Re: NT Server - 98 WkStn Highschool Lab - Help!

From: Dan Heskett (danh@network-systems.com)
Date: 10/17/01


From: "Dan Heskett" <danh@network-systems.com>
To: <focus-ms@securityfocus.com>
Subject: Re: NT Server - 98 WkStn Highschool Lab - Help!
Date: Wed, 17 Oct 2001 11:04:15 -0400
Message-ID: <PFEDJJPOCFPONPBNPDEFKEPMCAAA.danh@network-systems.com>

Good Morning Jason,

Interesting problem - I used to help administer my high school network a few
years back. We started with Win95/98 clients, but quickly moved to NT 4.
Now they are at Win2k.

In all reality, you will have no luck using Windows 98. Windows 98 can be
toyed with in so many ways it is almost impossible to keep it running without
direct daily interventions. Two sets of solutions, speaking from
experience:

First set involves upgrading at least the clients (and hopefully the
servers) to Windows 2000. Using Windows 2000 you can set up a
roaming-profile for each student or one profile for many students.
Applications, especially the essentials, can be set to be "managed", which
by and large reduces the complexity of deploying software. In my current
position as a programmer/IT person at a small company we are deploying Win2k
internally now. Using Group Policy, Active Directory, and a really good
unattended install routine, I can bring a new Win2k workstation online in
about 1 hr 15 minutes. Most of that time requires no intervention on my
behalf. To get a base workstation with network connectivity, service packs
and hotfixes, Internet Explorer, Office, basic Adobe products, and a few
other odds and ends takes me about exactly one key press. All that is
needed is to insert the Win2k setup disk, boot, and press a key. It's pretty
much the easiest possible installation.

For the workstations it would be trivial to prevent users from installing
new software. You can even limit them to a specified list of applications
they can execute or not execute. It's pretty flexible.

The second option is to stick with Windows 98. This is of course not as
good as the upgrade option, but I understand if it's not possible to upgrade.

As someone else suggested, you really should go a "ghost" route. Get a copy
of Norton Ghost. Assuming the machines are the same (or nearly the same),
I'd set up a "pristine" Windows 98 machine - complete with applications,
security settings, etc.

Take an image of that workstation (and one for each different hardware setup
you have) and burn it to a CD-ROM. Make that CD-ROM self-booting and script
up the autoexec.bat file to automatically restore the image to the hard
disk. Give a copy of each CD to each teacher/person who might need it.
After that, I'd give a quick demo to the teachers and give them a
hair-trigger on the restore CD. That will eliminate a lot of your problems
right there - if not introducing the issues of inflexibility - major changes
will require re-making image CDs.

Onto the other questions - logging website activity by cookies is a bad
idea. You really need to do that on the server level. If you are using NAT
to do Internet routing I am quite sure that NT can log that activity.
Elsewise look into a router with logging. The profile-based logging method
really won't cut it - any student devious enough to go to some bad places
can easily figure out how to circumvent the "cookie" based tracking system
you use now.

I hope some of these suggestions make sense to you. By far I recommend the
first option. A lot of people shy away from Win2k, but in your case, it
really makes good sense. And don't believe what people tell you for minimum
specs. I run Win2k on quite a few lower-end boxes with good results - I'd
say something about P166-P200 with a good 128 Mb of RAM should do it.

If I can help you any more email me directly or respond to the list!

--dan heskett
Network Administrator, Programmer, Student (MCP)
danh@network-systems.com

----- Original Message -----
From: "Jason F." <mistertumnus@yahoo.com>
To: <focus-ms@securityfocus.com>
Sent: Monday, October 15, 2001 6:50 PM
Subject: NT Server - 98 WkStn Highschool Lab - Help!

> I administer several labs in a rural school division.
> I am often not in these labs for days at a time and
> often chaos has ensued-i.e. - saved user profiles,
> deleted icons and programs, file renaming, etc... I
> did not set up this lab and am wondering the best way
> to reconfigure it, using the existing technology. Any
> suggestions? Here's the specs:
>
> -WINNT 4 Server - latest Service Packs
>
> - Windows 98 - First Edition - (yes, we were right on
> the ball buying the latest MS OS back in '98!)
>
> - Security by Policy Editor and Group Policies - I
> like being able to control some things with this but I
> apparently must have user profiles enabled to use
> Poledit and this allows users to save their profiles
> which means when they screw something up and can't get
> it to work the next time they log on a teacher will
> tell me that the computer is broken
>
> - I'd also like to be able to keep track of where each
> individual user goes on the Internet - when I check
> cookie files - every user has the same cookies for
> some reason
>
> - I'd like to give everybody the same desktop but some
> computers have different programs on them than others
>
> Well those are my main security issues, if anyone has
> any hints or suggestions I'd greatly appreciate it.
>
> Thanks,
> Jason Forester
> Computer Technician