the "Start" button. This is your web browser, word processor, etc.

    These machines will NOT run most of the applications you have at home. We want it that way.

    1. Re:Sure. by devnull17 · · Score: 2

      Maybe. But someone's going to have to add user accounts and install software, and fix things when they break. It's not the users I'm concerned about, but rather the admins. It sounds like this school doesn't have an IT department, and I've found that foisting new technologies on people is not a good thing to do unless you're personally willing to support them when things go wrong. And if you're not going to do it, who else can they call?

  7. deep freeze by hustlebird · · Score: 5, Informative

    http://www.faronics.com/ has a program called Deep Freeze. It's not free, but after implementing it in several of our public labs it cut down just about all the troubles. Just reboot and the thing is exactly how it was when you froze it.
    Please note I'm not associated with Faronics or Deep Freeze in any way; I just found the program useful and thought it might help you out.

    1. Re:deep freeze by DocBoss · · Score: 2, Informative

      Deep Freeze is truly the way to go. It is the single best program for a situation like this.

      --
      "They said we drink horse urine and sleep with our own kin. You say it's comedy, but how can someone laugh at that?"
    2. Re:deep freeze by Anonymous Coward · · Score: 3, Informative

      Apple uses the Mac version of Deep Freeze on all Apple Store front-of-house demo machines, if you want a corporate pedigree.

    3. Re:deep freeze by Anonymous Coward · · Score: 2, Informative

      My school had Deep Freeze. My problem with it (as a student who knew what he was doing) was that the pre-installed software was lame. I didn't want to have to install Firefox every class... so I found a little program called Deep Unfreezer. http://usuarios.arnet.com.ar/fliamarconato/pages/edeepunfreezer.html

      it can:
      freeze
      unfreeze
      freeze after x reboots.

      Needless to say, my computer had Mozilla and Winamp on it. Jealousy ensued.
      Just pointing out that Deep Freeze isn't flawless either.

    4. Re:deep freeze by michrech · · Score: 3, Interesting

      I disagree.
      In the school where I worked, the kids had no problem re-downloading the programs and music every. single. day. I assumed finding and re-downloading the stuff was more fun than listening to the teacher anyway. Plus, most of them started playing Flash games on the game websites as well.

      Deep-freeze will keep the OS from being permanently destroyed by student/virus/whatever, but it doesn't make it any less of a distraction in the classroom if it is not further locked down.


      You disagree -- that is your opinion. Let me tell you why I believe you are wrong. You use something like Deep Freeze to lock the PC. Then you have a content filter to block the crap the students are doing online that they should not be. Right tool for the job, and all that.

      At one particular school I used to do some work for (before moving to a higher paying job), I set up a Linux (Gentoo, in case it matters) server that did Samba, iptables, squid/squidGuard, etc. When teachers would catch their students doing things they ought not to, the web site was written down, passed to me, then blocked. I would sit and look at the access log to see if the students were looking at game sites (of the games.yahoo.com type) and block them. When I got wind of this stupidcensorship.org crap, I joined that mailing list (under multiple email addresses) and started blocking THOSE. The faculty/administration of that school *loved* that they were in control; not the students and not some company with the blocking database. They loved that the software didn't cost them a dime, so they were able to pump more money into better back-end hardware.

      They didn't believe in locking the machines down with Deep Freeze (or didn't want to spend the money -- one of the two), but fortunately for them, with how much I had things locked down, the students really haven't been able to damage the machines (as far as software goes). No, they've resorted to damaging hardware (resulting in suspension/expulsion). That is beyond what any ITS individual can prevent.

      --
      bork bork bork!
  8. Install Linux by Fireflymantis · · Score: 2, Insightful

    No, really. Drop on something easy to use like Ubuntu, set up a single, very limited user account, and have the students log in to a fileshare that requires login. Have a link on the desktop that asks for username and password and uses sshfs if you want simplicity.

  9. Backup Software by 99BottlesOfBeerInMyF · · Score: 3, Insightful

    You're going to hear a lot of "install Linux" comments and a lot of "linux sucks" comments in reply to them. I'm not going to go there. Assuming you're looking for some minimal security, not a whole architecture revamp, look into some good backup software, make a clean install image with everything you want on it, add a network storage server (Linux?) for persistent data, and just periodically wipe the machines and replace them with a known good image. Keep the image up to date, virus scan the network storage, and you're probably going to be fine.

  10. XP security by maxwells_deamon · · Score: 3, Interesting

    Setup individual accounts for each student. Anything else is insane as there is no way to discover who did what.

    reimage each machine every night.

    Make sure they are on a different subnet from all of the admin computers and that the only path to the admin computers from the labs is down through a router.

    Files must be stored on a locked-down server, or on students' own USB drives.

    Otherwise. Remove all the hard drives. Lock the door and update resume.

  11. Security by Nimey · · Score: 3, Funny
    --
    Hail Eris, full of mischief...

    E pluribus sanguinem
  12. One word: Don't by PaxTech · · Score: 4, Interesting

    If you lock them down, they'll work but you'll have a lot of complaints as people are restricted from using the computers for any purpose you haven't specifically allowed. In a business environment, this is fine, you pay the people to work and they aren't using the computer as a toy. In an educational environment though, you want students to be able to experiment.

    What I would do is try to create a network disk image that could be quickly and easily reverted to when the machines inevitably get messed up. Let the students play and learn, a large part of learning is in messing things up and trying to fix them.

    --
    All movements for social change begin as missions, evolve into businesses, and end up as rackets.
    1. Re:One word: Don't by SpottedKuh · · Score: 2, Funny
      as someone who used to activly help in un-securing school computers to do what i wanted. i have to agree with the dont bother comment becuase its much more trouble than its worth make and image and push it out over the network that what they did at my school.

      I think what you're trying to say is...that you screwed around with school computers during English class?

  13. Get a domain controller and follow these policies by jmauro · · Score: 3, Informative

    Get a system to be a domain controller. Lock that DC far away from everything else. Reformat the machines and configure them according to this: http://www.nsa.gov/snac/downloads_winxp.cfm?MenuID=scg10.3.1.1. It'll pretty much prevent any silly things with the keyboards. Also disable the local admin accounts after the machines join the domain, and don't give anyone the domain admin password or privileges except those who need it.

    This is the only way I've found to keep people from messing up Windows Machines.

  14. Obligatory Star Wars Quote by Anonymous Coward · · Score: 5, Funny

    ...and pray that they don't have blasters.

    1. Re:Obligatory Star Wars Quote by swganle · · Score: 2, Informative

      Sorry for being obsessive, but it's "and hope they don't have blasters."

  15. Shared Computer Toolkit WDP by internetstruck · · Score: 3, Informative

    It's free, and designed for XP and schools and libraries. It's pretty easy to install and configure too, if you know how to repartition your drive using Partition Magic. I use it, so reply if you want hints on getting it to work. You need WPA, and Hive cleanup service installed for it to go. It lets AV programs update, and Grisoft gave me a script to make it work with the SCT Windows Desktop Protection. Just reboot, and changes are gone, unless you save them first. Have the computers update overnight, because it doesn't work when people need to use the computer.

  16. Deep Freeze by Anonymous Coward · · Score: 2, Informative

    As a network admin I am in charge of 3 Windows labs (high schools) and 35 Mac OS X labs; amazingly, I used to have to spend more time working on the 3 Windows labs than the 35 Mac labs put together. I encouraged my department to purchase Deep Freeze and have not had to re-image a machine (other than yearly maintenance) since. I don't usually promote products, but Deep Freeze really is an amazing piece of work; it was simple to install and configure, and any change that a student makes to the computer gets reset back to the defaults on the next reboot. It's amazing that in June the machine is exactly the same (except for updates) as the machine was in September. With the proper settings you can configure Deep Freeze to boot in thawed mode (meaning changes will stay) with the keyboard and mouse disabled, run anti-virus and Windows updates, then refreeze; we have this set to happen at 2am twice a week. I can remotely thaw or freeze computers from my desk across town. All in all, even though the software is not cheap, it has paid for itself multiple times in saved labour and hassle.

  17. Deep Freeze a great solution by ironwill96 · · Score: 5, Informative

    A good solution if you are concerned about generally maintaining the same exact image consistently when people use the machine is to utilize Deep Freeze. In our IT Department at a medium-size University (10,000 students) we use Deep Freeze extensively to keep students from ruining lab computers. Deep Freeze is, as others have mentioned, a virtual partition system. Each time you reboot the machine, the original image you had is restored and any changes wiped (only files kept in the "Thawspace" are maintained; all others are lost). This means that no matter what your students do, the machine will be restored on bootup.

    Now, if you want to further limit what they can do, you can make many changes to the registry in windows to block users from doing many things such as using the "run" menu, installing applications or a number of other things as simple as changing screen resolution or color depth. Once you set everything up and create the image of your restricted setup, Deep Freeze will maintain it every time for you.

    You can get Deep Freeze from here: http://www.faronics.com/ or look there to find out more information about how it works.

    We have tried other products in the past that claimed to "restrict" Windows such that users could not make harmful changes (e.g. OnGuard), but none of the ones we utilized were able to be fool-proof and stop students from getting around it or messing something up. Short of reformatting the machine, Deep Freeze is pretty hard for the student to get around. Thawing the machine to make changes requires a lengthy key combination to even bring up the password box (the key combination is customizable by you), or you can enter a key combination on bootup to access the password box to thaw the machine. You can also maintain the systems through a Deep Freeze console so you can admin all the machines at once and even push new images to them that way.

    That's my three cents on how we do things in an academic environment, but our general policy has been slight restrictions but allow them a lot of free rein, except we reset the system every time it is rebooted. I'd suggest for middle and high school to implement a lot more restrictions on the base image that you use with Deep Freeze than what we have here at the University level.

    --
    "To strive, to seek, to find, and not to yield." - Tennyson
  18. It can't be done anyway. by mrchaotica · · Score: 5, Insightful

    No matter what you do, sufficiently motivated students will hack their way around it. At least, that was my experience in high school. It doesn't even matter if you try stuff like BIOS passwords, etc. -- the students have physical access to the machines, or at least can con the teachers into getting it (e.g. in order to fix a problem, unless you've got a much less understaffed IT department than my school had).

    So what's the solution? Give up, and let them do it. Re-image the machines if they get screwed up, discipline the students if they do something unacceptable (e.g. download porn, etc.), and don't waste your time bothering with anything else.

    --

    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    1. Re:It can't be done anyway. by Geoffreyerffoeg · · Score: 2, Informative

      So what's the solution? Give up, and let them do it.

      My experience is that the sufficiently motivated students (me and a few others) didn't actually want to play games or anything...so one answer is to allow only the sufficiently motivated students to get past it (not explicitly open it) but threaten them with discipline if they tell others.

      And yes, any machine with physical access is inherently insecure. That isn't necessarily a bad thing, if you plan your security model around that. MIT gives out the root passwords for its public machines, for instance, but you can only become root through su-ing from a normal account - and su is logged. (And root doesn't have read access to other user's networked home directories, of course.)

  19. Not made for XP home by maddogsparky · · Score: 2, Informative

    Have you tried the above link on an XP home machine? The MS website says it is for Win NT and Win 2K.

    --
    science is a religion
  20. Well, speaking from experience... by MostAwesomeDude · · Score: 3, Insightful

    From experience, here's what you need to do.

    First, lock down all accounts. Some people mentioned Deep Freeze, some people mentioned group policy. My old school used Active Directory with group policies, so yearbook students and teachers could save files to the central server.

    Take away the Task Manager, right-click, and Internet Explorer. Those are the most common amateur attack vectors. I'm at Oregon State University, and have had no problems compromising the "locked" computers here simply because they left me with Internet Explorer. Replace it with Firefox, and read the Firefox docs on how to lock down the browser settings.

    Tell teachers to supervise kids in computer labs. There was one lab at my old school which kids stole drives, memory, and fans from all the time simply because the teacher in that lab was incapable of monitoring his students. It was bemusing but also expensive.

    --
    ~ C.
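    The "registry changes to block the Run menu, installs and display settings" that ironwill96 mentions, and the Task Manager and right-click removal above, written out as a script. This is an added example and not code from either post. It assumes XP Pro, PowerShell 2.0, an Administrator session and the default profile location below; the values are the per-user policy entries that gpedit.msc writes for those settings. Instead of setting them in a live profile and copying it, the script loads the Default User hive with reg.exe, writes the values there and unloads it, so every profile created afterwards (including the rebuilt profile of a Guests-group account) starts restricted. Replacing Internet Explorer is a package install and is not covered.

```powershell
# Added example (not from the original posts). Assumes XP Pro, PowerShell 2.0,
# an Administrator session and the default profile path below.
$DefaultUserHive = 'C:\Documents and Settings\Default User\NTUSER.DAT'
$MountKey        = 'HKU\LabDefault'     # temporary name the hive is loaded under

# Per-user policy values (REG_DWORD 1 = restricted) and what each one does.
$UserPolicies = @(
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun';                Why = 'remove Start > Run' },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoViewContextMenu';    Why = 'no right-click menus in Explorer or on the desktop' },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoControlPanel';       Why = 'hide Control Panel' },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       Why = 'block Task Manager' },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Why = 'block regedit' },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'NoDispCPL';            Why = 'block Display properties (resolution, colour depth)' }
)

function Invoke-Reg {
    # Run reg.exe and stop on failure.
    param([string[]]$Arguments)
    & reg.exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe $($Arguments -join ' ') failed ($LASTEXITCODE)" }
}

function Set-DefaultUserPolicies {
    # Load the Default User hive, write the restrictions, unload it.
    param([string]$Hive = $DefaultUserHive, [string]$Mount = $MountKey)
    Invoke-Reg @('load', $Mount, $Hive)
    try {
        foreach ($p in $UserPolicies) {
            Invoke-Reg @('add', "$Mount\$($p.Key)", '/v', $p.Name, '/t', 'REG_DWORD', '/d', '1', '/f')
        }
    } finally {
        [GC]::Collect()                 # drop any lingering handle before unloading
        Invoke-Reg @('unload', $Mount)
    }
}

function Set-MachinePolicies {
    # Machine-wide: Windows Installer refuses unmanaged installs (DisableMSI=1),
    # which closes the "download a setup.exe and run it" route for non-admins.
    $installer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    if (-not (Test-Path $installer)) { New-Item -Path $installer -Force | Out-Null }
    Set-ItemProperty -Path $installer -Name 'DisableMSI' -Value 1 -Type DWord
}

function Get-PolicyReport {
    # Run as the student account after a fresh logon: reads the live HKCU hive
    # and returns name -> $true where the restriction actually arrived.
    $report = @{}
    foreach ($p in $UserPolicies) {
        $path  = "HKCU:\$($p.Key)"
        $value = $null
        if (Test-Path $path) { $value = (Get-ItemProperty -Path $path).$($p.Name) }
        $report[$p.Name] = ($value -eq 1)
    }
    return $report
}

# Usage (admin):   Set-DefaultUserPolicies; Set-MachinePolicies
# Usage (student): Get-PolicyReport | Format-Table -AutoSize
```

    Any profile that already exists on the machine is not touched by the hive edit; delete the old student profile (or rely on the Guests-group deletion at logoff) so the next logon is built from the updated Default User.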
  21. Re:An Idea... by Anonymous+Freak · · Score: 2, Interesting
    My son's middle school runs their computers on Linux with XPde and OpenOffice.

    It's so convincing, it even took me a few seconds to realize that it wasn't XP. (When I looked at the Start menu and saw an X instead of a Windows logo. Everything else on screen would have been 100% 'at home' on a true Windows computer.)

    --
    Another non-functioning site was "uncertainty.microsoft.com."
    The purpose of that site was not known.
  22. Get some hackers by Anonymous Coward · · Score: 2, Insightful

    Between 1990 and 1996 I had a high school computer lab. It was a time when the school's computers were better than what most of the kids had at home. Thus there were lots of kids who wanted to stay after school to play with the school's machines. The deal was simple: You can do anything you want with the school's computer as long as it is available for use the next morning. It worked well. Other than hardware problems, I had approximately 100% up time. We never had a machine go down due to a virus. I also learned a lot about security for Win 3.1 and Win 95. Everyone benefitted.

    The college where I work now uses Deep Freeze. I agree with several other posters: it's good. Before we got it, we had at least a couple of times when the school's entire network was down for days because of a virus. Since we got it there have been zero such problems.

  23. Re:An Idea... by Anonymous+Freak · · Score: 3, Interesting

    My 12 year old son can't tell the difference between Windows XP with MS Office 2003 and Linux with XPde and OpenOffice. On a Pentium II 400 MHz system with 256 MB of RAM.

    That's what they use at his middle school, and they use both Windows and Linux. When I installed Linux dual-boot on his home PC (P4 3.2 GHz, 512 MB RAM,) the only way he knows he's in Linux is that he can't find his games.

    Your troll would be interesting, if there was fact behind it.

    --
    Another non-functioning site was "uncertainty.microsoft.com."
    The purpose of that site was not known.
  24. Re:An Idea... by An+Onerous+Coward · · Score: 4, Insightful

    I disagree. While Linux shouldn't even be brought up in the context of securing a Windows XP lab (except maybe to serve network resources and authentication), using a Linux desktop is only going to help high school students learn computer skills.

    Basic web usage is portable to Internet Explorer (and even more so to Firefox on Windows). Basic word processing skills can be easily transferred from OpenOffice to MS Office. Basic fragging skills are transferable from Quake 3 to Half-Life (c'mon, these are high school students).

    More important, learning to accomplish the same task using more than one application can really help cement in the kids' minds that they're not learning "how computers work," but "how this particular application works." Which is very important for a real understanding of computers. Where differences exist, they open up opportunities for learning. What is a file format? How can multiple programs handle the same data, and why do they sometimes do it slightly differently? What are web standards?

    Couple that with the number of programming languages freely available to educational institutions under the apt-get license, and it seems to me that there is definitely a place for Linux in the classroom.

    --

    You want the truthiness? You can't handle the truthiness!

  25. Lock it down hard by Shawn+is+an+Asshole · · Score: 3, Informative
    Dealing with destructive high school students is one of the things I have to do. Here are a few things to keep in mind.

    • Use a domain.
    • Put all desktop and menu items in the netlogon/All Users folder.
    • After creating the user's profile and copying it to the server, rename ntuser.dat to ntuser.man (means mandatory). Set Samba to disallow write access. This will prevent them from writing changes back to the server.
    • Use the administrative templates to lock down everything that can possibly be locked down. If you don't, some bastard will change it and you'll have to fix it. This can be scripted.
    • Make use of whatever lockdown features are available in your software. Believe me, you'll need it.
    • Install the Shared Computer Toolkit. It provides many additional lockdown features. The annoying thing about it, though, is that it requires the computer to be "validated", not just activated. Make use of its "Disk Protection" feature.
    • Disable access to everything you possibly can, except what's needed.
    • Use optical mice. Keep many extras. Expect buttons to be torn off. Expect mice to be regularly stolen, so use cheap ones. Also expect paper or other garbage to be jammed into the sensor. That also applies to floppy drives and cdrom drives.
    • Keep many extra keyboards. Be prepared to spend time every week putting the keys back in the correct order. Keys will also be stolen.


    Most of the students won't try to break things, but a few assholes will, so you have to make sure they can do the least amount of damage possible. Unless, of course, you feel like cleaning things up daily.

    You could also get an Active Directory domain and push the restrictions that way. I prefer to script it since I prefer to have my servers run Linux.
    --
    "It ain't a war against drugs.it's a war against personal freedom" --Bill Hicks
  26. Comment removed by account_deleted · · Score: 5, Insightful

    Comment removed based on user account deletion

  27. two suggestions by DaveJay · · Score: 2, Interesting

    First: get a router for all the computers to pass through, with a web site whitelist (like the cheap and widely available DLink 808HV or 404HV); tell students that if they want to access a site that's blocked, they have to ask permission for it to be unblocked. Over time, useful sites will fill the whitelist.

    Second: install VNC as a service on all the machines, with a good password, and configured to not allow keyboard/mouse control. Then switch all students to non-administrator access so they can't turn it off (stop the service) or uninstall it. Finally, announce to each and every class that you have the capability to watch any desktop at any time remotely, and will basically be scanning through every desktop in the room regularly and punishing everyone caught doing stuff they shouldn't. Then DO IT, until the message sinks in that you're serious.

    Third: over time, do consider switching to a more secure OS, provided it can support what you're trying to accomplish in the lab.

  28. Re:An Idea... by urbanriot · · Score: 3, Informative

    It's unfortunate you were moderated down as troll, when most of the people posting to this topic have been trolling and straying from the original topic. I'm willing to bet a lot of the people who didn't read "these are windows XP systems" and are going on about linux have never configured and maintained a large homogeneous or native Windows network, or at least had the knowledge, experience or intelligence to properly configure and lock down a Windows based network. I hope the OP is at least running all these kids in plain "user" mode, as opposed to administrator or power user. Plain user mode would prevent a large number of trojans and malware from being installed (as well as regular programs) but give them enough functionality to browse the web. Whoever suggested the ghost or imaging idea was also on the right track - a client high school I work with has a morning reimage from a master system sent down every evening completely undoing any damage done the previous day. A RIS schedule could also be implemented, assuming you have network cards with boot code. This is really unnecessary though, if you spend enough time learning how to effectively secure Windows. The OP neglected to mention if these computers were part of a domain - if so, GPOs would also make locking down these systems a little easier.

  29. 4 years IT support for Public Schools by Dewser · · Score: 3, Insightful

    Evil little bastards will steal anything that isn't (and sometimes is) fastened down. So make sure you get those PCs locked down physically. Keep this in mind: out of sight, out of mind. If they don't see it, they won't try and break it. I came across a Dell tower one day while wandering the high school and found that someone had punched a hole through the empty bays as well as poked out the PCI slot covers in the back. They managed to swipe the CD-ROM, memory and processor. The dumb-ass teacher didn't even think to report this to us. And it's not like the system was hidden under the desk; it was right on the counter in the front of the classroom. Another kid brought in a duffel bag and bolt cutters. He actually made it to the parking lot before security caught him. Oh, did I mention he got this thing unsecured and in the bag during class?

    Anyway, as far as locking the system down, if you own Windows 2000/2003 Server, Active Directory is the easiest and cheapest way to go. It will take some tweaking but it works pretty well. I also found striking the fear of god into the kids was equally effective. ;-)

    And the guy who posted about the stock of mice and keyboards, he is also right on! They run through that equipment like water! So you strike a good deal with a vendor and buy those things in bulk. We got the keyboards down to like 7 bucks ea. and the mice about 3-4 bucks each.

    --
    Dewser - all around techy "In the immortal words of Socrates - 'I drank what?'"
  30. Group policies are your friend by raistphrk · · Score: 5, Informative

    I administered a computer network at a high school for three years, so I can toss out a few suggestions:

    VLAN your network. If you have Cisco switches, this should be easy. Set up separate VLANs for students, the staff, and servers. You'll be able to isolate what resources can be accessed based upon these access lists.

    SET UP A PROXY SERVER! Seriously. One of the first systems you should implement is ISA Server 2006. ISA Server will act as an internal proxy to control what users have access to the Internet, and what resources they can access. Set ACLs on your internal switches to prevent routes to the Internet from the student VLAN unless they go through the ISA Server. Set up the ISA Server in front of a filtering appliance, pass all HTTP traffic, and allow access only to HTTPS sites you've added to an allow rule on your ISA server. Add the same limits to SWF, DCR, and possibly java or class files.

    Only allow Internet traffic to port 80 and (to a limited extent) 443 for students: Look, your students aren't going to need any other services besides HTTP and HTTPS, and if you're not careful about HTTPS, they'll be popping holes in your proxy using an encrypted web service.

    Set your web filtering to deny unrated sites: Students are going to try and circumvent your web filter through phproxy or cgiproxy. The smartest kids will go so far as to set up their own domain to get around your filter. The solution? Block what's not rated. It's also important that your filter have a mechanism to request that a site be unblocked. From a security perspective, it's important that you not open yourself up to risks that you can't control - including websites - but it's also important for the students' development that they have an opportunity to view controversial subjects and make up their own minds about the topic.

    Use groups: Set up an OU for each grade in your school. Create a global domain group for each grade. Set up another OU for classes, and create a global security group for each class section. That way, you'll be able to allow or deny access to resources for each grade or class.

    Software Restriction Policies: If you have a Server 2003 network, group policies are an amazing asset for your Windows XP clients. Group policies allow you to change settings on users and computers in your network. For instance, you can disable access to the registry or lock down Internet Explorer. Within group policies is a special policy component called Software Restriction Policies that allows you to decide whether or not applications can run based upon the hash, path, or filename. On my network, I designed the SRP around hashes. Managing those policies was a pain (the list was around 400 executables), but it was worth limiting what code would execute on the systems.

    Admin tools: You'll want to turn off access to all administrative tools, so disable access to the command prompt, registry editor, and MMC. Also, disable access to the security tab in Explorer to prevent students from changing file permissions. For your computer policies, set the local security policy to disable storing the LM hash for passwords.

    Use the Windows firewall: I know it's not much, but it does provide a lot of benefit over nothing at all. Using group policies, configure static rules into the Windows firewall. This will prevent malware from causing problems on your network, and will also prevent iTunes from eating your bandwidth.

    Web browsers: It pains me to say this, but don't allow browsers other than Internet Explorer to run on your machines during school. When Firefox adds group policy support, I'll relent on that, but you have no control over what code is executed in Firefox, whereas group policies give you a lot more control over Internet Explorer. Example: after implementing our software restriction policies, students began downloading Flash games in swf form to their laptop hard drives. After receiving complaints from teachers, we simply disabled Firefox through SRPs, and disable
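    The hash-based SRP allowlist described above lives or dies on knowing which executables appeared or changed since the policy was last updated. The following is an added example (not the poster's or Microsoft's code) that records a directory tree in the md5:size:32771 form an XP-era SRP hash rule displays and diffs it against a saved baseline; the tree it walks is a constructed stand-in built in a temp directory.

```python
"""Baseline and diff the executables behind an SRP hash allowlist.
An XP/Server 2003 Software Restriction Policy hash rule identifies a file by
MD5 digest plus byte length, shown in the policy editor as
"<md5hex>:<size>:32771" (32771 = CALG_MD5). With ~400 rules the recurring
chore is finding which executables appeared or changed since the last
baseline, which this inventory diff answers. Example code, not a Microsoft
tool; the tree it walks below is constructed in a temp directory."""
import hashlib
import json
import tempfile
from pathlib import Path

CALG_MD5 = 32771
# A subset of SRP's designated file types; extend to match your policy.
EXECUTABLE_SUFFIXES = {".exe", ".com", ".bat", ".cmd", ".scr", ".msi", ".ocx", ".cpl", ".pif"}


def rule_from_bytes(data):
    """The 'md5:size:32771' identifier SRP displays for this file content."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{CALG_MD5}"


def srp_hash_rule(path):
    return rule_from_bytes(Path(path).read_bytes())


def inventory(root):
    """Map relative path -> hash rule for every executable under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): srp_hash_rule(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES}


def diff_inventories(baseline, current):
    """Sort changes into the three actions an allowlist maintainer takes.
    added:   new executables that need an allow rule before a default-deny
             policy lets them run (or that should simply be deleted);
    changed: same path, new bytes; the old hash rule no longer matches, so a
             patched program is silently blocked until its rule is replaced;
    removed: stale rules that can be deleted."""
    added = {p: current[p] for p in current.keys() - baseline.keys()}
    removed = {p: baseline[p] for p in baseline.keys() - current.keys()}
    changed = {p: (baseline[p], current[p])
               for p in baseline.keys() & current.keys() if baseline[p] != current[p]}
    return {"added": added, "changed": changed, "removed": removed}


def save_baseline(inv, path):
    Path(path).write_text(json.dumps(inv, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed scenario: baseline two apps, then one is patched and a
    student drops a game into a writable folder. Returns the diff."""
    root = Path(tempfile.mkdtemp())
    (root / "Office").mkdir()
    (root / "Office" / "winword.exe").write_bytes(b"MZ-constructed-word-v1")
    (root / "Office" / "excel.exe").write_bytes(b"MZ-constructed-excel-v1")
    (root / "Office" / "readme.txt").write_bytes(b"not code, so not inventoried")
    baseline_file = root / "srp-baseline.json"
    save_baseline(inventory(root), baseline_file)
    # Later: an update replaces winword.exe and a game appears in a shared folder.
    (root / "Office" / "winword.exe").write_bytes(b"MZ-constructed-word-v2")
    (root / "Shared").mkdir()
    (root / "Shared" / "tetris.exe").write_bytes(b"MZ-constructed-game")
    return diff_inventories(load_baseline(baseline_file), inventory(root))


if __name__ == "__main__":
    for action, items in demo().items():
        print(f"{action}: {sorted(items)}")
```

Run against the real program directories on a freshly imaged machine to produce the baseline, then again after each update cycle; the "changed" set is what breaks when a patched application stops launching under the old hash rule.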

  31. Re:An Idea... by Zantetsuken · · Score: 2

    That, and it's possible that they may get interested enough (out of geekiness or for the money) in linux to go and learn advanced stuff, and become a network or server admin, thus making much larger sums of money in their career path than they would if they only ever use WinXP and instant messaging...

  32. SCT + gparted = crazy delicious by zubernerd · · Score: 2, Informative

    The Shared Computer Toolkit is fairly easy to use. If you don't have Partition Magic, GParted (Gnome Partition Editor) works great, is freely available, and I've used it to set up shared machines with no problems. ( http://gparted.sourceforge.net/ )

    --
    Accentuate the positive, don't waste your mod points on the negative.
  33. My school had a really good solution by Pacifist+Brawler · · Score: 2, Insightful

    A human. If they see you doing something bad you can't use the lab for a week. If that compromises your ability to work then you should have thought of that before you did it. If your grades suffer, that's your problem not theirs.

    --
    IANA*
  34. Windows application control software by frenetic3 · · Score: 5, Informative

    bit9 (http://www.bit9.com) Parity does exactly what the OP is looking for. You can lock down computers without taking away admin rights, and can whitelist applications which are allowed to install during lockdown. You can also administer all your desktops from the web console, so you don't have to go to each desktop and manually configure everything every time you want to make a change, and you can see what applications are running/installed on each desktop, and be alerted when something new appears.

    [full disclosure: I work at bit9 -- I couldn't help posting as we see and solve this exact problem all the time :)]

    Hope this helps; there are other alternatives (imaging/freezing products that others have pointed out) as well.

    -drew

    --
    "Where are we going, and why am I in this handbasket?"
  35. Terminal server, drive images, isolated network by Werrismys · · Score: 4, Funny

    If it HAS to be windoze, just get thin clients and run it off servers. After every class re-image the client disks. Do not connect it to external networks. Then nuke from orbit, level the building and spread salt. The only way to be sure with XP.

    --
    'Once scientists, even the dim-witted social scientists, get muzzled, the Western Civilization is finished.' - oldhack
  36. Locking Down Windows by lokispundit · · Score: 2, Informative
    There are a few ways to "lock" down windows.

    If you have a Windows domain, the best is to use group policies and create individual accounts to track each of the students.

    Group policy (http://www.microsoft.com/technet/technetmag/issues/2005/05/LockDown/) will also give you a great deal of control over how much of the Windows interface they have access to. For instance, you can lock out the CLI and control where they can save files. Here is a link from Micro$oft on how to get started.

    If you don't have an Active Directory domain set up, you can still lock down the desktop by creating local policies (http://www.windowsnetworking.com/articles_tutorials/wxppspol.html); unfortunately you will need to apply these to each PC. If all the hardware in the lab is the same, though, it wouldn't be too difficult to create a locked-down image using Ghost and then image all the machines to be identical.

    Also, if the school can afford it, buy a copy of Websense (http://www.websense.com/global/en/). It will keep the little buggers out of the internet, prevent them from downloading games, and even from using chat programs.

    --
    "Don't be so humble - you are not that great." - Golda Meir
  37. ADS Security and Ghostcast by Zerbey · · Score: 2, Informative

    I'm going to assume here that you must use Windows. Honestly, it's not much harder to lock down than Linux.

    * It's relatively simple to lock down users with GPO where all they see is a start menu and specifically what you want to give them. Make sure you remove access to the C: drive. Be warned that there are ways around it, so keep your eyes open.
    * If you MUST give them net access, force proxy and restrict the hell out of them. Teenagers will look at stuff they're not supposed to and are very creative at getting around firewalls :) DansGuardian is an excellent free solution that does content filtering. SquidGuard also works well. The best advice is to block everything except what you want them to see. Ditch IE and use one of the kiosk addons for Firefox or Mozilla (there are several).
    * Get ghostcast, or opforce, or something free and reimage them every night. You'll thank me later.
    * There'll be one or two kids (usually just one) that always manage to get around your restrictions. These are the kids that will one day have hugely successful IT careers. My experience is it's better to give them some extra responsibility to help YOU out, they'll thank you for it.

  38. Great ways to lockdown the desktops in XP. by borphos · · Score: 2, Interesting

    I work for a school so I know this problem inside and out, but the answer really depends on your situation/resources.

    The easiest way:
    Buy a copy of a program called Fortress. While you are at it, get their HD protector; it's called Clean Slate. These are available at http://www.fortresgrand.com/ This will enable you to completely lock down the ability to open the command prompt, run certain programs, change the colors or desktop, etc. Clean Slate can return a machine back to a known good state every time you log out. (Or so it claims; I've never had to actually use it.)
    Pros: Simple.
    Cons: Students still don't have their own accounts for saving documents. This sort of security sends a negative message of "I don't trust you with anything."

    A better way but a bit harder:
    Create a domain controller using Windows Server 2003. Buy a beefy server with plenty of HD space. Install Server 2003 (or 2000 if you can find it). Get a copy of a good Active Directory book. You will also need to buy CALs (Client Access Licenses). Buy a program called adinfintium (makes managing users a lot easier). Then (using your trusty Active Directory book) create users and place them in an OU (Organizational Unit) called something like "Students". Learn how to add a "Group Policy" to the Students OU. (At this point you can just call OUs folders.) Group policies can do things like set a homepage, lock the background and color scheme, disable MSN Messenger, disable certain other programs, etc.
    Pros: A server that acts as domain controller and file server can do more things than I wish to list here.
    Cons: $$$ It's expensive, not just to buy, but to maintain. Alternately you can do almost as much with a combination of a good linux server and that Fortress program for a lot less. You will need to know linux though.

    A note on content filters:
    Since you are at a school you have to comply with COPA (or something like it if you aren't in the US). Schools have the burden of being legally required to maintain a content filter to filter out bad things. What do they mean by bad things??? COPA-like laws are all vague, but you have to show you are doing at least something to prevent kids from vague things that may lead them into vague danger and cause them vague harm. The best way to do this is to buy a server to act as your firewall and content filter. A company called Clark Connect makes a great firewall product that updates its content filter automatically. It uses a program called DansGuardian on the backend and is intelligent and easy to use.

    Final note:
    The firewall/content filter and domain controller are not traditionally something you use just for one lab. They are usually used for an entire school, or in some cases multiple schools. This includes staff computers also. Most schools use this type of setup, and I would highly recommend it if you can afford the hardware and licenses.

  39. Better: Deep Freeze plus additional stuff by the+JoshMeister · · Score: 2, Insightful

    FWIW, I've worked as a school site technician in 3 different school districts and I'm currently a Network Specialist for the local County Superintendent of Schools. I, too, have used and highly recommend Deep Freeze, but it sounds like the person who submitted the question should probably implement some other ways to lock down the computers in addition to Deep Freeze.

    security basically consists of a password on the admin account, a subscription to McAfee Security Center, and a free Internet filter.

    If you have a filter and you're having problems with students downloading games and music, why not block game and music sites? Take a look at your Web access log and block the sites that are creating a problem. If all computers at your site (not just in your lab) access the network through your "free Internet filter," and if you have a domain,* you might benefit from setting up the proxy filter to only apply to a certain domain account, and then put your lab PCs on the domain and have the students log in via this restricted domain account. That way, teachers etc. can still get into whatever sites they need to, and they won't hate you because of your somewhat restrictive filter.

    *Someone else suggested using a domain, and I wholeheartedly agree. I haven't set up a SAMBA domain, but if cost is an issue (which it sounds like it is since you're using a free filter), you might be able to set up a domain with a Linux server, although I admit I have no idea how to go about setting up account restrictions on a Linux domain.

    Another great reason to use a domain is that you can set up your student account to be *very* limited; you can specify specific apps that they can't run, or if you want to be *really* restrictive you can even specify apps that they're allowed to run and everything else will be blacklisted by default. You can find some basic instructions in an article at my blog. (Sorry for the indirect link--ironically I'm behind a firewall and can't get the exact URL for you. Please look in the sidebar to find the Active Directory post.)

    They have been going in and changing settings, downloading games and music, and generally screwing the computers up during class time, in many cases leaving them unusable. [...] Any suggestions on the best way to lock these systems down?"

    Again, the specific music and game sites can be blocked individually, but it sounds like a big issue here is classroom discipline. I can't give you any tips on that. =) But another tech tip that I have is a free program suite: UltraVNC. You've probably heard of VNC before, but this particular implementation is really great for a school lab. You can set it up so there's no tray icon (making it easier to log into a student computer without them knowing or being able to shut down your connection), and you can actually lock down their ability to use the keyboard or mouse on an individual basis. So if you've got some kid that's really screwing around, take away their privilege of being able to use the computer until they decide they can behave. UltraVNC also lets you transfer files between the computers, which can come in handy.

    As an aside, VNC also makes it a piece of cake to take screenshots of students accessing naughty sites. Just connect to their screen when they've got something inappropriate up, hit the Print Screen key on your keyboard, and paste into Paint. Save it, and you've got the hostname and IP address of that computer in the VNC Viewer app's header, the current time from your system tray, and a clear shot of what the naughty student was viewing at the time.

    One more thing: someone suggested individual user accounts, stating that this was the only way to track which student used a particular computer at a particular time to do something bad. This is not such a great idea, however, for several reasons. To name just a
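    The post's advice to read the Web access log and block the sites that are actually causing the problem, as an added example that is not the poster's code: it assumes Squid's native access.log layout (the question's "free Internet filter" is never named, so yours may differ) and runs over a handful of constructed log lines, surfacing the hosts whose requests look like Flash games, music or installers.

```python
"""Candidate blocklist of game/music hosts from a proxy access log.
Assumes Squid's native access.log format (the question's filter is unnamed);
the sample lines are constructed for the demo, not real traffic."""
import os
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Squid native: time elapsed client result/status bytes method URL user hier/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)
# Types/extensions that in a classroom lab usually mean games, music or installers.
FLAGGED_TYPES = {"application/x-shockwave-flash", "audio/mpeg", "audio/x-ms-wma", "application/x-msdownload"}
FLAGGED_EXT = {".swf", ".mp3", ".wma", ".exe", ".msi"}

SAMPLE_LOG = """\
1146239720.123    150 10.0.1.15 TCP_MISS/200 2048576 GET http://games.example.net/flash/tetris.swf - DIRECT/203.0.113.5 application/x-shockwave-flash
1146239731.456     90 10.0.1.15 TCP_MISS/200 1536000 GET http://games.example.net/flash/racer.swf - DIRECT/203.0.113.5 application/x-shockwave-flash
1146239745.001   2100 10.0.1.22 TCP_MISS/200 4100000 GET http://music.example.com/dl/track07.mp3 - DIRECT/203.0.113.9 audio/mpeg
1146239750.210     40 10.0.1.30 TCP_HIT/200 15234 GET http://encyclopedia.example.org/wiki/Photosynthesis - NONE/- text/html
1146239760.777    300 10.0.1.22 TCP_MISS/200 830 CONNECT mail.example.org:443 - DIRECT/203.0.113.20 -
1146239770.300     60 10.0.1.15 TCP_DENIED/403 1200 GET http://games.example.net/flash/zombies.swf - NONE/- text/html
this line is corrupt and must be skipped rather than crash the report
"""


def host_of(url):
    """Host for GET-style URLs and for CONNECT's bare host:port form."""
    if "://" in url:
        return (urlsplit(url).hostname or "").lower()
    return url.rsplit(":", 1)[0].lower()


def extension_of(url):
    """Lower-cased extension of the URL path; '' for CONNECT targets."""
    return os.path.splitext(urlsplit(url).path)[1].lower() if "://" in url else ""


def parse_line(line):
    """Parsed fields for one Squid line, or None if it is not in that format."""
    m = LINE_RE.match(line.strip())
    return dict(m.groupdict(), bytes=int(m.group("bytes"))) if m else None


def summarize(lines):
    """Per-host request count, bytes, flagged requests and distinct clients.
    Returns (hosts, skipped); skipped counts unparsable lines so a corrupt
    log cannot silently yield an incomplete report."""
    hosts = defaultdict(lambda: {"requests": 0, "bytes": 0, "flagged": 0, "clients": set()})
    skipped = 0
    for line in filter(str.strip, lines):
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        h = hosts[host_of(rec["url"])]
        h["requests"] += 1
        h["bytes"] += rec["bytes"]
        h["clients"].add(rec["client"])
        # A TCP_DENIED request still shows what students keep trying to fetch, so
        # the extension check fires even when the type is the filter's deny page.
        if rec["ctype"].lower() in FLAGGED_TYPES or extension_of(rec["url"]) in FLAGGED_EXT:
            h["flagged"] += 1
    return dict(hosts), skipped


def candidate_blocklist(hosts):
    """Hosts with at least one flagged request, worst offenders first."""
    return sorted((h for h, s in hosts.items() if s["flagged"]),
                  key=lambda h: (-hosts[h]["flagged"], -hosts[h]["bytes"], h))


if __name__ == "__main__":
    hosts, skipped = summarize(SAMPLE_LOG.splitlines())
    print("block:", candidate_blocklist(hosts), f"/ skipped {skipped} line(s)")
```

Feed it the real access.log and review the list by hand before adding hosts to the filter; the clients set shows whether one machine or the whole room is behind a given host.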

  40. Lock the accounts, and secure the admin. by cbhacking · · Score: 2, Insightful
    just give them "user" accounts
    and secure the admin password!

    Seriously, at my jr high we had all the locked-down stuff we could want. Didn't do any good at all because they only changed the password to control the lockdown software (this was Win98 I think) once/quarter, and it would be seen or guessed within 2 weeks. I'm not sure how this hasn't come up yet in the discussion... but any relatively computer-literate kid could make an Admin account that looks just like the normal (limited) account to all but the closest scrutiny... but doesn't limit him/her at all!

    Also, yes, make sure they are using limited User accounts, not Power User accounts. Make sure they are locked out of the system folders entirely, have only read permissions anywhere else on the hard drive outside of their personal folders, and possibly even make it so that their home folder is wiped (or partially wiped) at each logout (I'm assuming the students share an account). My university uses a handful of scripts triggered by the Task Manager to do things like revert system settings when we log off, start the security software client (not start a scan, just the client) when we log in, and stuff like that. It's easy to set up, and should work just fine even on non-domain computers.
    --
    There's no place I could be, since I've found Serenity...
  41. Don't lock them down, let them do it by Allnighterking · · Score: 2, Interesting

    (I won't say install Ubuntu; Kubuntu is much better.) However, I'd rather get down to what really works in a situation like this. Don't lock them down. Anything an adult imposes will be viewed as a challenge and "Repressing their inner need to grow". However, if they choose a security team, they get involved (even if it's just listening) with the process of locking down the systems, seeing how the bad guys work and what to do about it. Suddenly they are no longer "The school's computers" but their computers. If the students themselves are in charge of the lockdown, then if and when one of their own walks outside the line they are much more effective at pulling their peers back in line than you can be (except in extreme cases, like theft). Not to mention the sheer volume of knowledge even the slowest learner will acquire during the process. Put that budding script kiddy in a position where his/her reputation as "cool" is on the line (SK: "Oh man that's ripe, any fool can hack that." Teacher: "OK, since you know the hacks, how about showing us the blocks."). Sure they will push back, but be sympathetic and understanding, saying "That's OK, I'm sure you really don't know that much about this anyway." People protect what they own. Give these kids a sense of ownership.

    --

    I'm sorry, I'm too tired to be witty at the moment so this message will have to do.

  42. +1 Use Deep Freeze by KlaymenDK · · Score: 3, Informative

    I'm using Deep Freeze in a youth centre. I've tried a ton of other solutions, both software and hardware-based. None even came close to the effectiveness and ease of DF.

    And contrary to other posters, I have seen NO SLOWDOWN. These machines run all the modern games without problems.

    One of the best things is that it is completely invisible to the users and does not impose any UI restrictions. Only when you do the special Vulcan nerve pinch AND type in the pw AND reboot the machine do you get any access.

    Users seem to be able to do whatever they want, and a reboot is going to undo all of it. (I'm then using additional tweaks to ensure reboots aren't required so often.)

    The only issue is that if you want to make one master disk image to mirror to the lab PCs, you need to be very mindful of how you apply DF during the process. It is possible to lock yourself out (wasting the weekend you just spent building the image).

    I can't help but give you my utmost recommendation to use this product. (Oh, and I'm not affiliated.)

    Physically, our PCs are locked away in cabinets, with only KVM cables going out, and a lockable doorbell-type button to power the thing on. The game CDs are loaded as images, so users never get any hands-on.