
Student Lab

I would like some suggestions on re-doing a student lab. Currently we have 10 PCs with Win 98 on some and Win 2000 on others. The lab is completely separate from the network that the employees use and that is a Windows 2003 domain mainly because of the threat of viruses and spyware/adware. There are a few things that I would like to address when updating the lab. It is a workgroup network and the students wreak havoc in the OSes of the computers. They install all kinds of programs and change so many Windows settings that we often have to reload the OS. Spyware/adware and viruses have been a big problem. So basically I would like to be able to centrally manage the computers, have the ability to block inappropriate websites, block spyware/adware, manage viruses and lock down the computers. We will be purchasing all new PCs so the OS will be XP but if there are other options like some type of thin client that would be nice to know other options. Thanks for your help.
Asked by: jmoody
 
jabiii Commented:
You need to use a proxy server for web management.
And if they are on a domain, give them a user account in the user group with no install rights.
Or give them local user rights with no privileges.
 
ieden Commented:
Get GhostEnterprise and set the task to reimage the PCs every weekend. That way anything on the PCs is wiped clean and the kiddies enjoy the whole week of a brandy spankin new OS to mess with. Tell them the PCs belong to the school and any content saved to the HDDs is subject to deletion every weekend.
 
The_IT_Garage Commented:
We have a student lab (7 PCs), with the same issues! In addition to the above, when creating the user accounts create mandatory roaming profiles - changes they make will not be saved when they log off and the profile is stored on the server where you can make duplicates / backups at will.
http://support.microsoft.com/default.aspx?scid=kb;en-us;307800

In addition Jabiii is right, make them only a member of the User group and not Power User or local admin. Use GPOs to further lock down the desktops.

We have had no issues after implementing the above scenario + installing Spybot and updating / scanning regularly.

You will need a firewall that will allow you to block websites as well as monitor where they go. For AV grab some centrally manageable solution (some of our clients use Trend Micro, others use Symantec).

Ieden's solution I have not heard of before but sounds viable as well.

 
jabiii Commented:
I've seen labs that do either, and they both work well. Both will require a firewall/proxy.

1) lock down the accounts
2) rebuild the boxes daily/weekly
3) both


Locking the accounts, using a proxy server or firewall or both, and running a spybot as ITG said, is probably your best bet.
 
jmoody (Author) Commented:
The user accounts that they use are in the user group and not power or admin and that does not stop the spyware. I have not had much luck with spybot. Since I'm not at the site very often and GPOs aren't very user friendly are there any good software apps that can lock down the desktops so that someone with not much computer experience can manage how they want the computers locked down?
 
The_IT_Garage Commented:
Mandatory user profiles will help keep things consistent. As for Group Policy...

GPMC installs on Server 2003 and is a HUGE improvement for managing group policy: http://tinyurl.com/6c8a8 . One view gives you a summary of only GPO changes from the default settings. Your situation sounds again similar to ours as the student site we deal with we are onsite perhaps 1hr every 3 months.

** HIGHLY RECOMMEND GPMC **

If that's too much TweakUI can be used to lock things down, but via GPO is better. Windows 2003 Server and Windows XP you can REALLY lock down the PCs, especially vs the Windows 98 machines.

Other thoughts: At a public library site we lock down IE into a "KIOSK" mode, remap the keys so CTRL+ALT+DEL doesn't work (in this case it's CTRL + HOME + DEL, but it sucks if you're used to the HOME key!), etc.


 
kevinf40 Commented:
The Microsoft shared computer tool kit for Windows XP contains the tools and information you need to lock these machines down, read the details and download the msi from here:

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sct/default.mspx

We have used these tools to lock down internet cafe PCs provided in the canteen of our office to good effect.

Bear in mind you'll need to trade off usability / safety - depending on what you want the users to be able to do.

Combine this with automated re-builds e.g. using something like ghost and you should have few issues.

Obviously ensure all the machines have AV and anti-spyware.

Also use a proxy server of some sort (e.g. squid) to allow logging and control of users web access - apart from issues with inappropriate content this is of less concern when the users are running in a very restricted way as they will be able to do far less to harm the machines.

cheers

Kevin
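The proxy logging suggested above can be reviewed with a short script. This is an added example, not part of the original thread: it assumes Squid's default native access.log format, and the lab subnet, hostnames and log lines are constructed for illustration.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log format; the lab subnet
# 192.168.50.0/24 and every hostname here are made up for illustration.
SAMPLE_LOG = """\
1118323200.101     85 192.168.50.11 TCP_MISS/200 5120 GET http://mail.example.edu/inbox - DIRECT/203.0.113.10 text/html
1118323205.412      2 192.168.50.12 TCP_DENIED/403 1410 GET http://freegames.example.net/setup.exe - NONE/- text/html
1118323209.873      1 192.168.50.12 TCP_DENIED/403 1410 GET http://freegames.example.net/toolbar.exe - NONE/- text/html
1118323230.007     40 192.168.50.13 TCP_MISS/200 88211 GET http://downloads.example.org/screensaver.exe - DIRECT/203.0.113.20 application/octet-stream
1118323244.550      3 192.168.50.11 TCP_DENIED/403 1410 CONNECT chat.example.com:443 - NONE/- text/html
this line is truncated
"""

INSTALLER_EXTENSIONS = (".exe", ".msi")

def parse_line(line):
    """Return a dict for one native-format line, or None if malformed."""
    parts = line.split()
    if len(parts) < 10 or "/" not in parts[3]:
        return None
    result = parts[3].split("/", 1)[0]       # e.g. TCP_MISS, TCP_DENIED
    url = parts[6]
    if "://" in url:
        split = urlsplit(url)
        host, path = split.hostname or "", split.path
    else:                                    # CONNECT logs "host:port"
        host, path = url.rsplit(":", 1)[0], ""
    return {"client": parts[2], "result": result, "url": url,
            "host": host, "path": path}

def summarise(log_text):
    """Blocked hosts per workstation, plus installers that got through."""
    denied = defaultdict(Counter)
    installers = []
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            skipped += 1                     # count, do not silently drop
        elif entry["result"] == "TCP_DENIED":
            denied[entry["client"]][entry["host"]] += 1
        elif entry["path"].lower().endswith(INSTALLER_EXTENSIONS):
            installers.append((entry["client"], entry["url"]))
    return {"denied": {c: dict(h) for c, h in denied.items()},
            "installers": installers, "skipped": skipped}

if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```

Installers that were allowed through are the entries worth adding to the proxy's block rules; a high skipped count suggests the log is not in the native format.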
 
jmoody (Author) Commented:
Thanks, I will check out GPMC and XP shared computer tool kit. I have the AV covered but am still looking at anti-spyware options.
 
prueconsulting Commented:
Take a look at DeepFreeze, it basically locks a system configuration and when you reboot it goes back to that configuration. So basically they can install / regedit / whatever and then a restart freshens it all up and back to normal.
 
jmoody (Author) Commented:
That deepfreeze looks great I am downloading now to try it out but looks like it may be a great solution. That and a good proxy or internet filter may be just what I am looking for. Any suggestions on an Internet filter?
 
ieden Commented:
Make sure you have restore points turned off on the workstations as this is a favorite hiding spot for spyware and viruses. A proxy server could also aid in fending off spyware as you can get plugins to block them and their installer programs.
 
kevinf40 Commented:
jmoody

try squid for your proxy - open source and very well supported.

cheers

Kevin
 
jmoody (Author) Commented:
I will take a look at squid. Thanks.
 
Psyco_666 Commented:
Jmoody - What is the Lab used for?

This looks like an excellent chance for you to up your Linux knowledge!! :-)
 
jmoody (Author) Commented:
It is used for checking email, web surfing, word processing, and taking some tests that are on CD and on a web site. I thought about that but we are short on staff and not much time to learn different OSes. We can barely keep up as it is.
 
Psyco_666 Commented:
Believe me I understand that! :-)

You sound like you want to keep things very separate though. For the MS solution, maybe a dual homed server that could sit between the LAB and your current domain. Create it as a new tree in your forest and put Internet Acceleration Server on it to control the web through your current ISP.

That should allow you to manage any of the PCs from anywhere in the domain, with the correct setup.
 
jmoody (Author) Commented:
That's funny that you mentioned that. It was originally set up that way before I got there when the servers were NT. They had some issues with a few students that got into the other side of the network and caused some problems. Shortly the network was upgraded to Windows 2003 and the lab was separated. They are very nervous about doing that again so I haven't thought about it much but it is something to consider. I don't remember much about Windows NT but I'm sure that Internet Acceleration Server is much better than what was on NT.
 
Psyco_666 Commented:
IAS is the Proxy server 2.0 replacement.

Technically it's a viable solution in my eyes, as you say though you would have to be very careful in terms of security. But I think with the firewall on the server ONLY allowing connections to your internal internet gateway it would be fine, doing this however would mean that you would have no forest and you would have to manage the computers physically from the lab as a separate domain.
 
prueconsulting Commented:
If you are looking at content filtering solutions there are many such as WebSense, Surf Control etc. which interface with Squid and/or other firewall products.


 
jmoody (Author) Commented:
Sorry for the delay with the points. I used the deepfreeze that prueconsulting suggested and it seems to be working great. Thanks for everyone's help.