We've just found out kids in the school are avoiding logon settings and getting unrestricted internet access by logging onto the computer so a local profile is created, logging off then unplugging the network cable, logging on to be told their roaming profile is not available but instead a local profile will be used. Then once logged on the cable goes back in and suddenly they can load up IE and have access to the connections tab where they can see the proxy settings, can create and delete files on the C: drive but fortunately not delete existing files.
So has anyone come across this before and can suggest the best way to combat it? We are thinking of having delprof delete all local profiles at log off, setting policy refresh to something like every 1 or 2 minutes, or some kind of thing to stop logon if no active network connection is detected?
Any suggestions would be welcomed!
Usually, a GPO setting on the roaming profiles section to stop the logon process if an error occurs will work how you want it.
In the machine policy section under user administrative...system...user profiles...
'Log users off when roaming profile fails'
It's going back a long way but I'm sure that if you have a mandatory profile NTUser.man inside a folder whose name ends in .man, then a user cannot logon without their profile being read from the network.
Ah, found a reference, look for super-mandatory profiles - link: http://en.wikipedia.org/wiki/Roaming_user_profile
On your router block access to port 80 for everything other than your proxy server.
That way if your proxy server is bypassed no internet access will be allowed.
We set a wallpaper for all users. All the script does is it runs from the local machine and looks to see if the wallpaper settings have been set in the registry.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
Problem with Jon's idea is what happens if the proxy server dies? How would staff, for example, get onto the internet to download the exam results? It is, however, the only 100% sure way they'll go through the proxy server.
I agree with ICTSM's method. This'll stop them using this technique, if you use roaming profiles of course.
Also if you set the 'delete profiles at logoff' option (can't tell you where it is off hand) and make sure that the number of cached logins to be saved is set to zero on the security settings, this will stop them from logging in without the network cable plugged in even if they have just logged in a few seconds ago, there'll be no details saved.
It's an old trick that students have been using for years in the schools I've worked in. We have a super mandatory profile on our new network (going live from September) which won't let them login unless the network is connected. Changing to mandatory profiles is surprisingly easy and I recommend it for anyone running a vanilla type Windows network.
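As an added example (not posted by anyone in this thread), the PowerShell below audits a workstation for the three settings suggested above: logging users off when the roaming profile fails, deleting cached roaming profiles at logoff, and zero cached logons. It assumes the standard registry values these policies write (ProfileErrorAction, DeleteRoamingCache, CachedLogonsCount) and that it is run with read access to HKLM.

```powershell
# Added example: audit the logon/profile hardening settings discussed in the thread.
# Registry value names are the ones normally written by the corresponding policies;
# confirm them against your own GPO before relying on the result.
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

$checks = @(
    @{ Setting = 'Log users off when roaming profile fails'
       Path = $policyKey;   Value = 'ProfileErrorAction'; Expected = '1' },
    @{ Setting = 'Delete cached copies of roaming profiles'
       Path = $policyKey;   Value = 'DeleteRoamingCache'; Expected = '1' },
    @{ Setting = 'Number of previous logons to cache'
       Path = $winlogonKey; Value = 'CachedLogonsCount';  Expected = '0' }
)

$results = foreach ($c in $checks) {
    # A missing value means the policy has never been applied to this machine.
    $item   = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { [string]$item.($c.Value) } else { '<not set>' }
    [pscustomobject]@{
        Setting   = $c.Setting
        Expected  = $c.Expected
        Actual    = $actual
        Compliant = ($actual -eq $c.Expected)
    }
}
$results | Format-Table -AutoSize

# Local profile copies still on disk are what make the unplugged-cable logon work,
# so list any non-system profiles that remain on this machine.
$leftover = Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { -not $_.Special } |
    Select-Object LocalPath, RoamingConfigured, Loaded, LastUseTime
$leftover | Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or inventory tool flag the machine.
if ($results | Where-Object { -not $_.Compliant }) { exit 1 } else { exit 0 }
```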