Educause Security Discussion mailing list archives
Re: Windows Domain Question
From: Brian Eckman <eckman () UMN EDU>
Date: Fri, 20 Feb 2004 12:18:27 -0600
Niedens, Travis wrote:
All, In light of the many issues there have been in the past few months with viruses and patches of certain operating systems, our organization has decided to evaluate and implement solutions that are easily maintained and insure that networked systems are secure and virus free. One of the proposed solutions is to require that our students connect to a student domain while on the network so that we can update their antivirus product, provided by us, as well as their operating system. Has anyone on here went down that path to resolve these issue? If so, what challenges did you have and did it accomplish the goals you had? I know one main hurdle that we have to overcome is the issue of privacy.
Wow, good luck! I can't imagine we here would even want them to join a domain, let alone require it. Privacy being one of the issues, but technical support another. An E-mail such as "Hey, my computer had a keylogger on it, and you have admin rights on my computer, so you must have put it there. I'm going to sue you for everything you have." would surely come through at least once a month. Not to mention the potential police investigation into *us* when the student goes to the police in the above hypothetical situation. We are looking at steering our student population to an on-campus SUS server for Windows patches, and possibly configuring a Symantec AntiVirus server on campus to act as a "parent server" for their AntiVirus updates. Participation would be optional but strongly encouraged, as we generally down network ports during virus outbreaks, or if the computer is spewing Spam, or port scanning, etc. So, there is an incentive for them to join in. (Sure, their port will get reenabled typically within 24 hours of them resolving the problem, but its still a major hassle for them.) The Antivirus server would not force any restrictions on them, except that, if they turn off real time scanning, it would be automatically reenabled for them 30 minutes later. They would be free to uninstall it, run LiveUpdate themselves, etc. However they'd automatically get the daily Symantec update fed to them shortly after it is released. We are also looking into using NetReg this fall to help ensure that computers joining the network are reasonably patched. Brian -- Brian Eckman Security Analyst OIT Security and Assurance University of Minnesota ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Current thread:
- Windows Domain Question Niedens, Travis (Feb 20)
- <Possible follow-ups>
- Re: Windows Domain Question Ariel Silverstone (Feb 20)
- Re: Windows Domain Question Brian Eckman (Feb 20)
- Re: Windows Domain Question Gary Flynn (Feb 23)
- Re: Windows Domain Question Paul Russell (Feb 24)