The next step is to create a quarantined Connection Manager profile. This is a normal profile of the kind you might create for any standard dial-up or VPN connection, with only a few modifications. First, you need to add a post-connect action so that your baselining script (from Step 3) runs on the client once the connection is up and reports success or failure back to the RRAS machine. Second, you need to add the notifier, rqc.exe, to the profile, because that is the component the script uses to make the report.
Let's look at using the CMAK to create a custom connectoid including the necessary NAQC components.
- Open the CMAK from the Administrative Tools menu, and then click Next on the introductory screen.
- Select Create a new service profile, and then click Next.
- In the Service name box, type a name that you want to use for the connection. This should be something familiar to users, such as "Connect to Corpnet" or something similar.
- In the File name box, type a name that you want to use for the service profile. This name is used for the files that CMAK creates while building the service profile. Do not use any of the following characters in the filename:
< SPACE > ! , ; * = / : ? ' " < >
- Click Next.
- I'll assume here that you do not have an existing CM profile to merge, so simply click Next to bypass the screen that asks whether to merge profile information.
- If you want to add a line of support information to the logon dialog box, type it in the Support information box -- for example, "For customer support, e-mail firstname.lastname@example.org." This is optional. Click Next when you've finished.
- Specify whether the service requires a realm name, and then click Next.
- If you want to configure custom Dial-Up Networking entries, click Add. In the Phone-book Dial-Up Networking entry dialog box, type the name of the Dial-Up Networking entry that you want. Click Next.
- Specify whether you want to assign specific DNS or WINS server addresses or a Dial-Up Networking script, and then click OK. Click Next.
- If you want to add VPN support to the service profile, click to select the This service profile checkbox, and then click Next. Specify the server in the Server address box, specify whether you want to assign specific DNS or WINS server addresses and whether to use the same user credentials that are used for a dial-up connection, and then click OK. Click Next.
- (Here is where the quarantine steps begin.) The Custom Actions screen appears.
- Select Post-Connect from the Action type drop-down box and then click the New button to add an action. The New Custom Action dialog box is displayed.
- Type a descriptive title for the post-connection action in the Description box. In Program to run, enter the name of your baselining script; you also can use the Browse button to look for it. Type the command-line switches and their arguments in the Parameters box. Finally, check the two bottom boxes: Include the custom action program with this service profile, which bundles the script into the profile so it is distributed along with it, and Program interacts with the user, which lets the script display messages to the user, such as the reason a client failed the check.
- Click OK, and you should return to the Custom Actions screen. Click Next.
- Continue filling in the wizard screens as appropriate, until you come to the Additional Files screen.
- Click Add, and then enter rqc.exe in the dialog presented next. You can use the Browse button to search for it graphically. Once you're finished, click OK.
- You'll be returned to the Additional Files screen, where you'll see rqc.exe listed. Click Next.
- Complete the remainder of the wizard as appropriate.
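To make the post-connect action concrete, here is an illustrative baselining script of the kind the custom action above runs. It is an added example, not the article's own script from Step 3 and not Microsoft's sample. It assumes that the Parameters box on the Custom Actions screen contains the CMAK macros %ServiceDir% %DialRasEntry% %TunnelRasEntry% %Domain% %UserName%, in that order; that rqc.exe has been added to the profile as described so that it lands in the service directory; that the listener installed on the RRAS server in Step 4 uses the default TCP port 7250 and has been configured to accept the script-version string Version1a; and that the two compliance checks (Windows Firewall turned on, and a hypothetical antivirus agent at a hypothetical path) stand in for whatever your organization's baseline actually requires.

```batch
@echo off
rem quarantine.cmd - illustrative NAQC post-connect baselining script (added example,
rem not the article's script). CMAK passes these macros from the Parameters box:
rem   %1 = %ServiceDir%      folder where CMAK unpacked the profile's extra files (rqc.exe)
rem   %2 = %DialRasEntry%    name of the dial-up connectoid
rem   %3 = %TunnelRasEntry%  name of the VPN connectoid
rem   %4 = %Domain%
rem   %5 = %UserName%
rem The script assumes all five macros expand to a non-empty value; an empty macro
rem shifts the positional arguments, so test the expanded line with your profile type.
setlocal
set SERVICEDIR=%~1
set DIALENTRY=%~2
set TUNNELENTRY=%~3
set DOMAIN=%~4
set USER=%~5

rem Assumed values: the TCP port rqs.exe listens on (7250 is the documented default)
rem and the script-version string the Step 4 listener was configured to accept.
set RQS_PORT=7250
set SCRIPT_VERSION=Version1a

rem --- Baseline check 1 (assumed policy): Windows Firewall must be on (XP SP2 registry layout).
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall | find "0x1" >nul
if errorlevel 1 (
    set FAILREASON=Windows Firewall is turned off
    goto :fail
)

rem --- Baseline check 2 (assumed policy, hypothetical path): corporate antivirus agent present.
if not exist "%ProgramFiles%\CorpAV\avagent.exe" (
    set FAILREASON=Corporate antivirus agent is not installed
    goto :fail
)

rem All checks passed: notify the RRAS server so it lifts the quarantine filters.
rem rqc.exe argument order: ConnName TunnelConnName TCPPort Domain Username ScriptVersion
"%SERVICEDIR%\rqc.exe" "%DIALENTRY%" "%TUNNELENTRY%" %RQS_PORT% "%DOMAIN%" "%USER%" %SCRIPT_VERSION%
if errorlevel 1 (
    set FAILREASON=The remote access server did not accept the quarantine release
    goto :fail
)
echo Compliance check passed; full network access granted.
endlocal
exit /b 0

:fail
rem rqc.exe is deliberately NOT called here: the client stays quarantined and RRAS
rem drops the connection when the quarantine timer expires. Because the custom action
rem was marked "Program interacts with the user", the user sees this message.
echo Your computer did not meet the connection requirements: %FAILREASON%
echo Contact the help desk before reconnecting.
endlocal
exit /b 1
```

Save this as the file you name in Program to run. The property to preserve, whatever checks you substitute, is that rqc.exe is invoked only after every check has passed: a client that fails never notifies the server, so it remains in the quarantined state, and the script-version string must match one the listener from Step 4 accepts or the notification is rejected even on a compliant machine.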
Step-by-Step Guide to Network Access Quarantine Control
Step 1: Learn how it works
Step 2: Create quarantined resources
Step 3: Write the baselining script
Step 4: Install the listening components
Step 5: Creating a quarantined connection profile
Step 6: Distribute the profile to remote users
Step 7: Configuring the quarantine policy
ABOUT THE AUTHOR:
Jonathan Hassell is author of Hardening Windows (Apress LP) and is a SearchWindowsSecurity.com site expert. Hassell is a systems administrator and IT consultant residing in Raleigh, N.C., who has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book, RADIUS (O'Reilly & Associates), is a guide to implementing the RADIUS authentication protocol and overall network security.
Copyright 2006 TechTarget