Problem solve Get help with specific problems with your technologies, process and projects.

Step 1: Learn how it works

Windows Server 2003's Network Access Quarantine Control (NAQC) prevents remote users from connecting to your network with machines that aren't secure.

This Content Component encountered an error

NAQC prevents unhindered, free access to a network from a remote location until after the destination computer...

has verified that the remote computer's configuration meets certain requirements and standards, as outlined in a script.

To use NAQC, your remote access clients must be running Windows 98 Second Edition, Windows Millennium Edition, Windows 2000, or Windows XP Home or Professional. These versions of Windows support a connectoid, which is simply a dial-up or VPN connection profile located in the Network Connections element in the user interface, containing three essential elements:

  • Connection information, such as the remote server IP address, encryption requirements and so on.
  • The baselining script, which is a simple batch file or program used to assess the suitability of the client computer (more on this in a bit).
  • A notifier component, which talks to the destination network's backend machine and negotiates a lift of the client's quarantine.
These elements are united into one profile using the Connection Manager (CM) Administration Kit (CMAK) in Windows Server 2003. Additionally, you'll need at least one Windows Server 2003 machine on the back end running an approved listening component; for the purposes of this guide, I'll assume you're running the Remote Access Quarantine Agent service (called rqs.exe) from the Windows Server 2003 Resource Kit, because that is the only agent available at press time. Finally, you'll need a NAQC-compliant RADIUS server, such as the Internet Authentication Service in Windows Server 2003, so that network access can be restricted using specific RADIUS attributes assigned during the connection process. Here is a detailed outline of how the connection and quarantining process works, assuming you're using rqc.exe on the client end from the CMAK and rqs.exe on the back end from the Resource Kit:
  1. The remote user connects his computer, using the quarantine CM connectoid to the quarantine-enabled connection point, which is a machine running RRAS.
  2. The remote user authenticates.
  3. RRAS sends a RADIUS Access-Request message to the RADIUS server -- in this case, a Windows Server 2003 machine running IAS.
  4. The IAS server verifies the remote user's credentials successfully and checks its remote access policies. The connection attempt matches the configured quarantine policy.
  5. The connection is accepted, but with quarantine restrictions in place. The IAS server sends a RADIUS Access-Accept message, including the MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout attributes, to RRAS.
  6. The remote user completes the remote access connection with the RRAS server, which includes leasing an IP address and establishing other network settings.
  7. RRAS configures the MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout settings for the connection, now in quarantine mode. At this point, the remote user can only send traffic that matches the quarantine filters -- all other traffic is filtered -- and can only remain connected for the value, in seconds, of the MS-Quarantine-Session-Timeout attribute before the quarantine baselining script must be run and the result reported back to RRAS.
  8. The CMAK profile runs the quarantine script, currently defined as the "post-connect action."
  9. The quarantine script runs and verifies that the remote access client computer's configuration meets a baseline. If so, the script runs rqc.exe with its command-line parameters, including a text string representing the version of the quarantine script being used.
  10. rqc.exe sends a notification to RRAS, indicating that the script ended successfully.
  11. The notification is received by rqs.exe on the back end.
  12. The listener component on the RRAS server verifies the script version string in the notification message with those configured in the registry of the RRAS and returns a message indicating that the script version was either valid or invalid.
  13. If the script version was acceptable, the rqs.exe calls the MprAdminConnectionRemoveQuarantine API, which indicates to RRAS that it's time to remove the MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout settings from the connection and reconfigure the session for normal network access.
  14. Once this is done, the remote user has normal access to the resources on the network.
  15. rqs.exe creates an event describing the quarantined connection in the System event log.

Step-by-Step Guide to Network Access Quarantine Control

 Home: Introduction
 Step 1: Learn how it works
 Step 2: Create quarantined resources
 Step 3: Write the baselining script
 Step 4: Install the listening components
 Step 5: Creating a quarantined connection profile
 Step 6: Distribute the profile to remote users
 Step 7: Configuring the quarantine policy

Jonathan Hassell is author of Hardening Windows (Apress LP) and is a site expert. Hassell is a systems administrator and IT consultant residing in Raleigh, N.C., who has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book, RADIUS (O'Reilly & Associates), is a guide to implementing the RADIUS authentication protocol and overall network security.
Copyright 2006 TechTarget
This was last published in January 2006

Dig Deeper on Server Hardware for Windows



Find more PRO+ content and other member only offers, here.

This Content Component encountered an error