I've been asked to add Python to the school network, which is easy enough as an MSI is provided; however, I am unsure as to whether installing this on the native system is a good idea. Should I be implementing a Virtual PC image with this? With GPO restrictions in place, is this necessary?
The school's never needed anything like this on the network before, so we haven't had to worry about this before; however, due to recent public comments, it's been decided that we need this.
Decided by who? in consultation with who? for what purpose?
This is a request by the ICT department as they want to teach students Python. Ideally I want to know what the risks are and in what way this could be done if it's a good idea; then once I know either way, I can go back to them and the SMT and let them know whether this is possible, rather than just saying no from the get-go.
Are there schools out there who have been asked to implement something similar?
Giving kids a Python interpreter means they can use the computer to do what they like with - access the C:\ drive, call system commands, run network commands.
Is Python the security risk or is Windows the security risk?
I personally don't think it's an issue. If you think it is then run it on *nix or in a virtual machine.
What @dhicks said. You could even set up an Ubuntu box joined to AD; one decent desktop should allow for a full class of students (probably more) all doing "commandline" based Python. Use an easy text editor like "joe" and you're away. You may have problems with students trying to be clever and DoS the box by running compute-intensive stuff, but it is easy enough to spot these and apply a LART.
You could position this as a "first step" into the Python world - also, one box means you have a LOT of control over the runtime environment, a (competent) IT teacher can easily distribute sample scripts to students, and it might even be possible for students to log in from home to do work.
Looking at the same thing here, tbh my preferred option is the Raspberry Pi if they can get it out of the doors in enough quantity for September, which is looking increasingly unlikely.
I think we'll be going down the route of having VMs set up with a dev image:
Eclipse with PyDev
Android Dev Environment
Windows 7 Mobile Dev Environment
Microsoft Robotics Developer Kit
Running Python programs on Windows will give the program the same security restrictions that the user would have if they had access to the command line, Windows Explorer or the save/open dialogs in most Windows applications. They could run any program on the system that they have read and execute permissions on.
If you have denied students access to a file/folder/network drive, then they still can't get it, because they will be running Python under their own account. However, one thing that does occur to me is if the students hand in a program (in any language, not just Python) to a teacher and the teacher runs it, then it would run as the member of staff. If a student were crafty, they could get the program to access a confidential file and send it via email or network share to themselves when the teacher runs it. Staff marking the work would need to be very strict about reading the code before running it. I would also give the staff a restricted environment of some kind to run it in, maybe a VM or Linux server, or another unprivileged username.
Unless they can find a privilege escalation type bug, then they shouldn't be able to do any admin level stuff. That is assuming you have the PCs locked down properly. I think the worst they are likely to be able to do is crash the PC, or maybe corrupt the Python install. Neither of those should take long to fix (either reboot or reinstall Python).
You probably want to make sure the rest of the network is secured properly, with firewalls, backups, system images, etc, but any vulnerabilities there are present if the students can bring in their own equipment, or use VMs/SSH/Raspberry Pi or Java or Visual Basic. It's possible that they could create programs to do denial of service or other attacks against hosts on your network. This applies to any network however, with or without development tools installed.
This is based on my personal experience with python, I don't use it in a teaching environment.
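The post above asks staff to read submitted code before running it under a staff account. As an added example (not code from this thread), the sketch below uses Python's standard ast module to list the lines of a submission that import file, process or network modules or call open/eval/exec, so the marker knows where to read first; the function name triage, the module list and the sample submission are assumptions made for illustration.

```python
import ast

# Modules that let a script reach beyond its own folder: files, processes, network, mail.
REVIEW_MODULES = {"os", "subprocess", "shutil", "socket", "smtplib",
                  "urllib", "ftplib", "http", "ctypes"}
# Built-ins that open files or run code assembled at run time.
REVIEW_CALLS = {"open", "eval", "exec", "compile", "__import__"}


def triage(source, filename="<submission>"):
    """Return sorted (line, reason) pairs a marker should read before running."""
    try:
        tree = ast.parse(source, filename=filename)
    except SyntaxError as exc:
        return [(exc.lineno or 0, "does not parse: " + exc.msg)]
    findings = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            names = [node.module or ""]
        else:
            names = []
        for name in names:
            top = name.split(".")[0]
            if top in REVIEW_MODULES:
                findings.add((node.lineno, "imports " + top))
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in REVIEW_CALLS):
            findings.add((node.lineno, "calls " + node.func.id + "()"))
    return sorted(findings)


# Constructed sample submission; it is only parsed here, never executed.
SAMPLE = '''\
import math
import smtplib
from os import path

print(math.sqrt(16))
notes = open("notes.txt").read()
'''

if __name__ == "__main__":
    for line, reason in triage(SAMPLE):
        print("line %d: %s" % (line, reason))
```

An empty result only means none of the listed names appear literally; it is a reading aid, and the restricted account or VM suggested in the post is still what limits what a submission can reach.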
I really think school sysadmins need to relax a little and give kids chance to explore.
The worst that's going to happen is they'll create a mass email spam program, temporarily knock out a server or exploit some privilege escalation bug and gain some confidential information. They'll do that if it's on a (networked) Raspberry Pi or (networked) virtual machine. There are not going to be many kids that could do it, and even fewer that would do it. You or the teachers will be able to identify those bright but misaligned students in a flash.
Real learning doesn't happen in a sterile environment. I've had kids that have written their own proxy servers in their bedrooms, to be able to get to games sites and others that have attempted to DoS our internal email system. The only thing that has come from it is good, the kids learned important lessons.
We aren't working in a military environment. Sometimes it is good to say YES to things that will be good for teaching and learning, and learning Python certainly will be. Even if it means 'letting go' a little.
garethedmondson (3rd February 2012)
What I would suggest is dropping a couple of University IT departments an e-mail; a lot of them have Python and other interpreters installed for CompSci students, in a domain environment. In fact, I learnt Python in a Windows 7 domain environment towards the end of last year.
I would recommend a bunch of (virtual) servers in a DMZ with only SSH inbound open. The kids can play, the servers can be reset once they have royally stuffed them up and the rest of the school can keep running as normal with a reasonable level of risk.
I think we shouldn't all overreact to what 'could' happen, or we'll end up banning a whole load of useful educational tools like Raspberry Pi and running student machines in a DMZ; back to the separate staff/student networks of eons ago. Relax, it will be fine.
As long as it runs under a standard user account I really don't see what the problem is.