Archived from groups: microsoft.public.windowsxp.security_admin
You have a tough nut to crack with wireless connections and a group that
will have a fairly large percentage of undisciplined users. You don't give
much info either as to type of domain controllers. I assume all the laptops
are XP Pro hopefully since this is an XP newsgroup.
Since the students can take the computers home, that also gives them plenty
of time to hack the computer, gain administrator access to do whatever they
want and then logon to the computer locally [instead of the domain] to
bypass domain user configuration Group Policy. I am not saying they are all
doing that but it is something you should be aware of. Most school
organizations have an acceptable computer use policy with stated
consequences. It may be a good idea to have such a policy, with a copy signed by both
student and parents. If the school does not have the backbone to enforce
such a policy consistently, however, it will be a waste.
As far as restricting internet access, that needs to be done at the gateway
or firewall. There are plenty of devices that will interface with content
management subscription services that will help you restrict access to
undesired websites. These services work full time updating their database
with website info. ISA 2004 is a very powerful application filtering
firewall that can be used to help control what users are accessing and
attempting to download. The link below explains this capability in more
detail.
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/httpfiltering.mspx
It can be difficult to force a user to use a domain computer. A couple of
things may help. Users may try to unjoin their computers from the domain to
bypass restrictions. If there are domain computers [other than domain
controllers] that they must access then you can create an IPsec policy for
some of those computers with a "require" IPsec policy that will allow only
domain computers access with the default Kerberos computer authentication.
IPsec is something that needs a lot of testing and domain controllers must
be exempted from IPsec negotiation traffic between them and domain
computers. In Domain Controller Security Policy you should also remove
authenticated users from the user right to add workstations to the domain to
prevent users from removing and adding their workstations to the domain [up
to ten times] at their convenience.
Group Policy is a challenge in your environment. Your users can unplug their
wireless card, logon with cached credentials, then plug their network card
in to access the network but in doing so bypassing startup/logon scripts and
Group Policy refresh. I don't know of a way to prevent that as long as
cached logons are allowed which they probably are if the user can take
"your" computers home. What may help somewhat though is to shorten the Group
Policy refresh interval. By default it is 90 minutes for domain
workstations/users. You might try shortening that to 20 minutes or maybe
less for computer and user. If you go to computer
configuration/administrative templates/system/Group Policy you will see some
options for "policy processing" such as registry policy processing which
would be a good one at least to enable and then select the option "process
even if Group Policy objects have not changed". This would help in
reversing changes students have made possibly by modifying the registry on
their [yours, actually!] computers.
As far as Windows Updates go, you can configure them via Group Policy to download
and install updates automatically by schedule and the user does not need to
be a local administrator. Many larger organizations are using Software
Update Services to manage their updates along with client Group Policy for
Windows Updates.
http://www.bris.ac.uk/is/services/computers/operatingsystems/sus/configuring.html
-- Group Policy Automatic Updates
To answer your main question, certificates may help. If you can enable
802.1X authentication with EAP-TLS for the wireless connections that may
force users to logon to the domain to access the networks. EAP-TLS requires
certificates for the user AND computer to both authenticate to the network
to access it. The problem is you will need wireless access points and
wireless network adapters that support 802.1X AND work well with it, as not
all of them do. Some have a problem with a user booting their computer in that
the wireless card does not initialize fast enough to do the computer
authentication. So if you would consider 802.1X be sure to test it out and
buy products that work well in a domain environment for EAP-TLS. The link
below explains 802.1X more. PEAP can be used but is not as secure a
solution, though you could try it to see if it helps your situation. PEAP
requires a certificate only on the IAS server.
http://www.microsoft.com/downloads/details.aspx?FamilyID=0f7fa9a2-e113-415b-b2a9-b6a3d64c48f5&DisplayLang=en
http://www.microsoft.com/windowsserver2003/technologies/networking/wifi/default.mspx
-- general wifi link
Something else you need to be aware of is that students may install "rogue"
wireless access points to bypass your wireless access security. This is a
big problem. If you are using Windows 2003 domain controllers and use
Service Pack 1 you can implement a wireless access policy that allows access
to only approved wireless access points with the authentication methods you
specify such as 802.1X. You should periodically scan your network for rogue
wireless access points. They will usually show only ports 80 TCP and maybe
23 TCP for telnet. It may also help to occasionally war drive or war walk
your school with a wireless laptop looking for wireless devices. There are
free programs [NetStumbler?] that can search for wireless access points
that have their SSID broadcasts disabled.
PKI [public key infrastructure] can be implemented fairly easily, particularly
if you have a Windows 2003 Enterprise Server on the network that can
become a CA to issue certificates that can even be done automatically via
autoenrollment to domain users and computers. Windows 2000 can issue
computer certificates automatically but not user certificates. There is a
LOT of documentation on PKI at Microsoft but if you are seriously considering
it just buy Windows Server 2003 PKI and Certificate Security by Brian Komar.
http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx ---
Windows 2003 PKI.
The ultimate solution would be a quarantine. Right now Microsoft supports
quarantine network access but only for VPN access. Quarantine runs scripts on
the computer attempting network access to do things like check for security
updates and anti virus software. If the computer does not comply there are
servers on the quarantine network that the user can use to update their
computer to comply in order to gain access. The scripts can be very complex
but there are a lot of ones available for use that can be used as is or as a
template to create your own. Hopefully in the near future MS will develop
quarantine for regular network access.
Anyhow I wish you luck and certainly 802.1X would be something to look into
for your network. --- Steve
"Fred T" <fredt2@mail.com> wrote in message
news:%23g6C%23HHRFHA.3496@TK2MSFTNGP12.phx.gbl...
> My domain has 8000 laptops we give to our high school kids. I hear you!
> To further complicate our lives, they are all wireless. If there is a way
> for them to download and share music or surf porn on campus, they'll find
> it. My shop's challenge is to stop them and help direct them to more
> educational subjects while trying to stop them from crashing the domain
> controllers / NAS boxes. We have several fine products to help us but
> where there is a kid, there is a way. Our recent trouble is kids have
> figured out to just close their lids at home where they have a home
> wireless network. When they open their laptops they get a new IP address
> and are able to bypass all the stops we have in place.
>
> Now our challenge is to have the kids, when they get a new school IP
> address, force them to log in to our network so they get the updates and
> GPOs. We're toying with Microsoft Certificates but we have issues.
> Namely, we have no experience with certificates or if this is the right
> path to achieve what we want.
>
> Anyone want to weigh in?
>
> Thanks!
>
> Fred
>
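Steve's reply above recommends shortening the Group Policy refresh interval to 20 minutes or less, enabling registry policy processing "even if Group Policy objects have not changed", and keeping in mind that cached logons let a laptop sidestep logon scripts. The following audit script is an added example, not part of the original post or of any Microsoft tool: run locally in an elevated PowerShell on a domain workstation, it reads the registry values that back those Administrative Template settings (HKLM/HKCU ...\Policies\Microsoft\Windows\System for the refresh interval, the Registry client-side-extension GUID key for NoGPOListChanges, and Winlogon CachedLogonsCount) and reports whether the machine matches the posture Steve describes. The 20 minute target is taken from the post; the script changes nothing, because on a domain member these values are owned by Group Policy and a local edit would simply be overwritten at the next refresh.

```powershell
# Added example (not from the original post): read-only audit of a domain
# workstation's Group Policy refresh/processing settings and cached-logon count.
# Assumes an elevated local PowerShell session on the workstation being checked.

$RefreshMinutesMax = 20   # Steve's suggestion: shorten the 90 minute default to 20 or less

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when either the key or the value name is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-GroupPolicyPosture {
    $findings = @()

    # Refresh interval for computers (HKLM) and users (HKCU). An absent value
    # means the default of 90 minutes (plus a random offset) is in effect.
    $scopes = @(
        @{ Label = 'Computer'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' },
        @{ Label = 'User';     Path = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\System' }
    )
    foreach ($scope in $scopes) {
        $minutes = Get-RegValue -Path $scope.Path -Name 'GroupPolicyRefreshTime'
        if ($null -eq $minutes) { $minutes = 90 }
        $findings += New-Object PSObject -Property @{
            Check  = "$($scope.Label) GP refresh interval"
            Actual = "$minutes min"
            Ok     = ([int]$minutes -le $RefreshMinutesMax)
        }
    }

    # Registry policy processing: the GUID is the Registry client-side extension.
    # NoGPOListChanges = 0 is "process even if the GPOs have not changed".
    $csePath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
    $noListChanges = Get-RegValue -Path $csePath -Name 'NoGPOListChanges'
    $actual = 'not configured'
    if ($null -ne $noListChanges) { $actual = "NoGPOListChanges=$noListChanges" }
    $findings += New-Object PSObject -Property @{
        Check  = 'Registry policy: process unchanged GPOs'
        Actual = $actual
        Ok     = ($noListChanges -eq 0)
    }

    # Cached domain logons (REG_SZ, default "10"). Take-home laptops need a
    # nonzero value, so this row is reported for review rather than pass/fail.
    $cached = Get-RegValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name 'CachedLogonsCount'
    if ($null -eq $cached) { $cached = '10' }
    $findings += New-Object PSObject -Property @{
        Check  = 'Cached logons allowed (offline logon bypasses logon scripts)'
        Actual = $cached
        Ok     = 'review'
    }
    return $findings
}

Test-GroupPolicyPosture | Format-Table Check, Actual, Ok -AutoSize
```

A machine that shows 90 minutes for both scopes and "not configured" for the Registry extension has not received the settings Steve describes; since the values come from Group Policy, the fix belongs in the GPO (Computer Configuration/Administrative Templates/System/Group Policy), after which a `gpupdate` on the workstation should change the report.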
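Steve also suggests periodically scanning the network for rogue wireless access points, noting that they usually show only TCP 80 and perhaps TCP 23. The script below is an added example, not from the original post: it applies exactly that heuristic, together with a check against an inventory of approved access points, to a table of hosts. The inventory MAC addresses and the five scan rows are constructed sample data; in practice you would build `$ScanResults` from your own ARP sweep and port scan output for the classroom subnet.

```powershell
# Added example (not from the original post): flag hosts that look like rogue
# access points. Heuristics from the post: not an approved AP, and exposing
# only TCP 80 (optionally with TCP 23). All data below is constructed.

$ApprovedAccessPoints = @('00:11:22:aa:bb:01', '00:11:22:aa:bb:02')   # constructed inventory

# Constructed rows: what an ARP sweep plus port scan of one subnet might return.
$ScanResults = @(
    @{ Ip = '10.20.1.5';  Mac = '00:11:22:AA:BB:01'; OpenTcp = @(80, 23) },        # approved AP
    @{ Ip = '10.20.1.40'; Mac = '00:aa:bb:cc:dd:ee'; OpenTcp = @(80) },            # unknown, web UI only
    @{ Ip = '10.20.1.41'; Mac = '00:aa:bb:cc:dd:ef'; OpenTcp = @(80, 23) },        # unknown, web + telnet
    @{ Ip = '10.20.1.60'; Mac = '00:1c:23:aa:bb:cc'; OpenTcp = @(135, 139, 445) }, # a Windows workstation
    @{ Ip = '10.20.1.61'; Mac = '00:1c:23:aa:bb:cd'; OpenTcp = @() }               # nothing listening
)

function Find-RogueApCandidates {
    param([object[]]$Hosts, [string[]]$Approved)

    # Normalise the inventory so the MAC comparison is case-insensitive.
    $approvedSet = @{}
    foreach ($m in $Approved) { $approvedSet[$m.ToLower()] = $true }

    $candidates = @()
    foreach ($h in $Hosts) {
        $mac = $h.Mac.ToLower()
        if ($approvedSet.ContainsKey($mac)) { continue }      # known, approved AP

        $ports = @($h.OpenTcp)
        if ($ports.Count -eq 0) { continue }                  # nothing to judge by

        # Every open port must be 80 or 23, and 80 must be present.
        $otherPorts = @($ports | Where-Object { $_ -ne 80 -and $_ -ne 23 })
        if ($otherPorts.Count -eq 0 -and ($ports -contains 80)) {
            $reason = 'unknown device exposing only HTTP'
            if ($ports -contains 23) { $reason += '/telnet' }
            $reason += ' management ports'
            $candidates += New-Object PSObject -Property @{
                Ip      = $h.Ip
                Mac     = $mac
                OpenTcp = ($ports -join ',')
                Reason  = $reason
            }
        }
    }
    return $candidates
}

# With the constructed data, 10.20.1.40 and 10.20.1.41 are reported.
Find-RogueApCandidates -Hosts $ScanResults -Approved $ApprovedAccessPoints |
    Format-Table Ip, Mac, OpenTcp, Reason -AutoSize
```

The port heuristic on its own will also catch printers and other embedded devices with a web interface, so the approved-inventory check and a physical walk with a wireless scanner (as Steve suggests) are what turn a candidate into a confirmed rogue access point.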