Re: School district and creative way to handle student passwords ?
From: Mark Randall (markyr_at_REMOVETHISgoogle.ANDTHIScom)
Date: 04/02/05
- Next message: Malke: "Re: disable windows firewall"
- Previous message: Patrick: "Re: Update KB886903 dotnet framework"
- In reply to: Byron Hynes: "Re: School district and creative way to handle student passwords ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 2 Apr 2005 22:54:47 +0100
"Byron Hynes" <nospam@byronetta.com> wrote in message
news:91173632480417390937500@msnews.microsoft.com...
>> I know you know this, but - really the need for physical isolation is
>> minimal - I look at it this way, if at any point anyone from either
>> student or staff domains goes online that network might as well be
>> fully exposed to all relevant nasties.
>
> I'm not sure we're talking about the same thing. I mean the physical
> protection layer -- "guards, gates and guns" :) -- In a school setting,
> especially, the DCs need to be physically secured behind a locked door or
> locked cabinet. In general, anyone who can get physical access to a DC
> (let alone *all* DCs for a domain) can do a lot of damage. I didn't mean
> the networks needed to be air-gapped.
This is true; we had our servers locked up in a sealed air-conditioned
server room in padlocked towers.
>> At my old school we used 2 domains, in this case DCS1 (for students
>> and staff) and DCS1ADMIN (for financial administrators etc), I
>> compromised the security on DCS1 quite a few times (mainly due to
>> lousy ACLs and too much API up in my head), however I could not once
>> compromise DCS1ADMIN because I couldn't even log on the accursed thing
>> to do anything interesting... say... make myself the school's official
>> paid head of ICT (hey I was a student there at the time).
>
> I assume you logged on to DCS1 from a workstation, not from its own
> console.
Yes, I never had access to the DCS1 main server... Well, not in any way that
would have allowed me to physically change things on it.
> I also personally think that configuration errors (or "non-configuration
> errors" if you like) are one of the biggest security risks today, and they
> are not talked about nearly enough.
People do not like to mention things that show the large majority of them to
be incompetent.
> The reason I keep harping about the "separate forests, not just domains"
> thing, is that someone like you (creative, knowledgeable, lots of time and
> motivated to "explore") who has physical access to a DC could get
> information from all the domains in the forest, not just the domain of
> that DC -- especially if they are not configured or ACL'd properly.
>
>> However, on top of that - we had staff and students in 2 different
>> user groups on DCS1 - each with its own group policy.. maybe that
>> would help in this situation.
>
> Most definitely. Locking down student/lab computers is one of my favorite
> hobbies. :)
They never quite managed it on mine =\ pretty decent at just maintenance
but absolute *** at dredging security. I think the first security audit
ever made on the thing was me trying to break into it.
- MR