New School Network Administrator

[iano]

Hi guys was hoping you could help point me in right direction and show me some best practices for setting up and mainting a high school network.

I have recently just been told to completely renetwork the schools main computer room aswell as making sure that the security measuers are still effective since they are probably about 5 years old at this stage.(i happen to know the security is well compromised as i was i able to acces anything i wanted with minutes with little to no effort)

So first off i will tell you how the network is currently laid out(i must point out i didn't build this network nor do i have the acces codes used by the previous admin as there was never a single admin only different compaines contracted to do add ons. I do however have admin pirleges belonging the current computer teacher). Networking equipement is as follows:

1. Windows 2003 r2 domain serve currently doing dhcp for whole network aswell as active directory for the two main computer rooms but not the computers outside.

2. An ipcop running on an old p4.

3. Smoothwall firewall running on an old p4.

4. Around 10-15 switches mostly 8-16 port unmanaged as well as 2 24port switches

5. Around 100 computers clients in total spread out around the whole school.

So first off the ipcop and smoothwall firewall seem to be doing nothing at this point. The whole ip address scheme is 192.168.1.XXX and the students in the computer rooms are all using a single account on the active directory to log on so there is no way to trace anything.

After seeing all this i decided that it would make sense to:

A. Remove as many unneeded switches and replace with larger ones as needed.

B. Give each student there own log on.

C. Change ISP to a filtered educatioal one.

But what i would really like to know is how to protect all the computers outside the main rooms as currently all they have is dhcp server giving out ip's and thats it, no security. Plus any suggestions on what to do with the hardware they have or to buy?

If you need any more details let me know.

[Sparda]

The easiest solution to make the computers out side the computer room 'bullet proof' is to use some thing like deepfreeze so that every time they are restarted they revert to the state they where in when they where 'frozen'. Be sure to configure the BIOS to only boot form the hard disk and set a BIOS password. This mitigates (nearly) all malware providing they are reset on a semi-regular basis (every time some one logs off for example). However, software like this can cause performance hits.

For network performance, avoid daisy chaining switches, and make the 'central' switches (the switches that connect all the other switches and server) gigabit and make the connections to the other switches gigabit. A 10/100 per computer is still fine.

Would also be advisable to split the network in to two subnets, one for the 'computer rooms' and another for the rest of the computers, this will be beatifically mainly for security purposes, but will also enable flexibility for expansion.

[Zimmer]

To add to Sparda also have the user's My Docs etc on a network drive and have a limit of say 256mb for their user folder (so they don't fill it up with crap), the network drive will stop that data from being wiped out, also lock out the C drive that has all the windows crap and make every one limited users and you should be fine. Might want to also install a management system so teachers can see what students are doing and lock them out etc and install an av just for extra safety

[Infiltrator]

Since each student will have their own AD accounts, making them limited its important, as not only will it prevent users from installing crap, but minimize any chances of virus damage. It would be a good practice to lock down the machines with group policies, that should prevent students from not only installing, but from modifying settings on the computers as well.

To prevent outside intrusions and viruses infections, I would upgrade from Smoothwall to Untangle it offers IDPS (intrusion prevention system) and the best antivirus on the house (kaspersky).

And then I would use deepfreeze as suggested by Sparda to heal the machines.

[Sparda]

Depending on your budget you might want to consider getting a 'gateway' that has commercial support like Astaro or similar. Just because they pay people to keep site filters and virus definitions up to date (nothing against open source and the willingness of community members to keep them up to date) and then you have some one you can call when some thing goes so wrong you have no idea where to begin fixing it.

[Sparda]

Other hints for security:

Do you damnedest to determine the purpose of all the software running on the server and if it can be disabled or not (includes services). Less services/programs ~= less vulnerabilities. Take a image backup of the server BEFORE making changes ;).

At the same also take a look at the permissions the students have. If they are the normal 'Domain User' you might want to reconsider this and create a new more restricted group as 'Domain Users' have read access to allot of stuff (namely, read access to all domain objects). This 'allot of stuff' will be a massive amount of stuff if the domain is also used as the database for addresses and phone numbers (etc.) for staff or students.

[Infiltrator]

Or if you really want to have a secure server, you could do a core installation, instead of a full installation. Of course that will involve formatting the severs hard drive and reinstalling everything again.

[iano]

Thanks for all the info guys. I really liked Sparda's bullet proof idea of using deepfreeze as it would stop me having to fix a lot of problems but unfortunately most of the computers outside the main rooms are teacher computers and laptops so wiping them is not an option. I was wondering if installing a new central gigabit switch was necessary as the internet connection itself is only at 15Mbps so it could never be maxed with 100Mbps switches.

The subnetting idea was implemented in the past but as far as i know it was then removed after only a few months because of problems with people trying to access the server for a swipe card system they use to log students attendance. What's the main security advantage by using two subnets vs. one?

Currently on the Domain server all students have limited accounts with no ability to install, see control panel or do anything besides use the net and few programs which is fine.

If i were to switch to untangle would it best to place this between the main network switch and the net? Is it complicated to set up/monitor?

Infiltrator when you say do a core install what do you mean? would it offer any less features? I have no problem starting from scratch if its needed but don't want to if possible.

Any recommendations for something like deepfreeze but with the ability to keep data.

[Infiltrator]

I was wondering if installing a new central gigabit switch was necessary as the internet connection itself is only at 15Mbps so it could never be maxed with 100Mbps switches.

Theoretically speaking having a 1Gbps or 100Mbps switch won't make any difference to your internet connection speed. The reason to go with a gigabit switch is to improve the overall network performance. So if the school does a lot of file transfers having a gigabit switch will be a benefit, as you can move the data a lot faster.

Infiltrator when you say do a core install what do you mean? would it offer any less features? I have no problem starting from scratch if its needed but don't want to if possible.

A core installation basically means that, there won't be any GUI or user graphical interface to interact with, everything you do will be from a command prompt, just like Linux. A big advantage to go with a core installation is security.

[barry99705]

Depending on your budget you might want to consider getting a 'gateway' that has commercial support like Astaro or similar. Just because they pay people to keep site filters and virus definitions up to date (nothing against open source and the willingness of community members to keep them up to date) and then you have some one you can call when some thing goes so wrong you have no idea where to begin fixing it.

St. Bernard has an awesome filtering service. We used it in out school district to limit access. The cool part is when kids find new and exciting sites, you can add it to the filter list, which gets synced back to the main iPrisim site and pushed to all it's subscribers. Not sure how much the subscription is, wasn't part of my job at the time. http://www.stbernard.com/products/iprism/default.asp

Any recommendations for something like deepfreeze but with the ability to keep data.

If it's a windows domain, you can set the computers to automount their networked drive at login. Takes a couple days training to get them to remember to put their work in that drive and not leave it at the classroom workstation. The teachers will give you more grief than the students on this one. Don't forget to set the computer's bios to not allow usb boot.

Edited October 18, 2010 by barry99705

[iano]

Thanks for your input barry99705 and Infiltrator i think deepfreeze might work if i can convince the teachers to not leave import documents on there desktop(can see some angry forgetful teachers in my future). The link for filtering the net was interesting but we have a free service here that does much of the same so no real need to switch. I there a way to make the desktop save all documents when the machine is turned off and save them to the server and reload them at restart? So as to stop teachers getting pissed if they forget to use the networked drive.

[Netshroud]

Can you redirect teachers profiles completely (including their desktop) to a shared network drive?

[Sparda]

He probably has qualifications in windows domains an similar, and wants some advice and ideas for improving the existing setup. It's very difficult for a single person to think of every thing.

Segmenting the computer rooms and the other computers would help prevent (for example) the spread of any worms between the computers in the computer rooms and the computers out side of the computer rooms. It would also make it harder for any malicious attacker to create a map of the network.

[Netshroud]

Assuming the school disallows games on the school network:

If you can, subnet the network into computer rooms and block all the common gaming ports. Grab the core executables for all the common games at the school and deny them with group policy.

[iano]

Assuming the school disallows games on the school network:

If you can, subnet the network into computer rooms and block all the common gaming ports. Grab the core executables for all the common games at the school and deny them with group policy.

The school actually lets the kids play some games at predefined times ie. lunch as a reward. However they are not currently blocked during normal times any links to good way to accomplish that with a schedule.

[wh1t3 and n3rdy]

If you can keep them to a small size, maybe use roaming profiles(i'm not a huge fan of them but they can have their uses) for the students throughout the school. Use group policy to restrict their access and depending on how often you have to mess with machines maybe develop an SOE image for your hardware.

[MRGRIM]

What is your budget?

Upgrade Servers/Switches and go XenDesktop? ;)

[iano]

The budget isn't to high probably enough to get 24 new computers to replacing aging one plus a few thousand euro to redo the network. Xendesktop seems a bit much for such a small amount of computers since most are setup with there needed applicants at the moment. I am far more concerned of a virus taking out everyone or a way to quickly update all computers with new versions of firefox, office and solidworks all at once.

[MRGRIM]

:P

Well as people have suggested, upgrade your network backbone. Astaro do a really nice job of content filtering but the firewall and filtering service isn't cheap.

[CoachIT]

I'd start with the network gear and replace all of those switches with 1Gb 48port layer3 stackable equipment (POE gear if you're supporting WAPs or VOIP devices). Then get DHCP/DNS services off that 2k3 environment and on a Infoblox appliance. Then look into moving your server environment towards newer hardware within a ESX setup.

For a ticketing/helpdesk system, try OTRS (open source and free)

For imaging, try FOG (open source and free)

For Syslog services, try Splunk (open source and free)

For remote desktop support, I'd recommend a Bomgar appliance (not free, but very useful)