The final step in this process is to configure the actual quarantine policy within RRAS. In this section, I'll...
create a quarantine policy within RRAS that assumes you've posted the profile installer on a web server that is functioning as a quarantined resource.
- Open the RRAS Manager.
- In the left-pane, right-click Remote Access Policies, and then select New Remote Access Policy from the context menu. Click Next through the introductory pages.
- The Policy Configuration Method page appears. Enter Quarantined VPN remote access connections for the name of this policy. Click Next when you're finished.
- The Access Method page appears next. Select VPN, and click Next.
- On the User or Group Access page, select Group, and click Add.
- Type in the group names that should be allowed to VPN into your network. If all domain users have this ability, enter Everyone or Authenticated Users. I'll assume this domain has a group called VPNUsers that has access to VPN capabilities. Click OK.
- You'll be returned to the User or Group Access page, and you'll see the group name you added appear in the list box. Click Next if it looks accurate.
- The Authentication Methods page appears. To keep this example simple, use the MS-CHAP v2 authentication protocol, which is selected by default. Click Next.
- On the Policy Encryption Level page, make sure the Strongest Encryption setting is the only option checked. Then, click Next.
- Finish out the wizard by clicking Finish.
- Back in RRAS Manager, right-click the new Quarantined VPN remote access connections policy, and select Properties from the context menu.
- Navigate to the Advanced tab, and click Add to include another attribute in the list.
- The Add Attribute dialog box is displayed.
- Click MS-Quarantine-Session-Timeout, and then click Add.
- In the Attribute Information dialog box, type the quarantine session time in the Attribute value box. Use a sample value of 60, which will be measured in seconds, for the purposes of this demonstration. Click OK, and then OK again to return to the Advanced tab.
- Click Add. In the Attribute list, click MS-Quarantine-IPFilter, and then click Add again. You'll see the IP Filter Attribute Information screen.
- Click the Input Filters button, which displays the Inbound Filters dialog box.
- Click New to add the first filter. The Add IP Filter dialog box is displayed. In the Protocol field, select TCP. In the Destination port field, enter 7250. Click OK.
- Now, back on the Inbound Filters screen, select the Permit only the packets listed below radio button.
- Click New and add the input filter for DHCP traffic, repeating the preceding steps and including the appropriate port number and type as described earlier. Follow the same directions to allow DNS and WINS traffic.
- Click New and add an input filter for a quarantine resource, such as a web server, where your profile installer is located. Specify the appropriate IP address for the resource in the Destination network part of the Add IP Filter screen.
- Finally, click OK on the Inbound Filters dialog box to save the filter list.
- On the Edit Dial-in Profile dialog box, click OK to save the changes to the profile settings.
- Then, to save the changes to the policy, click OK once more.
Step-by-Step Guide to Network Access Quarantine Control
Step 1: Learn how it works
Step 2: Create quarantined resources
Step 3: Write the baselining script
Step 4: Install the listening components
Step 5: Creating a quarantined connection profile
Step 6: Distribute the profile to remote users
Step 7: Configuring the quarantine policy
|ABOUT THE AUTHOR:|
| Jonathan Hassell is author of Hardening Windows (Apress LP) and is a SearchWindowsSecurity.com site expert. Hassell is a systems administrator and IT consultant residing in Raleigh, N.C., who has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book, RADIUS (O'Reilly & Associates), is a guide to implementing the RADIUS authentication protocol and overall network security.
Copyright 2006 TechTarget