Problem solve Get help with specific problems with your technologies, process and projects.

Hardening Windows School: Network access quarantining

Mobile desktops must meet security policy before accessing the Windows network. Learn about network access quarantining in this school.

The following is one of three checklists to accompany Jonathan Hassell's Hardening Windows School, a series of six 10-minute webcasts designed to help you quickly and correctly lock down Windows systems. Lesson #6, Applying network access quarantine options, premieres Thursday, June 22. Click for the course outline.

One of the easiest and arguably most prevalent ways for nefarious software or Internet users to creep into your network is not through firewall holes or brute-force attacks -- nor is it any means that might occur at your campus or corporate headquarters. It's through mobile users trying to connect to your business network while on the road.

Consider why that is the case: Most remote users are authenticated only on the basis of their identities, and no effort is made to verify that their hardware and software meets certain baseline requirements. It is not uncommon for remote users to fail any or all of the following guidelines:

  • The latest service pack and security hotfixes must be installed;
  • The company-standard antivirus software must be installed and running with the latest signature files;
  • Internet or network routing must be disabled;
  • Windows XP Internet Connection Firewall (ICF) (now named Windows Firewall) or any other approved firewall must be installed, enabled and actively protecting ports on the computer.
  • You would expect business desktops to follow policy, but mobile users have traditionally been forgotten or grudgingly accepted as exceptions to the rule. Therefore, they become an active port for malware to enter and infect your network. That's why I'm going to explain why you need to use a security feature introduced in Windows Server 2003, Network Access Quarantine Control (NAQC), which gives you a chance to vet computers trying to access your network remotely, effectively closing ports.

    Sound like a decent idea? Browse through the checklist below to learn more about quarantining. (Click here for the printable version.)

     Hardening Windows School Checklist: Know your network access quarantine options
    Understand how Network Access Quarantine Control (NAQC) works
    Here's basically how NAQC works: Under NAQC, when a client establishes a connection to a remote network's endpoint -- a machine running the Routing and Remote Access Service
    (RRAS) -- the destination Dynamic Host Configuration Protocol (DHCP) server gives the remote, connecting computer an IP address, but an Internet Authentication Service (IAS)
    server establishes a "quarantine mode." In quarantine mode, a set of packet filters restricts the traffic sent to and received from a remote access client, and a session
    timer limits the duration of a remote client's connection in quarantine mode before being terminated. Once the remote computer is in quarantine mode, the client computer
    automatically executes the baseline script. Windows runs the script and, if satisfied with the result, contacts the listening service running on the Windows Server 2003 back-end
    machine to report it. Quarantine mode is then removed and normal network access is restored. If Windows is not satisfied with the result, the client is eventually disconnected
    when the session timer reaches the configured limit as described above.
    Decide on your preferred criteria for allowing regular access to your network
    What would you like to check when remote users try to connect? Here are some ideas:
  • The latest approved operating system service packs installed
  • Antivirus software installed, working and updated with the latest signature files
  • Firewall protections enabled
  • Internet routing disabled
  • Begin planning your resource areas for users in quarantine mode
    Under NAQC, you can establish a limited set of resources within the quarantine area where users can download information and software to help them rectify any issues that prevent
    them from accessing the unrestricted network. Consider posting a Web page explaining the quarantine process. Include information on how to get help from the help desk.
    You might also include a link to the latest service pack, a copy of your corporate antivirus software and individual links to hotfixes that you require. Give your users the
    power to self-correct their problems while still enhancing security on your network.
    Explore the Routing and Remote Access Service (RRAS) policy functionality
    A great guide to RRAS can be found at, and Chapter 11 of my book Learning Windows Server 2003 explains how to set up RRAS, and teaches you how to use
    policies and quarantining.

    Windows Security Checklists offer you step-by-step advice for planning, setting up and hardening your Windows security infrastructure. E-mail the editor to suggest additional checklist topics.

    More from Hardening Windows School

  • Course outline: Pick and choose which courses you'd like to take
  • Lesson 6: How to apply network access quarantine options
  • Intermediate checklist: Secure Group Policy design

  • ABOUT THE AUTHOR:   Go back to Checklists
    Jonathan Hassell is an author, consultant and speaker residing in Charlotte, North Carolina. Jonathan's books include RADIUS and Learning Windows Server 2003 for O'Reilly Media and Hardening Windows for Apress. His work is seen regularly in popular periodicals such as Windows IT Pro Magazine, SecurityFocus, PC Pro and Microsoft TechNet Magazine. He speaks around the world on topics including networking, security and Windows administration.

    Click to ask Jon a question or purchase his book here. Copyright 2005

    Dig Deeper on Windows Server troubleshooting

    Start the conversation

    Send me notifications when other members comment.

    Please create a username to comment.