NAQC prevents unhindered, free access to a network from a remote location until after the destination computer has verified that the remote computer's configuration meets certain requirements and standards, as outlined in a script.
To use NAQC, your remote access clients must be running Windows 98 Second Edition, Windows Millennium Edition, Windows 2000, or Windows XP Home or Professional. These versions of Windows support a connectoid, which is simply a dial-up or VPN connection profile located in the Network Connections element in the user interface, containing three essential elements:
- Connection information, such as the remote server IP address, encryption requirements and so on.
- The baselining script, which is a simple batch file or program used to assess the suitability of the client computer (more on this in a bit).
- A notifier component, which talks to the destination network's backend machine and negotiates a lift of the client's quarantine.
A quarantined connection proceeds as follows:
- The remote user connects his computer to the quarantine-enabled connection point, a machine running RRAS, using the quarantine CM connectoid.
- The remote user authenticates.
- RRAS sends a RADIUS Access-Request message to the RADIUS server -- in this case, a Windows Server 2003 machine running IAS.
- The IAS server verifies the remote user's credentials successfully and checks its remote access policies. The connection attempt matches the configured quarantine policy.
- The connection is accepted, but with quarantine restrictions in place. The IAS server sends a RADIUS Access-Accept message, including the MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout attributes, to RRAS.
- The remote user completes the remote access connection with the RRAS server, which includes leasing an IP address and establishing other network settings.
- RRAS configures the MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout settings for the connection, which is now in quarantine mode. At this point, the remote user can send only traffic that matches the quarantine filters -- all other traffic is filtered -- and can remain connected only for the number of seconds given by the MS-Quarantine-Session-Timeout attribute; within that time the quarantine baselining script must run and its result must be reported back to RRAS.
- The CMAK profile runs the quarantine script, currently defined as the "post-connect action."
- The quarantine script runs and verifies that the remote access client computer's configuration meets a baseline. If so, the script runs rqc.exe with its command-line parameters, including a text string representing the version of the quarantine script being used.
- rqc.exe sends a notification to RRAS, indicating that the script ended successfully.
- The notification is received by rqs.exe on the back end.
- The listener component on the RRAS server checks the script version string in the notification message against those configured in the registry of the RRAS server and returns a message indicating whether the script version was valid or invalid.
- If the script version was acceptable, rqs.exe calls the MprAdminConnectionRemoveQuarantine API, which tells RRAS to remove the MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout settings from the connection and reconfigure the session for normal network access.
- Once this is done, the remote user has normal access to the resources on the network.
- rqs.exe creates an event describing the quarantined connection in the System event log.
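The session flow above, as an added model that is not from the article or from Microsoft's NAQC components: one RRAS connection that has received the quarantine attributes, the traffic filter and timeout they impose, and the rqc.exe notification that rqs.exe accepts only for an allowed script version. The class and function names, the remediation subnet in the sample filter and the version strings are constructed for illustration; the allowed-version set stands in for the list rqs.exe reads from the registry.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class QuarantineSession:
    """One RRAS connection after IAS returned Access-Accept with quarantine attributes."""
    allowed_versions: set        # stands in for the script versions rqs.exe reads from the registry
    ip_filter: list              # MS-Quarantine-IPFilter: destinations reachable while quarantined
    session_timeout: int         # MS-Quarantine-Session-Timeout, in seconds
    quarantined: bool = True
    connected: bool = True
    events: list = field(default_factory=list)   # what rqs.exe would write to the System log

    def permit(self, dst_ip: str) -> bool:
        """Outbound traffic check: while quarantined, only filter matches pass; afterwards all traffic."""
        if not self.connected:
            return False
        if not self.quarantined:
            return True
        return any(ip_address(dst_ip) in net for net in self.ip_filter)

    def tick(self, elapsed: int) -> None:
        """Timeout reached with no valid notification: RRAS drops the quarantined session (fail closed)."""
        if self.quarantined and self.connected and elapsed >= self.session_timeout:
            self.connected = False
            self.events.append("timeout: quarantined connection dropped")

    def rqc_notify(self, script_version: str) -> bool:
        """rqs.exe listener: lift quarantine only when the reported script version is allowed."""
        if not self.connected:
            return False
        if script_version not in self.allowed_versions:
            self.events.append(f"rejected notification, script version {script_version!r}")
            return False
        self.quarantined = False      # what MprAdminConnectionRemoveQuarantine would do in RRAS
        self.events.append(f"quarantine removed, script version {script_version!r}")
        return True


def new_session() -> QuarantineSession:
    """Constructed sample: the quarantine filter permits only a remediation subnet for two minutes."""
    return QuarantineSession(
        allowed_versions={"baseline-v1"},           # constructed version string
        ip_filter=[ip_network("10.10.50.0/24")],    # constructed remediation subnet
        session_timeout=120,
    )
```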
Step-by-Step Guide to Network Access Quarantine Control
Step 1: Learn how it works
Step 2: Create quarantined resources
Step 3: Write the baselining script
Step 4: Install the listening components
Step 5: Create a quarantined connection profile
Step 6: Distribute the profile to remote users
Step 7: Configure the quarantine policy
About the author: Jonathan Hassell is author of Hardening Windows (Apress LP) and is a SearchWindowsSecurity.com site expert. Hassell is a systems administrator and IT consultant residing in Raleigh, N.C., who has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book, RADIUS (O'Reilly & Associates), is a guide to implementing the RADIUS authentication protocol and overall network security.
Copyright 2006 TechTarget