maxymaxy (posted November 30, 2007): I am just trying out the trial version of AB Tutor after trialling Lanschool. Maybe I am doing something wrong but what stops students simply going to the control panel and uninstalling it? Lanschool was protected and needed the install program before uninstalling. Is this too obvious or am I doing something wrong? Shouldn't there be a password at least?
meastaugh1 (posted November 30, 2007): I suppose the root issue is: Is there a good reason students have been given rights to uninstall software? That aside, I guess you could transform the MSI, so that the app's entry is hidden in Add/Remove programs. Although, if the students have local administrator rights, you'd need to try and prevent them from stopping the AB Tutor Control service, probably through group policy system services permissions.
maxymaxy (author, posted November 30, 2007): Hi, Thanks for the quick reply. The students can log onto the local workstation as teacher/teacher and simply uninstall from that group privilege. It is very frustrating for me as ICT coordinator to try and help teachers cope with students who are hell bent on getting around the system security (what little there is). The network manager believes in an 'open policy' and self regulation ... but he is not in the classroom, is he? I was getting very excited with AB Tutor because it seemed to do everything I wanted but this major major oversight in design leaves me speechless. AB Tutor should at least need a password or the original install program like Lanschool does to uninstall it. We are looking at getting 10 licenses so Lanschool is expensive.
localzuk (posted November 30, 2007): Hi maxymaxy - I would ask the network manager how his 'open policy' deals with the data protection act? I would say that any reading of the law indicates that students should never be able to log in as a teacher as they would then have access to confidential information. Why do the kids know the username and password combo for the teacher? Is there only one 'teacher' account? To put it bluntly, you (as in the school) don't have any security and as such are not complying with the data protection act or the child protection act. Is your school a primary by any chance?
meastaugh1 (posted November 30, 2007): It's not reasonable to expect ABTC to compensate for the lack of desktop security that's been implemented. We use it throughout the school here with no security problems, except for teacher password breaches, which are dealt with swiftly. From your second post, it doesn't even sound like a technical issue. As localzuk says, a) why do students know the teacher's credentials, and b) why is the username the same as the password?
localzuk (posted November 30, 2007), quoting meastaugh1: "It's not reasonable to expect ABTC to compensate for the lack of desktop security that's been implemented. We use it throughout the school here with no security problems, except for teacher password breaches, which are dealt with swiftly. From your second post, it doesn't even sound like a technical issue. As localzuk says, a) why do students know the teacher's credentials, and b) why is the username the same as the password?" Exactly, we use it across school also and have no problems with security on it, but that is because we use it in an environment which runs on 'deny first, then allow' as the security policy.
ChrisH (posted November 30, 2007): I can only echo what others have said. You need to look at your basic setup else you could be saying the same about any program. We use AB tutor and are happy enough with it considering the price.
pedster666 (posted November 30, 2007): Hi, we use AB Tutor in our school, and it works very well alongside our new Bloxx hard/software. The only problem we have is kids unplug the network cables to stop connection lol
maxymaxy (author, posted November 30, 2007): I agree with all of you. Just to clarify though, the students log in to the workstation locally which means that they have the privileges to uninstall programs but it doesn't allow them to map the network drives hence privacy is not an issue. The Novell network means that there are two login screens, first to login to the network and the second to login to the workstation. Some problem with one of the servers means that students are able to ONLY login locally which means they can still play LAN games but not have any access to their home drives or network drives. Having calmed down a bit and thinking through some possible solutions, it may be that when ABT is installed the first time I can set up some permanent policies in ABT and deploy them to the clients which deny students (who log in locally) access to run/cmd and the control panel. I can also do a registry hack to hide the icon in the add/remove programs. This is not ideal, I know, but is it feasible with ABT? The network manager is leaving at the end of this year so I hope the new person will take security a bit more seriously.
maxymaxy (author, posted November 30, 2007): I have just tried the registry editing policy function in ABT and it works well. From the control workstation I was able to easily remove access to add/remove programs. I will go ahead with my pilot plan, create a policy pack to tighten up security (just don't tell the network manager) and .... hope the new guy is more sympathetic to the teacher's plight 8O
gwendes (posted November 30, 2007): Ouch... some serious concerns with the kids able to log in as admin... They could install anything! How about a keylogger? Viruses? I'd scrap the teacher/teacher account immediately. Uninstalling AB Tutor is the last thing to worry about!
meastaugh1 (posted November 30, 2007), quoting gwendes: "They could install anything! How about a keylogger? Viruses?" I was thinking the same. Assuming that your users need to logon locally, why do they need to logon locally with such unrestricted accounts?
MkII (posted November 30, 2007), quoting gwendes: "Ouch... some serious concerns with the kids able to log in as admin... They could install anything! How about a keylogger? Viruses? I'd scrap the teacher/teacher account immediately. Uninstalling AB Tutor is the last thing to worry about!" Absolutely - a ridiculous setup - the NW Manager needs sacking!
mrphil (posted November 30, 2007): maxy, I have only one word: leave your job and get a new one
GrumbleDook (posted November 30, 2007), quoting maxymaxy: "I have just tried the registry editing policy function in ABT and it works well. From the control workstation I was able to easily remove access to add/remove programs. I will go ahead with my pilot plan, create a policy pack to tighten up security (just don't tell the network manager) and .... hope the new guy is more sympathetic to the teacher's plight 8O" Also let the folks at AB know what you have done as a workaround. They might be interested in changing things in their documentation to help others with similar problems.
maxymaxy (author, posted December 1, 2007): Thanks everyone for replying. I have taken some reasonable steps to protect the ABT client:
1. By making the /program files/abcontrol folder invisible
2. Using the registry function of the ABT control:
   (a) prevented access to the control panel
   (b) disabled cmd.exe, run
   (c) prevented access to the task manager
   (d) made invisible msconfig, gpedit
   (e) disabled .bat files
   (f) disabled any access to network properties
There are still ways around these things though. I have in my IT class a student who is rated one of the top 20 junior programmers in the world. He was at the recent programming olympics! Luckily for me he is an ally rather than foe and lets me in on ways the other students are trying to get around the system. OK, all of this is not ideal but I can only do what I can and hope the next NW manager is better. I still think though the client and install files should be password protected.
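Added example, not part of maxymaxy's post or of AB Tutor: a PowerShell audit of several of the restrictions listed above, to be run while logged on as the account the students use. It assumes the AB Tutor registry policy writes the standard Windows policy values named in the script, and it goes one step beyond the post by listing the local administrators, because per-user policy values do not restrain an account that holds admin rights.

```powershell
# Added example (not from the thread): audit the per-user lockdown listed above.
# The value names are standard Windows policy values; that AB Tutor's registry
# policy writes these same values is an assumption, so check "(not set)" by hand.
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$checks = @(
    @{ Name = 'Control Panel blocked'; Path = $explorer; Value = 'NoControlPanel'; Expected = 1 },
    @{ Name = 'Run dialog removed';    Path = $explorer; Value = 'NoRun';          Expected = 1 },
    @{ Name = 'Task Manager blocked';  Value = 'DisableTaskMgr'; Expected = 1
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' },
    # DisableCMD = 1 blocks cmd.exe and batch files; 2 blocks cmd.exe only.
    @{ Name = 'cmd.exe and .bat blocked'; Value = 'DisableCMD'; Expected = 1
       Path = 'HKCU:\Software\Policies\Microsoft\Windows\System' }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Value)
    # Returns $null when either the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Value -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Value
}

$report = foreach ($c in $checks) {
    $actual = Get-PolicyValue -Path $c.Path -Value $c.Value
    $shown  = if ($null -eq $actual) { '(not set)' } else { $actual }
    [pscustomobject]@{
        Check  = $c.Name
        Value  = $c.Value
        Actual = $shown
        OK     = ($actual -eq $c.Expected)
    }
}
$report | Format-Table -AutoSize

# HKCU values apply only to the account they were written for, and any local
# administrator can delete them, so show who holds admin rights on this machine.
net localgroup Administrators
```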
mrphil (posted December 2, 2007): Do you think it is acceptable to allow the security of a school network to be run by one of the students? Am I the only one who thinks this is a bad idea??????????
maxymaxy (author, posted December 2, 2007): mrphil, My main point for starting the thread was to point out that in SOME situations it would be an advantage to have the client password protected. I still think ABT should seriously consider this. Not all of us live in an ideal world. As you can see from my solution I am writing my own group policies 'round the backdoor'. If the NW manager was doing his job, the guest account would obviously have all the necessary restrictions. I don't need reminding that the students have too many privileges. I am being squeezed from both ends - the lack of security from the network, teachers in the middle complaining about students not being on task, and students at the other end just wanting to play games and muck around.
GrumbleDook (posted December 2, 2007): @mrphil There are lots of bad ideas that go around schools that members have no control over for many reasons. All we can do is help where we can.
MkII (posted December 2, 2007): I do think tho' that it's a bit rich of maxy to be critical of ABTutor. What's to stop the kids completely wiping the PCs and installing their own O/S's? What you're doing is slowly setting up a secure system the hard way using a tool whose prime purpose is not for this, and then criticising it. What you really need is an Active Directory server and group policy restrictions on your users. Or if you're setting up standalone kiosk PCs use Steady State - for free.
GrumbleDook (posted December 2, 2007): @Mark That is what he is doing a little of, but being prevented by the fact that the NM (presumably his boss) couldn't give a rat's ear about it all. Part of me is tempted to let the OP know a variety of ways that things can be made to fall over on a more regular basis so that the whole problem needs to be addressed ... but I am not that sort of bloke.
MkII (posted December 2, 2007): Oh I get it - you're a Teacher. Most times the situation is reversed - it's the teachers who want unrestricted access and the techs who pull their hair out trying to maintain a secure & reliable system despite it. We do, however, have one member on here at least who has argued the case _for_ open access much as you describe. He was running Novell too. I agree with you that it's impossible to control kids fully, and safety measures have to be in place. My ex Head disagrees, and puts any blame onto the teachers for lack of control. All I know is that with ABTutor installed, teachers re-gained control of lessons using IT. I'm sure the logon local issue is actually to do with the client and not the server, but I stand to be corrected.
GrumbleDook (posted December 3, 2007): I get the impression that he is a techie, working under an NM who can't be bothered ... and $deity knows that we have had members in this position before.
meastaugh1 (posted December 3, 2007): The OP's second message states they are the ICT Co-ordinator.
GrumbleDook (posted December 3, 2007): Oh $deity ... in that case the only thing to do is to apply serious boot leather to the backside of the NM to get him to change his ways. I have to admit that it is amusing to have an ICT Co-ordinator complaining about the system not being locked down enough rather than the other way around. @maxymaxy Point your NM in our direction and I am sure that various members with experience of a Novell/AD solution will be able to help. Failing that ... here is a clue-bat (a long bit of 2X4) to encourage all to have another look at security.