Solved

How to stop students installing local applications

Posted on 2007-04-10
7
486 Views
Last Modified: 2013-12-04
Hi,
I have a colleague who wants me to lock down the client machines in a particular room, because the
students keep installing MSN, Limewire etc. on the computers.
It's a Windows 2000 AD network. When a student logs in from the client it maps a drive to the server which points to their home directory (H). The login script also sets up the nearest printer according to location. The users only need access to the printer in the local area (Student Room). I understand (from the last company) that not giving administrator rights to the local machines for the students inhibits this script from running and therefore problems occur. Is there a way to stop the students installing all these programs without preventing them working properly?

Hope you can help

0
Question by:dlloyd37
7 Comments
 
LVL 2

Expert Comment

by:couritech
Modify the group policy rights on the server they log in to and put the users in the .man group for the machine ID when they log in. You can grant the admin right if you have to (but that doesn't sound correct for an AD 2000 environment?). You can disable the right to modify or upload programs and specifically block these ports on your routers from opening. That prevents any local hardware programs completely.

Also go to this link and search for all the file sharing ports you can block - Gnutella, P2P, Limewire, etc. - and block them at your perimeter routers. There is no requirement for these ports to be open on a school system for any reason.

I take it a step further and run a base image of Ghost every morning via a pushed login prompt when the machine boots. That means it deletes anything that got run the day before in case you get a very knowledgeable student. You can also block specific programs from loading on your system by naming them in the internet hosts black list in a hosts file. If your .man profile specifies the reading of this list you'd be hard pressed to find many students who can find their way around that.
0
 
LVL 2

Accepted Solution

by: couritech (earned 500 total points)
You may also find this site helpful  - http://www.holland-consulting.net/tech/imblock.html

and here is a pretty good list of Ports and the directions they should be blocked on a campus network:

The following ports are ones we definitely block or redirect on our DNS servers; this may help:
This report is generated from the access-list filters that are implemented
in the on-campus "edge" routers, which control traffic ...

   E: between the campus and the external world, and
   R: between the campus and OurNet, and between the OurNet subnets

   .----------.             .--------.             .--------.
   | external |  <---E--->  | campus |  <---R--->  | OurNet |
   '----------'             '--------'             '--------'

The assigned uses of the ports are registered by the Internet Assigned
Numbers Authority in its file http://www.iana.org/assignments/port-numbers
which was last updated 2007-04-05. However, some applications are
subversive; they ignore the IANA assignment and use that port for their
own illegitimate purposes.

=========================================================================

In the "deny" lists, a protocol or port is being blocked because it is
known to be a vehicle for scanning for or exploiting vulnerabilities, or
is used by applications that cause excessive network load that is not
relevant to OurNet's mission of advancing learning and knowledge through
teaching, research, and scholarship. (In a few cases, exceptions are made
to enable communication with specific essential campus servers.)


deny TO any OurNet computer FROM any non-OurNet computer ...

  IP protocol   port  condition
  -----------  -----  -----------------------------------------
          any    any  unless initiated by the OurNet computer


deny FROM any OurNet computer TO campus ...

  IP protocol   port  SANS or IANA name [description]
  -----------  -----  -----------------------------------------
          tcp    135  loc-srv [NCS Location Service], to ...
          ...    139  SMBRelay
          udp    135  loc-srv [NCS Location Service], to ...
          ...      ?  netbios-ss
          udp    445  microsoft-ds [Win2k+ Server Message Block]
          tcp    445  microsoft-ds [Win2k+ Server Message Block]
          tcp    593  http-rpc-epmap [HTTP RPC Ep Map]


deny FROM any OurNet computer TO anywhere ...

  IP protocol   port  SANS or IANA name [description]
  -----------  -----  -----------------------------------------
          udp    161  snmp
          udp    162  snmptrap
          udp    514  syslog
          udp    520  route [router routed -- RIP]


deny FROM any external computer TO campus ...

  IP protocol   port  SANS or IANA name [description]
  -----------  -----  -----------------------------------------
         icmp      -  echo
           53      -  -
           77      -  -
         icmp      -  redirect
          tcp      0  - [Reserved]
          udp      0  - [Reserved]
           55      -  -
         icmp      -  -
          tcp      -  cmd
          udp      7  echo
          udp     19  chargen [Character Generator]
          udp     42  name [Host Name Server]
          tcp     42  name [Host Name Server]
          tcp     53  domain [[trojan] Lion]
          udp     69  tftp [Trivial File Transfer]
          tcp     79  finger [[trojan] Firehotcker]
          tcp     87  priv-term-l [any private terminal link  ttylink]
          tcp    111  sunrpc [portmapper  rpcbind]
          udp    111  sunrpc [portmapper  rpcbind]
          tcp    135  loc-srv [NCS Location Service], to ...
          ...    139  SMBRelay
          udp    135  loc-srv [NCS Location Service], to ...
          ...      ?  netbios-ss
          udp    161  snmp
          udp    162  snmptrap
          tcp    177  xdmcp [X Display Manager Control Protocol]
          udp    177  xdmcp [X Display Manager Control Protocol]
          tcp    412  synoptics-trap [Trap Convention Port]
          tcp    445  microsoft-ds [Win2k+ Server Message Block]
          tcp    512  exec [BSD rexecd(8)]
          udp    512  comsat
          tcp    513  login [[trojan] Grlogin]
          udp    513  who [BSD rwhod(8)]
          udp    514  syslog
          tcp    515  Ramen [[trojan] Ramen]
          tcp    540  uucp [uucpd]
          tcp    707  borland-dsj [Borland DSJ]
          tcp   1034  activesync [ActiveSync Notifications]
          udp   1214  Grokster [Grokster file sharing app]
          tcp   1214  Grokster [Grokster file sharing app]
          tcp   1433  ms-sql-s [Microsoft-SQL-Server]
          udp   1434  ms-sql-m [Microsoft-SQL-Monitor]
          tcp   1521  oracle-tns [TNS Listener]
          udp   1900  ssdp
          udp   1978  unisql
          udp   2002  slapper [[trojan] Peer-to-peer UDP DDoS (PUD) (used by OpenSSL/Apache "Slapper" worm)]
          udp   2049  shilp
          tcp   2049  shilp
          tcp   2100  amiganetfs
          tcp   2535  madcap
          tcp   2556  nicetec-nmsvc
          tcp   2745  urbisnet
          tcp   2967  ssc-agent
          tcp   3127  ctx-bridge [CTX Bridge Port]
          tcp   3306  mysql
          tcp   3531  joltid
          udp   4156  stat-results [STAT Results]
          tcp   4444  SwiftRemote [[trojan] Swift Remote]
          tcp   4661  eDonkey2000 [eDonkey2000 Server Default Port], to ...
          ...   4665  contclientms
          udp   4661  kar2ouche [Kar2ouche Peer location service], to ...
          ...   4665  eDonkey2000
          tcp   4751  spocp [Simple Policy Control Protocol]
          tcp   4899  radmin [Remote Administrator default port]
          tcp   5000  upnp [Universal Plug and Play]
          tcp   5554  sgi-esphttp [SGI ESP HTTP]
          tcp   5634  -
          tcp   6000  TheThing [[trojan] The Thing], to ...
          ...   6063  x11
          tcp   6050  x11 [X Window System]
          udp   6051  x11 [X Window System]
          tcp   6051  x11 [X Window System]
          tcp   6070  messageasap
          tcp   6101  backupexec [Veritas Backup Exec Advertiser]
          tcp   6106  mpsserver [MPS Server]
          tcp   6129  -
          tcp   6346  gnutella [gnutella (bearshare, limewire, etc.)], to ...
          ...   6349  ?
          udp   6346  gnutella [gnutella (bearshare, limewire, etc.)], to ...
          ...   6349  ?
          tcp   6355  pmcs [PMCS applications]
          tcp   6699  WinMX [WinMX file sharing app]
          tcp   6777  -
          tcp   6881  -, to ...
          ...   6889  ?
          tcp   7937  -, to ...
          ...   7939  ?
          tcp   8099  -
          tcp   8866  -
          tcp   9996  palace-5
          tcp  10000  OpwinTRojan [[trojan] OpwinTRojan]
          tcp  12345  X-bill [[trojan] X-bill]
          tcp  12346  X-bill [[trojan] X-bill]
          tcp  19909  -
          udp  22321  -
          tcp  31337  psybnc [[trojan] psybnc]
          tcp  36794  -
          udp  41170  -
          tcp  41523  -
          udp  41524  ArcServe [Arc Serve (looks for license violations)]


deny FROM campus TO any external computer ...

  IP protocol   port  SANS or IANA name [description]
  -----------  -----  -----------------------------------------
           53      -  -
           77      -  -
         icmp      -  echo-reply
         icmp      -  redirect
          tcp      0  - [Reserved]
          udp      0  - [Reserved]
           55      -  -
         icmp      -  -
          tcp      -  cmd
          udp      7  echo
          udp     19  chargen [Character Generator]
          udp     42  name [Host Name Server]
          tcp     42  name [Host Name Server]
          udp     69  tftp [Trivial File Transfer]
          tcp     79  finger [[trojan] Firehotcker]
          tcp     87  priv-term-l [any private terminal link  ttylink]
          tcp    111  sunrpc [portmapper  rpcbind]
          udp    111  sunrpc [portmapper  rpcbind]
          tcp    135  loc-srv [NCS Location Service], to ...
          ...    139  SMBRelay
          udp    135  loc-srv [NCS Location Service], to ...
          ...      ?  netbios-ss
          tcp    412  synoptics-trap [Trap Convention Port]
          tcp    445  microsoft-ds [Win2k+ Server Message Block]
          tcp    512  exec [BSD rexecd(8)]
          udp    512  comsat
          tcp    513  login [[trojan] Grlogin]
          udp    513  who [BSD rwhod(8)]
          udp    514  syslog
          tcp    515  Ramen [[trojan] Ramen]
          tcp    540  uucp [uucpd]
          tcp    707  borland-dsj [Borland DSJ]
          tcp   1034  activesync [ActiveSync Notifications]
          udp   1214  Grokster [Grokster file sharing app]
          tcp   1214  Grokster [Grokster file sharing app]
          udp   1900  ssdp
          udp   1978  unisql
          udp   2002  slapper [[trojan] Peer-to-peer UDP DDoS (PUD) (used by OpenSSL/Apache "Slapper" worm)]
          udp   2049  shilp
          tcp   2049  shilp
          tcp   2535  madcap
          tcp   2556  nicetec-nmsvc
          tcp   2745  urbisnet
          tcp   3127  ctx-bridge [CTX Bridge Port]
          tcp   3531  joltid
          udp   4156  stat-results [STAT Results]
          tcp   4444  SwiftRemote [[trojan] Swift Remote]
          tcp   4661  eDonkey2000 [eDonkey2000 Server Default Port], to ...
          ...   4665  contclientms
          udp   4661  kar2ouche [Kar2ouche Peer location service], to ...
          ...   4665  eDonkey2000
          tcp   4751  spocp [Simple Policy Control Protocol]
          tcp   5000  upnp [Universal Plug and Play]
          tcp   5554  sgi-esphttp [SGI ESP HTTP]
          tcp   5634  -
          tcp   6129  -
          tcp   6346  gnutella [gnutella (bearshare, limewire, etc.)], to ...
          ...   6349  ?
          udp   6346  gnutella [gnutella (bearshare, limewire, etc.)], to ...
          ...   6349  ?
          tcp   6355  pmcs [PMCS applications]
          tcp   6699  WinMX [WinMX file sharing app]
          tcp   6777  -
          tcp   6881  -, to ...
          ...   6889  ?
          tcp   8866  -
          tcp   9996  palace-5
          tcp  12345  X-bill [[trojan] X-bill]
          tcp  12346  X-bill [[trojan] X-bill]
          udp  22321  -
          tcp  36794  -
          udp  41170  -
0
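The report above is a fixed-width text dump of router access-lists, and the awkward part of using it is the "to ..." rows, whose upper port bound sits on the following "..." row. As an added example (not code from this thread, and not the campus's own tooling), here is a small Python parser for that layout: it folds continuation rows into port ranges, answers "is this flow denied in this direction?" queries, and renders each rule as a Cisco-style extended ACL entry. The sample report embedded in it is constructed from a few rows of the list above, the ACL syntax in `to_acl` is an assumption, and the "unless initiated by" condition on the first deny list is not modelled.

```python
"""Parser for the edge-router "deny" report quoted in the accepted answer.

Added example for this thread, not the campus's own tooling. It turns the
report's rows (IP protocol, port, name [description]) into rule objects,
folds the "to ..." / "..." continuation rows into port ranges, answers
"is this flow denied?" queries, and renders Cisco-style extended ACL lines
(the report says it was generated from such access-lists; the exact ACL
syntax used here is an assumption).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of rows copied in the report's layout.
SAMPLE_REPORT = """\
deny FROM any OurNet computer TO anywhere ...

  IP protocol   port  SANS or IANA name [description]
  -----------  -----  -----------------------------------------
          udp    161  snmp
          udp    520  route [router routed -- RIP]


deny FROM any external computer TO campus ...

  IP protocol   port  SANS or IANA name [description]
  -----------  -----  -----------------------------------------
         icmp      -  echo
           53      -  -
          tcp    135  loc-srv [NCS Location Service], to ...
          ...    139  SMBRelay
          tcp   6346  gnutella [gnutella (bearshare, limewire, etc.)], to ...
          ...   6349  ?
          udp  41524  ArcServe [Arc Serve (looks for license violations)]
"""


@dataclass
class DenyRule:
    section: str            # e.g. "FROM any external computer TO campus"
    proto: str              # "tcp", "udp", "icmp", "any" or a numeric IP protocol
    port_lo: Optional[int]  # None when the row has no port ("-", "any")
    port_hi: Optional[int]
    name: str


SECTION_RE = re.compile(r"^deny\s+(.*?)\s*\.\.\.\s*$")
ROW_RE = re.compile(r"^\s+(\S+)\s+(\S+)\s+(.*?)\s*$")


def parse_report(text: str) -> List[DenyRule]:
    rules: List[DenyRule] = []
    section = None
    pending = None  # last rule whose "to ..." upper bound is still expected
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section, pending = m.group(1), None
            continue
        stripped = line.strip()
        if section is None or not stripped or stripped.startswith(("IP protocol", "---")):
            continue
        m = ROW_RE.match(line)
        if not m:
            continue
        proto, port, name = m.groups()
        if proto == "...":
            # Continuation row: its port is the upper bound of the previous rule.
            # A "?" upper bound is left unresolved (the rule stays single-port).
            if pending is not None and port.isdigit():
                pending.port_hi = int(port)
            pending = None
            continue
        lo = int(port) if port.isdigit() else None
        rule = DenyRule(section, proto, lo, lo, re.sub(r",?\s*to \.\.\.$", "", name))
        rules.append(rule)
        pending = rule if name.endswith("to ...") else None
    return rules


def is_denied(rules: List[DenyRule], section_keyword: str, proto: str,
              port: Optional[int] = None) -> bool:
    """True if a rule in a section containing section_keyword matches proto/port."""
    for r in rules:
        if section_keyword not in r.section or r.proto not in (proto, "any"):
            continue
        if r.port_lo is None:          # port-less rule: whole protocol denied
            return True
        if port is not None and r.port_lo <= port <= r.port_hi:
            return True
    return False


def to_acl(rule: DenyRule) -> str:
    """Render one rule as a Cisco-IOS-style extended ACL entry (assumed syntax)."""
    if rule.port_lo is None:
        # icmp rows carry the ICMP type (echo, redirect, ...) in the name column
        icmp_type = f" {rule.name}" if rule.proto == "icmp" and rule.name != "-" else ""
        return f"deny {rule.proto} any any{icmp_type}"
    if rule.port_hi != rule.port_lo:
        return f"deny {rule.proto} any any range {rule.port_lo} {rule.port_hi}"
    return f"deny {rule.proto} any any eq {rule.port_lo}"


if __name__ == "__main__":
    for r in parse_report(SAMPLE_REPORT):
        print(f"{r.section:45} {to_acl(r)}")
```

Pasting the full report from the answer into `SAMPLE_REPORT` gives the complete rule set; the two things to check afterwards are the rows whose range end is "?" (they stay single-port, so the real router ACL is wider than what this reproduces) and the rows whose protocol column is a bare number (53, 55, 77), which are whole IP protocols rather than ports and are rendered without a port clause.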
 
LVL 7

Expert Comment

by:baconyi
Another way is the Barracuda Web Filter. It's an external hardware firewall-like device and can perform many tasks like blocking web sites, messaging programs and many others. This is good if you don't want to mess with group policies or tie down the server with more things it has to run.

Check out the second item on their product list.
http://www.barracudanetworks.com/ns/products

Billy
0

 
LVL 22

Expert Comment

by:Adam Leinss
It would be nice to see the script and what it does. It's pretty impossible to lock someone down with administrator rights... you need to get them back to regular users somehow and restrict them so they just have Read access to C:\program files\ and C:\windows.
0
 

Author Comment

by:dlloyd37
Thanks for your help so far with this. I have and am trying a product called NetSupport Protect, which has been installed on half the machines for me to try out.
The other suggestions are very good. The problem I seem to have with group policy is that it seems to work for most things, while others seem not to. An example is the banning of MSN, as it still runs.

Will update in another week because I don't think this is the end as yet.

David
0
 
LVL 7

Expert Comment

by:baconyi
One advantage of Barracuda (or similar) is that no software needs to be installed at the client; it's all administered at the console.
Billy
0
