verify security level of student computers BEFORE allowing network access

Created by Scott Crevier (St. Norbert College) on July 18, 2005

I just made some source code available on our web site last week that I thought others may be interested in. We use NetReg to require all computers on campus to register before gaining access to the campus network (and the internet). Last summer (2004), we were trying to figure out how we can enforce some minimum requirements on our student computers before allowing them to register. For example, we make McAfee Virusscan available for all students, but we didn't have a way to require them to install it.

So, I wrote a small program (using AutoIt) called SNC Validator to accomplish this. When a student first fires up their computer, they only have access to one web page, our page that allows them to register their computer. This web page now allows them to download SNC Validator (a 124KB exe file) and run it. The program reads some registry settings (for Windows version, SP level, installed apps like McAfee, etc), builds a long URL, then lauches that URL in the default browser. By launching the URL, it is sending info about the computer to our NetReg server. Then, the Perl CGI script on the NetReg server analyzes all of the data and decides if the computer can be registered or not.

For example, if the CGI script sees that the user is running Windows XP, it can also make sure the user has SP2 installed. Or it can require that a certain version of McAfee Virusscan is installed based on the OS. If a specific requirement is not met, the CGI script prints a message telling the user what they need to do (i.e. install McAfee). Once the user does that, they need to run SNC Validator again, which reads the registry again and the process keeps going until all the requirements are met. Note that the SNC Validator program makes no decisions. It simply gathers and reports information. The Perl CGI script on the NetReg server is what makes the decision.

The nice thing about this setup is that the register/no register decision can be made based on any registry settings, the existence of any file, etc on the student's computer. But it does require some programming with AutoIt and Perl. If you haven't used AutoIt yet, you gotta check it out; it's quite handy for many other uses too (and it's free).

If you're using NetReg and want to give this a shot, the source code is available on our SNC Validator web page. This is only the source for the Windows EXE file. It's my hope that based on this setup, you'd be able to edit the CGI script yourself to incorporate whatever requirements you have for your campus.

We've been using this for a year now, and it has improved the overall level of security on our student computers greatly.

Scott's blog
Login or register to post comments
4751 reads

Re: verify security level of student computers BEFORE allowing n

Submitted by Stuart Yeates (University of Oxford) on July 18, 2005 - 7:13pm.

Looking at the program, the licence under which you're releasing the source code appears to be http://www.autoitscript.com/autoit3/docs/license.htm

Could you tell us why you choose this licence, rather than, for example, and open source licence, and the process you went through to get approval from your institution (who presumably own the fruits of your employment) to release it?

Re: verify security level of student computers BEFORE allowing n

Submitted by Scott Crevier (St. Norbert College) on July 19, 2005 - 8:12am.

First, I think you may have misunderstood the licensing. The source code that we're making available is just scripting code that I wrote. It can be run as a script, but it's meant to be compiled with AutoIt3. I did not author AutoIt3, only this particular piece of source code. The license that you linked to is the license for AutoIt itself, and of course I cannot speak for the authors of AutoIt. It's just as if I wrote a C program, and released the source. I'm not licensing the C compiler, or even an executable program, only the source code.

Second, we published it under the GNU General Public License to make sure anyone who needs it will have it.

As for the process, it wasn't too major. But first a bit of background. I wrote the program last summer, and it's been working well for us since last fall. Our CS director and others in the department have been sharing information about the program with colleagues at various conferences over the past year. We're a very small private college (2,000 students), so we depend heavily on sharing information/tips with our peer institutions. It's a result of those discussions with our peers that the order came for me to release the source code.

So, while it wasn't my decision, I definitely agree with it. We benefit so much from the work of others every day, by way of open source and other similar solutions. So it's only appropriate that we give back just a little. The general spirit is to share the source code at no cost with anyone who may find it helpful. And that's why it's released under the GNU General Public License.

Re: verify security level of student computers BEFORE allowing n

Submitted by Stuart Yeates (University of Oxford) on July 20, 2005 - 11:11pm.

You're right. I mistook the licence on AutoIt for the licence on your code.

Sorry.

cheers
stuart

		verify security level of student computers BEFORE allowing network access Created by Scott Crevier (St. Norbert College) on July 18, 2005 I just made some source code available on our web site last week that I thought others may be interested in. We use NetReg to require all computers on campus to register before gaining access to the campus network (and the internet). Last summer (2004), we were trying to figure out how we can enforce some minimum requirements on our student computers before allowing them to register. For example, we make McAfee Virusscan available for all students, but we didn't have a way to require them to install it. So, I wrote a small program (using AutoIt) called SNC Validator to accomplish this. When a student first fires up their computer, they only have access to one web page, our page that allows them to register their computer. This web page now allows them to download SNC Validator (a 124KB exe file) and run it. The program reads some registry settings (for Windows version, SP level, installed apps like McAfee, etc), builds a long URL, then lauches that URL in the default browser. By launching the URL, it is sending info about the computer to our NetReg server. Then, the Perl CGI script on the NetReg server analyzes all of the data and decides if the computer can be registered or not. For example, if the CGI script sees that the user is running Windows XP, it can also make sure the user has SP2 installed. Or it can require that a certain version of McAfee Virusscan is installed based on the OS. If a specific requirement is not met, the CGI script prints a message telling the user what they need to do (i.e. install McAfee). Once the user does that, they need to run SNC Validator again, which reads the registry again and the process keeps going until all the requirements are met. Note that the SNC Validator program makes no decisions. It simply gathers and reports information. The Perl CGI script on the NetReg server is what makes the decision. The nice thing about this setup is that the register/no register decision can be made based on any registry settings, the existence of any file, etc on the student's computer. But it does require some programming with AutoIt and Perl. If you haven't used AutoIt yet, you gotta check it out; it's quite handy for many other uses too (and it's free). If you're using NetReg and want to give this a shot, the source code is available on our SNC Validator web page. This is only the source for the Windows EXE file. It's my hope that based on this setup, you'd be able to edit the CGI script yourself to incorporate whatever requirements you have for your campus. We've been using this for a year now, and it has improved the overall level of security on our student computers greatly. LAN (Local Area Networks) \| Network Security and Applications \| Student Computing Support Scott's blog Login or register to post comments 4751 reads Re: verify security level of student computers BEFORE allowing n Submitted by Stuart Yeates (University of Oxford) on July 18, 2005 - 7:13pm. Looking at the program, the licence under which you're releasing the source code appears to be http://www.autoitscript.com/autoit3/docs/license.htm Could you tell us why you choose this licence, rather than, for example, and open source licence, and the process you went through to get approval from your institution (who presumably own the fruits of your employment) to release it? Login or register to post comments Re: verify security level of student computers BEFORE allowing n Submitted by Scott Crevier (St. Norbert College) on July 19, 2005 - 8:12am. First, I think you may have misunderstood the licensing. The source code that we're making available is just scripting code that I wrote. It can be run as a script, but it's meant to be compiled with AutoIt3. I did not author AutoIt3, only this particular piece of source code. The license that you linked to is the license for AutoIt itself, and of course I cannot speak for the authors of AutoIt. It's just as if I wrote a C program, and released the source. I'm not licensing the C compiler, or even an executable program, only the source code. Second, we published it under the GNU General Public License to make sure anyone who needs it will have it. As for the process, it wasn't too major. But first a bit of background. I wrote the program last summer, and it's been working well for us since last fall. Our CS director and others in the department have been sharing information about the program with colleagues at various conferences over the past year. We're a very small private college (2,000 students), so we depend heavily on sharing information/tips with our peer institutions. It's a result of those discussions with our peers that the order came for me to release the source code. So, while it wasn't my decision, I definitely agree with it. We benefit so much from the work of others every day, by way of open source and other similar solutions. So it's only appropriate that we give back just a little. The general spirit is to share the source code at no cost with anyone who may find it helpful. And that's why it's released under the GNU General Public License. Login or register to post comments Re: verify security level of student computers BEFORE allowing n Submitted by Stuart Yeates (University of Oxford) on July 20, 2005 - 11:11pm. You're right. I mistook the licence on AutoIt for the licence on your code. Sorry. cheers stuart Login or register to post comments
		© Copyright 1999-2009 EDUCAUSE Need Help? \| Feedback \| Privacy Policy
	Unless otherwise noted, EDUCAUSE holds the copyright on all materials published by the association, whether in print or electronic form. In certain cases the work remains the intellectual property of the individual author(s) (see Special Circumstances). Content from conference speeches, presentations, blogs, wikis and feeds reflect the opinions of the author, and not necessarily those of EDUCAUSE or its members.