Securing the laptops that schools give to children

Posted on 2024-05-27 by Matt Strahan in Business Security

This week Alexei and I will be presenting at the AISNSW ICT Management and Leadership Conference. Alexei is giving workshops on physical security and going from on-prem active directory to cloud based Microsoft 365. I’ll be presenting on Essential 8 for schools, why they might use it and what it’s trying to protect.

A while ago I talked about how healthcare has extremely specific security requirements and limitations around how they can approach security. Really, though, every industry faces their own unique challenges. For schools, they have the rather unique requirement of having to provision and secure devices that are going to be used by children. Imagine asking a primary school child, for example, to get out their phone and type in a multi-factor authentication code to get access to their learning platform? The way of “locking down” their systems must be approached in a very different way to enterprises.

In this post I’ll be giving my opinion on it. There’s no “right way” to secure the laptops of school kids and even amongst individual schools they may have to have different approaches for different year groups, but hopefully I can give out some ideas.

The danger of prescriptive standards

I’ll be presenting this week around the ASD Essential 8 for schools and how they can use this standard to improve their security. Essential 8 provides a lot of ideas around how to prevent real world attacks from being successful, being led by the experience of the Australian Signals Directorate (ASD). An organisation that implements the Essential 8 should expect real improvement in their security.

All that said, it’s still a generic, prescriptive standard that cannot consider anything that might be unique about your organisation. There’s no “see whether it’s appropriate for you or not” about it, instead it says “do this and this and this.” For those organisations with special requirements they might need to pick and choose what is appropriate for them.

Which brings me to the special case of securing the laptops of school kids. What is appropriate? What won’t work?

Inconvenience becomes infeasible

The obvious starting point is to identify the controls that aren’t even feasible to expect a child to complete. The number one control that children struggle with is one I’ve already mentioned: Multi-factor authentication.

The standard way people think of for protecting their systems would be to have the user enter a username and password, then enter a token usually through either an SMS message or some sort of mobile app. The password must meet complexity requirements, of course, having at least 12 characters and including numbers and capital letters.

We can already see a few issues with this login flow. Phones, for example, are often banned in classrooms, so expecting a school child to use a mobile device to login is not going to work very well. For younger children even a password might cause issues! If you’re expecting a child to type in a long password when they may very well be only learning how to type, you’re going to have some delays in class.

The second factor also needs to be carefully considered. If we’re going to start using biometric data, for instance, we begin to hit not only practical issues but privacy issues as well. Using fingerprinting or facial recognition for school kids, for instance, can be somewhat problematic from an ethical standpoint.

Where does that leave us, then? We have struggles authenticating our users, so how do we provide access?

What are the controls that we can easily implement?

Luckily it’s not all hopeless. There’s a bunch of controls that are extremely feasible to implement and should probably be standard for all school issued laptops:

  • Anti-malware: This should be the first control that’s applied. It doesn’t have to be a pricy solution - Microsoft Defender for example is a great solution.
  • Automatic updates: I speak to a lot of IT managers who feel reluctant to turn on automatic updating because of fear of a misapplied or broken patch. The prospect of this happening during test time, for instance, would be a nightmare for schools. Over the past 5-10 years, though, the risks of this happening have shrunk to the point of being negligable. While I’d still keep major updates to school holiday periods, automated security updates should be safe to enable.
  • Automated backup: With cloud platforms like Onedrive or Google Drive being readily available to schools for reasonable prices, automated backups should be a standard control for student laptops. These laptops have a nasty habit of breaking down and a quick re-issue of laptops is a must for all schools.
  • Content filtering: The students should be blocked from browsing to illegal content, dangerous content, and adult content.
  • No admin access over laptops for students: Students should be provided a regular user account for the laptop, rather than local administrator.
  • Device encryption: Laptops get stolen or lost. Encrypting them now-a-days using something like Bitlocker is often just a flipping of a switch.

I’d like to add one more that I think all schools should put in:

  • Application control: I know that this is put into the “too hard” basket, but if there’s one control that provides safety for laptops from cyber security attacks this would be it. Malware that can’t run can’t harm you.

From the essential 8 side, believe it or not, this is a fair part of the standard already implemented. It’s a bit of pick and choose, but it’s perfectly OK to use the standard like this.

Permissions and access

Before I speak about authentication, it’s important to take in the context of what children will access. Should you even require authentication to access the system? Are there creative ways of validating access?

If I were going from scratch, here’s the security model I might choose for a school that has school issued laptops:

  • For each laptop, use client certificate based authentication to access the school’s student wireless network. This would prevent students from needing to input a password for the network.
  • Conditional access policies would allow access to non-sensitive information to users on those wireless networks without requiring authentication. Non-sensitive information would include homework assignments, lessons, school news, and most things not specific to that student.
  • Access to sensitive information such as the student’s own work would use certificate based single sign-on tied to the device itself. (This would, of course, cause upkeep - students would not be able to share laptops and temporary laptops might require IT staff for issuing.)
  • Students would login to their own laptops with in-device biometrics and a simple pin code as a backup.
  • Parents would be issued the user account password for backup access, and teachers will be able to access student devices using their own account credentials.

This security model might work for some schools and might be impossible to implement for others. Their learning management system might not support single sign-on or their devices might need to be shared in some way. I’d like to put forward some principles though that I think would be beneficial to follow:

  • Students should only be able to access what they need to access. Their devices shouldn’t have access to the entire network, so use firewall rules to limit network access. They shouldn’t have access to change laptop administrator settings. They shouldn’t be able to load up even the login screen to school staff systems.
  • Automated or seamless authentication should be preferred over password based or multi-factor authentication.
  • Backup authentication should be available if students are unable to login to their own systems.

Unfortunately the details of what might be appropriate to you might depend on your specific school, your capabilities, the devices you’re providing, and the applications you use. Creative solutions might be the best solutions, though. For instance, could you use conditional access policies that lock authentication to a specific wireless network? Could you use QR codes with an in-built authentication token?

The ultimate inside attackers

A discussion on laptops issued to school kids can’t end without acknowledging the other role a student might play - they can be attackers themselves! It’d be somewhat hypocritical of me to pretend I didn’t do any exploration of digital boundaries as a child so I can’t really fault kids for trying the same thing.

For enterprises they talk about “Advanced Persistant Threats” or APTs. Often schools are teaching the APTs that are targeting them!

The same controls that protect the school from a compromised laptop will also protect the school from kids being trying their own attacks. In general, network restrictions on student subnets, application control, access controls, and restricted permissions on services like Learning Management Systems will all help protect the school. If you’re concerned about the prospect of being attacked this way maybe opt for a penetration test from the perspective of a student. Believe it or not the students will do the same attacks we will so you might need professionals to look at it!

From someone who ended up in cyber security, I feel that if you do catch kids looking at how their computing systems work and even stretching the boundaries then a bit of encouragement could even end up with them in an amazing career in IT or cyber security!

A large challenge for schools

The complexity of cyber security for school issued laptops is often discounted by parents, teachers, and school administrations. There are unfortunately no easy answers (even the choice of Chromebook or Microsoft laptop makes a huge difference!) but there are good guidelines to follow. If you want us to help you with your cyber security, let us know!

About the author

Matthew Strahan is Co-Founder and Managing Director at Volkis. He has over a decade of dedicated cyber security experience, including penetration testing, governance, compliance, incident response, technical security and risk management. You can catch him on Twitter and LinkedIn.

Photo by Brooke Cagle on Unsplash

If you need help with your security, get in touch with Volkis.
Follow us on Twitter and LinkedIn