Corwin

That and don't give out admin rights.

Works beautifully.

Scotty

But, I think he is talking about hacking, or breaking in and what files are modified, and replacing those files if they are "hacked".
Since Win2k and others are so virus friendly, that is a problem too.
I am sure there are programs out to find and tell you or replace system files if they are "hacked".
-Scott

lpetrich

For what operating system?

That's a no-brainer with Unix-like operating systems. Simply create accounts for your users that do not allow them to change anything critical -- just give them write access only to some "home" directories and their subdirectories.

It may also be possible with whatever Windows flavor you may be using, but I'm not sure of the details.

I don't do that on my home machine, however, because I'm its only user (it runs MacOS X).

Cofffee

I don't think you would find too many commercial programs that let you change a file and then sometime later it changes back to the original version.... In my opinion, that's not a great way to secure a system because the file "temporarily" becomes the "replaced" version... Unless perhaps you are talking about files on the local machine (C: Drive), which you can change, but you reboot and the file is back to normal.

The proper way to secure a school network is to make system files read-only so it can't be changed in the first place. Trying to edit / delete or replace a read-only file will usually result in an error message, unless your editor / copy program is poor-quality.

Perhaps it's not a piece of commercial software, but instead it's a nightly restore script that overwrites any changed files with their original version from a read-only, shared network location.

It could also be a login/logout script, so when you log in, it re-copies the appropriate files from the read-only, shared network location.

Or, perhaps it is a script that executes upon boot-up of the machine. Where the computer has a RAM drive that is created during startup and the network cards automagically connect to the network to boot up the computer and some important files get copied to the RAM drive from the read-only, shared network location. You would be able to change the files on this ram-drive, but the next time you rebooted, it would re-copy the other version of the files from the network. If the computer lab admin powered down the computers every night, or the computers were set to restart themselves on a schedule, then the computers would be cleaned up daily.

Also, instead of a RAM drive, it's possible that an internal hard disk is used to store the copy of the important system files. You may be able to create a "persistent" drive letter by repartitioning this internal hard disk (e.g. perhaps the script would only know about the C: drive, but wouldn't do anything about the "D:" drive it you were to split it into two.)

Windows 2000/XP would be pretty difficult to re-copy / re-install everytime someone booted the computer. It would be pretty painless with Windows 95 or 98.

You could try rebooting one of your computers and looking at the startup messages to see how the computer is booting. It may say something like "Booting from LAN, Looking for DHCP / BOOTP, or show some crazy 16 dight MAC address" and this would be an indication of the computer connecting to the server and logging in and getting the latest copy of the files. Most Admins try to hide as much of the startup messages as possible, but you may be able to repeatedly press DEL, CTRL+A, F1, F2 or F10 and maybe get a little more information about the system configuration.

You could try unplugging the computer from the network to see what it would do in this case. Or even try rebooting with the network cable unplugged and see what error messages you get. Can you log in with the cable unplugged?

Try to see how frequently the file system gets replaced with the original version:

- Is it every login / logout? Then it's probably a login script.

- Is it every night, or every reboot? Then it's probably a boot-up script.

- Is it every minute or every several minutes predictably? You could put a file in a directory and repeatedly press F5 to refresh the folder view in Windows to see how frequently it changes... This would indicate a timed script set to run ever x number of minutes.

- Is it immediately after making a change? This is the only possibility I can think of that could be a commercial program running in the background. It would be something like a virus scanner that just watches all your files and folders and if it detects a change, it immediately restores the original file from a safe backup folder... You may be able to press CTRL+ALT+DEL to see the running programs, you may be able to end a program like this that is watching the files.

Wow, can you tell I like computer lab hacking? They had to institute a computer lab monitor to sit in our high school computer lab for the whole lunch hour to ensure we weren't up to no good. I had to find all sorts of ways to get around their security to get a command prompt, and I even wrote my own hotkey-activated BOSS program so I could play computer games and quickly switch out of it if someone wandered by. I'm so glad no one cared what you did in the University computer labs.