June 5, 2009 • Vol.31 Issue 16
Page(s) 37 in print issue

User Access Control In Education Environments
Give Students The Access They Need Without Sacrificing Security

Key Points

• Students with their own laptops usually can have admin rights.

• UAC in Windows Vista should usually be set to no-prompt mode for most students.

• Controlling access is only one piece—how students access is also important.

It’s a notorious problem in the education market, one that has caused concern among administration staff and IT administrators alike. With students of all ages requiring access to computer resources, there’s a fine line between providing enough access to learn and too much access—such that a student could actually hack into a network and cause damage. For many educational institutions, the problem is exacerbated by concerns over viruses, malware, and other kinds of infections.

“The security threat does increase as access to resources increases, but the threat is not because of the access but because of nonsecure passwords or password management systems,” says Mike Donoho, the technology systems manager at Fergus Falls Public Schools in Fergus Falls, Minn. “We restrict users to try and make it easier for them to do what they need to do, not because of security reasons. It is easier for the non-technical user to find what they want without having to weed through a bunch of resources that don’t apply to them. So I would place that threat as moderate.”

Grant Appropriate Access Levels

According to Donoho, the main issue with user access control is providing access to the right level of services, rather than taking a carte blanche approach where every student gets the same kind of access. He says students get confused when they have too much access, yet they can’t do what their school projects and homework require if they do not have enough access.

Other key issues for the school district have to do with storage (which it limits on a per-student basis) and outside access to the Internet (which it also limits due to bandwidth issues).

“If students have too much access, they waste time searching servers for the project they are looking for or decide to print to [a] printer in a building across town,” he says. “In theory, each user should be able to control authentication. In reality, we have found that students will use the excuse that they can’t remember their password or ‘someone changed it’ to get out of doing their class work. Because of this, we do not allow students to control their own authentication.”

Other Approaches To UAC

Of course, Windows Vista has a now-infamous feature for user access control that prompts users when they are about to install an untested program. In Windows 7, Microsoft will introduce sliders that can be customized (and locked by IT staff) so that the prompts do not appear as often.

Scott McCarley, a spokesperson for security company BeyondTrust (www.beyondtrust.com), suggests that schools should lock down the UAC controls in Windows so the end user cannot access administration privileges and will never even see a prompt, negating any security issues with over-access.

“Users on shared machines should not make the security decisions of which processes should run with elevated privileges,” McCarley says. “By setting UAC to no-prompt mode, a school will prevent the standard users from being asked for administrator credentials, which they do not have. If, however, a standard user still needs to perform an action that requires elevated privileges, the school should utilize other products that are available to ensure that the user can still perform the necessary task.”

Yet, McCarley also says that, in the modern K-12 and higher education markets, many students own their laptops and may want to install software at home and not have to switch between UAC modes. And professors may need to install software, access networks not normally available to students, or use Web sites and access private servers. McCarley says schools should monitor user access and set up standard logins and privileged access and then maintain those accounts consistently.

“If a student owns their own computer and is responsible for maintaining the computer, then they should be configured to log in with administrator rights, with UAC enabled,” he says. “If the user retains control over their own computer, UAC will keep them more secure.”
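
The two configurations McCarley describes can be checked on a machine by reading its UAC policy values. The following PowerShell is an added example, not code from the article or from BeyondTrust; it assumes "no-prompt mode" corresponds to the Windows policy "Behavior of the elevation prompt for standard users: Automatically deny elevation requests" (`ConsentPromptBehaviorUser = 0`), and the target names `SharedLab` and `StudentOwned` are hypothetical labels.

```powershell
# Added example: audit local UAC policy against the two setups the article describes.
# Target names 'SharedLab' and 'StudentOwned' are hypothetical labels, not Windows terms.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicy {
    # Read the UAC policy values; a value that is not set comes back as $null.
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction Stop
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorUser  = $p.ConsentPromptBehaviorUser
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
    }
}

function Test-UacProfile {
    param(
        [Parameter(Mandatory)] $Policy,
        [Parameter(Mandatory)] [ValidateSet('SharedLab', 'StudentOwned')] [string] $Target
    )
    $findings = @()
    if ($Policy.EnableLUA -ne 1) {
        $findings += 'EnableLUA is not 1: UAC is off, so neither setup is met.'
    }
    switch ($Target) {
        'SharedLab' {
            # 0 = automatically deny elevation requests from standard users (no prompt shown).
            if ($Policy.ConsentPromptBehaviorUser -ne 0) {
                $findings += "ConsentPromptBehaviorUser is '$($Policy.ConsentPromptBehaviorUser)'; expected 0."
            }
        }
        'StudentOwned' {
            # 0 = administrators elevate silently, which defeats "admin rights, with UAC enabled".
            if ($Policy.ConsentPromptBehaviorAdmin -eq 0) {
                $findings += 'ConsentPromptBehaviorAdmin is 0: admins elevate without any prompt.'
            }
        }
    }
    [pscustomobject]@{ Target = $Target; Compliant = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample: UAC on, standard users prompted for credentials (3), admins for consent (2).
$sample = [pscustomobject]@{ EnableLUA = 1; ConsentPromptBehaviorUser = 3; ConsentPromptBehaviorAdmin = 2 }
Test-UacProfile -Policy $sample -Target SharedLab          # not compliant: users still see a prompt
Test-UacProfile -Policy (Get-UacPolicy) -Target StudentOwned   # checks the machine it runs on
```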

Donoho says utilities and monitoring agents can help IT managers see what students are accessing.

“Whether it is network traffic-based or user interface-based, we can graphically see what is going on,” he says. “The drawback to this is it is real time with limited archives. Of course, logs provide the archival piece but only show after-the-fact issues. This is why we use a combination of both [real-time access and logs] to get a handle on what people are doing on our servers and networks.”

Juergen Hoenig, a spokesman for NCP Engineering GmbH (www.ncp-e.com), says UAC is not just about student access to certain servers and networks but also about how they access those assets.

“Schools should control different devices and operating systems and use granular access authorizations, SSL and IPsec, automatic mechanisms for central configuration, software updates, and certificate management,” he says. “And, make sure that the TCO is low. In an IPsec VPN, the options are disconnect, continue in the quarantine zone, or start external applications on the remote PC. For an SSL VPN, access to certain applications will be granted on the basis of predefined security levels.”

by John Brandon


Distinguish Between Standard & Power Users

Juergen Hoenig, a spokesman for NCP Engineering GmbH (www.ncp-e.com), says schools need to make a distinction between power users and those who just need standard access to IT services. “The power user should have a centrally managed IPsec client for all his devices (laptop, smartphone) with integrated NAC,” he says. “For other users, an SSL VPN connection is normally enough. The administrator should be able to manage both technologies with one management system. Current remote access solutions are easy to use and secure, so the balance is there.”


Copyright © by Sandhills Publishing Company 2010. All rights reserved.