Lock down school network

Status
Not open for further replies.

SelbyGlenn

Technical User
Oct 7, 2002
444
GB
Hi there,

I don't know if this is the correct forum for this but here goes:

I'm running an IT dept in a private boarding school. How do I stop kids accessing the web from their private laptops? We are running 2k Servers. We have DHCP scopes and an ISA server running Surf Control. At the moment there is no way of stopping a kid getting an IP address, entering the proxy settings on their web client, authenticating through the ISA server with their domain account and then using the web.

The reason this is a problem is often the kids' private laptops are not patched up, don't have AV installed and are therefore a menace on our network! If I can restrict internet access to school laptops and desktops the kids will soon stop using the network with their private laptops.

Any ideas would be most appreciated!

Thanks in advance,


Glenn
BEng MCSE CCA
 
Try RADIUS. Microsoft has IAS (which in 2k isn't that great ...), and there are various and pay-for implementations of RADIUS. freeradius.org is a popular one for Linux. That's just one way anyway.

----------------------------
"Security is like an onion" - Unknown
 
You could set up a Radius or Tacacs server that they have to auth. before browse, the only problem w/that is you would have to change the auth. pass a lot to maintain a balance.
 
Thanks for your replies guys. I have printed off the IAS white paper but haven't had a chance to read through the 146 pages! Hopefully Radius will do the job.

Glenn
BEng MCSE CCA
 
Cisco's switch IOS can be set to only allow connections from certain MACs.
You really don't want these machines even on your network right? Admin headache though.

Probably being obvious, but make sure that your authentication method is at least partially based on workstation accounts. User credentials have to be provided to the students, but workstation credentials don't.

Native AD? Remote Access Policies have issues in mixed mode.

Just rambling,
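
The MAC allow-list idea from the post above, turned into an audit, as an added example that is not part of the original thread: this Python code parses `show mac address-table` output from a switch and lists the ports where a device missing from the school's asset inventory has been learned. The sample table, the inventory and the function names are constructed assumptions.

```python
import re

# Constructed sample of `show mac address-table` output (not from the thread).
SAMPLE_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Fa0/1
  10    0011.2233.4466    DYNAMIC     Fa0/2
  10    00a0.c9ff.0102    DYNAMIC     Fa0/3
  20    0011.2233.4477    STATIC      Fa0/4
  10    00A0.C9FF.0999    DYNAMIC     Fa0/3
Total Mac Addresses for this criterion: 5
"""

# Constructed asset inventory of school-owned machines, in mixed notations.
SCHOOL_MACS = ["00:11:22:33:44:55", "00-11-22-33-44-66", "0011.2233.4477"]

# One table row: VLAN number, dotted MAC, entry type, port name.
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9A-Fa-f]{4}(?:\.[0-9A-Fa-f]{4}){2})\s+(\w+)\s+(\S+)\s*$"
)


def normalize_mac(mac):
    """Reduce colon, dash or Cisco dotted notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def unknown_macs(table_text, allowlist):
    """Return {port: [mac, ...]} for learned addresses missing from the allowlist."""
    allowed = {normalize_mac(m) for m in allowlist}
    findings = {}
    for line in table_text.splitlines():
        match = ROW.match(line)
        if not match:
            continue  # header, separator or summary line
        _vlan, mac, _type, port = match.groups()
        if normalize_mac(mac) not in allowed:
            findings.setdefault(port, []).append(normalize_mac(mac))
    return findings


if __name__ == "__main__":
    for port, macs in sorted(unknown_macs(SAMPLE_TABLE, SCHOOL_MACS).items()):
        print(f"{port}: unknown device(s) {', '.join(macs)}")
```
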
 
"authenticating through the ISA server with their domain account"? It's been a long time, but isn't the point of authentication through ISA to gain privileges? I know with BorderManager permissions can be granted to users, groups and OUs based on the user's login. I would look to see if ISA has something similar.
 
Hi PSYSMIC,

Do you know how to do this? Is it possible to do this on an ISA server?

"Probably being obvious, but make sure that your authentication method is at least partially based on workstation accounts. User credentials have to be provided to the students, but workstation credentials don't. "

Thanks,


Glenn
BEng MCSE CCA
 
Been a while since I played with ISA. Can hopefully give you some ideas. Found a good article that bears reading
Your ISA active directory integrated?

So, with that in mind.

Set requests from anyone (anon) to deny and apply your protocol rules to the workstation OU. If current rules/filters are address/site based, then they'll have to be removed. Just remember to back it up before you jack it up:)
I'm curious now, if this doesn't help, I'm gonna fire it up in a test rack. We use WebSense at the office.
 
I use a sonicwall firewall that is configured to require users to log in to gain access to the internet. It may work for you
 
I don't know about the answer to your question, but since you mentioned school and security issues,

I found this thread yesterday while searching for an answer to something:

Just thought I'd pass it on for your idle reading time in case it had something that would help you sometime.

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
Nice one! I'll have a read through these when I get a moment.

Cheers,

Glenn

Glenn
BEng MCSE CCA
 