School district and creative way to handle student passwords ?

Discussion in 'Security Software' started by Marlon Brown, Mar 28, 2005.

  1. Marlon Brown Guest

    K-12 institution, 15,000+ WinXP student accounts, Win2003 AD domain.
    Helpdesk and local technicians cannot keep up with password reset requests.
    My proposal for password management is a web form that lets students input
    answers to 'secret' questions and get their accounts reset. I would make the
    URL available on kiosks and let the students handle the password
    resets themselves - OK.

    This is the problem that people brought up:

    Classes are 45 minutes long. Students sometimes go to a classroom and,
    because they don't use AD accounts very often, they tend to
    forget their passwords very often. So if they go to the kiosk to request the
    password reset, that should take at least 10 minutes. That would
    take too long, according to teachers.

    What's your opinion on this ?

    I see two things here:

    a) I could say "instruct students to double-check their accounts prior to going
    to the classroom"
    b) I could say "students cannot handle password policies in the domain. Let
    me justify that I need to set up a separate domain for students and not force
    them to change passwords". That would be a very weak security policy, but at
    least the student domain would be isolated from the staff domain.

    What do you think ?
     
    Marlon Brown, Mar 28, 2005
    #1
  2. Byron Hynes Guest

    Idea #1: Let the teachers manage the students' passwords then. IOW, give
    a teacher's account permission to reset the passwords on his/her students'
    accounts, instead of or in addition to the kiosk. Heck, for that matter,
    since students will tell each other their "secret" questions anyway, let
    any account access the web page.
    The students *should* be isolated from admin/teacher accounts and networks,
    in my opinion, anyway. However:

    Idea #2: Teaching students to manage proper passwords is a good thing because
    some day they will be users and should be aware that passwords matter. I'll
    bet that not one of them forgets their MSN/Yahoo/AIM password.

    Idea #3: Remember that if you do want to isolate properly, a domain isn't
    really a security boundary, a FOREST is.

    - Byron Hynes
     
    Byron Hynes, Mar 29, 2005
    #2
  3. Roger Abell Guest

    If they really, really wanted to, or should I say needed to, remember their
    password then they are fully capable of doing so.
    Educate them to use passphrases. These are simpler to remember
    for most people.

    I am in home Room 12 !
    is an example.

    I assume that you have placed student accounts into some OU structure,
    and I assume you have some group for faculty. Delegate to the faculty
    group on the OU of the student accounts the ability to change passwords.
    Educate the faculty on how to use the ability.

    The pain for the faculty will "assist" them in imprinting upon their
    students the importance of remembering their passphrases.
     
    Roger Abell, Mar 29, 2005
    #3
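The delegation step Roger describes, as an added PowerShell example; it is not code from this thread and it uses the ActiveDirectory module, which shipped years after this discussion. The OU name `OU=Students,DC=school,DC=local` and the group `SCHOOL\Faculty` are assumptions. It grants only what a reset needs (the Reset Password control-access right plus read/write of pwdLastSet and lockoutTime on user objects under the OU), which is narrower than the usual shortcut of making teachers Account Operators, and it ends with a check of what the group was actually granted.

```powershell
# Added example (not from this thread). Delegate to a faculty group only the
# rights a password reset needs, on user objects under the student OU.
# Assumed names: OU "OU=Students,DC=school,DC=local", group "SCHOOL\Faculty".
# Requires the ActiveDirectory module (RSAT) and rights to modify the OU's ACL.
Import-Module ActiveDirectory

$StudentOU    = 'OU=Students,DC=school,DC=local'   # assumed
$FacultyGroup = 'SCHOOL\Faculty'                   # assumed
$identity = New-Object System.Security.Principal.NTAccount($FacultyGroup)

# Well-known schema GUIDs (stable across AD versions)
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" extended right
$UserClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class
$PwdLastSetAttr     = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet ("must change at next logon")
$LockoutTimeAttr    = [Guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'  # lockoutTime (unlock after bad attempts)

$Allow       = [System.Security.AccessControl.AccessControlType]::Allow
$Descendents = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$ExtRight    = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$ReadWrite   = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

$acl = Get-Acl -Path "AD:\$StudentOU"

# ACE 1: the Reset Password control-access right, inherited by user objects only
# (Descendents + user class means the OU object itself gets nothing)
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity, $ExtRight, $Allow, $ResetPasswordRight, $Descendents, $UserClass)))

# ACE 2 and 3: read/write of the two attributes a reset usually touches
foreach ($attr in @($PwdLastSetAttr, $LockoutTimeAttr)) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity, $ReadWrite, $Allow, $attr, $Descendents, $UserClass)))
}
Set-Acl -Path "AD:\$StudentOU" -AclObject $acl

# Check: exactly these three ACEs, and nothing broader, should show for the group
(Get-Acl -Path "AD:\$StudentOU").Access |
    Where-Object { $_.IdentityReference.Value -eq $FacultyGroup } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize

# What a teacher then runs from a workstation with this delegation (assumed user "jdoe"):
#   Set-ADAccountPassword -Identity jdoe -Reset -NewPassword (Read-Host -AsSecureString 'Temporary password')
#   Set-ADUser -Identity jdoe -ChangePasswordAtLogon $true
```

The same three ACEs can be written with the era's `dsacls` tool instead of PowerShell; either way, the point is that the faculty group gets rights scoped to user objects under the student OU and nothing on staff or admin accounts, which is what keeps the delegation from becoming a path from a student-facing account into the rest of the domain.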
  4. Mark Randall Guest

    CMD>
    Your password reset now takes 3 seconds....

    CMD>
    Now it takes 1.

    - Mark R
     
    Mark Randall, Mar 29, 2005
    #4
  5. Even just doing it in the good ol' fashioned GUI only takes about 30 seconds.
    Why in the world is it taking 10 minutes?
     
    Phillip Windell, Mar 29, 2005
    #5
  6. Marlon Brown Guest

    Thanks for the posts.
    I already granted teachers and local IT tech assistants the ability to reset
    passwords. We now have 50+ people resetting passwords, and I am still
    getting lots of complaints. One of the complaints that can be legitimate
    is that our wireless system has a limitation in which it doesn't allow
    people to complete logon once the password has expired. As a result of that,
    students go to the classroom and find out their password has expired and
    they can't log in. The class time is limited (45 minutes). Imagine if you are
    a teacher resetting passwords. 10 minutes doing that is considered a long
    time. It is true I am not asking people to change passwords every month
    here. It is only every 180 days, but that's the type of complaint I am
    getting.
    I strongly believe that there is an educational component to this. The same way
    kids are educated to bring notepads and books to classrooms, they could also
    be educated to check computer credentials prior to attending a class. Not sure
    if I have the power to change that though. If it continues like this, I would
    set up a domain or forest one-way trust and try to isolate the staff domain
    and leave the student domain with very relaxed password policies.

     
    Marlon Brown, Mar 29, 2005
    #6
  7. Mark Randall Guest

    Why the fricken hell are their accounts expiring if they need to use them
    for a class in the first place?

    - Mark R
     
    Mark Randall, Mar 29, 2005
    #7
  8. Magoo Guest

    Many students use their accounts only once in a while. The password is set to
    expire every 180 days. Instructional representatives argue that the 180-day
    expiration policy is causing too much maintenance for them.
     
    Magoo, Apr 1, 2005
    #8
  9. Mark Randall Guest

    It does not sound like a very good policy in my opinion, here would be my
    preferred solution:

    Use 2 domains, one for students and one for staff, isolate the students
    group from the staff completely.

    Set minimum password lengths at 8 for both STUDENT and STAFF domains, have
    staff, being privy to private information, change their passwords every 90
    days, with no option to use one used before. There is no need for expiry on
    the STUDENT domain, the information available to that domain (if correctly
    configured) would not justify the ridiculous amount of time that is being
    taken (It's only K12 - not the NSA national archives).

    Does each school have its own network, or is it all on the one AD setup?

    Secret password systems are notoriously crap. Especially with K12's who
    would probably put it as boobies or something (Hey I'm British, I have no
    idea what K12 is like for real).

    If your network is suitably locked down though... 180 day password expiry isn't
    really needed anyway... it's not like someone is going to try brute forcing
    someone's password, or leave it lying around with their username on A3 paper
    in size 150 Arial font.

    - MR
     
    Mark Randall, Apr 1, 2005
    #9
  10. Byron Hynes Guest

    > Use 2 domains, one for students and one for staff, isolate the
    Two domains will not achieve this goal unless they are in separate forests.

    - Byron Hynes
     
    Byron Hynes, Apr 1, 2005
    #10
  11. Mark Randall Guest

    Would that really be so bad? You simply need to allow trusting of STAFF
    domain accounts across the STUDENT resources, and have any relevant files
    that staff need to put up for students put in a network drive, with relevant
    ACLs set.

    Seems the best solution to me if there is such worry about student accounts that
    they need to have password expiry on, that way your STUDENT domain could get
    blown to pieces, hacked, ripped to shreds - you would lose nothing sensitive.

    - MR
     
    Mark Randall, Apr 1, 2005
    #11
  12. Byron Hynes Guest

    > Would that really be so bad? You simply need to allow trusting of
    I don't know enough about the OP's situation to firmly recommend one over
    the other. Personally, I would likely use one forest, but make very, very
    sure that the domain accounts and DCs for the student accounts were both physically
    and "logically" protected.

    I meant only to point out that *if* you are investing the admin overhead,
    hardware and financial costs to implement two domains *for the purpose of
    complete isolation* that you will not achieve that purpose if they are in
    the same forest.

    If the administration is done carefully, you could probably secure resources
    adequately even in one domain. However, as someone else pointed out, to get
    separate password policies (barring 3rd party tricks or custom passfilts),
    you need separate domains.

    - Byron
     
    Byron Hynes, Apr 1, 2005
    #12
  13. Mark Randall Guest

    I know you know this, but - really the need for physical isolation is
    minimal - I look at it this way, if at any point anyone from either student
    or staff domains goes online that network might as well be fully exposed to
    all relevant nasties.

    At my old school we used 2 domains, in this case DCS1 (for students and
    staff) and DCS1ADMIN (for financial administrators etc). I compromised the
    security on DCS1 quite a few times (mainly due to lousy ACLs and too much
    API up in my head), however I could not once compromise DCS1ADMIN because I
    couldn't even log on to the accursed thing to do anything interesting... say...
    make myself the school's official paid head of ICT (hey, I was a student there
    at the time).

    However, on top of that - we had staff and students in 2 different user
    groups on DCS1 - each with its own group policy. Maybe that would help in
    this situation.

    - MR
     
    Mark Randall, Apr 1, 2005
    #13
  14. Marlon Brown Guest

    Byron, I thought about this, but isn't a forest more adequate when you have
    administrators that would handle each domain/forest totally separately?

    One thing is for sure:
    Thanks for the posts and I agree, I will set up a damn domain where I will no
    longer request kids to change passwords.

    I will put in a one-way trust where staff can access student resources,
    including printers and student folders. The other way around won't work
    because students won't be able to even touch staff resources. I think that
    should take care of the freaking problem and these people will leave me
    alone.
     
    Marlon Brown, Apr 1, 2005
    #14
  15. Paul Adare Guest

    microsoft.public.security news group, Marlon Brown
    If you want a one way trust between domains then by definition you're
    looking at separate forests.

    --
    Paul Adare
    http://www.identit.ca/blogs/paul/
    Scientists were excited this week at having isolated a brief sound which
    occurred immediately before the Big Bang.
    Apparently, the sound was, "uh oh".
     
    Paul Adare, Apr 1, 2005
    #15
  16. Byron Hynes Guest

    > I know you know this, but - really the need for physical isolation is
    I'm not sure we're talking about the same thing. I mean the physical protection
    layer -- "guards, gates and guns" :) -- In a school setting, especially,
    the DCs need to be physically secured behind a locked door or locked cabinet.
    In general, anyone who can get physical access to a DC (let alone *all* DCs
    for a domain) can do a lot of damage. I didn't mean the networks needed to
    be air-gapped.

    I'm not sure what you mean by the last sentence. Obviously, there are lots
    of nasties flying around a LAN or the internet, but that doesn't mean that
    access or exposure is automatically the same for all machines on that network.
    I think I'm just not reading your comment correctly.
    I assume you logged on to DCS1 from a workstation, not from its own console.

    I also personally think that configuration errors (or "non-configuration
    errors" if you like) are one of the biggest security risks today, and they
    are not talked about nearly enough.

    The reason I keep harping about the "separate forests, not just domains"
    thing, is that someone like you (creative, knowledgeable, lots of time and
    motivated to "explore") who has physical access to a DC could get information
    from all the domains in the forest, not just the domain of that DC -- especially
    if they are not configured or ACL'd properly.
    Most definitely. Locking down student/lab computers is one of my favorite
    hobbies. :)
     
    Byron Hynes, Apr 2, 2005
    #16
  17. Mark Randall Guest

    This is true, we had our servers locked up in a sealed air-conditioned
    server room in padlocked towers.
    Yes, I never had access to the DCS1 main server... Well, not in any way that
    would have allowed me to physically change things on it.
    People do not like to mention things that show the large majority of them to
    be incompetent.
    They never quite managed it on mine =\ pretty decent at just maintenance
    but absolute shite at dredging security. I think the first security audit
    ever made on the thing was me trying to break into it.

    - MR
     
    Mark Randall, Apr 2, 2005
    #17
  18. I have a program that automates the creation of student accounts from any
    database conceivable. You can import into Active Directory from a counselor's
    enrollment database or any student management program.

    Set School OUs, then Grade Level OUs, then Graduating Year OUs. The reason
    for the graduation year OU is that it technically will never change over the
    course of the student's stay with the district. You could then set Group
    Policy Objects on groups to deny students access to network resources. You
    can do it all in one domain.

    The program I created will also allow you to automatically update any users
    coming in or out of the district at the interval you set, usually every
    night at midnight. Typically, usernames for school consist of the first 4
    letters of the student's last name followed by the last 4 digits of their
    student ID (school ID or state ID), but do not use their social security #.
    This password policy lets teachers easily refer back to a master username and
    password data sheet to look up any student.

    It works flawlessly as I have implemented it in many large school districts.
    It's called Smart Directories from Smart Admins, LLC.
    Email me for more details.

     
    Christian Castro, MCSE, CCNP, Jun 22, 2005
    #18
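An added PowerShell example of the OU layout and nightly import the post above describes; it is not Smart Directories and not code from this thread. It assumes a `school.local` domain, the ActiveDirectory module, an enrollment export with the columns shown (constructed sample inline), and that the student ID is stored in `employeeID` as the stable key. It follows the post's username convention, but instead of a master password sheet it gives each new account a random one-time password that must be changed at first logon (a forgotten one is then handled by the delegated teacher reset discussed earlier), disables rather than deletes withdrawn students, and moves an account whose school or graduation year changes rather than assuming the year is fixed.

```powershell
# Added example (not from this thread, not the product mentioned above).
# Nightly sync of student accounts into OU=<GradYear>,OU=<School>,OU=Students.
# Assumed: domain school.local, ActiveDirectory module, employeeID = student ID,
# student IDs at least 4 digits long.
Import-Module ActiveDirectory

$DomainDN     = 'DC=school,DC=local'        # assumed
$StudentsRoot = "OU=Students,$DomainDN"     # assumed
$UpnSuffix    = 'students.school.local'     # assumed

# Constructed sample of an enrollment export (in production: Import-Csv on the SIS export)
$enrollment = @'
StudentID,FirstName,LastName,School,GradYear,Status
100123456,Ana,Martinez,North High,2008,Active
100234567,Ben,Okafor,North High,2009,Active
100345678,Chloe,Martinson,South High,2008,Active
100456789,Dev,Patel,South High,2010,Withdrawn
'@ | ConvertFrom-Csv

function Get-StudentOU([string]$School, [string]$GradYear) {
    # Return OU=<GradYear>,OU=<School>,OU=Students, creating missing levels
    $schoolOU = "OU=$School,$StudentsRoot"
    if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$schoolOU'")) {
        New-ADOrganizationalUnit -Name $School -Path $StudentsRoot
    }
    $yearOU = "OU=$GradYear,$schoolOU"
    if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$yearOU'")) {
        New-ADOrganizationalUnit -Name $GradYear -Path $schoolOU
    }
    return $yearOU
}

function New-StudentUsername([string]$LastName, [string]$StudentID) {
    # Post's convention: first 4 letters of last name + last 4 digits of student ID
    $stem = ($LastName -replace '[^A-Za-z]', '').ToLower()
    $stem = $stem.Substring(0, [Math]::Min(4, $stem.Length))
    $base = $stem + $StudentID.Substring($StudentID.Length - 4)
    # Two students can collide on this scheme (e.g. Martinez/Martinson with IDs
    # ending in the same digits); append a counter until the name is free.
    $name = $base; $n = 1
    while (Get-ADUser -Filter "sAMAccountName -eq '$name'") { $name = "$base$n"; $n++ }
    return $name
}

function New-TemporaryPassword {
    # Random one-time password, never written to disk; replaced at first logon.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789'
    -join (1..12 | ForEach-Object { $chars | Get-Random })
}

foreach ($s in $enrollment) {
    $existing = Get-ADUser -Filter "employeeID -eq '$($s.StudentID)'" -Properties employeeID

    if ($s.Status -ne 'Active') {
        # Withdrawn: disable, don't delete, so the SID and audit trail survive
        if ($existing -and $existing.Enabled) { Disable-ADAccount -Identity $existing }
        continue
    }

    $targetOU = Get-StudentOU $s.School $s.GradYear
    if (-not $existing) {
        $user = New-StudentUsername $s.LastName $s.StudentID
        $pw = ConvertTo-SecureString (New-TemporaryPassword) -AsPlainText -Force
        New-ADUser -Name $user -SamAccountName $user -UserPrincipalName "$user@$UpnSuffix" `
            -DisplayName "$($s.FirstName) $($s.LastName)" -GivenName $s.FirstName -Surname $s.LastName `
            -EmployeeID $s.StudentID -Path $targetOU -AccountPassword $pw `
            -ChangePasswordAtLogon $true -Enabled $true
    }
    elseif (($existing.DistinguishedName -split ',', 2)[1] -ne $targetOU) {
        # School or graduation year changed: move the account; username and SID stay
        Move-ADObject -Identity $existing -TargetPath $targetOU
    }
}
```

Keying on `employeeID` rather than on the username is what makes the move case safe: the username is derived once at creation and never recomputed, so a student who changes school or year keeps the same account, group memberships and profile, and only the OU (and therefore the GPOs that apply) changes.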
  19. "Christian Castro, MCSE, CCNP" <Christian Castro, MCSE,
    > wrote in message
    Of course it will change. Only full time students that stick to the exact
    schedule will graduate at the expected time. Part time students and others
    who progress more slowly may take 5, 6, 7 years to get a 4-year degree.
     
    Phillip Windell, Jun 23, 2005
    #19