Educational Security/Networking Questions - Windows NT


  1. Educational Security/Networking Questions

    Hey Guys,

    Sorry for the cross posting, but this is quite a scenario. It's a setup
    like a high school on an NT network with all the student and most of the
    faculty workstations running W2k or XP and TCP/IP protocol with DHCP
    assigned addresses. I have several hundred machines all on the same
    backbone, but two domains (Each with their own PDC) one for the students and
    one for the administrators. How is the best way to ensure that traffic is
    not sent back and forth between the two domains (ie I want to make sure that
    student computers can only see other student computers), would subnetting be
    the best solution for this? If I subnet are there still ways to see one
    side from the other? Since the staff uses their accounts to work on student
    grades, tests, and other FERPA type of stuff, I want to be sure that
    information transmitted on the faculty side can not be picked up by some kid
    with an ethernet sniffer, which leads me to another question...

    How concerned should I be with standard networking tools like nbtstat being
    used to collect information about the network. If I catch someone using it
    should I be concerned? Is it easy to disable tools like nbtstat or the net
    commands (to prevent file shares from being set up) without losing
    functionality in my network? Also, is there a way to protect against the
    kind of hacking tools that can be downloaded from the internet? Especially
    programs like PWDUMP. At what point should I be concerned, as a Sysadmin,
    if I catch students looking at, downloading or using those kind of programs
    and what is the generally accepted procedure for dealing with that? Talk to
    the kid, give him detention, kick him out of school, have him arrested...?

    I have one lab that the students need local admin rights to complete their
    assignments. How's the best way to go about giving them this kind of
    access? Is there any reason I should be worried about the students having
    local administrative access to the student machines?

    My last question I guess is one of ethics. As a system administrator, where
    do I have to draw the line with privacy and other issues. How much latitude
    does the sysadmin have in monitoring network traffic? Does it make a
    difference if it is traffic strictly on our intranet vs. traffic to outside
    servers? Also, the students all have personal, private space on the file
    server. What kind of legal steps do I have to take before going through a
    cursory examination of a student's private storage space? Before going into
    an in-depth investigation (Pulling backup tapes, etc)? Also, if I believe
    I have evidence that someone has been trying to gain unauthorized access to
    my system, what are my first steps in:

    a. protecting the network
    b. protecting the evidence
    and
    c. protecting users from being set up by a third party.

    Thank you for any help y'all can provide, I will appreciate it greatly!!!

    God Bless,

    Mike



  2. Re: Educational Security/Networking Questions

    "Michael Bradley" wrote in
    news:c3ba61c8d815ab66be63e971c7cebc7f@free.teranews.com:

    > Hey Guys,
    >

    ....
    > the students and one for the administrators. How is the best way to
    > ensure that traffic is not sent back and forth between the two domains
    > (ie I want to make sure that student computers can only see other
    > student computers), would subnetting be the best solution for this?
    > If I subnet are there still ways to see one side from the other?
    > Since the staff uses their accounts to work on student grades, tests,
    > and other FERPA type of stuff, I want to be sure that information
    > transmitted on the faculty side can not be picked up by some kid with
    > an ethernet sniffer, which leads me to another question...

    ....
    At our faculty we have a similar situation (staff member PCs and a
    public PC lab). We decided to have only
    one subnet because the profs want to access their files from the PC lab
    too to show presentations...
    I recommend to use the "professional" Windows product line and to make
    sure you have encrypted passwords in use...
    Additionally the staff members should get some education and
    motivation to care for technical security. (i.e. not placing the
    password on a sheet beside their computer, choosing secure passwords...)

    The two links below may be of interest for you. The first one is
    about securing Windows NT (I use much of it to prevent people from
    "optimizing" the PCs and playing with configuration),
    the second one about securing Windows 2000. Many of the things
    told about Win NT are valid for Win2000 too.

    http://www.microsoft.com/ntserver/te...rces/security/
    Secure_NTInstall.asp

    http://nsa2.www.conxion.com/win2k/index.html

    >
    > How concerned should I be with standard networking tools like nbtstat
    > being used to collect information about the network. If I catch
    > someone using it should I be concerned? Is it easy to disable tools
    > like nbtstat or the net commands (to prevent file shares from being
    > setup) without losing functionality in my network? Also, is there a
    > way to protect against the kind of hacking tools that can be
    > downloaded from the internet? Especially programs like PWDUMP.


    I think there is no way to prevent users definitely from bringing such
    programs into the PC lab. Typically there are floppy and CD drives
    in the PCs. You could use floppy locks and such things and dismount
    CD drives but we found this brings many problems and much trouble in
    daily usage.
    A better idea is to decrease the impact of such programs by using
    switched cabling (standard today) instead of coaxial cable. Transmissions
    over network should be encrypted if possible. Unsecure protocols
    transmitting passwords in plain text (telnet, ftp, pop3...) should
    be disabled or tunneled.
    In Windows XP Prof you can deny the execution of programs. The list
    entry is not only based on program name (which would be easy to change)
    but on checksums too. But I did not yet test it (we are still on Win2000).
    Unfortunately you need to know about all the programs possibly
    "of interest", you must build checksums for all the versions of all the
    programs you do not want.

    > At
    > what point should I be concerned, as a Sysadmin, if I catch students
    > looking at, downloading or using those kind of programs and what is
    > the generally accepted procedure for dealing with that? Talk to the
    > kid, give him detention, kick him out of school, have him arrested...?


    You should talk to your faculty leaders and agree about a usage
    policy. This policy should be a written document
    accessible for all the users (students and staff members).
    Each user has to agree to this policy and sign for that before getting
    access to the PCs.
    This policy should clarify at least the following things:
    - Who is responsible for licensing (buying licenses and making sure
    usage is according to license terms).
    - All users are bound to the license terms your school has
    accepted in license agreements.
    - What are users allowed to do, which things are forbidden.
    (i.e. in our PC lab only the administrator is allowed to install
    software or to change configuration settings...)
    - Which punishments (we use to deny all access to faculty computers
    for some weeks or months).
    - Which data is logged about the users (login/logout times), after
    which period is it deleted.
    - If user data is inspected by administrators/other faculty staff
    or automatically (i.e. running virus scanners on the servers)
    users should know about this.
    - On suspects, which investigations is the administrator allowed to
    do without requesting explicit permissions.
    - Who has to permit further investigations.
    For some of the points you have to take care of your country's laws.
    Before discussing the policy with the faculty leaders you should
    prepare a suggestion paper meeting the needs of your environment.
    It is up to you to suggest regulations you can handle.

    >
    > I have one lab that the students need local admin rights to complete
    > their assignments. How's the best way to go about giving them this
    > kind of access? Is there any reason I should be worried about the
    > students having local administrative access to the student machines?


    In general it is a bad idea to grant administrator permissions to
    persons you do not trust, because administrators can install backdoors
    and have access to data where other users do not have permissions to.
    I'd recommend to place the machines in a subnet strictly separated -
    if possible physically separated - from both of your domains to
    make sure "hacking" on these machines has no impact to other computers.
    These machines should have no internet access so they can not be
    abused for hacking into other people's computers.

    > My last question I guess is one of ethics. As a system administrator,
    > where do I have to draw the line with privacy and other issues. How
    > much latitude does the sysadmin have in monitoring network traffic?
    > Does it make a difference if it is traffic strictly on our intranet
    > vs. traffic to outside servers? Also, the students all have personal,
    > private space on the file server. What kind of legal steps do I have
    > to take before going through a cursory examination of a students
    > private storage space? Before going into an in depth investigation
    > (Pulling back up tapes, etc)? Also, if I believe I have evidence that
    > someone has been trying to gain unauthorized access to my system, what
    > are my first steps in:
    >
    > a. protecting the network
    > b. protecting the evidence
    > and
    > c. protecting users from being setup by a third party.


    All this must be regulated in a policy.
    If you think there is a reason to do investigations you need
    to consult the faculty leaders and do the investigation after they
    agreed. In the meantime you can lock the suspected user out to
    prevent damage.
    When doing investigations without explicit authorization people
    might suspect you are illegally viewing their files and violating
    their privacy.

    Regards,

    Dirk

    --
    Dirk Krause
    http://et.fh-schmalkalden.de/personen/dhp/krause
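
The reply above notes that a deny list keyed on checksums survives a rename, but needs a checksum for every version of every unwanted program. The following is an added example, not part of the original posts and not the Windows XP policy mechanism itself: a small audit script that applies both rule types to a folder. The file names, the sample contents and the use of SHA-256 are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash file contents in chunks so large executables do not fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit(root: Path, denied_names: set[str], denied_hashes: set[str]) -> dict[str, list[str]]:
    """For each file under root, list which kind of deny rule matched it."""
    findings = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        matched = []
        if path.name.lower() in denied_names:
            matched.append("name")
        if sha256_of(path) in denied_hashes:
            matched.append("hash")
        findings[path.relative_to(root).as_posix()] = matched
    return findings


def demo() -> dict[str, list[str]]:
    # Constructed stand-ins for two builds of an unwanted tool; not real binaries.
    build_1 = b"constructed sample: unwanted tool, build 1"
    build_2 = b"constructed sample: unwanted tool, build 2"
    with tempfile.TemporaryDirectory() as tmp:
        lab = Path(tmp)
        (lab / "tool.exe").write_bytes(build_1)      # original name
        (lab / "homework.exe").write_bytes(build_1)  # same bytes, renamed
        (lab / "notes.exe").write_bytes(build_2)     # other build, renamed
        # The administrator has only collected a checksum for build 1.
        denied_hashes = {hashlib.sha256(build_1).hexdigest()}
        return audit(lab, {"tool.exe"}, denied_hashes)


if __name__ == "__main__":
    for name, rules in demo().items():
        print(f"{name:14} matched: {', '.join(rules) or 'nothing'}")
```

The renamed copy is still caught by the hash rule, while the second build matches neither rule until its checksum is added to the list.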
