Solved

Student Lab

Posted on 2006-06-05
Last Modified: 2010-05-18
I would like some suggestions on re-doing a student lab. Currently we have 10 PC’s with Win 98 on some and Win 2000 on others. The lab is completely separate from the network that the employees use and that is a Windows 2003 domain mainly because of the threat of viruses and spyware/adware. There are a few things that I would like to address when updating the lab. It is a workgroup network and the students wreak havoc in the OS’s of the computers. They install all kinds of programs and change so many Windows settings that we often have to reload the OS. Spyware/adware and viruses have been a big problem. So basically I would like to be able to centrally manage the computers, have the ability to block inappropriate websites, block spyware/adware, manage viruses and lock down the computers. We will be purchasing all new PC’s so the OS will be XP but if there are other options like some type of thin client that would be nice to know other options. Thanks for your help.
Question by:jmoody
20 Comments
 
LVL 9

Expert Comment

by:jabiii
ID: 16834744
You need to use a proxy server for web management.
And if they are on a domain, give them a user account in the user group with no install rights.
Or give them local user rights with no privileges.
0
 
LVL 7

Expert Comment

by:ieden
ID: 16836154
Get GhostEnterprise and set the task to reimage the PC's every weekend. That way anything on the PC's is wiped clean and the kiddies enjoy the whole week of a brandy spankin new OS to mess with. Tell them the PC's belong to the school and any content saved to the HDD's is subject to deletion every weekend.
0
 
LVL 5

Expert Comment

by:The_IT_Garage
ID: 16836366
We have a student lab (7 PC's), with the same issues! In addition to the above, when creating the user accounts create mandatory roaming profiles - changes they make will not be saved when they log off and the profile is stored on the server where you can make duplicates / backups at will
http://support.microsoft.com/default.aspx?scid=kb;en-us;307800

In addition Jabiii is right, make them only a member of the User group and not Power User or local admin. Use GPO's to further lock down the desktops.

We have had no issues after implementing the above scenario + installing Spybot and updating / scanning regularly.

You will need a firewall that will allow you to block websites as well as monitor where they go. For AV grab some centrally manageable solution (some of our clients use Trend Micro, others use Symantec).

Ieden's solution I have not heard of before but sounds viable as well.
0
 
LVL 9

Expert Comment

by:jabiii
ID: 16836445
I've seen labs that do either, and they both work well. Both will require a firewall/proxy.

1) lock down the accounts
2) rebuild the boxes daily/weekly
3) both


Locking the accounts, using a proxy server or firewall or both, and running a spybot as ITG said is probably your best bet.
0
 

Author Comment

by:jmoody
ID: 16836944
The user accounts that they use are in the user group and not power or admin and that does not stop the spyware. I have not had much luck with spybot. Since I'm not at the site very often and GPO's aren't very user friendly, are there any good software apps that can lock down the desktops so that someone with not much computer experience can manage how they want the computers locked down?
0
 
LVL 5

Expert Comment

by:The_IT_Garage
ID: 16839651
Mandatory user profiles will help keep things consistent. As for Group Policy...

GPMC installs on Server 2003 and is a HUGE improvement for managing group policy: http://tinyurl.com/6c8a8 . One view gives you a summary of only GPO changes from the default settings. Your situation sounds again similar to ours as the student site we deal with we are onsite perhaps 1hr every 3 months.

** HIGHLY RECOMMEND GPMC **

If that's too much, TweakUI can be used to lock things down, but via GPO is better. With Windows 2003 Server and Windows XP you can REALLY lock down the PC's, especially vs the Windows 98 machines.

Other thoughts: At a public library site we lock down IE into a "KIOSK" mode, remap the keys so CTRL+ALT+DEL doesn't work (in this case it's CTRL + HOME + DEL, but it sucks if you're used to the HOME key!), etc.


0
 
LVL 5

Expert Comment

by:kevinf40
ID: 16841123
The Microsoft shared computer tool kit for Windows XP contains the tools and information you need to lock these machines down, read the details and download the msi from here:

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sct/default.mspx

We have used these tools to lock down internet cafe pc's provided in the canteen of our office to good effect.

Bear in mind you'll need to trade off usability / safety - depending on what you want the users to be able to do.

Combine this with automated re-builds e.g. using something like ghost and you should have few issues.

Obviously ensure all the machines have AV and anti-spyware.

Also use a proxy server of some sort (e.g. squid) to allow logging and control of users web access - apart from issues with inappropriate content this is of less concern when the users are running in a very restricted way as they will be able to do far less to harm the machines.

cheers

Kevin
0
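Added example, not part of the original thread: one way to use the proxy logging mentioned above is to summarise which lab workstations keep hitting blocked destinations. It assumes Squid's default native `access.log` layout; the sample lines, addresses, host names and function names are constructed for illustration.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client result/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1149500001.123    210 192.168.10.11 TCP_MISS/200 5120 GET http://mail.example.edu/inbox - DIRECT/203.0.113.10 text/html
1149500002.456      2 192.168.10.12 TCP_DENIED/403 1450 GET http://toolbar.example.net/setup.exe - NONE/- text/html
1149500003.789      1 192.168.10.12 TCP_DENIED/403 1450 GET http://toolbar.example.net/update.cab - NONE/- text/html
1149500004.000      3 192.168.10.15 TCP_DENIED/403 1400 CONNECT games.example.org:443 - NONE/- -
1149500005.500    180 192.168.10.15 TCP_HIT/200 20480 GET http://tests.example.edu/quiz1 - NONE/- text/html
not a log line
"""

def host_of(method, url):
    """Return the destination host; CONNECT lines carry host:port, not a URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def denied_by_client(log_text):
    """Map each client IP to a Counter of hosts the proxy refused."""
    report = defaultdict(Counter)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # skip truncated or malformed lines
        client, result, method, url = fields[2], fields[3], fields[5], fields[6]
        if result.split("/")[0] == "TCP_DENIED":
            report[client][host_of(method, url)] += 1
    return dict(report)

def noisiest_clients(report, threshold=2):
    """Workstations with at least `threshold` denied requests, busiest first."""
    totals = {c: sum(hosts.values()) for c, hosts in report.items()}
    return sorted((c for c, n in totals.items() if n >= threshold),
                  key=lambda c: (-totals[c], c))

if __name__ == "__main__":
    rep = denied_by_client(SAMPLE_LOG)
    for client in noisiest_clients(rep, threshold=1):
        print(client, dict(rep[client]))
```

A workstation that repeatedly requests blocked installers is a good candidate for an early re-image or a closer look at its account restrictions.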
 

Author Comment

by:jmoody
ID: 16843486
Thanks, I will check out GPMC and XP shared computer tool kit. I have the AV covered but am still looking at anti-spyware options.
0
 
LVL 11

Expert Comment

by:prueconsulting
ID: 16844845
Take a look at DeepFreeze, it basically locks a system configuration and when you reboot it goes back to that configuration. So basically they can install / regedit / whatever and then a restart freshens it all up and back to normal.
0
 

Author Comment

by:jmoody
ID: 16848193
That deepfreeze looks great I am downloading now to try it out but looks like it may be a great solution. That and a good proxy or internet filter may be just what I am looking for. Any suggestions on an Internet filter?
0
 
LVL 7

Expert Comment

by:ieden
ID: 16848216
Make sure you have restore points turned off on the workstations as this is a favorite hiding spot for spyware and viruses. A proxy server could also aid in fending off spyware as you can get plugins to block them and their installer programs.
0
 
LVL 5

Expert Comment

by:kevinf40
ID: 16850135
jmoody

try squid for your proxy - open source and very well supported.

cheers

Kevin
0
 

Author Comment

by:jmoody
ID: 16851376
I will take a look at squid. Thanks.
0
 
LVL 2

Expert Comment

by:Psyco_666
ID: 16886525
Jmoody - What is the Lab used for?

This looks like an excellent chance for you to up your Linux knowledge!! :-)
0
 

Author Comment

by:jmoody
ID: 16889789
It is used for checking email, web surfing, word processing, and taking some tests that are on CD and on a web site. I thought about that but we are short on staff and not much time to learn different OS's. We can barely keep up as it is.
0
 
LVL 2

Expert Comment

by:Psyco_666
ID: 16892959
Believe me, I understand that! :-)

You sound like you want to keep things very separate though. For the MS solution, maybe a dual homed server that could sit between the LAB and your current domain. Create it as a new tree in your forest and put Internet Acceleration Server on it to control the web through your current ISP.

That should allow you to manage any of the PC's from anywhere in the domain, with the correct setup.
0
 

Author Comment

by:jmoody
ID: 16893867
That's funny that you mentioned that. It was originally set up that way before I got there when the servers were NT. They had some issues with a few students that got into the other side of the network and caused some problems. Shortly the network was upgraded to Windows 2003 and the lab was separated. They are very nervous about doing that again so I haven't thought about it much but it is something to consider. I don't remember much about Windows NT but I'm sure that Internet Acceleration Server is much better than what was on NT.
0
 
LVL 2

Expert Comment

by:Psyco_666
ID: 16893979
IAS is the Proxy server 2.0 replacement.

Technically it's a viable solution in my eyes, as you say though you would have to be very careful in terms of security. But I think with the firewall on the server ONLY allowing connections to your internal internet gateway it would be fine. Doing this however would mean that you would have no forest and you would have to manage the computers physically from the lab as a separate domain.
0
 
LVL 11

Accepted Solution

by:
prueconsulting earned 2000 total points
ID: 16897349
If you are looking at content filtering solutions there are many such as WebSense, Surf Control etc. which interface with Squid and/or other firewall products.


0
 

Author Comment

by:jmoody
ID: 17068763
Sorry for the delay with the points. I used the deepfreeze that prueconsulting suggested and it seems to be working great. Thanks for everyone's help.
0
