What is the most sensible and non-expensive way to separate the student and teacher areas of a secondary school LAN?

Posted on 2004-11-30
Last Modified: 2010-04-11
Here in Norway, the school authorities recommend that we use two separate networks for students and teachers.

But is that really necessary?

Isn't it enough with a single 2003 server domain, well set up group policies and permissions? A password on the BIOS. Use a group policy to force student PCs to log onto the domain. (Although I'm not sure how to hinder student access at the DOS level.)

We have a small school with only 35 computers.  Both students and teachers need access to the internet from one broadband connection.

Since we are not running any web or email servers out to the public internet, is it really necessary to buy a hardware firewall?  They are so expensive.  We just have a basic NAT broadband modem.

If we have two separate networks, then as far as I understand, we will need 2 servers instead of one, and a hardware firewall with 2 or 3 legs to separate the two networks whilst giving both access to the internet.  All of this is going to be much more expensive!!

What do you guys do in other SMALL schools???

I would really value some well informed advice on how to set it up, from those of you in the know.
Question by:Alistair7

Assisted Solution

magus123 earned 450 total points
ID: 12709965
The question is why they believe 2 networks are better than just 1.
Also, it is possible to set up 2 networks with 2 different IP schemes in the same room. It's more work and, depending on how you set it up, they can either be separated entirely until you hit your internet connection or bound in a way where they coincide together, which is a headache to work with.

Review your pros and cons:

1. cost value
2. overall efficiency
3. cost of maintenance
4. possible pros for separation

(although I'm not sure how to hinder student access at the DOS level)
1. BIOS password
2. remove BIOS bootable options and boot to C: or OS partition, remove floppy and CD-ROM option
3. lock tower
4. disable USB use
5. use GPOs to create a more restricted desktop, where all they're allowed to do is run items from the Start menu and maybe save items to My Documents.
6. remove the Run command
7. disallow CD-ROM access, and startup options
8. 1 month scan for virus, malware, adaware
9. try to hack yourself into the system with the security in place.
10. remove right-click option
11. audit "success" on valuable data on your teachers' systems. Track PC.

There are more options, but you get the idea.
Hopefully someone can give you better insight on separation of student and teacher.

Author Comment

ID: 12710176
I guess my basic questions are:

Isn't a single 2003 domain, with one subnet, secure enough to stop secondary students gaining access to teacher computers?

And do we really need an expensive hardware firewall when we have no web server or mail server? (I have used Zonealarm, Adaware, Winpatrol, etc.) But only Winpatrol is free for use in a school setting.

Expert Comment

ID: 12714148
It is not necessary to have an expensive hardware firewall: use a cheap PC with two NICs and install Smoothwall on it. It is really simple to set up even if you don't know anything about Linux, free (and Open Source) and has great documentation.

Assisted Solution

elbereth21 earned 525 total points
ID: 12714175
You can also configure Smoothwall to work as a proxy, which would be a benefit in a school to control access to the internet and to speed up many operations.
As for your domain, I think you could simply disable login for the students on some machines, that will be used only by teachers, then protect shares (use subinacl.exe downloadable freely from Microsoft and maybe DumpAcl, also free, from http://www.systemtools.com/somarsoft to have a report of the permissions you already gave). Other than this, use sound group policies and you should be done.
Hope it helps, Elbereth.

Accepted Solution

Leon Fester earned 525 total points
ID: 12716222
You can easily use Windows 2K3 with group-level security: add your students to 1 group (user permissions only) and your teachers to another group. Check that only the teachers group has access to their PC. You can check that on the security tabs of your folders. Just also remember your default shares if using Windows 2K on your desktops. In your default domain policy on your Active Directory, you can further secure your workstations by modifying the "Allow log on locally" option. To find your group policy in Active Directory, right-click the domain name, click Properties, click Group Policy, click Edit. You should then enter an MMC console screen. Drill down as follows: Computer Configuration - Windows Settings - Security Settings - Local Policies - User Rights Assignment. Here you will find a whole host of options to restrict user logins and their security across the whole domain. Just check out the help if you get stuck... Microsoft did some decent work on the help here.
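
The "Allow log on locally" restriction suggested in the two answers above can be verified after it is applied. The following is an added example, not code from the thread: it parses the user-rights section of a secedit export taken on a teacher PC and reports whether a student's logon token would still be allowed in. The export command, the Teachers/Students group names and all SIDs are assumptions made for the illustration.

```python
# Added example: audit "Allow log on locally" from a secedit export.
# Assumed export command (run on the PC being checked):
#   secedit /export /cfg policy.inf /areas USER_RIGHTS
# secedit normally writes UTF-16, so read a real file with encoding="utf-16".
# All SIDs below are constructed sample values.

ALLOW = "SeInteractiveLogonRight"      # "Allow log on locally"
DENY = "SeDenyInteractiveLogonRight"   # "Deny log on locally"
USERS = "S-1-5-32-545"                       # built-in Users group
TEACHERS = "S-1-5-21-1111-2222-3333-1105"    # hypothetical Teachers group
STUDENTS = "S-1-5-21-1111-2222-3333-1106"    # hypothetical Students group

# Constructed: teacher PC where Users may still log on (students included).
LOOSE_PC = """[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
"""
# Constructed: teacher PC restricted to Administrators and Teachers.
TIGHT_PC = """[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111-2222-3333-1105
SeDenyInteractiveLogonRight = *S-1-5-21-1111-2222-3333-1106
"""

def parse_privilege_rights(text):
    """Return {right_name: set of principals} from [Privilege Rights]."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs carry a leading '*'; unresolved account names appear bare.
            rights[name.strip()] = {p.strip().lstrip("*").upper()
                                    for p in value.split(",") if p.strip()}
    return rights

def can_log_on_locally(rights, token_sids):
    """token_sids: the user's SID plus every group SID in the logon token."""
    sids = {s.upper() for s in token_sids}
    if sids & rights.get(DENY, set()):   # a deny entry always wins
        return False
    return bool(sids & rights.get(ALLOW, set()))

def students_can_log_on(export_text):
    """Students are domain users, so their token also carries Users."""
    return can_log_on_locally(parse_privilege_rights(export_text),
                              [STUDENTS, USERS])
```

The loose sample shows the case that is easy to miss: putting students in their own group changes nothing while the built-in Users group remains in the allow list on the teacher PC.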
