Des Moines Public Schools

Public School District Improves Client Security with an Easy-to-Administer Solution

Des Moines Public Schools, located in central Iowa, has 32,000 students who need access to computing resources and the Internet. Liberal network access by staff, students, and the general public left the schools’ systems chronically exposed to an array of potential threats that included hackers, viruses, and spyware. To improve protection against multiple threats, the school district began implementing Microsoft® Forefront™ Client Security. It now looks forward to improved protection against malware as well as viruses. In addition to enhanced client security, Des Moines Public Schools will also benefit from simplified administration through integration with products like Active Directory® service. Finally, the school district anticipates that real-time data reporting will provide much needed insight into trends and emerging threats across more than 60 locations.

Situation

Located in central Iowa, Des Moines Public Schools serves 32,000 students from elementary through high school and has more than 5,000 employees. The school district enhances its curriculum by providing access to computing resources and the Internet, both from home computers and onsite at more than 60 locations. For example, most school libraries provide networked computers that offer access to a variety of databases in addition to Internet search capability. Many of these libraries are available to the general public as well as staff and students.

Providing open network resources to staff, students, and the public is a critical part of the education polices supported by Des Moines Public Schools District. However, supporting that access presents unique challenges, including ensuring system security. Broad access to network resources means a correspondingly broad opportunity for attack by a variety of malicious agents like computer viruses and malware. Malware alone is a significant problem. William Fulton, Network Specialist for Des Moines Public Schools, explains, “It often takes over browsers and redirects Web pages to adware or spyware. It can make the computer unusable to the point where it needs to be re-imaged.”

Malware is a frequent threat because the school district’s current antivirus software only protects against viruses. The school district needs a solution that can help protect against a wider variety of threats. And because virtually anyone can access the schools’ networks from any location, the school district also wants more in-depth reporting and monitoring options. With improved system visibility, the school district hopes to isolate and remove potential threats before they can affect other locations.

Solution

We are able to identify and remove most threats, including malware, before they can become a real problem. When Forefront Client Security is fully deployed, we will be a lot less vulnerable.  William Fulton Network Specialist Des Moines Public Schools

In the search for a more comprehensive approach to client security, Des Moines Public Schools began testing Microsoft® Forefront™ Client Security in the fall of 2005. Network specialist William Fulton and his colleagues were interested in a single solution with the potential for better protection against malware and other threats. They also liked the reports that would provide real-time data, allowing them to respond quickly to emerging attacks.

Ease of administration was also a concern, and the school district’s IT professionals were confident that Forefront Client Security would integrate well into the existing technology environment. Des Moines Public Schools had been using Microsoft System Center Configuration Manager—formerly Microsoft Systems Management Server—since early 2005 to inventory equipment and software, and Group Policy with Active Directory® service to define access and security policies. For data storage, the school district used Microsoft SQL Server™ database software, which could also store information gathered by the client security product.

The school district first installed the central management server on a server computer running Windows Server® 2003 Standard Edition, and installed the Security Agent on twenty client computers. All computers currently use the Windows® XP Professional operating system; the school district plans to upgrade to the Windows Vista™ Enterprise operating system in early 2008. The IT department will use User Account Control, a built-in feature of Windows Vista, to limit administrative privileges on all client devices. Most staff and students will only be able to log on as standard users, which will help prevent unapproved setting changes that could make the computer and network systems more vulnerable to malware and other threats.

In addition, the IT group uses Windows Server Update Services to distribute updates and signatures, and Active Directory Group Policy to configure security agents. Fulton reports that both are easy to set up and use with Forefront Client Security. In particular, “setting up a policy is very easy. We just navigate through each tab to make the setting changes we want, and then implement the policy where we need it,” says Fulton. Integration of the new client security solution with existing technology like Active Directory simplifies management, and familiarity with Microsoft products minimizes the need for additional training.
 
Forefront Client Security has integrated well with the school district’s IT infrastructure and also the IT department’s day-to-day workflow. Des Moines Public Schools relies heavily on daily reports to assess threat levels, and Fulton checks the malware report before anything else. “I check the report summary first to see if any computers are infected and I can see immediately whether the malware has already been removed.” He also notes which computer and, if possible, which user is affected to determine if the infection is a repetitive occurrence. After that, he takes steps to remove any remaining threats and develops targeted strategies to minimize the risk of further attack.

Because Fulton and his team actively monitor their networks for threats, he plans to configure security alerts to notify staff only when a critical threat emerges. The school district is also developing a naming convention that will allow it to pinpoint and quarantine a school where an outbreak occurs, to prevent the destructive spread of malware or viruses to other locations. The next step is full implementation; Des Moines Public Schools began rolling out Forefront Client Security to the other locations in March 2007 and expects to complete the implementation by late May.

Benefits

The unified protection that Microsoft Forefront Client Security delivers improves protection for Des Moines Public Schools. Integration with existing technologies like Active Directory simplifies management, as does the familiar, easy-to-use interface. IT staff can perform all administrative functions from one console, including configuration, updates, alerting, and reporting. Finally, in-depth, prioritized reports delivered through the same console helps IT administrators track trends and respond appropriately to potential system threats.

Helps Reduce Malware, Strengthens System Security

Microsoft is doing a great job at getting us our definition updates—we often receive multiple updates daily. This gives us confidence that we are ready to respond to the latest threats.  William Fulton Network Specialist Des Moines Public Schools

Even the earliest stages of implementation indicated that Forefront Client Security would help Des Moines Public Schools respond more effectively to system threats. Although the school district allows broad access to its computers and networks, IT administrators can use one solution to minimize the threat of exposure to malware and viruses. Fulton says, “It offers us more comprehensive protection, and we are able to identify and remove most threats, including malware, before they can become a real problem. When Forefront Client Security is fully deployed, we will be a lot less vulnerable.”

IT administrators at Des Moines Public Schools also appreciate the frequent malware definition updates and other revisions distributed by Microsoft Update. “Microsoft is doing a great job at getting us our definition updates—we often receive multiple updates daily,” says Fulton. “This gives us confidence that we are ready to respond to the latest threats.”

Simplifies Administration, Improves Efficiency

Forefront Client Security is also easy to manage because it works well with the existing technology environment. By taking advantage of technologies like Active Directory, IT administrators can simplify management of client security. For example, Fulton and his team can define single policies that configure the protection for all the client computers in the school district. He says, “The ability to manage broad protection through one console will improve our efficiency, and interoperable products will strengthen our stability and level of control.”

As malware incidents are reduced and client security protection is streamlined, technical support services can be redirected to other projects. For instance, says Fulton, “Tech service time can definitely be put to better use than re-imaging computers damaged by malware attack.”

Enables Better Oversight, More Strategic Security Management

Malware or virus infection can spread rapidly between schools, and Des Moines Public Schools’ IT department needs to react quickly to potential threats. Thus, the prioritized security reports available with Forefront Client Security are a critical part of the IT department’s security management strategy.

For example, the department can use the reports to analyze real-time data and track emerging trends. The malware report summary helps Fulton identify user behavior that might contribute to a higher incidence of infection. This information will provide critical insights that will help IT administrators protect valuable educational resources and the community that needs them. “We manage a huge environment; we are open to the public and we can’t be everywhere at once,” Fulton says. “It really helps that we can see all our systems at a glance and that we will have the data we need to take effective action.”

For More Information

For more information about Microsoft products and services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Information Centre at (877) 568-2495. Customers who are deaf or hard-of-hearing can reach Microsoft text telephone (TTY/TDD) services at (800) 892-5234 in the United States or (905) 568-9641 in Canada. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information using the World Wide Web, go to:
www.microsoft.com

For more information about Des Moines Public Schools products and services, call (515) 242-7911 or visit the Web site at:
www.dmps.k12.ia.us

Microsoft Forefront Product Portfolio

The Microsoft® Forefront™ comprehensive line of business security products provides greater protection and control through integration with your existing IT infrastructure and through simplified deployment, management, and analysis. Forefront is a comprehensive solution that helps provide protection for the client operating system, application servers, and the network edge.

For more information about the Forefront product portfolio, go to:
www.microsoft.com/forefront

This case study is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

Document published April 2007