Arrest Suspect Clients with Windows 2003’s New Quarantine Feature

If you want to see the CM profile you just created, open Windows Explorer and navigate to the %SYSTEMDRIVE%\Program Files\CMAK\Profiles directory. You should see a subdirectory with the CM profile name you specified in Step 6. If you open the subdirectory, you'll see several files present, including an .exe file that has the name you specified in Step 7. This file is the executable you want to distribute to your remote users so that they can install it on their clients.

Configuring the Remote Access Policy
Up to this point, the quarantine hasn't been enforced. That's about to change. Although your VPN server will be enforcing the quarantine, your IAS server has to ask the VPN server for the quarantine during authentication. Here are the steps you take to configure the IAS server so that it asks for the quarantine:

1. On the IAS server's Start menu, select All Programs, Internet Authentication Service.
2. Right-click Remote Access Policies, and select New Remote Access Policy to launch the New Remote Access Policy Wizard. Click Next to bypass the Welcome page.
3. In the opening dialog box, type Quarantine Policy in the Policy Name field. Click Next. Ensure that the VPN radio button is selected and click Next again. (If you want to create separate quarantines for dial-up and wireless clients, you can repeat this wizard for the other connection types.)
4. In the User or Group Access dialog box that appears, you need to specify which groups you want the remote access policy to affect. Optionally, you can create a group of users you want to subject to quarantine. For this example, click Add and type Domain Users in the Object Names field to require all domain users be subjected to quarantine. Click OK, then click Next twice.
5. You want your remote access clients to always use the strongest encryption method that's practical, so make sure that only the Strongest Encryption check box is selected in the Policy Encryption Level dialog box. However, don't select this option if you have older clients that require older encryption methods. Click Next and Finish. You now have a new remote access policy called Quarantine Policy.
6. To configure the specific attributes that will create the quarantined environment, right-click the newly created Quarantine Policy and select Properties. Click Edit Profile, and select the Advanced tab. In the Add Attribute dialog box, scroll down to the section that lists Microsoft in the Vendor column, as Figure 3 shows. You'll see several attributes here, but you need to be concerned about only two of them: MS-Quarantine-Session-Timeout (which lets you specify the number of seconds you want to permit clients to run the script) and MS-Quarantine-IPFilter (which lets you add multiple inbound and outbound filters).
7. Select the MS-Quarantine-Session-Timeout attribute and click Add to bring up the Attribute Information dialog box. (Alternatively, you can double-click the attribute's name.) You should set the MS-Quarantine-Session-Timeout attribute value to a time period that gives clients ample time to run the quarantine script. For this example, enter 60 in the Attribute value field, which specifies that you want to allow 60 seconds for the quarantine script to run. Click OK.
8. Select the MS-Quarantine-IPFilter attribute and click Add. Click Input Filters in the IP Filter Attribute Information dialog box to bring up the Inbound Filters dialog box. At a minimum, you need two inbound filters: one inbound filter for the communication between rqc.exe and rqs.exe and one inbound filter for DHCP communication. So, for this example, let's configure inbound filters for TCP port 7250, which is the default port on which rqs.exe listens for communication from rqc.exe, and UDP ports 67 and 68, which DHCP uses. Optionally, you might consider allowing DNS communication on UDP port 53 and WINS communication on UDP port 137, if your networking needs require it. If you want to let users connect to a Web server, you can always add a filter to TCP port 80.
9. In the Inbound Filters dialog box, click New. In the Add IP Filter dialog box that appears, select TCP in the Protocol drop-down list box. In the Destination Port field, enter the value 7250. Leave the other fields blank and click OK.
10. To add the second filter for DHCP, again click New in the Inbound Filters dialog box. In the Protocol drop-down list box, select UDP. In the Destination Port field, enter the value 67. In the Source Port field, enter the value 68. Click OK. You've now created the quarantined environment. Click OK twice to close the Inbound Filters dialog box and the IP Filter Attribute Information dialog box. Click Close to close the Add Attribute dialog box.
11. Click Apply once and OK twice to apply the new remote access policy. Any connecting clients must now run CheckFile.bat and remain quarantined while the script is running. As the client connects, the VPN server will apply the appropriate IP filters to the new connection.

Testing the Quarantine
You're probably anxious to test the new Network Access Quarantine Control feature. Before you can test it, though, you need to install on your test client the executable you created with CMAK in Step 7 of the "Creating the Quarantine-Compatible Profile" section. Copy the executable from the VPN server to a client workstation and run the executable. Using the parameters you specified in CMAK, the executable creates a dial-up networking connectoid.

After you've installed the executable, try connecting to the test network. If the connection fails, check your work closely and use the event logs on the VPN and IAS servers to troubleshoot the problem. You might want to also check out the following resources for more information about CMAK and the Network Access Quarantine Control feature:

• "Deploying Remote Access Clients Using Connection Manager" (http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/ deployguide/dnsbg_rac_overview.asp)
• "Network Access Quarantine Control in Windows Server 2003" (http://www.microsoft.com/windowsserver2003/techinfo/overview/quarantine.mspx)
• The Cable Guy, "Network Access Quarantine Control" (http://www.microsoft.com/technet/columns/cableguy/cg0203.asp)
• TechNet Webcast: "Secure Mobile Access Using Wireless and VPN Technologies in Windows Server 2003" (http://www.microsoft.com/usa/webcasts/ondemand/1767.asp)

A Secure Network
After you have the quarantine script running, you can adapt it to make other client queries. However, note that if you change the script, you need to use CMAK to recompile the profile and redistribute and reinstall the executable on each client. An alternative is to directly edit the script on each client. With this approach, you don't need to recompile the script after you've edited it. With a little customization, you'll soon see just how powerful the quarantine feature is in Windows 2003 and how you can use it to better secure your network.