20th June 2009, 12:59 AM #1
Clever Students - Need help
OK, so I feel a little stupid doing this, but we have some extremely clever students who run rings around my IT staff. This has been going on for the last two years. The problem is because we don't know who they are.
They don't log into the network with their allocated user names; they run USB or CD boot loaders of Fedora and browse the internet, bypassing everything we have.
They ran DC++ for a week before we knew!
One of the students had a partition in the HDD using Hackintosh on an old AMD machine and was playing games!
The worst thing is we are allowing the students to bring in their own laptops, but these kids run Linux and I'm scared to say they could do some damage if they wanted to.
Any help guys?
-
-
20th June 2009, 01:22 AM #2
Set up a transparent proxy so everything has to go through it and block all the other ports from accessing the web.
Also, why are there CD drives in your student machines? That's like a $50 saving you could make per machine by cutting them out.
Also you could disable your USB drives and protect the BIOS with a password so they can't change it back, but that's a pain when you want to ghost/image etc.
You should be able to set your network up so they [non school machines [since they iirc see a diff operating system as a completely diff system]] either get dished out a false/fake IP range from the DHCP server or not given one at all, but I have no idea on how to do that.
Last edited by p858snake; 20th June 2009 at 02:01 AM.
-
-
20th June 2009, 04:13 AM #3
From the sounds of it the primary security breaches are occurring because of the boot controls on the computers and the apparent lack of supervision. It takes quite some time to install a whole OS.
First off I would suggest going round to all of the computers and setting up password protection on the BIOS for all machines as well as changing the boot order to hard drive first so as not to let the students boot off CD or USB. You would also need to disable the boot device selection popup option if the computer has one. This step should stop them from installing any OSs or booting to random live Linux CDs.
The next push would be staff awareness; if you can get the staff involved to actually monitor the kids this would also be a huge benefit to the security of the computers. This is probably the hard bit though, depending on your staff.
As to internet access I would have all access filtered at the network level, not via the clients; this means that any other client PCs or devices that are added are still subject to the same filtering rules. You could use Smoothwall, which is recommended by many on here, a LA proxy server if they offer it, or ISA with a filtering package like Websense. Both ISA and Smoothwall will allow you to permit or deny certain protocols like P2P etc.
Moving on to isolation of random devices, you could do this with NAP (Network Access Protection) in Windows Server 2008 or PacketFence to limit the abilities of non-managed devices and/or set up a guest VLAN for them to go onto with only web access or similar.
As long as you keep your systems up to date with patches and your file and share permissions locked down, your systems should be reasonably safe.
As another suggestion, depending on your location you could talk to some other IT people from your area and possibly ask them to do a peer review of your network to provide suggestions. I am assuming that you are a NM or manager, as if you are a teacher at the school this may need to be approached differently so as not to step on anyone's toes.
Hope this helps.
Last edited by SYNACK; 20th June 2009 at 04:15 AM.
-
-
20th June 2009, 04:54 AM #4 
Originally Posted by SYNACK
From the sounds of it the primary security breaches are occurring because of the boot controls on the computers and the apparent lack of supervision. It takes quite some time to install a whole OS.
You don't need to install, you can run most (if not all) linux distros off a cd or usb drive these days and then just take them around with you.
-
-
20th June 2009, 05:56 AM #5 
Originally Posted by p858snake
You don't need to install, you can run most (if not all) linux distros off a cd or usb drive these days and then just take them around with you.
So if you disable the ability to boot from USB or optical drive (CD / DVD or w/e), can you still run a Linux distro from CD or USB memory storage (memory stick or external HDD)?
Only way I could think of doing that would be through some virtual machine such as VirtualBox or Virtual PC (Microsoft's version of it), or VMware may have a virtual machine application?
-
-
20th June 2009, 08:31 AM #6
Are these PCs networked? If so, then stop students running exe, bat or msi files through AD. An alternative is Access Patrol by codeworks - pretty cheap - if you need a graphical front end to control student access.
-
-
20th June 2009, 08:49 AM #7
Long arduous task ahead, but one I've gone through.
Go to each machine, set a BIOS password and set the boot order to ONLY boot from the local hard drive (and PXE if you use it); allow no other boot devices.
Open the case and unplug the CD drive's power and IDE cables.
Also fit cable ties to the rear of the case through the lock eye most cases have, to stop them from just unscrewing the case and opening it to plug in the CD drive/reset BIOS/swap HDD.
Set up a proxy server that blocks everything but port 80 (HTTP) and 443 (HTTPS) - the Smoothwall guys view the forum so they can help there. IPCop, Smoothwall, pfSense, any of these dedicated proxy OSs will be great here.
That's the basic stuff, now you have to secure your domain.
Set the folder shares - even the shared ones - to deny non-authenticated users. I would hope it already is but just covering all grounds.
Group Policy time. Lock this down to the maximum you can get away with. Mandatory Remote Profiles would be a must for me, and blocking out access to CMD, right click menus and lots of other stuff. You can fill a whole book on all of the GP options, but ultimately it's down to you what works best.
-
-
20th June 2009, 09:09 AM #8
But don't do what I did & ban cmd.exe and *.bat in a computer policy..... unless you don't want your login scripts to run....stupid girl me!!!! LOL
-
-
20th June 2009, 09:24 AM #9
You're a girl in IT? Be careful admitting that near Jake otherwise we'll have to lock him in his cage again.
-
-
20th June 2009, 10:04 AM #10 
Originally Posted by Midget
you're a girl in IT? Be careful admitting that near Jake otherwise we'll have to lock him in his cage again.
I've got the chains and padlocks ready just in case.......
-
-
20th June 2009, 11:33 AM #11
You definitely want to make sure that the machines have strong BIOS passwords set; at the risk of being boring (again!) can I just stick in my old mantra - "if it takes a long time, you're doing it wrong" :-)
Most modern PCs ought to have a BIOS whose settings can be managed remotely - it's certainly true for HP and Dell and I'm pretty sure it's true for most others (anything labelled vPro or AMT can also do this). Use the tools to do the remote management and you can then get the hardware locked down so that people can't boot from anything you don't want.
Introducing software restriction policies can be time consuming but probably needs doing, but you need to focus on protecting stuff first; you may not want pupils playing games but it doesn't really do any harm. If there are open network shares which allow access to confidential material then that's far more serious and needs dealing with first.
How should traffic get out to the internet? If it's just that there's a default gateway set on machines which points to a router going outside, then can you change it so that the default gateway has no internet access and then configure your web browsers to use a proxy? It will break some applications but the vast majority of genuine internet use will be with a web browser and it will work fine with (e.g.) Squid or ISA Server.
-
-
20th June 2009, 03:00 PM #12
They don't log into the network with their allocated user names; they run USB or CD boot loaders of Fedora and browse the internet, bypassing everything we have.
I have to agree with previous comments. Password restrict the BIOS on every machine and configure the hard disk as the only boot device. This then makes it impossible to boot from anything else, unless they fancy taking the computer case off and removing the battery (highly unlikely). As there's a team of you, it shouldn't take too long to do.
As for access to CD-ROM and USB, maybe you need to evaluate school ICT policies and try and clamp down where you can. Do all students genuinely need access to these? Or maybe only certain groups?
I would also take a look at ABE or Access Based Enumeration which only displays shares based on ACLs.
-
-
20th June 2009, 03:16 PM #13
USB access will be required for students to take work home, I assume, since no one uses floppies any more.
Students playing games in the lesson isn't of any consequence to the IT team and the security of the network - if teachers don't want them playing them they can stop them.
If you are using mandatory profiles and have a correctly locked down network with a good virus checker on the storage server, anything brought in on USB should have no effect on the rest of the network.
-
-
20th June 2009, 08:41 PM #14
Echo most of the above: BIOS passwords and then a block on all exe/msi files from external storage (I use my McAfee EPO server to do that; it's not 100% but as no-one I know of has worked out the flaw I'll live with it).
I also use DHCP reservations for all my machines (time consuming but useful when I'm using Websense and want to block an IT suite from the internet). My actual range of "free" IP addresses for DHCP leases is only about 10 addresses and all these are totally blocked from using the internet. Again not foolproof but filters out most of the people trying things.
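
The reservation scheme described in the post above, sketched as a lease-table audit. This is an added example, not part of the original thread; the MACs, addresses, pool range and function names are constructed for illustration, and it goes slightly beyond the post by also flagging a known MAC on the wrong address and an unknown MAC sitting on a reserved address.

```python
import ipaddress

# Constructed inventory: MAC -> reserved IP for every managed machine.
RESERVATIONS = {
    "00:1a:2b:00:00:01": "10.0.1.11",
    "00:1a:2b:00:00:02": "10.0.1.12",
}
# Hypothetical small "free" lease range; nothing in it is allowed out.
FREE_POOL = ipaddress.ip_network("10.0.9.0/28")

# Constructed lease/ARP rows: (mac, ip, hostname)
LEASES = [
    ("00:1A:2B:00:00:01", "10.0.1.11", "suite1-pc01"),
    ("00:1a:2b:00:00:02", "10.0.1.40", "suite1-pc02"),
    ("de:ad:be:ef:00:07", "10.0.9.5", "fedora-live"),
    ("de:ad:be:ef:00:08", "10.0.1.12", "laptop"),
    ("de:ad:be:ef:00:09", "10.0.3.77", "unknown"),
]

def classify(mac, ip):
    """Return the audit status of one (mac, ip) pair."""
    mac = mac.lower().replace("-", ":")
    addr = ipaddress.ip_address(ip)
    if mac in RESERVATIONS:
        # Known machine: it should only ever appear on its reserved address.
        return "managed" if RESERVATIONS[mac] == ip else "managed-wrong-ip"
    if ip in RESERVATIONS.values():
        # Unknown MAC using an address that belongs to a managed machine.
        return "reserved-ip-conflict"
    if addr in FREE_POOL:
        return "unmanaged-free-pool"
    # Unknown MAC outside every range the DHCP server hands out.
    return "unmanaged-static"

def internet_allowed(status):
    """Filter policy from the post: only reserved machines get out."""
    return status == "managed"

def audit(leases):
    """Return (hostname, ip, status, allowed) for each row."""
    rows = []
    for mac, ip, host in leases:
        status = classify(mac, ip)
        rows.append((host, ip, status, internet_allowed(status)))
    return rows

if __name__ == "__main__":
    for row in audit(LEASES):
        print("%-12s %-10s %-22s internet=%s" % row)
```

A reservation keys on the MAC address alone, so this works as a filter and an audit aid rather than as authentication of the device.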
-
-
20th June 2009, 09:09 PM #15
Disable "legacy USB" in the BIOS. They'll still work in Windows, allowing the students to save their work etc (although I sincerely hope USB pens will be banished in schools in the very near future - I've convinced half of mine to ditch them already) - however they'll be unbootable/unrecognisable until Windows is started.