Securing Windows in a school/classroom setting

slag

Lifer
Dec 14, 2000
10,473
81
101
My sister (38 yrs old) works in a small high school in BFE. She is tasked with setting up windows security for the classroom environment. Evidentally they have a couple kids who consider themselves "hackers" who are messing up the network and causing problems. The kids have been suspended from computers, but will do it again.

Their environment consists of 2 domain controllers and 2 groups, students and staff. The students have a policy applied to their accounts that deny them access to the command prompt, control panel, supposedly block them from writing to their hard drive, and other misc policies.
The client machines are a mix of windows 98 and windows 2000 machines. Students have full use of the floppy drive (ugh), as well as access to USB ports, etc (can you turn these off in a policy editor?)

Problem is, students have been gaining use of their hard drives and command line, even though they are turned off in their policy. I really think that full use of the floppy drive and having it bootable is a bad thing, but she insists they need the floppy drive to bring in assignments from home (not all of them have internet access at home).

Can any of you recommend any books, websites, or general information that would help her (and me) to get a better understanding of how to lock down the environment and make it basically hackerproof? I know there is always a way around things, but there has to be a better way of securing the environment. I told her she needs to rotate her domain admin password on a biweekly basis at minimum, find a way to lock out the floppy drive or at least remove it from the boot sequence and password protect the bios, and disable usb ports if they are not needed (think USB pendrive).

What other ideas?
 

Jeff7

Lifer
Jan 4, 2001
41,596
19
81
Heh, best thing would probably be to put Win2k on those 98 systems, because 98 is in no way secure. Our high school had Fortress, which was a joke. It had more holes than a screen door. When they first attempted to use it, the Start Menu wasn't accessible by the mouse or the Win95 key. Ctrl+Alt worked just fine though. There were just so many ways to run programs. I never caused problems though - just amused myself at how pathetic the security was...gave me a little insight into the world of PC security, and how many ways there are around anything. Later revisions plugged more holes (like using IE to run Explorer), but many remained - like using Access to run programs. Sucked going to all that trouble just to run Paintbrush to edit a pic for use in a project. But I guess that was a dangerous program.
rolleye.gif

Anyway, with Win98 AND full floppy access, they've got full reign. Use Win2k and use NTFS, and they're pretty much screwed, assuming that they're ameteurish hackers. Win2k can slap better restrictions on them, as will NTFS. And with NTFS, they can't just use a boot disk and mess up the hard drive.
That's based on my little bit of knowledge of PC security. I've never heard Win9x referred to as being secure, and with good reason. 2k/XP have better security to begin with, plus they can use NTFS to really crack down on abuse.
 

OffTopic1

Golden Member
Feb 12, 2004
1,764
0
0

You can't secure a Win9.x box, however you can secure a domain. And, booting from Floppy/USB/CD-Rom is at the hardware level.

Turn off CD-rom/Floppy/USB in bios & setup bios password. However, the student can reset the bios password to default setting (nopassword from CDRom/Floppy/USB) when they take out the mobo battery or short the board.
 

Bozz

Senior member
Jun 27, 2001
918
0
0
They get access to the command prompt by start > run > command

the GPO disables the 'cmd' application, not 'command'

Also if you disable the 'run' menu in the start bar, it disables you from entering a URL in internet exploder that does not begin with 'www' such as 'http://forums.anandtech.com'. You however are able to click it via a hyperlink.

If you disable access to the C: drive via a GPO, they simply need to make a text document with notepad that has a hyperlink to the C: drive, click it and they can see the files.

DO NOT make the local administrator password identical to the domain administrator password. The local admin password can be cracked, even with sp1 which uses the syskey encryption of the SAM file by simply using a linux boot disk or even a msdos boot disk with the ntfsdos application. They take the correct .SAM file home, get a program such as L0phtcrack to attack the file using a brute force attack and they get the local admin password.

Try to bring the entire network to a W2K environment so you can switch the DC's to native mode which will (among other things) disable NTLM authentication and use Kerberos for all clients.

Ensure the domain GP disables NTLM and NTLM V2 - note if you do this, all 9x and NT4 clients will not be able to connect.

Try to hack your own network. Get port sniffers and IP scanners working and attack your own server. Try break it. Chances if you're able to do it, the kids will get it too.

Download and study the Windows 2000 hardening guide available M$