Have you consideres VDI? If it is a possibility Sent from my iPhone
On Sep 19, 2010, at 3:36 AM, Brian H <[email protected]> wrote: > I wanted to get some input from the security professionals point of view on > my situation. > > I've been contacted by a local county detention center (read: JAIL), to help > with a computer lab that keeps getting pwned. They keep having problems with > MP3s, Porn, and Gang communication on these computers. They say they keep > trying to clean them up, but the next day everything is back. > > I don't trust these computers one bit, I've already found an number of > questionable programs/processes (that I've removed), and some trojans in the > form of Adobe CS4 cracks that were placed on the hard drives. > > My first objective is (scorched earth) to reinstall from scratch, but that is > on hold while they find the install CD's and Keys. I've been told these will > not be available until later this week, but the first class of the new > session will happen before that. > > So, in the meantime, I have to clean & lock these down as much as I can while > letting the students still run the class programs and save their work > somewhere. > > Environment: > - 20 Lab/Student machines, 1 instructor > - Two (2h) classes per day, AM (beginner) and PM (advanced) > - Windows Vista Home Basic, Dell Optiplex 360, 2GB RAM, 130GB HD > - No server > - Students on closed network, unless teacher plugs in uplink cable > - Students used to drop off work over network to teacher's PC. > - Teacher has filtered Internet access cable next to their PC > - Classes cover basic Office Suite, Typing, and IC3 Certification. > - Previous IT person had "flexible morals", did favors for inmates. > > Ongoing problems: > - Some malicious, computer savvy, felons > - Gang messages hidden on the system to communicate to other members > - Gang communication and file sharing across LAN in class > - Porn and MP3 being spread between computers > > Options: > - Removing all non essential programs > - Installing and using Microsoft SteadyState > - Creating student profile, with standard permissions > - Enabling parental controls on student profile, app limitations, etc. > - Disabling network switch (in the class room) > - Disabling NIC in BIOS > - Password protect BIOS > > Still trying to figure out how to let them save files, yet not leave messages > for other students. I'm considering getting 40x 2GB USB Flash Drives (one > for each student of each class) so SteadyState can just nuke all changes > between students. Teacher would distribute and collect all drives before and > at the end of class. > > ---- > Brian H > [email protected] > http://www.binarynomad.com > > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com _______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
