Securing a High School Windows XP Computer Lab? 533
An anonymous reader asks: "My SO just inherited a computer lab from a departed teacher who was no security guru. These are Windows XP systems, and security basically consists of a password on the admin account, a subscription to McAfee Security Center, and a free Internet filter. The students have access through a non-passworded 'limited' user account that doesn't seem to limit much. They have been going in and changing settings, downloading games and music, and generally screwing the computers up during class time, in many cases leaving them unusable. As the geek in our house, she has asked me to give her a hand, but while I have dealt with some security issues in the past, it was to protect against remote intruders, not against someone who has to have access to the keyboard. Any suggestions on the best way to lock these systems down?"
Come on, did you really have to ask Slashdot? (Score:3, Insightful)
Virtual Machines (Score:5, Insightful)
Lock down the user accounts (Score:5, Insightful)
Comment removed (Score:2, Insightful)
Install Linux (Score:2, Insightful)
Backup Software (Score:4, Insightful)
You're going to hear a lot of "install Linux" comments and a lot of "linux sucks" comments in reply to them. I'm not going to go there. Assuming you're looking for some minimal security, not a whole architecture revamp, look into some good backup software, make a clean install image with everything you want on it, add a network storage server (Linux?) for persistent data, and just periodically wipe the machines and replace them with a known good image. Keep the image up to date, virus scan the network storage, and you're probably going to be fine.
It can't be done anyway. (Score:5, Insightful)
No matter what you do, sufficiently motivated students will hack their way around it. At least, that was my experience in high school. It doesn't even matter if you try stuff like BIOS passwords, etc. -- the students have physical access to the machines, or at least can con the teachers into getting it (e.g. in order to fix a problem, unless you've got a much less understaffed IT department than my school had).
So what's the solution? Give up, and let them do it. Re-image the machines if they get screwed up, discipline the students if they do something unacceptable (e.g. download porn, etc.), and don't waste your time bothering with anything else.
Well, speaking from experience... (Score:4, Insightful)
First, lockdown all accounts. Some people mentioned Deep Freeze, some people mentioned group policy. My old school used Active Directory with group policies, so yearbook students and teachers could save files to the central server.
Take away the Task Manager, right-click, and Internet Explorer. Those are the most common amateur attack vectors. I'm at Oregon State University, and have had no problems compromising the "locked" computers here simply because they left me with Internet Explorer. Replace it with Firefox, and read the Firefox docs on how to lockdown the browser settings.
Tell teachers to supervise kids in computer labs. There was one lab at my old school which kids stole drives, memory, and fans from all the time simply because the teacher in that lab was incapable of monitoring his students. It was bemusing but also expensive.
Get some hackers (Score:2, Insightful)
The college where I work now uses Deep Freeze. I agree with several other posters: it's good. Before we got it, we had at least a couple of times when the school's entire network was down for days because of a virus. Since we got it there have been zero such problems.
Re:An Idea... (Score:5, Insightful)
Basic web usage is portable to Internet Explorer (and even moreso to Firefox on Windows). Basic word processing skills can be easily transferred from OpenOffice to MSOffice. Basic fragging skills are transferrable from Quake 3 to Half-Life (c'mon, these are high school students).
More important, learning to accomplish the same task using more than one application can really help cement in the kids' minds that they're not learning "how computers work," but "how this particular application works." Which is very important for a real understanding of computers. Where differences exist, they open up opportunities for learning. What is a file format? How can multiple programs handle the same data, and why do they sometimes do it slightly differently? What are web standards?
Couple that with the number of programming languages freely available to educational institutions under the apt-get license, and it seems to me that there is definitely a place for Linux in the classroom.
Comment removed (Score:5, Insightful)
4 years IT support for Public Schools (Score:3, Insightful)
Anyway as far as locking the system down, if you own Windows 2000/2003 server Active directory is the easiest and cheapest way to go. It will take some tweaking but it works pretty well. I also found striking the fear of god into the kids was equally effective.
And the guy who posted about the stock of mice and keyboards, he is also right on! They run through that equipment like water! So you strike a good deal with a vendor and buy those things in bulk. We got the keyboards down to like 7 bucks ea. and the mice about 3-4 bucks each.
Re:An Idea... (Score:1, Insightful)
All that proves is that your kid is slow. I mean really, aside from the functionality, which we could debate all day, there are plenty of dead giveaway cosmestic differences. The most major being the gigantic fucking "Windows XP Professional/Home" banner on the side of the menu you get when you click the Start button with the Windows flag. Hyperbole to attempt to prove your point just makes you (or your kid) look stupid.
My school had a really good solution (Score:2, Insightful)
Re:Lock down the user accounts (Score:4, Insightful)
You don't even have to go very far with this: just give them "user" accounts. Windows comes with three main user groups built-in: administrators, power users, users. Unless someone has messed things up, "users" shouldn't be able to install things or mess with the actual system.
Now, the other part of this (and this is important) is that you have to find a way to restrict student's access to the physical machines as much as possible. The ideal would be to put the actual machine in a locking cabinet or something (with some amount of air-flow so they don't overheat). If you really want to keep the computers secure, you don't want those kids getting access to so much as a CD-ROM drive or USB port. Really, a simple lock-down will keep most kids out of trouble, but you never know when some kid is going to figure out how to reset your Windows admin password with a Linux live CD.
Better: Deep Freeze plus additional stuff (Score:3, Insightful)
FWIW, I've worked as a school site technician in 3 different school districts and I'm currently a Network Specialist for the local County Superintendent of Schools. I, too, have used and highly recommend Deep Freeze, but it sounds like the person who submitted the question should probably implement some other ways to lock down the computers in addition to Deep Freeze.
If you have a filter and you're having problems with students downloading games and music, why not block game and music sites? Take a look at your Web access log and block the sites that are creating a problem. If all computers at your site (not just in your lab) access the network through your "free Internet filter," and if you have a domain,* you might benefit from setting up the proxy filter to only apply to a certain domain account, and then put your lab PCs on the domain and have the students log in via this restricted domain account. That way, teachers etc. can still get into whatever sites they need to, and they won't hate you because of your somewhat restrictive filter.
*Someone else suggested using a domain, and I wholeheartedly agree. I haven't set up a SAMBA domain, but if cost is an issue (which it sounds like it is since you're using a free filter), you might be able to set up a domain with a Linux server, although I admit I have no idea how to go about setting up account restrictions on a Linux domain.
Another great reason to use a domain is that you can set up your student account to be *very* limited; you can specify specific apps that they can't run, or if you want to be *really* restrictive you can even specify apps that they're allowed to run and everything else will be blacklisted by default. You can find some basic instructions in an article at my blog [blogspot.com]. (Sorry for the indirect link--ironically I'm behind a firewall and can't get the exact URL for you. Please look in the sidebar to find the Active Directory post.)
Again, the specific music and game sites can be blocked individually, but it sounds like a big issue here is classroom discipline. I can't give you any tips on that. =) But another tech tip that I have is a free program suite: UltraVNC [ultravnc.com]. You've probably heard of VNC before, but this particular implementation is really great for a school lab. You can set it up so there's no tray icon (making it easier to log into a student computer without them knowing or being able to shut down your connection), and you can actually lock down their ability to use the keyboard or mouse on an individual basis. So if you've got some kid that's really screwing around, take away their privilege of being able to use the computer until they decide they can behave. UltraVNC also lets you transfer files between the computers, which can come in handy.
As an aside, VNC also makes it a piece of cake to take screenshots of students accessing naughty sites. Just connect to their screen when they've got something inappropriate up, hit the Print Screen key on your keyboard, and paste into Paint. Save it, and you've got the hostname and IP address of that computer in the VNC Viewer app's header, the current time from your system tray, and a clear shot of what the naughty student was viewing at the time.
One more thing: someone suggested individual user accounts, stating that this was the only way to track which student used a particular computer at a particular time to do something bad. This is not such a great idea, however, for several reasons. To name just a
Lock the accounts, and secure the admin. (Score:3, Insightful)
Seriously, at my jr high we had all the locked-down stuff we could want. Didn't do any good at all because they only changed the password to control the lockdown software (this was Win98 I think) once/quarter, and it would be seen or guessed within 2 weeks. I'm not sure how this hasn't come up yet in the discussion... but any relatively computer-literate kid could make an Admin account that looks just like the normal (limited) account to all but the closest scrutiny... but doesn't limit him/her at all!
Also, yes, make sure they are using limited User accounts, not Power User accounts. Make sure they are locked out of the system folders entirely, have only read permissions anywhere else on the hard drive outside of ther personal folders, and possibly even make it so that their home folder is wiped (or partially wiped) at each logout (I'm assuming the students share an account). My university uses a handful of scripts triggered by the Task Manager to do things like revert system settings when we log off, start security software client (not start a scan, just the client) when we log in, and stuff like that. It's easy to set up, and should work just fine even on non-domain computers.