I'm not convinced about the "scanning" approach. I consult for several universtities and I've found that most new students have XP and SP2 installed on the machines anyway and as a result are firewalled. I may be able to detect strange network traffic but scanning the machine is not a real possibility for most of the end users.

Instead, I've been moving towards getting the universities to isolate student machines from the university network altogether. All students whether local or remote must access the campus resources through the same Internet available resources (fully firewalled). If students in dorm B get infected - they only affect the other students in that dorm who share the same DSL connection.

Since most universities already provide services for remote students, treating ALL students as if they were remote is not an issue. Also, now the students get the same access whether at school or at home with mom and dad.

The campus network then consists only of machines controlled by the university - remediated through Group Policy (Windows Update) and locked down to a level acceptible by IT and faculty. I've had great success with this approach - control the machines you control and isolate/remove the machines you don't. Once students are in control of the quality of their internet connectivity, they amazingly seem to work together to keep machines patched and virus-free. Either way - the campus is not affected and campus IT does not need to support the Internet connectivity since it is being provided by a third party.





[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/267/28493#28493