#1 techyphil

    How to you lock down foreign laptops?

    We have several students that bring in their own personal laptops. They are granted access to the wireless access points across the school. However, this is effectively like plugging directly into our main network (which is flat). They can browse UNC paths and all that.

    Files, printers etc. are locked down with NTFS permissions but that doesn't mean they can't see or even steal a staff password to try to get access.

    Once they have just 1 password with more access rights than standard students then they may screw stuff up.

    I have also tested and can confirm, a student can browse a share and use previous versions tab to restore an entire drive back months.

    So... I've discussed the security issues regarding students bringing in unrestricted laptops and that I'm not supportive of the idea. The general feeling is - they are mature students that will lose the right to bring in a laptop should they abuse it.

    Soo... we have dual channel radio points that I can enable so students could access a Students SID. However, how would I go about blocking everything other than port 80 etc.

    We also use 1 local admin password for all workstations. If one student got hold of this information, they could effectively browse every staff laptop's system and data drive! Well you all know that's at risk.

    I want to put something in place asap and as cheaply as possible.

#2

    If your APs will support it, you could have a student SSID which connects to a separate vlan and use routing acls to only allow access to 'student' resources.

#3 powdarrmonkey

    Quote Originally Posted by techyphil:
    I have also tested and can confirm, a student can browse a share and use previous versions tab to restore an entire drive back months.
    If that's the case then I'm afraid you have a bigger problem. Students should only be able to restore their own files from shadow copies, otherwise - as you say - they can take the whole drive back as far as they want.

    Quote Originally Posted by techyphil:
    So... I've discussed the security issues regarding students bringing in unrestricted laptops and that I'm not supportive of the idea. The general feeling is - they are mature students that will lose the right to bring in a laptop should they abuse it.
    Even if they lose the right to use them after the event, that doesn't undo the damage they've already done. First security principle: nobody is trustworthy beyond what you can verify about them independently.

    Quote Originally Posted by techyphil:
    Soo... we have dual channel radio points that I can enable so students could access a Students SID. However, how would I go about blocking everything other than port 80 etc.
    That's the way to do it - but you also need to set up VLANs on your infrastructure, assign the students' SID to that VLAN (so their traffic is kept separate) and then firewall them off so they can only do what you want them to do - get to the web through your filter, for example. This all depends on your network hardware.
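    An added example, not from any poster in the thread: a small model of the "student VLAN plus firewall" design described above, evaluating sample connection attempts first against the flat network the original post describes and then against a default-deny ACL that only opens DNS and web access via the filtering proxy. The subnets, server addresses and rule names are constructed assumptions, not the poster's real network.

```python
"""Model of a student-VLAN boundary ACL (added example; constructed addressing)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One connection attempt crossing the VLAN boundary."""
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                  # CIDR
    dst: str                  # CIDR
    proto: Optional[str]      # None matches any protocol
    dport: Optional[int]      # None matches any destination port
    action: str               # "allow" or "deny"

    def matches(self, flow: Flow) -> bool:
        return (ip_address(flow.src) in ip_network(self.src)
                and ip_address(flow.dst) in ip_network(self.dst)
                and self.proto in (None, flow.proto)
                and self.dport in (None, flow.dport))


def evaluate(flow: Flow, rules: List[Rule]) -> Tuple[str, str]:
    """First-match evaluation with an implicit default deny, as on a router ACL.

    Returns (action, name of the rule that decided it)."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.name
    return "deny", "implicit-deny"


# Constructed addressing - assumptions for the example, not the school's network.
STUDENT_VLAN = "10.20.0.0/24"   # where the student SSID lands
STAFF_LAN = "10.10.0.0/24"      # servers and staff laptops
WEB_FILTER = "10.10.0.5/32"     # filtering proxy students must go through
DNS_SERVER = "10.10.0.2/32"

# "Before": the flat network from the first post - no boundary at all.
FLAT_NETWORK = [
    Rule("permit-any", "0.0.0.0/0", "0.0.0.0/0", None, None, "allow"),
]

# "After": the student VLAN gets name resolution and web via the filter only;
# everything else, including direct web that bypasses the filter, hits the default deny.
STUDENT_VLAN_ACL = [
    Rule("dns", STUDENT_VLAN, DNS_SERVER, "udp", 53, "allow"),
    Rule("web-via-filter", STUDENT_VLAN, WEB_FILTER, "tcp", 80, "allow"),
    Rule("no-staff-lan", STUDENT_VLAN, STAFF_LAN, None, None, "deny"),
]

# Constructed probes: one student laptop attempting each kind of access the thread worries about.
STUDENT = "10.20.0.42"
PROBES: Dict[str, Flow] = {
    "web through filter": Flow(STUDENT, "10.10.0.5", "tcp", 80),
    "dns lookup": Flow(STUDENT, "10.10.0.2", "udp", 53),
    "smb to file server": Flow(STUDENT, "10.10.0.20", "tcp", 445),
    "rdp to staff laptop": Flow(STUDENT, "10.10.0.77", "tcp", 3389),
    "direct web bypassing filter": Flow(STUDENT, "203.0.113.10", "tcp", 80),
}


def audit(rules: List[Rule]) -> Dict[str, str]:
    """Decision for every probe under a given rule set."""
    return {label: evaluate(flow, rules)[0] for label, flow in PROBES.items()}


if __name__ == "__main__":
    for title, rules in (("flat network", FLAT_NETWORK), ("student VLAN ACL", STUDENT_VLAN_ACL)):
        print(f"== {title} ==")
        for label, decision in audit(rules).items():
            print(f"  {label:<30} {decision}")
```

    Rule order matters: the explicit "no-staff-lan" deny sits after the two allows it punches holes in, and the implicit deny at the end is what stops a laptop talking straight to the internet on port 80 without the filter.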

#4 jamesb

    Quote Originally Posted by techyphil:
    Files, printers etc. are locked down with NTFS permissions but that doesn't mean they can't see or even steal a staff password to try to get access.

    Once they have just 1 password with more access rights than standard students then they may screw stuff up.
    If your staff have passwords which are that easy to guess or steal, people bringing in unauthorised laptops is the least of your worries.

    Quote Originally Posted by techyphil:
    I have also tested and can confirm, a student can browse a share and use previous versions tab to restore an entire drive back months.
    These users aren't members of your domain. Why are they able to access shares? Is there a particular reason that they can access these?

    If so, do they just need read access? Take away any and all privileges that they do not absolutely need.

    Quote Originally Posted by techyphil:
    Soo... we have dual channel radio points that I can enable so students could access a Students SID. However, how would I go about blocking everything other than port 80 etc.
    As many have said, this'd be your best option. What access do these people actually need to your network?

    Quote Originally Posted by techyphil:
    We also use 1 local admin password for all workstations. If one student got hold of this information, they could effectively browse every staff laptop's system and data drive! Well you all know that's at risk.
    Do you use the local admin account regularly? If not I'd say disable it using the GPO setting at Computer Policy | Windows Settings | Security Settings | Local policies | Security Options | Accounts | Administrator account status. Renaming it couldn't hurt either.

#5 powdarrmonkey

    Quote Originally Posted by jamesb:
    These users aren't members of your domain. Why are they able to access shares? Is there a particular reason that they can access these?
    Because on browsing to the share, they will be prompted for credentials. Students with an account on the domain will just be able to use their normal login details here, and use the share in whatever way it is set up - normal NTFS permissions etc will still apply.

    Quote Originally Posted by jamesb:
    Do you use the local admin account regularly? If not I'd say disable it using the GPO setting at Computer Policy | Windows Settings | Security Settings | Local policies | Security Options | Accounts | Administrator account status. Renaming it couldn't hurt either.
    I wouldn't, the point of the local administrator account is that it doesn't depend on network connectivity, functioning machine account, etc. If you break your domain membership, this is the only way to fix it.

    I would set a strong password on it though, as you should be for any other sensitive account.

#6 enjay

    Our Sixth Formers connect to an AP in their Common Room (with MAC controls to prevent unauthorised access) on a separate VLAN; the router also has all the unnecessary ports locked down. We have given them instructions on how to configure the proxy server and how to add their networked printer; they then use the RAS (EasyLink in our case) to get at any files.

    I wouldn't in a million years allow uncontrolled laptops to connect to the main network and get standard IP numbers. The risk of hacking programs, viruses, packet sniffers, etc is too great.

#7 GrumbleDook

    As mentioned by others ... separate VLAN for students, use a WLAN controller to control what they can access (port 80 to a specific set of servers) and then run TS on these servers. The TS boxes are locked down, they can access what resources they need and have filtered internet access.

#8 techyphil

    Ah thanks guys, really good advice.

    @ powdarrmonkey - yup they use their own credentials to access shares.

    Yes I agree with you guys, I want to restrict everything and section them off from the rest of the school.

    They could use the VLE to access their work files should they need to.

    Thanks again
