
How to create shared services that two different parties can use

To mitigate a problem common to educational facilities, the student hacker, network security expert Mike Chapple suggests isolating student and administrative networks or creating shared services that both parties can use. Learn how to accomplish this task in this Ask the Expert Q&A.

I manage the computer systems for a university. We have a local Win2k network domain with an intranet Web site and Exchange 5.5 Server running on it. Sometimes our students try to hack into the teachers' computers. In an effort to prevent this, I want to set up another domain for the students, but still allow them to access the intranet and Exchange mail system when their teachers are monitoring them. How can I accomplish this?

You're facing a problem common to educational institutions. I would strive to isolate student and administrative networks as much as possible. It's extremely difficult to secure environments where users have two different security levels (e.g. students and teachers) on the same network, regardless of their domain membership.

It's entirely possible to implement shared services, such as the mail and Web services you mentioned. I suggest using a four-interface firewall to create separate zones for students, teachers, shared services and the Internet. The Web server and intranet server would then live in the shared services zone or DMZ and benefit from the protection of the firewall's rulebase.
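
The four-zone layout described in the answer above, as an added example that is not part of the original Q&A: a small model of a first-match, default-deny rulebase that audits whether any rule lets traffic cross directly between the student and teacher zones. The zone names, the TCP ports for the web and mail services, the Internet access rules and the "weak" rule are all constructed assumptions.

```python
from itertools import permutations

ZONES = ("students", "teachers", "shared", "internet")  # assumed zone names
ANY = None   # wildcard for a zone or port field
OTHER = 0    # probe standing for "any port that no rule names"

# First-match rulebase with an implicit deny at the end.
# Each rule: (source zone, destination zone, TCP port, action).
# Constructed sample ports: 80/443 for intranet web, 25/110/143 for mail.
SHARED_PORTS = (80, 443, 25, 110, 143)
GOOD = [(z, "shared", p, "allow") for z in ("students", "teachers") for p in SHARED_PORTS]
GOOD += [(z, "internet", p, "allow") for z in ("students", "teachers") for p in (80, 443)]

# Same rulebase plus one overly broad rule: the destination wildcard
# also covers the teacher zone, which joins the two user networks.
WEAK = GOOD + [("students", ANY, 443, "allow")]

def decide(rules, src, dst, port):
    """Return the action of the first matching rule, or 'deny' if none matches."""
    for r_src, r_dst, r_port, action in rules:
        if r_src in (ANY, src) and r_dst in (ANY, dst) and r_port in (ANY, port):
            return action
    return "deny"

def allowed_ports(rules, src, dst):
    """Ports on which src may open connections to dst (OTHER = every unnamed port)."""
    probes = {r[2] for r in rules if r[2] is not ANY} | {OTHER}
    return sorted(p for p in probes if decide(rules, src, dst, p) == "allow")

def isolation_violations(rules, a="students", b="teachers"):
    """Permitted flows that cross directly between the two user zones."""
    return {(s, d): allowed_ports(rules, s, d)
            for s, d in permutations((a, b)) if allowed_ports(rules, s, d)}

def flow_matrix(rules):
    """Every permitted zone-to-zone flow, for review against the intended design."""
    return {(s, d): allowed_ports(rules, s, d)
            for s, d in permutations(ZONES, 2) if allowed_ports(rules, s, d)}

if __name__ == "__main__":
    for name, rules in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, "student/teacher violations:", isolation_violations(rules))
        for pair, ports in flow_matrix(rules).items():
            print("   ", pair, ports)
```

Running the audit after every rulebase change catches wildcard rules that quietly undo the zone separation while still leaving the shared services reachable from both user zones.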

This was last published in August 2006
