Students are using hacking tools to compromise school computers

N

Ned Hart

Hello everyone

My week was a good one until today. Students were sending 'NET SEND'
messages to the domain and they appeared on all workstations. Further
inspection revealed a bunch of sysinternals tools, including remote
shutdown, SAM password crackers, and packet sniffers stored on network
shares that are used for student files. The labs are infested with
this stuff. I've done my best to lock down these windows 2000
workstations by resticting access to C:, removing run prompt, and
locking down just about everything I can with a GPO. Today I modified
the GPO to disable the messenger service. I have a feeling my work is
just beginning. I considered allowing and disallowing certain
executables, but this only works for explorer, besides, what if they
just rename the EXE to something like winword.exe or something else
that is allowed. Tracking students is hard because they all use the
same user ID. Something I've been trying to get the administration
away from.

Anyway, I'd really appreciate hearing from others with suggestions on
how to handle this. I have approximately 300 student workstations and
a lot of kids with too much time on their hands. How long before they
capture someone's password? Things don't look good right now.

Thanks
 
S

Steven L Umbach

Hi Ned. I can get back to you later but first a few questions. Do these
students need to be local administrators and do they need to store files on
their local hard drive? --- Steve
 
J

Jeff Cochran

Tracking students is hard because they all use the
same user ID. Something I've been trying to get the administration
away from.

There's your base problem. You can't discipline if you can't
identify. You need individual logons, auditing turned on and a policy
that states students will be suspended, expelled or prosecuted for
hacking.

Jeff
 
N

Ned Hart

Hi
The students are users, not power and not administrators. They store
data on a a D: partition, a network share, and A: The C: drive is
restricted. Wether or not they MUST be able to do this is a question
I would have to ask the teacher. It would be nice if could tell
windows to only run programs from c: and nowhere else.
 
S

Steven L Umbach

Hi Ned. I agree with Jeff, and eventually you should get to individual
accounts for users, but there are still things you can do to secure things.
First consider a signed user policy that specifically states that the
computer/software is property of the school and what is and is not allowed
and what the consequences will be. Then have each student and
parent/guardian sign it. Here in Illinois they will expell you from school
for having an aspirin or nail file on you so I suppose they could put some
teeth into a computer user policy hopefully.

Since they can store files on their hard drive, it will be difficult to stop
a lot of software utilities like you mention, even using Group Policy. See
if the budget will allow a couple of copies of Windows XP Pro. The Software
Restriction Policies are very effective at stopping use of unathorized
software.
http://support.microsoft.com/default.aspx?scid=kb;en-us;310791

It is very easy for malicious users to gain administrative privilges to a
computer if they can boot from a floppy, cdrom, etc. Configure cmos on the
computers to allow booting only from hard drive, disable usb ports if not
needed [flash/pen drives], and password protect cmos settings. Of course
computer cases will need to be locked as it is easy to reset cmos by
removing battery. Disable cdrom autorun in W2K. I know you have a lot of
users, but maybe you can target the problem ones first. You almost count on
some users having administrative rights already if they can boot from
floppy/cdrom, so you may want to check local administrator group members and
change password on computers for problem students.

If students do not need file and print sharing on their computers, then you
could disable or uninstall it assuming you do not need to manage the
computers remotely which my guess is you do. You could use uers rights
assignments for "access this computer from the network" and deny access to
this computer from the network to disable the ability of students to access
computers that they should not. For instance you could create an OU and move
the student computers into it. Then create a new Group Policy for the OU and
configure the user rights assignment for acess this computer from the
network to contain only domain administrator and other groups that may need
access, but remove users, and everyone. The idea is that the students could
not access each others computers for processes that require credentials to
try to hack passwords using administrative shares, swap files, or try to
access Computer Management on another students computer. Then for the other
computers in the domain that you do not want the students to try and access,
add the students group to the "deny access to this computer from the
network". Of course they will need access to domain controllers and their
file server, etc.

A more extreme measure to protect network computers is to use ipsec.
Possibly user rights assignments for network access will accomplish what you
want, however that will not stop things like tcp/ip utilities - port
scanners, etc. Ipsec can be configured to use "filtering" like a firewall
which involves a set of rules that use the permit and block filter action or
it can use negotiate actions for request or require
encryption/authentication using kerberos for machine authentication in a
forest. If you look into ipsec, be sure to test it out thoroughly before
implementing because you can shut down a whole lot of computers real fast.
Any ipsec policy for domain members also need a rule to exempt domain
controllers. If you have computers with sensitive data on them in the school
it may make sense to have a ipsec require policy for them and a ipsec
client/repond policy for the computers that need to access them. Ipsec only
works for W2K/XP/W2003 computers.
http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp

Hope some of this helps and good luck. --- Steve
 
J

JasonW

Our college uses a product called DeepFreeze
(http://www.faronics.com/main.asp) that resets the computer at each reboot
to the way it was set up by the administrator, regardless of what was
changed. It worked pretty well, but didn't keep me from making temporary
changes. I could still gain administrator access and do what I wanted until
a reboot was required, and then any chages were undone. The group policy and
other methods are necessary for stopping real-time hacking. And get everyone
their own login. It seems like more work right now, but will be less hassle
in the long run. Make sure you develop a good password policy including
aging.

-JasonW
 
J

jaimin

Two suggestions for you.

Firstly, you can use Browse Control, this has an application Blocker
which will allow you to stop students launching any undesireable
applications.
You can download from: www.browsecontrol.com

Secondly, you can use DriveShield which is a windows Protection
system. Any changes students make to PCs are wiped away when the PC
is rebooted, you have to try it to believe it works! You can download
from:
http://www.codework.com/driveshield/index.htm

Regards
Divyesh
 
K

Karl Levinson [x y] mvp

Also, there are programs like Securewave.com that can let you set which
executable files are permitted to run and forbid all others.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top