PaulDotCom mailing list archives
Re: Computer Lab in a Jail...
From: Andrew Johnson <email () andrewcjohnson com>
Date: Sun, 19 Sep 2010 15:16:14 -0500
VDI would be great, but there are likely budget constraints that won't allow that (the same is true for some of my suggestions).

Nuke them. You can retrieve the keys with this: http://www.magicaljellybean.com/keyfinder/

How is software getting installed? Are they local administrators? If so, take that away ASAP. Use group/local policies to remove a lot of functionality (i.e. run prompt).

I think USB drives will cause you more problems than anything. What's to stop them from sharing the physical devices? I'd disable USB (at least for storage devices) if I were you.

Why don't you create a folder for each user on a file server and only give access to that user via NTFS DACLs? They can't communicate or share files if no one else can read from or write to the share. You'll probably have to use something stronger than passwords for authentication, otherwise they'd just share those. Fingerprint readers, smart cards, etc.

What type of switch do you have? Something like PVLANs could be used to isolate systems on the network level: http://www.cisco.com/en/US/tech/tk389/tk814/tk840/tsd_technology_support_sub-protocol_home.html

Those are just a few ideas off the top of my head. Your other options sound good.

-A

On Sun, Sep 19, 2010 at 11:25 AM, Carlos Perez <carlos_perez () darkoperator com> wrote:
Have you considered VDI? If it is a possibility

Sent from my iPhone

On Sep 19, 2010, at 3:36 AM, Brian H <binarynomad () gmail com> wrote:

I wanted to get some input from the security professionals' point of view on my situation.

I've been contacted by a local county detention center (read: JAIL), to help with a computer lab that keeps getting pwned. They keep having problems with MP3s, Porn, and Gang communication on these computers. They say they keep trying to clean them up, but the next day everything is back.

I don't trust these computers one bit, I've already found a number of questionable programs/processes (that I've removed), and some trojans in the form of Adobe CS4 cracks that were placed on the hard drives.

My first objective is (scorched earth) to reinstall from scratch, but that is on hold while they find the install CD's and Keys. I've been told these will not be available until later this week, but the first class of the new session will happen before that.

So, in the meantime, I have to clean & lock these down as much as I can while letting the students still run the class programs and save their work somewhere.

Environment:
- 20 Lab/Student machines, 1 instructor
- Two (2h) classes per day, AM (beginner) and PM (advanced)
- Windows Vista Home Basic, Dell Optiplex 360, 2GB RAM, 130GB HD
- No server
- Students on closed network, unless teacher plugs in uplink cable
- Students used to drop off work over network to teacher's PC.
- Teacher has filtered Internet access cable next to their PC
- Classes cover basic Office Suite, Typing, and IC3 Certification.
- Previous IT person had "flexible morals", did favors for inmates.

Ongoing problems:
- Some malicious, computer savvy, felons
- Gang messages hidden on the system to communicate to other members
- Gang communication and file sharing across LAN in class
- Porn and MP3 being spread between computers

Options:
- Removing all non essential programs
- Installing and using Microsoft SteadyState
- Creating student profile, with standard permissions
- Enabling parental controls on student profile, app limitations, etc.
- Disabling network switch (in the class room)
- Disabling NIC in BIOS
- Password protect BIOS

Still trying to figure out how to let them save files, yet not leave messages for other students. I'm considering getting 40x 2GB USB Flash Drives (one for each student of each class) so SteadyState can just nuke all changes between students. Teacher would distribute and collect all drives before and at the end of class.

----
Brian H
binarynomad () gmail com
http://www.binarynomad.com

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
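The per-user folder idea from the reply above, as an added PowerShell example that is not part of the original thread: it creates one folder per student, grants access only to that student, and then audits every folder for any other principal. The share root `D:\StudentWork`, the `student01`..`student20` and `instructor` account names, and the `Get-Sid` helper are assumptions made for illustration.

```powershell
# Added example; path and account names below are assumed, not from the thread.
$Root       = 'D:\StudentWork'
$Instructor = 'instructor'
$Students   = 1..20 | ForEach-Object { 'student{0:d2}' -f $_ }

# Hypothetical helper: resolve an account name to its SID string.
function Get-Sid([string]$Account) {
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Root: drop inherited ACEs. Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18)
# get Full, the instructor gets read-only. Students get nothing here, so they
# cannot list the root; they reach their own folder by its full path.
New-Item -ItemType Directory -Path $Root -Force | Out-Null
icacls $Root /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' `
    '*S-1-5-18:(OI)(CI)F' "${Instructor}:(OI)(CI)RX" | Out-Null

foreach ($s in $Students) {
    $dir = Join-Path $Root $s
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    # Modify for the student only. The OWNER RIGHTS ACE (S-1-3-4, Vista and later)
    # caps what a file's owner gets, so a student cannot rewrite the DACL on
    # files they create in order to open them up to someone else.
    icacls $dir /grant:r "${s}:(OI)(CI)M" '*S-1-3-4:(OI)(CI)M' | Out-Null
}

# Audit: report any Allow ACE whose SID is not on the expected list.
$baseline = @('S-1-5-32-544', 'S-1-5-18', 'S-1-3-4', (Get-Sid $Instructor))
$sidType  = [System.Security.Principal.SecurityIdentifier]
$findings = foreach ($s in $Students) {
    $allowed = $baseline + (Get-Sid $s)
    $acl = Get-Acl (Join-Path $Root $s)
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $allowed -notcontains $sid) {
            [pscustomobject]@{ Folder = $s; Sid = $sid; Rights = $ace.FileSystemRights }
        }
    }
}
if ($findings) { $findings | Format-Table -AutoSize } else { 'No unexpected ACEs.' }
```

Run it from an elevated prompt on the machine that holds the folders; the audit loop can be re-run on its own after each class to catch ACL drift.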
Current thread:
- Computer Lab in a Jail... Brian H (Sep 19)
- Re: Computer Lab in a Jail... Carlos Perez (Sep 19)
- Re: Computer Lab in a Jail... Andrew Johnson (Sep 19)
- Re: Computer Lab in a Jail... Scott Webster (Sep 19)
- Re: Computer Lab in a Jail... xgermx (Sep 19)
- Re: Computer Lab in a Jail... Bugbear (Sep 19)
- Re: Computer Lab in a Jail... Jeremy Pommerening (Sep 19)
- Re: Computer Lab in a Jail... xgermx (Sep 20)
- Message not available
- Re: Computer Lab in a Jail... Dale Stirling (Sep 20)
- Re: Computer Lab in a Jail... Brian H (Sep 21)
- Re: Computer Lab in a Jail... Dale Stirling (Sep 20)
- Re: Computer Lab in a Jail... Carlos Perez (Sep 19)