Administering Computers
at Ipswich Public Schools

For several years, I spent several hours each week as a parent volunteer helping to administer the computers at the Ipswich Middle/High School.

Many issues we faced have commonly known solutions in the computer-admin world which are well documented elsewhere. A few solutions that we used though are harder to find even though they may be widely applicable, so I've documented them below.

Although I no longer volunteer with the schools (all my kids have outgrown public schools now) I've continued to fiddle with personal computers at home and have found and documented several additional solutions.

• WorldWideWeb Filtering

  Filtering web accesses from a school is important, both to comply with the CIPA law and to limit kids wasting time and so annoying their teachers. For web filtering Ipswich Milddle/High School uses the combination of the Open Source Software DansGuardian and Squid. As high school students' legitimate web uses range very widely, a high false positive rate leading to overblocking is a real problem. Limiting overblocking, which can easily go so far as to not even allow a student to access their own homework which they've emailed to themselves and are trying to access via a webmail portal, seems to require constant maintenance rather than the usual "set and forget" attitude.

  
  

• Transferring server software from older PATA to newer SATA hardware

  Substantial effort may be accumulated in the software configuration of a (Linux) server. Yet the hardware it was running on is failing. So the task is to transfer that whole software image from older hardware to newer hardware. Usually this is straightforward. Sometimes one can simply put the old disk in the new carcass. Other times the simplest strategy is to take an "image" of the old system and restore it on the new system, then let the Linux "new hardware detected" mechanism reconfigure the kernel as necessary. But if the old system had older parallel interface disks ("PATA") while the new system has newer serial interface disks ("SATA"), neither of the usual strategies will work straightaway. Here's one way to tweak the usual procedure so you can transfer an image from PATA to SATA.

  
  

• Setting up a default user on Win-XP

  On Windows 95/98/ME there was an option to have all users use a single configuration. (In fact, those OSs didn't support multiple users all that well, and too often it wasn't even possible to prevent what one user did from leaking into another user's world.) But on Windows 2000/XP there's no obvious option and it isn't at all apparent how to do it. Fortunately there is a Microsoft standard procedure for making all users similar (it's just not very well known).

  
  

• Shutting down most illicit network use by blocking out going packets

  Standard practice if you have a "firewall" between your systems and the open Internet is to block inbound TCP/IP ports. But this assumes that all applications are "well behaved" with respect to TCP/IP ...and the nefarious ones aren't. File sharing programs for example aren't slowed at all by blocking inbound ports and are barely slowed even by blocking specific outbound ports. What's necessary is to treat outbound TCP/IP ports just like inbound TCP/IP ports. Use the same firewall tool(s) you use to block inbound ports to also block outbound ports by default, then open only the few specific ones you really need. Although we considered this, we wound up not actually implementing it. We found the combined psychological effect of new administrative procedures and "traffic shaping" (item below) was sufficient, and we didn't need to do anything else.

  
  

• Internal caching Domain Name Service for fast web access

  We wanted to make world wide web access as quick as possible. That meant both leaving our ISP drop largely free for web traffic, and giving every web browser very fast responses to their queries. A particular waste can occur when several students visit the same website. Each one of them will request the same computer name translation and every request will go out over our ISP drop to servers on the Internet unless special actions are taken. We avoid this waste by providing our own internal caching DNS servers. The first time translation of a new name is requested, our servers don't know the answer and so have to forward the request to the Internet. But it remembers the answer. And when other computers request translation of the same name, our caching DNS servers respond very quickly themselves.

  
  

• Using DHCP for automated administration with very high availability

  We wanted to make administering new devices on our network as easy as possible, correctly assigning an IPaddress to every new device as well as supplying all the network configuration parameters. And we wanted to provide very highly available DHCP service, with both failover and failback being completely automatic. Typical uses of DHCP don't exactly meet these needs (although they come close). We found that with some tweaks to the DHCP configuration, we could make it do exactly what we wanted in our environment.

  
  

• Using "traffic shaping" to prevent any one user from monopolizing the Internet connection

  "Traffic shaping" is reordering outbound network packets according to some priority scheme, rather than just passing them on in exactly the same order they were received. Mostly traffic shaping is used either to give higher priority to time-sensitive communications (for example Voice over IP) or to ensure that downloads continue to run well even when something else is happening at the same time. But traffic shaping can also be used to guarantee a certain amount of bandwidth to every use (or even every computer), preventing one rogue user from monopolizing the Internet connection and hampering everyone else's legitimate network use.

  
  

• Forcing an application to always use particular command line arguments

  Many applications can be made do what you need them to do by specifying particular command line arguments (also known as command line switches or command line options). You can set this up for most users by adding the desired command line arguments to each of three "shortcuts": the one in Start->Programs, the desktop icon, and the taskbar icon. But it's trivial under Windows for a user to bypass all these shortcuts to launch an application without the command line arguments you desire. I've tentatively concluded there's no easy way to force a native Windows application to use particular command line arguments under vanilla Windows 2000/XP.

  
  

• Manually aligning and checking old old LCD Monitors

  Many LCD Monitors were "built in" to laptop machines and used a digital interface. Usually the rest either "just worked", or worked after the monitor's "auto" adjust was used. But occasionally an old old external flat panel LCD Monitor using an analog connection needed to be adjusted manually. (LCD Monitors using a digital connection always displayed correctly.) Here's the test pattern with instructions that was used to do it. This procedure is not needed with current flat panel LCD Monitors. At best, it will be unusable; at worst, it will mess up the display.

  
  

• Converting email addresses to images

  Not so long ago, the most common way an email address was picked up by spammers was off a website. In fact spammers have programs —typically called "spambots"— that do nothing else except "harvest" email addresses off websites. Completely removing email addresses from a website is often not reasonable, because the usefulness of the website depends critically on providing email addresses. One solution is to convert the necessary email addresses from text to images before placing them on the website. Images of email addresses are still readable by humans, but unintelligible to virtually all spambots and hence almost never harvested. Here you can download a program/tool that makes it easy to convert text (such as an email address) to an image.