classroom - University of Waterloo

Nexus Classroom Features 2015/11/12 page 1
Nexus Classroom Features
Autologin / ClassCopy / NetRestrict / DriveRestrict / ClassExecute
Engineering Computing
Updated: November 12, 2015
The five features described are all integrated into a common set of drivers installed on the client
workstation. They can be used independently, but are more useful when combined.
Autologin can be used to reboot student workstations, and force automatic logins into
local accounts, or return computers to general nexus logins.
ClassCopy takes over the screens of student computers and displays the instructor’s
screen with approximately 25 frames per second video. Even youtube videos can be
shown, but sound amplification must be performed on the instructor station as sound is
not transported.
NetRestrict is an adaptive software-based firewall which can restrict workstations to only
certain web and other Internet servers. A typical use would be to restrict students to UW
Learn during a quiz or exam.
DriveRestrict turns on or off the ability to connect to remote network drives. The home
drive is allowed to be connected at login time, but no drives may be connected
ClassExecute can run processes in the student user session. It is used by ClassCopy to
load the ClassCopy client on the students’ workstations. Any web page or user space
application can be started with it.
The features are enabled by a trusted (restricted access) server we call a controller, which can
either run Unix (FreeBSD/Linux/etc.) or Windows. The only requirement of the server is that an
HTTP server and PHP is available on it, and that the machine is restricted to trusted personal
only - ie. not allow student logins.
The protocol used to control clients is the FINGER protocol using commands instead of userids.
finger net:c+\\nexus\\autologin\\
would send a particular command to workstation. In practice, it will be
scripts which send the commands, but will do so using the finger program.
An instructor workstation is assumed to be present at the front of the classroom. It is
recommended that this station use security groups to restrict access to faculty and staff - as this
Nexus Classroom Features 2015/11/12 page 2
computer is capable of controlling student workstations, such as remotely rebooting
workstations. The capabilities of this station are not actually true of the workstation, but of the
controller when given instructions from either the instructor workstation or cron jobs on the
Icons may be added to the instructor workstation which enable or disable the various features
such as to (effectively) lock the lab to Learn, unlock the lab, reboot, etc. In most cases, the
icons are simply web URLs to scripts on the controlling server to send commands to the
The one thing the instructor workstation does itself is send screen updates when clients run the
ClassCopy screen replicator. But normally the controller is used first to force the clients to run
ClassCopy.EXE in order to receive the screen updates.
We recommend that the network and workstations be hardened to limit hacking against these
features. This is described in the hardening section, but since these are typically public
workstations, such hardening should always be considered.
The four services are all provided by the autologin.exe service and its associated device drivers,
which are all located in the c:\nexus\autologin subdirectory. Normally one will use Tuque or MS
SCCM to copy the files to this location.
A read-only registry key must be set on the workstations to indicate which server is the
controller. Each workstation has only one controller. All commands are sent from the
controller. If no controller is specified, the controller is assumed to be,
which may be suitable for testing. This key is often set by Group Policy (GPO). The specifics
are given in the configuration section.
A second key indicates which is the instructor’s computer, this second key used for the
ClassCopy feature to limit input to the one workstation. If this key is omitted, any workstation on
the subnet can send screen shots, and that could cause interference on users screens.
Files with the extension .txt, such as learn.txt, may be located in the same subdirectory as the
services can specify which DNS addresses the clients may contact. This is explained under
The subnet and workstations firewalls must allow FINGER protocol be used to communicate
from the controller computer to the workstations. This can be configured by GPO as well.
Finger need only be accessible by the controller. The autologinservice.exe automatically
prevents any useful connection from any other device on the Internet, but still, it never hurts to
further firewall the device using MS firewall and/or hardware firewalls.
General Configuration
The registry key on all workstations (incuding the instructor computer) should be set to specify
the controller’s address. The address is given in dotted IP format.
Nexus Classroom Features 2015/11/12 page 3
Master specifies the controller. Instructor specifies the instructor’s IP address.
Engineering Computing uses a GPO to set these values, as they will vary by lab and so are not
part of the Tuque/MS-SSCM package.
The file learn.txt is provided in the default installation. It includes DNS entries for all the servers
necessary for a Learn test. You may copy it to another filename for your purposes, and add
license servers or other servers you know you will need for your students.
Instructor Configuration
To get started, you will probably want to copy the instructor configuration strategy Engineering
Computing is using. Once you are satisfied it works, you may choose to modify the installation.
We created icons on the instructor machine desktop similar to:
Lock to Learn.uwaterloo.lnk
which points to
and locks the room to only work with Learn (and other things you may add)
Unlock Learn.uwaterloo.lnk
which points to
This returns the room to normal operation
which points to
and forces all workstations to log into local1 on the local workstation (after a reboot), and using
driverestrict, prevents general network logins.
which points to
and causes the workstations to return to normal network logins (after a reboot). Also turns off
points to c:\nexus\autologin\classcopy.exe /server /ip: /16
Ie. turn on server mode, and broadcast to the subnet (replace with your
subnet). Use 16 bit colour.
Hardening Workstations and Networks
We recommend that networks and workstations have the following restrictions
- switches configured to lock to Mac addresses or other technology to prevent insertion of
- DHCP servers not be allowed by clients on the subnet
Nexus Classroom Features 2015/11/12 page 4
ARP impersonation being prevented
RIP either turned off on workstations, or prevented by the Windows firewall
the controller server should be on a server-only subnet
inbound FINGER protocol on the router and MS firewall should be limited to the controller
server. Autologinservice.exe prevents other computers from performing actions, but gives an
error message indicating which machine should be the controller.
- ICMP ECHO (ie. ping), should be enabled to the clients from the controller, (and anywhere
else you need). PING is used to determine if the workstation is up, an explanation of why is
located in the technical details later in this document.
In other words, any method that allows a hacker to impersonate the controller should be
Controller Configuration
Download the files from and place them in a suitable
subdirectory so they can be run over the network. The README file explains current file names
and function.
See the Server Configuration section above to see which scripts we will call.
Typically, scripts called by users call the lockone.php script for each student client workstation.
Lockone first attempts to ping the workstation to see if it is up, this is performed because ping
has a timeout of one second, whereas finger takes several seconds to time out. Labs of 120
machines will typically have a few down/turned off/unpluged machines, these will each incur us
a one second delay, but the up machines respond almost immediately and so the classroomwide script will typically only take a few seconds in total.
It is entirely possible to do your own scripting, such as using cron jobs to enable features, run
programs, etc.
Controller Script Writing
As described earlier, the scripting uses the finger command to send commands to workstations.
You need not read this section unless you wish to write your own scripts to configure the
finger net:firewallfile@workstation
Turns on the fireballing feature given a firewall.txt configuration file. Replace the : in the
filename with +, because colons are treated specially by this system.
eg. finger net:c+\\nexus\\autologin\\learn.txt
Uses c:\nexus\autologin\learn.txt as the firewall file. Note, the shell requires you to
escape the \, so you need \\. If you call from PHP to finger, you must use four slashes.
finger net:@workstation
Turns off the firewall
finger net:firewalllog:w@workstation
Turns on the write mode of the firewall logging feature.
eg. finger n:c+\\nexus\\autologin\\log.txt
Nexus Classroom Features 2015/11/12 page 5
finger net::w@workstation
Turns off the firewall logging.
finger user:local1:password@workstation
Reboots and auto logs into local1 on the local workstation with the specified password.
See finger password… and finger user:@workstations.
finger user:@workstation
Reboots and returns the station to normal logins. Does not reset the password on the
usern accounts. See finger password:… to learn how to clean up accounts after the
finger exec:cmd@workstation
Executes cmd on the user workstation. Again + must be used in place of the colon.
Quotes on the command line may be used to embed spaces:
eg. finger “cmd:start”@maggot4
finger locknet:param@workstation
1 turns on drive restrictions
0 turns off drive restrictions - ie. the workstation works like normal
? lists the current status without changing it
Finger password:account:password@workstation
Changes the password of the account (eg. local1) without rebooting the workstation, and
does not enable autologins. This command is typically used to give a new unknown
password to workstations AFTER an exam is over, so that people cannot continue to
use the exam password.
- the system has not yet been tested with IPv6 connectivity. That should be complete by end
of 2015, we just have to extend IPv6 to my test subnet first.
- net restrictions and locknet are continued after reboots. So a user cannot avoid network
restrictions by just rebooting. Likewise, if a machine is turned off when you send the
remove-restrictions-signal, that workstation will stay locked.
- rebooting does reset the log file if you have logging enabled
- it is not possible to set blank/empty password, as the restrictions of the network do not allow
it. So when you set the workstations’ password, you will want to write the temporary
password on the white/blackboard so that students will be able to unlock if their screensavers
- the autologin feature simplifies logins but does not preclude someone from logging out and
logging in as their own network userid.
Nexus Classroom Features 2015/11/12 page 6
- adding network restrictions does not cancel network connections already established, N:
drives and other network drives are not disabled, but adding new shares is not possible.
- the system can be modified/enhanced if we wish.
- for classcopy, the instructor’s computer is assumed to use 32 bit colour, however we convert
to 16 bit colour for transmission which will result in imperfect colour on the client. The system
is capable of 32 bit colour, but limitations described in Technologies below explain why it
doesn’t work as well over a real network.
- The software is only licensed for the University of Waterloo. We were able to take shortcuts
by licensing components for our use. Sharing with other sites would require additional
licensing to be purchased.
This section is optional for those who wish to know how it works.
Autologinservice.exe is a service which loads a RING 0 device driver and both 32 bit and 64 bit
libraries for 32 bit and 64 bit processes respectively.
For autologin features, the registry is configured to use standard Windows autologin accounts.
The account and password are stored in cleartext - this is a Microsoft thing. Then we reboot to
take effect. Similarly, clearing these fields and rebooting again returns to normal logins.
netrestrictions use our device driver to intercept queries for DNS lookups. When the DNS query
is issued, we look to see if the DNS is specified in the restriction file, if not, the address is
returned as not found and by default, all outgoing IP connections are disabled (a user specifying
an IP address to avoid this will be sadly disappointed). If the DNS is allowed, we do a DNS
lookup, and enable access to that IP address which we return to the client. So it even works
with cloud IPs because we know which could IP addresses the client will use.
Driverestrictions replaces prevents calls to the OS to mount network drives and printers AFTER
the login. So the N: drive connects, but nothing else.
Classcopy takes a snapshot of the screen every few milliseconds. It then must get that data to
clients as fast as possible, but this is a challenge, because video of 1920x1024 is approximately
6MB per frame, or 180 Mbps of raw bandwidth for 30 fps. We compress the colour from 24/32
bits to 16 bit colour to save 33% to 50% of our network traffic, and further compress it using fast
run length encoding to reduce most pages by 80%. The algorithm is much faster than JPEG or
ZIP compression which are too slow for almost-full-motion video. The data is broadcast or
multicast to workstations, so only a single copy is sent over the network. Still, this is a challenge
because Windows workstation has a purposefully crippled IP stack to prevent people from
sending large amounts of data over UDP…. Microsoft wants you to buy Server instead. We
work around this by inserting delays and compression to limit data to what workstation will
ClassExecute uses device drivers to execute programs in the context of the user’s session.
Nexus Classroom Features 2015/11/12 page 7
If you have any questions or suggestions, either regarding this documentation or the application,
feel free to contact me. Erick
Erick Engelke