Computer Science Canada :: View topic - Creating a Hack Proof/Protected Image

Computer Science Canada

Creating a Hack Proof/Protected Image

Author:	ChaoticMetroid [ Fri Oct 20, 2006 10:26 pm ]
Post subject:	Creating a Hack Proof/Protected Image
Hey, this is my first comp sci post although I lurked around a bit last year, so here goes. I'm currently attempting to create a hack proof/file protected image through which I can reimage a computer lab in my school. The problem that's arrising though is protecting the computers so students can't access areas they don't need, as well as are unable to right-click. We currently use Folder Guard 7.0 in the school, but the license has expired so I'm in search of alternative software (preferably free). Any other tips to help prevent unwanted tampering and the exploitation of loop-holes in security software are also appreciated. Thanks.

Author:	rdrake [ Fri Oct 20, 2006 10:38 pm ]
Post subject:	Re: Creating a Hack Proof/Protected Image
I doubt you'll be able to do all that without spending at least some money... but there is an option from Microsoft called Shared Computing Toolkit for Windows XP. Though, it being from Microsoft might present some problems. ChaoticMetroid wrote: ...a hack proof/file protected... A lot of places make use of DeepFreeze, might be something to consider. Though it is not free.

Author:	Silent Avenger [ Fri Oct 20, 2006 10:41 pm ]
Post subject:
Well make sure you get all the loop holes unlike my school did. We were able to share files and games over the whole school network and this year they fixed that but came up with more loop holes. I know that you can use a program which I think is called deep freeze and it will delete anything off the c drive in the computer that a student may have saved there such as a video game. I also think it may restore any files that have been deleted off of the hard drive as well but I'm not so sure about that part.

Author:	ChaoticMetroid [ Fri Oct 20, 2006 10:43 pm ]
Post subject:
Thanks for the tip off on Deep Freeze it seems like a good alternative, I guess now my main concern would be looking for loop holes, if anyone knows any common ones please let me know.

Author:	Silent Avenger [ Fri Oct 20, 2006 11:25 pm ]
Post subject:
Well I found the website for deep freeze and of course you have to pay for it, I'm not sure how much though. website: http://www.faronics.com/html/deepfreeze.asp I know of some tips to look out for: make sure they can't use any search features that comes with windows make sure they can't put any files on the network where it is accessible to all members *make sure they can't change some settings on the computer such as the screen resolution There are more loopholes I know of but I can't think of them right now. we also have a program at our school that checks if anyone has downloaded an exe file or running an unauthorized exe and it alerts the admins of the network. I'm not sure what they call the program but I'm sure if you google it you should be able to find something similar.

Author:	ericfourfour [ Sat Oct 21, 2006 12:31 am ]
Post subject:
Quote: *make sure they can't change some settings on the computer such as the screen resolution In my school, some of the computers have this and this is the feature that pisses me off. When the screen resolution is locked at 800x600 there isn't enough room on the screen for anything. Also, when the refresh rate is locked at 60hz it kills my eyes. Personally, I think students should be able to adjust atleast the screen resolution and refresh rate because many people prefer different screen settings.

Author:	Tony [ Sat Oct 21, 2006 12:48 am ]
Post subject:	Re: Creating a Hack Proof/Protected Image
ChaoticMetroid wrote: as well as are unable to right-click dumbest... idea... ever... if you go to such extend to limit and outright annoy students (right-click is just a shortcut menu, available through keyboard and/or other menu lists), why let them use computers in the first place? the best solution (also cheapest with a whooping price is FREE) is to install and run an actual multi-user OS system (so anything but Microsoft Windows). Unix groups, file permissions, and user privilages are your best friend for administering such environments. The student is completely free to use the computer to its full utility, yet are limited to their own user container and will not interfere with anyone else. If for whatever political reasons, the expense of Microsoft Windows is justified, DeepFreeze is the way to go. Let the students run wild, the machine will just reimage itself at boot. Just _please_ don't purposly cripple the machines. Also implement policies/guidelines for having students request additional software to be installed. There are a lot of programming languages and applications one might be interested in.

Author:	ChaoticMetroid [ Sat Oct 21, 2006 10:56 am ]
Post subject:
They will be able to request software is put in, and programming languages needed such as VB, Turing, and JCreator will be installed before hand. The main concern is something like Counter Strike getting installed. As for right-click disabling people have in the past put up vulgar desktop backgrounds, and this would be an easy fix. The computers this is being done on will most likely only be used for occasional internet access, microsoft word, powerpoint, and programming, none of which I believe truly require right-click.

Author:	wtd [ Sat Oct 21, 2006 11:04 am ]
Post subject:
Using any MS Office app without right-click sounds like a nightmare to me. As for desktop backgrounds, one need only access the control panel and the background can be changed without right-clicking once. Really, I think on some things you simply have to take the approach of finding meaningful ways of punishing students who break the rules (which must be clearly posted in no uncertain terms). Otherwise you might as well chuck the machines.

Author:	Silent Avenger [ Sat Oct 21, 2006 11:54 am ]
Post subject:
wtd wrote: As for desktop backgrounds, one need only access the control panel and the background can be changed without right-clicking once. You can also use MS Paint to change the background as well, that's what we do at our school.

Author:	rdrake [ Sat Oct 21, 2006 12:11 pm ]
Post subject:
ChaoticMetroid wrote: As for right-click disabling people have in the past put up vulgar desktop backgrounds, and this would be an easy fix. If you allow a browser such as Internet Explorer to be used, as I recall students can hover their mouse over the image and set it as a background there. If you're really concerned about saving money, perhaps you should consider replacing Microsoft Office with OpenOffice.org. It's a beautiful, free MS Office replacement that's 100% free and open source.

Author:	neufelni [ Sat Oct 21, 2006 12:12 pm ]
Post subject:
At my school, we can right click but we can't get into the display properties. If we click on properties it says we don't have access to the properties. I think that doing something like that is a much better idea than completely disabling right clicking.

Author:	Tony [ Sat Oct 21, 2006 1:07 pm ]
Post subject:
ChaoticMetroid wrote: As for right-click disabling people have in the past put up vulgar desktop backgrounds, and this would be an easy fix. Well as it's been pointed out above, there are a dozen different ways of changing the background. Including through the VB accessable Win32 API (which you plan on installing) - I've used it to overwrite my backgrounds even with a locked 'display settings' properties. That's why, as I've mentioned before, a multi-user OS choice is so good - the backgrounds could be changed, but they are limited to the specific user, so noone will end up loading the machine and finding an 'interesting' background left for them. And I'm siding with wtd here - it would be best to meaningfully punish a few, but let the rest use computers in full, rather than purposfully break the machines for all.

Author:	Silent Avenger [ Sat Oct 21, 2006 5:04 pm ]
Post subject:
Well I find that our school has quite a good system running with deepfreeze and seperate accounts for each student. By having separate accounts and giving each student a "spot" in the server there is no chance of them leaving an interesting background for the next person who uses the computer. But instead of cripling the computers let them be a little more functional just punish the ones who break the rules. A good punishment is kicking them off the computers for a week and letting them see how hard it is to do their work without a computer and they should learn that abusing the privilege to use the computers at school is wrong. Although somestudents may not learn so if there are students in the school that you know just won't learn then do what Tony suggested by running a multi-user OS.

Author:	md [ Sat Oct 21, 2006 7:26 pm ]
Post subject:
I'm surprised it hasn't been mentioned; but if you make a general vmware image for each student and then run it on login you can be pretty secure. Limit hte vm's access to things; and store all files on a networked share. You can even just have one image for everyone and make it non-persistant. Then just have the vm reboot on logout and it'll wipe itself clean.

Author:	bugzpodder [ Sat Oct 21, 2006 8:11 pm ]
Post subject:
Tony wrote: ChaoticMetroid wrote: As for right-click disabling people have in the past put up vulgar desktop backgrounds, and this would be an easy fix. Well as it's been pointed out above, there are a dozen different ways of changing the background. Including through the VB accessable Win32 API (which you plan on installing) - I've used it to overwrite my backgrounds even with a locked 'display settings' properties. That's why, as I've mentioned before, a multi-user OS choice is so good - the backgrounds could be changed, but they are limited to the specific user, so noone will end up loading the machine and finding an 'interesting' background left for them. And I'm siding with wtd here - it would be best to meaningfully punish a few, but let the rest use computers in full, rather than purposfully break the machines for all. that wont work. priviliages are often abused rather than respected. it takes time and resources to track down these people, something most schools are unwilling to deal with.

Author:	Amailer [ Sat Oct 21, 2006 8:41 pm ]
Post subject:
My school disabled partically everything on the computers (for the library only though..). They even removed the whole Menu bar in Internet Explorer, so everytime I want to open another window, I would have to right click a link and click "Open in New Window", honestly its annoying If they wanted, they could have simply found a way to disable the Internet Options or something, not the whole menu bar My old school did it well, I'm not sure what they were using but they disabled specific things, like games, things from being installed (any even if you installed it, anything installed on the C drive would get reset everytime the comp restarted) and right clicking on the desktop and changing the properties wasn't allowed either... (But of course, this was only in the Library, all the computers used in classes we had full access to pretty much all features...) I don't think that software was free btw-- Cool part was, they installed Firefox so you didn't HAVE to use Internet Explorer

Author:	Silent Avenger [ Sat Oct 21, 2006 9:04 pm ]
Post subject:
Amailer wrote: My old school did it well, I'm not sure what they were using but they disabled specific things, like games, things from being installed (any even if you installed it, anything installed on the C drive would get reset everytime the comp restarted) and right clicking on the desktop and changing the properties wasn't allowed either... (But of course, this was only in the Library, all the computers used in classes we had full access to pretty much all features...) I don't think that software was free btw-- Cool part was, they installed Firefox so you didn't HAVE to use Internet Explorer Having things reset on the computer is because of the deep freeze program or another program of a similar type. It's also pretty cool that you can access just about anything on the regular computers. At our school we aren't allowed to do that but we are able (by a little hacking) install things right to the whole network and access things that we aren't supposed to like the overide program for teachers at our school where you can take over someone else's computer.

Author:	Tony [ Sat Oct 21, 2006 9:20 pm ]
Post subject:
Amailer wrote: Cool part was, they installed Firefox so you didn't HAVE to use Internet Explorer Oh yeah, that's another important point to stress -- do install Firefox, and better yet make it the default internet browser.

Author:	ChaoticMetroid [ Sat Oct 21, 2006 11:33 pm ]
Post subject:
Firefox is installed, as well as internet explorer. Md can you please provide details on how to go about limiting hte vm's I'm not really familiar with this, but it seems like an alternative to consider.

Author:	md [ Sat Oct 21, 2006 11:57 pm ]
Post subject:
I wish I could, but I don't know how to set it up like I described. I know it can be done, as I have seen it, I simply don't know how.

Author:	ChaoticMetroid [ Mon Oct 23, 2006 6:43 pm ]
Post subject:
Hey, I found out it is required that I block .exe files and installers (not my idea, but this is apparantly mandatory). Any tips for this?

Author:	wtd [ Mon Oct 23, 2006 6:48 pm ]
Post subject:
It really sounds as though your school has no interest in actually running a computer lab. I suggest you advocate that they invest their funds elsewhere. The arts can always use more funding.

Author:	Tony [ Mon Oct 23, 2006 7:15 pm ]
Post subject:
ChaoticMetroid wrote: Hey, I found out it is required that I block .exe files and you expect to run any applications, how? arbitrary blocking any .exe would also prevent students from actually executing any programs they write.

Author:	ChaoticMetroid [ Mon Oct 23, 2006 9:27 pm ]
Post subject:
I think its stupid, and it'll lead to more work for me when they realize they need new software, but they don't want any .exe running in case they contain games like CS. I've been able to accomplish most of everything else using the registry and microsoft shared computer toolkit, so this is the last hurdle.

Author:	Amailer [ Mon Oct 23, 2006 9:54 pm ]
Post subject:
Why don't you just restrict installation of programs to admins only? And install all the necessary programs yourself

Author:	Silent Avenger [ Mon Oct 23, 2006 10:03 pm ]
Post subject:
There are programs out there that you are able to input a list of exe files so for example MS word, MS paint, Turing, VB, Internet Explorer and the program will detect any programs that are run that are not in the list. I find that this would be the best idea because every time someone tries to run a game in our class the next day the principal always catches them. I'm not sure what the name of the program is called but a google search may find it. I'll also ask my compsci teacher tomorrow because he used to be the tech guy for our school 5 years ago so he may know the name of the program.

Author:	md [ Mon Oct 23, 2006 10:50 pm ]
Post subject:
Locking down a computer that tight makes it next to useless, especially in a teaching enviroment. I'm glad I don't go to whatever institution employs you, anywhere that requires that computer be locked down that much can't possibly know anything about teaching.

Author:	Tony [ Mon Oct 23, 2006 10:53 pm ]
Post subject:
md wrote: Locking down a computer that tight makes it next to useless, especially in a teaching enviroment. I'd just bring my cellphone with me, and use that instead. Because at this point any Java enabled cellphone offers more educational utility.

Author:	Dan [ Tue Oct 24, 2006 10:34 am ]
Post subject:
I hate to break up the deepfreze love fest but deepfreze has magor security holes in it. Any student that knows how to use google could find a script kiddy hack to expoite it. Almost every school "security" program there is for windows has some masive hole or overlook in it. With windows if you have phsyical access to the mashen then you might as well be the admin with full access. What i whould recomened is trusting your students. To make windows secure to the point you whont you whould have to remove all funontionality and you might as well just teach them to right code on paper. Deepfrezze will stop the average student and it allows for alot more freedom then locking everything down, but it causes problems when students save to the local hard drive rather then the network and it makes it hard to add programs. Also as i side any one that can use google and click a buttion can expoite it....

Author:	octopi [ Tue Oct 24, 2006 11:23 am ]
Post subject:
If you worried about games like counter strike. Here might be an option: Make a program that sites in the background, and kills all processes that match the name of the counter-strike game. If I was doing it, I'd set it so it only does it once every 20 seconds, Or however long it takes for a kid to load up counterstrike, and just about start to play. This will surely annoy them. To top it off, I'd output some random error to mislead the kids, such as "Not enough memory."-If they think its a hardware thing, then they're not going to try to fix it. For this to work, you've got to make sure that they don't know that you have a program killing there games though, or else they'll look for ways to beat it. If you need help making something like this, I can try and help you out, PM me, if you'd like. This way, it wouldn't kill legitimate programs, or programs made by students in a programming class, just CS (or programs with the same filename)

Author:	wtd [ Tue Oct 24, 2006 12:07 pm ]
Post subject:
There is an important lesson in all of this: You cannot fix sociological problems with technology.

Author:	rdrake [ Tue Oct 24, 2006 12:23 pm ]
Post subject:
octopi wrote: Here might be an option: Make a program that sites in the background, and kills all processes that match the name of the counter-strike game. If I was doing it, I'd set it so it only does it once every 20 seconds, Or however long it takes for a kid to load up counterstrike, and just about start to play. This will surely annoy them. Funniest thing is the kids wouldn't be bright enough to stop, and keep trying to launch it . Honestly though, the best you can home for is to let them do whatever, then restore everything on logout. No matter what you do, they will always find ways around your restrictions. The only way to stop them will be to make the computer completely unusable, and not very productive.

Author:	wtd [ Tue Oct 24, 2006 12:31 pm ]
Post subject:
One final technological suggestion: install Linux. You'll get 99% of the educational functionality Windows would give you, plus some stuff Windows wouldn't give you, and you wouldn't have to worry about malware, or a huge number of games working. It's not a solution, but it gets you a lot closer to your goal. You get the added value of students being forced to adapt to a new computing environment. This will help to ensure that their skills are based on a solid conceptual understanding of computing, rather than rote memorization of the quirks of a version of Windows doomed to obsolescence in the near future.

Author:	ChaoticMetroid [ Fri Oct 27, 2006 9:32 pm ]
Post subject:
Thanks for the help guys. I've gotten permission to allow full access to internet and software on the computer which is a major plus. What looks like the last hurdle now is making it impossible to save files on the desktop or delete shorcuts. The reason for this is that files are expected to be stored into a Student Folder on the computer.

Author:	Silent Avenger [ Fri Oct 27, 2006 10:38 pm ]
Post subject:
Well I don't think disabling the desktop so that you can't delete short cuts and save files to it is a good idea. Our schools system allows us to put whatever we want on the desktop and the system saves the file to our accounts at the school and the only icons that can't be deleted are the vital ones that are reset by the admins.

Author:	ChaoticMetroid [ Sat Oct 28, 2006 8:48 am ]
Post subject:
Each student has a TEL account, which is a service the Toronto District School board offers so they can store their own files. When transitioning files from the computer to the TEL account a Student Folder is used. The main reason is just to keep things looking neat, and make everyone's lives easier by having all software they will use in school constantly on the desktop.

Author:	wtd [ Sat Oct 28, 2006 12:29 pm ]
Post subject:
Is there a way you could link the desktop to their account on the server? Such that any file placed there is actually stored in some kind of "Desktop" directory on their account on the server?

Author:	ZeroPaladn [ Wed Nov 01, 2006 1:36 pm ]
Post subject:
I think my school has that... There is a folder with all the shortcuts in it, and the contents of the folder are plopped onto the desktop upon loging in. You can delete them, but when you log of and log back on again, they reset to the ones in that folder. I think that's what your looking for, wtd. Quote: If you worried about games like counter strike. Here might be an option: Make a program that sites in the background, and kills all processes that match the name of the counter-strike game. If I was doing it, I'd set it so it only does it once every 20 seconds, Or however long it takes for a kid to load up counterstrike, and just about start to play. This will surely annoy them. To top it off, I'd output some random error to mislead the kids, such as "Not enough memory."-If they think its a hardware thing, then they're not going to try to fix it. Or, you can just make a program that check each program that executes, and if it is not a program inside a safe lst, then halts the execution of the program, the logs of the user. Thats what my school does. They also check every new .exe file that is bring onto the system, and if it is not on a safe list, then it get deleted and logs off user.

Author:	Silent Avenger [ Wed Nov 01, 2006 4:17 pm ]
Post subject:
ZeroPaladn wrote: I think my school has that... There is a folder with all the shortcuts in it, and the contents of the folder are plopped onto the desktop upon loging in. You can delete them, but when you log of and log back on again, they reset to the ones in that folder. I think that's what your looking for, wtd. Quote: If you worried about games like counter strike. Here might be an option: Make a program that sites in the background, and kills all processes that match the name of the counter-strike game. If I was doing it, I'd set it so it only does it once every 20 seconds, Or however long it takes for a kid to load up counterstrike, and just about start to play. This will surely annoy them. To top it off, I'd output some random error to mislead the kids, such as "Not enough memory."-If they think its a hardware thing, then they're not going to try to fix it. Or, you can just make a program that check each program that executes, and if it is not a program inside a safe lst, then halts the execution of the program, the logs of the user. Thats what my school does. They also check every new .exe file that is bring onto the system, and if it is not on a safe list, then it get deleted and logs off user. Well there are programs that will do what you such as detecting exes that do not belong on the network but our system only alerts the principle of the exe and deosn't delete the program because at our school we use VB and we make exes of all our programs to hand them in so it makes more sense to have it just alert the admins rather than delete the program all together.

:

You can syndicate this boards posts using the file backend.php or view the topic map using sitemap.php.

Terms of Use | Privacy Policy