Re: Computer Lab in a Jail...

[Brian H <binarynomad () gmail com>]

@Dale: Sadly, one of the requirements for the class is the Microsoft IC3 certification which is highly dependent on a 
Windows OS.  One of the modules was even complaining that it didn’t' like IE 8 and wanted IE 6 with ActiveX fully open. 
 *sigh*

@Carlos: VDI sounds like a possibility, but there was no hardware for a server to be setup and the whole possibility of 
communication between gang members was high enough that they wanted the network down.

@Andrew: Yeah, I had Zero "$0" budget so implementing anything non-free was out of the question.  I believe the old 
user ID's were "Standard" but either they got the admin password from the pervious IT person, or they esclated their 
privileges somehow.  I locked them down the best I could.  I did go through and pull the product keys using a USB drive 
with an autorun calling "produkey.exe" and outputting the data to a CSV on the USB drive.  Sadly the switches your run 
of the mill Desktop Netgear FS116.  No management.

@Bugbear: Yeah, I notice SteadyState had falled off of MS development list. (that really saddens me, it is a VERY 
useful product for public usage like coffee shops, churches, schools, libraries, ... prisons).  Thankfully the software 
will continue to work, you just cannot find any support for it.  I hope MS is smart/nice enough to deploy a better 
replacement instead of either (a) putting out a commercial product (most of the people that can use this are budget 
strapped), or (b) stepping aside for other commercial vendors to take over the space.

@Jeremy: It would be nice, but (a) they barely had enough money to pay me to refresh the lab, (b) I don't know how many 
class semesters these machines went through, and (c) a corrupt IT admin, it don't think I can find a traceable audit 
trail.

@Xgerms: Needed to be Windows.  (a) IC3 is Microsoft specific, (b) it utilized the specific menu options of Microsoft 
Office suite in its tutorials, (c) I could not teach the instructor some level of familiarity with Linux in the 1-2 
hours I had to actually see/talk to him.



----
Brian H
binarynomad () gmail com
http://www.binarynomad.com

On Sep 20, 2010, at 2:31 PM, Dale Stirling wrote:

> Another solution if you are not bound to Windows is to run desktops without HDD and us a linux live CD as you OS 
> drive.
>
> This removes storage from the desktops and allows a cheap and effective steady state environment that is easily 
> ugradeable. We hqve donthis to provide cheap dumb terminal solutions in the past.
>
> The only down side is that you would need to move authentication and ny writeable storage to either a server or the 
> instructors PC.
>
> Cheers,
>
> Dale
>
>
> > On 20 Sep 2010 02:18, "Brian H" <binarynomad () gmail com> wrote:
> >
> > I wanted to get some input from the security professionals point of view on my situation.
> >
> > I've been contacted by a local county detention center (read: JAIL), to help with a computer lab that keeps getting 
> > pwned.  They keep having problems with MP3s, Porn, and Gang communication on these computers.  They say they keep 
> > trying to clean them up, but the next day everything is back.
> >
> > I don't trust these computers one bit, I've already found an number of questionable programs/processes (that I've 
> > removed), and some trojans in the form of Adobe CS4 cracks that were placed on the hard drives.
> >
> > My first objective is (scorched earth) to reinstall from scratch, but that is on hold while they find the install 
> > CD's and Keys.  I've been told these will not be available until later this week, but the first class of the new 
> > session will happen before that.
> >
> > So, in the meantime, I have to clean & lock these down as much as I can while letting the students still run the 
> > class programs and save their work somewhere.
> >
> > Environment:
> >        - 20 Lab/Student machines, 1 instructor
> >        - Two (2h) classes per day, AM (beginner) and PM (advanced)
> >        - Windows Vista Home Basic, Dell Optiplex 360, 2GB RAM, 130GB HD
> >        - No server
> >        - Students on closed network, unless teacher plugs in uplink cable
> >        - Students used to drop off work over network to teacher's PC.
> >        - Teacher has filtered Internet access cable next to their PC
> >        - Classes cover basic Office Suite, Typing, and IC3 Certification.
> >        - Previous IT person had "flexible morals", did favors for inmates.
> >
> > Ongoing problems:
> >        - Some malicious, computer savvy, felons
> >        - Gang messages hidden on the system to communicate to other members
> >        - Gang communication and file sharing across LAN in class
> >        - Porn and MP3 being spread between computers
> >
> > Options:
> >        - Removing all non essential programs
> >        - Installing and using Microsoft SteadyState
> >        - Creating student profile, with standard permissions
> >        - Enabling parental controls on student profile, app limitations, etc.
> >        - Disabling network switch (in the class room)
> >        - Disabling NIC in BIOS
> >        - Password protect BIOS
> >
> > Still trying to figure out how to let them save files, yet not leave messages for other students.  I'm considering 
> > getting 40x 2GB USB Flash Drives (one for each student of each class) so SteadyState can just nuke all changes 
> > between students.  Teacher would distribute and collect all drives before and at the end of class.
> >
> > ----
> > Brian H
> > binarynomad () gmail com
> > http://www.binarynomad.com
> >
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom () mail pauldotcom com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com