Windows thread (Technical forum): Stop Pupils Sharing their logins!
Page 3 of 5, posts 31 to 45 of 69
  1. #31 cookie_monster (Derbyshire)
    Quote Originally Posted by FAA:
    IMHO, not implementing efficient login session controls in an educational organization might cause serious problems. Think of these situations for example:

    - It’s very easy for students to disclose their credentials to unauthorized third parties as there is no consequence on their own access to the network.
    Thus, several workstations can unduly be blocked by one user and serious security flaws can occur (e.g.: server attacks).

    - A student/pupil having managed to get a teacher’s credentials will be able to access confidential information (exam questions, results, etc…) from any workstation on the network.

    - In the event of abnormal or suspicious behavior having been detected on a workstation, Windows native features will not allow the administrator to remotely disconnect the user or lock the session from a central console or any online computer.

    - If a student/pupil leaves his session open or locked, the workstation is unavailable to all other students/pupils willing to login with their own account.

    We make 'their' logon 'their' responsibility in the AUP that they and their parents sign; if they disclose this and there are issues, they are directly responsible and punished accordingly.

    How does limiting multiple sessions prevent a student gaining access to a staff password and logging on as the member of staff? This would only prevent them logging on at the same time as the member of staff which doesn't solve the issue of the student knowing the password.

    You can use Gencontrol or VNC to log off a remote user; both are GPL and free. Most schools use a remote control app, e.g. NetSupport, anyway.

    We don't allow students to lock their station as they only use shared terminals so this isn't an issue.
    Last edited by cookie_monster; 18th March 2010 at 03:44 PM.

  2. #32 DaveP
    Quote Originally Posted by JJonas:
    We did it this way for free

    Prevent Multiple Logons With GPOs
    I have set this up here.

    It didn't take long at all. I made a few modifications [by separating the users and the computers text files I can see who is logged on now. I also added three other text files: Historical Logons, Historical Logoffs and Duplicate logon attempts. These three files all record the day/time/workstation where the logon request originated. All works like a dream.]


  3. #33 cookie_monster (Derbyshire)
    Quote Originally Posted by DaveP:
    I have set this up here.

    It didn't take long at all. I made a few modifications [by separating the users and the computers text files I can see who is logged on now. I also added three other text files: Historical Logons, Historical Logoffs and Duplicate logon attempts. These three files all record the day/time/workstation where the logon request originated. All works like a dream.]


    What happens if a station crashes and the logoff script doesn't run?

  4. #34 DaveP
    Quote Originally Posted by cookie_monster:
    What happens if a station crashes and the logoff script doesn't run?
    I am still working on that one. At the moment I am willing to delete the files that have been created which prevent the students logging on after a crash.

    Longer term if the script doesn't run I will...

    ... get back to you on that one.

  5. #35 cookie_monster (Derbyshire)
    Quote Originally Posted by DaveP:
    I am still working on that one. At the moment I am willing to delete the files that have been created which prevent the students logging on after a crash.

    Longer term if the script doesn't run I will...

    ... get back to you on that one.


    Same problem I’ve had with similar solutions then; let us know how you get on. Cheers.

  6. #36 FAA

    Workstation restrictions

    Quote Originally Posted by cookie_monster:
    How does limiting multiple sessions prevent a student gaining access to a staff password and logging on as the member of staff? This would only prevent them logging on at the same time as the member of staff which doesn't solve the issue of the student knowing the password.
    You have a point here, as I did not think of limiting concurrent logins but of implementing workstation restrictions.

    UserLock indeed allows restricting a user group's network access per workstation or IP range. Thus, a student/pupil will not be able to log in using a teacher's credentials from a room equipped with free access workstations.

  7. #37 cookie_monster (Derbyshire)
    Quote Originally Posted by FAA:
    You have a point here, as I did not think of limiting concurrent logins but of implementing workstation restrictions.

    UserLock indeed allows restricting a user group's network access per workstation or IP range. Thus, a student/pupil will not be able to log in using a teacher's credentials from a room equipped with free access workstations.


    What if a teacher wants to log on to the machine? Our staff frequently use class PCs.

  8. #38 FAA

    Detect people impersonating other user accounts

    Quote Originally Posted by cookie_monster:
    What if a teacher wants to log on to the machine? Our staff frequently use class PCs.
    Well, you can't have your cake and eat it ...

    More seriously, in this case you might want to:

    1) restrict students to logging in only from classroom computers

    2) not set workstation restrictions for teachers (or at least not restrict them from logging on from classroom PCs)

    3) educate your teachers to check the UserLock warning message carefully.

    UserLock indeed allows notifying all users prior to gaining access to a system with a tailor-made warning message.
    These messages can for example include:
    - a tailor-made legal disclaimer or AUP
    - last workstation logged on
    - date and time of last successful logon
    - history of all logons denied by UserLock and Windows since last successful logon
    - number of logons denied by UserLock and Windows since last successful logon

    This is one of the most effective ways to detect people impersonating other user accounts, providing your teachers are reasonably security aware.

  9. #39 cookie_monster (Derbyshire)
    Quote Originally Posted by FAA:
    Well, you can't have your cake and eat it ...

    More seriously, in this case you might want to:

    1) restrict students to logging in only from classroom computers

    2) not set workstation restrictions for teachers (or at least not restrict them from logging on from classroom PCs)

    3) educate your teachers to check the UserLock warning message carefully.

    UserLock indeed allows notifying all users prior to gaining access to a system with a tailor-made warning message.
    These messages can for example include:
    - a tailor-made legal disclaimer or AUP
    - last workstation logged on
    - date and time of last successful logon
    - history of all logons denied by UserLock and Windows since last successful logon
    - number of logons denied by UserLock and Windows since last successful logon

    This is one of the most effective ways to detect people impersonating other user accounts, providing your teachers are reasonably security aware.


    The features look OK, but I'm not sure there's anything there that can't be achieved for free in conjunction with a good password policy and staff training, i.e. training them to take care when entering their password; we also have a good password policy that forces them to change it frequently.
    I'm sure some schools have that kind of money, but I couldn't justify the cost myself; we don't have enough PCs to be restricting them to either staff or students (except for office PCs, of course).

    Thanks.

  10. #40 Kipling (Northwest)
    Quote Originally Posted by DaveP:
    I am still working on that one. At the moment I am willing to delete the files that have been created which prevent the students logging on after a crash.

    Longer term if the script doesn't run I will...

    ... get back to you on that one.
    I had a stab at limiting logon sessions last half term and fixed the problem of crashed PCs leaving orphaned files behind (using a third script). I put the idea on the back burner and didn't end up using it (fully), so it hasn't been thoroughly tested in anger.

    It's not based on those scripts but pretty much the same concept; I'll tidy them up a bit and post them tomorrow if I get half an hour.

  11. #41 localzuk (Minehead)
    How about some form of service which periodically checks for a logged on user, sending this to an MSSQL database when someone logs on, then just have the services also check the server when someone tries to log on, looking for logins within a certain time frame - if one exists, they're still logged in elsewhere (the service could also include functionality to force log off the other logged in account), if not, they can log in.

    Thoughts?
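As an added example (not code from this thread or from any of its posters), here is the gate localzuk sketches above, modelled in Python with an in-memory SQLite table standing in for the MSSQL database. The function names, the five-minute heartbeat timeout and the sample account and workstation names are my assumptions. Each client service calls heartbeat() at logon and then on a timer, and logoff() when the user logs off; the server runs check_logon() when a logon is attempted. A record whose heartbeat is older than the timeout is dropped, which is what deals with the crashed-station case raised earlier in the thread: a crashed PC never runs its logoff script, but it also stops sending heartbeats.

```python
import sqlite3
from datetime import datetime, timedelta

# Assumed value for the example: a session record that has not been refreshed
# within this window is treated as dead (station crashed or left the network
# without running its logoff script).
HEARTBEAT_TIMEOUT = timedelta(minutes=5)


def open_registry():
    """Create the central sessions table (in-memory SQLite stands in for MSSQL)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE sessions (username TEXT PRIMARY KEY, "
        "workstation TEXT, last_seen TEXT)"
    )
    return db


def heartbeat(db, username, workstation, now):
    """Client service: record the session at logon and refresh it periodically."""
    db.execute(
        "INSERT OR REPLACE INTO sessions VALUES (?, ?, ?)",
        (username, workstation, now.isoformat()),
    )
    db.commit()


def logoff(db, username):
    """Client service at logoff; also used by the server to expire or force a session."""
    db.execute("DELETE FROM sessions WHERE username = ?", (username,))
    db.commit()


def check_logon(db, username, workstation, now, force=False):
    """Server-side gate run when a logon is attempted.

    Returns (allowed, reason). A live session on another workstation blocks the
    logon unless force=True, in which case the old record is dropped (a real
    service would additionally signal that client to log the user off).
    """
    row = db.execute(
        "SELECT workstation, last_seen FROM sessions WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return True, "no active session"
    other_ws, last_seen = row[0], datetime.fromisoformat(row[1])
    if other_ws == workstation:
        return True, "same workstation (re-logon after lock or reboot)"
    if now - last_seen > HEARTBEAT_TIMEOUT:
        logoff(db, username)  # heartbeats stopped: treat the old session as dead
        return True, f"stale session on {other_ws} expired"
    if force:
        logoff(db, username)
        return True, f"forced logoff of session on {other_ws}"
    return False, f"already logged on at {other_ws}"


if __name__ == "__main__":
    # Constructed scenario: jsmith logs on at ICT1-PC07, which then crashes.
    db = open_registry()
    t0 = datetime(2010, 3, 18, 9, 0)
    heartbeat(db, "jsmith", "ICT1-PC07", t0)
    print(check_logon(db, "jsmith", "ICT2-PC03", t0 + timedelta(minutes=1)))
    print(check_logon(db, "jsmith", "ICT2-PC03", t0 + timedelta(minutes=6)))
```

The heartbeat interval has to be comfortably shorter than HEARTBEAT_TIMEOUT, otherwise a busy but healthy client gets expired and a second logon slips through; in return, a crash only blocks the user for at most one timeout window rather than until someone deletes a file by hand.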

  12. #42 DaveP
    Quote Originally Posted by localzuk:
    How about some form of service which periodically checks for a logged on user, sending this to an MSSQL database when someone logs on, then just have the services also check the server when someone tries to log on, looking for logins within a certain time frame - if one exists, they're still logged in elsewhere (the service could also include functionality to force log off the other logged in account), if not, they can log in.

    Thoughts?
    My thoughts are 'That sounds like a plan!'

    However, I am not a programmer.

    It would be great if we could deploy this as a server only based solution to speed up deployment/re-deployment. Would that be an option?

    Edit: I have noticed that the scripts are, of course, dependent upon DNS to correctly identify the station the user is logged onto. I have seen some stations mis-identified in the logs today. I will have to tackle my DHCP/DNS issues, but is there a way of picking up the station name from the station locally [the station the user is logging onto] rather than have the script ask DNS for a name resolution? [Only my servers and printers have static IPs]
    Last edited by DaveP; 18th March 2010 at 08:39 PM. Reason: Add detail to the post.

  13. #43 Kipling (Northwest)
    Quote Originally Posted by localzuk:
    How about some form of service which periodically checks for a logged on user, sending this to an MSSQL database when someone logs on, then just have the services also check the server when someone tries to log on, looking for logins within a certain time frame - if one exists, they're still logged in elsewhere (the service could also include functionality to force log off the other logged in account), if not, they can log in.

    Thoughts?
    In a sense that's what my third script does; it checks periodically that the records are a true reflection of who is actually logged on. Though I agree a service would be nicer.

  14. #44 localzuk (Minehead)
    Quote Originally Posted by DaveP:
    My thoughts are 'That sounds like a plan!'

    However I am not a programer.

    It would be great if we could deploy this as a server only based solution to speed up deployment/re-deployment. Would that be an option?

    Edit: I have noticed that the scripts are, of course, dependant upon DNS to correctly identify the station the user is logged onto. I have seen some stations mis-identified in the logs today. I will have to tackle my DHCP/DNS issues but is there a way of picking up the station name from the station locally [the station the user is logging onto] rather than have the script ask DNS for a name resolution? [Only my servers and printers have static IPs]
    Interesting, a server side only option could work. All log-on and log-off events can be set to be logged in the event log, so something could be set to monitor them. However, I think the system would be susceptible to the crashed/missing log-off events. So, if someone's computer crashes, the server won't have a record of it.

    This is why the client side service would be more reliable - it would poll.

    However, thinking about it, if WMI were used, this might be able to be overcome, as the server could be set to poll. You could do this several ways - for example, by combining with the event logs - so you'd only poll the machines which have recent events. Either that, or you'd have to ping the network (and therefore ICMP would need to not be blocked on clients), to discover active windows machines, and then poll those which are active.

    Sorry about all that, spitballing ideas in my head.

    And to answer your question about machine name, a local client can get it from environment variables easily in .Net. Very simple.

    Quote Originally Posted by Kipling:
    In a sense that's what my third script does; it checks periodically that the records are a true reflection of who is actually logged on. Though I agree a service would be nicer.
    It shouldn't be that difficult to figure out, I don't think. I may give it a go once I've finished my kiosk.
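The server-side variant localzuk describes in #44, as an added example that is not code from the thread or from any poster: rebuild who is logged on where from logon/logoff events, then reconcile that picture against a poll of the stations (what a WMI query of each machine would report) so that a crashed station's missing logoff event does not leave a phantom session. The event lines, the poll result and the account and workstation names are constructed for the example; the line format is a simplified export, not the real event-log layout. Event IDs 4624 (logon) and 4634 (logoff) are the Security log IDs on Vista/2008 and later.

```python
import re
from collections import defaultdict

LOGON, LOGOFF = "4624", "4634"  # Security log event IDs (Vista/2008 and later)

# Constructed, simplified export: "time event_id user workstation".
# ICT1-PC07 crashed at 09:30, so jsmith's logoff from it never reached the log.
EVENTS = """
09:00:05 4624 jsmith ICT1-PC07
09:05:10 4624 amartin ICT1-PC08
09:40:02 4624 jsmith ICT2-PC03
09:45:30 4634 amartin ICT1-PC08
09:50:00 4624 bjones ICT1-PC08
""".strip().splitlines()

# Constructed poll result: workstation -> user currently logged on (None if nobody),
# as the server would obtain by querying each recently active station over WMI.
POLL = {"ICT1-PC07": None, "ICT2-PC03": "jsmith", "ICT1-PC08": "bjones"}

LINE = re.compile(r"^(\S+) (\d+) (\S+) (\S+)$")


def rebuild_sessions(lines):
    """Replay logon/logoff events into user -> set of workstations still 'open'."""
    sessions = defaultdict(set)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the export format
        _, event, user, ws = m.groups()
        if event == LOGON:
            sessions[user].add(ws)
        elif event == LOGOFF:
            sessions[user].discard(ws)
    return {u: ws for u, ws in sessions.items() if ws}


def reconcile(sessions, poll):
    """Drop event-derived sessions that the station itself no longer confirms.

    A station absent from the poll (e.g. unreachable) cannot disprove the
    session, so it is kept; a polled station reporting nobody or a different
    user shows the logoff event was lost. Returns (live_sessions, dropped).
    """
    live, dropped = {}, []
    for user, stations in sessions.items():
        confirmed = set()
        for ws in sorted(stations):
            if ws not in poll or poll[ws] == user:
                confirmed.add(ws)
            else:
                dropped.append((user, ws))
        if confirmed:
            live[user] = confirmed
    return live, dropped


def concurrent_users(sessions):
    """Users that appear logged on at more than one workstation."""
    return sorted(u for u, ws in sessions.items() if len(ws) > 1)


if __name__ == "__main__":
    before = rebuild_sessions(EVENTS)
    print("from events alone:", concurrent_users(before))   # phantom jsmith session
    after, dropped = reconcile(before, POLL)
    print("after poll:", concurrent_users(after), "dropped:", dropped)
```

Polling only the stations with recent events, as the post suggests, keeps the WMI traffic small; the cost is that a station which has been silent longer than the event window is never checked, so a long-dead session on it survives until the next event mentions that station.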

  15. #45 (poster name not captured; Surburbia)
    For one thing, it performs an irreversible Active Directory Schema modification (!)
    ::shrug:: As someone who registered an OID for doing precisely that 10+ years ago, I find that about as scary as some app creating a registry key. We obviously don't want every other app extending the schema coz the poor quality of too many apps means it would get ugly, but an unused schema extension (which I assume in this case just describes a new attribute or two for use with a user object) is not, IMO, a big deal.


    LimitLogon using AD and a deletable app partition doesn't seem at all strange to me, it was the SOAP that made me groan.
