preventing users from installing software

mrzed

I am trying to find a way to prevent users from installing software in our student lab. We are a small non-profit adult ed school. I just want to prevent the students, who aren't generally at all advanced, from installing stuff off the net. I also want to prevent the few more advanced students we have from wreaking havoc either intentionally or not.

Right now we are running win98se on a mix of p233 and Celeron 433. I have tried using group policies, but had trouble getting them to work, and in any case they don't seem to be the right solution.

I am thinking of switching over to NT4, or even Linux. I'd rather use 2000 pro, but the hardware obviously won't allow it. The thing is, I only maintain the systems part time, most of my job is teaching and I really don't have the option to spend a lot of time figuring out new stuff.

If I run NT4 or linux, is there an easy way to prevent installation of ANY software by users? I assume I can't just block access to C: completely because it would not allow cookies (needed for web email).
 

cleverhandle

It's pretty much impossible to do this well using only Win98's native tools. Linux or W2K would be easier for the security, though maybe more work for you to get up and running. There are several user-control programs for Win98 aimed at the educational sector. The one I use (at a high school) is Foolproof, which is pretty good, assuming you do a good job configuring it. It can be pretty laid back and just keep people from screwing up system files, or you can be a total hard ass and lock people into using exactly the applications you specify. Of course, being published by a typically parasitic educational software company (Riverdeep), it costs. I don't recall what we pay for our licenses, but we probably have a lot more machines than you, so it likely doesn't matter much. But I would guess something in the neighborhood of $20-30 a piece, at least.
 

spyordie007

regit-

the easiest way to do it with NT would be to format the machines and install NT on the NTFS format partition. Then install the programs (web browsers, office, etc.) that you do want on the machines and create a second "guest" account that your students would log in with. Lastly make sure that the group "everyone" does not have browse rights to the HD. This will make it very hard for anyone to change anything, with guest accounts even things like favorites under the web browser will not be there after they log off. Worst case scenario all you would have to do is log them off, then log the guest account back in.

have fun!
-spy
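
An added example, not part of the original post: one way to check the permission setup described above on a current Windows machine with PowerShell 3 or later (not available on NT4). It lists directories where broad groups still hold write-type rights on an NTFS volume. The root path and the list of principals are assumptions, and group names differ on non-English installs.

```powershell
# Added example: report directories where broad principals can still write.
# $Root and $Principals are assumed defaults; adjust for the lab image.
param(
    [string]$Root = 'C:\',
    [string[]]$Principals = @(
        'Everyone',
        'BUILTIN\Users',
        'BUILTIN\Guests',
        'NT AUTHORITY\Authenticated Users'
    )
)

# Specific rights that let an account drop, change or re-permission files.
$rights = [System.Security.AccessControl.FileSystemRights]
$writeBits = [int]($rights::WriteData -bor $rights::AppendData -bor
                   $rights::Delete -bor $rights::DeleteSubdirectoriesAndFiles -bor
                   $rights::ChangePermissions -bor $rights::TakeOwnership)

# Inherit-only ACEs may carry generic bits instead of specific ones:
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
$genericBits = 0x40000000 -bor 0x10000000
$mask = $writeBits -bor $genericBits

Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $dir = $_.FullName
        # Skip directories whose ACL cannot be read by the auditing account.
        try { $acl = Get-Acl -LiteralPath $dir -ErrorAction Stop } catch { return }

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }

            [pscustomobject]@{
                Path      = $dir
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    } |
    Sort-Object Path, Principal |
    Format-Table -AutoSize -Wrap
```

Run it from an administrator session so every ACL can be read. Profile and temp directories will normally appear because users need to write there, and those are the locations to review.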
 

nihil

isn't it possible to implement policies on the machines? or would that have to be administered by a win2k server?
 

spyordie007

the bad thing about using a program such as this with Win98 is it doesn't provide true security. If someone wanted to play pranks or fool around with the system settings on Win98 all they would need is a boot disk and some basic Windows knowledge to make your life administering it a pain in the ass.
BTW, a Celeron 433 will run Win 2K, and even your P233's would run it, just make sure you have plenty of RAM.
If all they are doing is web browsing, word processing, printing, you could easily get away with 128MB of RAM on a P233, (although it would be what many of us anandtech'ers would consider painfully slow on the boot/login, simple tasks would not be noticeably slower)

-spy
 

spyordie007



<< isn't it possible to implement policies on the machines? or would that have to be administered by a win2k server? >>


With Win 2K or NT you can have local security policies, so there would be no need for Win 2K server
 

nihil



<<

<< isn't it possible to implement policies on the machines? or would that have to be administered by a win2k server? >>


With Win 2K or NT you can have local security policies, so there would be no need for Win 2K server
>>



i should have been more specific, i meant under 98 machines. sorry if this is a dumb question, but i don't use windows often. :p
 

spyordie007



<< i should have been more specific, i meant under 98 machines. >>


You can set up policies on the machines, but under no circumstances would I consider it secure. It's also a pain in the ass to configure and administer, whereas a Win NT/2K network of this kind is very easy to configure.

-Spy
 

nihil



<< You can set up policies on the machines, but under no circumstances would I consider it secure. It's also a pain in the ass to configure and administer, whereas a Win NT/2K network of this kind is very easy to configure.

-Spy
>>



thanks. i was in no way suggesting to do that but i was just curious if it *could* be done. security was in no way a factor in my question. and no, i usually don't think with that attitude when dealing with security so don't get scared heheh. :cool:
 

spyordie007

the biggest reason that I would use NT in his situation is not because it is so much better than 98, but because it would be easy to configure this way. Whereas with 98 it would be a pain.
 

mrzed

Thanks for the replies, it sounds about what I was expecting.

I've used Foolproof at another job, and it would do much of what we want, but the $ are preventing it. Educational pricing from MS is almost free in comparison, so that's why I'm considering switching OS.

Using the native tools in Win98 is a massive PITA, I have tried doing that, and that's what brought me here. Also, anyone who finds the F8 key can pretty much ignore any policy.

I figured Win2000 would run OK on the 433's, but we only have 64Mb on the 233's. Not enough to make it comfortable. I might end up mixing and matching.

And we do have a server running Win2K. Is there any advantage to using group policies loaded from the server? We only have three basic groups: students, staff and admin. The students only need access to one folder on the server and the floppy drives on the workstations. The other staff, besides myself, don't really need much more access, but I can't set them up as a guest.
 

spyordie007



<< Is there any advantage to using group policies loaded from the server? We only have three basic groups: students, staff and admin. The students only need access to one folder on the server and the floppy drives on the workstations. The other staff, besides myself, don't really need much more access, but I can't set them up as a guest. >>


That would be an advantage of setting up a domain server. If the logins are all hosted on the domain server you would only have to set up one login for staff that you do want to have rights (on the domain server). If they log into the domain from any machine on it and are part of a group that has access rights to that box then they are good to go. Otherwise you would have to set them up a login on each machine to give them anything other than "guest" rights.

-Spy
 

mrzed

We do have our server set up as a domain controller, and the staff all have accounts set up.

Under NT/2K there is a tool to use to set up group policies, correct? I assume this is what I would use, and is it a lot easier/more effective than the one for W98?

The server is pretty much a file server. I am not an admin, just an instructor. I only learned enough to not completely botch things so far.

Another question: If I set up the student account as guest, does that prevent installation of Bonzi buddy/MP3 players/Kazaa etc? I could probably just look through the permissions and try to figure it out myself, but I want to be clear.
 

spyordie007

the way you would set up group policies in this situation is to have a group on the domain server, we'll use the example and make a hypothetical group called "staff". Then the thing to do would be to set up the workstations to give the domain group "staff" whatever rights you want. this way you can change the contents of that group with ease.

This would not stop them from using 100% of software because there are a number of programs that do not need to be installed to run, for example I have a mp3 player that I sometimes burn to CD's that have MP3's on them so I can play the songs on machines without a player installed.
This would stop them from installing any said program or storing MP3's on the machines though.
 

mrzed

Thanks for all the info.

Sounds like NT/2K is for sure the easiest way to go. Now I just have to figure out how to get ghost working with NT. I hear it's a bit trickier.