school needs help stopping hackers

[liquidmonkey]

i work as a math teacher (90%) and computer guy (10%) at a school and on our computers we are using windows XP which is run from another company on a network. in order to access the computers you must login and your own password. i'm sure you know the login screen. without this you cannot access anything OR so i thought.
kids have been getting into the computers, reseting the BIOS passwords, putting in Power Up passwords and such, one kid even installed a totally different version of windows. this is a problem and i would like to know a technical solution on 1) how to stop the kids from doing this and 2) how are they able to do this?
i'm no hacker / cracker and only work on the computers at the school 2 hours a week so i don't have a lot of time to deal with these problems in depth.
can someone out there please help me?

 

[PhillipBelcher]

First of all, Your are obviously on a network, which version of windows server are you using? Secondly, who handles the Active Directory side of it? You should be able to change the user setting through the Group Policy(GPO). As far as the bios setting are conserned, i would go through and set the passwords for the bios, maybe even a power on password, limiting the bios setting that they can fiddle with. Please provide a little more information on the server systems you are running on, and how the groups are set. Thanks

 

[neversleeps]

its easy, make the punishment for getting caught hacking school computers expulsion, problem solved especially after the first one caught is gone, lol. seriously tho, did the computers start with bios passwords or did the kids just go in and set one because there never was one. the only way i kno to reset one is to take the battery out but i doubt the kids r actually taking the pc apart, i dunno havent looked into it before. if there was never bios passwords then ur not trying very hard. i would set the bios passwords and take the cd and floppy drives out of the boot order. that will at least stop them from installing other windows copies unless they r actually resetting the passwords in which case i dunno

 

[Inaris]

If you can also provide information on what the actual machine are, that would help too. What os are they, what brand are they. Different vendors provide different levels of security on the bios so depending on a few things, we can give you more specific information.
The following applies to XP and Win2k only, so if your using win98, then it's not going to work the same...

On the secuirty of the OS, make them all users. Don't grant them admin access. That will stop them from being able to load any programs on the machine that effect the machine level of the OS.
Somthing that works really well, is applying the Secure workstation template. This is a security setting template that takes the machine and adjusts the default settings to use a much tighter set of rights. additionally, if you do have an active directory setup, applying group policy restrictions is a very simple way to stop them dead in their tracks. if you want to get into it, just ask... many people know a lot about it...

Best wishes..

 

[Vormund]

its easy, make the punishment for getting caught hacking school computers expulsion...

My school (local community college) will call the police, if you were to do that Then again, it's not often anyone is that bored...

As everyone has said, you probably didn't have a BIOS password set, thus easy access to add a password...as well as setting the boot device to "CD-ROM"--enabling them to install an O/S.

So...merely set a BIOS password, change the first boot device to the HD with your Windows on it, and *disable* all other boot devices.

Also, a common problem with schools is there is no Admin password set--whoever sets the computers up is not very careful in that case--so check that.

And last of all, ensure "Safe mode" is disabled...!

PS: You only work 20 hrs per week?! (10% = 2 hrs) Sweet!

 

[Tyler1989]

No we don't know what the log on screen looks like depends on what you use please don't tell me you are using just XP and you are using another product such as Netware right?. I also am having a hard time figuring out how students are bypassing the bios password (suprised F2 isn't disabled). Do you even have a bios password by default?

 

[Win2kpatcher]

I would agree before you can even attempt to lock down windows you must prevent them from accessing the BIOS first. Put a power on password for the BIOS this way anytime a machine is powered off manually a administrator or teacher would have to enter this.

Then assuming the PC's are on 24/7 you can lock down the machines with a policy. Be sure to remove all options for "reboot and shutdown" both on start menu items and the CTR-ALT-DEL menu.

 

[EricB]

it's easy to disable a bios password (short the memory cap). give the adminstrator in safe mode a password. a lot of people can't get past that

 

[Crysalis]

I would also suggest a program called DeepFreeze. It is sold in mass licenses for schools, and it would be a GREAT investment. Basically, what you do is you set up your computer exactly how you want it, then you install DeepFreeze and configure it. Once its configured, the computer will ALWAYS...no matter what... boot the EXACT SAME WAY as it did when you configured the deepfreeze software.

Lets say you put some files on the computer. The you shut it down. When it starts up, those files are gone. Say you change every setting possible... when you restart, it will be back to normal without question. The software is password protected and cannot be changed or even opened until that password is entered. If there is a password, it should be random letters and numbers... nothing that makes sense (that way brute-force cracking programs can't get it). If it has any kind of word that is in a normal dictionary, it will pick it up and let the "hacker" in.

As for them getting into BIOS, you should have set your own BIOS
passwords or do as ericB suggested.

You should also look into some sort of lock software. My college has it on every computer where unless you figure out the password (thats if you can even find the way to get to the box to type it in), depending on what the "tech" set it to, you can lock certain features such as settings. You can disable the start menu and make it so that they can't bring it back up by blocking them from changing settings. If you did that, then you could just make shortcuts on the desktop of all the programs the students will ever use. You could also lock the ctrl-alt-delete function. You could set it so that unless you know the password, you can't use ctrl-alt-delete to access the task manager. Libraries use this software... its actually pretty cool. I can "hack" it, but thats only because i know how it all works (there are ways of getting around some things, but not very much...not anything useful). If you dont, then you can be locked up pretty well.

Do some research on how to lock computers and software that is capable of what you need. The stuff is definitely out there. DeepFreeze would be a very good choice.

 

[liquidmonkey]

WOW!!!
thank you for all the great replied everyone, very much appreciated!!
been talking to our network supplier and the way to go is BIOS passwords for all the schools in our group as well as HDD being the only boot device.
i'll check into the 'deepfreeze' program for sure, it sounds great!!
thanks again!!