  1. #1
    eean's Avatar
    Join Date
    May 2006
    Location
    Kuala Lumpur
    Posts
    559
    Thank Post
    65
    Thanked 52 Times in 37 Posts
    Rep Power
    29

    Admin & Curric networks -a different spin on the old problem

    I know this one has come up before but I have a slightly different spin on the age old problem:
    Primary School
    Current setup:
    Admin Network - Server 2003. Set up with DIRE security (by a 3rd party company who STILL haven't managed to get the backup working).
    Curric network - Server 2000. Set up by me (so is utterly brilliant).
    Me:
    I'm just the ICT coordinator so none of this is really my business but it's so cr*p I feel that I ought to do something!

    They are not directly joined at all, they share the same router for the Internet but have different subnets.

    Aim: I would like some connection between the 2 networks. In the future I'd like to put in email or something in. I'd like the head to access planning etc.. on the curric network. It would also be handy for curric network to be able to print to admin machines via the wireless network.

    Extra spin: I'm joining staff laptops to the curric network with files stored on the server and made available offline via synchronisation. Hopefully, I can set up a VPN for this to be done over from home. Problem is that some staff keep sensitive files (eg staff performance management) on their laptops or pen drives(!) and they are rubbish at locking computers and having good passwords. That ain't going to change and it isn't practical to ask them - PCs drive the whiteboards and staff will inevitably leave them logged on all day.

    So, hows about:
    1. Join the networks. What's the best way? Just put them all on the same IP range? (I would quite like to keep them separate, mainly so the curric network doesn't get 'blamed' for causing problems on the admin network.) How does this work with handing out DHCP addresses? Or something better/more secure.
    then
    2. Give staff a username on the admin network (with complex password requirement). Can I then make it so they connect to the admin server from the curric network but are prompted for their admin password on the (rare) occasions they want to access admin files? Can they also keep the admin files offline on their laptops? How will that work when you sync back up - will it prompt for the password?
    Can I make it so that the admin password CAN'T be saved by ticking the box?
    I would quite like to enable encryption for the admin files. If I log onto the curric network then map a drive to the admin (using an admin password) will Windows be able to decrypt the files? i.e. will it use the share password for the key or the Windows password? (If it is the latter, can it be made that the admin and curric usernames can both decrypt the files?).

    Or, just KISS and use some sort of 3rd party folder protection for sensitive files - recommendations?

    I know there's a lot of issues here. Thanks for reading!

  2. #2

    Join Date
    May 2007
    Posts
    84
    Thank Post
    0
    Thanked 3 Times in 2 Posts
    Rep Power
    15

    Re: Admin & Curric networks -a different spin on the old problem

    I'm not even an ICT co-ordinator, but from what I understand of our place, the two networks are now one. Curriculum PCs use DHCP and admin PCs, including laptops, have a fixed IP on a separate subnet (I think). The sensitive stuff is on a separate logical drive and permissions are set as appropriate, so that only those PCs within the fixed IP range have access to the sensitive stuff. This means staff have to use a laptop or PC in the staff rooms to access admin data. Staff have one login and can access everything from the staff PCs. Don't ask too many techy questions in reply, but I'll try to find out. Hope this makes sense.

  3. #3

    Join Date
    Sep 2006
    Location
    Essex
    Posts
    777
    Thank Post
    1
    Thanked 31 Times in 29 Posts
    Rep Power
    23

    Re: Admin & Curric networks -a different spin on the old problem

    Have a look at Domain Trust Relationships

    http://technet2.microsoft.com/window....mspx?mfr=true

  4. #4
    eean's Avatar
    Join Date
    May 2006
    Location
    Kuala Lumpur
    Posts
    559
    Thank Post
    65
    Thanked 52 Times in 37 Posts
    Rep Power
    29

    Re: Admin & Curric networks -a different spin on the old problem

    Thanks for your replies so far.
    so that only those pcs within the fixed IP range have access to the sensitive stuff.
    I think we'd need it accessible everywhere but via an extra password on top of the normal Windows password.
    Anyone else got some ideas on this one?

  5. #5
    monkeyx's Avatar
    Join Date
    Nov 2006
    Posts
    364
    Thank Post
    8
    Thanked 52 Times in 41 Posts
    Rep Power
    25

    Re: Admin & Curric networks -a different spin on the old pro

    I mentioned this in another post yesterday.

    In theory it would allow you to assign different password policies to user groups at a domain level.

    Not had a chance to test it, so can not verify how well it works.

  6. #6
    eean's Avatar
    Join Date
    May 2006
    Location
    Kuala Lumpur
    Posts
    559
    Thank Post
    65
    Thanked 52 Times in 37 Posts
    Rep Power
    29

    Re: Admin & Curric networks -a different spin on the old problem

    Thanks, but not really going to solve my problem. I'm not looking to have 2 domains so that I can enable complex passwords for some users.
    What I'm trying to do is add an extra layer of security above the teacher's standard logon. Windows won't let you connect to the same server with 2 different usernames, so it's going to have to be cross domain.

  7. #7
    nicholab's Avatar
    Join Date
    Nov 2006
    Location
    Birmingham
    Posts
    1,452
    Thank Post
    4
    Thanked 97 Times in 93 Posts
    Blog Entries
    1
    Rep Power
    50

    Re: Admin & Curric networks -a different spin on the old pro

    It's a good argument to tighten security on both networks. If you are using SIMS it requires you to log on again. Joining the network will improve security and patch management. How do you think it will interfere? You are just going to be turning your admin server into a member server. You can do static DHCP by assigning IP addresses based on MAC address. Have you tried a server in the no inheritance container in AD? We had a problem with our NAS box and you could not access files.

    If people have accounts on both networks you've got your work cut out.

  8. #8
    monkeyx's Avatar
    Join Date
    Nov 2006
    Posts
    364
    Thank Post
    8
    Thanked 52 Times in 41 Posts
    Rep Power
    25

    Re: Admin & Curric networks -a different spin on the old pro

    Article is about applying multiple passwords in a single domain?

    Found this on Google. Not sure if it works on Windows Server though.

  9. #9
    mark's Avatar
    Join Date
    Jun 2005
    Posts
    3,958
    Thank Post
    248
    Thanked 49 Times in 45 Posts
    Blog Entries
    2
    Rep Power
    46

    Re: Admin & Curric networks -a different spin on the old pro

    We have 2 domains staff & pupils, all interconnected. We have strong passwords set on the staff domain, relatively loose 5 character p/ws on the pupil domain. There's a one way trust between the domains, staff can see both, pupils can only see their own.

    Staff PCs are used by pupils by SMT decree. Logins and NTFS permissions determine access.

    Our weakest point is if a member of staff were to let a pupil use their login, or divulge their passwords, which does happen. This is a matter for SMT to sort.

  10. #10

    sparkeh's Avatar
    Join Date
    May 2007
    Posts
    6,717
    Thank Post
    1,267
    Thanked 1,639 Times in 1,096 Posts
    Blog Entries
    22
    Rep Power
    504

    Re: Admin & Curric networks -a different spin on the old problem

    First off let me put my hands up and say I’m dead against joining the admin and curriculum networks. Having some responsibility for Data Protection in my role makes me very cautious; if I have to pick up pupils' reports and performance management reports that are left lying around the printers who knows what teachers leave on their laptops for anyone to see! The penalties for breaking the Act can be severe. Currently all the schools I work at have a single physical network separated into admin and curriculum via VLAN. Access to the MIS is restricted to those who actually know what they are doing so we don’t end up with a school full of pupils named George.

    Quote Originally Posted by eean
    I'd like the head to access planning etc.. on the curric network
    To achieve this at one school we simply stuck another NIC in the Head’s desktop (one to admin and one to curriculum) so that she could access the files on both networks.

    Quote Originally Posted by eean
    In the future I'd like to put in email or something
    Could you clarify how this is affected by the network config? I assume you want to run an email server?

    Quote Originally Posted by eean
    Just put them all on the same IP range?
    Now I’m not sure on this as I don’t get involved in the admin network much but I believe that where I work, the admin stations need to be on IP addresses fixed by the LA so that your MIS works correctly (ie sending and receiving data to LA). Starting to alter admin machines could cause a lot of probs. Again I’m not sure but worth checking before you get going.

    I realise that one of the motivations behind the trend to join networks is so teachers can easily get at data from the MIS. The way I am approaching this is by waiting for the implementation of our VLE. Once this is up and running teachers will be able to get at the info for the children that they need, and not alter it!

    I know that this post hasn’t really helped you with your question on *how* to do it but may be of some use when thinking about *whether* to join the networks or not.

  11. #11

    Geoff's Avatar
    Join Date
    Jun 2005
    Location
    Fylde, Lancs, UK.
    Posts
    11,802
    Thank Post
    110
    Thanked 583 Times in 504 Posts
    Blog Entries
    1
    Rep Power
    224

    Re: Admin & Curric networks -a different spin on the old problem

    VLANs are not an effective security measure. If you wish to separate two networks, do it correctly with an air gap.

  12. #12

    sparkeh's Avatar
    Join Date
    May 2007
    Posts
    6,717
    Thank Post
    1,267
    Thanked 1,639 Times in 1,096 Posts
    Blog Entries
    22
    Rep Power
    504

    Re: Admin & Curric networks -a different spin on the old pro

    Quote Originally Posted by Geoff
    VLANs are not an effective security measure. If you wish to separate two networks, do it correctly with an air gap.
    Ah I didn't say it was, just that's how it's set up around here and probably a lot of other places - before I started working in my schools the LA told everyone to buy VLANs, so they did! Every school I've been in in this LA has one.

    Anyway given that I work in primary schools, I'm not too worried about the kids launching a VLAN Hopping attack.

  13. #13
    monkeyx's Avatar
    Join Date
    Nov 2006
    Posts
    364
    Thank Post
    8
    Thanked 52 Times in 41 Posts
    Rep Power
    25

    Re: Admin & Curric networks -a different spin on the old pro

    I still can not accept that 2 domains is more secure. I am still fairly new to education sector, it seems to me that staff that have spent more time in the education sector as it has evolved, are pushing the 2 domain model, so there could be some issues I am not aware of. In my LEA there were 2 domains in the schools at one point for political reasons not technical :P

    I have worked on some projects where security was much higher than in schools. Not many schools use smart cards for staff logins, which would help improve security. In most other sectors giving your password to someone else when working in a secure environment or leaving a terminal unsecured was a major issue! That does not seem to be the case in most schools. So implementing two domains in that instance works around the fact that staff are breaking security procedures, and is not improving security.

    Perhaps under BSF, the private sector IT firms will be allowed to enforce higher security standards, as the network will be secured and enforced by them, rather than the school itself.

  14. #14
    mark's Avatar
    Join Date
    Jun 2005
    Posts
    3,958
    Thank Post
    248
    Thanked 49 Times in 45 Posts
    Blog Entries
    2
    Rep Power
    46

    Re: Admin & Curric networks -a different spin on the old pro

    Quote Originally Posted by sparkeh
    I realise that one of the motivations behind the trend to join networks is so teachers can easily get at data from the MIS. The way I am approaching this is by waiting for the implementation of our VLE. Once this is up and running teacher will be able to get at the info for the children that they need, and not alter it!
    Teachers have access to the MIS here to take registers every lesson. Management want kids to use that computer too as otherwise it's a lump of expensive plastic and metal going to waste.

    MIS Systems have permission systems, so only assigned individuals have access to change details.

    If staff are logged into a VLE - the exact same problem exists... sensitive data exposed.


    Quote Originally Posted by monkeyx
    Perhaps under BSF, the private sector IT firms will be allowed to enforce higher security standards, as the network will be secured and enforced by them, rather than the school itself.
    It's not a technical problem really, more a problem of getting staff to carry out basic security themselves.

  15. #15

    sparkeh's Avatar
    Join Date
    May 2007
    Posts
    6,717
    Thank Post
    1,267
    Thanked 1,639 Times in 1,096 Posts
    Blog Entries
    22
    Rep Power
    504

    Re: Admin & Curric networks -a different spin on the old pro

    @monkeyx

    You are right, working in school is very different to working in industry. I have done both and it's an eye opener.

    And yes you might be right that the two domain model reflects on the users' inability to follow procedure. However, I am happier to use the two domain model and remove those problems than try to change the prevailing culture. Don't get me wrong, I am trying to build in good practice, but not on something that is terribly important. If users can demonstrate good practice then perhaps in the future I would consider a single domain, but we aren't there. Perhaps sounds patronising but I think we all have horror stories to tell.

    In essence I think it's about providing a solution to the problem at hand. Technically a single domain might be better but it means nothing if, practically, you end up in the mire because people can't follow the procedure.
