Handling User Grown Machines on a Large Network?

matth asks: "Recently with the outbreak of the MSBLASTER worm and the startup of the college semester here in the US we've been hit by a big problem here where I work. Many students are bringing in machines from home, often times infected. The infections are so bad that they bring the whole network to a crawl. Yes, you can install ACLs on edge routers and put a router between the dorms and the rest of your network, but it still brings the dorm to a crawl. You can make sure people install the patches, but what if someone re-installs Windows, or brings in another machine, and what about NEXT year? From the Slashdot community, how have sysadmins out there dealt with this? How can you manage each machine in a network such as a college, where people are bringing their own machines in from the outside? ACLs on routers... but what about for the segmented network?"

Simple...

[woodchip]

just ban users from your network.

You could just...

[gsperling]

...tell students at registration that Windows machines are not allowed on the network, and that they must install Linux. This will not only clean up your network problems, but it will also give the students a sense of doing the right thing for their computers. Along with their free condoms, give 'em free Linux CDs.

YES, THAT'S A GOOD IDEA

[YOU ARE SO FIRED!]

"Along with their free condoms, give 'em free Linux CDs."

"Here. You'll never use this first item if you choose to use the second item. Have fun, and welcome to college."

You are sooooo fired.

DHCP tricks

[TheSHAD0W]

You ought to be able to tweak your DHCP so you can block machines that are broadcasting this badly by telling them their default gateway is localhost.

start with the freshman handbook

[b17bmbr]

Chapter 2 Personal Computers

No personal computers will be allowed unless they are running Linux, FreeBSD, OS X, or another variety of *nix. If you are bringing a PC, please see the installtion CD in the back of the Freshman orientation handbook. For installation instructions, find the guy in your dorm with long hair, glasses, birkenstocks, and a penguin on his shirt. For payment, beer will usually do. Or, if you are under 21, and can't find someone to buy for you, perhaps a bag of Starbucks will suffice. However, if you are a female, just acknowleging him at least once during the semester, when you are with your friends will be plenty.

Post lists

[Maxwell'sSilverLART]

Assuming you can identify the port from which the infected traffic is coming, post a list of all infected rooms on the front door of the dorms, with an explanation that "these computers are causing your network to suck."

The problem will be fixed.

Our Solution

[skroz]

We have an incident response team that locates each individual infected host, then identifies the primary user of that machine. If they're unavailable, we install the patch and leave a message that they should come by our offices as soon as possible.

Once the patch has been applied, we sit down with the user and assure them that they're not in trouble; everyone makes a mistake from time to time, and we have simple and effective means of dealing with the problem. Once they're calmed down and convinced that we're not upset with them, we wish them a good day and send them on their way.

When they turn their backs, we shoot them in the back of the head and put their bodies on display in the courtyard as an example to the rest of the imbiciles that might practice unsafe computing.

Re:The state of employment.

[dipipanone]

First they came for the menial jobs. I never spoke out because I didn't have a menial job.

Somebody has obviously made a serious mistake then. Can I suggest you apply at the sign of the Golden Arches to find something more commensurate with your intellectual abilities?

Re:Ban 'em

[lewiz]

Having an A4 sheet detailing where to get the patch and removal tool (possibly mirrored locally) would be a good idea too.

Okay, so you give them the URL on the paper, right? Then what do they do? Call up the tech. support people and ask them to shout the patch down the 'phone? I can imagine it now: ``was that `one-one-oh', or `one-oh-oh'?''

Re:No more

[KoolDude]

I am seriously considering moving my smaller clients to Mac of Linux pretty soon

Hmm... sounds interesting, got a torrent ?

Re:Easy solution:

[Anonymous Coward]

Oh yeah. Good solution. And I suppose that computer hobbyists and programmers should be left out in the cold and be forced to use your shitty public PCs that will undoubtly be running the only OS affectd by worms and virii... Windows!?

Thanks, but no thanks.

Re:You could just...

[KoolDude]

Along with their free condoms, give 'em free Linux CDs.

Dude... you gotta follow the rules. It's ( condoms XOR Linux ).

Re:responsibility

[Durandal64]

How about we tax stupidity next?

We do. It's called the lottery.

Re:I'm actually wanting to know the same thing, bu

[KoolDude]

running Mac OS X and I haven't had to lift a finger to do much of anything for more than a year

That's what I call a boring life. Compare this to the action packed life of a Windows(tm) Admin. I can imagine the next Microsoft tagline:

Windows: Bringing Unlimited Action to bored System Admins, since 1981.

Re:Domain logons

[cptgrudge]

Quickly! Someone establish solid prior art before some company patents it and starts charging licensing fees to virus writers!

Re:Public humiliation

[Mike1024]

Maybe you can spice it up with an introductory text that gives the impression that when you're saying "most inept" you actually mean "dumb as a door-knob"

You could have a comparitive scale down the side, comparing the most inept to 'brick', ranging through 'hammer' and 'cabbage' with the cleverest compared to, say, '$10 digital watch'. You could have little iconic pictures on the scale to give it some colour.

Just my $0.02,

Michael

attn: geeks

[Barbarian]

These girls need help with their computers.

Re:forcefully

[G33kboy]

If the problem really is due to the 810577 patch, then the call to Microsoft is supposed to be FREE FREE FREE! Did removing the patch fix the problem?