IT infrastructure is the backbone of a modern educational institution. From the largest secondary boasting thousands of pupils to the smallest primary with a mere hundred pupils, accessing the network is as much a regular part of student life as school dinners.
Every day, pupils up and down the country log on to upload course work, download reading material and chart their academic progress. And it is not just the pupils that rely on the IT infrastructure. Staff members, including teachers and administrative teams, all use the network to store vital resources, share classroom material and review pupils’ work.
So, the IT infrastructure in an academic institution is a complex and multifaceted environment, with far more variation in departments than regular businesses.
As a result, policing the network can be difficult, particularly with students who are often determined to get access to sensitive files and folders that they shouldn’t have.
Loopholes within Active Directory security
To manage this, most IT managers and directors, the majority of whom work in a Windows environment, use Microsoft Active Directory to authenticate and control all users. With Active Directory, the IT staff can assign and enforce security policies for installing and updating software and, most importantly, manage user authentication.
The problem is that Active Directory is not a foolproof security solution. Yes, it manages passwords and confirms that the username matches the password. But it does not stop multiple users from logging on with the same password at the same time.
This means, for example, that a pupil who has mislaid their login details can use their classmate’s password to access the network and the IT department will be none the wiser.
An example of how to secure your school network
Camden City School District in the US has 15,000 pupils across 20 primary schools, a middle school and one secondary, and needed to eradicate login sharing and gain the ability to track workstation usage.
Amid an increasing number of students sharing user logins, the IT team found it challenging to track usage and enforce compliance with school internet and email policies. The team had been using a few outdated tools with Windows 2000 and 2003, but they were no longer supported by Microsoft and the capabilities were limited and did not provide the control they desired.
Camden IT staff needed to track down the pupils who were abusing the school’s internet usage policies or sending inappropriate emails. However, it was hard to decide who to reprimand because so many pupils were using the same logins. They needed to ensure that students were limited to using only their own personal login information and all sessions could be accurately tracked and recorded.
Of course, every academic institution has policies and procedures about not sharing passwords. In reality, though, if these are not strictly enforced, a culture of sharing passwords grows, and when a classmate is stuck, most people will happily hand over their details. They are blissfully unaware that their actions could lead to a major security breach with sensitive and confidential information falling into the wrong hands.
The best way to stop users from sharing passwords is to clamp down on concurrent user logins. That way, pupils will think twice about sharing details, as they won’t be able to get on the system if someone else is logged in using their credentials. By deploying a solution like UserLock that actively manages concurrent users, schools can control all user access, permitting or denying logins at a certain time, location or device.
In less than a week, the team at Camden was able to deploy UserLock to all PCs across all schools permitting only one login per pupil and two concurrent logins per teacher.
The IT staff no longer have 30 students logged in with the same user name at once. They’ve not only eliminated concurrent logins but now also have the ability to accurately track down and discipline individuals who are out of compliance with the school’s internet and email policies.
Technology such as UserLock that prevents concurrent logins, and restricts access by physical location and connection time, also stops malicious users from using valid credentials at the same time as their legitimate owners. When pupils can only be logged on from one device at a time, they won’t go around sharing their password, as they won’t be able to get onto the system when they need it.
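As an added illustration (not part of the original article and not UserLock's code), the Python below audits exported logon records against the limits Camden adopted, one workstation per pupil and two per teacher, and reports each logon that exceeds them. It detects sharing after the fact rather than blocking it; the record layout, role labels, user names and workstation names are constructed assumptions, while 4624 and 4634 are the Windows Security log event IDs for logon and logoff.

```python
from collections import defaultdict

# Concurrent-session limits from the Camden policy above; role labels are assumed.
LIMITS = {"pupil": 1, "teacher": 2}
LOGON, LOGOFF = 4624, 4634  # Windows Security log event IDs

# Constructed sample records: (time, event_id, user, role, workstation, logon_id).
EVENTS = [
    ("2024-03-04 08:30:00", LOGON, "mjones", "teacher", "STAFF-PC01", "0x10"),
    ("2024-03-04 08:50:00", LOGON, "mjones", "teacher", "CLASS4-PC01", "0x11"),
    ("2024-03-04 09:00:05", LOGON, "jsmith", "pupil", "LAB1-PC03", "0x1a2b"),
    ("2024-03-04 09:12:40", LOGON, "jsmith", "pupil", "LIB-PC11", "0x2c3d"),
    ("2024-03-04 09:20:00", LOGON, "mjones", "teacher", "HALL-PC02", "0x12"),
    ("2024-03-04 09:30:00", LOGOFF, "jsmith", "pupil", "LAB1-PC03", "0x1a2b"),
    ("2024-03-04 09:45:00", LOGOFF, "jsmith", "pupil", "LIB-PC11", "0x2c3d"),
    ("2024-03-04 10:00:00", LOGON, "jsmith", "pupil", "LAB1-PC03", "0x3e4f"),
    ("2024-03-04 10:30:00", LOGON, "akhan", "pupil", "LAB2-PC01", "0x20"),
    # Same-second move between rooms, exported with the logon listed first.
    ("2024-03-04 11:00:00", LOGON, "akhan", "pupil", "LAB2-PC07", "0x21"),
    ("2024-03-04 11:00:00", LOGOFF, "akhan", "pupil", "LAB2-PC01", "0x20"),
]


def find_violations(events, limits=LIMITS):
    """Replay events in time order and return (time, user, workstations)
    for every logon that puts a user on more workstations than allowed."""
    active = defaultdict(dict)  # user -> {logon_id: workstation}
    violations = []
    # ISO timestamps sort chronologically; on a tie, apply logoffs first so a
    # pupil changing seats within the same second is not flagged.
    for ts, event_id, user, role, host, logon_id in sorted(
        events, key=lambda e: (e[0], e[1] == LOGON)
    ):
        if event_id == LOGON:
            active[user][logon_id] = host
            # Count distinct workstations, not sessions: one machine can
            # hold several logon sessions for the same user.
            hosts = sorted(set(active[user].values()))
            if len(hosts) > limits[role]:
                violations.append((ts, user, hosts))
        elif event_id == LOGOFF:
            active[user].pop(logon_id, None)  # ignore logoffs with no known logon
    return violations


if __name__ == "__main__":
    for ts, user, hosts in find_violations(EVENTS):
        print(f"{ts} {user} active on {', '.join(hosts)}")
```

In a real deployment the role would come from directory group membership rather than from the record itself.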