The following is one of three checklists to accompany Jonathan Hassell's Hardening Windows School, a series of six 10-minute webcasts designed to help you quickly and correctly lock down Windows systems.
Lesson #6, Applying network access quarantine options, premieres Thursday, June 22. Click for the course outline.
One of the easiest and arguably most prevalent ways for nefarious software or Internet users to creep into your network is not through firewall holes or brute-force attacks -- nor is it any means that might occur at your campus or corporate headquarters. It's through mobile users trying to connect to your business network while on the road.
Consider why that is the case: Most remote users are authenticated only on the basis of their identities, and no effort is made to verify that their hardware and software meets certain baseline requirements. It is not uncommon for remote users to fail any or all of the following guidelines:
You would expect business desktops to follow policy, but mobile users have traditionally been forgotten or grudgingly accepted as exceptions to the rule. Therefore, they become an active port for malware to enter and infect your network. That's why I'm going to explain why you need to use a security feature introduced in Windows Server 2003, Network Access Quarantine Control (NAQC), which gives you a chance to vet computers trying to access your network remotely, effectively closing ports.
Sound like a decent idea? Browse through the checklist below to learn more about quarantining. (Click here for the printable version.)
|Hardening Windows School Checklist: Know your network access quarantine options|
|Understand how Network Access Quarantine Control (NAQC) works|
|Here's basically how NAQC works: Under NAQC, when a client establishes a connection to a remote network's endpoint -- a machine running the Routing and Remote Access Service|
|(RRAS) -- the destination Dynamic Host Configuration Protocol (DHCP) server gives the remote, connecting computer an IP address, but an Internet Authentication Service (IAS)|
|server establishes a "quarantine mode." In quarantine mode, a set of packet filters restricts the traffic sent to and received from a remote access client, and a session|
|timer limits the duration of a remote client's connection in quarantine mode before being terminated. Once the remote computer is in quarantine mode, the client computer|
|automatically executes the baseline script. Windows runs the script and, if satisfied with the result, contacts the listening service running on the Windows Server 2003 back-end|
|machine to report it. Quarantine mode is then removed and normal network access is restored. If Windows is not satisfied with the result, the client is eventually disconnected|
|when the session timer reaches the configured limit as described above.|
|Decide on your preferred criteria for allowing regular access to your network|
What would you like to check when remote users try to connect? Here are some ideas:
|Begin planning your resource areas for users in quarantine mode|
|Under NAQC, you can establish a limited set of resources within the quarantine area where users can download information and software to help them rectify any issues that prevent|
|them from accessing the unrestricted network. Consider posting a Web page explaining the quarantine process. Include information on how to get help from the help desk.|
|You might also include a link to the latest service pack, a copy of your corporate antivirus software and individual links to hotfixes that you require. Give your users the|
|power to self-correct their problems while still enhancing security on your network.|
|Explore the Routing and Remote Access Service (RRAS) policy functionality|
|A great guide to RRAS can be found at ServerWatch.com, and Chapter 11 of my book Learning Windows Server 2003 explains how to set up RRAS, and teaches you how to use|
|policies and quarantining.|
Windows Security Checklists offer you step-by-step advice for planning, setting up and hardening your Windows security infrastructure. E-mail the editor to suggest additional checklist topics.
More from Hardening Windows School
|ABOUT THE AUTHOR: Go back to Checklists|
|Jonathan Hassell is an author, consultant and speaker residing in Charlotte, North Carolina. Jonathan's books include RADIUS and Learning Windows Server 2003 for O'Reilly Media and Hardening Windows for Apress. His work is seen regularly in popular periodicals such as Windows IT Pro Magazine, SecurityFocus, PC Pro and Microsoft TechNet Magazine. He speaks around the world on topics including networking, security and Windows administration.|
This was first published in June 2005