
Step 2: Create quarantined resources

Windows Server 2003's Network Access Quarantine Control (NAQC) keeps remote access clients in a restricted, quarantined state until a script confirms the connecting machine meets your security baseline. While a client is quarantined, the remote access server applies packet filters to its session so that only the resources you designate in this step are reachable.

You need to create resources that can actually be reached while the quarantine packet filters are in place for a remote client. Typical examples are DNS and DHCP servers, so that the client can obtain an IP address and other connection information such as DNS suffixes and DNS server addresses; file servers from which the client can download the software needed to bring an out-of-compliance machine up to date; and Web servers that describe the quarantining process or let a remote user contact IT support by e-mail if anything goes wrong.

You can specify and use quarantined resources in two ways. The first is to designate certain existing servers, which can be spread across your network, as the quarantine resources. This lets you reuse machines you already have, but you also have to create an individual packet filter for each of them, and every one of those filters is applied to each quarantined session. For performance and overhead reasons, it's best to keep the number of packet filters per session small.

If you decide to go this route, you'll need to enable the packet filters shown in the following table:

Table 1. Packet filters for distributed quarantine resources

Traffic type          Source port   Destination port   Alternative (instead of specifying port information)
Quarantine notifier   Any           TCP 7250           None
DHCP                  UDP 68        UDP 67             None
DNS                   Any           UDP 53             The IP address of any DNS server
WINS                  Any           UDP 137            The IP address of any WINS server
HTTP                  Any           TCP 80             The IP address of any Web server
NetBIOS session       Any           TCP 139            The IP address of any file server
Direct hosting (SMB)  Any           TCP 445            The IP address of any file server

You also can configure any other packet filters that are particular to your organization.

The other approach is to place all of your quarantined resources on a single dedicated IP subnet. This way, one packet filter for the subnet covers every resource a quarantined client is allowed to reach, but you might need to readdress machines and, in most cases, take them out of their existing service or buy new ones.

Using this method, the packet filter requirements are much simpler. You need just one filter for notifier traffic on destination TCP port 7250, one for DHCP traffic from source UDP port 68 to destination UDP port 67, and one for all other traffic to the address range of the dedicated quarantine resource subnet. And again, you can configure any other packet filters that are particular to your organization.
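The following script is an added example, not part of the original article and not the NAQC or IAS implementation itself. It models the permit-only semantics of the quarantine filters described above (a packet from a quarantined client is passed only if some filter matches it; everything else is dropped) and builds the two filter sets the text compares: one filter per distributed server, and one filter covering a dedicated quarantine subnet. The server addresses (192.0.2.x) and the quarantine subnet (10.99.0.0/24) are constructed for the example.

```python
"""Model of NAQC quarantine packet filters (added example, not NAQC's own code).

A quarantine filter set is permit-only: a packet is forwarded if any filter
matches it and is discarded otherwise. Ports and addresses below are
constructed for illustration; substitute your own resource addresses.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Filter:
    name: str
    proto: Optional[str] = None      # "tcp", "udp", or None for any protocol
    src_port: Optional[int] = None   # None = any source port
    dst_port: Optional[int] = None   # None = any destination port
    dst_net: Optional[str] = None    # CIDR prefix, or None = any destination

    def matches(self, proto: str, src_port: int, dst_ip: str, dst_port: int) -> bool:
        if self.proto is not None and self.proto != proto:
            return False
        if self.src_port is not None and self.src_port != src_port:
            return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        if self.dst_net is not None:
            if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst_net):
                return False
        return True


def quarantine_allows(filters: List[Filter], proto: str, src_port: int,
                      dst_ip: str, dst_port: int) -> Optional[str]:
    """Return the name of the first matching filter, or None if the packet
    would be dropped by the quarantine filters."""
    for f in filters:
        if f.matches(proto, src_port, dst_ip, dst_port):
            return f.name
    return None


# Filters every quarantine configuration needs, whichever approach is used:
# the notifier (rqc.exe -> rqs.exe on TCP 7250) and DHCP (UDP 68 -> 67).
COMMON = [
    Filter("notifier", "tcp", dst_port=7250),
    Filter("dhcp", "udp", src_port=68, dst_port=67),
]

# Approach 1: resources spread across the network, one filter per host.
# Each filter is narrowed to the designated server's address (the
# "alternative" column of Table 1). Addresses are constructed.
DNS_SERVER = "192.0.2.10"
WINS_SERVER = "192.0.2.11"
WEB_SERVER = "192.0.2.20"
FILE_SERVER = "192.0.2.30"
DISTRIBUTED = COMMON + [
    Filter("dns", "udp", dst_port=53, dst_net=DNS_SERVER + "/32"),
    Filter("wins", "udp", dst_port=137, dst_net=WINS_SERVER + "/32"),
    Filter("http", "tcp", dst_port=80, dst_net=WEB_SERVER + "/32"),
    Filter("netbios-ssn", "tcp", dst_port=139, dst_net=FILE_SERVER + "/32"),
    Filter("smb-direct", "tcp", dst_port=445, dst_net=FILE_SERVER + "/32"),
]

# Approach 2: every resource lives on one dedicated subnet (constructed),
# so a single address-range filter replaces the five per-host filters.
QUARANTINE_NET = "10.99.0.0/24"
SUBNET = COMMON + [Filter("quarantine-subnet", dst_net=QUARANTINE_NET)]


if __name__ == "__main__":
    print("distributed filters:", len(DISTRIBUTED), " subnet filters:", len(SUBNET))
    # Web traffic to a host that is not a designated quarantine resource is dropped.
    print(quarantine_allows(DISTRIBUTED, "tcp", 50000, "192.0.2.99", 80))
    # Any traffic into the dedicated subnet is passed.
    print(quarantine_allows(SUBNET, "tcp", 50000, "10.99.0.5", 8080))
```

The two checks worth keeping in mind when you test your own filter set are shown by the model: the notifier filter must match regardless of destination address, or rqc.exe can never report compliance and the client stays quarantined forever; and the DHCP filter matches on source port 68, so a packet with any other source port is dropped even though it targets UDP 67.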

Step-by-Step Guide to Network Access Quarantine Control

 Home: Introduction
 Step 1: Learn how it works
 Step 2: Create quarantined resources
 Step 3: Write the baselining script
 Step 4: Install the listening components
 Step 5: Creating a quarantined connection profile
 Step 6: Distribute the profile to remote users
 Step 7: Configuring the quarantine policy

Jonathan Hassell is author of Hardening Windows (Apress LP) and is a site expert. Hassell is a systems administrator and IT consultant residing in Raleigh, N.C., who has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book, RADIUS (O'Reilly & Associates), is a guide to implementing the RADIUS authentication protocol and overall network security.
Copyright 2006 TechTarget
