B.C. School District 67 (Okanagan Skaha) has installed desktop security software from Appsense to lock down desktop PCs for its 7,200 students. The district, which serves the cities of Penticton and Summerland, is using the software across its 19 sites and 2,800 desktop machines.
Managing a high-school student is akin to being in a war-zone, said Danny Francisco, IT manager at SD67 in Penticton. School kids like to test limits, and things are no different on the LAN. They have been known to install keyloggers on machines, for example. “We have 7,000 built-in hackers. We’re worried about the kids on the inside of the network, as well as what’s on the other side of the firewall. And you can’t reprimand them by firing them as you might in a business,” he said.
“The other thing is that the end-users have to be productive. We have to let them use certain software.” The District has 160 different desktop applications in its portfolio including products such as Maya’s 3D modelling software. How do you lock down a network while leaving it open?
As part of a major infrastructural overhaul that began five years ago, SD67 had consolidated different computing platforms to become a Microsoft shop. Francisco’s team installed a high-speed fibre optic network throughout the district and centralised the network, running many applications over Micosoft’s Terminal server, and then standardised all desktop computers on Windows XP SP2.
“Microsoft promised that XP SP2 would be more secure, and it was, but the problem was that most programs they needed to run needed adminsitrator rights, so we had to open up all the security to get things done,” he says. “So Microsoft sold us security, but it’s too bad that you can’t run anything when it’s secure.”
SD67 had been using Application Manager, a product from PC security company AppSense, on its servers for five years. The software stopped students installing software on the server when using Terminal Services. It wanted to use the product on desktop computers, but has held back because the product locked everything down with no ability for exceptions. It had no ability for educators to self-authorize application installation. This was a problem, because educators have to install new software regularly without having to manually get permission from the IT department. Trialling different applications is a regular process in the classroom.
When Appsense included the self-authorization feature in Application Manager, Francisco decided to start using it on the desktop, and rolled it out during the summer. The benefits have been immense, he explained.
“Students now can’t download and run iTunes, MSN Messenger and other programs,” he said. “A lot of staff didn’t realize that when people would go and visit some Web sites, an ActiveX control would pop up, and boom, you’d have spyware cropping up on the machine.”
Now, the IT department doesn’t have to worry about cleaning up or reinstalling machines infected with spyware, and students who want to try and hack the computers are unable to get past the kernel-mode Appsense security. But educators can still install software when needed.
The district is also using Appsense’s Performance Manager to help improve system performance. Occasionally, PCs will lock up, due either to badly-written software (Microsoft Outlook, for example, will occasionally begin chewing up all available CPU cycles for no reason) or because of user error. Students have been known to try and import huge files into photo editing applications, which can lock up a machine for 20 minutes and make it difficult to close the system down. Performance Manager helps to regulate system activity and stop a single application hogging the machine.
Francisco said the secure systems allows him to concentrate on other projects, including partnering with the city to pilot a wireless mesh network using a fibre backhaul network that SD67 has already installed.