Step 3: Write the baselining script

The next step is to write the baselining script that CMAK runs on the client once the connection is up. You can write it in any scripting environment your Windows clients support, or even as a compiled EXE. The script can check whatever you want: there is no standard level of baseline, only the configuration you feel comfortable letting onto your network. It can interact with any program your scripting environment allows, so the baseline script is very flexible and can use whatever software resources you have available.

Here is an example batch file script:

    @echo off
    echo Your remote connection is %1
    echo Your tunnel connection is %2
    echo Your Windows domain is %3
    echo Your username is %4
    set MYSTATUS=
    REM Baselining checks begin here
    REM Verify Internet Connection Firewall is enabled. Set CHECKFIRE to 1-pass, 2-fail.

    REM Verify virus checker installed and sig file up to date. Set CHECKVIRUS to 1-pass, 2-fail.

    REM Pass results to the notifier, or fail out with a message to the user.
    REM Test for the pass value rather than the fail value, so that a check that
    REM never ran (variable unset) leaves the client in quarantine (fail closed).
    if not "%CHECKFIRE%"=="1" goto :NONCOMPLIANT
    if not "%CHECKVIRUS%"=="1" goto :NONCOMPLIANT
    rqc.exe %1 %2 7250 %3 %4 Version1-0
    REM These arguments correspond to the switches for RQC.EXE:
    REM %1 = %DialRasEntry%
    REM %2 = %TunnelRasEntry%
    REM 7250 = the port on which RQS on the RRAS server listens
    REM %3 = %Domain%
    REM %4 = %UserName%
    REM Version1-0 = the version of this baselining script
    REM Print out the status returned by rqc.exe
    if "%ERRORLEVEL%"=="0" (
        set ERRORMSG=Successful baseline check.
    ) else if "%ERRORLEVEL%"=="1" (
        set ERRORMSG=Can't contact the RRAS server at the corporate network. Contact a system administrator.
    ) else if "%ERRORLEVEL%"=="2" (
        set ERRORMSG=Access is denied. Please install the Connection Manager profile from http://location and attempt a connection again.
    ) else (
        set ERRORMSG=Unknown failure. You will remain in quarantine mode until the session timeout is reached.
    )
    echo %ERRORMSG%
    goto :EOF
    :NONCOMPLIANT
    echo.
    echo Your computer has failed a baseline check for updates on
    echo your machine. It is against corporate policy to allow out of
    echo date machines to access the network remotely. Currently
    echo you must have Internet Connection Firewall enabled and
    echo an updated virus scanning software package with the
    echo latest virus signature files. For information about how to
    echo install or configure these components, surf to
    echo http://location.
    echo You will be permitted to access only that location until
    echo your computer passes the baselining check.
    :EOF

Of course, this batch file is simple; the comments throughout let you follow the action. You can make the script as complex as you want, and you can even compile a special program, because the post-connect script option in CMAK allows an .exe file to be run. Keep one caveat in mind: the script runs on the client, under the connecting user's account, and it alone decides whether to call rqc.exe. A user who controls the machine can edit or replace it and send the notification regardless of the machine's state, so treat the baseline as a configuration-hygiene gate for cooperative clients rather than as a security boundary.

The one requirement of every baseline script is that it runs rqc.exe, and runs it only after the compliance check has succeeded, with the following parameters:

 

 rqc ConnName TunnelConnName TCPPort Domain Username ScriptVersion

The switches and arguments are explained in the following list:

  • The ConnName argument is the name of the connectoid on the remote machine, most often inherited from the dial-in profile variable %DialRasEntry%.
  • The TunnelConnName argument is the name of the tunnel connectoid on the remote machine, most often inherited from the dial-in profile variable %TunnelRasEntry%.
  • The TCPPort argument is the TCP port on which the listener (RQS) on the RRAS server accepts the notifier's success message. The default is 7250.
  • The Domain argument is the Windows security domain name of the remote user, most often inherited from the dial-in profile variable %Domain%.
  • The Username argument is, as you might guess, the username of the remote user, most often inherited from the dial-in profile %UserName%.

The ScriptVersion argument is a text string containing the script version, which must match a version configured on the RRAS server; RQS rejects the notification otherwise. It may contain any keyboard characters except the consecutive sequence /0.
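The template above leaves the two checks as comments, and the rqc.exe syntax is only described. The following batch file is an added example, not code from the original article or from Microsoft: it fills in both checks, fails closed, logs what it decided, and maps the rqc.exe exit codes to user messages. Everything site-specific is an assumption: the antivirus service name AVService, the signature file path in SIGFILE, the minimum signature date MINSIGDATE, the log file, script version Version1-1, and the placeholder URL http://location. The firewall test reads the EnableFirewall value that Windows XP SP2 and Windows Server 2003 SP1 keep under the SharedAccess\Parameters\FirewallPolicy\StandardProfile key.

```batch
@echo off
setlocal
REM Added example (not from the original article): a fail-closed baselining
REM script for CMAK's post-connect action. It performs the two checks the
REM template leaves as comments and then calls rqc.exe exactly once, on success.
REM Assumptions, adjust for your site: %1..%4 are %DialRasEntry%,
REM %TunnelRasEntry%, %Domain% and %UserName% passed by CMAK; rqs.exe on the
REM RRAS server listens on TCP 7250 and is configured to accept Version1-1;
REM the antivirus product runs as the hypothetical service "AVService" and
REM keeps its signatures in the hypothetical file SIGFILE.
set RQSPORT=7250
set SCRIPTVER=Version1-1
set AVSERVICE=AVService
set SIGFILE=C:\Program Files\AVVendor\Defs\virscan.dat
set MINSIGDATE=01-01-2006
set LOG=%TEMP%\baseline.log
set FAILREASON=
set ERRORMSG=

echo %DATE% %TIME% %SCRIPTVER% user=%3\%4 conn=%1 tunnel=%2 > "%LOG%"

REM Every check starts as fail (2) and must prove itself pass (1); an unset
REM variable or a typo therefore keeps the client in quarantine.
set CHECKFIRE=2
set CHECKVIRUS=2

REM Check 1: Windows Firewall enabled for the standard profile
REM (registry value written by XP SP2 / Server 2003 SP1; REG_DWORD 0x1 = on).
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall 2>nul | find /i "0x1" >nul
if not errorlevel 1 set CHECKFIRE=1
if "%CHECKFIRE%"=="1" (echo firewall: pass >> "%LOG%") else (
    echo firewall: FAIL >> "%LOG%"
    set FAILREASON=%FAILREASON% firewall-disabled
)

REM Check 2: antivirus service running AND signature file dated on or after
REM MINSIGDATE. "xcopy /L /D:date" only lists (never copies) files modified on
REM or after that date, so its "1 File(s)" summary line appears only when the
REM signature file exists and is fresh enough.
sc query "%AVSERVICE%" 2>nul | find "RUNNING" >nul
if not errorlevel 1 (
    xcopy "%SIGFILE%" "%TEMP%\." /L /D:%MINSIGDATE% 2>nul | find "1 File(s)" >nul
    if not errorlevel 1 set CHECKVIRUS=1
)
if "%CHECKVIRUS%"=="1" (echo antivirus: pass >> "%LOG%") else (
    echo antivirus: FAIL >> "%LOG%"
    set FAILREASON=%FAILREASON% antivirus-stale-or-stopped
)

if not "%CHECKFIRE%"=="1" goto :NONCOMPLIANT
if not "%CHECKVIRUS%"=="1" goto :NONCOMPLIANT

REM All checks passed: notify rqs.exe so RRAS removes the quarantine filters.
REM rqc.exe exit codes: 0 released, 1 cannot reach rqs.exe, 2 version rejected.
rqc.exe %1 %2 %RQSPORT% %3 %4 %SCRIPTVER%
set RC=%ERRORLEVEL%
echo rqc.exe exit code %RC% >> "%LOG%"
if "%RC%"=="0" set ERRORMSG=Successful baseline check. Quarantine has been lifted.
if "%RC%"=="1" set ERRORMSG=Cannot contact the quarantine listener on the RRAS server. Contact your administrator.
if "%RC%"=="2" set ERRORMSG=Access denied: the RRAS server does not accept script version %SCRIPTVER%. Reinstall the Connection Manager profile from http://location.
if not defined ERRORMSG set ERRORMSG=Unknown rqc.exe failure (code %RC%). You will remain in quarantine until the session times out.
echo %ERRORMSG%
goto :DONE

:NONCOMPLIANT
echo noncompliant:%FAILREASON% >> "%LOG%"
echo.
echo Your computer has FAILED the baseline check:%FAILREASON%
echo Corporate policy requires Windows Firewall to be enabled and antivirus
echo software running with signatures dated %MINSIGDATE% or later.
echo Until it passes you can reach only http://location. Details: %LOG%

:DONE
endlocal
```

Because RQS accepts only the version strings configured on the RRAS server, raising SCRIPTVER whenever you raise MINSIGDATE (and updating the server's accepted list to match) is how you retire an older baseline: clients still running the previous profile get the exit code 2 message and stay quarantined until they reinstall.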

 


Step-by-Step Guide to Network Access Quarantine Control

 Home: Introduction
 Step 1: Learn how it works
 Step 2: Create quarantined resources
 Step 3: Write the baselining script
 Step 4: Install the listening components
 Step 5: Creating a quarantined connection profile
 Step 6: Distribute the profile to remote users
 Step 7: Configuring the quarantine policy

ABOUT THE AUTHOR:
 
Jonathan Hassell is author of Hardening Windows (Apress LP) and is a SearchWindowsSecurity.com site expert. Hassell is a systems administrator and IT consultant residing in Raleigh, N.C., who has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book, RADIUS (O'Reilly & Associates), is a guide to implementing the RADIUS authentication protocol and overall network security.
Copyright 2006 TechTarget
 

This was first published in January 2006
