From: Arnott James M Contr AEDC/TEK (James.Arnottarnold.af.mil)
Date: Wed Oct 17 2001 - 07:30:39 CDT

    A migration to Windows 2000 would help a great deal in locking down the
    workstations. Now I am not sure if Froggy helped you with the internet
    tracking part of your question. There is software that you can use that will
    help in tracking, filtering, and so on. One possible solution is
    "http://www.internet-blocking.net/tracking_internet_use.htm". I am not
    endorsing any one product over another. But you might want to jump online
    and do some reading on such software. I know that in high school money is
    short. So I guess just as a thought you might want to try talking to some
    companies for some software support. I know that many companies would like
    to help local schools, and this might be a way that they can.
    I hope that this might help some.

    James Arnott
    Systems Administrator.

    -----Original Message-----
    From: Paul "Froggy" Schneider [mailto:pxs3po.cwru.edu]
    Sent: Tuesday, October 16, 2001 4:04 PM
    To: Jason F.; focus-mssecurityfocus.com
    Subject: Re: NT Server - 98 WkStn Highschool Lab - Help!

    I know that money is always an issue, so these suggestions
    may not be particularly helpful.

    First thing, ditch Win9x if possible. It offers no security
    benefits and no real ability to lock anything down. Without
    doing that everything else you try will be moot. Of course,
    you may also have packages and applications that only work
    on Win9x, in which case, you're mostly out of luck.

    Here where I work (Case Western Reserve University), I run
    a lab that, by and large, runs itself. I have a pair of
    NT 4 servers on the backend acting as domain controllers
    and (in this lab at least) 20 2K workstations (p2 400,
    128 MB RAM). Almost everything on the file system is
    read only and writable only by administrator. The exceptions
    to this are the profile directories and \tmp and \temp.

    This and this alone prevents almost all of the problems
    associated with running an "open" lab. It prevents the
    spread of viruses (although CURRENT antivirus software is still
    a must) and prevents stupid crap like deleting the start menu,
    moving icons and general buffoonery.

    Once you have that in place, using policy editor to restrict
    things down more is even possible. Note, though, that even
    with restrictions and limited privileges, students can still
    compile programs, surf the web, use Office and a host of other
    stuff necessary to being Computer Science students. One
    upside for me (and a downside for them) is that they can't
    install their own applications. The ability to do this is
    often a point of contention, and will probably be one in
    your environment. However, after a while, people realize that
    having computers that are reliable and do the job far outweighs
    the "convenience" of having control over the computers.
    Making sure that you do timely updates to the installed software
    is, of course, important. Making sure all of the machines are
    patched, etc., is still necessary.

    This brings me to my second point:

    Purchase Norton Ghost. Even if you avoid my advice about
    migrating to NT on the platforms, do this. At the very least,
    you can use ghost to quickly and somewhat painlessly redeploy
    and reinstall your clients every single day (if you want).
    If a computer gets messed up, just reghost it and all will
    be well (assuming your image is in OK shape!) Since you
    mentioned you're off-site many days, maybe delegating to do
    the reinstallations every day might be a solution. In a
    Win9x environment, it's quite painless. In NT/2K, Ghosting
    becomes tricky when you begin getting involved in domains.
    Teaching someone how to use the ghost multicast server and
    showing them how to put (correctly configured) boot disks
    into machines isn't that tough.

    Short of that, you'll have to look far and wide for other
    solutions. None of them outlined here are free nor super
    easy if you're short on time. However, in the long run, the
    benefits definitely DO outweigh the costs involved. The
    licensing terms for Ghost are really quite affordable and they
    offer generous educational discounts.

    In terms of "keeping track of users", if you're using NT/2K,
    roaming profiles will fit the bill nicely. Likewise, even
    with different software on each machine, it shouldn't be a
    problem. Students using our department's Windows servers can
    log into any number of labs, each having different applications
    installed. Those settings are stored usually in the "all users"
    portion of the local profile, which is mixed in with the user's
    own profile each time they log in.

    If you have any questions, ping me and I'll do my best to
    answer them.

    Cheers and good luck.

    - Froggy

    ----- Original Message -----
    From: "Jason F." <mistertumnusyahoo.com>
    To: <focus-mssecurityfocus.com>
    Sent: Monday, October 15, 2001 6:50 PM
    Subject: NT Server - 98 WkStn Highschool Lab - Help!

    > I administer several labs in a rural school division.
    > I am often not in these labs for days at a time and
    > often chaos has ensued-i.e. - saved user profiles,
    > deleted icons and programs, file renaming, etc... I
    > did not set up this lab and am wondering the best way
    > to reconfigure it, using the existing technology. Any
    > suggestions? Here's the specs:
    >
    > -WINNT 4 Server - latest Service Packs
    >
    > - Windows 98 - First Edition - (yes, we were right on
    > the ball buying the latest MS OS back in '98!)
    >
    > - Security by Policy Editor and Group Policies - I
    > like being able to control some things with this but I
    > apparently must have user profiles enabled to use
    > Poledit and this allows users to save their profiles
    > which means when they screw something up and can't get
    > it to work the next time they log on a teacher will
    > tell me that the computer is broken
    >
    > - I'd also like to be able to keep track of where each
    > individual user goes on the Internet - when I check
    > cookie files - every user has the same cookies for
    > some reason
    >
    > - I'd like to give everybody the same desktop but some
    > computers have different programs on them than others
    >
    > Well those are my main security issues, if anyone has
    > any hints or suggestions I'd greatly appreciate it.
    >
    > Thanks,
    > Jason Forester
    > Computer Technician