Securing a High School Windows XP Computer Lab?

Cliff posted more than 7 years ago | from the locking-your-windows dept.

533

An anonymous reader asks: "My SO just inherited a computer lab from a departed teacher who was no security guru. These are Windows XP systems, and security basically consists of a password on the admin account, a subscription to McAfee Security Center, and a free Internet filter. The students have access through a non-passworded 'limited' user account that doesn't seem to limit much. They have been going in and changing settings, downloading games and music, and generally screwing the computers up during class time, in many cases leaving them unusable. As the geek in our house, she has asked me to give her a hand, but while I have dealt with some security issues in the past, it was to protect against remote intruders, not against someone who has to have access to the keyboard. Any suggestions on the best way to lock these systems down?"

533 comments

Come on, did you really have to ask Slashdot? (3, Insightful)

pdpTrojan (454023) | more than 7 years ago | (#16564136)

95% of the answers given here are going to be smartasses telling you to install Ubuntu.

Re:Come on, did you really have to ask Slashdot? (4, Funny)

HoosierPeschke (887362) | more than 7 years ago | (#16564226)

Nah, try gentoo [gentoo.org]. It'll be really secure then.

Easy solution (4, Funny)

brucmack (572780) | more than 7 years ago | (#16564144)

Lock the door.

Obligatory Star Wars Quote (5, Funny)

Anonymous Coward | more than 7 years ago | (#16564412)

...and pray that they don't have blasters.

Re:Easy solution [OT] (0)

HoosierPeschke (887362) | more than 7 years ago | (#16564446)

Wow, that was pretty good. It seems that some moderators:
  1. Have no sense of humor.
  2. Haven't read the Guidelines [slashdot.org] before moderating.

Hopefully it'll be fixed with other mods and meta-mod.

Re:Easy solution (0)

blindd0t (855876) | more than 7 years ago | (#16564462)

I must ask - where did you go to high-school where locking the door meant something was safe from being broken in to? That had better be a steel-reinforced door with some serious locks, and the room should have no windows (or at least protective steel bars on the windows - and no pun was intended here, honestly).

Re:Easy solution (0)

Psychofreak (17440) | more than 7 years ago | (#16564944)

Locks are for the honest. Any door in my HS that was not deadbolted (and many of those too) could be opened with a small pocket knife. Just push the latch over through the door jamb crack, and pull. Most doors would open on the first try. Also keep a 3/16 allen wrench on hand to unlock windows.

I *never* got into mischief.

Phil

Policy Editor (2, Informative)

drrck (959788) | more than 7 years ago | (#16564150)

Policy editor combined with logging in to a domain with a restricted account seems to make life difficult enough for me on my work lappy.

Re:Policy Editor (1, Insightful)

liquidpele (663430) | more than 7 years ago | (#16564278)

That, and get a really restrictive webfilter. If they can't get anything interesting online, it'll work out a lot better.

An Idea... (0, Offtopic)

Praedon (707326) | more than 7 years ago | (#16564162)

Why not convince the school that linux would save them tons of money, and won't ever have a problem with kids getting in to things? All they need is a browser and Open Office!

Re:An Idea... (1)

devnull17 (592326) | more than 7 years ago | (#16564192)

OK. Do you want to teach dozens of teachers and hundreds of kids how to use Linux?

Re:An Idea... (1)

Praedon (707326) | more than 7 years ago | (#16564236)

Honestly, there have been some major leaps and bounds to unfortunately make a desktop for linux newbified enough for anyone to use it. I converted a lot of my older relatives to it in less than a day.

Re:An Idea... (-1, Troll)

Anonymous Coward | more than 7 years ago | (#16564362)

Oh, please, could we all just shut the fuck up about Linux? It's definitely not ready for the desktop. Are you expecting users to wait 7 minutes until OpenOffice starts to write their "Hello, world!" letter?

Seriously, forcing students to use such an inferior operating system will only lead to frustration and anger.

Re:An Idea... (0)

Anonymous Coward | more than 7 years ago | (#16564600)

Seriously, forcing students to use such an inferior operating system will only lead to frustration and anger.

I believe Microsoft already did that with Windows to begin with.

Re:An Idea... (3, Interesting)

Anonymous Freak (16973) | more than 7 years ago | (#16564742)

My 12 year old son can't tell the difference between Windows XP with MS Office 2003 and Linux with XPde and OpenOffice. On a Pentium II 400 MHz system with 256 MB of RAM.

That's what they use at his middle school, and they use both Windows and Linux. When I installed Linux dual-boot on his home PC (P4 3.2 GHz, 512 MB RAM,) the only way he knows he's in Linux is that he can't find his games.

Your troll would be interesting, if there was fact behind it.

Re:An Idea... (1, Troll)

NickCatal (865805) | more than 7 years ago | (#16564272)

Yes. Because you know, Linux is going to take over the workplace and OpenOffice is going to cause a revolt.

Linux skills are pointless for 95% of today's high school students.

Re:An Idea... (0)

Anonymous Coward | more than 7 years ago | (#16564472)

Yeah, because navigating gnome is soooo different than navigating windows (/sarcasm)

Re:An Idea... (4, Insightful)

An Onerous Coward (222037) | more than 7 years ago | (#16564792)

I disagree. While Linux shouldn't even be brought up in the context of securing a Windows XP lab (except maybe to serve network resources and authentication), using a Linux desktop is only going to help high school students learn computer skills.

Basic web usage is portable to Internet Explorer (and even moreso to Firefox on Windows). Basic word processing skills can be easily transferred from OpenOffice to MSOffice. Basic fragging skills are transferrable from Quake 3 to Half-Life (c'mon, these are high school students).

More important, learning to accomplish the same task using more than one application can really help cement in the kids' minds that they're not learning "how computers work," but "how this particular application works." Which is very important for a real understanding of computers. Where differences exist, they open up opportunities for learning. What is a file format? How can multiple programs handle the same data, and why do they sometimes do it slightly differently? What are web standards?

Couple that with the number of programming languages freely available to educational institutions under the apt-get license, and it seems to me that there is definitely a place for Linux in the classroom.

Re:An Idea... (1)

bersl2 (689221) | more than 7 years ago | (#16564900)

When users are not responsible for administration of the system, the right distro becomes just another operating environment, which can be taught without significant difficulty to the vast majority of students: the look-and-feel is just a little bit different from what they are used to, the names of programs are different (though if a distro is smart, it will list the function of each program in its label, e.g. "Firefox (web browser)", so don't give me any of that crap about letting programmers name stuff being bad), and there are no drive letters, and some things out there just don't work because they cater only to Windows (which is a benefit, because much of that is non-academic), but other than that, I can't think of significant differences in paradigm or presentation that can't be overcome. So feel free to list more.

Re:An Idea... (0)

Anonymous Coward | more than 7 years ago | (#16564968)

>Linux skills are pointless for 95% of today's high school students.

So's what they're teaching now, too. When I was in high school, we learned how to use DOS/Win 3.1/WP5.1. I use that combo every day at work. Every day.

From what I've seen, there's still a few high schools with crappy enough equipment that's what they're *still* running. The better ones get Win '98/MS Word 6.0. Still nothing relevant to the office.

Unfortunately, most schools simply don't have the budget for the MS software that is used in today's business. To really make the skills relevant the schools would have to be ahead of the curve, since it will be a decade after high school before the skills are used on the job (those who drop out or don't take any form of postsecondary education usually don't end up in jobs that require many computer skills).

Sure. (4, Interesting)

khasim (1285) | more than 7 years ago | (#16564280)

First off, the part you'll be authorized to use is almost exactly like Windows. Here's the login screen. Here is the "Start" button. This is your web browser, word processor, etc.

These machines will NOT run most of the applications you have at home. We want it that way.

Re:Sure. (2)

devnull17 (592326) | more than 7 years ago | (#16564372)

Maybe. But someone's going to have to add user accounts and install software, and fix things when they break. It's not the users I'm concerned about, but rather the admins. It sounds like this school doesn't have an IT department, and I've found that foisting new technologies on people is not a good thing to do unless you're personally willing to support them when things go wrong. And if you're not going to do it, who else can they call?

Re:Sure. (1)

liquidpele (663430) | more than 7 years ago | (#16564484)

Most schools don't administer student computers.
They just re-image them when they break. You can do that with Linux just as well as you can with windows.

Re:Sure. (1)

Praedon (707326) | more than 7 years ago | (#16564494)

That's the problem with this economy. Because we have a lack of funding in schools, technology lacks.

Re:Sure. (1)

Praedon (707326) | more than 7 years ago | (#16564442)

Actually that is completely true... That is all a school needs on a computer, to be honest with you. Those teachers/students who would need some "windows" compatible programs for whatever reason, could go one of two ways, virtual machine, or a few windows machines that are closely watched.

Re:An Idea... (2, Interesting)

Anonymous Freak (16973) | more than 7 years ago | (#16564690)

My son's middle school runs their computers on Linux with XPde and OpenOffice.

It's so convincing, it even took me a few seconds to realize that it wasn't XP. (When I looked at the Start menu and saw an X instead of a Windows logo. Everything else on screen would have been 100% 'at home' on a true Windows computer.)

Re:An Idea... (1)

sandoval88419 (765880) | more than 7 years ago | (#16564854)

Wow! You were modded as "offtopic". It seems the signal/noise ratio decreases on slashdot, too many astroturfers or microsoft lamers out there... Sooner or later I may unsubscribe

FTW (-1, Redundant)

Anonymous Coward | more than 7 years ago | (#16564174)

Format and put Lunix on it.

Re:FTW (0)

Anonymous Coward | more than 7 years ago | (#16564782)

Yeah! that will fix so no one can get anything done. Eventually all the computers will go unused (or should I say no one will attempt to use them) and they can all be discarded.

What a great idea!

Well... (1)

NickCatal (865805) | more than 7 years ago | (#16564200)

The only way that I have seen it done is using Novell or Microsoft's Server Software. Both of which are pricey. Although you may be able to find something from them for a smaller lab.

Kids reading this: Load quake 2 onto USB or CD-Rs and dump it into a directory you and your friends have access to. Keep a word document open and alt tab as needed. /fuck myspace surfing at school

Locking them down (-1, Redundant)

autophile (640621) | more than 7 years ago | (#16564222)

Lock them up?

--Rob

Check out the microsoft shared computer toolkit (5, Informative)

Aarondeep (90981) | more than 7 years ago | (#16564224)

http://www.microsoft.com/windowsxp/sharedaccess/default.mspx/ [microsoft.com]
Is a good place to start for newbies. Or if these are XP pro machines you can use gpedit.msc (start->run->gpedit.msc)

If these are XP home machines try this http://www.dougknox.com/xp/tips/xp_home_sectab.htm/ [dougknox.com]

Not made for XP home (2, Informative)

maddogsparky (202296) | more than 7 years ago | (#16564644)

Have you tried the above link on an XP home machine? The MS website says it is for Win NT and Win 2K.

Re:Check out the microsoft shared computer toolkit (1)

kennova (1017600) | more than 7 years ago | (#16564648)

Windows Shared Access is really nice. There is a third-party app that does similar things. It's called DeepFreeze by Faronics. Very cool program. No matter what they do it will be gone the next day. Very cool stuff. You may still want to apply the security measures others have suggested, but without something like Shared Access or DeepFreeze it will be broken indefinitely until you fix it.

Re:Check out the microsoft shared computer toolkit (4, Informative)

Deathlizard (115856) | more than 7 years ago | (#16564840)

I'll second this, although we use a domain to set user permissions, but it would work without domains using gpedit.msc.

Basically, make an admin account (call it "school user" for example) and password protect it, install everything using that account, secure using gpedit.msc, remove CREATOR OWNER permissions on the C:\, C:\program files, C:\windows and C:\windows\system32 folders, then log out.

From there, log into administrator (the real one), copy the "school user" profile into the Default user profile using the User Profiles settings found in System Properties, giving "everyone" access when you copy the profile, then change the permission manually in the "default user" profile so that everyone cannot write to it. Then make a third user account. Use compmgmt.msc to make that account a member of the guests and users groups (make sure that guest accounts will delete once they log out; it's in gpedit.msc somewhere). Optionally hide both administrator and "school user" and log out of administrator.

Log into the third account and test everything. It should not allow you to install anything if done correctly, or write anywhere except for the third user profile. Once you log out it should delete the profile (sometimes it doesn't for some reason. This [microsoft.com] helps with that a lot) and the settings should be safe.

Of course I'm assuming XP Pro. I'm pretty sure XP Home doesn't have these utils available.

Slashdot Style Solution: (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#16564258)

Just replace all the Windoze boxes with L1nux!!!1111 LOLOLOLOLOLOLOLOLOL

Virtual Machines (4, Insightful)

clintp (5169) | more than 7 years ago | (#16564266)

Set up the machines to run in a VM environment. When the host OS boots and logs in, make a copy of the VM and run that. When they exit, destroy it.

Lock down the user accounts (4, Insightful)

William_Lee (834197) | more than 7 years ago | (#16564268)

The easiest thing to do is to lockdown the user account that the students use. It is unacceptable from a security standpoint to allow them access to more than being able to run simple preinstalled apps like Firefox, MS Office, etc. It sounds like you're not running on a domain based on the fact that it is a simple 'limited' account. I'm not really in a position to go into the details of XP security in a quick reply, but it is possible to lockdown a user account very tightly in XP on a domain. In a corporate environment, users typically can't even install things like print drivers without admin rights.

Windows XP? Secure? (0, Redundant)

Burritos (535298) | more than 7 years ago | (#16564288)

Maybe you can run Knoppix?

Windows is insecure.

deep freeze (5, Informative)

hustlebird (908138) | more than 7 years ago | (#16564314)

http://www.faronics.com/ [faronics.com] has a program called deep freeze, it's not free, but after implementing it in several of our public labs it cut down just about all the troubles. Just reboot and the thing is exactly how it was when you froze it.
Please note I'm not associated with faronics or deep freeze in any way, just found the program useful and thought it might help you out.

Re:deep freeze (2, Informative)

DocBoss (956304) | more than 7 years ago | (#16564408)

Deep Freeze is truly the way to go. It is the single best program for a situation like this.

Re:deep freeze (5, Insightful)

liquidpele (663430) | more than 7 years ago | (#16564826)

I disagree.
In the school I worked, the kids had no problem re-downloading the programs and music every. single. day. I assumed finding and re-downloading the stuff was more fun than listening to the teacher anyway. Plus, most of them started playing flash-games on the game websites as well.

Deep-freeze will keep the OS from being permanently destroyed by student/virus/whatever, but it doesn't make it any less of a distraction in the classroom if it is not further locked down.

Re:deep freeze (1)

Joe The Dragon (967727) | more than 7 years ago | (#16564960)

At my high school they had Deep Freeze and no password on the local admin login. Even then you can't get around it without the Deep Freeze password.

Re:deep freeze (1)

Nimey (114278) | more than 7 years ago | (#16564468)

Yeah, my uni's got a similar product called Centurion Guard in all the public labs. You set the machine up, activate the software, then all changes made after you activate it go away when you reboot. You can deactivate it temporarily to install new software. Works pretty well.

Re:deep freeze (1)

DeadboltX (751907) | more than 7 years ago | (#16564634)

I would also highly recommend deep freeze.
Many schools in the Sacramento area use it with great success and I myself have deployed it on several machines I oversee at public study-hall areas for apartment complexes in a college town.

Every time the computer reboots it resets itself to how it was when you first installed it, so even if you have no further access prevention (although I would recommend Microsoft's tool which helps you put extra access prevention, just to discourage that sort of behavior) you can simply restart the computer to get it back to how it was (nothing extra installed, no malware or viruses etc)

Re:deep freeze (1)

Jonah Hex (651948) | more than 7 years ago | (#16564676)

Thanks for pointing Deep Freeze out, I couldn't remember the name of it but it's definitely the way to go! If I could get my corp to buy it I'd be much happier, Active Directory policies don't help when they give everyone admin rights to their own computer.

Jonah Hex

Re:deep freeze (3, Informative)

Anonymous Coward | more than 7 years ago | (#16564878)

Apple uses the Mac version of Deep Freeze on all Apple Store front-of-house demo machines, if you want a corporate pedigree.

Install Linux (2, Insightful)

Fireflymantis (670938) | more than 7 years ago | (#16564318)

No, Really. Drop on something easy to use like ubuntu, set up a single, very limited user account, and have the students login to a fileshare that requires login. Have a link on the Desktop that asks for username and password and uses sshfs if you want simplicity.

Re:Install Linux (1, Flamebait)

Spiked_Three (626260) | more than 7 years ago | (#16564856)

Just curious, how is this any different than doing the same thing with windows? Besides the fact that it's linux.

In a computer science class I can understand how using Linux is not a burden - ie learning difficult intricate details of the computer in order to use it is ok - but if these are students trying to prepare for the real world using Linux is not going to help them get that job at 80% of the companies looking to hire computer literate employees.

Backup Software (3, Insightful)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#16564320)

You're going to hear a lot of "install Linux" comments and a lot of "linux sucks" comments in reply to them. I'm not going to go there. Assuming you're looking for some minimal security, not a whole architecture revamp, look into some good backup software, make a clean install image with everything you want on it, add a network storage server (Linux?) for persistent data, and just periodically wipe the machines and replace them with a known good image. Keep the image up to date, virus scan the network storage, and you're probably going to be fine.

Re:Backup Software (-1, Troll)

Anonymous Coward | more than 7 years ago | (#16564570)

Linux sucks as a network storage server!

Re:Backup Software (1)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#16564898)

I would have modded this as "funny" but some days it is hard to tell, especially when the coffee is all gone.

Re:Backup Software (1)

Spiked_Three (626260) | more than 7 years ago | (#16564890)

Bingo! I even went so far one time as to create a CD that would boot and copy a ghost image into it. It was a pain to make, but if I had a Lab full of machines it would be worth it.

Re:Backup Software (1)

mikelieman (35628) | more than 7 years ago | (#16564990)

"look into some good backup software, make a clean install image "

A Knoppix boot cd and the 'dd' utility makes that a snap.

XP security (3, Interesting)

maxwells_deamon (221474) | more than 7 years ago | (#16564334)

Setup individual accounts for each student. Anything else is insane as there is no way to discover who did what.

Reimage each machine every night.

Make sure they are on a different subnet from all of the admin computers and that the only path to the admin computers from the labs is down through a router.

Files must be stored on a locked down server. Or students own USB drives.

Otherwise. Remove all the hard drives. Lock the door and update resume.

Security (3, Funny)

Nimey (114278) | more than 7 years ago | (#16564338)

This is my suggestion. [russian-mosin-nagant.com]

One word: Don't (4, Interesting)

PaxTech (103481) | more than 7 years ago | (#16564376)

If you lock them down, they'll work but you'll have a lot of complaints as people are restricted from using the computers for any purpose you haven't specifically allowed. In a business environment, this is fine, you pay the people to work and they aren't using the computer as a toy. In an educational environment though, you want students to be able to experiment.

What I would do is try to create a network disk image that could be quickly and easily reverted to when the machines inevitably get messed up. Let the students play and learn, a large part of learning is in messing things up and trying to fix them.

Re:One word: Don't (1)

KingDaveRa (620784) | more than 7 years ago | (#16564492)

I have to say, I both agree and disagree. I build student PC base setups for the uni I work at. I try to keep things as standard as possible, but I still restrict things. The idea is, you can do things the same as you could on your own PC at home, but you might be restricted in WHAT you can do. We do it via ZenWorks mostly, through Group Policy settings, but on occasion we'll re-image a PC if it goes bad. For the most part, our users (and they are users) don't have many problems. We have issues with big applications like 3DStudio Max or programming environments, but we can work around those.

Re:One word: Don't (1)

TubeSteak (669689) | more than 7 years ago | (#16564628)

In a business environment, this is fine, you pay the people to work and they aren't using the computer as a toy. In an educational environment though, you want students to be able to experiment.

Not really. A school is almost exactly like a business, employees and kids both have to agree to an Acceptable Use Policy (AUP) and that is that.

The main difference is that a school is liable, for things that happen on the network, in ways that a business is not.

The IT guy wants kids to use the computers for educational related stuff.
Games, IM, Myspace, music... not educational materials

Re:One word: Don't (1)

Pharmboy (216950) | more than 7 years ago | (#16564888)

Not really. A school is almost exactly like a business

Not exactly, as only half the kids at a school network are looking at porn and playing games, compared to 80% of employees...

But your other point, that a business is not liable for what happens on the network is incorrect. A male employee checks out porn, offends a female, the company is liable for sexual harassment. Your computers get infected and start spewing out spam, you are liable and your T1 shut down for a while. You run a server that accepts credit applications and your server gets pwned, you are liable.

If anything, a business is MORE liable because you can't blame it on a 14 year old kid.

It can't be done anyway. (5, Insightful)

mrchaotica (681592) | more than 7 years ago | (#16564632)

No matter what you do, sufficiently motivated students will hack their way around it. At least, that was my experience in high school. It doesn't even matter if you try stuff like BIOS passwords, etc. -- the students have physical access to the machines, or at least can con the teachers into getting it (e.g. in order to fix a problem, unless you've got a much less understaffed IT department than my school had).

So what's the solution? Give up, and let them do it. Re-image the machines if they get screwed up, discipline the students if they do something unacceptable (e.g. download porn, etc.), and don't waste your time bothering with anything else.

Re:One word: Don't (1)

LiquidCoooled (634315) | more than 7 years ago | (#16564638)

This is the best advice I have seen in the thread so far.
A workstation is disposable, you should never "worry" about it falling down or being hacked because you should be able to restore any damage done during break time.

Make sure your network image is locked down against the silly stuff (just one clean run through the gpedit.msc console should do 99% of what's needed) then create an image.

Re:One word: Don't (1)

godsfilth (999026) | more than 7 years ago | (#16564694)

as someone who used to activly help in un-securing school computers to do what i wanted. i have to agree with the dont bother comment becuase its much more trouble than its worth make and image and push it out over the network that what they did at my school. also the filtering thing should only be done for porn (and even then its easy to get around with patience/other languages thats no problem to get around) becuase you have no idea how often legit school searches will be blocked (tattoo health issues for anatomy = blocked due to being in bad taste) just protect the PC's from virus's and spyware and make an image for when they break it saves a lot of frustration

Re:One word: Don't (2, Funny)

SpottedKuh (855161) | more than 7 years ago | (#16564838)

as someone who used to activly help in un-securing school computers to do what i wanted. i have to agree with the dont bother comment becuase its much more trouble than its worth make and image and push it out over the network that what they did at my school.

I think what you're trying to say is...that you screwed around with school computers during English class?

Re:One word: Don't (1)

vertinox (846076) | more than 7 years ago | (#16564974)

Well said...

If this class is about learning computers, I would teach them computers. If they screw up the operating system or break something, teach them how to fix it. Teach them how to re-image the drive or use the rollback feature.

If we hide knowledge we aren't teaching our kids anything.

If they do something bad then punish them, but don't treat them like criminals when they are here to learn.

Image the machines (1)

slapout (93640) | more than 7 years ago | (#16564378)

Are most of the machines the same? If so, set one up properly and make an image of the hard drive with Ghost or a similar program. At least then you'll have an easy way to restore it when they mess it up.

Get a domain controller and follow these policies (3, Informative)

jmauro (32523) | more than 7 years ago | (#16564388)

Get a system to be a domain controller. Lock that DC far away from everything else. Reformat the machines and configure them according to this: http://www.nsa.gov/snac/downloads_winxp.cfm?MenuID=scg10.3.1.1 [nsa.gov] . It'll pretty much prevent any silly things with the keyboards. Also disable the local admin accounts after the machines join the domain and don't give anyone the domain admin password or privileges except those who need it.

This is the only way I've found to keep people from messing up Windows Machines.

Users are Users... NOT ADMINS (1)

richrumble (988398) | more than 7 years ago | (#16564396)

Take away admin rights, they surely don't need them. Your savings are twofold. 1) You've just mitigated 99.9% of spyware and Viri 2) Less time needed to keep spyware/viri off, as well as keeping your boxes from becoming bit-torrent or other P2P server and/or a spam zombie. http://richrumble.blogspot.com/2006/08/anti-admin-vs-anti-virus.html [blogspot.com] http://clintonforbes.blogspot.com/2006/10/10-pros-cons-of-switching-from-windows.html [blogspot.com] (read the second to last paragraph of that blog) -rich

Deep freeze software (0)

Anonymous Coward | more than 7 years ago | (#16564400)

Depending upon the requirements of the computer lab, a solution like Deep Freeze [wikipedia.org] may work for you. It restores the computer's state to a known point instantly and completely upon reboot. You can "unfreeze" the system when installing new applications or upgrading.


It works great if there is no persistent state that needs to be kept on the computers. Persistent state can be kept on network shared drives or removable media.

Shared Computer Toolkit WDP (4, Informative)

internetstruck (1002239) | more than 7 years ago | (#16564414)

It's free, and designed for XP [microsoft.com] and schools and libraries. It's pretty easy to install and configure too, if you know how to repartition your drive using Partition Magic. I use it, so reply if you want hints on getting it to work. You need WPA, and Hive cleanup service installed for it to go. It lets AV programs update, and Grisoft gave me a script to make it work with the SCT Windows Desktop Protection. Just reboot, and changes are gone, unless you save them first. Have the computers update overnight, because it doesn't work when people need to use the computer.

Deep Freeze (2, Informative)

Anonymous Coward | more than 7 years ago | (#16564418)

As a network admin I am in charge of 3 windows labs (high schools) and 35 Mac OSX labs, amazingly I used to have to spend more time working on the 3 windows labs than the 35 mac labs put together. I encouraged my department to purchase Deep Freeze and have not had to re-image a machine (other than yearly maintenance) since. I don't usually promote products but Deep freeze really is an amazing piece of work, it was simple to install and configure and any change that a student makes to the computer gets reset back to the defaults on the next reboot. It's amazing that in june the machine is exactly the same (except for updates) that the machine was in september. With the proper settings you can configure deep freeze to boot in thawed mode (meaning changes will stay) with the keyboard and mouse disabled, run anti virus and windows updates then refreeze; we have this set to happen at 2am twice a week. I can remotely thaw or freeze computers from my desk across town. All in all even though the software is not cheap it has paid for itself multiple times in saved labour and hassle.

3 simple steps... (0, Redundant)

Fallen Kell (165468) | more than 7 years ago | (#16564422)

1) Download KNOPPIX
2) Burn KNOPPIX
3) Boot KNOPPIX


...

Well, I said it was simple. Just might not be what you wanted. If you want to really lock them down, install knoppix in kiosk mode (system disk is write protected, simply reboot and you are back to normal).

software (1)

SuperStretch (1005515) | more than 7 years ago | (#16564434)

The school that I used to intern at had a great solution for the public terminals. Email me and I'll refer you to the SysAdmin over there.

Reinstall and lock down (1)

mnmn (145599) | more than 7 years ago | (#16564444)

Reinstall XP on each machine first thing. There's no way you can uninstall the rootkits, spyware, etc.

Next create one or multiple student accounts, possibly one for each student so it can be traced, and lock it down. By that I mean take away write access to c:\, c:\windows, c:\windows\system32\, most program files folders, etc. In short, they should only be able to write to their desktops and other profile folders. If they cause a mess just delete the profile folder and let them log in to recreate it.

Apart from that, of course get Firefox and find a way to force it, like link iexplore.exe to it. Make sure you install all programs and printers that they should use and take away printer, device driver and app install privileges from that group. Done.

you can't.. (0)

Anonymous Coward | more than 7 years ago | (#16564448)

basically.. kids being kids.. good luck with it..

rather than try to prevent disaster.. embrace it..

just make an image of the workstations (or a single image if they're identical hardware) and then have the machines re-image themselves every night.

every morning you have a clean install, free of key loggers, spy-ware, macro viruses, etc..

hell.. you could probably go so far as to ditch the AV software.. just keep the admin network routed/firewalled separately from the student network.

Don't go too far... (1)

Gothic_Walrus (692125) | more than 7 years ago | (#16564454)

My high school had a similar issue, and their reaction was simple. They removed all - ALL - but maybe five programs from the start menu. If you wanted Microsoft Office or Internet Explorer, you were in luck. Anything else...well, not so much. If that wasn't bad enough, they also removed access to Windows Explorer, which made using things like USB drives virtually impossible, meaning that, because of the exceedingly strict filter, the only possible way to send files home at all was floppy, and even that was strongly discouraged.

This was two years ago, mind you.

Whatever you do, don't go that route. Someone will always find a way to break the system and to have fun with it, but it's entirely possible to make the computers so dysfunctional that they lose any value as an academic tool.

This may be modded redundant... (1)

Tarlus (1000874) | more than 7 years ago | (#16564564)

But definitely tighten restrictions on the accounts that the students log in with. You can tighten security to the point where they can't install software or even save files to the hard drive (requiring external media to save their documents, if that's how you want the system to work). You can use Windows Server for managing accounts, but it sounds like overkill in this case (since Windows Server is geared more toward corporate environments, not labs that use only one or two login names).

Preventing access to things like myspace.com can be done with a simple null route in the c:\WINDOWS\system32\drivers\etc\hosts file.

And keep the virus scanner running and updating itself at all times!

If you want to restrict their web browsing then you could set up a proxy or a license with something akin to NetNanny. This is also handy for blocking ports so that IM software won't be able to get in or out (or even between), if they find a way to run it.

Deep Freeze (1)

scatteredsun (981481) | more than 7 years ago | (#16564568)

Deep freeze worked well in our labs until we bought enough Ghost Licenses. You set it up on a base configuration, then whatever the little creeps do will be wiped out by a reboot and deep freeze will return the computer to that base configuration. http://www.faronics.com/html/deepfreeze.asp [faronics.com]

Deep Freeze a great solution (5, Informative)

ironwill96 (736883) | more than 7 years ago | (#16564582)

A good solution if you are concerned about generally maintaining the same exact image consistently when people use the machine is to utilize Deep Freeze. In our IT Department at a medium-size University (10,000 students) we use Deep Freeze extensively to keep students from ruining lab computers. Deep Freeze is, as others have mentioned, a virtual partition system. Each time you reboot the machine, the original image you had is restored and any changes wiped (only files kept in the "Thawspace" are maintained, all others are lost). This means that no matter what your students do, the machine will be restored on bootup.

Now, if you want to further limit what they can do, you can make many changes to the registry in windows to block users from doing many things such as using the "run" menu, installing applications or a number of other things as simple as changing screen resolution or color depth. Once you set everything up and create the image of your restricted setup, Deep Freeze will maintain it every time for you.

You can get Deep Freeze from here: http://www.faronics.com/ [faronics.com] or look there to find out more information about how it works.

We have tried other products in the past that claimed to "restrict" Windows such that users could not make harmful changes (e.g. OnGuard) but none of the ones we utilized were able to be fool-proof and stop students from getting around it or messing something up. Short of reformatting the machine, Deep Freeze is pretty hard for the student to get around. Thawing the machine to make changes requires a lengthy key combination to even bring up the password box (key combination is customizable by you), or you can enter a key combination on bootup to access the password box to thaw the machine. You can also maintain the systems through a Deep Freeze console so you can admin all the machines at once and even push new images to them that way.

That's my three cents on how we do things in an Academic environment, but our general policy has been slight restrictions but allow them a lot of free rein - except we reset the system every time it is rebooted. I'd suggest for Middle and High school to implement a lot more restrictions on the base image that you use with Deep Freeze than what we have here at the University level.

couple of quick things to do (1)

farker haiku (883529) | more than 7 years ago | (#16564594)

first, disable the cd rom (no bootable linux cds)
second, remove the run command from the start menu through group policy.
third, disable the hot keys for run.
fourth, make the password for the admin account 15 characters long so the usual password hash rainbow tables won't be able to insta crack it.
password protect the bios so that the smart kids can't change the boot order to boot from usb. that'll prevent them from getting the sam files.

make an image and store it.
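The 15-character advice in the comment above rests on how Windows XP's legacy LM hash treats its input. As an added example (not part of any post), this Python sketch models only that input handling, not the hash itself; it assumes printable-ASCII passwords, and the sample passwords are constructed.

```python
import string

LM_LIMIT = 14  # LM hashing only covers passwords of up to 14 characters
# Assumption: printable ASCII. LM upper-cases first, so lower case is gone.
LM_ALPHABET = len(string.ascii_uppercase + string.digits
                  + string.punctuation + " ")          # 69 symbols
NT_ALPHABET = len(string.ascii_letters + string.digits
                  + string.punctuation + " ")          # 95 symbols


def lm_halves(password):
    """Return the two 7-byte blocks LM hashes independently,
    or None when the password is too long for an LM hash to apply."""
    if not password.isascii():
        raise ValueError("this sketch models ASCII passwords only")
    if len(password) > LM_LIMIT:
        return None
    padded = password.upper().encode("ascii").ljust(LM_LIMIT, b"\x00")
    return padded[:7], padded[7:]


def candidates_to_exhaust(password):
    """Upper bound on the inputs a precomputed table has to cover."""
    if lm_halves(password) is None:
        # Only the NT hash is left: full length, case-sensitive.
        return NT_ALPHABET ** len(password)
    # Both halves are 7-character upper-case blocks hashed without salt,
    # so one table over that space covers every password up to 14 chars.
    return LM_ALPHABET ** 7


if __name__ == "__main__":
    for pw in ("lab2006", "Adm1n!Lab#2006", "Adm1n!Lab#2006x"):  # constructed
        print(len(pw), lm_halves(pw), f"{candidates_to_exhaust(pw):.2e}")
```

On XP the `NoLMHash` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` stops LM hashes being stored for shorter passwords as well. Either measure only takes effect the next time the password is changed.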

Easy (1, Troll)

tktk (540564) | more than 7 years ago | (#16564660)

Remove all the power cords, and put epoxy in the resulting empty power sockets.

Well, speaking from experience... (3, Insightful)

MostAwesomeDude (980382) | more than 7 years ago | (#16564668)

From experience, here's what you need to do.

First, lock down all accounts. Some people mentioned Deep Freeze, some people mentioned group policy. My old school used Active Directory with group policies, so yearbook students and teachers could save files to the central server.

Take away the Task Manager, right-click, and Internet Explorer. Those are the most common amateur attack vectors. I'm at Oregon State University, and have had no problems compromising the "locked" computers here simply because they left me with Internet Explorer. Replace it with Firefox, and read the Firefox docs on how to lock down the browser settings.

Tell teachers to supervise kids in computer labs. There was one lab at my old school which kids stole drives, memory, and fans from all the time simply because the teacher in that lab was incapable of monitoring his students. It was bemusing but also expensive.
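Several comments above ask for the same per-user restrictions: no Run menu or Run hot key, no Task Manager, no right-click, no display-settings changes. As an added example (not from any poster), this Python check reads a `reg export` of the student account's policy keys and reports which of those restrictions are missing or switched off. The choice of values in `REQUIRED` is this example's own reading of those comments, and the sample export is constructed.

```python
import re

POLICY_ROOT = r"software\microsoft\windows\currentversion\policies"

# (policy subkey, value name, restriction asked for in the thread).
# Each is a REG_DWORD that must be 1 for the restriction to apply.
REQUIRED = [
    ("explorer", "NoRun", "Run removed from the Start menu"),
    ("explorer", "NoWinKeys", "Windows-key shortcuts such as Win+R disabled"),
    ("explorer", "NoViewContextMenu", "right-click menu disabled in Explorer"),
    ("system", "DisableTaskMgr", "Task Manager disabled"),
    ("system", "NoDispCPL", "Display control panel hidden"),
]

SECTION = re.compile(r"^\[(-?)(.+)\]$")
DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text):
    """Return {(key, value name): int} for every dword in a .reg export.
    Names are lower-cased because the registry is case-insensitive."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            # "[-HKEY_...]" is a delete directive in .reg syntax, not data
            key = None if m.group(1) else m.group(2).lower()
            continue
        m = DWORD.match(line)
        if m and key:
            values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values


def audit(text):
    """Return (value name, description) for each restriction not in force."""
    values = parse_reg(text)
    findings = []
    for subkey, name, desc in REQUIRED:
        suffix = POLICY_ROOT + "\\" + subkey
        # endswith() also matches a hive exported from under HKEY_USERS\<SID>
        hits = [v for (k, n), v in values.items()
                if k.endswith(suffix) and n == name.lower()]
        if not hits or any(v != 1 for v in hits):
            findings.append((name, desc))
    return findings


# Constructed sample. Real exports are UTF-16, so read them with
# open(path, encoding="utf-16") before passing the text in.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoViewContextMenu"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"""

if __name__ == "__main__":
    for name, desc in audit(SAMPLE_EXPORT):
        print(f"MISSING {name}: {desc}")
```

Run it against an export taken while logged in as the student account, since these values live in the per-user hive and an administrator's own export says nothing about what students can do.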

Re:Well, speaking from experience... (1)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#16564988)

Tell teachers to supervise kids in computer labs. There was one lab at my old school which kids stole drives, memory, and fans from all the time simply because the teacher in that lab was incapable of monitoring his students. It was bemusing but also expensive.

I was in a university lab with the old Powermac G3 towers shortly after they were introduced. I don't know if you've ever seen them, but there was a handle on the side to open them. No screws, no tools needed, the side just hinged down taking half the internals out with it. It was so easy to steal the RAM I once jokingly told a sys admin assistant it was hot swappable and then had to stop him from yanking some out to test it :)

Get some hackers (2, Insightful)

Anonymous Coward | more than 7 years ago | (#16564722)

Between 1990 and 1996 I had a high school computer lab. It was a time when the school's computers were better than what most of the kids had at home. Thus there were lots of kids who wanted to stay after school to play with the school's machines. The deal was simple: You can do anything you want with the school's computer as long as it is available for use the next morning. It worked well. Other than hardware problems, I had approximately 100% up time. We never had a machine go down due to a virus. I also learned a lot about security for Win 3.1 and Win 95. Everyone benefitted.

The college where I work now uses Deep Freeze. I agree with several other posters: it's good. Before we got it, we had at least a couple of times when the school's entire network was down for days because of a virus. Since we got it there have been zero such problems.

A few Suggestions (1)

haplo21112 (184264) | more than 7 years ago | (#16564724)

1. Virus protection is a good start.
2. True limited user accounts where the students have only User level rights. Make accounts individual per user, you'll need a domain controller if there is not already one to accomplish this however. (Depending on scope you might be able to rededicate one of the machines as a DC)
3. Force password changes on a monthly basis, to help stop the passing around of passwords.
4. Secure the Domain Admin account, a good idea is share the account between two users, each with only half of the password.
5. Remove all local user accounts, and rename the local admin account, disable guest if it is enabled.
6. Content Filtering Proxy, if it can be budgeted for...
7. Microsoft SMS Server, but now things are starting to get expensive

Less is more (1)

Grakef (443124) | more than 7 years ago | (#16564734)

When I was going through High School and Junior High we took the "if you didn't need to see it or use it, you couldn't" approach. Internet access was limited by http://dansguardian.org/ [dansguardian.org] with a proxy at the Junior High level that only the teachers had the password for. This education system was paranoid about passwords too. I remember finding a password only to have it change by the end of the month. We used limited account access that only granted access to the programs that were needed. All labs had similar hardware so we made one static disk image with Norton Ghost for each lab. Should a teacher ever feel a computer was somehow compromised they just inserted the CD and bingo, clean working usable system again in about 15 mins or so. The internet filter is going to be the best bet though. Get that clamped down; block all ports but http/https for students. When they find out their games and music software don't work they will stop trying for the most part. Don't be afraid to make examples of students that are troublemakers; they know the teachers they can walk over and practice their malicious hacking on. YMMV per district, but last I checked computer time is still a privileged class; there is always the typewriters for typing skills classes.

disable right click (0)

Anonymous Coward | more than 7 years ago | (#16564770)

Disable the right click mouse button. When I was in high school, our teacher did this along with restrictive permissions on users.

requirements (1)

marimbaman (194066) | more than 7 years ago | (#16564790)

What is it used for?

Lock it down hard (3, Informative)

Shawn is an Asshole (845769) | more than 7 years ago | (#16564806)

Dealing with destructive high school students is one of the things I have to do. Here's a few things to keep in mind.

  • Use a domain.
  • Put all desktop and menu items in the netlogon/All Users folder.
  • After creating the user's profile and it's copied to the server, rename ntuser.dat to ntuser.man (means mandatory). Set Samba to disallow write access. This will prevent them from writing changes back to the server.
  • Use the administrative templates to lock down everything that can possibly be locked down. If you don't, some bastard will change it and you'll have to fix it. This can be scripted.
  • Make use of whatever lockdown features are available in your software. Believe me, you'll need it.
  • Install the Shared Computer Toolkit [microsoft.com]. It provides many additional lockdown features. Annoying thing about it, though, is that it requires the computer to be "validated". Not just activated. Make use of its "Disk Protection" feature.
  • Disable access to everything you possibly can, except what's needed.
  • Use optical mice. Keep many extras. Expect buttons to be torn off. Expect mice to be regularly stolen, so use cheap ones. Also expect paper or other garbage to be jammed into the sensor. That also applies to floppy drives and cdrom drives.
  • Keep many extra keyboards. Be prepared to spend time every week putting the keys back in the correct order. Keys will also be stolen.


Most of the students won't try to break things, but a few assholes will so you have to make sure they can do the least amount of damage possible. Unless, of course, you feel like cleaning things up daily.

You could also get an Active Directory domain and push the restrictions that way. I prefer to script it since I prefer to have my servers run Linux.

DriveShield! (1)

macpulse (823760) | more than 7 years ago | (#16564834)

We use DriveShield to secure around 5000 student PCs with WinXP at a community college. It works like a champ and doesn't seem to interfere with any known applications. http://www.centuriontech.com/products/driveshield/ [centuriontech.com] Users can manipulate the desktop, install software, change settings, and download potentially harmful files from the Internet! A simple reboot of the computer restores it back to the administrator's pre-defined pristine configuration. DriveShield(TM) and MacShield(TM) simply wipe the session changes free... leaving the computer like new. Additionally, DriveShield(TM) and MacShield(TM) protect the computer from viruses prior to discovery and remedy. When DriveShield disposes of the changes made to the computer, potentially harmful files such as worms, trojans, viruses and spyware are wiped free from the machine, never getting the opportunity to reach the hard drive.

Well, it depends... (1)

gQuigs (913879) | more than 7 years ago | (#16564894)

What do they use the computers for? If this is a programming lab, you have different needs than if this is a lab for English class. Any attempt at security should first begin with realizing what the user is supposed to be doing in the first place.

Of course, this is slashdot, so could you install Linux on a few of them just to give the kids a taste?

Dr. Hibbert says... (0)

Anonymous Coward | more than 7 years ago | (#16564896)

I prescribe fire ! And lots of it!

My solution as a HS teacher: (1)

SpoonDog_SVT (691767) | more than 7 years ago | (#16564932)

DriveShield [centuriontech.com] , which is what I used in my classroom lab. Allows you to manage the HD 'locks' from the network, as well as reboots, shutdowns, etc. Excellent product (Windows & Mac versions), excellent support (always very knowledgeable and friendly when needed), and mostly trouble-free. Only times I needed to call was to help recover licenses when client HDDs suddenly died for whatever reason. I'm sure this compares very similarly to DeepFreeze, just I'm not as familiar with that product.

possibly redundant suggestion (1)

Fry-kun (619632) | more than 7 years ago | (#16564982)

The best implementation of "protection" I've seen in schools was re-imaging the OS automatically over the network on every bootup. The students can do WHATEVER they want, (giving them the local admin access becomes safer, though still not recommended) - at logout the computer reboots and it is once again clean for the next user.
HD space is cheaper now, so you might be able to get away with a hidden partition for re-imaging. Problem is, what if they modify the hidden partition with something malicious?
As for speed, the implementation I've seen took an average time to boot up; if one wasn't looking at the screen they'd think it was regular windows installation. I'm guessing it wasn't re-imaging the WHOLE partition, just the parts that have been changed.
Don't remember the name of the software they used, though :(

two suggestions (2, Interesting)

DaveJay (133437) | more than 7 years ago | (#16565000)

First: get a router for all the computers to pass through, with a web site whitelist (like the cheap and widely available DLink 808HV or 404HV); tell students that if they want to access a site that's blocked, they have to ask permission for it to be unblocked. Over time, useful sites will fill the whitelist.

Second: install VNC as a service on all the machines, with a good password, and configured to not allow keyboard/mouse control. Then switch all students to non-administrator access so they can't turn it off (stop the service) or uninstall it. Finally, announce to each and every class that you have the capability to watch any desktop at any time remotely, and will basically be scanning through every desktop in the room regularly and punishing everyone caught doing stuff they shouldn't. Then DO IT, until the message sinks in that you're serious.

Third: over time, do consider switching to a more secure OS, provided it can support what you're trying to accomplish in the lab.

Fear is a good tool (1)

spacenut20 (171235) | more than 7 years ago | (#16565002)

If you catch one of the little buggers screwing around with a computer, cut off one of his/her fingers (your choice) and show it to the rest of the class as an example to what happens when you download party poker for the 1000th time...

That'll keep 'em in line >:)

Turn everything off (1, Troll)

bcmm (768152) | more than 7 years ago | (#16565064)

Students won't be able to do anything, so it will be totally secure. A lot of schools have had great successes with this approach.

Securing Windows for a lab (1)

wicked_little_critta (624800) | more than 7 years ago | (#16565072)

I run a grad-school lab, and what we do sounds a lot like what you need.

I think you're saying that you have a single account on each machine that every student logs in as. If that's the case, enable the "Guest" account [microsoft.com], and let students use that (passwordless) account to log in. The Guest account has the tightest restrictions, and most of the things you can change as Guest get wiped away by a simple reboot. This is what we do, with the systems set to automatically log in as Guest - see http://www.kellys-korner-xp.com/win_xp_passwords.htm [kellys-korner-xp.com] for details.

If I'm wrong, and you need individual accounts for each student, then you'll need Windows XP Pro on every machine and some flavor of domain controller (SaMBa [samba.org] does a dandy job for us). Make your student accounts members of the "Domain Guests" group, and voilà!

One other note: ditch the "administrator" account. It's trivial to find tools that will let a person reset the password of the default "administrator" account. Create another administrator-level account, then delete or disable "administrator".

This being Slashdot, somebody of course suggested that you "put Linux on it", but in this case they might be on the right track. We have a general-use lab that is running Ubuntu with Crossover Office, and the users are happy as clams (and these aren't techies, folks - these are writers, pastors, and chaplains). We use a single shared unprivileged account with automatic login (similar to what I described above for Windows), and everything works beautifully. It's also more stable than the Windows lab, which makes everybody happy!

Hardware solution (1)

jla0 (644106) | more than 7 years ago | (#16565080)

Here at the school I work, we always try to use a hardware solution. Right now we use Radix (http://www.radix-int.com/). It adds to the cost of the lab but it works 100% of the time. Deep Freeze is good but people have found ways to hack it in the past.. so for us it's not a 100% trouble free solution.