Securing a High School Windows XP Computer Lab?

An anonymous reader asks: "My SO just inherited a computer lab from a departed teacher who was no security guru. These are Windows XP systems, and security basically consists of a password on the admin account, a subscription to McAfee Security Center, and a free Internet filter. The students have access through a non-passworded 'limited' user account that doesn't seem to limit much. They have been going in and changing settings, downloading games and music, and generally screwing the computers up during class time, in many cases leaving them unusable. As the geek in our house, she has asked me to give her a hand, but while I have dealt with some security issues in the past, it was to protect against remote intruders, not against someone who has to have access to the keyboard. Any suggestions on the best way to lock these systems down?"

Come on, did you really have to ask Slashdot?

[pdpTrojan]

95% of the answers given here are going to be smartasses telling you to install Ubuntu.

Re:Come on, did you really have to ask Slashdot?

[HoosierPeschke]

Nah, try gentoo [gentoo.org]. It'll be really secure then.

Re:Come on, did you really have to ask Slashdot?

[Ziwcam]

I'd recommend Deep Freeze from Faronics [faronics.com]. I've seen machines it's running on take all kinds of abuse, and after restart they're like new. I have not seen the windows version, but the mac version seems to run pretty well.

I'm not affiliated with Faronics in any way.

+1 Use Deep Freeze

[KlaymenDK]

I'm using Deep Freeze in a youth centre. I've tried a ton of other solutions, both software and hardware-based. None even came close to the effectiveness and ease of DF.

And contrary to other posters, I have seen NO SLOWDOWN. These machines run all the modern games without problems.

One of the best things is that it is completely invisible to the users and does not impose any UI restrictions. Only when you do the special Vulcan nerve pinch AND type in the pw AND reboot the machine do you get any access.

Users seem to be able to do whatever they want, and a reboot is going to undo all of it. (I'm then using additional tweaks to ensure reboots aren't required so often.)

The only isue is that if you want to make one master disk image to mirror to the lab pc's, you need to be very mindful of how you apply DF during the process. It is possible to lock yourself out (wasting the weekend you just spend building the image).

I can't help but give you my utmost recommendation to use this product. (Oh, and I'm not affiliated.)

Physically, our pc's are locked away in cabinets, with only KVM cables going out, and a lockable doorbell-type button to power the thing on. The games CD's are loaded as images, so users never get any hands-on.

Re:

[drinkypoo]

Actually it's not too hard. I knew a guy who wanted more RAM to run his huge (read:innefficient) Computer Science project, so he shut down his computer and the ones next to him

You're stupid. that's not an example of someone breaking deep-freeze, that's an example of someone dealing with the hardware. That will not help them do anything unauthorized to the software.

And, in any case, that problem can be solved through the use of a lock.

At my former employer, Yuba College, in labs in which they need

Windows application control software

[frenetic3]

bit9 (http://www.bit9.com) parity does exactly what the OP is looking for. you can lock down computers without taking away admin rights, and can whitelist applications which are allowed to install during lockdown. you can also administer all your desktops from the web console, so you don't have to go to each desktop and manually configure everything every time you want to make a change, and you can see what applications are running/installed on each desktop, and be alerted when something new appears.

[full disclosure: i work at bit9 -- i couldn't help posting as we see and solve this exact problem all the time :)]

hope this helps; there are other alternatives (imaging/freezing products that others have pointed out) as well.

-drew

Easy solution

[brucmack]

Lock the door.

Obligatory Star Wars Quote

[Anonymous Coward]

...and pray that they don't have blasters.

Terminal server, drive images, isolated network

[Werrismys]

If it HAS to be windoze, just get thin clients and run it off servers. After every class re-image the client disks. Do not connect it to external networks. Then nuke from orbit, level the building and spread salt. The only way to be sure with XP.

Re:

[PastAustin]

I was going to go with remove the keyboards. The only way to secure a Windows PC is have someone constantly watch over them. Novell has some good deals for schools.

Re:

[voice_of_all_reason]

And if they can't break in, they'll just glue up the lock. The lesson? Don't be a jerk in the first place and let them play snood during chem lab.

Check out the microsoft shared computer toolkit

[Aarondeep]

http://www.microsoft.com/windowsxp/sharedaccess/de fault.mspx/ [microsoft.com]
Is a good place to start for newbies. Or if these are XP pro machines you can use gpedit.msc (start->run->gpedit.msc)

If these are XP home machines try this http://www.dougknox.com/xp/tips/xp_home_sectab.htm / [dougknox.com]

Not made for XP home

[maddogsparky]

Have you tried the above link on an XP home machine? The MS website says it is for Win NT and Win 2K.

Re:Check out the microsoft shared computer toolkit

[Deathlizard]

i'll second this, although We use a domain to set user permissions, but it would work without domains using gpedit.msc

Basically, make an admin account (call it "school user" for example) and Password protect it install everything using that account, secure using gpedit.msc, Remove CREATOR OWNER permissions on the C:\, C:\program files, C:\windows and C:\windows\system32 folders then log out.

From there, log into administrator (the real one) copy the "school user" profile into the Default user profile using the Users profiles settings found in system properties Giving "everyone" access when you copy the profile, then change the permission manually in the "default user" profile so that everyone cannot write to it. Then make a third user account. Use compmgmt.msc to make that account a member of the guests and users groups. (make sure that guest accounts will delete once they log out. It's in gpedit.msc somewhere) optionally hide both administrator and "school user" and log out of administrator.

Log into the third account and test everything. it should not allow you to install anything if done correctly or write anywhere except for the third user profile. once you log out it should delete the profile (sometimes it doesn't for some reason. This [microsoft.com] helps with that a lot) and the settings should be safe.

Of course I'm assuming XP Pro. I'm pretty sure XP Home doesn't have these utils available.

Re:

[WasteOfAmmo]

On note on copying profiles: when you use the copy profile feature it does not copy the "local settings" folder in the source profile. Now this makes sense from a theoretical point of view (local settings should only contain information pertaining to the current user) but unfortunately their are a number of programs that happily install configuration settings into the local settings folder of the profile you use during installation. This means that if you do not manually copy the "local settings" folder

Re:

[Blastrogath]

Get a linux boot cd and use "dd if='windows drive' | gzip > foo.gz" to copy the install to a remote disk then. The disk image is handy to have anyway, you never know when you'll need to re-install. Some Windows XP installs will even fit on a bootable DVD-ROM with a small linux so you can include an automatic install script.

Re:

[The MAZZTer]

My college uses Deep Freeze. One of the CS seniors, Jon, last year worked around it (he got around the bios protections against booting from a CD) and repartitioned the hard drive of one of the computers and installed Slackware as a prank. He kept the Windows parititon intact, but the poor ITS guy (a fellow CS senior) went ahead and had to redo everything from scratch. He was mad when Jon told him it was him. :D

Virtual Machines

[clintp]

Set up the machines to run in a VM environment. When the host OS boots and logs in, make a copy of the VM and run that. When they exit, destroy it.

Lock down the user accounts

[William_Lee]

The easiest thing to do is to lockdown the user account that the students use. It is unacceptable from a security standpoint to allow them access to more than being able to run simple preinstalled apps like Firefox, MS Office, etc. It sounds like you're not running on a domain based on the fact that it is a simple 'limited' account. I'm not really in a position to go into the details of XP security in a quick reply, but it is possible to lockdown a user account very tightly in XP on a domain. In a corporate environment, users typically can't even install things like print drivers without admin rights.

Re:

[Tim C]

In a corporate environment, users typically can't even install things like print drivers without admin rights.

The last time I got a new PC at work was the first time it was sourced via a particular department of our corporate owners. It arrived set up such that local admin accounts couldn't even change the desktop background.

Of course, as we've never been properly integrated into the company as a whole, we're not part of the coporate Active Directory structure, so 5 minutes googling and 30 seconds of gpedit

Re:Lock down the user accounts

[nine-times]

You don't even have to go very far with this: just give them "user" accounts. Windows comes with three main user groups built-in: administrators, power users, users. Unless someone has messed things up, "users" shouldn't be able to install things or mess with the actual system.

Now, the other part of this (and this is important) is that you have to find a way to restrict student's access to the physical machines as much as possible. The ideal would be to put the actual machine in a locking cabinet or something (with some amount of air-flow so they don't overheat). If you really want to keep the computers secure, you don't want those kids getting access to so much as a CD-ROM drive or USB port. Really, a simple lock-down will keep most kids out of trouble, but you never know when some kid is going to figure out how to reset your Windows admin password with a Linux live CD.

Lock the accounts, and secure the admin.

[cbhacking]

just give them "user" accounts

and secure the admin password!

Seriously, at my jr high we had all the locked-down stuff we could want. Didn't do any good at all because they only changed the password to control the lockdown software (this was Win98 I think) once/quarter, and it would be seen or guessed within 2 weeks. I'm not sure how this hasn't come up yet in the discussion... but any relatively computer-literate kid could make an Admin account that looks just like the normal (limited) account to all but

deep freeze

[hustlebird]

http://www.faronics.com/ [faronics.com] has a program called deep freeze, its not free, but after implementing it in several of our public labs it cut down just about all the troubles. Just reboot and the thing is exactly how it was when you froze it.
Please note i'm not associated with faronics or deep freeze in any way, just found the program useful and thought it might help you out.

Re:

[DocBoss]

Deep Freeze is truly the way to go. It is the single best program for a situation like this.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:deep freeze

[michrech]

I disagree.
In the school I worked, the kids had no problem re-downloading the programs and music every. single. day. I assumed finding and re-downloading the stuff was more fun than listening to the teacher anyway. Plus, most of them started playing flash-games on the game websites as well.

Deep-freeze will keep the OS from being permanently destroyed by student/virus/whatever, but it doesn't make it any less of a distraction in the classroom if it is not further locked down.

You disagree -- That is your opinion. Let me tell you why I believe you are wrong. You use something like deepfreze to lock the PC. Then you have a content filter to block the crap the students are doing online that they should not be. Right tool for the job, and all that.

At one particular school I used to do some work for (before moving to a higher paying job), I set up a linux (Gentoo, in case it matters) server that did Samba, iptables, squid/squidguard, etc. When teachers would catch their students doing things they ought not to be, the web site was written down, passed to me, then blocked. I would sit and look at the access log to see if the students were looking at game sites (of the games.yahoo.com type) and block them. When I got wind of this stupidcensorship.org crap, I joined that mailing list (under multiple email address) and started blocking THOSE. The faculty/administration of that school *loved* that they were in control; not the students and not some company with the blocking database. They loved that the software didn't cost them a dime so they were able to pump more money into better back-end hardware.

They didn't believe in locking the machines down with deepfreze (or didn't want to spend the money -- one of the two), but fortunatly for them with how much I had things locked down, the students really haven't been able to damage the machines (as far as software goes). No, they've resorted to damaging hardware (resulting in suspension/expulsion). That is beyond what any ITS individual can prevent.

Re:

[Nimey]

Yeah, my uni's got a similar product called Centurion Guard in all the public labs. You set the machine up, activate the software, then all changes made after you activate it go away when you reboot. You can deactivate it temporarily to install new software. Works pretty well.

Re:

[DeadboltX]

I would also highly recommend deep freeze.
many school in the Sacramento area use it with great success and I myself have deployed it on several machines I oversee at public study-hall areas for apartment complexes in a college town.

Every time the computer reboots it resets itself to how it was when you first installed it, so even if you have no further access prevention (although I would recommend Microsoft's tool which helps you put extra access prevention, just to discourage that sort of behavior) you can

Re:

[Jonah Hex]

Thanks for pointing Deep Freeze out, I couldn't remember the name of it but it's definitely the way to go! If I could get my corp to buy it I'd be much happier, Active Directory policies don't help when they give everyone admin rights to their own computer.

Jonah Hex

Re:

[From A Far Away Land]

If you have XP, it's hard to beat the free WDP in Shared Computer Toolkit by Microsoft.

Re:

[Anonymous Coward]

Apple uses the Mac version of Deep Freeze on all Apple Store front-of-house demo machines, if you want a corporate pedigree.

Re:

[Anonymous Coward]

my school had Deep Freeze. my problem with it (as a student who knew what he was doing) was that the pre-installed software was lame. I didn't want to have to install firefox every class.... so I found a little program called Deep Unfreezer. http://usuarios.arnet.com.ar/fliamarconato/pages/e deepunfreezer.html [arnet.com.ar]

it can:
freeze
unfreeze
freeze after x reboots.

needless to say my computer had mozilla and winamp on it. jealousy ensued.
just pointing out that deep freeze isn't flawless either

Agreed

[phorm]

I work in a school district and we use deep-freeze on pretty much everything. Our labs are mostly 'nix/LTSP thin clients, but the teachers and admins tend to use windows machines of some sort. I'd say that it's a good idea to use DF not just on the lab, but also on teacher machines. The trick with the teachers is to setup two partitions, a frozen C: for the windows install, and a thawed D:

Then, create you user, and move his/her "Application Data" "Templates" "My Favorites" and "My Documents" to a new area

Re:

[Chris_Jefferson]

I have implemented something similar using a very small (4MB) linux partition, where at reboot, it copies a fixed partition back over the primary one. It can also pull the partition from a server if it's been lost / damaged / updated on the server. Out of interest, what does deep freeze offer over that? Serious question, I assume it must offer extra features if so many people are advising it's use.

Better: Deep Freeze plus additional stuff

[the JoshMeister]

FWIW, I've worked as a school site technician in 3 different school districts and I'm currently a Network Specialist for the local County Superintendent of Schools. I, too, have used and highly recommend Deep Freeze, but it sounds like the person who submitted the question should probably implement some other ways to lock down the computers in addition to Deep Freeze.

security basically consists of a password on the admin account, a subscription to McAfee Security Center, and a free Internet filter.

If y

Install Linux

[Fireflymantis]

No, Really. Drop on somethign easy to use like ubuntu, set up a single, very limited user account, and have the students login to a fileshare that requires login. Have a link on the Desktop that asks for username and password and uses sshfs if you want simplicity.

Two words:

[jbeaupre]

No games

Re:

[From A Far Away Land]

"if these are students trying to prepare for the real world using Linux is not going to help them get that job at 80% of the companies looking to hire computer litterate employees."

Excuse me? What kind of employer would assume that a student who knows how to operate LINUX, is computer illiterate? If anything, they'll think the kid is some kind of computer genius.

I call FUD.

Re:

[Spiked_Three]

heh, call FUD all you want. Do a search on monster.com or dice for 'proficient with open office' and then search 'proficient with Microsoft office'

He's right.

Backup Software

[99BottlesOfBeerInMyF]

You're going to hear a lot of "install Linux" comments and a lot of "linux sucks" comments in reply to them. I'm not going to go there. Assuming you're looking for some minimal security, not a whole architecture revamp, look into some good backup software, make a clean install image with everything you want on it, add a network storage server (Linux?) for persistent data, and just periodically wipe the machines and replace them with a known good image. Keep the image up to date, virus scan the network storage, and you're probably going to be fine.

Re:

[Spiked_Three]

Bingo! I even went so far one time is to create a CD that would boot and copy a ghost image into it. It was a pain to make, but if I had a Lab full of machines it would be worth it.

Re:

[mikelieman]

"look into some good backup software, make a clean install image "

A Knoppix boot cd and the 'dd' utility makes that a snap.

This is a bad idea

[phorm]

If you've ever worked in the educational-tech industry, you'd know that this on its own is a bad idea. Districts can have dozens of schools with labs, and trust me with the ways you can get spyware/viruses/etc you will be having to re-image them regularly. Yes, you can script it, but it's still not an elegant solution and has many issues. Also, while your machines are waiting on an image, they'll be happily popping up porno banners for the kids, connecting to P2P servers, running as open proxies or spam rel

Re:

[99BottlesOfBeerInMyF]

I would have modded this as "funny" but some days it is hard to tell, especially when the coffee is all gone.

XP security

[maxwells_deamon]

Setup individual accounts for each student. Anything else is insane as there is no way to discover who did what.

reimage each machine every night.

Make sure they are on a differnent subnet from all of the admin computers and that the only path to the admin computers from the labs is down through a router.

Files must be stored on a locked down server. Or students own USB drives.

Otherwise. Remove all the hard drives. Lock the door and update resume.

Re:

[Frumious Wombat]

I always thought the best way to secure a lab of XP machines was to take a epoxy kit, and fill in the network and USB ports. If you take that extra second to pull the CD-ROM flap down, you can secure those as well.

It tends to reduce the resale value, but it does cut down on a lot of nonsense.

Security

[Nimey]

This is my suggestion. [russian-mosin-nagant.com]

One word: Don't

[PaxTech]

If you lock them down, they'll work but you'll have a lot of complaints as people are restricted from using the computers for any purpose you haven't specifically allowed. In a business environment, this is fine, you pay the people to work and they aren't using the computer as a toy. In an educational environment though, you want students to be able to experiment.

What I would do is try to create a network disk image that could be quickly and easily reverted to when the machines inevitably get messed up. Let the students play and learn, a large part of learning is in messing things up and trying to fix them.

Re:

[KingDaveRa]

I have to say, I both agree and disagree. I build student PC base setups for the uni I work at. I try to keep things as standard as possible, but I still restrict things. The idea is, you can do things the same as you could on your own PC at home, but you might be restricted in WHAT you can do. We do it via ZenWorks mostly, through Group Policy settings, but on occasion we'll re-image a PC if it goes bad. For the most part, our users (and they are users) don't have many problems. We have issues with big app

Re:

[TubeSteak]

In a business environment, this is fine, you pay the people to work and they aren't using the computer as a toy. In an educational environment though, you want students to be able to experiment.

Not really. A school is almost exactly like a business, employees and kids both have to agree to an Acceptable Use Policy (AUP) and that is that.

The main difference is that a school is liable, for things that happen on the network, in ways that a business is not.

The IT guy want kids to use the computers for educatio

Re:

[Pharmboy]

Not really. A school is almost exactly like a business

Not exactly, as only half the kids at a school network are looking at porn and playing games, compared to 80% of employees...

But your other point, that a business is not liable for what happens on the network is incorrect. A male employee checks out porn, offense a female, the company is liable for sexual harassment. Your computers get infected and start spewing out spam, you are liable and your T1 shut down for a while. You run a server that accepts

Re:

[voice_of_all_reason]

A school is almost exactly like a business

Except it's run by the state (not a private enterprise), and is mandatory (not optional). Other than that, it's exactly like a busuiness!

It can't be done anyway.

[mrchaotica]

No matter what you do, sufficiently motivated students will hack their way around it. At least, that was my experience in high school. It doesn't even matter if you try stuff like BIOS passwords, etc. -- the students have physical access to the machines, or at least can con the teachers into getting it (e.g. in order to fix a problem, unless you've got a much less understaffed IT department than my school had).

So what's the solution? Give up, and let them do it. Re-image the machines if they get screwed up, discipline the students if they do something unacceptable (e.g. download porn, etc.), and don't waste your time bothering with anything else.

Re:

[Geoffreyerffoeg]

So what's the solution? Give up, and let them do it.

My experience is that the sufficiently motivated students (me and a few others) didn't actually want to play games or anything...so one answer is to allow only the sufficiently motivated students to get past it (not explicitly open it) but threaten them with discipline if they tell others.

And yes, any machine with physical access is inherently insecure. That isn't necessarily a bad thing, if you plan your security model around that. MIT gives out the root

Re:

[vertinox]

Well said...

If this class is about learning computers, I would teach them computers. If they screw up the operating system or break something, teach them how to fix it. Teach them how to re-image the drive or use the rollback feature.

If we hide knowledge we aren't teaching our kids anything.

If they do something bad then punish them, but don't treat them like criminals when they are here to learn.

No it isn't

[LWATCDR]

High Schools don't teach kids about computers anymore. They teach them Word, Excel, and Powerpoint.

Lock them down and lock the cases shut.

Re:

[voice_of_all_reason]

In other words, "don't cry, emo admin!"

Re:

[SpottedKuh]

as someone who used to activly help in un-securing school computers to do what i wanted. i have to agree with the dont bother comment becuase its much more trouble than its worth make and image and push it out over the network that what they did at my school.

I think what you're trying to say is...that you screwed around with school computers during English class?

Re:

[account_deleted]

Comment removed based on user account deletion

Image the machines

[slapout]

Are most of the machines the same? Of so, set one up properly and make an image of the hard drive with Ghost or a similar program. At least then you'll have an easy way to restore it when they mess it up.

Get a domain controller and follow these policies

[jmauro]

Get a system to be a domain controller. Lock that DC far away from everything else. Reformat the machines and configure them according to this: http://www.nsa.gov/snac/downloads_winxp.cfm?MenuID =scg10.3.1.1 [nsa.gov]. It'll pretty much prevent any silly things with the keyboards. Also disable the local admin accounts after the machines join the domain and don't give anyone the domain admin password or privilages except those who need it.

This is the only way I've found to keep people from messing up Windows Machines.

Shared Computer Toolkit WDP

[internetstruck]

It's free, and designed for XP [microsoft.com] and schools and libraries. It's pretty easy to install and configure too, if you know how to repartition your drive using Partition Magic. I use it, so reply if you want hints on getting it to work. You need WPA, and Hive cleanup service installed for it to go. It lets AV programs update, and Grisoft gave me a script to make it work with the SCT Windows Desktop Protection. Just reboot, and changes are gone, unless you save them first. Have the computers update overnight, because it doesn't work when people need to use the computer.

Re:Shared Computer Toolkit WDP WGA

[From A Far Away Land]

I think the parent means WGA, Windows Genuine Advantage, not WPA. When I install SCT, it asks me to validate Windows first.

SCT + gparted = crazy delicious

[zubernerd]

The Shared Computer Toolkit is fairly easy to use. If you don't have Partition Magic, GParted (Gnome Partition Editor) works great, is freely available, and I've used it to setup shared machines with no problems. ( http://gparted.sourceforge.net/ [sourceforge.net] )

Deep Freeze

[Anonymous Coward]

As a network admin I am in charge of 3 windows labs(high schools) and 35 Mac OSX labs, amazingly I used to have to spend more time working on the 3 windows labs than the 35 mac labs put togather. I encouraged my department to purchase Deep Freeze and have not had to re-image a machione (other than yearly maintenance) since. I dont ushually promote products but Deep freeze really is an amazing piece of work, it was simple to install and configure and any change that a student makes to the computer gets reset

Reinstall and lock down

[mnmn]

Reinstall XP on each machine first thing. Theres no way you can uninstall the rootkits spyware etc.

Next create one or multiple student accounts, possibly one for each student so it can be traced, and lock it down. By that I mean take away write access to c:\,c:\windows,c:\windows\system32\ most program files folders etc. In short, they should only be able to write to their desktops, and other profile folders. If they cause a mess just delete the profile folder and let them login to recreate it.

Apart from th

Don't go too far...

[Gothic_Walrus]

My high school had a similar issue, and their reaction was simple. They removed all - ALL - but maybe five programs from the start menu. If you wanted Microsoft Office or Internet Explorer, you were in luck. Anything else...well, not so much. If that wasn't bad enough, they also removed access to Windows Explorer, which made using things like USB drives virtually impossible, meaning that, because of the exceedingly strict filter, the only possible way to send files home at all was floppy, and even that

Deep Freeze a great solution

[ironwill96]

A good solution if you are concerned about generally maintaining the same exact image consistently when people use the machine is to utilize Deep Freeze. In our IT Department at a medium-size University (10,000 students) we use Deep Freeze extensively to keep students from ruining lab computers. Deep Freeze is as others have mentioned, a virtual partition system. Each time you reboot the machine, the original image you had is restored and any changes wiped (only files kept in the "Thawspace" are maintained, all others are lost). This means that no matter what your students do, the machine will be restored on bootup.

Now, if you want to further limit what they can do, you can make many changes to the registry in windows to block users from doing many things such as using the "run" menu, installing applications or a number of other things as simple as changing screen resolution or color depth. Once you set everything up and create the image of your restricted setup, Deep Freeze will maintain it every time for you.

You can get Deep Freeze from here: http://www.faronics.com/ [faronics.com] or look there to find out more information about how it works.

We have tried other products in the past that claimed to "restrict" Windows such that users could not make harmful changes (e.g. OnGuard) but none of the ones we utilized were able to be fool-proof and stop students from getting around it or messing something up. Short of reformatting the machine Deep Freeze is pretty hard for the student to get around. Thawing the machine to make changes requires a lengthy key combination to even bring up the password box (key combination is customizeable by you), or you can enter a key combination on bootup to access the password box to thaw the machine. You can also maintain the systems through a Deep Freeze console so you can admin all the machines at once and even push new images to them that way.

That's my three cents on how we do things in an Academic environment, but our general policy has been slight restrictions but allow them a lot of free reign - except we reset the system every time it is rebooted. I'd suggest for Middle and High school to implement a lot more restrictions on the base image that you use with Deep Freeze than what we have here at the University level.

Mod parent up

[vga_init]

I've seen extensive deep freeze deployment starting from when I was in high school and continuing through higher education. I work in a computer lab now, and that is what they use; I've seen the software in action and have also done some light administration with it.

From what I can tell, it basically makes the system invincible. It doesn't matter what weird crap the students pull on our machines (and trust me, young students can destroy any system they touch in no time, guaranteed--you have no idea how u

Re:

[ADRA]

Ah, sweet memories. I remeber spending quite some time hacking the Deep freeze demo at comdex years ago (think win95 timeframe?). I did it, but it took a very long time, and it definitly wasn't trivial for a geek.

I found it a good tool, but like everything else it isn't invulnerable to different attack vectors (physical). I'd recomend this in combination with other solutions like off-computer imaging solutions for times when the tool is compromized and firewalls just because you should always use 'physical'

Re:

[anethema]

Deep freeze is a good program, but far from foolproof like many have mentioned. Use other security measures as well. One student gets his hand on the wrong tool (like this one http://usuarios.arnet.com.ar/fliamarconato/pages/e deepunfreezer.html [arnet.com.ar] ) and your deep freeze doesnt help much.

Good luck! :)

couple of quick things to do

[farker haiku]

first, disable the cd rom (no bootable linux cds)
second, remove the run command from the start menu through group policy.
third, disable the hot keys for run.
fourth, make the password for the admin account 15 characters long so the usual password hash rainbow tables won't be able to insta crack it.
password protect the bios so that the smart kids can't change the boot order to boot from usb. that'll prevent them from getting the sam files.

make an image and store it.

Easy

[tktk]

Remove all the power cords, and put epoxy in the resulting empty power sockets.

Re:

[Lxy]

Sadly, I remember many students who were able to defeast this in my high school. Dried epoxy just requires patience and a good screwdriver, and power cords are easy to come by.

Well, speaking from experience...

[MostAwesomeDude]

From experience, here's what you need to do.

First, lockdown all accounts. Some people mentioned Deep Freeze, some people mentioned group policy. My old school used Active Directory with group policies, so yearbook students and teachers could save files to the central server.

Take away the Task Manager, right-click, and Internet Explorer. Those are the most common amateur attack vectors. I'm at Oregon State University, and have had no problems compromising the "locked" computers here simply because they left me with Internet Explorer. Replace it with Firefox, and read the Firefox docs on how to lockdown the browser settings.

Tell teachers to supervise kids in computer labs. There was one lab at my old school which kids stole drives, memory, and fans from all the time simply because the teacher in that lab was incapable of monitoring his students. It was bemusing but also expensive.

Re:

[99BottlesOfBeerInMyF]

Tell teachers to supervise kids in computer labs. There was one lab at my old school which kids stole drives, memory, and fans from all the time simply because the teacher in that lab was incapable of monitoring his students. It was bemusing but also expensive.

I was in a university lab with the old Powermac G3 towers shortly after they were introduced. I don't know if you've ever seen them, but there was a handle on the side to open them. No screws, no tools needed, the side just hinged down taking half t

Get some hackers

[Anonymous Coward]

Between 1990 and 1996 I had a high school computer lab. It was a time when the school's computers were better than what most of the kids had at home. Thus there were lots of kids who wanted to stay after school to play with the school's machines. The deal was simple: You can do anything you want with the school's computer as long as it is available for use the next morning. It worked well. Other than hardware problems, I had approximately 100% up time. We never had a machine go down due to a virus.

A few Suggestions

[haplo21112]

1. Virus protection is a good start.
2. True limited user accounts where the students have only User level rights. Make accounts individual per user, you'll need a domain controller if there is not already one to accomplish this however. (Depending on scope you might be able to rededicate one of the machines as a DC)
3. Force password changes on a monthly basis, to help stop the passing around of passwords.
4. Secure the Domain Admin account, a good idea is share the account between two users, each with only

Lock it down hard

[Shawn is an Asshole]

Dealing with destructive high school students one of the things I have to do. Here's a few things to keep in mind.

• Use a domain.
• Put all desktop and menu items in the netlogon/All Users folder.
• After creating the user's profile and it's copied to the server, rename ntuser.dat to ntuser.man (means mandatory). Set Samba to disallow write access. This will prevent them from writing changes back to the server.
• Use the administrative templates to lock down everything that can possibly locked down. If you don't, some bastard will change it and you'll have to fix it. This can be scripted.
• Make use of whatever lockdown features are available in your software. Believe me, you'll need it.
• Install the Shared Computer Toolkit [microsoft.com]. It provides many addition lockdown features. Anoying thing about it, though, is that it requires the computer to be "validated". Not just activated. Make use of it's "Disk Protection" feature.
• Disable access to everything you possibly can, except what's needed.
• Use optical mice. Keep many extras. Expect buttons to be torn off. Expect mice to be regularly stolen, so use cheap ones. Also expect paper or other garbage to be jammed into the sensor. That also applies to floppy drives and cdrom drives.
• Keep many extra keyboards. Be prepeared to spend time every week putting the keys back in the correct order. Keys will also be stolen.

Most of the student won't try to break things, but a few assholes will so you have to make sure they can do the least amount of damage possible. Unless, of course, you feel like cleaning things up daily.

You could also get an Active Directory domain and push the restrictions that way. I prefer to script it since I prefer to have my servers run Linux.

possibly redundant suggestion

[Fry-kun]

The best implementation of "protection" I've seen in schools was re-imaging the OS automatically over the network on every bootup. The students can do WHATEVER they want, (giving them the local admin access becomes safer, though still not recommended) - at logout the computer reboots and it is once again clean for the next user.
HD space is cheaper now, so you might be able to get away with a hidden partition for re-imaging. Problem is, what if they modify the hidden partition with something malicious?
As for

two suggestions

[DaveJay]

First: get a router for all the computers to pass through, with a web site whitelist (like the cheap and widely available DLink 808HV or 404HV); tell students that if they want to access a site that's blocked, they have to ask permission for it to be unblocked. Over time, useful sites will fill the whitelist.

Second: install VNC as a service on all the machines, with a good password, and configured to not allow keyboard/mouse control. Then switch all students to non-administrator access so they can't turn it off (stop the service) or uninstall it. Finally, announce to each and every class that you have the capability to watch any desktop at any time remotely, and will basically be scanning through every desktop in the room regularly and punishing everyone caught doing stuff they shouldn't. Then DO IT, until the message sinks in that you're serious.

Third: over time, do consider switching to a more secure OS, provided it can support what you're trying to accomplish in the lab.

Turn everything off

[bcmm]

Students won't be able to do anything, so it will be totally secure. A lot of schools have had great successes with this approach.

4 years IT support for Public Schools

[Dewser]

Evil little bastards will steak anything that isn't (and sometimes is) fastened down. So make sure you get those PCs locked down physically. Keep this in mind.. out of site, out of mind. If they don't see it, they won't try and break it. I came across a Dell tower one day while wondering the high school and found that someone had punched a hole though the empty bays as well as poked out the PCI slot covers in the back. They managed to swipe the CD-ROM, Memory and processor. The dumb ass teacher didn't even think to report this to use. And its not like the system was hidden under the desk, it was right on the counter in the front of the classroom. Another kid brought in a duffle bag and bolt cutters. He actually made it to the parking lot before security caught him. Oh did I mention he got this thing unsecured and in the bag during class?

Anyway as far as locking the system down, if you own Windows 2000/2003 server Active directory is the easiest and cheapest way to go. It will take some tweaking but it works pretty well. I also found striking the fear of god into the kids was equally effective. ;-)

And the guy who posted about the stock of mice and keyboards, he is also right on! They run through that equipment like water! So you strike a good deal with a vendor and buy those things in bulk. We got the keyboards down to like 7 bucks ea. and the mice about 3-4 bucks each.

Group policies are your friend

[raistphrk]

I administered a computer network at a high school for three years, so I can toss out a few suggestions:

VLAN your network. If you have Cisco switches, this should be easy. Set up seperate VLANs for students, the staff, and servers. You'll be able to isolate what resources can be accessed based upon these access lists.

SET UP A PROXY SERVER! Seriously. One of the first systems you should implement is ISA Server 2006. ISA Server will act as an internal proxy to control what users have access to the Internet, and what resources they can access. Set ACLs on your internal switches to prevent routes to the Internet from the student VLAN unless they go through the ISA Server. Set up the ISA Server in front of a filtering appliance, pass all HTTP traffic, and allow access only to HTTPS sites you've added to an allow rule on your ISA server. Add the same limits to SWF, DCR, and possibly java or class files.

Only allow Internet traffic to port 80 and (to a limited extent) 443 for students: Look, your students aren't going to need any other services besides HTTP and HTTPS, and if you're not careful about HTTPS, they'll be popping holes in your proxy using an encrypted web service.

Set your web filtering to deny unrated sites: Students are going to try and circumvent your web filter though phproxy or cgiproxy. The smartest kids will go so far as to set up their own domain to get around your filter. The solution? Block what's not rated. It's also important that your filter have a mechanism to request that a site be unblocked. From a security perspective, it's important that you not open yourself up to risks that you can't control - including websites - but it's also important for the students' development that they have an opportunity to view controversial subjects and make up their own minds about the topic.

Use groups: Set up an OU for each grade in your school. Create a global domain group for each grade. Set up another OU for classes, and create a global security group for each class section. That way, you'll be able to allow or deny access to resources for each grade or class.

Software Restriction Policies: If you have a Server 2003 network, group policies are an amazing asset for your Windows XP clients. Group policies allow you to change settings on users and computers in your network. For instance, you can disable access to the registry or lock down Internet Explorer. Within group policies are a special policy component called Software Restriction Policies that allow you to decide whether or not applications can run based upon the hash, path, or filename. On my network, I designed the SRP around hashes. Managing those policies was a pain (the list was around 400 executables), but it was worth limiting what code would execute on the systems.

Admin tools: You'll want to turn off access to all administrative tools, so disable access to the command prompt, registry editor, and MMC. Also, disable access to the security tab in Explorer to prevent students from changing file permissions. For your computer policies, set the local security policy to disable storing the LM hash for passwords.

Use the Windows firewall: I know it's not much, but it does provide a lot of benefit over nothing at all. Using group policies, configure static rules into the Windows firewall. This will prevent malware from causing problems on your network, and will also prevent iTunes from eating your bandwidth.

Web browsers: It pains me to say this, but don't allow browsers other than Internet Explorer to run on your machines during school. When Firefox adds group policy support, I'll relent on that, but you have no control over what code is executed in Firefox, whereas group policies give you a lot more control over Internet Explorer. Example: after implementing our software restriction policies, students began downloading Flash games in swf form to their laptop hard drives. After receiving complaints from teachers, we simply disabled Firefox through SRPs, and disable

ADS Security and Ghostcast

[Zerbey]

I'm going to assume here that you must use Windows. Honestly, it's not much harder to lock down than Linux.

* It's relatively simple to lock down users with GPO where all they see is a start menu and specifically what you want to give them. Make sure you remove access to the C: drive. Be warned that there are ways around it so keep you eyes open.
* If you MUST give them net access, force proxy and restrict the hell out of them. Teenagers will look at stuff they're not supposed to and are very creative at getting around firewalls :) Dan's Guardian is an excellent free solution that does content filtering. Squidguard also works well. The best advice is to block everything except what you want them to see. Ditch IE and use one of the Kiosk addons for Firefox or Mozilla (there are several).
* Get ghostcast, or opforce, or something free and reimage them every night. You'll thank me later.
* There'll be one or two kids (usually just one) that always manage to get around your restrictions. These are the kids that will one day have hugely successful IT careers. My experience is it's better to give them some extra responsibility to help YOU out, they'll thank you for it.

Don't lock them down, let them do it

[Allnighterking]

(I won't say install Ubuntu, Kubuntu is much better.) However I'd rather get down to what really works in a situation like this. Don't lock them down. Anything an adult imposes will be viewed as a challenge and "Repressing their inner need to grow" However if they choose a security team, they get involved (even if it's just listening) with the process of locking down the systems, seeing how the bad guys work and what to do about it. Suddenly they are no longer "The schools computers" but their computers. If the students themselves are in charge of the lock down then if and when one of their own walks outside the line they are much more effective at pulling their peers back in line than you can be (except in extreme cases, like theft.) Not to mention the shear volume of knowledge even the slowest learner will acquire during the process. Put that budding script kiddy in a position where his/her reputation as "cool" is on the line ( SK " Oh man that's ripe any fool can hack that" Teacher "OK since you know the hacks, how about showing us the blocks.") Sure they will push back but be sympathetic and understanding saying "That's OK I'm sure you really don't know that much about this anyway." People protect what they own. Give these kids a sense of ownership.

Re:

[devnull17]

OK. Do you want to teach dozens of teachers and hundreds of kids how to use Linux?

Sure.

[khasim]

First off, the part you'll be authorized to use is almost exactly like Windows. Here's the login screen. Here is the "Start" button. This is your web browser, word processor, etc.

These machines will NOT run most of the applications you have at home. We want it that way.

Re:

[devnull17]

Maybe. But someone's going to have to add user accounts and install software, and fix things when they break. It's not the users I'm concerned about, but rather the admins. It sounds like this school doesn't have an IT department, and I've found that foisting new technologies on people is not a good thing to do unless you're personally willing to support them when things go wrong. And if you're not going to do it, who else can they call?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Anonymous Freak]

My son's middle school runs their computers on Linux with XPde and OpenOffice.

It's so convincing, it even took me a few seconds to realize that it wasn't XP. (When I looked at the Start menu and saw an X instead of a Windows logo. Everything else on screen would have been 100% 'at home' on a true Windows computer.)

Re:

[miyako]

Really, there shouldn't be much to teach them. It's not like the students and teachers are going to have to be installing or configuring software or anything. Just set them up with a desktop that has two icons on it, one labled "Office Software" that opens up OpenOffice.org and the other that says "Internet" that opens up Firefox. Disallow writing to the hard disk at all, and only allow users to write to floppy or usb.
If you want to go to the effort, you can even customise a setup like this, then create

Re:

[shades66]

>OK. Do you want to teach dozens of teachers and hundreds of kids how to use Linux?

Yeah like mozilla & openoffice are so diffent to the windows equiv's. I'll take years to show them that the back button in mozilla works just like errr. the back button on IE, and open office how long will it take to show people that to open a file you select File/Open unlike microsoft office where you select errr file/open!

Re:

[Anonymous Freak]

My 12 year old son can't tell the difference between Windows XP with MS Office 2003 and Linux with XPde and OpenOffice. On a Pentium II 400 MHz system with 256 MB of RAM.

That's what they use at his middle school, and they use both Windows and Linux. When I installed Linux dual-boot on his home PC (P4 3.2 GHz, 512 MB RAM,) the only way he knows he's in Linux is that he can't find his games.

Your troll would be interesting, if there was fact behind it.

Re:

[urbanriot]

It's unfortunate you were moderated down as troll, when most of the people posting to this topic have been trolling and straying from the original topic. I'm willing to bet a lot of the people who didn't read "these are windows XP systems" and are going on about linux have never configured and maintained a large homogenous or native Windows network, or at least had the knowledge, experience or intelligence to properly configure and lock down a Windows based network. I hope the OP is at least running all th

Re:An Idea...

[An Onerous Coward]

I disagree. While Linux shouldn't even be brought up in the context of securing a Windows XP lab (except maybe to serve network resources and authentication), using a Linux desktop is only going to help high school students learn computer skills.

Basic web usage is portable to Internet Explorer (and even moreso to Firefox on Windows). Basic word processing skills can be easily transferred from OpenOffice to MSOffice. Basic fragging skills are transferrable from Quake 3 to Half-Life (c'mon, these are high school students).

More important, learning to accomplish the same task using more than one application can really help cement in the kids' minds that they're not learning "how computers work," but "how this particular application works." Which is very important for a real understanding of computers. Where differences exist, they open up opportunities for learning. What is a file format? How can multiple programs handle the same data, and why do they sometimes do it slightly differently? What are web standards?

Couple that with the number of programming languages freely available to educational institutions under the apt-get license, and it seems to me that there is definitely a place for Linux in the classroom.

Re:

[Zantetsuken]

that and it's possible that they may get interested enough (out of geekyness or for the money) in linux to go and learn advanced stuff, and become a network or server admin, thus making much larger sums of money in their career path than they would if they only ever use WinXP and instant messenging...

Re:

[bersl2]

When users are not responsible for administration of the system, the right distro becomes just another operating environment, which can be taught without significant difficulty to the vast majority of students: the look-and-feel is just a little bit different from what they are used to, the names of programs are different (though if a distro is smart, it will list the function of each program in its label, e.g. "Firefox (web browser)", so don't give me any of that crap about letting programmers name stuff b

Re:

[InadequateCamel]

Seeing as how the lab in question already has (we assume) fully licenced versions of Windows XP, suggesting that they throw away the software and learn how to use Linux does strike me as very unhelpful and, yes, a little bit offtopic. If this were a discussion about upgrading a computer lab then the Linux comment would have some merit, but here it just comes off as needlessly preachy and unhelpful.

my 2 cents

Re:

[account_deleted]

Comment removed based on user account deletion