Ipswich Public Schools
For several years,
I spent several hours each week as a parent volunteer
helping to administer the computers at the
Ipswich Middle/High School.
Many issues we faced have commonly known solutions in the computer-admin world
which are well documented elsewhere.
A few solutions that we used though
are harder to find
even though they may be widely applicable,
so I've documented them below.
Although I no longer volunteer with the schools
(all my kids have outgrown public schools now)
I've continued to fiddle with personal computers at home
and have found and
documented several additional solutions.
- WorldWideWeb Filtering
Filtering web accesses from a school is important,
both to comply with the CIPA law and to limit kids wasting time and so annoying their teachers.
For web filtering, Ipswich Middle/High School uses the combination of the Open Source Software
DansGuardian and Squid.
As high school students' legitimate web uses range very widely,
a high false positive rate leading to overblocking is a real problem.
Limiting overblocking, which can easily go so far as to not even allow a student
to access their own homework which they've emailed to themselves
and are trying to access via a webmail portal,
seems to require constant maintenance rather than the usual "set and forget" attitude.
- Transferring server software from older PATA to newer SATA hardware
Substantial effort may be accumulated in the software configuration of a (Linux) server.
Yet the hardware it was running on is failing.
So the task is to transfer that whole software image from older hardware to newer hardware.
Usually this is straightforward.
Sometimes one can simply put the old disk in the new carcass.
Other times the simplest strategy is to take an "image" of the old system and restore it on the new system,
then let the Linux "new hardware detected" mechanism reconfigure the kernel as necessary.
But if the old system had older parallel interface disks ("PATA")
while the new system has newer serial interface disks ("SATA"),
neither of the usual strategies will work straightaway.
Here's one way to tweak the usual procedure so you can transfer an image from PATA to SATA.
- Setting up a default user on Win-XP
On Windows 95/98/ME there was an option to have all users
use a single configuration.
(In fact, those OSs didn't support multiple users all that well,
and too often it wasn't even possible
to prevent what one user did
from leaking into another user's world.)
But on Windows 2000/XP there's no obvious option
and it isn't at all apparent how to do it.
Fortunately there is a Microsoft standard procedure for making all users similar
(it's just not very well known).
- Shutting down most illicit network use by blocking outgoing packets
Standard practice if you have a "firewall" between your systems
and the open Internet is to block inbound TCP/IP ports.
But this assumes that all applications are "well behaved"
with respect to TCP/IP ...and the nefarious ones aren't.
File sharing programs for example
aren't slowed at all by blocking inbound ports
and are barely slowed even by blocking
specific outbound ports.
What's necessary is to treat outbound TCP/IP ports
just like inbound TCP/IP ports.
Use the same firewall tool(s) you use to block inbound ports
to also block outbound ports by default,
then open only the few specific ones you really need.
Although we considered this, we wound up not actually implementing it.
We found the combined psychological effect of
new administrative procedures and "traffic shaping" (item below)
was sufficient, and we didn't need to do anything else.
- Internal caching Domain Name Service for fast web access
We wanted to make world wide web access as quick as possible.
That meant both
leaving our ISP drop largely free for web traffic
and giving every web browser very fast responses to their queries.
A particular waste can occur when several students visit the same website.
Each one of them will request the same computer name translation
and every request will go out over our ISP drop to servers on the Internet
unless special actions are taken.
We avoid this waste by providing our own internal caching DNS servers.
The first time translation of a new name is requested,
our servers don't know the answer and so have to forward the request to the Internet.
But they remember the answer.
And when other computers request translation of the same name,
our caching DNS servers respond very quickly themselves.
- Using DHCP for automated administration with very high availability
We wanted to make administering new devices on our network as easy as possible,
correctly assigning an IP address to every new device
as well as supplying all the network configuration parameters.
And we wanted to provide very highly available DHCP service,
with both failover and failback being completely automatic.
Typical uses of DHCP don't exactly meet these needs
(although they come close).
We found that with some tweaks to the DHCP configuration,
we could make it do exactly what we wanted
in our environment.
- Using "traffic shaping" to prevent any one user from monopolizing the Internet connection
"Traffic shaping" is reordering outbound network packets
according to some priority scheme,
rather than just passing them on in exactly the same order they were received.
Mostly traffic shaping is used either to give higher priority
to time-sensitive communications (for example Voice over IP)
or to ensure that downloads continue to run well even when something else is happening at the same time.
But traffic shaping can also be used to guarantee
a certain amount of bandwidth to every user (or even every computer),
preventing one rogue user from monopolizing the Internet connection
and hampering everyone else's legitimate network use.
- Forcing an application to always use particular command line arguments
Many applications can be made to do what you need them to do
by specifying particular command line arguments
(also known as command line switches or command line options).
You can set this up for most users by adding the desired command line arguments
to each of three "shortcuts": the one in Start->Programs, the desktop icon, and the taskbar icon.
But it's trivial under Windows for a user to bypass all these shortcuts
to launch an application without
the command line arguments you desire.
I've tentatively concluded there's no easy way
to force a native Windows application
to use particular command line arguments under vanilla Windows 2000/XP.
- Manually aligning and checking older LCD Monitors
Many LCD Monitors were "built in" to laptop machines and used
a digital interface.
Usually the rest either "just worked",
or worked after the monitor's "auto" adjust was used.
But occasionally an older external flat panel LCD Monitor
using an analog connection
needed to be adjusted manually.
(LCD Monitors using a digital connection
always displayed correctly.)
Here's the test pattern with instructions that was used to do it.
- Converting email addresses to images
Not so long ago,
the most common way an email address was picked up by spammers
was off a website.
In fact spammers have programs
—typically called "spambots"—
that do nothing else except "harvest" email addresses off websites.
Completely removing email addresses from a website
is often not reasonable,
because the usefulness of the website depends
critically on providing email addresses.
One solution is to convert the necessary email addresses
from text to images before placing them on the website.
Images of email addresses are still readable by humans,
but unintelligible to virtually all spambots
and hence almost never harvested.
Here's a program/tool that makes it easy
to convert text (such as an email address) to an image.