LinuxQuestions.org


exodist 05-04-2007 03:20 PM

restricting nfs to specific stations
 
I work at a small charter high school. I have ~20 Linux stations that I set up, clone systems.

Basically I have a server configured that shares the home directories to all the stations via NFS. I accomplished this by having it share /home to 192.168.93.*(rw) (the IP scheme).

This has worked very well; however, a student was able to boot up his laptop into Linux, change his IP to one within the above range, and then mount /home. He then simply created a user account with the same name as another student's home directory and then had full access to that student's files. (Root is squashed.)

I am wondering if there is some way to secure against this short of banning laptops from our network (NOT an option).

The stations are all identical clones; the only exception to this is that they each have a different static IP set.

win32sux 05-04-2007 05:54 PM

Is it possible for you to set up the LAN clients and laptop clients on a different zone in the firewall? This way the server can be firewalled from the laptops... Of course, if the laptop people have physical access to the Ethernet then this would only be a speed bump... =/

My NFS experience is virtually nil, but it is my understanding that NFSv4 has strong built-in authentication, while NFSv3 doesn't... Proper authentication would have prevented the attacker from accessing the victim's /home folder... So, assuming you are using NFSv3: have you considered upgrading to NFSv4?
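
An added example, not part of either post: a small Python check over `/etc/exports`-style lines that flags exports still relying on the default `sec=sys` flavor (the server trusts whatever UID the client asserts, as in the incident described above) instead of a Kerberos flavor. Only the `/home` line comes from the thread; the other sample lines and the host name are constructed, and the parser assumes the simple `path client(options)` form.

```python
import re

# Security flavors that authenticate users with Kerberos instead of
# trusting the UID/GID sent by the client machine.
KRB_FLAVORS = {"krb5", "krb5i", "krb5p"}

# Constructed sample; line 2 is the export described in the first post.
SAMPLE_EXPORTS = """\
# constructed sample exports file
/home      192.168.93.*(rw)
/srv/proj  192.168.93.0/24(rw,sec=krb5p)
/srv/pub   *(ro,sec=sys:krb5)
/srv/adm   admin1.example.test(rw,sec=krb5i:krb5p)
"""

# One "client(options)" entry; the option list is optional.
ENTRY = re.compile(r"(?P<client>[^\s()]+)(?:\((?P<opts>[^)]*)\))?")

def flavors(opts):
    """Return the security flavors of one option list (default: sys)."""
    for opt in opts.split(","):
        opt = opt.strip()
        if opt.startswith("sec="):
            return set(opt[4:].split(":"))
    return {"sys"}

def audit_exports(text):
    """List (line, path, client, weak_flavors) for non-Kerberos exports."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], parts[1] if len(parts) > 1 else ""
        for m in ENTRY.finditer(rest):
            weak = flavors(m.group("opts") or "") - KRB_FLAVORS
            if weak:
                findings.append((lineno, path, m.group("client"), sorted(weak)))
    return findings

if __name__ == "__main__":
    for lineno, path, client, weak in audit_exports(SAMPLE_EXPORTS):
        print(f"line {lineno}: {path} -> {client} allows {','.join(weak)}")
```

An export that lists `sys` alongside a Kerberos flavor is still flagged, because a client can pick the weaker flavor at mount time.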

