  1. #1

    Join Date
    Sep 2009
    Posts
    4

    How to tighten up security?

    Hi,

    I have inherited an older system that has not been maintained for a number of years, and appears to have been hacked around a bit.

    Three servers running Win 2k3
    1=AD plus Exchange plus plus plus plus bits
    2=AD plus SMS
    3=Terminal Server

    There are around 75 plus workstations ranging from laptops to desktops and a mixture of student and teacher configurations

    The login script is using something called KiXtart and is full of errors and registry hacks.

    There is very little in the way of GPO settings.

    The AD is poorly organised and not making efficient use of OUG's

    Where do I start?

    I am no expert, just well informed, so I would need a lot of assistance.

    The first thing I want to be able to do is stop students from launching any applications/scripts/batch files from anywhere except the authorised locations such as the C drive etc. How do I do that?

    Second, I want to re-rationalise policies/profiles and login scripts.

    At the moment each logon creates a profile on the machine which slowly fills the local machine's hard drive and kills it. Would Mandatory Profiles stop this or not?

    I want to be able to first lock the system down for students and also for some staff who are useless at security, to protect the system from hackers and wasteful malicious pranks.

    Also would like to expand in the future to add student laptops with a variety of OSes and capabilities.

    Also would like to know how subnetting could work, as we are only using one domain, and whether that could have subnets, as we are running out of IP addresses!

    I appreciate your help in advance

    Jim
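Jim's first requirement (pupils may only launch programs from authorised locations) is what Software Restriction Policies, the Group Policy feature available on XP and Server 2003, were built for. The script below is an added example and was not posted in the thread: it reads the SRP settings that Group Policy leaves in a workstation's registry and decides, with a simplified version of SRP's rule precedence, whether a given program would be allowed to run. Assumptions, labelled in the code: only path rules are evaluated (hash, certificate and zone rules are ignored), a trailing wildcard is treated as a plain folder prefix, registry-path rules such as %HKEY_LOCAL_MACHINE\...\SystemRoot% are not expanded, the $Hardened policy is constructed here to show the target state rather than read from any real machine, and all function names are mine.

```powershell
# Added example: audit the Software Restriction Policy applied to this workstation
# and test which programs it lets a pupil launch.  Assumption: XP/2003 SRP path
# rules only; hash, certificate and zone rules are ignored (not the full SRP logic).

$SaferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP security levels: the DefaultLevel value and the per-level subkey names
$LevelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function New-PathRule([int]$Level, [string]$Path, [string]$Description) {
    New-Object PSObject -Property @{ Level = $Level; Path = $Path; Description = $Description }
}

function Get-SaferPolicy {
    # Reads what Group Policy wrote under the Safer key.  $null means no SRP at all,
    # i.e. pupils can run anything from anywhere (the state Jim describes).
    if (-not (Test-Path $SaferKey)) { return $null }
    $root  = Get-ItemProperty -Path $SaferKey
    $rules = @()
    foreach ($level in $LevelNames.Keys) {
        $pathsKey = "$SaferKey\$level\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($ruleKey in Get-ChildItem -Path $pathsKey) {
            $item = Get-ItemProperty -Path $ruleKey.PSPath
            $rules += New-PathRule $level $item.ItemData $item.Description
        }
    }
    return @{
        DefaultLevel       = $root.DefaultLevel        # 262144 = anything runs: the weak setting
        PolicyScope        = $root.PolicyScope         # 0 = all users, 1 = all except local admins
        TransparentEnabled = $root.TransparentEnabled  # 1 = all files except DLLs, 2 = all files
        Rules              = $rules
    }
}

function Test-SaferLaunch([string]$Program, $Policy) {
    # Simplified SRP precedence for path rules: the most specific (longest)
    # matching rule wins; if nothing matches, DefaultLevel applies.
    $target  = [Environment]::ExpandEnvironmentVariables($Program).ToLower()
    $best    = $null
    $bestLen = -1
    foreach ($rule in $Policy.Rules) {
        $prefix = [Environment]::ExpandEnvironmentVariables($rule.Path).ToLower()
        $prefix = $prefix.TrimEnd('*').TrimEnd('\')   # 'C:\Program Files\*' -> 'c:\program files'
        $match  = ($target -eq $prefix) -or $target.StartsWith($prefix + '\')
        if ($match -and $prefix.Length -gt $bestLen) { $best = $rule; $bestLen = $prefix.Length }
    }
    if ($best -ne $null) { $level = $best.Level;          $why = $best.Path }
    else                 { $level = $Policy.DefaultLevel; $why = '(default level)' }
    New-Object PSObject -Property @{
        Program = $Program
        Allowed = ($level -eq 262144)
        Level   = $LevelNames[[int]$level]
        Rule    = $why
    }
}

# Constructed target state for the pupil GPO (assumption, not read from a machine):
# everything is Disallowed except Windows and Program Files, and the user-writable
# folders under %SystemRoot% are closed again, because an Unrestricted rule for the
# whole of Windows would otherwise let a pupil run anything dropped into them.
$Hardened = @{
    DefaultLevel = 0; PolicyScope = 1; TransparentEnabled = 1
    Rules = @(
        (New-PathRule 262144 '%SystemRoot%'        'Windows'),
        (New-PathRule 262144 '%ProgramFiles%'      'Installed applications'),
        (New-PathRule 0      '%SystemRoot%\Temp'   'user-writable: keep Disallowed'),
        (New-PathRule 0      '%SystemRoot%\Tasks'  'user-writable: keep Disallowed')
    )
}

$demo = @()
foreach ($p in "$env:SystemRoot\system32\notepad.exe",
               "$env:ProgramFiles\Microsoft Office\OFFICE11\WINWORD.EXE",
               "$env:SystemRoot\Temp\dropper.exe",
               'H:\games\quake.bat',
               '\\server\pupils\jim\hack.vbs') {
    $demo += Test-SaferLaunch -Program $p -Policy $Hardened
}
$demo | Format-Table Program, Allowed, Level, Rule -AutoSize

# Now the live machine: is the policy actually arriving from Group Policy?
$live = Get-SaferPolicy
if ($live -eq $null) {
    Write-Warning 'No Software Restriction Policy is applied to this machine.'
} elseif ($live.DefaultLevel -eq 262144) {
    Write-Warning 'SRP exists but DefaultLevel is Unrestricted: only explicit Disallowed rules bite.'
} else {
    "Default level: $($LevelNames[[int]$live.DefaultLevel]); $($live.Rules.Count) path rule(s) applied"
}
```

Run it as an administrator on a pupil workstation after gpupdate. The policy itself is built in the pupil-workstation GPO under Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies, with the default level set to Disallowed and Unrestricted path rules only for the folders pupils cannot write to; the two Temp and Tasks rules in the example are the usual first pair of exceptions to the exception, and any other user-writable folder under %SystemRoot% or %ProgramFiles% on your image needs the same treatment.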

  2. #2

    Join Date
    Jun 2007
    Location
    Rochdale
    Posts
    233
    From the sounds of it the system could do with a rebuild from the ground up, though this probably isn't practical.

    What I would look at is

    1. Separate server for Exchange
    Either buy/build a new server and move Exchange over to it, or use a new server as a Domain Controller and dcpromo the Exchange box down to a member server (Disclaimer: I am not an Exchange expert so I don't know how feasible this is, or what problems may occur)

    2. Ultimately a separate server running SMS and all the other bits, so your Domain Controllers are just doing AD, DNS and DHCP.

    3. Move to Mandatory Profiles for pupils; these can be used to give quicker logins and to control exactly what icons etc. the pupils get. Combine with a shutdown script for the PC running DELPROF (MS utility) which will clean up profiles that haven't been used recently (I think the default is 2 weeks)

    4. Group Policy / AD
    Have a good look at what policies are set, and how they are applied to OUs. Here we have policies for the whole site (things like proxy server, IE branding etc.), Pupils (locked down everything), Staff (less restrictive), Pupil workstations and Staff workstations. Getting the Group Policies right will save you a lot of trouble down the line - it's probably best to build new policies then remove the old ones, rather than just add on and change existing.

    5. Regarding laptops with a variety of OSes - is there any way you can rationalise these? It's a lot simpler from your point of view if you only have a few configurations to manage, than having lots of different combinations. Ultimately the hardware isn't as important in this as the software on it.

    6. Finally re subnetting, I think you're best making a separate post on this in the network forum, with more details of your current setup. E.g. if you get your Internet connection via an ADSL router, and don't connect to any other schools, there is nothing stopping you changing to a different subnet, or expanding your existing one (i.e. you could change to 10.0.0.0/255.0.0.0 and have 16.7 million addresses), but if you are connected to other schools etc. this wouldn't be possible. In summary - need more info.

    I hope my ramblings are of some use to you, if you need any more info on a specific point let me know
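Point 3 above (mandatory profiles plus a DELPROF shutdown script) and Jim's question about profiles filling the disk share one check: which local profiles would be cleaned up, and whether the machine is even set to drop cached copies. The script below is an added example, not something from the thread or from Microsoft: it previews what DELPROF /D:14 would remove from a workstation, reports the policy that decides whether roaming or mandatory profiles leave a local copy behind, and shows the one file rename that turns a roaming profile on the server share into a mandatory one. Assumptions, labelled in the code: XP/2003 profile layout, DELPROF.EXE from the Windows Server 2003 Resource Kit Tools on the path, and "last used" approximated by the last write time of NTUSER.DAT, which is a simplification of what DELPROF does; function names are mine.

```powershell
# Added example: preview what a shutdown script running DELPROF /D:14 would remove
# from this workstation, and check the policy that decides whether profiles keep
# piling up.  Assumptions: XP/2003 profile layout, DELPROF.EXE from the Windows
# Server 2003 Resource Kit Tools on the path, and "last used" approximated by the
# last write time of the user's NTUSER.DAT (a simplification of what DELPROF does).

$ProfileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$MaxAgeDays  = 14   # the two-week threshold Chris mentions

function Get-StaleProfiles([int]$Days) {
    $cutoff = (Get-Date).AddDays(-$Days)
    $stale  = @()
    foreach ($key in Get-ChildItem -Path $ProfileList) {
        $sid = $key.PSChildName
        # LocalSystem, LocalService and NetworkService profiles are never candidates
        if ($sid -match '^S-1-5-(18|19|20)$') { continue }
        $raw = (Get-ItemProperty -Path $key.PSPath).ProfileImagePath
        if (-not $raw) { continue }
        $path = [Environment]::ExpandEnvironmentVariables($raw)
        $hive = Join-Path $path 'NTUSER.DAT'
        # .NET file calls see hidden files; Get-Item would need -Force
        if (-not [System.IO.File]::Exists($hive)) { continue }
        $lastUse = [System.IO.File]::GetLastWriteTime($hive)
        if ($lastUse -lt $cutoff) {
            $stale += New-Object PSObject -Property @{ SID = $sid; Path = $path; LastUse = $lastUse }
        }
    }
    return $stale
}

function Get-RoamingCachePolicy {
    # "Delete cached copies of roaming profiles" (Computer Configuration >
    # Administrative Templates > System > User Profiles) lands in the registry as
    # DeleteRoamingCache = 1.  Without it, every roaming or mandatory profile still
    # leaves a local copy behind, so mandatory profiles alone do not stop the disk filling.
    $sys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    if (Test-Path $sys) {
        $v = (Get-ItemProperty -Path $sys).DeleteRoamingCache
        if ($v -ne $null) { return [int]$v }
    }
    return 0
}

function ConvertTo-MandatoryProfile([string]$ProfileFolder) {
    # A roaming profile becomes mandatory by renaming its hive on the server share.
    # Run once, against the share (e.g. \\server\profiles\pupil.man), not on workstations.
    $dat = Join-Path $ProfileFolder 'NTUSER.DAT'
    $man = Join-Path $ProfileFolder 'NTUSER.MAN'
    if ([System.IO.File]::Exists($man)) { return 'already mandatory' }
    [System.IO.File]::Move($dat, $man)
    return 'converted'
}

# Preview only.  The shutdown script itself (Computer Configuration > Windows
# Settings > Scripts > Shutdown) is the single line:   delprof.exe /q /i /d:14
$stale = @(Get-StaleProfiles -Days $MaxAgeDays)   # @() keeps an empty result an array
"$($stale.Count) profile(s) unused for more than $MaxAgeDays days:"
$stale | Format-Table SID, LastUse, Path -AutoSize

if ((Get-RoamingCachePolicy) -ne 1) {
    Write-Warning 'DeleteRoamingCache is not set: cached copies of profiles will still accumulate.'
}

$DoDelete = $false   # set to $true to run DELPROF from here instead of from the shutdown script
if ($DoDelete) { & delprof.exe /q /i "/d:$MaxAgeDays" }
```

DELPROF's /Q suppresses the confirmation prompt and /I carries on past profiles it cannot delete (for example one that is still loaded); run the preview first on a machine that is known to be full, and compare the list with what DELPROF /P (prompt mode) offers to remove before trusting the quiet version from a shutdown script.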

  3. #3

    tmcd35
    Join Date
    Jul 2005
    Location
    Norfolk
    Posts
    5,878
    Here's what I did here, from a similar starting point (I was replacing Winsuite with GPO's).

    Firstly build a new OU tree. Don't delete any existing OU's. I created a new OU called 'Summer09change' and designed my new OU structure in there.

    Once you have the OU structure you can start working out your GPOs: what policies you want to apply to which OUs. This is a laborious task and the only way to do it is to read through the GPO options one at a time and decide if that setting applies at that level of the OU.

    Then you'll need a couple of test machines and test users you can place in your new OU structure and check the GPOs behave how you expect. Once you've tested the new structure and GPOs you can migrate your existing users and machines into the new structure.

    To be on the safe side we re-imaged all our machines before adding them to the new structure and deleted all our users' existing profiles.

    Once everything is moved across you can delete the old empty OUs and old unused GPOs and move your shiny new OU tree out of the 'Summer09change' (or whatever you call it) OU.

    Problem is the job takes a lot of planning and testing. Took me 6 months before I was ready to move everything into the new OU structure. And even now I'm still tweaking the old GPOs.
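The procedure tmcd35 describes (build the new OU tree inside a holding OU without touching the existing one, put test accounts in it, check the GPOs on test machines, then migrate) is easy to script on a 2003 domain with plain ADSI, which also gives you a dry run to read before anything moves. The script below is an added example, not tmcd35's own code: the OU names under the holding OU, the test account DNs and the $DryRun switch are placeholders and assumptions of mine; it assumes PowerShell on a domain controller or a machine with the admin tools, run as a domain admin, and it deliberately does nothing to existing OUs.

```powershell
# Added example of tmcd35's procedure: build the new OU tree inside a staging OU
# without touching the existing one, move a few test accounts into it, and only
# then migrate for real.  Assumptions: Windows 2003 domain (ADSI, no AD cmdlets),
# run as a domain admin; OU names and test account DNs are placeholders.

$DryRun    = $true               # $false once the "would ..." output looks right
$StagingOu = 'Summer09change'    # tmcd35's name for the holding OU

# Domain DN, e.g. DC=school,DC=local; [string] unwraps the ADSI property collection
$domainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext

# The tree to create; leaves are empty hashtables.  Keep it as deep as your GPOs
# need and no deeper: every level is another place a policy can be linked.
$Tree = @{
    'Users'     = @{ 'Pupils' = @{}; 'Staff' = @{}; 'Test Users' = @{} }
    'Computers' = @{ 'Pupil Workstations' = @{}; 'Staff Workstations' = @{}
                     'Servers' = @{}; 'Test Machines' = @{} }
}

function New-Ou([string]$Name, [string]$ParentDn) {
    # Idempotent: returns the DN whether the OU already existed or was just created.
    # Names containing commas would need LDAP escaping; none of the placeholders do.
    $dn = "OU=$Name,$ParentDn"
    if ([ADSI]::Exists("LDAP://$dn")) { return $dn }
    if ($DryRun) { Write-Host "would create $dn"; return $dn }
    $parent = [ADSI]"LDAP://$ParentDn"
    $ou = $parent.Create('organizationalUnit', "OU=$Name")
    $ou.SetInfo()
    return $dn
}

function Build-OuTree($Node, [string]$ParentDn) {
    foreach ($name in $Node.Keys) {
        $dn = New-Ou -Name $name -ParentDn $ParentDn
        Build-OuTree -Node $Node[$name] -ParentDn $dn
    }
}

function Move-ToOu([string]$ObjectDn, [string]$TargetOuDn) {
    # Moving an object changes which GPOs apply to it; that is the whole point of
    # the test accounts: put them in, run gpresult on a test PC, compare.
    if ($DryRun) { Write-Host "would move $ObjectDn -> $TargetOuDn"; return }
    $obj = [ADSI]"LDAP://$ObjectDn"
    $obj.psbase.MoveTo([ADSI]"LDAP://$TargetOuDn")
}

# 1. Staging OU and the new tree inside it; the old OUs are left exactly as they are.
$stagingDn = New-Ou -Name $StagingOu -ParentDn $domainDn
Build-OuTree -Node $Tree -ParentDn $stagingDn

# 2. Test accounts first (placeholder DNs).  Everyone else stays where they are
#    until the GPOs linked to the new OUs behave on the test machines.
Move-ToOu "CN=Test Pupil,CN=Users,$domainDn"   "OU=Test Users,OU=Users,OU=$StagingOu,$domainDn"
Move-ToOu "CN=TESTPC01,CN=Computers,$domainDn" "OU=Test Machines,OU=Computers,OU=$StagingOu,$domainDn"

# 3. On TESTPC01, logged on as Test Pupil, check what actually applied:
#       gpresult /scope user /v
#    then move real pupils and workstations with Move-ToOu once that is right.
```

Leave $DryRun at $true for the first run and read the "would create" and "would move" lines against the tree you drew on paper; the second run with $DryRun set to $false creates OUs and moves only the two test objects. Linking the GPOs to the new OUs is still done in GPMC, and nothing here deletes the old OUs, which tmcd35 does only at the end once they are empty.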

  4. #4

    Join Date
    Sep 2009
    Posts
    4
    Quote Originally Posted by Chris_Jones
    From the sounds of it the system could do with a rebuild from the ground up, though this probably isn't practical.

    4. Group Policy / AD
    Have a good look at what policies are set, and how they are applied to OUs. Here we have policies for the whole site (things like proxy server, IE branding etc.), Pupils (locked down everything), Staff (less restrictive), Pupil workstations and Staff workstations. Getting the Group Policies right will save you a lot of trouble down the line - it's probably best to build new policies then remove the old ones, rather than just add on and change existing.
    How do I lock down everything for the students? Is there a guide somewhere?
    This is the most urgent and important aspect and I will need guidance...

    Cheers

    Jim

  5. #5

    Edu-IT
    Join Date
    Nov 2007
    Posts
    7,259
    You'll probably want to read up on group policies.
