
Students accessing back of PC

So I am an IT Tech at a school that will remain anonymous for obvious security reasons, however I will refer to this as "The school". 

 

So me and my team are struggling to prevent students from accessing the back of PCs, with this, a lot of students are vandalising the PCs and unplugging the ethernet, which if done correctly, allows for no filtering and allows them to edit the PC, which isn't the best. My team have tried zip tying the back of the PC as well as using the supplied lock, but the kids are snapping the hooks used to keep the protection in place. We cannot spend significant money either, so moving the PCs to where students couldn't reach them is not an option. If anyone has a solution to this, or a product that would stop kids from breaking these, it would be greatly appreciated. Photos are attached of the affected devices.

Link to comment
Share on other sites


I mean the nuclear option is to use something like hot glue over the ports, but that will be destructive

Console.WriteLine("Hello World!");

Link to comment
Share on other sites


Seems more important to address the fact that unplugging the Ethernet cable gives kiddos control you don't want them to have, because as long as this is an issue, they'll keep finding new ways to break whatever security you put in place. 

Link to comment
Share on other sites


Unfortunately, there's nothing more destructive than a bored student. You probably can't stop them (especially if disciplinary action hasn't been an effective deterrent), but you can at least slow them down.

 

Try using metal straps instead of plastic zip ties.

 

https://www.amazon.com/Clamps-Stainless-Fasteners-Adjustable-Ducting/dp/B08QCPHDNR/

 

Drill or cut slots in the solid part of the plastic cover for the strap to pass through. If you get the screw in the right spot, they shouldn't be able to take it apart without "real" tools.

 

You may also have to reevaluate the lockdown software you use. It shouldn't leave the computer wide open if it boots up disconnected from the network.

I sold my soul for ProSupport.

Link to comment
Share on other sites


1 hour ago, winn_ter_fall said:

So I am an IT Tech at a school that will remain anonymous for obvious security reasons, however I will refer to this as "The school". 

 

So me and my team are struggling to prevent students from accessing the back of PCs, with this, a lot of students are vandalising the PCs and unplugging the ethernet, which if done correctly, allows for no filtering and allows them to edit the PC, which isn't the best. My team have tried zip tying the back of the PC as well as using the supplied lock, but the kids are snapping the hooks used to keep the protection in place. We cannot spend significant money either, so moving the PCs to where students couldn't reach them is not an option. If anyone has a solution to this, or a product that would stop kids from breaking these, it would be greatly appreciated. Photos are attached of the affected devices.

Start with using BitLocker and not allowing BIOS fiddling, and network boot only

As for preventing physical tinkering you can put a cam to watch the room and expel any wrongdoer

System : AMD R9  7950X3D CPU/ Asus ROG STRIX X670E-E board/ 2x32GB G-Skill Trident Z Neo 6000CL30 RAM ASUS TUF Gaming AMD Radeon RX 7900 XTX OC Edition GPU/ Phanteks P600S case /  Thermalright Peerless Assassin 120 cooler (with 2xArctic P12 Max fans) /  2TB WD SN850 NVme + 2TB Crucial T500  NVme  + 4TB Toshiba X300 HDD / Corsair RM850x PSU

Alienware AW3420DW 34" 120Hz 3440x1440p monitor / ASUS ROG AZOTH keyboard (wireless) / Logitech G PRO X Superlight mouse / Audeze Maxwell headphones

Link to comment
Share on other sites


Back in my day we had the PCs cracked open simply by using a link in Safari that automatically opened Script Editor.

 

I have to echo the sentiments of "why the hell does unplugging the ethernet defeat the PC security?" That makes zero sense.

Link to comment
Share on other sites


18 minutes ago, PDifolco said:

expel any wrongdoer

I don't think they do this in schools any longer.  For anything.  The parents sue.

Link to comment
Share on other sites


Not sure what resources the school has at its disposal, but I think looking at non-digital examples of vandalism deterrents could be helpful. What comes to mind is that schools, at least in the States, normally have a giant rock outside near the front entrance that students can decorate per guidelines. This helps reduce graffiti on the building itself by providing a creative / destructive outlet. This is normally paired with a security system to detect people who deface the building, and those cases are handled accordingly.
 

Could you see if you could get your hands on some SBCs like a Raspberry Pi or maybe some e-waste machines and allow the students to tinker with them in class as part of a project or in an after-school club? Not sure what part of the world you're in and if this is even feasible, but increasing security (including fixing whatever config allows students to bypass security by removing network connectivity) and increasing access to devices that aren't mission critical and are easily repaired (e.g. what makes Raspberry Pis great is that once a student bricks one, you just flash a new SD card and you're back up and running) might be a possible solution. 

Or check your local jurisdiction, corporal punishment might be an option /s

 

Link to comment
Share on other sites


23 minutes ago, Erioch said:

I don't think they do this in schools any longer.  For anything.  The parents sue.

Haha stupid woke era

Then let the pricks ruin off the PCs and make them pay for replacement 


Link to comment
Share on other sites


It depends a lot on the physical layout of where the computers are. 

Can they be locked up?  Putting them in a locked box is the easiest thing to do.

Given that it is a school, education is also an option.  Any students caught doing this are welcome to join the computer club, and they can learn about computers and computer policy.  Carrots and sticks!  "if you 'hack' the school computers, the computer club will lose access to the computer lab..."

Link to comment
Share on other sites


Speaking as a Technician at one school district and formerly of another, I too echo...how does a district secure their PCs so poorly that merely disconnecting an Ethernet cable gives any level of power to students?  That seems like a HUGE security hole.

Current Personal Rig

CPU: Ryzen 7 3700X w/ Corsair H60 AIO   MB: ASRock B450 Steel Legend ATX  RAM: 32 GB Corsair Vengeance RGB Pro 3600 (2x16)  GPU: EVGA GeForce RTX 3060 XC Gaming  PSU: EVGA 750GQ Semi-Modular  Storage: 500 GB WD Black M.2 NVMe + 1 TB 2.5" SSD  WiFi: TP-Link Archer TX3000E  Keyboard: Corsair K65 Mini  Mouse: Logitech G502 Wired  Monitor: Gigabyte G27FC 27"

Link to comment
Share on other sites


On 6/7/2024 at 5:19 PM, CrowTheRobot said:

Speaking as a Technician at one school district and formerly of another, I too echo...how does a district secure their PCs so poorly that merely disconnecting an Ethernet cable gives any level of power to students?  That seems like a HUGE security hole.

The GPOs not being applied on startup would do this; unrestricted access might just mean an unrestricted access to a standard account.

Link to comment
Share on other sites


The way I have seen it handled is to simply run them from a locked closet and simply run cabling to the stations. Unless the PCs are set to lock down the BIOS and the OS is locked down by permissions properly, there won't be any way to stop students from damaging or reinstalling the OS (a properly set up BIOS should stop this). Most of the time the GPO and setup of these stations are by users who do not fully set up these features imo.

Link to comment
Share on other sites


Just remove the computers, then they can't vandalize them then. When they start crying that they need PCs after a while, let them know that any vandalism will be reported and charged. 

Gaming With a 4:3 CRT

System specs below

 

CPU: AMD Ryzen 7 5700X with a Noctua NH-U9S cooler 
Motherboard: Gigabyte B450 Aorus M (Because it was cheap)
RAM: 32GB (4 x 8GB) Corsair Vengance LPX 3200Mhz CL16
GPU: EVGA GTX 980 Ti SC Blower Card
HDD: 7200RPM TOSHIBA DT01ACA100 1TB, External HDD: 5400RPM 2TB WD My Passport
SSD: 1tb Samsung 970 evo m.2 nvme
PSU: Corsair CX650M
Displays: ViewSonic VA2012WB LCD 1680x1050p @ 75Hz
Gateway VX920 CRT: 1920x1440@65Hz, 1600x1200@75Hz, 1200x900@100Hz, 960x720@125Hz
Gateway VX900 CRT: 1920x1440@64Hz, 1600x1200@75Hz, 1200x900@100Hz, 960x720@120Hz (Can be pushed to 175Hz)
 
Keyboard: Thermaltake eSPORTS MEKA PRO with Cherry MX Red switches
Link to comment
Share on other sites


Simplest workable option is to find some sort of mesh (breathable) case you lock around a computer.

 

At random intervals, inspect all machines before a class starts, then inspect afterwards to catch people meddling.

Link to comment
Share on other sites


On 6/7/2024 at 8:13 AM, winn_ter_fall said:

So I am an IT Tech at a school that will remain anonymous for obvious security reasons, however I will refer to this as "The school". 

 

So me and my team are struggling to prevent students from accessing the back of PCs, with this, a lot of students are vandalising the PCs and unplugging the ethernet, which if done correctly, allows for no filtering and allows them to edit the PC, which isn't the best. My team have tried zip tying the back of the PC as well as using the supplied lock, but the kids are snapping the hooks used to keep the protection in place. We cannot spend significant money either, so moving the PCs to where students couldn't reach them is not an option. If anyone has a solution to this, or a product that would stop kids from breaking these, it would be greatly appreciated. Photos are attached of the affected devices.

You aren't going to prevent them vandalizing the PC unless it's not physically present. You need to make their goal difficult enough to not be worth the effort.

  • Is it possible to set up a secure SSID or is there some reason it has to be ethernet?
  • Run a PowerShell script to hide/disable other/unknown SSIDs.
  • Disable creation of local accounts.
  • Implement rolling local admin password. (LAPS)
Link to comment
Share on other sites


On the Win XP Pentium 4s we had in middle/high school, changing your background was disabled. I liked tracking down the bitmap in the Windows folder to replace it with one of the same name, I even retained the network ID in the corner of the wallpaper as a courtesy... The computers got wiped at the end of the school year anyways, so it's not like it was leaving a permanent trace. I remember the teacher in one of my classes especially even appreciated it, as she would share my desktop when pausing the computers, lol.

 

May be a hot take but part of the magic of computers is how personalizable they are (or were). Locking computers down to the point they are a chore to even tolerate using very well could be part of the reason for these students' actions. Make reasonable guidelines of what is acceptable while allowing customization. Had I been able to change my desktop the proper way I wouldn't have had to change it for everyone on the computer. Fostering a cooperative userbase might be easier than keeping it an antagonistic competition with them.

Listens to WAN show while doing dishes. 😊 Living in 2024 with a tech attitude stuck in 2010.

Link to comment
Share on other sites


So yesterday I was reading a post by a person who was seeking help with a school AD domain. He was trying to stop students from bypassing GPOs by selectively unplugging the network cable. I used to do something similar back when I was in school. Anyway, I kind of ignored it but then ended up doing a bunch of research and I found a solution. I didn't want my research to go to waste so I am creating this post.

 

Answer

https://serverfault.com/a/446497

 

Also this doesn't stop any of the other ways to bypass it.

 

https://medium.com/tenable-techblog/bypass-windows-10-user-group-policy-and-more-with-this-one-weird-trick-552d4bc5cc1b

Link to comment
Share on other sites


On 6/7/2024 at 5:13 AM, winn_ter_fall said:

So I am an IT Tech at a school that will remain anonymous for obvious security reasons, however I will refer to this as "The school". 

 

So me and my team are struggling to prevent students from accessing the back of PCs, with this, a lot of students are vandalising the PCs and unplugging the ethernet, which if done correctly, allows for no filtering and allows them to edit the PC, which isn't the best. My team have tried zip tying the back of the PC as well as using the supplied lock, but the kids are snapping the hooks used to keep the protection in place. We cannot spend significant money either, so moving the PCs to where students couldn't reach them is not an option. If anyone has a solution to this, or a product that would stop kids from breaking these, it would be greatly appreciated. Photos are attached of the affected devices.

Put the computers in a locked desk.

Link to comment
Share on other sites


On 6/7/2024 at 7:13 AM, winn_ter_fall said:

So I am an IT Tech at a school that will remain anonymous for obvious security reasons, however I will refer to this as "The school". 

 

So me and my team are struggling to prevent students from accessing the back of PCs, with this, a lot of students are vandalising the PCs and unplugging the ethernet, which if done correctly, allows for no filtering and allows them to edit the PC, which isn't the best. My team have tried zip tying the back of the PC as well as using the supplied lock, but the kids are snapping the hooks used to keep the protection in place. We cannot spend significant money either, so moving the PCs to where students couldn't reach them is not an option. If anyone has a solution to this, or a product that would stop kids from breaking these, it would be greatly appreciated. Photos are attached of the affected devices.

The first place students usually fiddle with is the BIOS. In my university, just to avoid exams on the computers in class, my friends would enter the BIOS and make some changes to the settings that would cause it not to boot, and then the teacher would just reschedule the exam. Start with setting a strong BIOS password for all machines. 

The next place I would make changes in is basically the network. The computer should be set up such that if it is disconnected from the network, the system completely locks down (not that much of a pro in this). One way to achieve this is using group policy: you set a policy saying that if the internet is disconnected or the ethernet is removed, the system locks down and requires an administrator to come and fix the problem. Also enable chassis intrusion detection in your BIOS so that if students with a damn screwdriver have access and open the system, you can identify and rectify the error. The chassis intrusion error can only be cleared if you enter the BIOS and then save and exit, and the BIOS password will prevent students from doing that. 

Also, get good antivirus protection installed. I have seen and heard stories of students downloading viruses and stuff, especially ransomware, to install them and bring the entire school down. You would also need internet filtering. In my school, I remember my friends using the school internet to play games online, download pornographic material and stuff. You need good network-wide filtering software as well. You could look at using a spare PC and installing Linux and Pi-Hole on it to get the job done.
If you use Windows, you can have an admin account that is super secure and if possible connected to the Azure Active Directory, or even a local account would do. The account students would use should just be a basic account which would require permission from an administrator to install a program. 

The next thing is students deleting system32. Trust me, I have seen my friends do it and it is the worst time for any IT admin as they need to reinstall everything from the start. Set up Windows Server on a spare system, enable Windows Deployment Services to use PXE to network boot. This will save you tons of time compared to getting a USB flash drive and doing it manually. I myself use PXE boot on the Windows Server 2025 evaluation at home and trust me, when I destroy my OS while doing some computer science projects, I can just network boot and install Windows. It is a time saver compared to searching for a flash drive and flashing it.

 

This should make it difficult for students to make any unauthorized changes. Although kids are becoming smarter and smarter than us, it should make it difficult and deter them from even trying.

Link to comment
Share on other sites


On 6/7/2024 at 9:19 AM, PDifolco said:

As for preventing physical tinkering you can put a cam to watch the room and expel any wrongdoer

this is kinda dumb

Link to comment
Share on other sites


On 6/12/2024 at 3:29 PM, WiscoMetro said:

May be a hot take but part of the magic of computers is how personalizable they are (or were). Locking computers down to the point they are a chore to even tolerate using very well could be part of the reason for these students' actions. Make reasonable guidelines of what is acceptable while allowing customization. Had I been able to change my desktop the proper way I wouldn't have had to change it for everyone on the computer. Fostering a cooperative userbase might be easier than keeping it an antagonistic competition with them.

this is the way

Link to comment
Share on other sites


1 hour ago, NF-A12x25 said:

this is kinda dumb

Why? Cams are used for surveillance everywhere now, and are super cheap

Even just knowing there are cams will prevent most students from touching stuff they shouldn't 


Link to comment
Share on other sites


On 6/13/2024 at 4:51 PM, Roschlynn Dsouza said:

Set up Windows Server on a spare system, enable Windows Deployment Services to use PXE to network boot. This will save you tons of time compared to getting a USB flash drive and doing it manually.

PXE solves a lot of the "user tinkered with the thing" problems, but it would be easy for someone to unplug and plug into a laptop with a PXE server to then tamper with the computer.

 

PXE should only be done when the physical device is secured first.

 

Like in order:

1. Lock the computer in a desk that the user cannot pull the USB keyboard/mouse out of (e.g. rear ports only); use a zip tie or superglue on a choke on the cable so it can't be pulled far enough to rip it out of the computer. 

2. Password protect the BIOS

3. Install a PXE-booted OS that reads off the network only. No local storage.

4. Use Citrix and make all the users basically use the same "server", not only is there no local storage, they can't insert a USB drive somehow that the server will see.

5. Install webcams on all computers and use the Windows Hello feature so not only can they not login to the computer as anyone but themselves, but it leaves an audit log of who tampered with it.

6. If you're not willing to lock the computer in a chassis, then do yourself a favor and enable the chassis intrusion functions the Dell/HP systems have. Disable all USB ports but the ports the mouse and keyboard are plugged into.

7. Set up a background admin-run script that just pings the server every 2 seconds, and if it doesn't detect 3 consecutive pings, lock the computer.

 

Link to comment
Share on other sites
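The ping watchdog from step 7 above, which also covers the "lock down when the Ethernet is removed" idea in Roschlynn Dsouza's post, written out as an added example that is not code from anyone in the thread. The server name, log path and the choice to lock by disconnecting the console session through the WTS API are assumptions of this sketch.

```powershell
# Added example, not from the thread. Meant to run as SYSTEM from an "At startup"
# scheduled task so a standard user cannot stop it.
param(
    [string]$Server   = 'dc01.school.example',  # placeholder host to probe
    [int]$IntervalSec = 2,                      # "pings the server every 2 seconds"
    [int]$MaxMisses   = 3,                      # "3 consecutive pings"
    [string]$LogPath  = "$env:ProgramData\LinkWatchdog\watchdog.log"  # assumed path
)

# LockWorkStation only locks the caller's own session, and a SYSTEM task lives in
# session 0. Disconnecting the console session through the WTS API drops whoever
# is at the keyboard back to the sign-in screen instead.
Add-Type -Namespace Native -Name Wts -MemberDefinition @'
[DllImport("kernel32.dll")]
public static extern uint WTSGetActiveConsoleSessionId();
[DllImport("wtsapi32.dll", SetLastError = true)]
public static extern bool WTSDisconnectSession(IntPtr hServer, uint sessionId, bool wait);
'@

function Test-ServerReachable {
    param([string]$Target, [int]$TimeoutMs = 1000)
    $ping = New-Object System.Net.NetworkInformation.Ping
    try {
        # Send() throws when the name cannot be resolved or no adapter has a link,
        # which is what a pulled cable looks like. Count that as a miss.
        $reply = $ping.Send($Target, $TimeoutMs)
        return ($reply.Status -eq [System.Net.NetworkInformation.IPStatus]::Success)
    } catch {
        return $false
    } finally {
        $ping.Dispose()
    }
}

function Lock-ConsoleSession {
    $id = [Native.Wts]::WTSGetActiveConsoleSessionId()
    if ($id -eq [uint32]::MaxValue) { return $false }   # no console session attached
    return [Native.Wts]::WTSDisconnectSession([IntPtr]::Zero, $id, $false)
}

function Write-WatchdogLog {
    param([string]$Message)
    Add-Content -Path $LogPath -Value "$(Get-Date -Format o) $env:COMPUTERNAME $Message"
}

New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
$misses = 0
while ($true) {
    if (Test-ServerReachable -Target $Server) {
        if ($misses -ge $MaxMisses) { Write-WatchdogLog "link to $Server restored" }
        $misses = 0
    } else {
        $misses++
        if ($misses -eq $MaxMisses) { Write-WatchdogLog "$Server unreachable $misses times, locking" }
        # Re-lock on every pass while the link stays down, so signing back in
        # with cached credentials does not give an offline desktop.
        if ($misses -ge $MaxMisses) { [void](Lock-ConsoleSession) }
    }
    Start-Sleep -Seconds $IntervalSec
}
```

Every lab PC running this locks when the probed server itself goes down, so point `$Server` at something highly available or probe a second host before counting a miss.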
