Security when students log in from home

Paul

We are an 11 to 18 school and want the students to be able to log in and work from home.
We have a thin client system that will do the job, but it won't give them all of the programs they need, as some will not work over a thin client system. As far as we can see, the best way, if finance would allow, is for each student to have a school-owned laptop that we manage so that it can be locked down, and then let them log on to our VPN.
As we haven't the funding for this, is there any way to let them log on to the VPN with their own machines, but still restrict what they can actually do, for example stop them from running hacking or password-changing utils against our servers?

Thanks
Paul
 
Steven L Umbach

A remote control solution is probably the best and will perform the best. You might try something different from what you are now using, and there are free versions of some, such as VNC and other variations of VNC. XP Pro Remote Desktop is also very good. Whatever you choose, your security should be configured so that it is not possible for students to access servers they have no business being on. You can use a variety of ways, including IPsec [an advanced topic], share permissions that use the principle of least privilege, strictly managing privileged local and domain groups, and managing user rights so that users do not have the "log on locally" or "access this computer from the network" user rights for servers they should not access; however, users need "access this computer from the network" for domain controllers.

Steve

http://en.wikipedia.org/wiki/VNC
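
An added example, not part of the original posts: one way to check the user rights mentioned above is to export them on each server with `secedit /export /areas USER_RIGHTS /cfg rights.inf` and look for broad groups holding "Access this computer from the network" (`SeNetworkLogonRight`) or "Log on locally" (`SeInteractiveLogonRight`). The sample export, its SIDs, the `STUDENTS` group and the function names are constructed for illustration.

```python
import re

# Well-known SIDs that contain every ordinary user, plus <domain>\Domain Users (RID 513).
BROAD = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
         "S-1-5-32-545": "BUILTIN\\Users"}
DOMAIN_USERS = re.compile(r"^S-1-5-21-\d+-\d+-\d+-513$")
# Allow right -> the deny right that overrides it.
RIGHTS = {"SeNetworkLogonRight": "SeDenyNetworkLogonRight",          # Access this computer from the network
          "SeInteractiveLogonRight": "SeDenyInteractiveLogonRight"}  # Log on locally

# Constructed sample of a secedit export for a file server (all SIDs are made up).
STUDENTS = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # hypothetical Students group
SAMPLE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-513
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in map(str.strip, inf_text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights

def audit(inf_text, role, restricted_sid=None):
    """List (right, group) pairs where a broad group holds a logon right."""
    rights, findings = parse_privilege_rights(inf_text), []
    for allow, deny in RIGHTS.items():
        # Domain controllers need broad network logon so users can authenticate.
        if role == "dc" and allow == "SeNetworkLogonRight":
            continue
        # An explicit deny for the restricted group overrides the broad allow.
        if restricted_sid in rights.get(deny, []):
            continue
        for sid in rights.get(allow, []):
            label = BROAD.get(sid) or ("Domain Users" if DOMAIN_USERS.match(sid) else None)
            if label:
                findings.append((allow, label))
    return findings
```

A real export is written as UTF-16, so read it with `encoding="utf-16"` before passing the text to `audit`. Pass `role="dc"` for domain controllers so the network logon right they require is not reported.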
 
Paul

Thanks for the reply. Most of the security we have relies on them using our machines, which are locked down so they can't download and use hacking tools etc. What we are more worried about is that on their own machines they are the administrator and can download all manner of tools. They might then be tempted to try them against the network after hours when they have time on their hands and a valid log on, as I would at that age.
Thanks
Paul

 
Steven L Umbach

Then you need to make sure your servers are properly secured using best practices, in that only the right users are local/domain administrators, that those users are using strong passwords, that only the right groups have access to shares on the servers if there are any shares, review of security logs, non-needed services are disabled, keeping current with critical updates, etc. Also, with a VPN you can strictly manage where a user can go when logged on via VPN. For instance, with Windows 2003 Server you can have a remote access policy that restricts users from accessing the IPs of servers or other sensitive computers if you want.

Steve


 
