Networking

Monitoring suspicious activity on a K-12 computer network

K-12 computer networks are often not monitored in the way corporate networks are (in some cases, they're not monitored at all). Mostly this is attributed to funding. Here are some free scripts to use when your budget is tight.

By William T. Evans

Computer networks, regardless of what industry or sector, require maintenance and monitoring. Monitoring activity on a corporate computer network is more than common; it is often necessary and sometimes required legally. However, K-12 computer networks are often not monitored in the way corporate networks are (in some cases, they're not monitored at all). Mostly this is attributed to funding. A K-12 school district often cannot justify budget spending for software and utilities to monitor their computers.

The solution to this problem lies in using low-cost or no-cost tools. A good number of school districts have begun to use such methods with great success. There are three core pieces: file storage, network traffic, and host connectivity monitoring.

File storage monitoring

File storage monitoring is the most significant method of tracking suspicious activity. This is because K-12 users have very restricted access to local resources. The only area they have control of is their personal file storage location (a home directory or shared directory, typically on a network file server). It's where they can store and save "damaging" and "dangerous" files such as executables, code, and programs. Using a number of scripts, an administrator can not only monitor suspicious files but also process them.


To do this, the following packages and files are required. The details of each are as follows:

  • lfind.exe (ported Linux find utility, part of the UNXutils package, must download)
  • lpaste.exe (ported Linux paste utility, part of the UNXutils package, must download)
  • Seclude.bat (primary processing file):
REM Seclude Processing script originally created by Bill Evans and Bill Santoro
REM 06-01-06
REM @echo off
REM Locate and quarantine (seclude) files that are found hazardous
REM Files will be located by extension
REM Append (>>) so Seclude.log keeps a history of every run rather than only the last one
date /t >> Seclude.log
time /t >> Seclude.log

REM Find files with an extension EXE and update log file
lfind E:\Users\Home -name *.exe > Seclude.txt
type Seclude.txt >> Seclude.log

REM Prep files by adding quotes to all lines
cscript //NoLogo addquotes.vbs Seclude.txt > Seclude1.txt

REM Create secondary work file
copy /y Seclude1.txt Seclude2.txt
XchangeCL -B Seclude2.txt /home/seclude/

REM Combine both work files (source path and destination path on each line)
lpaste Seclude1.txt Seclude2.txt > Seclude3.txt

REM Process Secluded files
for /F "delims=" %%a in (Seclude3.txt) do call seclude3.bat %%a

REM cleanup
del /q Seclude.txt
del /q Seclude1.txt
del /q Seclude2.txt
del /q Seclude3.txt

REM Complete and exit
time /t >> Seclude.log

  • Seclude3.bat (secondary processing file):

REM Seclude Processing script originally created by Bill Evans and Bill Santoro
REM 06-01-06
REM @echo off
REM Secondary processing from Seclude.bat
REM Run Copy and Delete commands against each line of Seclude3.txt (%1 = source path, %2 = destination path)
REM This process requires f.txt to exist in the current directory (answers xcopy's "File or Directory?" prompt)
if %1==bytes GOTO end
if %2==bytes GOTO end
attrib -h %1
xcopy /y /q /i %1 %2 < f.txt
REM Only remove the original if the copy succeeded; otherwise the file would be lost rather than quarantined
if errorlevel 1 GOTO end
del /q %1
:end


  • F.txt (input parameter file):

F

  • AddQuotes.vbs (text file editing script):

Option Explicit
Dim oFileSystem, sFileName, oFile

Set oFileSystem = CreateObject("Scripting.FileSystemObject")

If Wscript.Arguments.Count = 0 Then
  Wscript.Echo "cscript addquotes.vbs filename"
  Wscript.Quit
Else
  sFileName = Wscript.Arguments(0)
End If

Set oFile = oFileSystem.OpenTextFile(sFileName)

' Echo each line wrapped in double quotes (chr(34)) so paths containing spaces survive batch processing
While oFile.AtEndOfStream <> True
  Wscript.Echo chr(34) & oFile.ReadLine & chr(34)
Wend

oFile.Close

  • XchangeCL.exe (text file editing program, from Sadman Software, must download)

Additionally, this tool assumes the following:

  1. The tool is being run from the server/computer that stores user data
  2. The required files are all stored together in one folder
  3. The user data is located in E:\Users\Home
  4. A folder E:\Users\Seclude exists
  5. The proper permissions (ACLs) are set on the server/computer

The tool processes as follows:

  1. The date and time stamp are written to file Seclude.log
  2. The user home directories are scanned for all executable files and the results are written to work file Seclude.txt
  3. Quotes are added around every line of Seclude.txt, producing Seclude1.txt (paths may contain spaces, so the quotes are required for batch processing)
  4. A second work file, Seclude2.txt, is created by copying Seclude1.txt and replacing all instances of "Home" with "Seclude"
  5. Both work files, Seclude1.txt and Seclude2.txt, are combined line by line into Seclude3.txt, so each line holds a source path and its destination path
  6. Work file Seclude3.txt is fed into script Seclude3.bat and processed (this moves each executable from the user's Home directory to the same relative location under the Seclude folder so that it can be analyzed if necessary)
  7. Clean up commands are run to remove temporary work files (this section can be commented or removed for troubleshooting purposes)
  8. The time stamp is written to file Seclude.log
  9. The tool is finished processing

The function and purpose of this tool can be seen in its processes. The main purpose of this tool is to remove, and securely relocate, any executable files from user home directories. With this base functionality, the tool can be modified to search for other file extensions, specific file names, and even files by size. Keep in mind that matching on extension alone only catches files that are still named .exe; a binary renamed to .txt or .jpg will pass the scan, so treat this as a deterrent and an audit trail rather than a complete control.

By automating this tool using Windows Task Scheduler you can build a simple yet effective file monitoring system. And, since the files are relocated (quarantined, in a sense) and not deleted, they can safely be reviewed at a later date, provided the Seclude folder's ACLs prevent users from reading it or writing back into it. Also, since a log file is created, it's possible to track user activity in the storage system.
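For a newer Windows file server the same quarantine procedure can be done in one PowerShell script instead of the batch, VBScript and third-party utility chain above. The following is an added example written for this page; it is not the article's code and not from its authors. It assumes PowerShell 4.0 or later (for Get-FileHash), the same E:\Users\Home and E:\Users\Seclude layout the article uses, and a log path of E:\Users\Seclude.log; the extension list and the DryRun switch are choices made here. Beyond the original, it also inspects the first two bytes of every file for the PE "MZ" signature, so an executable that a student has renamed to hide it is quarantined too, and it records a SHA-256 hash and file owner for each move.

```powershell
# Added example (not from the original article): PowerShell rewrite of the
# Seclude.bat / Seclude3.bat quarantine procedure for a Windows file server.
# Assumptions: PowerShell 4.0+, the article's E:\Users\Home and E:\Users\Seclude
# layout, and a log file location chosen here.
param(
    [string]$HomeRoot       = 'E:\Users\Home',        # user home directories (assumed, as in the article)
    [string]$QuarantineRoot = 'E:\Users\Seclude',     # quarantine tree; ACLs must keep users out (assumed)
    [string]$LogFile        = 'E:\Users\Seclude.log', # assumed log location
    [switch]$DryRun                                   # log what would move without touching anything
)

# Normalise so relative-path calculation below matches what Get-ChildItem reports
$HomeRoot = (Get-Item -LiteralPath $HomeRoot).FullName

# Extensions Windows will execute directly; extend as the article suggests
$riskyExtensions = @('.exe', '.com', '.scr', '.pif', '.msi', '.bat', '.cmd', '.vbs', '.js', '.ps1')

# The batch version keys only on extension; a renamed binary (payload.txt) slips past.
# Checking the first two bytes for the PE "MZ" signature catches it regardless of name.
function Test-PeHeader {
    param([string]$Path)
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
        try {
            $buf = New-Object byte[] 2
            $n = $fs.Read($buf, 0, 2)
            return ($n -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)   # 'M','Z'
        } finally {
            $fs.Dispose()
        }
    } catch {
        return $false   # locked or unreadable: leave it for a later run
    }
}

function Write-SecludeLog {
    param([string]$Message)
    "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')`t$Message" | Add-Content -Path $LogFile
}

Write-SecludeLog "run started (DryRun=$DryRun)"

Get-ChildItem -Path $HomeRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { ($riskyExtensions -contains $_.Extension.ToLower()) -or (Test-PeHeader $_.FullName) } |
    ForEach-Object {
        $file = $_
        # Mirror the Home subtree under Seclude so the owner and original path are preserved
        $relative = $file.FullName.Substring($HomeRoot.Length).TrimStart('\')
        $dest     = Join-Path $QuarantineRoot $relative
        # Hash and owner recorded before the move give the reviewer something to correlate later
        $hash   = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        $owner  = (Get-Acl -LiteralPath $file.FullName).Owner
        $detail = "{0}`t{1}`t{2}`t{3}" -f $file.FullName, $dest, $hash, $owner

        if ($DryRun) { Write-SecludeLog "WOULD-MOVE`t$detail"; return }
        try {
            New-Item -ItemType Directory -Path (Split-Path -Parent $dest) -Force | Out-Null
            # Clear the Hidden bit the way attrib -h did, then move (never delete) the file
            $file.Attributes = $file.Attributes -band (-bnot [System.IO.FileAttributes]::Hidden)
            Move-Item -LiteralPath $file.FullName -Destination $dest -Force -ErrorAction Stop
            Write-SecludeLog "MOVED`t$detail"
        } catch {
            # A failed move leaves the original in place and is logged for follow-up
            Write-SecludeLog "FAILED`t$detail`t$($_.Exception.Message)"
        }
    }

Write-SecludeLog "run finished"
```

Run it once with -DryRun and read the log before letting it move anything, then schedule it with a command such as schtasks /Create /SC DAILY /ST 02:00 /TN Seclude /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File E:\Tools\Seclude.ps1" /RU SYSTEM (the script path is an assumption). The log is tab-separated, one line per file with a MOVED, WOULD-MOVE or FAILED status, so it can be imported into a spreadsheet or Import-Csv -Delimiter "`t" when reviewing a student's activity.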

Network/traffic monitoring

Monitoring traffic on a K-12 computer network is also important. Traffic monitoring can be used to:

  1. Troubleshoot performance problems
  2. Locate rogue client stations
  3. Locate "improper" known clients
  4. Locate bottlenecks and utilization issues
  5. Track down network based viruses and worms

However, it's important to note that a baseline is required. Therefore, it's necessary to periodically monitor network traffic so as to be familiar with what typical traffic looks like—every organization is different. There are a number of no-cost products out there. A couple are:

    • Ethereal (since renamed Wireshark)—a network protocol analyzer and traffic analyzer
    • PRTG—a Microsoft Windows-based port of MRTG that does bandwidth and network usage monitoring

Host/connectivity monitoring

As K-12 computer networks become more complex, and more critical to operation, host and connectivity monitoring becomes very important. This type of monitoring allows an administrator to react to problems/outages much more quickly—often even before the end user is aware of a problem. Some no-cost host monitoring products are:

    • Nagios—formerly known as NetSaint, this is a Linux only product, it also can be difficult to initially configure
    • FREEping—simple ping based host monitoring
    • IPcheck Server Monitor—simple ping based host monitoring

Conclusion

When it comes to monitoring suspicious activity on a K-12 computer network, there are a number of critical areas. One must monitor the user, network traffic, and the critical hosts to ensure proper functionality and prevent misuse. Doing so will allow a proactive and reactive approach that will provide a better overall experience for the end user and keep management content.
