Minecraft for Education - security discussion


Sam McNeill

Jun 14, 2016, 3:40:57 AM
to Techies for schools
Hi All,

We have some teachers that are super keen to be using Minecraft Education edition with the new release this last few days.

I see on Twitter there is a bunch of NZ schools that are already using it, and I'm curious to know how IT admins have approached this from a security perspective. From what I can tell, it's intended to be hosted on the teacher's laptop and the students then connect to this locally hosted world on the LAN.

Like most schools I'm sure, we run student/staff devices on separate VLANs. One of my techs has already identified the necessary port that would likely need to be opened in the ACLs to allow student traffic to connect to the teacher device so Minecraft can run.

This is where I start to question this approach from MS. It seems entirely counter-intuitive to separate student/staff traffic with various levels of security, only to turn around and allow students to connect directly to the staff device in this way. Given it will (if it's not already) become public knowledge about that open port it would seem entirely probable that other students may try to do other things by connecting to the staff laptop via that same way.

It would, in my view, have seemed far more judicious for MS to have continued the hosted solutions that Minecraft Edu used (confusing names, Edu vs Education) and simply added the O365 authentication into a cloud hosted solution. This would have allowed simple web traffic rules AND allowed for continued development by students outside of school as well.

I had a very disappointed teacher today when I told him I was not prepared to have student devices connecting directly to staff devices without further investigation into the security implications. On a side note - in our own testing on a few laptops, we had 5 client devices connecting to a Surface Pro 4 as the host server and it started to get pretty hot with just 5 clients connected ... wondering how performance would be with 30 devices!

I'm not suggesting I've got all the facts here and there may be some other info to consider, but I'd certainly be keen to hear how other schools have approached this.

Thanks in advance,
Sam

Pete Mundy

Jun 14, 2016, 4:16:03 AM
to techies-f...@googlegroups.com
Heya Sam

I think the cold harsh reality is that overall very few schools actually do this segregation. Sure they all should (and most of mine do!), especially given the equipment made available to them to do so via the [W]SNUP[1|2|3] projects, but the reality is they just don't. There are an embarrassingly large number of IT providers for small schools in NZ who don't even really understand what VLANs are or how routing between them is achieved or secured.

I think that's probably part of the core reason why MS haven't taken it into consideration; because it probably only affects a small number, and for those that it does, they have the skills to work out other solutions.

That's just my personal view of reality from the coalface.

Thinking pragmatically about getting a working solution... Rather than hosting on a teacher's laptop, would it be suitable in your environment to build a server on your server's VLAN for this purpose? Then it would be accessible from both sides and an eye could be kept on it by your IT team like any other local server.

Pete

> On 14/06/2016, at 7:40 pm, Sam McNeill <s...@mcneill.co.nz> wrote:
>
> <snip>
>
> Like most schools I'm sure, we run student/staff devices on separate VLANs.
>
> <snip>



Sam McNeill

Jun 14, 2016, 4:24:39 AM
to techies-f...@googlegroups.com
Hi Pete,

Thanks for the reply.

Not having worked in too many other schools, it's interesting to hear your first hand experience of this, so might explain why MS have taken this approach ... a little worrying!

We could definitely run a VM of this no worries, however from what I understand so far, it seems MS have built this application to essentially be a turn on/off by the teacher by opening/quitting the app and it needs to run on Win10 (we could virtualise a Win10 desktop edition of course). Furthermore, it doesn't appear to run like a proper server app allowing multiple connections on the same port, so we would need to have it configured (if possible) to run on different ports and then advise students which port their game is being hosted on etc ... starts to get hard with primary school aged kids.

Oddly, the Microsoft Edu version (NOT Education version) does support cloud hosted Minecraft worlds (excellent!) but doesn't support O365 SSO (bad) so it seems like some sort of bastardised version has been launched on us and teachers simply don't understand (or care) about the potential security risks here.

Googling "microsoft minecraft education edition security" returns nothing apart from telling me how secure SSO sign in is as there are no needs for new/shared passwords ... nothing about network or teacher laptop security!

Cheers
Sam





gre...@staff.cbhs.school.nz

Jun 14, 2016, 7:08:07 AM
to Techies for schools
Off the top of my head -

Have a server running a port forwarder (to teachers' laptops); have it multi-homed with an IP address per teacher/game. This assumes a relatively small number of interested teachers to be simply manageable. Bonus: likely get a log of connections for free. [Could be a Raspberry Pi.]

- Ben.
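
A sketch of the port-forwarder idea from the post above, as an added example that is not part of the thread: one listener per teacher/game relays only clients from the student range to that teacher's laptop and records every attempt. It assumes the game traffic is TCP (the thread names neither the port nor the transport); the `room-12` label and the loopback addresses are constructed stand-ins.

```python
import asyncio
import ipaddress
import logging

log = logging.getLogger("game-forwarder")

async def pipe(reader, writer):
    """Copy bytes one way until EOF, then close the far side."""
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    except ConnectionError:
        pass
    finally:
        writer.close()

async def start_forwarder(game, listen, laptop, student_net, audit):
    """Listen on one address per teacher/game; relay only student-VLAN clients."""
    async def handle(reader, writer):
        peer = writer.get_extra_info("peername")[0]
        verdict = "allow" if ipaddress.ip_address(peer) in student_net else "deny"
        audit.append((game, peer, verdict))  # connection log, kept off the laptop
        log.info("game=%s client=%s verdict=%s", game, peer, verdict)
        if verdict == "deny":
            writer.close()
            return
        try:
            up_reader, up_writer = await asyncio.open_connection(*laptop)
        except OSError:  # teacher has quit the app or the laptop is offline
            writer.close()
            return
        await asyncio.gather(pipe(reader, up_writer), pipe(up_reader, writer))
    return await asyncio.start_server(handle, *listen)

async def _demo(student_cidr):
    async def echo(r, w):  # constructed stand-in for the teacher's laptop
        w.write(await r.read(100)); await w.drain(); w.close()
    laptop = await asyncio.start_server(echo, "127.0.0.1", 0)
    audit, net = [], ipaddress.ip_network(student_cidr)
    target = laptop.sockets[0].getsockname()[:2]
    fwd = await start_forwarder("room-12", ("127.0.0.1", 0), target, net, audit)
    r, w = await asyncio.open_connection(*fwd.sockets[0].getsockname()[:2])
    try:
        w.write(b"hello"); await w.drain()
        reply = await r.read(100)
    except ConnectionError:  # a refused client may see a reset, not a clean EOF
        reply = b""
    w.close(); fwd.close(); laptop.close()
    return reply, audit

def demo(student_cidr="127.0.0.0/8"):
    return asyncio.run(_demo(student_cidr))
```

With a relay like this the inter-VLAN ACL only needs to admit student traffic to the forwarder's addresses, and the forwarder alone to the staff laptops.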

Patrick Dunford

Jun 14, 2016, 8:46:32 AM
to techies-f...@googlegroups.com

They do it like everyone seems to do these days, try to get around pesky security restrictions that uncaring IT administrators put onto networks (lol)


Alan at Wadestown School

Jun 14, 2016, 5:00:13 PM
to Techies for schools
Uncaring and unhelpful when the security measures are in place, incompetent and negligent when there are consequences from the measures being relaxed!

Kevin Whelan

Jun 14, 2016, 5:21:51 PM
to Techies for schools


On Wednesday, June 15, 2016 at 9:21:13 AM UTC+12, Kevin Whelan wrote:
Same as all the new education features coming in the next update of Windows 10, none of them work or are designed for non-domain joined machines, they are all made to help a teacher buy a set of new machines and configure them themselves into some sort of class set, things like the new faster logon and removing default apps, better SSO are all for non domain joined machines only. Absolutely ridiculous scenario and a huge step backwards. Nothing to help a real school network like better policies or profile management.
Seem to be heading the way Apple have gone where everyone has their own machine and has admin authority over it.
It's like the whole SkyDrive, OneDrive, then OneDrive Business and now back to just OneDrive mess.

Sam McNeill

Jun 14, 2016, 6:54:24 PM
to techies-f...@googlegroups.com
Hi Kevin,

Yes the SkyDrive --> OneDrive fiasco is best left unmentioned (although never forgotten!) ... 

Well at least I'm not alone in having concerns about this, however it doesn't present too many viable options going forward. Perhaps we need to spin up our own non-Education Minecraft server as other schools have done and then manage it in that way ... Would have preferred to not need to do this however.

Cheers
Sam

On Wed, Jun 15, 2016 at 9:21 AM, Kevin Whelan <kwhel...@gmail.com> wrote:
Same as all the new education features coming in the next update of Windows 10, none of them work or are designed for domain joined machines, they are all made to help a teacher buy a set of new machines and configure them themselves into some sort of class set, things like the new faster logon and removing default apps, better SSO are all for non domain joined machines only. Absolutely ridiculous scenario and a huge step backwards. Nothing to help a real school network like better policies or profile management.

Seem to be heading the way Apple have gone where everyone has their own machine and has admin authority over it.
It's like the whole SkyDrive, OneDrive, then OneDrive Business and now back to just OneDrive mess.


On Wednesday, June 15, 2016 at 9:00:13 AM UTC+12, Alan at Wadestown School wrote:


Julian Davison

Jun 14, 2016, 7:00:04 PM
to techies-f...@googlegroups.com
In the absence of creating a path between your isolated staff/student networks you're going to end up running your own something. Whether it's a custom VM for the Education Minecraft, or a regular Minecraft ends up being a choice between what you find easier to administer. A workstation VM with remote desktop might be close enough to running it on their local computer for staff...
The other similar requirement I've encountered is to make it accessible to students while they're at home, which has similar issues.


Sam McNeill

Sep 13, 2016, 10:06:44 PM
to Techies for schools
Kia Ora katoa,

After getting pretty frustrated with the security side of things with Minecraft for Education, one of the guys in my team has brewed his own solution and I've written a reasonably detailed write up of the key Mods you'd need to do something similar. If you're interested in trying to get a secure and sustainable Minecraft server this may be of assistance:

https://eblog.stac.school.nz/2016/09/14/managing-minecraft-in-a-school/

I don't profess it is the ONLY way, and if you've got suggestions for improving this solution I'd love to hear them,

Cheers
Sam

Sam McNeill

Nov 6, 2016, 9:17:24 PM
to Techies for schools
Just an update for you Minecraft users - we were alerted that using Bukkit might potentially be violating some copyright code so we have had to use a workaround with some other third party mods. The changes have been updated in the blog post here:


Cheers
Sam

Sam McNeill

Nov 1, 2017, 10:59:38 PM
to Techies for schools

Hi Guys,

Just reviving an older thread about Minecraft.


If you’re not across the new Minecraft: Education Edition then it’s worth exploring. I’ve written a blog post about how best to deploy it:


https://samuelmcneill.com/2017/11/02/deploy-code-in-minecraft/ 


There are also links to all the information you will need and an introduction to the Code Builder app that is now included which is a great way to introduce students to the idea of programming concepts.


I posted earlier in this thread whilst I was still at St Andrew’s College and running our own Minecraft server. I’m now in the MSFT Edu team so full disclosure :wink:

Cheers
Sam
