
Handling User Grown Machines on a Large Network?

Cliff posted more than 11 years ago | from the where-infections-run-rampant dept.


matth asks: "Recently with the outbreak of the MSBLASTER worm and the startup of the college semester here in the US we've been hit by a big problem here where I work. Many students are bringing in machines from home, often times infected. The infections are so bad that they bring the whole network to a crawl. Yes, you can install ACLs on edge routers and put a router between the dorms and the rest of your network, but it still brings the dorm to a crawl. You can make sure people install the patches, but what if someone re-installs Windows, or brings in another machine, and what about NEXT year? From the Slashdot community, how have sysadmins out there dealt with this? How can you manage each machine in a network such as a college, where people are bringing their own machines in from the outside? ACLs on routers... but what about for the segmented network?"


FP (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6833338)

FP

The state of employment. (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6833408)

First they came for the menial jobs. I never spoke out because I didn't have a menial job.
Then they came for the unskilled laborer jobs. I never spoke out because I wasn't an unskilled laborer.
Then they came for the skilled labor jobs. I never spoke out because I wasn't a skilled laborer.
Then they came for the call center jobs. I never spoke out because I didn't work in a call centre.
Then they came for the middle management / clerical jobs. I never spoke out because that wasn't my job either.
Then they came for the programmer's jobs. And there was no-one left in employment who wanted to help me.

FACT: This country is being hollowed out from the inside by filthy subhuman animals. An invasion of scum, often illegally entering the country, who are crawling their way into good jobs. Why? Because they are wanting to take everything over. We all know to what effect that
'positive discrimination' has altered employment practises. Now, instead of the most valuable person for the job, companies are obliged to employ rancid, workshy immigrants.

Of course, the animals want to get into good companies, so they in turn can influence management decisions to outsource further jobs to their cousins overseas. Thus destroying an entire nation.

From the lowliest Janitor to the highest executive, foreigners MUST be eliminated from our corporations.

THEY BREED FASTER THAN OURSELVES BECAUSE THEIR LIVES ARE WORTH LESS.

Re:The state of employment. (3, Funny)

dipipanone (570849) | more than 11 years ago | (#6833490)

First they came for the menial jobs. I never spoke out because I didn't have a menial job.

Somebody has obviously made a serious mistake then. Can I suggest you apply at the sign of the Golden Arches to find something more commensurate with your intellectual abilities?

WHOA SOMEONE JUST DISCOVERED WHAT IT'S LIKE (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#6833340)

TO BE A FAG

morons (-1, Flamebait)

bombashack (695805) | more than 11 years ago | (#6833342)

one word to solve all your problems: Linux

Re:morons (1)

calebtucker (691882) | more than 11 years ago | (#6833375)

I really hope you're kidding. I hear this way too often, and it pisses me off. I know this is slashdot with a bunch of linux geeks, but I hope you all don't seriously think this will really happen any time soon.

Yeah, I like linux as much as the next geek, but in its current state, there's no way the P2P'ing and IM'ing "normal" people are going to switch.

Re:morons (1)

bob670 (645306) | more than 11 years ago | (#6833401)

Right, because there are no P2P or IM clients for Linux?

Re:morons (0)

Anonymous Coward | more than 11 years ago | (#6833466)

Do you really like Linux as much as the next geek? I have the feeling that to write a comment like that you've never used it before. Never mind that the P2P clients on Linux are spyware-free, and the IM clients usually support multiple protocols? (AIM, MSN, Yahoo, Jabber, ICQ etc.)

To anyone who doesn't know - yes, Linux has these things.

Re:morons (0)

Anonymous Coward | more than 11 years ago | (#6833391)

yes, currently leading the way with 61% of web defacements happening to linux web servers....kickass OS you got there pal.

Re:morons (2)

shokk (187512) | more than 11 years ago | (#6833412)

Right. [sans.org] Let's see how many people are patching against those vulnerabilities. That "Linux is invulnerable" attitude is preventing many from even thinking about security holes in Linux. I see a major wake-up call coming...

Re:morons (0, Flamebait)

mslinux (570958) | more than 11 years ago | (#6833479)

Simplistic responses to complex questions are stupid. Steve Jobs would have said Mac, instead of Linux and we all know that Mac addicts are a stupid, religious bunch of idiots, so don't make Linux addicts out to be like them as well.

Wait until a Linux distro gains significant market share... then we'll see how well it fares against worms and viruses... sendmail anyone???

No more (1, Interesting)

bob670 (645306) | more than 11 years ago | (#6833343)

Windows? I am seriously considering moving my smaller clients to Mac or Linux pretty soon, I'm drawing up the proposals today.

forcefully (3, Insightful)

OriginalSpaceMan (695146) | more than 11 years ago | (#6833344)

Force them to login to an Active Directory domain and hand out updates...

Re:forcefully (5, Insightful)

bob670 (645306) | more than 11 years ago | (#6833383)

Then who supports them when the latest Windows update hoses their machine? It happens less than it used to, but I have one client who lets auto updates run, and one patch in particular (810577) has brought network browsing to a crawl. We have done literally hundreds of tests and narrowed it down to this patch, but neither the knowledge base, user community nor a direct (and expensive) call to MS support can fix his issue. Now he has users screaming about slow network browses to files and folders, time outs hitting their home-brewed database and his phone never stops ringing. Now multiply that by the body of a college campus?

You'll need something more reliable than Windows if your plan is to mandate that sort of thing.

Re:forcefully (1, Insightful)

Anonymous Coward | more than 11 years ago | (#6833421)

Well it's a bit ridiculous to think you can make everyone happy all the time. Maybe it's his hardware conflicting with something...guess what, his problem... Besides, if you are blocking the correct ports at the firewall then an insecure system is still safe to a degree and only a scan/clean would need to be scripted for login.

Re:forcefully (1)

bob670 (645306) | more than 11 years ago | (#6833476)

What an amazingly simplistic viewpoint, do you work for MS support? You're blaming hardware that worked fine before a patch, so you must work for MS or Symantec, the world's largest purveyors of such ill logic.

Judging by your post you have never had to support end users, or you would know on some level you do have to make end users happy all the time. And your supposed solution only deals with the current threat, how many scans/cleans should we run at log in each day? I can see it now, you enter a classroom, fire up your laptop, and by the time the entire class has been subjected to scripts for every MS vulnerability the session is over.

Re:forcefully (2, Interesting)

shokk (187512) | more than 11 years ago | (#6833447)

As the systems admin who will test those patches in a test lab before rolling them out to people, you will make sure that will not happen if you value that paycheck. Blindly checking off security updates for addition to the network is stupidity no matter what the platform, whether you use up2date or MS AutoUpdate. For MS systems, having a SUS server helps centralize this process since you check off what you authorize to get pushed to the network. Active Directory policies can enforce this. Those that don't want to play in the domain can piss off. If you want to keep them off the network, there is always 802.1x.

Re:forcefully (3, Informative)

Anonymous Coward | more than 11 years ago | (#6833478)

Software update service (SUS) - MS website

Basically it's a Windows Update server that you run yourself; you can approve which updates it allows clients to download.

check it out.

Re:forcefully (1)

mslinux (570958) | more than 11 years ago | (#6833511)

There is a flaw in your thinking. If you don't trust Windows Update, then why do you trust MS enough to buy their product in the first place???

Re:forcefully (2, Insightful)

bob670 (645306) | more than 11 years ago | (#6833522)

No flaw here, I totally don't trust MS, but as a support person I have no choice but to deal with them, as do most of us. Too bad the school can't mandate load out on each laptop, sell 'em pre-loaded at a discount.

Re:forcefully (4, Insightful)

Samari711 (521187) | more than 11 years ago | (#6833530)

what about the seniors who are still running 98. then you also end up slowing down student machines and you get a bunch of unhappy students. micromanaging a few thousand computers whose specs are all over the board will cause more headaches than it solves

responsibility (4, Interesting)

NetMagi (547135) | more than 11 years ago | (#6833357)

You can only separate networks so much.

If you make them bear some financial responsibility for not checking their machines first this might help.

Re:responsibility (5, Insightful)

gykh (625487) | more than 11 years ago | (#6833507)

If you make them bear some financial responsibility for not checking their machines first this might help.
Are you sure about that? What are you going to fine for? Not having a secure enough computer? Everyone (i.e. /.) knows security holes appear every week, major ones every 4 months or so. Do you fine someone who just reinstalled windows and was just logging on to download patches and got hit? For getting a virus? How about we tax stupidity next?

Students go to university to learn and give back some knowledge, not to constantly maintain their tools.

Re:responsibility (1)

NetMagi (547135) | more than 11 years ago | (#6833526)

as part of the "returning to school process" you hand out papers on how to update, a cd, and a number if you need help.

if they ignore it and connect their machine anyway... BLAM, $15 to the tech that comes to do it for them

Simple... (5, Funny)

woodchip (611770) | more than 11 years ago | (#6833358)

just ban users from your network.

Higher admission standards (1)

delirium of disorder (701392) | more than 11 years ago | (#6833359)

Only admit students intelligent enough to run a virus scanner if they are on a Micro$oft platform.

Domain logons (4, Informative)

kevin_conaway (585204) | more than 11 years ago | (#6833360)

At my university, at least for the public machines, when you logon to the domain, a script executes that automatically patches your machine and runs fixblast and fixwelch. you might want to investigate into something like that

Re:Domain logons (0)

Anonymous Coward | more than 11 years ago | (#6833397)

This is exactly what we are doing at my college. When a student first connects, they are kept in a separate vlan for a while, until a script has finished scanning them to ensure they are updated and aren't infected. Of course, the virus is spreading there, but the people that are connecting normally are just fine. Better than my sister is doing at Wagner, where they have had their students moved in for nearly 2 weeks and their network was still down. Last I heard.

Re:Domain logons (1)

Phleg (523632) | more than 11 years ago | (#6833409)

Don't forget, if you use this solution, to give users notice that you will install patches on their system, and make them accept this. If not, you could face serious legal issues.

Re:Domain logons (1)

shokk (187512) | more than 11 years ago | (#6833474)

EULAs like this can be incorporated into a web page like those used in airport WiFi networks that sell you connection time on their access points. This scripted VLAN solution sounds pretty nice. Does this use 802.1x?

Re:Domain logons (1)

mindstrm (20013) | more than 11 years ago | (#6833536)

Some of us would say that joining your computer to the domain (which requires administrative privileges on your computer) is BY DEFINITION turning control over to the domain administrator.

Great idea, but... (4, Interesting)

aetherspoon (72997) | more than 11 years ago | (#6833448)

... when you go to a university where you do not log on to a domain in dorms.
I've found that to be very common (including the Uni that I'm typing this at) since it is MUCH easier to set freshmen up on move-in day.
Also, certain things do not work when you start logging onto domains. Example: XP's fast user switching. You'd have students complaining about the administration restricting their rights to their own computer, blah blah blah... then on top of it, automatically patching something. Legal nightmare. Works great for lab PCs, horrid for dorm PCs.

Ban 'em (5, Insightful)

larien (5608) | more than 11 years ago | (#6833362)

If you can track down where the traffic is coming from (which I believe you can with MSBLASTER, at least to the extent of IP address and from there, MAC address), block their port until they fix their machine. Once they've (a) patched up and (b) removed MSBLASTER, let them back on. Having an A4 sheet detailing where to get the patch and removal tool (possibly mirrored locally) would be a good idea too.

Re:Ban 'em (1, Insightful)

SnowWolf2003 (692561) | more than 11 years ago | (#6833435)

If you block them, how are they supposed to patch their machine?

How about netsending them with a message saying their machine has been infected with a virus - please go to x website to download and install the patch. Also give them a helpdesk phone number so they can be walked through the process.
If they aren't tech savvy enough to be keeping their virus scanner up to date, they probably haven't turned off the messenger service either.

Re:Ban 'em (0)

KoolDude (614134) | more than 11 years ago | (#6833473)

Nice idea. Better yet, let them go back home, enjoy a long vacation and come back in 2004 when the worm expires...

No, I am not one of 'em :)

Re:Ban 'em (2)

figital (576803) | more than 11 years ago | (#6833524)

i bet this works great with 20000 users. or not :(

Possible solution (4, Informative)

Phleg (523632) | more than 11 years ago | (#6833363)

Do some intrusion detection on the network--possibly through Snort. If any machine is spamming out MSBlast messages or Sobig emails, drop their connection via MAC address and refuse to give them another DHCP lease. Then, when the person comes in to complain, let them know their computer was infected and flooding the network, and give them a floppy with the proper security patch on it.

It might be a bit annoying to automate the process (except for handing out floppies) at first, but it seems like it could significantly help, while at the same time educating users to update their patches.

MAC address lockdown (1)

Peachy (21944) | more than 11 years ago | (#6833366)

At the switch level.

Re:MAC address lockdown (0)

Anonymous Coward | more than 11 years ago | (#6833405)

it's easy to hijack one and use that one. at least under an OS like linux. dunno about the point&click interface.

You could just... (5, Funny)

gsperling (625206) | more than 11 years ago | (#6833367)

...tell students at registration that Windows machines are not allowed on the network, and that they must install Linux. This will not only clean up your network problems, but it will also give the students a sense of doing the right thing for their computers. Along with their free condoms, give 'em free Linux CDs.

Re:You could just... (3, Insightful)

Phleg (523632) | more than 11 years ago | (#6833394)

Because I'm sure that they'd far rather spend sixty times the amount of support costs trying to get users acquainted with Linux, rather than have their network flooded with virii every now and then.

Now don't get me wrong--I'm just as much a die-hard Linux advocate as anyone, but it's just not feasible to tell every kid on a college campus to suddenly switch operating systems. They're going to need to figure out how, and you're going to be the ones to tell them. This is going to send your costs through the roof.

He's trying to solve problems for his university, not create new ones.

Re:You could just... (1, Informative)

Anonymous Coward | more than 11 years ago | (#6833429)


flooded with virii every now

Repeat after me: viruses not "virii"

YES, THAT'S A GOOD IDEA (5, Funny)

YOU ARE SO FIRED! (635925) | more than 11 years ago | (#6833414)

"Along with their free condoms, give 'em free Linux CDs."

"Here. You'll never use this first item if you choose to use the second item. Have fun, and welcome to college."

You are sooooo fired.

Re:YES, THAT'S A GOOD IDEA (0)

Anonymous Coward | more than 11 years ago | (#6833505)

"Darn, Linux is too hard to set up. I'm just going to go screw." -Incoming Freshman Geek

Re:You could just... (1)

PhoenixFlare (319467) | more than 11 years ago | (#6833456)

Riiight...Let's not let personal bias get in the way of answering the guy's question, shall we?

As things stand today, the school's administrators would have to be certifiably insane to try something like that...Maybe in a controlled work environment you could get away with it, but not at a college- it'd be a toss-up between the tech support guys or angry students getting to kill you first.

Communist! (1)

jefu (53450) | more than 11 years ago | (#6833467)

You must be a steenking commie to even think of such a thing!

That it would help solve the problem, educate students a bit - probably leaving them far closer to computer literacy than anything else they'll do in college ... Thats all irrelevant. You are proposing something that is clearly unamerican, anti-capitalist, communistic, anarchistic, anti-christian, and so on.

I'd love to see it done.

Re:You could just... (1)

il_diablo (574683) | more than 11 years ago | (#6833482)

Right.

And tell that to the professors teaching classes that require use of Microsoft programs (Visual Studio, Access, Excel, etc) that they have to rewrite their curriculum and learn to use and teach new software on a new OS.

Most professors not in CS are technophobes, or at least, not as comfortable with the machines they use to teach to renovate their entire set of courseware.

Finally, a vergein! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6833368)

First Post!

You are failing miserably (-1)

Suicide Bomberman (679592) | more than 11 years ago | (#6833450)

Your post is not first, it is 6833368th, you, sir, are a fucktarded failing loser.

Maybe give out some info to the people? (3, Insightful)

TheWart (700842) | more than 11 years ago | (#6833370)

Here at my school, for the last week, starting about a day before freshman move in, they have had flyers *everywhere* telling people not to hook up to the network until they install this patch provided by the IT dept. Of course, there are still the bozos that don't pay heed to the warnings....but there are lots of them in the world anyways.

Re:Maybe give out some info to the people? (2, Interesting)

PhoenixFlare (319467) | more than 11 years ago | (#6833471)

I know of at least one school in my area taking a tighter approach- no machines have their access to the network turned on until they've been personally looked at by a support tech. Long delays, obviously, but at least nothing should get by.

one way. (5, Informative)

grub (11606) | more than 11 years ago | (#6833371)


Ensure that home machines (ones that you haven't configured) get IPs in a VLAN group which you've bandwidth throttled on the routers/switches along the way so the rest of the VLANs don't get choked by home-grown disasters.

Machines you have control over can get IPs in another VLAN which isn't throttled, or at least not as much as your "uncontrollable" VLAN. At the router where the VLANs can meet have strong ACLs and traffic flow control.

Just because you give them access with their own machines doesn't mean you have to give them unrestrained access.

managed switches (5, Informative)

Feyr (449684) | more than 11 years ago | (#6833374)

assuming your network is switched, and your switches are "manageable" (ie you can log in to them remotely)

you could have an IDS (or similar) with a rule looking for specific attacks (ie blaster). when you detect such an attack, fire off a script that shuts down the user's port on the switch. they'll bitch and moan that they can't access the net but you'll know who they are now and charge them a cleanup fee (make sure to include it in the terms of use)

another solution is to require anyone bringing a computer from home to have it inspected by your techs, block access based on mac address and only give them access once they've passed the test. it does require more resources tho, and ideally you'd still need the first option (in case someone reinstalls windows)
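A sketch of the IDS-driven quarantine that Phleg's "Possible solution" post and this one both describe, as an added example (not code from any poster): it parses Snort-style fast alerts, flags a source that hits several distinct hosts within a short window (worm sweeping, rather than one legitimate RPC connection), looks up the MAC in a lease table, and renders ISC dhcpd host blocks that refuse those MACs a lease. The alert lines, local rule ids and lease table are constructed for the example, and the timestamp year is assumed because fast alerts omit it.

```python
"""Added example: turn IDS scan alerts into a per-host quarantine list.

Constructed input only: the Snort-style "fast" alert lines, the local rule
ids (1:1000001 / 1:1000002) and the IP-to-MAC lease table below are made up
for this example and are not captures from any real network.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

ASSUMED_YEAR = 2003  # Snort fast alerts carry no year; assumed for parsing.

SAMPLE_ALERTS = """\
08/29-09:00:00.100000  [**] [1:1000001:1] LOCAL DCERPC bind on 135/tcp [**] [Priority: 1] {TCP} 10.20.5.17:1051 -> 10.20.9.4:135
08/29-09:00:00.400000  [**] [1:1000001:1] LOCAL DCERPC bind on 135/tcp [**] [Priority: 1] {TCP} 10.20.5.17:1052 -> 10.20.9.5:135
08/29-09:00:00.700000  [**] [1:1000001:1] LOCAL DCERPC bind on 135/tcp [**] [Priority: 1] {TCP} 10.20.5.17:1053 -> 10.20.9.6:135
08/29-09:00:01.000000  [**] [1:1000001:1] LOCAL DCERPC bind on 135/tcp [**] [Priority: 1] {TCP} 10.20.5.17:1054 -> 10.20.9.7:135
08/29-09:00:01.300000  [**] [1:1000001:1] LOCAL DCERPC bind on 135/tcp [**] [Priority: 1] {TCP} 10.20.5.17:1055 -> 10.20.9.8:135
08/29-09:00:02.000000  [**] [1:1000001:1] LOCAL DCERPC bind on 135/tcp [**] [Priority: 1] {TCP} 10.20.5.40:1088 -> 10.20.1.2:135
08/29-09:00:05.000000  [**] [1:1000002:1] LOCAL ICMP echo sweep [**] [Priority: 2] {ICMP} 10.20.5.23 -> 10.20.9.10
08/29-09:00:05.200000  [**] [1:1000002:1] LOCAL ICMP echo sweep [**] [Priority: 2] {ICMP} 10.20.5.23 -> 10.20.9.11
08/29-09:00:05.400000  [**] [1:1000002:1] LOCAL ICMP echo sweep [**] [Priority: 2] {ICMP} 10.20.5.23 -> 10.20.9.12
08/29-09:00:05.600000  [**] [1:1000002:1] LOCAL ICMP echo sweep [**] [Priority: 2] {ICMP} 10.20.5.23 -> 10.20.9.13
08/29-09:00:05.800000  [**] [1:1000002:1] LOCAL ICMP echo sweep [**] [Priority: 2] {ICMP} 10.20.5.23 -> 10.20.9.14
08/29-09:05:00.000000  [**] [1:1000001:1] LOCAL DCERPC bind on 135/tcp [**] [Priority: 1] {TCP} 10.20.5.40:1090 -> 10.20.1.3:135
"""

# Constructed DHCP lease table (IP -> MAC) standing in for dhcpd.leases.
LEASES = {
    "10.20.5.17": "00:0c:29:aa:bb:01",
    "10.20.5.23": "00:0c:29:aa:bb:02",
    "10.20.5.40": "00:0c:29:aa:bb:03",
}

# Snort "fast" alert layout; the port is optional so ICMP alerts parse too.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d+(?:\.\d+){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})(?::(?P<dport>\d+))?$"
)


def parse_alert(line):
    """Parse one fast-alert line into a dict, or None if it is not an alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%m/%d-%H:%M:%S.%f")
    return {"ts": ts.replace(year=ASSUMED_YEAR), "sid": m.group("sid"),
            "msg": m.group("msg"), "proto": m.group("proto"),
            "src": m.group("src"), "dst": m.group("dst"), "dport": m.group("dport")}


def find_scanners(lines, window_seconds=60, min_targets=5):
    """Flag a source that alerts against >= min_targets distinct hosts within
    window_seconds. One connection to a file server never trips this; a host
    sweeping the subnet on 135/tcp (or pinging it, Welchia-style) does.
    Alerts are assumed to arrive in time order, as Snort writes them."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, dst)
    decisions = {}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        q = recent[a["src"]]
        q.append((a["ts"], a["dst"]))
        while (a["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()              # forget alerts older than the window
        targets = {dst for _, dst in q}
        if len(targets) >= min_targets and a["src"] not in decisions:
            decisions[a["src"]] = {
                "ip": a["src"],
                "mac": LEASES.get(a["src"], "unknown"),
                "signature": a["msg"],
                "distinct_targets": len(targets),
                "flagged_at": a["ts"],
            }
    return list(decisions.values())


def render_dhcpd_deny(decisions):
    """Render ISC dhcpd host blocks that refuse a lease to each flagged MAC
    (Phleg's 'refuse to give them another DHCP lease'). Hosts with no known
    MAC are skipped; a switch-port shutdown would have to cover those."""
    blocks = []
    for d in decisions:
        if d["mac"] == "unknown":
            continue
        name = "quarantine-" + d["ip"].replace(".", "-")
        blocks.append(
            f"host {name} {{\n"
            f"    hardware ethernet {d['mac']};\n"
            f"    deny booting;  # {d['signature']} against "
            f"{d['distinct_targets']} hosts at {d['flagged_at']:%H:%M:%S}\n"
            f"}}"
        )
    return "\n".join(blocks)


if __name__ == "__main__":
    found = find_scanners(SAMPLE_ALERTS.splitlines())
    for d in found:
        print(f"{d['ip']} ({d['mac']}): {d['signature']}, {d['distinct_targets']} targets")
    print(render_dhcpd_deny(found))
```

With the constructed input, 10.20.5.17 and 10.20.5.23 are flagged while 10.20.5.40, which touched only two hosts five minutes apart, is left alone.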

diversity and not allow attachments (1, Interesting)

Chuck Bucket (142633) | more than 11 years ago | (#6833378)

Time to diversify so that the target infestation isn't as large. But you can't tell people what OS to run, so as for protecting the network, not allowing email attachments is pretty harsh to some people, but I think it's what will need to be done in the long run.

Email should be used for communication, not for transferring files.

CB

Must not be in college (0)

Anonymous Coward | more than 11 years ago | (#6833441)

A lot of times, the easiest way to transfer files is to email them to yourself. Just attach your documents and pick them up when you reach your destination. Beats a floppy.

On top of this... (1)

aetherspoon (72997) | more than 11 years ago | (#6833469)

... not only is it the only way that I can send small files to myself from my Uni's own computer labs, but that doesn't stop out-of-uni-mail mailclients, or even MSBlaster considering it isn't a mass mailing worm.

File transfer & security holes (1)

Phronesis (175966) | more than 11 years ago | (#6833520)

Email should be used for communication, not for transferring files.

The problem with prohibiting email attachments is that this essentially pushes students in the direction of running servers on their personal computers in order to transfer files. This would be a much larger security hole.

If they're running Windows, they're likely to use the servers that come with the OS (http or ftp), which have much greater potential security holes than the email reader.

Deny them DNS services (5, Interesting)

eaglesnax (238705) | more than 11 years ago | (#6833379)

I think this was one of the approaches Stanford was going to take. No DNS for your machine until you get it checked out by their IT department.

Chris

Re:Deny them DNS services (1)

mslinux (570958) | more than 11 years ago | (#6833525)

How does one check 30,000 student PCs? There are universities with that many undergrads you know.

Re:Deny them DNS services (1)

GigsVT (208848) | more than 11 years ago | (#6833531)

That's not very effective, unless they have DNS firewalled to the net in general, which is pretty lame.

Try and clean it up when it happens (0)

DrunkEvilPenguin (680517) | more than 11 years ago | (#6833380)

I live in a college, about 30 people on my floor. All we could really do is go around and knock on everyone's door, see if they were running an affected system, and patch the hole and remove the virus if it was there. We couldn't really find any other way.

Another college did a bit more and made people more aware of it, and then went around to everyone's computer, but that wasn't hugely more successful. And seeing it infected all labs etc in the uni, and IT support are fairly incompetent (enough not to think to block that port at the routers), our entire network slowed to a crawl.

One word (well, abbreviation) (1)

marsvin (84268) | more than 11 years ago | (#6833384)

LART

Fix it closer to the problem (0)

Anonymous Coward | more than 11 years ago | (#6833385)

It sounds to me like you should be stopping the problem closer to the source - at the switch.

Option B (assuming of course you guys use DHCP) is to flag network cards and not give them IP addresses.

It doesn't sound like an answer, but in the college environment all you can realistically do is damage control.

fix packets (2, Informative)

zumbojo (615389) | more than 11 years ago | (#6833386)

I work as a tech for a major midwestern university. Aside from offering a website with complete instructions, we published packets bundled with CDs that guide the students visually through the process of fixing Blaster and Welchia and installing Norton AntiVirus. With so many pictures in the guide we have yet to have anyone mess it up.

msblaster cleaner worm (0)

Anonymous Coward | more than 11 years ago | (#6833390)

Just spam your network with the msblaster cleaner worm until everyone is clean.

I'm actually wanting to know the same thing, but.. (4, Interesting)

aetherspoon (72997) | more than 11 years ago | (#6833396)

... from another point of view.

I'm a student at a university whose dorm network got nailed by blaster something fierce. Almost as bad as it was Klezed a couple years before. Anyways, because of all of this, the sys admins decided to completely eliminate the dorm network from the upper campus one - also cutting off 'net access - during school hours. This is a real big pain in the butt, and I'm actually hoping there are some great answers in this topic so I can give them to my sys admin.

Of course, compounding the situation are seemingly (dunno if they actually are or not considering I've never even SEEN one before) incompetent dorm techs taking an entire day to clear out just one dorm building of ~50 rooms (2 people per room, but often less than 2 PCs per room...). Considering Blaster only affects 2000/XP/2003 machines, that means that the roughly 50 computers running those took 8 hours to clean? Something seems wrong here.

I'm just annoyed because my room (along with my entire hall since I'm the resident 'hey, call him!' computer geek and have patched everyone) is completely free of blaster and its ilk, yet I have to deal with the people who either don't know to patch Windows often, or don't care.

How about this one: What can a STUDENT at one of these schools do to help? I've tried teaching as many people as possible about computer safety (take a health class's STD safety course, apply it to computers basically), and I'm ineligible to become a dorm tech right now... anyone?

Re:I'm actually wanting to know the same thing, bu (1)

Phleg (523632) | more than 11 years ago | (#6833439)

How about this one: What can a STUDENT at one of these schools do to help? I've tried teaching as many people as possible about computer safety (take a health class's STD safety course, apply it to computers basically), and I'm ineligible to become a dorm tech right now... anyone?

Write your own exploit of the vulnerabilities that patches them, and force feed it to any computer spamming you with virus-born packets ;)

Re:I'm actually wanting to know the same thing, bu (0)

Anonymous Coward | more than 11 years ago | (#6833444)

How about finding some other colleges with REAL plans for these situations so good that they are practically untouched by these worms..there are plenty out there....then bring a list of them to your admin and say..."Hey fuckstick, why are you so incompetent?"

Re:I'm actually wanting to know the same thing, bu (2, Informative)

NMerriam (15122) | more than 11 years ago | (#6833458)

Considering Blaster only affects 2000/XP/2003 machines, that means that the roughly 50 computers running those took 8 hours to clean? Something seems wrong here.

unfortunately not -- updating random systems is harder than it seems. When we got hit at our university i helped out cleaning a bunch of systems and I couldn't believe how long it took -- Win2k installs had to have Service Pack 4 installed before you could apply the security patch for the worm, other dependencies changed because of that, had to install and update the university version of norton antivirus, which refused to install on many systems unless I started them in safe mode, etc. All in all, the half-dozen systems i cleaned up took several hours because of all the rebooting and screwing around that was necessary before the patch could even be applied.

The XP and 98 systems were a piece of cake, though.

Re:I'm actually wanting to know the same thing, bu (0)

Anonymous Coward | more than 11 years ago | (#6833484)

Is that one person taking 8 hours to clean 50 machines? That sounds like a fine number, under 10 minutes per computer, which is what it would take to go to next place, start computer, explain to user what is going on, answer random questions for user, fix problem, move on. You think they are incompetent b/c it takes them less than ten minutes per? What exactly is wrong with that?

Re:I'm actually wanting to know the same thing, bu (1)

aetherspoon (72997) | more than 11 years ago | (#6833518)

7 people. On top of that, not all of the machines are infected and/or unpatched.

Re:I'm actually wanting to know the same thing, bu (0)

Anonymous Coward | more than 11 years ago | (#6833494)

Do what I did... start your own tech support team. I figured out the most capable people, and they quickly became my assistants. They were good at fixing basic problems, and if it was something they couldn't handle, they brought it to me. Handle payment you best see fit, money or favors later.

I don't use Windows (0)

Anonymous Coward | more than 11 years ago | (#6833398)

I don't use Windows. I haven't even noticed.

My Uni's policy (1)

fliplap (113705) | more than 11 years ago | (#6833402)

At my school they've got monitoring software setup. If you're infected, you're dropped off the network. At the switch, no questions asked. If and when the student contacts the help desk as to why their computer doesn't work on the network they're informed they're infected and told to bring their machine down to have the patches applied.

Don't let them on your network... (0, Flamebait)

filledwithloathing (635304) | more than 11 years ago | (#6833404)

Don't let them online. They're only going to download porn and trade mp3's and get you sued anyways.

I feel your pain... (1)

Chordonblue (585047) | more than 11 years ago | (#6833410)

Oh yes I do - TESTIFY! What's more, how can you even begin to troubleshoot an issue when you can't read Korean or Japanese (I work for an international school)?

There are no easy answers. Fortunately, I work in a small school, so I take the time to try and do updates on each machine when they come in. We run adaware on each, and then install the network version of Sophos so they are protected from viruses.

From that point, we have to hope that the firewall filters do their job in keeping out the junk, but it's certainly not perfect. We've often toyed with the idea of mandating our own dorm terminals, and know schools that do, but we're not ready for this kind of expense yet. Of course, in my environment, I have a bit more flexibility than you might in yours.

We do offer leased computers though, and this year we had more takers than ever - even though the price was as high as a fully equipped desktop system! Some parents just don't want to have to deal with the updating, anti-virus, and other issues. The obvious advantage to this is that we can start these systems out fresh and updated every year. It's tempting to lower that price a bit just to get more takers and therefore, less issues.

Block E-Mail (2)

N8F8 (4562) | more than 11 years ago | (#6833415)

  1. Block POP3 and SMTP access.
  2. Block trojan ports.
  3. Provide webmail access. (Even allow them to connect to their own email accounts elsewhere)
Outlook and Outlook Express are the two largest vectors for virii.

Re:Block E-Mail (0)

Anonymous Coward | more than 11 years ago | (#6833534)

the two largest vectors for virii

VIRUSES is the plural of VIRUS, not "VIRII". Using that term doesn't make you look l337, it makes you look like an idiot.

Easy (1)

The Creator (4611) | more than 11 years ago | (#6833418)

Just get copies of all the malignant viruses/worms and make versions of them that patch the machines. :)

Re:Easy (0)

Anonymous Coward | more than 11 years ago | (#6833503)

Read any news lately? Apparently not idiot.

DHCP tricks (5, Funny)

TheSHAD0W (258774) | more than 11 years ago | (#6833420)

You ought to be able to tweak your DHCP so you can block machines that are broadcasting this badly by telling them their default gateway is localhost.

Best method when dealing with it on such a level (0)

Anonymous Coward | more than 11 years ago | (#6833424)

is to do your network segments with Cisco switches. Catalysts and such run IOS just like Cisco's routers- so you can administratively (is that even a word?) take down any port/interface. perfect for that kind of situation, and if the network is so clogged you can jack in on the console with a laptop.

good luck.

start with the freshman handbook (5, Funny)

b17bmbr (608864) | more than 11 years ago | (#6833425)

Chapter 2 Personal Computers
No personal computers will be allowed unless they are running Linux, FreeBSD, OS X, or another variety of *nix. If you are bringing a PC, please see the installation CD in the back of the Freshman orientation handbook. For installation instructions, find the guy in your dorm with long hair, glasses, birkenstocks, and a penguin on his shirt. For payment, beer will usually do. Or, if you are under 21, and can't find someone to buy for you, perhaps a bag of Starbucks will suffice. However, if you are a female, just acknowledging him at least once during the semester, when you are with your friends will be plenty.

If you grow machines, just get right fertilizer! (0)

Anonymous Coward | more than 11 years ago | (#6833428)

Never forget to water them and make sure they get plenty of sunlight.

I don't know how much work you want to do but... (1)

Xistic (536149) | more than 11 years ago | (#6833430)

You could set up the dhcp to only give out IP's to specific MAC addresses leaving everyone out in the cold. Then only add computers to the list as they are verified clean. Use an off kilter subnet like 10.25.6.* to keep people from guessing it. Also only allow internet access to verified clean machines. Basically make them as non-functional as possible until you give them the go ahead. Post notices on the dorm doors. Maybe sniff out "unauthorized" IP's and then track them down. Maybe bring a linebacker to strangle the little geek into submission. =)

I know this sounds like a hassle but it's the only thing that could force people to come to you.

Kyle
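TheSHAD0W's DHCP trick (hand a noisy machine a useless default gateway) and Xistic's known-MAC-only allocation can both be expressed in one ISC dhcpd configuration. The fragment below is an added example, not from the thread or from either poster; the 10.25.6.0/24 subnet is Xistic's, while the host names, MAC addresses, resolver and gateway addresses are made up.

```conf
# Constructed example: ISC dhcpd serving one dorm segment.
# Only MACs registered as host entries get a normal lease. A MAC that has been
# flagged as infected is added to the "quarantine" class and gets a short lease
# whose default gateway is the host itself, so its traffic cannot leave the subnet.

# Registered (verified-clean) machines: one host entry per MAC address.
host room-101 { hardware ethernet 00:11:22:33:44:55; }
host room-102 { hardware ethernet 00:11:22:33:44:66; }

# Infected machines are listed here (Ethernet MACs carry the "1:" type prefix).
class "quarantine" {
    match hardware;
}
subclass "quarantine" 1:00:11:22:33:44:55;

subnet 10.25.6.0 netmask 255.255.255.0 {
    option domain-name-servers 10.25.6.2;   # assumed resolver address

    # Normal pool: registered hosts only, and never quarantined ones.
    pool {
        deny unknown-clients;
        deny members of "quarantine";
        range 10.25.6.10 10.25.6.200;
        option routers 10.25.6.1;           # the real gateway
        default-lease-time 3600;
    }

    # Quarantine pool: short lease, default route pointed back at the host.
    pool {
        allow members of "quarantine";
        range 10.25.6.201 10.25.6.250;
        option routers 127.0.0.1;
        default-lease-time 300;
        max-lease-time 300;
    }
}
```

Unregistered MACs match neither pool and get no lease at all. Two limits are worth knowing before relying on this: a worm that scans neighbouring addresses on the same /24 never touches the default gateway, so the quarantine pool only stops it leaving the subnet, and a student who types in a static address bypasses DHCP entirely. It is a complement to shutting the switch port or ACLs on the dorm router, not a replacement.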

Post lists (5, Funny)

Maxwell'sSilverLART (596756) | more than 11 years ago | (#6833433)

Assuming you can identify the port from which the infected traffic is coming, post a list of all infected rooms on the front door of the dorms, with an explanation that "these computers are causing your network to suck."

The problem will be fixed.

Easy solution: (1)

Krapangor (533950) | more than 11 years ago | (#6833442)

No computers in dorms.
And that's in fact the best solution. Students usually use the computers for playing, trading mp3s or collecting pr0n. There are some courses where you need a computer - CS etc. But usually the departments have sufficient computer pools for their students. So students don't really need computers at the dorms. In fact, they usually keep them from learning. So a computer ban would increase their grades and their learning curve. And the value of computers for non-CS/programming related education has been proven to be nil.

Some ad hoc polls at my university have shown that students with less computer usage usually have the best marks. Interestingly this also applied to CS students, so the computers at home don't seem to improve their understanding of computer science at all. A colleague of mine went even so far as to reject all hacker-type students (more than 50 hours of computer usage per week) from entering graduate courses, but I think he goes too far with this approach.
However, some departments (Maths/Liberal Arts/Chemistry) are lobbying hard to get a dorm-wide computer ban.

Re:Easy solution: (1)

PhoenixFlare (319467) | more than 11 years ago | (#6833521)

Try a policy like that anywhere but a completely liberal-arts college, and you would be roasted....College students in technical programs can be and are extremely possessive about using their personal systems.

I'm curious, which university is this that you work at?

mac address registration + managed AV software (2, Interesting)

irabinovitch (614425) | more than 11 years ago | (#6833446)

Seeing as in this situation you won't be able to convince your students to switch:

1) Require all machines to register their mac address via nice gui or website. This way when you use all the rest of the stuff mentioned here (snort, etc) you can easily track the student down.

2) Run snort, router, acls, etc in a way that automatically blocks infected users. Or at the very least it should at least alert you of them. But blocking is best so that they don't spread the infection further on your network or to the internet via your fat pipe.

3) Buy a site license of the managed versions of Norton Antivirus for the dorms and hand one to every student as they walk in the door. Once they've installed it you can force the updates on to them.

Good question (2, Interesting)

RobinH (124750) | more than 11 years ago | (#6833449)

I hadn't thought of this implication. Unfortunately, it's not feasible to force the users to do anything in this kind of situation - that would be an administrator's nightmare.

I'm assuming you have each computer connected to a central switch, right? What I would do is block all communication between the PCs on the network. Allow each one to get out to the internet through the firewall, but block them from connecting to each other. That would give them the ability to browse the web, check email, instant message, etc., without needing to worry about them setting up servers, file sharing, and trading viruses, etc., between each other. It's heavy handed, but at least you're still providing the service you're supposed to (internet connectivity).

Just a thought. I'm not completely sure this is even feasible with a switch, but I would think so.
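RobinH's question (can a switch stop dorm PCs talking to each other while still letting each one reach the firewall?) has a yes on the Cisco Catalyst switches an earlier comment mentions. The fragment below is an added example, not from either poster; the port range, VLAN number and interface names are assumptions.

```text
! Constructed example: Catalyst access switch for one dorm wing.
! Protected ports never forward frames to other protected ports on the same
! switch. The uplink is left unprotected, so every PC still reaches the
! router, the firewall and the DHCP server, but not its neighbours.
interface range FastEthernet0/1 - 24
 description dorm room ports
 switchport mode access
 switchport access vlan 25
 switchport protected
 spanning-tree portfast
!
interface GigabitEthernet0/1
 description uplink to dorm router / firewall
 switchport mode access
 switchport access vlan 25
```

The caveat is scope: protected ports only isolate hosts on the same switch. Once a dorm spans several switches, two PCs on different switches can still reach each other through the uplink, and the same effect then needs private VLANs (isolated ports) on the aggregation switch, or ACLs on the router that bounce intra-subnet traffic.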

Our Solution (2, Funny)

skroz (7870) | more than 11 years ago | (#6833464)

We have an incident response team that locates each individual infected host, then identifies the primary user of that machine. If they're unavailable, we install the patch and leave a message that they should come by our offices as soon as possible.

Once the patch has been applied, we sit down with the user and assure them that they're not in trouble; everyone makes a mistake from time to time, and we have simple and effective means of dealing with the problem. Once they're calmed down and convinced that we're not upset with them, we wish them a good day and send them on their way.

When they turn their backs, we shoot them in the back of the head and put their bodies on display in the courtyard as an example to the rest of the imbeciles that might practice unsafe computing.

when they register their MAC address (1)

Moleman (74531) | more than 11 years ago | (#6833493)

At my school (university of maryland, college park) we have to register the computer we're using on the port we're using.

Before you're doing that you have to download the patches and run a cleaning utility. So our network is pretty much 100% clean.

set some bait (0)

Anonymous Coward | more than 11 years ago | (#6833495)

it has already been said but I have to agree. install a box to just sit and record incoming packets (pref. a linux box). look at the logs, any computer showing signs of a virus should be taken off the network. you can tell by mac address which should (if you keep good records) lead to a specific port on a switch leading to their room. it seems harsh but my school is doing this and it works.
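The workflow this comment and irabinovitch's snort/ACL suggestion describe (record traffic, pick out the hosts behaving like a worm, trace each one through its MAC address and your registration records to a switch port) can be scripted. The block below is an added example, not code from the thread: it reads constructed iptables-style log lines, flags any source that opens connections to many distinct hosts on TCP/135 (the RPC port the Blaster worm scans), and joins the result against a constructed DHCP lease table and MAC registration table to name the switch port to shut. The log format, threshold, addresses and table contents are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the thread): an iptables-style packet log
# from a Linux box that sees the dorm segment. 10.25.6.17 fans out to 25
# neighbours on TCP/135; 10.25.6.42 makes a couple of ordinary connections.
SAMPLE_LOG = [
    f"Aug 28 10:01:{i:02d} sniffer kernel: IN=eth0 SRC=10.25.6.17 "
    f"DST=10.25.6.{20 + i} PROTO=TCP DPT=135 SYN"
    for i in range(25)
] + [
    "Aug 28 10:02:00 sniffer kernel: IN=eth0 SRC=10.25.6.42 DST=10.25.6.1 PROTO=TCP DPT=80 SYN",
    "Aug 28 10:02:01 sniffer kernel: IN=eth0 SRC=10.25.6.42 DST=10.25.6.9 PROTO=TCP DPT=135 SYN",
    "Aug 28 10:02:02 sniffer kernel: IN=eth0 SRC=10.25.6.42 DST=10.25.6.9 PROTO=TCP DPT=135 SYN",
    "Aug 28 10:02:03 sniffer kernel: IN=eth0 SRC=10.25.6.99 DST=10.25.6.5 PROTO=UDP DPT=53",
]

LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\w+) .*?DPT=(\d+)")

# Service ports a scanning worm hammers. TCP/135 is the RPC/DCOM port Blaster
# targets; assumption: extend this set per outbreak.
WORM_PORTS = {("TCP", 135)}
# Distinct targets on a worm port before a source counts as a scanner (assumed).
FANOUT_THRESHOLD = 20

# Constructed "good records": current DHCP leases and the MAC registration
# database students filled in when they plugged in.
LEASES = {"10.25.6.17": "00:11:22:33:44:55", "10.25.6.42": "00:11:22:33:44:66"}
REGISTRATIONS = {
    "00:11:22:33:44:55": {"owner": "student-a", "switch": "dorm-sw1", "port": "Fa0/17"},
    "00:11:22:33:44:66": {"owner": "student-b", "switch": "dorm-sw1", "port": "Fa0/3"},
}


def parse_line(line):
    """Extract (src, dst, proto, dport) from one log line, or None if unparseable."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst, proto, dport = m.groups()
    return src, dst, proto.upper(), int(dport)


def find_scanners(lines, threshold=FANOUT_THRESHOLD, ports=WORM_PORTS):
    """Map source IP -> number of distinct targets, for sources past the threshold.

    Counting distinct destinations rather than raw packets keeps a host that
    retries one legitimate RPC connection from looking like a worm.
    """
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, proto, dport = rec
        if (proto, dport) in ports:
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}


def locate(ip, leases=LEASES, registrations=REGISTRATIONS):
    """Follow IP -> MAC (lease table) -> owner/switch/port (registration table)."""
    mac = leases.get(ip)
    info = registrations.get(mac, {}) if mac else {}
    return {
        "ip": ip,
        "mac": mac,
        "owner": info.get("owner"),
        "switch": info.get("switch"),
        "port": info.get("port"),
    }


def quarantine_list(lines):
    """Hosts to pull off the network, with the switch port each one sits on."""
    return [
        dict(locate(ip), distinct_targets=n)
        for ip, n in sorted(find_scanners(lines).items())
    ]


if __name__ == "__main__":
    for entry in quarantine_list(SAMPLE_LOG):
        print(entry)
```

A host whose IP has no lease or whose MAC was never registered comes back with `None` fields; that is the case to chase by hand, since it usually means a machine that bypassed the registration step. For Welchia, which the thread also mentions and which hunts for victims with ICMP echo sweeps, the same fan-out count applied to ICMP destinations is the matching rule.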

Usage Policy (1)

nry (703007) | more than 11 years ago | (#6833496)

I'd say this: basically, anyone who wishes to connect their machine to the network has to go sign a policy and at the same time be told to prove which AV software they are using. If they don't have one then I'd be looking at the licence for the establishments current AV software as ours (NAV) allows us to provide copies of it to students so they can use it 'whilst they are studying at our establishment' and should be removed once they leave. I guess you could even go so far as only allocating IP addresses to authorised users, so if someone connects without agreement then they don't get an IP and can't use the LAN..... nry

What is happening at my university... (4, Informative)

acehole (174372) | more than 11 years ago | (#6833499)

When the blaster worm hit, we had to work for a few days to clear the thing from the staff network.

Now that we've well and truly cleared it after much scanning to make sure, we've moved on to the on-campus student's network.

We have to physically go to each room, patch and scan to remove both Blaster and Welchia.

It's both an annoyance for us and the students who pretty much treat us like unwanted guests on their pcs.

You gotta use hard justice. (1)

sQuEeDeN (565589) | more than 11 years ago | (#6833501)

Let's face it. I'm a student. I'm lazy, and I don't read everything listing stuff I should do. So, to deal with that, AcIS (Academic Information Systems) at Columbia University doles out some hard but good justice.
If your computer is detected with a worm, clogging up the network, the router is configured to remove your machine from the network. A CD-R with the latest patches finds its way to the student's mailbox, along with a (gasp) phone message saying what's up. When the student can show somewhat that they're clean to the hall's student tech, they're let back on. It's probably not cheap to do, but it's effective and the easiest way to motivate people.

Combination of... (1)

Wingie (554272) | more than 11 years ago | (#6833508)

Where I go to school (I also work for IT here) we basically combine all the techniques everyone here described: a login script that scans for the patch and prompts the user to patch if the machine isn't patched, have the login script run an anti-virus tool, postering the ENTIRE college, recruiting residential life and handing out patch CDs to every RA on campus, and banning MAC addresses AND closing off ports via hourly scans of the network. So far it's been doing really well. The only problem we have now, actually, is the 5000 or so SPAM (and mostly infected) messages that come in every hour, slowing our e-mail servers to a crawl.

Sorry (1)

nite_warrior (151737) | more than 11 years ago | (#6833514)

I've been living the same problem in my University, and it isn't as big as US colleges with students living in dorms and most of them bringing their computers. While many of the other replies might work like just block ports and wait for ppl to complain, I know that for a big number of machines that would be a real pain to search for every single infected machine, so I don't find it a solution. Also setting up a domain is hard if you don't know all the computers that come into it. So our solution to the problem has been to just segment our network as much as possible, and block all traffic for each vlan, each of our vlans grows as much as 255 hosts, so an infected machine won't hurt much.

treat it like a small ISP (1)

Darth_brooks (180756) | more than 11 years ago | (#6833528)

My old ISP put their "setup" on a CD for ease of installation. just simple scripts that detected the modem, configured DNS, and (here's the relevant part) set the IE homepage to www.isp.com.

Bulk out a CD with the necessary information and distribute them to the dorms. As part of the setup, point IE or netscape to someplace like http://housecall.trendmicro.com, or set up your own remote AV scanner. Make a completed scan part of the setup. If a machine doesn't do a complete scan, it doesn't get network access.

I know at U of A... (1)

haut (678547) | more than 11 years ago | (#6833537)

They are cutting off DHCP access to infected machines. In my department I have to go to these machines and give them a temp IP, patch them, and wait for the computing department to reenable them. I'm not sure how they tell if it's infected or not, but this seems to be a workable solution. With students' PCs however, passing around CDs with the patch seems a much better solution.