Re: Windows Domain Question

[Brian Eckman <eckman () UMN EDU>]

Niedens, Travis wrote:
> All,
>
> In light of the many issues there have been in the past few months with
> viruses and patches of certain operating systems, our organization has
> decided to evaluate and implement solutions that are easily maintained and
> insure that networked systems are secure and virus free.  One of the
> proposed solutions is to require that our students connect to a student
> domain while on the network so that we can update their antivirus product,
> provided by us, as well as their operating system.  Has anyone on here went
> down that path to resolve these issue?  If so, what challenges did you have
> and did it accomplish the goals you had?  I know one main hurdle that we
> have to overcome is the issue of privacy.

Wow, good luck! I can't imagine we here would even want them to join a
domain, let alone require it. Privacy being one of the issues, but
technical support another. An E-mail such as "Hey, my computer had a
keylogger on it, and you have admin rights on my computer, so you must
have put it there. I'm going to sue you for everything you have." would
surely come through at least once a month. Not to mention the potential
police investigation into *us* when the student goes to the police in
the above hypothetical situation.

We are looking at steering our student population to an on-campus SUS
server for Windows patches, and possibly configuring a Symantec
AntiVirus server on campus to act as a "parent server" for their
AntiVirus updates. Participation would be optional but strongly
encouraged, as we generally down network ports during virus outbreaks,
or if the computer is spewing Spam, or port scanning, etc. So, there is
an incentive for them to join in. (Sure, their port will get reenabled
typically within 24 hours of them resolving the problem, but its still a
major hassle for them.)

The Antivirus server would not force any restrictions on them, except
that, if they turn off real time scanning, it would be automatically
reenabled for them 30 minutes later. They would be free to uninstall it,
run LiveUpdate themselves, etc. However they'd automatically get the
daily Symantec update fed to them shortly after it is released.

We are also looking into using NetReg this fall to help ensure that
computers joining the network are reasonably patched.

Brian
--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.