Securing a High School Windows XP Computer Lab?
An anonymous reader asks: "My SO just inherited a computer lab from a departed teacher who was no security guru. These are Windows XP systems, and security basically consists of a password on the admin account, a subscription to McAfee Security Center, and a free Internet filter. The students have access through a non-passworded 'limited' user account that doesn't seem to limit much. They have been going in and changing settings, downloading games and music, and generally screwing the computers up during class time, in many cases leaving them unusable. As the geek in our house, she has asked me to give her a hand, but while I have dealt with some security issues in the past, it was to protect against remote intruders, not against someone who has to have access to the keyboard. Any suggestions on the best way to lock these systems down?"
Lock the door.
http://www.microsoft.com/windowsxp/sharedaccess/default.mspx/
Is a good place to start for newbies. Or if these are XP pro machines you can use gpedit.msc (start->run->gpedit.msc)
If these are XP home machines try this http://www.dougknox.com/xp/tips/xp_home_sectab.ht
Nah, try gentoo. It'll be really secure then.
Mr. Universe: "They can't stop the signal, Mal. They can never stop the signal."
Set up the machines to run in a VM environment. When the host OS boots and logs in, make a copy of the VM and run that. When they exit, destroy it.
Get off my lawn.
The easiest thing to do is to lock down the user account that the students use. It is unacceptable from a security standpoint to allow them access to more than being able to run simple preinstalled apps like Firefox, MS Office, etc. It sounds like you're not running on a domain based on the fact that it is a simple 'limited' account. I'm not really in a position to go into the details of XP security in a quick reply, but it is possible to lock down a user account very tightly in XP on a domain. In a corporate environment, users typically can't even install things like print drivers without admin rights.
First off, the part you'll be authorized to use is almost exactly like Windows. Here's the login screen. Here is the "Start" button. This is your web browser, word processor, etc.
These machines will NOT run most of the applications you have at home. We want it that way.
http://www.faronics.com/ has a program called Deep Freeze; it's not free, but after implementing it in several of our public labs it cut down just about all the troubles. Just reboot and the thing is exactly how it was when you froze it.
Please note I'm not associated with Faronics or Deep Freeze in any way, just found the program useful and thought it might help you out.
If you lock them down, they'll work but you'll have a lot of complaints as people are restricted from using the computers for any purpose you haven't specifically allowed. In a business environment, this is fine, you pay the people to work and they aren't using the computer as a toy. In an educational environment though, you want students to be able to experiment.
What I would do is try to create a network disk image that could be quickly and easily reverted to when the machines inevitably get messed up. Let the students play and learn; a large part of learning is in messing things up and trying to fix them.
All movements for social change begin as missions, evolve into businesses, and end up as rackets.
...and pray that they don't have blasters.
A good solution if you are concerned about generally maintaining the same exact image consistently when people use the machine is to utilize Deep Freeze. In our IT Department at a medium-size University (10,000 students) we use Deep Freeze extensively to keep students from ruining lab computers. Deep Freeze is, as others have mentioned, a virtual partition system. Each time you reboot the machine, the original image you had is restored and any changes wiped (only files kept in the "Thawspace" are maintained, all others are lost). This means that no matter what your students do, the machine will be restored on bootup.
Now, if you want to further limit what they can do, you can make many changes to the registry in Windows to block users from doing many things such as using the "run" menu, installing applications or a number of other things as simple as changing screen resolution or color depth. Once you set everything up and create the image of your restricted setup, Deep Freeze will maintain it every time for you.
You can get Deep Freeze from here: http://www.faronics.com/ or look there to find out more information about how it works.
We have tried other products in the past that claimed to "restrict" Windows such that users could not make harmful changes (e.g. OnGuard) but none of the ones we utilized were able to be fool-proof and stop students from getting around it or messing something up. Short of reformatting the machine, Deep Freeze is pretty hard for the student to get around. Thawing the machine to make changes requires a lengthy key combination to even bring up the password box (key combination is customizable by you), or you can enter a key combination on bootup to access the password box to thaw the machine. You can also maintain the systems through a Deep Freeze console so you can admin all the machines at once and even push new images to them that way.
That's my three cents on how we do things in an Academic environment, but our general policy has been slight restrictions but allow them a lot of free rein - except we reset the system every time it is rebooted. I'd suggest for Middle and High school to implement a lot more restrictions on the base image that you use with Deep Freeze than what we have here at the University level.
"To strive, to seek, to find, and not to yield." - Tennyson
No matter what you do, sufficiently motivated students will hack their way around it. At least, that was my experience in high school. It doesn't even matter if you try stuff like BIOS passwords, etc. -- the students have physical access to the machines, or at least can con the teachers into getting it (e.g. in order to fix a problem, unless you've got a much less understaffed IT department than my school had).
So what's the solution? Give up, and let them do it. Re-image the machines if they get screwed up, discipline the students if they do something unacceptable (e.g. download porn, etc.), and don't waste your time bothering with anything else.
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
I disagree. While Linux shouldn't even be brought up in the context of securing a Windows XP lab (except maybe to serve network resources and authentication), using a Linux desktop is only going to help high school students learn computer skills.
Basic web usage is portable to Internet Explorer (and even more so to Firefox on Windows). Basic word processing skills can be easily transferred from OpenOffice to MSOffice. Basic fragging skills are transferable from Quake 3 to Half-Life (c'mon, these are high school students).
More important, learning to accomplish the same task using more than one application can really help cement in the kids' minds that they're not learning "how computers work," but "how this particular application works." Which is very important for a real understanding of computers. Where differences exist, they open up opportunities for learning. What is a file format? How can multiple programs handle the same data, and why do they sometimes do it slightly differently? What are web standards?
Couple that with the number of programming languages freely available to educational institutions under the apt-get license, and it seems to me that there is definitely a place for Linux in the classroom.
You want the truthiness? You can't handle the truthiness!
I'm not affiliated with Faronics in any way.
I administered a computer network at a high school for three years, so I can toss out a few suggestions:
VLAN your network. If you have Cisco switches, this should be easy. Set up separate VLANs for students, the staff, and servers. You'll be able to isolate what resources can be accessed based upon these access lists.
SET UP A PROXY SERVER! Seriously. One of the first systems you should implement is ISA Server 2006. ISA Server will act as an internal proxy to control what users have access to the Internet, and what resources they can access. Set ACLs on your internal switches to prevent routes to the Internet from the student VLAN unless they go through the ISA Server. Set up the ISA Server in front of a filtering appliance, pass all HTTP traffic, and allow access only to HTTPS sites you've added to an allow rule on your ISA server. Add the same limits to SWF, DCR, and possibly Java or class files.
Only allow Internet traffic to port 80 and (to a limited extent) 443 for students: Look, your students aren't going to need any other services besides HTTP and HTTPS, and if you're not careful about HTTPS, they'll be popping holes in your proxy using an encrypted web service.
Set your web filtering to deny unrated sites: Students are going to try and circumvent your web filter through phproxy or cgiproxy. The smartest kids will go so far as to set up their own domain to get around your filter. The solution? Block what's not rated. It's also important that your filter have a mechanism to request that a site be unblocked. From a security perspective, it's important that you not open yourself up to risks that you can't control - including websites - but it's also important for the students' development that they have an opportunity to view controversial subjects and make up their own minds about the topic.
Use groups: Set up an OU for each grade in your school. Create a global domain group for each grade. Set up another OU for classes, and create a global security group for each class section. That way, you'll be able to allow or deny access to resources for each grade or class.
Software Restriction Policies: If you have a Server 2003 network, group policies are an amazing asset for your Windows XP clients. Group policies allow you to change settings on users and computers in your network. For instance, you can disable access to the registry or lock down Internet Explorer. Within group policies is a special policy component called Software Restriction Policies that allows you to decide whether or not applications can run based upon the hash, path, or filename. On my network, I designed the SRP around hashes. Managing those policies was a pain (the list was around 400 executables), but it was worth limiting what code would execute on the systems.
Admin tools: You'll want to turn off access to all administrative tools, so disable access to the command prompt, registry editor, and MMC. Also, disable access to the security tab in Explorer to prevent students from changing file permissions. For your computer policies, set the local security policy to disable storing the LM hash for passwords.
Use the Windows firewall: I know it's not much, but it does provide a lot of benefit over nothing at all. Using group policies, configure static rules into the Windows firewall. This will prevent malware from causing problems on your network, and will also prevent iTunes from eating your bandwidth.
Web browsers: It pains me to say this, but don't allow browsers other than Internet Explorer to run on your machines during school. When Firefox adds group policy support, I'll relent on that, but you have no control over what code is executed in Firefox, whereas group policies give you a lot more control over Internet Explorer. Example: after implementing our software restriction policies, students began downloading Flash games in swf form to their laptop hard drives. After receiving complaints from teachers, we simply disabled Firefox through SRPs, and disable
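One way to check that the admin-tool and LM hash settings listed in the comment above actually landed on a lab machine, as an added example that is not part of the original post: it audits a regedit text export for the command prompt, registry editor, Security tab and LM hash policy values. The sample export is constructed, and the example assumes the export was taken while logged in as the student account, so that HKEY_CURRENT_USER reflects the student's policy.

```python
import re

# (registry key, value name) -> acceptable DWORD values for a locked-down student account.
REQUIRED = {
    # 1 = block cmd.exe and batch files, 2 = block cmd.exe but allow batch files
    (r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System", "DisableCMD"): {1, 2},
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools"): {1},
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoSecurityTab"): {1},
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa", "NoLMHash"): {1},
}

SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})$')

def parse_reg(text):
    """Parse the DWORD values of a regedit text export into {(key, name): int}."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            key = m.group("key").lower()  # registry paths are case-insensitive
            continue
        m = DWORD.match(line)
        if m and key:
            values[(key, m.group("name").lower())] = int(m.group("val"), 16)
    return values

def audit(text):
    """Return (value name, problem) for every required setting that is missing or weak."""
    found = parse_reg(text)
    findings = []
    for (key, name), ok in REQUIRED.items():
        actual = found.get((key.lower(), name.lower()))
        if actual is None:
            findings.append((name, "not set"))
        elif actual not in ok:
            findings.append((name, "set to %d" % actual))
    return findings

# Constructed sample export from one lab machine (not real data).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"NoLMHash"=dword:00000001
'''
```

Calling `audit(SAMPLE)` reports the registry editor policy as present but switched off and the Security tab policy as absent, which is the kind of drift that appears when a group policy does not apply to a machine or account.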
bit9 (http://www.bit9.com) parity does exactly what the OP is looking for. you can lock down computers without taking away admin rights, and can whitelist applications which are allowed to install during lockdown. you can also administer all your desktops from the web console, so you don't have to go to each desktop and manually configure everything every time you want to make a change, and you can see what applications are running/installed on each desktop, and be alerted when something new appears.
[full disclosure: i work at bit9 -- i couldn't help posting as we see and solve this exact problem all the time :)]
hope this helps; there are other alternatives (imaging/freezing products that others have pointed out) as well.
-drew
"Where are we going, and why am I in this handbasket?"
If it HAS to be windoze, just get thin clients and run it off servers. After every class re-image the client disks. Do not connect it to external networks. Then nuke from orbit, level the building and spread salt. The only way to be sure with XP.
'Once scientists, even the dim-witted social scientists, get muzzled, the Western Civilization is finished.' - oldhack