Manage and monitor Windows Laptops in a school environment

0 Votes
Locked

m-widrig
Dear reader,

I am responsible for managing 40 school laptops.

All of them are connected to a Wi-Fi network and have either Windows XP/Vista/7 installed.

I would like to establish a new system by way of which I will be able to:

Block system configuration for students
Software installations for students
Accessing inappropriate websites for students

and also if possible manage them from a central computer.

I was thinking of using Windows Server as I still have licences for it, but I do not have any experience using it and setting it up.

If you could please advise me.

Thanks in advance,

Lukas Max Widrig

PS: I have tried to simply use the Windows account system and do an admin account and a students account, but I encountered problems such as when I install a software on the admin account, it will not be installed on the students account. Also the account control system varies between Windows XP, Vista and 7.
  • +
    2 Votes
    robo_dev

    Locking down the Windows computers is relatively simple but perhaps not so easy... you need to create and deploy Windows group policy, which would require you to create a Windows domain on the network. Learn it, figure it out, do it.

    The Web content is a different approach. The most common solution is a content-filtering proxy server such as WebSense or an education-specific solution such as Cymphonix. The simplest approach is a proxy server appliance... WebSense makes lots of different models that do that.

    You configure the network so that the only way to the Internet is through the proxy server, and the proxy server both filters and logs the Web traffic.

    There are several open-source content filtering solutions such as Untangle or SafeSquid; however, these are more difficult to deploy.

    +
    0 Votes
    m-widrig

    Thanks for that, I am a great step forward now. I will watch a tutorial on Windows Server 2008 and start without delay. Would it cause any problems though if the clients have variations in their OS (Windows XP/Vista/7)?

    +
    0 Votes
    m-widrig

    One more question please, can I use any modern Desktop PC as a server or is it not recommended at all?
    If you would suggest a server would you recommend a specific one?
    Our budget is very low.

    Regards,

    +
    2 Votes
    Rob Kuhn

    robo_dev already suggested the use of domain accounts and using Active Directory policies ... the only thing to add to that would be CALs. I don't know offhand if you will need a CAL for each machine if the server is just a domain controller and AD server.

    As for web filtering, again robo_dev summarized what you need to do. You could use your Windows server as a proxy server but I would recommend the use of a standalone device/appliance to handle that.

    Question - do you have access to the firewall or is that handled by a formal IT department or your ISP? If you have control (and manage) your own firewall you could use something like OpenDNS.com to help filter and control access.

    Another question - do you anticipate the number of machines and users to grow beyond the 40 you have now? If so I would highly recommend that you start to plan and design your infrastructure now - one that can easily expand and manage. If you don't have it in your budget to implement this year at least put together a shopping list to be submitted for your 2013 budget.

    Good luck! :)

    +
    0 Votes
    robo_dev

    Note that some of the DNS solutions are good but not great with respect to filtering. I have done some testing of DynDNS and found that it was very good at the 'easy and obvious' stuff, but in terms of the finer details, it was not good enough for a school.

    The tricky part is that for a corporate environment it's really not quite so critical if the filtering is imperfect, but most kids these days are smarter than most corporate employees :) , and the liability/consequences for school administrators doing a bad job of filtering content can be fairly severe.

    +
    0 Votes
    m-widrig

    Thanks a lot likewise for your time, there are no plans for expansion for the time being but it is important advice.
    Thanks

    +
    0 Votes
    m-widrig

    Regarding the firewall I could use the firewall from the Belkin router or the Cisco switch.

    +
    0 Votes
    m-widrig

    I do not know anything about CALs but I think that because all machines have a legal Windows Key I should not need to have anything else?!

    +
    0 Votes
    JPElectron

    We use DNS Redirector http://dnsredirector.com for web filtering, you can block sites by categories, which update every night, or you can add any site to the list to block or allow. It can run on the same server you're using for the domain controller, so you don't need to purchase more hardware. You can further combat the running or installation of unwanted software using Group Policy, a local policy such as a white-list of allowed exe's to run, Microsoft SteadyState (only for XP) or 3rd party software like Deep Freeze, Shadow Defender, etc.
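
An added example, not part of any post in this thread: robo_dev's requirement that the proxy be the only way to the Internet, and the DNS-based filters suggested here, both depend on the router refusing direct outbound traffic from the laptops. The Python script below evaluates a constructed first-match rule list and reports which web or DNS flows a laptop could still send without passing the filter server; the addresses, rule format and function names are assumptions for illustration.

```python
import ipaddress

# Constructed outbound rule sets for the Internet-facing router; first match wins.
# All addresses are placeholders: FILTER is the proxy/DNS-filter server,
# LAPTOPS the student laptop subnet. Rule: (action, source, protocol, dst port).
FILTER = "192.168.10.5"
LAPTOPS = "192.168.10.0/24"
PROXY_ONLY = [("allow", FILTER + "/32", "tcp", 80),
              ("allow", FILTER + "/32", "tcp", 443),
              ("allow", FILTER + "/32", "udp", 53),
              ("deny", LAPTOPS, "tcp", 80),
              ("deny", LAPTOPS, "tcp", 443)]
LOOSE = PROXY_ONLY + [("allow", LAPTOPS, None, None)]   # catch-all allow
TIGHT = PROXY_ONLY + [("deny", LAPTOPS, None, None)]    # catch-all deny

# Flows that carry web content or name lookups and must pass through the filter.
WATCHED = [("tcp", 80), ("tcp", 443), ("udp", 53), ("tcp", 53)]


def decide(rules, src, proto, port, default="deny"):
    """Return the action of the first rule that matches an outbound flow."""
    addr = ipaddress.ip_address(src)
    for action, net, r_proto, r_port in rules:
        if addr not in ipaddress.ip_network(net):
            continue
        if r_proto not in (None, proto) or r_port not in (None, port):
            continue
        return action
    return default


def direct_paths(rules, client_net=LAPTOPS, filter_host=FILTER):
    """Return the watched (proto, port) flows a laptop can send out directly."""
    open_flows = set()
    for host in ipaddress.ip_network(client_net).hosts():
        if str(host) == filter_host:
            continue  # the filter server itself is expected to reach the Internet
        for proto, port in WATCHED:
            if decide(rules, str(host), proto, port) == "allow":
                open_flows.add((proto, port))
    return sorted(open_flows)


if __name__ == "__main__":
    for name, rules in (("LOOSE", LOOSE), ("TIGHT", TIGHT)):
        print(name, "direct paths:", direct_paths(rules) or "none")
```

An empty result means every watched flow from the laptop subnet is refused at the router, so web and DNS traffic can only leave through the filter server.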

    +
    0 Votes
    davep.l

    Having managed the network in a large UK High School, I'd suggest the only way forward to control access to machines is by Group Policy. If you're part of a local authority, I'd be surprised if there wasn't some kind of support from the authority to help set this up if you're not familiar with the system. Where I'm from we used to have dedicated IT staff working for the Authority, particularly with Internet access and blocking of inappropriate sites.

    +
    0 Votes
    m-widrig

    It is a private independent school so we have our own policies and do not receive any governmental help, this is why our budget must stay as low as possible and the solution as simple as possible.

    +
    0 Votes
    a.portman

    You should buy a server class machine. You should be able to find one for less than $1,000 to do Active Directory. Find a reputable brick and mortar based software distributor. Microsoft offers excellent education pricing, but it is confusing. A good reseller can find the best fit for you.

    Windows 7 has features XP does not. You may need to have a separate group policy for the Windows 7 machines. But it can be done and works well.

    +
    1 Votes
    mrsharyf

    To achieve this, employ the use of Win Server 2008's group policy. You'll be able to create groups with certain defined privileges and add users to them as you see fit. This is pretty much a domain.

    +
    2 Votes
    robo_dev

    Well, if on a tight budget, you do what you have to do.

    Personally, I would go to the used market on eBay and shop for server hardware there.

    The advantages of a rack-mount server in a server cabinet vs. a PC on the floor of an office somewhere.

    a) In terms of theft/tampering, you can lock a server cabinet and thus the server is safe. A PC acting as a server can be on a rack shelf, as well. If a device spits sparks or catches fire, it's inside a metal box, so it's safer for your facility.

    b) Servers tend to have:
    - more fans
    - monitored fans, so when a fan fails, it sends an alert, and the device does not cook
    - redundant power supplies, so when one fails, the other one takes over
    - redundant disk storage, so when one fails, the server keeps going
    - remote hardware management, so when something fails, you can fix it from home
    - faster disk controllers, and multiple processors, for more throughput
    - typically error-correcting memory, so memory errors don't mean BSOD
    - hot swappable front access hard drives, so the server can stay online when you need to install more disk or replace a disk (vs. taking the machine apart).

    c) What to buy? My choice is Dell, HP, or a good budget server is SuperMicro. There are LOTS of used servers out there, and hardware is dirt cheap.

    On eBay I bought three rack mount SuperMicro servers for a grand total of $17, with free local pickup. I just had to add some hard drives and I was all set. I spent $150 for a basic Dell server.

    +
    0 Votes
    patmilton

    Easiest would be to use a complete content filtering application such as Qustodio. I use it and can vouch for its features and ease of use and administration. It's free and has a great reporting feature in addition to real-time blocking of sites.
