Rebuilding a Network

six_storm

I'm about 3 weeks in on taking a new job teaching a CIT class and being a Systems Admin for a local trade school. We have about ~100 PCs and a few servers (will be virtualizing/consolidating very soon), but I'll be recreating the servers along with the new hardware.

I'm having a little trouble planning out what I should do to further improve our network and increasing security; the previous Sysadmin/Instructor did things a little odd IMO.

We have one domain that only the faculty is attached to but all of the student PCs are just hanging out on a workgroup. These student PCs are not filtered and they are all running on a bonded T1. You can imagine how slow it must be right now. So my question is more about how should I get these student PCs under control without having a complicated setup.

I'm doing some testing/research on some new firewalls for our location that have web filtering subscriptions included. Got to have web filtering at the firewall level for sure and get web access locked down.

Also, each classroom has 1 instructor PC and 1 server for testing software. I'm sure I'll just assign static IPs to those and have an "unfiltered IP range" for faculty.

I've thought about having 2 domains, one for faculty and one for students. I've thought about having 1 domain, 2 OUs. Faculty wants there to be no way a student can access their servers.

What does the [H] crowd think?

My end game is that I want all student PCs heavily filtered, faculty not as filtered, yet keeping a simple, secure network.
 

Sounds like you need a good firewall, few vlans and turn on some good security features.

IE students can see their virtual mapped drive & printer, BUT not talk to each computer (slows viruses & spyware infections down).

Staff should be on different subnet & or vlan.

What firewall are you planning to use ? Or are you going to build your own ?

Are you able to give us more input on what hardware you have ? or wish to replace ?

Are you going to do a student ( machine image ) ? something like deep freeze ? system gets wrecked or screwed with, you simply reboot it and it's back to the image you created etc etc ?
 
If you setup AD properly, you don't need a second domain to keep students off the servers. The weak link will be if a student figures out a teacher credentials. It will also reduce the number of domain controllers needed, as you should have 2 for each domain for redundancy.

But definitely get the student computers on the domain so you can start using GP to lock them down. You will also be able to turn on auditing for the student/teach accounts, which is always good to have.
 
If you setup AD properly, you don't need a second domain to keep students off the servers. The weak link will be if a student figures out a teacher credentials. It will also reduce the number of domain controllers needed, as you should have 2 for each domain for redundancy.

But definitely get the student computers on the domain so you can start using GP to lock them down. You will also be able to turn on auditing for the student/teach accounts, which is always good to have.

and on a different subnet / Vlan too ?
 
Put the student pc's on a different vlan and have all of them autologin with a locked down domain account. Run them through qos and a proxy.
 
Air gap between staff and student networks. Separate links to the internet. There WILL be a student who's better than you, and you don't want to be hit by a confidentiality suit. For the instructor server & PC, don't give them static IPs: rather, give them reserved IPs.

I don't see the need for VLANs. KISS applies.

You definitely want a proxy server for the student PCs, also a WSUS server to save on bandwidth. Ideally, you should have something like MS Steady State for the student PCs, which should be re-imaged nightly, weekly, or termly as appropriate. MS Steady State doesn't support Windows 7, but MS think you can get away with using inbuilt Windows 7 features.

Don't forget the quick wins: physically unplug the DVD drives in the student PCs and disable USB drives by Group Policy.
 
Sounds like you need a good firewall, few vlans and turn on some good security features.

We currently run some older Fireboxes but honestly, I'm not impressed with it. I'm hoping to replace them soon with Fortigate firewalls.

Staff should be on different subnet & or vlan.

I totally agree, but I don't want to do VLans if I don't have to. Just trying to keep things simple.

Are you able to give us more input on what hardware you have ? or wish to replace ?

I currently have about 7 servers doing very small roles, but will hopefully be consolidating and virtualizing very soon on a new ESX box.

Are you going to do a student ( machine image ) ? something like deep freeze ? system gets wrecked or screwed with, you simply reboot it and it's back to the image you created etc etc ?

I'm toying with that idea, but this is something I will need to discuss with administration first. I still haven't got a good idea of what each class really uses their computers for.


Biznatch said:
If you setup AD properly, you don't need a second domain to keep students off the servers. The weak link will be if a student figures out a teacher credentials. It will also reduce the number of domain controllers needed, as you should have 2 for each domain for redundancy.

But definitely get the student computers on the domain so you can start using GP to lock them down. You will also be able to turn on auditing for the student/teach accounts, which is always good to have.

This is what my buddy keeps telling me. I would like to try and not have AD accounts for all individual students so it would be more about having computer GPOs instead of user GPOs. Still researching and deciding on that one.

Quartz-1 said:
Air gap between staff and student networks. Separate links to the internet. There WILL be a student who's better than you, and you don't want to be hit by a confidentiality suit. For the instructor server & PC, don't give them static IPs: rather, give them reserved IPs.

I don't see the need for VLANs. KISS applies.

You definitely want a proxy server for the student PCs, also a WSUS server to save on bandwidth. Ideally, you should have something like MS Steady State for the student PCs, which should be re-imaged nightly, weekly, or termly as appropriate. MS Steady State doesn't support Windows 7, but MS think you can get away with using inbuilt Windows 7 features.

Don't forget the quick wins: physically unplug the DVD drives in the student PCs and disable USB drives by Group Policy.

Like I mentioned earlier, I'm looking into getting a better firewall with a web blocker subscription with good reporting. One of the things I'm also trying to do is implement a web policy for the school; something that states that they can't view personal sites such as Facebook, ebay, Gmail, Yahoo Mail, etc. Not sure if this will help much but at least we have something in writing ya know?

I may not be able to unplug the DVD drives (students may need them believe it or not) and I probably won't disable USB drives since I have my students saving their files to them instead of the local hard drive.

This is still a fresh idea that I will need to discuss with administration to get the ok on but I wanted to make sure I have a simple plan to not only keep things simple, but get the job done. I think the big concerns will be to disable flash and things like that.
 

To make life easier, why not have a mapped drive for each student, enabling usb ports allows them to bring drives & viruses from home etc etc..

All the power to ya, LOADS OF WORK ...

How do you plan on separating staff from Student ?
 
To make life easier, why not have a mapped drive for each student, enabling usb ports allows them to bring drives & viruses from home etc etc..

All the power to ya, LOADS OF WORK ...

How do you plan on separating staff from Student ?

While I agree about the USB drives, I'm not going to use any of our server storage to house student anything. I'll have to research the best way to do this.

Not sure how I can separate the students from the faculty since all machines are physically meshed together, plus the fact that each class has an instructor PC and server. I'd honestly have to put in a backend firewall between the servers and the rest of the network but that's getting into complicated. Still a fresh idea. ;)
 
all servers should be in one location i would think....

also any reason why fortigate? and not some other options?
 
all servers should be in one location i would think....

also any reason why fortigate? and not some other options?

I've seen this setup before, each class has a mini network, and the students projects & other stuff is with in the class, not all over the school. I bet each class isn't wired back to the main central place..
 
all servers should be in one location i would think....

also any reason why fortigate? and not some other options?

Each teacher has a server in their classroom to host their own testing software; each teacher is responsible for creating/administering their own tests to their class.

I'm leaning on Fortigate since that is what I'm most familiar with. I do have some background with Juniper as well.

dashpuppy said:
I've seen this setup before, each class has a mini network, and the students projects & other stuff is with in the class, not all over the school. I bet each class isn't wired back to the main central place..

This. However, each class network has their own switch, then that switch is connected to the main school switch.
 
This is still a fresh idea that I will need to discuss with administration to get the ok on but I wanted to make sure I have a simple plan to not only keep things simple, but get the job done.

I have set up networks in schools and there absolutely had to be an air gap between student and administration networks. Of course, this is in the U.K. - laws might be different in your location.
 
VLANs all the way

1 for each class room

If you put a cisco router at the core setup a VLAN for each room, you can still use a single DHCP server etc

Here is an example

5 networks

Access list 102 is 192.168.204.x

Network 1 = 192.168.200.x (Core Network - DHCP server location, management tools etc)
Network 2 = 192.168.201.x
Network 3 - 192.168.202.x
Network 4 = 192.168.203.x
Network 5 = 192.168.204.x (access list 102 network)
Network 6 = 192.168.205.x

** Below is the router config for VLAN / Network 5 **

access-list 102 permit udp any any eq bootpc
access-list 102 permit udp any any eq bootps
access-list 102 permit tcp 192.168.204.0 0.0.0.255 192.168.200.0 0.0.0.255 established
access-list 102 deny ip 192.168.204.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 102 deny ip 192.168.204.0 0.0.0.255 192.168.201.0 0.0.0.255
access-list 102 deny ip 192.168.204.0 0.0.0.255 192.168.202.0 0.0.0.255
access-list 102 deny ip 192.168.204.0 0.0.0.255 192.168.203.0 0.0.0.255
access-list 102 deny ip 192.168.204.0 0.0.0.255 192.168.205.0 0.0.0.255
access-list 102 permit ip 192.168.204.0 0.0.0.255 any

This should give the network access to only itself and the internet, although it will also have access to pick up DHCP from a central server and also allow the central network (192.168.200.x) to connect to any hosts on this VLAN (not the other way!)

Create mandatory profiles for all logins even go as far as using a "Deep Freeze" style program

Still put the student network on its own setup and the teachers network on another separate setup. No connectivity between them.
 
Last edited:
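The first-match behaviour of access list 102 from the post above, as an added example that is not part of the original post: a small Python evaluator that parses the ACL lines exactly as posted and runs constructed packets through them. It assumes the list is applied inbound on the VLAN 5 (192.168.204.x) interface, which the post does not state; the `Packet` class and all sample addresses and ports are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Access list 102 exactly as posted in the thread.
ACL_102 = """\
access-list 102 permit udp any any eq bootpc
access-list 102 permit udp any any eq bootps
access-list 102 permit tcp 192.168.204.0 0.0.0.255 192.168.200.0 0.0.0.255 established
access-list 102 deny ip 192.168.204.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 102 deny ip 192.168.204.0 0.0.0.255 192.168.201.0 0.0.0.255
access-list 102 deny ip 192.168.204.0 0.0.0.255 192.168.202.0 0.0.0.255
access-list 102 deny ip 192.168.204.0 0.0.0.255 192.168.203.0 0.0.0.255
access-list 102 deny ip 192.168.204.0 0.0.0.255 192.168.205.0 0.0.0.255
access-list 102 permit ip 192.168.204.0 0.0.0.255 any
"""

PORT_NAMES = {"bootps": 67, "bootpc": 68}  # DHCP server / client ports


@dataclass
class Packet:  # hypothetical packet model used only by this example
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags that are set, e.g. {"SYN"}


def take_addr(tokens):
    """Consume 'any' or 'ADDRESS WILDCARD'; return (base, wildcard) as ints."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tokens.pop(0)))


def parse_acl(text):
    """Parse the subset of extended-ACL syntax that appears in the post."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()[2:]  # drop "access-list 102"
        if not tokens:
            continue
        rule = {"text": line.strip(), "action": tokens.pop(0), "proto": tokens.pop(0),
                "dport": None, "established": False}
        rule["src"] = take_addr(tokens)
        rule["dst"] = take_addr(tokens)
        while tokens:
            tok = tokens.pop(0)
            if tok == "eq":  # 'eq' after the destination address = destination port
                name = tokens.pop(0)
                rule["dport"] = PORT_NAMES[name] if name in PORT_NAMES else int(name)
            elif tok == "established":
                rule["established"] = True
            else:
                raise ValueError(f"unsupported keyword: {tok}")
        rules.append(rule)
    return rules


def addr_match(addr, spec):
    """Wildcard-mask match: a 1 bit in the wildcard means 'ignore this bit'."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)


def evaluate(rules, pkt):
    """Return (action, matching line). First match wins; no match = implicit deny."""
    for rule in rules:
        if rule["proto"] not in ("ip", pkt.proto):
            continue
        if not (addr_match(pkt.src, rule["src"]) and addr_match(pkt.dst, rule["dst"])):
            continue
        if rule["dport"] is not None and pkt.dport != rule["dport"]:
            continue
        # 'established' is a stateless check: it only looks for ACK or RST set.
        if rule["established"] and not (pkt.flags & {"ACK", "RST"}):
            continue
        return rule["action"], rule["text"]
    return "deny", "(implicit deny at end of list)"


STUDENT, CORE = "192.168.204.25", "192.168.200.5"  # constructed hosts
SAMPLES = {  # constructed packets entering the router from VLAN 5
    "dhcp discover broadcast": Packet("udp", "0.0.0.0", "255.255.255.255", 67),
    "student to internet https": Packet("tcp", STUDENT, "203.0.113.10", 443, frozenset({"SYN"})),
    "student to vlan 201 smb": Packet("tcp", STUDENT, "192.168.201.10", 445, frozenset({"SYN"})),
    "student opens tcp to core": Packet("tcp", STUDENT, CORE, 3389, frozenset({"SYN"})),
    "reply to core-initiated tcp": Packet("tcp", STUDENT, CORE, 50000, frozenset({"ACK"})),
    "ping reply to core": Packet("icmp", STUDENT, CORE),
}


def verdicts(acl_text=ACL_102):
    """Map each sample packet name to 'permit' or 'deny'."""
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, pkt)[0] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    acl = parse_acl(ACL_102)
    for name, pkt in SAMPLES.items():
        action, line = evaluate(acl, pkt)
        print(f"{action:6} {name:28} <- {line}")
```

Under the inbound assumption, the core network's TCP sessions into VLAN 5 get their replies back, but its pings do not, because only the `established` TCP line precedes the `deny ip` line for 192.168.200.x.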
I think I've decided on the following:

One domain
Faculty in one OU, 1 "public" student account for all student computers in another OU
Public/Student account will be auto-login, locked down via GP and all web traffic forced through a Squid proxy

With the way that the physical network is connected, this will be the best and easiest way to control everything.

I actually spoke with the director yesterday and got approval to do this. Just waiting on the new servers so I can rebuild the domain. Thanks all!
 
Please take legal advice on this.

Mind if I ask why?

As long as you have proper security procedures in place there is no reason to have a second domain in this case. It doesn't even sound like the OP is planning on issuing individual AD accounts for the students but rather generic accounts that will surely be locked down via GPO and it even sounds like the passwords will not be available to students. With the enforcement of a 90 day password change with strong passwords I see no reason for concern here.

My suggestion would be students have their own AD accounts for various reasons (auditing, providing them space to store files, etc.). The student accounts just need to be locked down properly (squid proxy, no usb devices, no access to optical drives, remove control panel, etc.). The other big piece is just ensuring your staff/faculty understand the importance of security procedures (locking their computers, proper password procedures IE not writing them down, changing them often, etc.). It would require a little more user account management but it will help in other areas.

Good luck on your project, let us know how it goes.
 
Mind if I ask why?

As long as you have proper security procedures in place there is no reason to have a second domain in this case. It doesn't even sound like the OP is planning on issuing individual AD accounts for the students but rather generic accounts that will surely be locked down via GPO and it even sounds like the passwords will not be available to students. With the enforcement of a 90 day password change with strong passwords I see no reason for concern here.

My suggestion would be students have their own AD accounts for various reasons (auditing, providing them space to store files, etc.). The student accounts just need to be locked down properly (squid proxy, no usb devices, no access to optical drives, remove control panel, etc.). The other big piece is just ensuring your staff/faculty understand the importance of security procedures (locking their computers, proper password procedures IE not writing them down, changing them often, etc.). It would require a little more user account management but it will help in other areas.

Good luck on your project, let us know how it goes.

Thanks. There is no need for students to store anything on our machines whatsoever, therefore I'm not giving them anything but application and basic web access.
 
I still think vlans per classroom will give you much more scope in the future as long as they don't need to pull huge files from a server on another VLAN.
 
Mind if I ask why?

Because you don't want to be liable if someone hacks the administration side and alters records and transcripts, or accesses confidential personal information. There is always someone cleverer and more skilful than you.
 
Because you don't want to be liable if someone hacks the administration side and alters records and transcripts, or accesses confidential personal information. There is always someone cleverer and more skilful than you.

Except having separate ADs doesn't really get around the most likely of scenarios, which is a student getting the instructor's password. It doesn't matter what AD they are in if they can just login as the instructor. As long as you use one tree and put the faculty into a separate group that restricts their login to only instructor pcs and servers, that will at least make it so the person trying to login has to be at the instructor pc to do so.

Anytime we've had a security breach it's not because some leet hacker used a 0 day exploit to inject some data into your database to cause a buffer overflow allowing them to bypass security. It's because the admin person probably has their password stickied to the front of the monitor and the student was able to read that sticky note and login as if they were the instructor. Not saying that the first scenario could never happen but it's not very likely. The only way to protect yourself in that case is to have non accessible backups that you can revert to if someone really gets into your stuff and messes it all up.
 
Except having separate ADs doesn't really get around the most likely of scenarios, which is a student getting the instructor's password. It doesn't matter what AD they are in if they can just login as the instructor.

That's the whole point of an air gap. They need not only the instructor's credentials but also physical access to an administration machine.
 
Because you don't want to be liable if someone hacks the administration side and alters records and transcripts, or accesses confidential personal information. There is always someone cleverer and more skilful than you.

I agree there is always someone better than me. But in this case I just disagree with you that separate domains would remove any liability. bman hit most of it already but the other piece I'll add in regards to altering records/transcripts is that most education institutions will have hard copy/microfiche/read-only permanent records of their official records for this very reason. This plays into having a proper backup strategy and change auditing on your most sensitive data.

There is always risk and we have to do our best to mitigate that risk, but in this case I don't believe having separate domains does any better a job at mitigating that risk than having a properly setup active directory with a single domain. Just my two cents.
 
I have worked in a few schools ranging from 1000 students/staff to 30,000+ students/staff and I've never seen one that did multi-domains to have students and staff separate.

Why not give every student a login / password though? That way you can track what user is doing what on your network.
 
That's the whole point of an air gap. They need not only the instructor's credentials but also physical access to an administration machine.

I think you missed one of the sentences he stated.

Also, each classroom has 1 instructor PC and 1 server for testing software. I'm sure I'll just assign static IPs to those and have an "unfiltered IP range" for faculty.

The instructor pc as well as one of the test servers physically resides in the classroom. So if the instructor leaves the room unattended for a period of time a student can easily gain physical access to the machine.

If they had an office area for faculty to work from that was the only area where they could access things from, then it might make more sense. It would be more ideal to treat the instructor pc as just another student pc, but it might not be possible if the budget / space constraints do not allow it.
 
Why not use Hyper-V instead of ESXi? If you use Hyper-V Server Core 2012 with VT Technologies' Management Utilities you can have your cake and eat it too. http://vttechnology.com/Products/vtUtilities (adds a GUI for management)

Add http://www.altaro.com/ Hyper-V Backup Unlimited edition and you have the software to run as many VMs as you like and back them up.

Not bad at all if you consider the $645 (one time price) for the software involved.
 
So each student pc is essentially a dummy client? Having the teachers and student PCs/logins in separate OUs is a must. You might go one step further and have each classroom be a separate OU. The day will come when one teacher/classroom may need something different than the others and this would make it easier to modify. Apply security controls using GPO/GPP's (assuming Windows 7) and document those settings and label those GPOs appropriately. You can create specific ones for each teacher/student/classroom which will make future changes much easier. What happens when you need to upgrade software or install some new program for just one class? You can lockdown that computer so students can only surf webpages from IE/chrome and only grant them access to approved applications. Using GPOs you can treat the instructor PC like a student PC, but give the instructor a bit more access, like a power user. The test server would have different GPOs that allow access for the instructor to do what's needed and probably have more auditing in place, depending on the function and importance of the server.

It really does depend on what the students and teachers need access to. This should be segmented off from the Important School Servers, if those are supposed to be on the same network as well.

Once you get everything up and running, you could consider granting each student their own logins for more management and auditing, but that would take a bit more time to get setup. But I second that as being a best practice.

If you get a good L3 switch, separate VLANs would actually simplify things and make things easier to manage. Or you can use separate physical switches connected to a good firewall. Block off Important School Server access from other vlans and you set yourself up for future expansion (>254 ip addresses) or setting up a DMZ down the line (future wifi access?). That would depend on your servers and their functions, but you could treat all the student PCs as dangerous and only allow approved things from the start.

If you segment the classrooms, could kill internet access for the whole class and let it be known that Bart broke the internet for the class :-p
 
To make life easier, why not have a mapped drive for each student, enabling usb ports allows them to bring drives & viruses from home etc etc..

All the power to ya, LOADS OF WORK ...

How do you plan on separating staff from Student ?

good luck banning flash drives, good AV will take care of most issues anyways. banning usb flash drives is so 2005

Because you don't want to be liable if someone hacks the administration side and alters records and transcripts, or accesses confidential personal information. There is always someone cleverer and more skilful than you.

not going to help unless you physically separate the networks and students cannot get to any teacher PC. more likely to happen is a student socially engineers a teacher and then messes something up

So each student pc is essentially a dummy client? Having the teachers and student PCs/logins in separate OUs is a must. You might go one step further and have each classroom be a separate OU. The day will come when one teacher/classroom may need something different than the others and this would make it easier to modify. Apply security controls using GPO/GPP's (assuming Windows 7) and document those settings and label those GPOs appropriately. You can create specific ones for each teacher/student/classroom which will make future changes much easier. What happens when you need to upgrade software or install some new program for just one class? You can lockdown that computer so students can only surf webpages from IE/chrome and only grant them access to approved applications. Using GPOs you can treat the instructor PC like a student PC, but give the instructor a bit more access, like a power user. The test server would have different GPOs that allow access for the instructor to do what's needed and probably have more auditing in place, depending on the function and importance of the server.

It really does depend on what the students and teachers need access to. This should be segmented off from the Important School Servers, if those are supposed to be on the same network as well.

Once you get everything up and running, you could consider granting each student their own logins for more management and auditing, but that would take a bit more time to get setup. But I second that as being a best practice.

If you get a good L3 switch, separate VLANs would actually simplify things and make things easier to manage. Or you can use separate physical switches connected to a good firewall. Block off Important School Server access from other vlans and you set yourself up for future expansion (>254 ip addresses) or setting up a DMZ down the line (future wifi access?). That would depend on your servers and their functions, but you could treat all the student PCs as dangerous and only allow approved things from the start.

If you segment the classrooms, could kill internet access for the whole class and let it be known that Bart broke the internet for the class :-p


lots of good points in there, very over the top, but good nonetheless

AD opens up so many options, especially with GPO to make lots of granular changes that a UTM just cannot do.

a fortigate can segment all sorts of traffic based on IP's, esp with vlans, but not based on who logged into that machine(as long as traffic stays inside)

a DMZ with a l3 switch wouldnt even be necessary for wifi, as you can VLAN that too and just not let it route anywhere but out
 
Why not use Hyper-V instead of ESXi? If you use Hyper-V Server Core 2012 with VT Technologies' Management Utilities you can have your cake and eat it too. http://vttechnology.com/Products/vtUtilities (adds a GUI for management)

Add http://www.altaro.com/ Hyper-V Backup Unlimited edition and you have the software to run as many VMs as you like and back them up.

Not bad at all if you consider the $645 (one time price) for the software involved.

you dont need software for GUI management of Hyper-V

if the only role installed on the server is HyperV, it doesnt count as a use of a license, so you then install that license as a VM as well

so with enterprise you get 4 or 5 VM's out of it, and you manage it from inside server 2012 or 08R2, which really dont have much overhead(esp with core install)
 
So each student pc is essentially a dummy client? Having the teachers and student PCs/logins in separate OUs is a must. You might go one step further and have each classroom be a separate OU. The day will come when one teacher/classroom may need something different than the others and this would make it easier to modify. Apply security controls using GPO/GPP's (assuming Windows 7) and document those settings and label those GPOs appropriately. You can create specific ones for each teacher/student/classroom which will make future changes much easier. What happens when you need to upgrade software or install some new program for just one class? You can lockdown that computer so students can only surf webpages from IE/chrome and only grant them access to approved applications. Using GPOs you can treat the instructor PC like a student PC, but give the instructor a bit more access, like a power user. The test server would have different GPOs that allow access for the instructor to do what's needed and probably have more auditing in place, depending on the function and importance of the server.

It really does depend on what the students and teachers need access to. This should be segmented off from the Important School Servers, if those are supposed to be on the same network as well.

Once you get everything up and running, you could consider granting each student their own logins for more management and auditing, but that would take a bit more time to get setup. But I second that as being a best practice.

If you get a good L3 switch, separate VLANs would actually simplify things and make things easier to manage. Or you can use separate physical switches connected to a good firewall. Block off Important School Server access from other vlans and you set yourself up for future expansion (>254 ip addresses) or setting up a DMZ down the line (future wifi access?). That would depend on your servers and their functions, but you could treat all the student PCs as dangerous and only allow approved things from the start.

If you segment the classrooms, could kill internet access for the whole class and let it be known that Bart broke the internet for the class :-p

I'm going to have to go back on what I last posted as I don't think making each workstation log in with a locked down student account. The reason is that I have 26 students that are studying to be in the IT field and things need to "break" so they can have hands on experience with fixing them. Yes, that includes viruses and such.

So now I technically need to place a firewall between the core servers and the rest of the network to limit access to them. This will technically have all student PCs in a "DMZ". I'm still going to have all student PCs to send all web traffic through a Squid proxy for filtering.

Nothing is set in stone yet as I don't have my new server yet and I haven't confirmed a solid plan with the director of the school. I want to keep the network as simple as I can to show as an example for my students, but don't want to complicate my job. ;)
 
you dont need software for GUI management of Hyper-V

if the only role installed on the server is HyperV, it doesnt count as a use of a license, so you then install that license as a VM as well

so with enterprise you get 4 or 5 VM's out of it, and you manage it from inside server 2012 or 08R2, which really dont have much overhead(esp with core install)



I said Hyper-V Server Core 2012. It requires less updates/less reboots and it is harder to hack. The gui tools I suggested leverage powershell scriptlets so they do not create any additional security risks.

Personally I'd stick each classroom/building in its own Vlan. Let the teachers log into their local machines and place their local machines in two Vlans.

****Use filesecure on the server/database to ensure auditing compliance.*****

The students machines should all be easy to restore preconfigured deployments. If one gets screwed up, restore it in 20 minutes from an image.

USE AGPM to the fullest!

If you're that worried about security, have the teachers machine setup for two factor authentication with a hardware security dongle.

In that case students would need:

  • Access to an authorized machine
  • Know the Teachers Password
  • Have access to the teachers hardware access key
and even then file secure would be able to show, when the change was made and by what credentials or can be setup to prevent tampering Ex. add data only once to Cell A with a 24 hour window to change it once data is written....then the data is locked from further editing.
 