Problem solve Get help with specific problems with your technologies, process and projects.

Step 3: Write the baselining script

Windows Server 2003's Network Access Quarantine Control (NAQC) prevents remote users from connecting to your network with machines that aren't secure.

The next step is to write a baselining script that will be run on the client. You can write this script in any...

scripting environment supported by your Windows clients, or even as a compiled EXE program. This script can check whatever you want -- there is no standard level of baseline, as it's only what you feel comfortable with letting onto your network. You also can use any sort of interaction with any program that your scripting environment will allow. The baseline script is very flexible and can use whatever software resources you have available.

Here is an example batch file script:


 @echo off echo Your remote connection is %1 echo Your tunnel connection %2 echo Your Windows domain is %3 echo Your username is %4 set MYSTATUS= REM Baselining checks begin here REM Verify Internet Connection Firewall is enabled. Set CHECKFIRE to 1-pass, 2-fail. 
   REM Verify virus checker installed and sig file up. CHECKVIRUS is 1-pass, 2-fail. 
    REM Pass results to notifier or fail out with message to user. if "%CHECKFIRE%" = = "2" goto :NONCOMPLIANT if "%CHECKVIRUS%" = = "2" goto :NONCOMPLIANT rqc.exe %1 %2 7250 %3 %4 Version1-0 REM These variables correspond to arguments and switches for RQC.EXE REM %1 = %DialRasEntry% REM %2 = %TunnelRasEntry% REM RQS on backend listens on port 7250 REM %3 = %Domain% REM %4 = %UserName% REM The version of the baselining script is "Version1-0" REM Print out the status if "%ERRORLEVEL%" = = "0" ( set ERRORMSG=Successful baseline check. ) else if "%ERRORLEVEL%" = = "1" ( set ERRORMSG=Can't contact the RRAS server at the corporate network. Contact a system administration. ) else if "%ERRORLEVEL%" = = "2" ( set ERRORMSG=Access is denied. Please install the Connection Manager profile from http://location and attempt a connection again. ) else ( set ERRORMSG=Unknown failure. You will remain in quarantine mode until the session timeout is reached. ) echo %ERRORMSG% goto :EOF :NONCOMPLIANT echo echo Your computer has failed a baseline check for updates on echo your machine. It is against corporate policy to allow out of echo date machines to access the network remotely. Currently echo you must have Internet Connection Firewall enabled and echo an updated virus scanning software package with the echo latest virus signature files. For information about how to echo install or configure these components, surf to echo http://location. Echo You will be permitted to access only that location until Echo your computer passes the baselining check. :EOF


Of course, this batch file is simple. I've added the necessary comments throughout the script so that you can follow the action. It's important to keep in mind that you can make the script as complex as you want; you even can compile a special program because the post-connect script option in CMAK allows an .exe file to be run.

The one requirement of every baseline script is that it must run rqc.exe if the baselining compliance check was successful and included the following parameters:


 rqc ConnName TunnelConnName TCPPort Domain Username ScriptVersion

The switches and arguments are explained in the following list:

  • The ConnName argument is the name of the connectoid on the remote machine, most often inherited from the dial-in profile variable %DialRasEntry%.
  • The TunnelConnName argument is the name of the tunnel connectoid on the remote machine, most often inherited from the dial-in profile variable %TunnelRasEntry%.
  • The TCPPort argument is, obviously, the port used by the notifier to send a success message. This default is 7250.
  • The Domain argument is the Windows security domain name of the remote user, most often inherited from the dial-in profile variable %Domain%.
  • The Username argument is, as you might guess, the username of the remote user, most often inherited from the dial-in profile %UserName%.

The ScriptVersion argument is a text string that contains the script version that will be matched on the RRAS server. You can use any keyboard characters except /0 in a consecutive sequence.


Step-by-Step Guide to Network Access Quarantine Control

 Home: Introduction
 Step 1: Learn how it works
 Step 2: Create quarantined resources
 Step 3: Write the baselining script
 Step 4: Install the listening components
 Step 5: Creating a quarantined connection profile
 Step 6: Distribute the profile to remote users
 Step 7: Configuring the quarantine policy

Jonathan Hassell is author of Hardening Windows (Apress LP) and is a site expert. Hassell is a systems administrator and IT consultant residing in Raleigh, N.C., who has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book, RADIUS (O'Reilly & Associates), is a guide to implementing the RADIUS authentication protocol and overall network security.
Copyright 2006 TechTarget

This was last published in January 2006

Dig Deeper on Windows Server Virtualization and Microsoft Hyper-V



Find more PRO+ content and other member only offers, here.

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.