+ Post New Thread
Page 3 of 3 FirstFirst 123
Results 31 to 32 of 32
School ICT Policies Thread, Laptop loophole in School Administration; Originally Posted by W32/Jbot We just add the allstaff domain group to the local administrators group on laptops to give ...
  1. #31

    Join Date
    Mar 2006
    Posts
    537
    Thank Post
    2
    Thanked 3 Times in 2 Posts
    Rep Power
    19

    Re: Laptop loophole

    Quote Originally Posted by W32/Jbot
    We just add the allstaff domain group to the local administrators group on laptops to give staff full priviledges on their own machines.
    This is abit dangerous as it makes any member of staff an administrator on any staff laptop whether or not they have signed for it. This means an attacker just has to get of staff crendentials from a careless member of staff then they could mount remote attacks on any laptop. You may get some protection if the staff laptop has an operational software firewall (XP or 3rd party) with well defined exceptions. Or maybe a kid gets physical access to a teachers laptop to give a power presentation. While he's groups preparing he could do the odd runas install the odd keylogger.

    That's on the extreme end, more likely it just increases the chances of a member of staff causing a problem on someone else's machine. They come in to cover a lesson and borrow someone's laptop for electronic registration. They may browse the web install the odd tool bar or spyware etc. User education and good manners should stop a lot of this but there is no safety net if everyone is an admin on everyone else's machine.

    Quote Originally Posted by W32/Jbot
    All student laptops are rangered.

    We also create a local admin account for them to use at home so they dont have to keep changing our proxy settings to use their own broadband connections.
    Does Ranger have offline logging? Once a kid has admin they own the machine in the hacker sense. They can do all the nauhgty stuff at home, even disabling the Ranger client.

    Quote Originally Posted by W32/Jbot
    We have very few problems like this.
    Ultimately, a good school displinary record is probably the only defence when you have to give admin to kids and staff with varying levels of IT expertise.

  2. #32
    eean's Avatar
    Join Date
    May 2006
    Location
    Seoul
    Posts
    572
    Thank Post
    71
    Thanked 57 Times in 41 Posts
    Rep Power
    31

    Re: Laptop loophole

    Quote Originally Posted by ITWombat
    Quote Originally Posted by W32/Jbot
    We just add the allstaff domain group to the local administrators group on laptops to give staff full priviledges on their own machines.
    This means an attacker just has to get of staff crendentials from a careless member of staff then they could mount remote attacks on any laptop.
    I agree with ITWombat; also, am I right in thinking that a virus or malware that infects one staff laptop could use the logged-on teacher's credentials to infect all the others when networked? (I know we all have virus scanners, but they are only part of the solution)
    If staff must have admin rights, would it not be safer to just add the laptop owner's username to the local admin group?



SHARE:
+ Post New Thread
Page 3 of 3 FirstFirst 123

Similar Threads

  1. Where to buy XP Laptop
    By SimpleSi in forum General Chat
    Replies: 11
    Last Post: 6th January 2008, 10:20 PM
  2. Why would anyone buy this laptop?
    By sidewinder in forum General Chat
    Replies: 4
    Last Post: 5th September 2007, 10:47 AM
  3. best laptop out there
    By callumtuckey in forum General Chat
    Replies: 19
    Last Post: 1st June 2007, 10:31 PM
  4. SEN Laptop
    By Irazmus in forum Hardware
    Replies: 0
    Last Post: 18th December 2006, 01:25 PM
  5. My new laptop
    By Dos_Box in forum Hardware
    Replies: 10
    Last Post: 21st November 2006, 12:05 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •