One of the most challenging aspects of keeping a safe, productive university network is that students insist on using it. To be precise, it’s that students insist on using the university network after browsing malware-laden web sites and inadvertently stuffing their laptops full of malicious code while home on holiday.
New capabilities mean new reasons for refreshing the PCs in the university-owned fleet, but no one wants to have new systems instantly infected with malware. Is there any hope for the IT professional in education?
There is, of course, hope, and it comes in three steps:
These don’t have to be taken in sequence, but they must be taken—the sooner, the better, for everyone who uses the network.
It’s obvious that not every user needs access to every corner of your online facilities. Modern authentication and network directory facilities make it rather straightforward to logically segment the network into pieces that can be kept safe from one another.
The real key, though, is to implement device configuration policies that require any device that connects to the network to:
Be up-to-date with application and OS versions
Have specific anti-malware protection installed
Connect through a VPN
Meet any condition (or set of conditions) that administrators require
Once the conditions are met, then the device can be routed to (and limited to) any logical network segments that the user’s network privilege allows.
As a condition of the device authentication and authorization process, administrators can set up device scans that quickly search for known malware or vulnerabilities and then quarantine the device on a “safe” network segment (with no access to the rest of the network) until the infestation and vulnerability can be remediated.
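The admission decision described above, sketched as an added example (not code from the article or from any particular network access control product). The minimum OS builds, the segment names, and the `Posture` fields are assumptions made up for illustration.

```python
from dataclasses import dataclass, field

# Constructed policy values for illustration; a real deployment sets its own.
MIN_OS_BUILD = {"windows": (10, 0, 19045), "macos": (14, 0, 0)}
QUARANTINE = "quarantine"   # hypothetical remediation-only segment name


@dataclass
class Posture:
    os_name: str
    os_build: tuple
    apps_current: bool          # application versions up to date
    antimalware: bool           # required anti-malware agent present
    via_vpn: bool               # connection arrives through the VPN
    scan_findings: list = field(default_factory=list)  # malware/vuln hits


def failed_conditions(p: Posture) -> list:
    """Return the list of admission conditions the device fails."""
    fails = []
    minimum = MIN_OS_BUILD.get(p.os_name)
    if minimum is None:
        fails.append(f"unsupported OS: {p.os_name}")   # fail closed
    elif p.os_build < minimum:
        fails.append("OS out of date")
    if not p.apps_current:
        fails.append("applications out of date")
    if not p.antimalware:
        fails.append("anti-malware missing")
    if not p.via_vpn:
        fails.append("not connected through VPN")
    fails.extend(f"scan finding: {f}" for f in p.scan_findings)
    return fails


def admit(p: Posture, user_segments: set) -> tuple:
    """Return (segments, reasons). Any failure means quarantine only."""
    reasons = failed_conditions(p)
    if reasons:
        return {QUARANTINE}, reasons
    # Compliant device: limited to the segments the user's privilege allows.
    return set(user_segments) - {QUARANTINE}, []
```

Returning the failure reasons alongside the quarantine decision gives the help desk, or an "open scan" table, a concrete remediation list for the device.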
At some universities, IT departments also find it useful to have “open scan” days set up (often around orientation at the beginning of the term or just after long holiday breaks), where students can bring laptop computers to tables staffed by professionals who will scan for problems, install anti-malware, and make sure the systems meet network standards before returning them to the student. These days are also perfect for beginning the next step—education.
Students frequently bring evil to the campus network through ignorance of basic safe-computing protocols and practices.
Education, through in-person outreach, authentication-screen messaging, or online courses, can help ensure that students are less likely to engage in practices that load their computers with the kind of software you don't need on campus. While students (and, let's be honest, faculty members, as well) can be careless, most don't want to be the source of problems. Teach them to be your allies, and you'll cut down on malware infestations and support calls.
If you follow these three steps you will increase the chances that the investment you make in new desktop and laptop PCs will result in increased productivity—and not just fast, new locations for malware to call home.