To use NAQC, your remote access clients must be running Windows 98 Second Edition, Windows Millennium Edition, Windows 2000, or Windows XP Home or Professional. These versions of Windows support a connectoid, which is simply a dial-up or VPN connection profile located in the Network Connections element in the user interface, containing three essential elements:
- Connection information, such as the remote server IP address, encryption requirements and so on.
- The baselining script, which is a simple batch file or program used to assess the suitability of the client computer (more on this in a bit).
- A notifier component, which talks to the destination network's backend machine and negotiates a lift of the client's quarantine.
- The remote user connects his computer, using the quarantine CM connectoid to the quarantine-enabled connection point, which is a machine running RRAS.
- The remote user authenticates.
- RRAS sends a RADIUS Access-Request message to the RADIUS server -- in this case, a Windows Server 2003 machine running IAS.
- The IAS server verifies the remote user's credentials successfully and checks its remote access policies. The connection attempt matches the configured quarantine policy.
- The connection is accepted, but with quarantine restrictions in place. The IAS server sends a RADIUS Access-Accept message, including the MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout attributes, to RRAS.
- The remote user completes the remote access connection with the RRAS server, which includes leasing an IP address and establishing other network settings.
- RRAS configures the MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout settings for the connection, now in quarantine mode. At this point, the remote user can only send traffic that matches the quarantine filters -- all other traffic is filtered -- and can only remain connected for the value, in seconds, of the MS-Quarantine-Session-Timeout attribute before the quarantine baselining script must be run and the result reported back to RRAS.
- The CMAK profile runs the quarantine script, currently defined as the "post-connect action."
- The quarantine script runs and verifies that the remote access client computer's configuration meets a baseline. If so, the script runs rqc.exe with its command-line parameters, including a text string representing the version of the quarantine script being used.
- rqc.exe sends a notification to RRAS, indicating that the script ended successfully.
- The notification is received by rqs.exe on the back end.
- The listener component on the RRAS server verifies the script version string in the notification message with those configured in the registry of the RRAS and returns a message indicating that the script version was either valid or invalid.
- If the script version was acceptable, the rqs.exe calls the MprAdminConnectionRemoveQuarantine API, which indicates to RRAS that it's time to remove the MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout settings from the connection and reconfigure the session for normal network access.
- Once this is done, the remote user has normal access to the resources on the network.
- rqs.exe creates an event describing the quarantined connection in the System event log.
Step-by-Step Guide to Network Access Quarantine Control
Step 1: Learn how it works
Step 2: Create quarantined resources
Step 3: Write the baselining script
Step 4: Install the listening components
Step 5: Creating a quarantined connection profile
Step 6: Distribute the profile to remote users
Step 7: Configuring the quarantine policy
|ABOUT THE AUTHOR:|
Jonathan Hassell is author of Hardening Windows (Apress LP) and is a SearchWindowsSecurity.com site expert. Hassell is a systems administrator and IT consultant residing in Raleigh, N.C., who has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book, RADIUS (O'Reilly & Associates), is a guide to implementing the RADIUS authentication protocol and overall network security.|
Copyright 2006 TechTarget
This was first published in January 2006