Securing your organization's network is fundamentally simple: Secure the perimeter to limit incoming threats and keep internal systems patched to protect them from those threats that do get through. So diligent patching, virus scanning, and strong passwords should eliminate security incidents on your network—right?
In reality, network security isn't that simple. Although you might be able to protect your internal systems, defending the extended network is more difficult. Users working from their home machines and mobile users connecting while on the road blur the line between internal and external systems. Although you can't control these external systems, Microsoft has included a technology in Windows Server 2003 that will help you prevent noncompliant systems from connecting to your network. This technology, Network Access Quarantine Control, quarantines remote VPN connections until the VPN clients prove compliance with network policy. Let's look at how Network Access Quarantine Control works and how to configure and run the server-side and client-side components.
Network Access Quarantine Control Overview
Network Access Quarantine Control is a Microsoft Windows Server 2003 Resource Kit tool that provides a mechanism to run client-side scripts that perform functions such as verifying installed hotfixes, updating antivirus software, or checking firewall settings. Any task you can do by using a batch file, script, or executable, you can perform on connecting VPN clients.
A Network Access Quarantine Control implementation consists of one or more remote access clients running a client-connection profile that you create by using the Windows 2003 Connection Manager Administration Kit (CMAK); a connection point such as a Windows 2003 server running RRAS; and, if you require Remote Authentication Dial-In User Service (RADIUS) authentication, a Network Access Quarantine Controlcomplaint RADIUS server such as Windows 2003 running Internet Authentication Service (IAS). You'll also need to run a listener component, such as the Remote Access Quarantine Agent service (rqs.exe), on the RRAS server and a notifier component, such as the Remote Access Quarantine Client service (rqc.exe), on the remote client. Both tools are part of the Windows 2003 resource kit.
When a remote client authenticates to a quarantine-enabled RRAS server, RRAS sends a RADIUS Access-Request message to the IAS server. IAS verifies the user's credentials, and if the connection matches the remote access policy you've established, accepts the connection but with quarantine restrictions. IAS sends RRAS an Access-Accept message with the MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout attributes. RRAS completes the connection but allows the remote client only limited access to the network.
At this point, the remote client runs the quarantine script, which is part of the client-connection profile. The script checks the client configuration to verify that it complies with network security policy. If the client configuration is compliant, the script notifies the agent service on the RRAS server. The agent service then checks the script version that the client reports to make sure the client is running the most recent version. If the script version proves valid, RRAS removes all quarantine restrictions on the connection and the client can proceed to use the connection without the quarantine limitations.
However, if the client script reports that the machine isn't compliant with network policy or if the client reports an older version of the script, quarantine restrictions remain in place. The client will have access to only the network resources you designate, such as a Web page with instructions and downloads for bringing the client to compliance, until the time specified by the MS-Quarantine-Session-Timeout attribute elapses. After the time limit expires, the RRAS server disconnects the client. The script can also take measures to automatically bring the machine into compliance.
Setting Up Quarantine Control
To implement Network Access Quarantine Control on your network, you must first install and configure the necessary server components—IAS, RRAS, and the Remote Access Quarantine Agent service. To install the Remote Access Quarantine Agent service, you'll need to run the rqs_setup.bat file, which you'll find in the resource kit folder. This batch file copies the files that are necessary to run rqs.exe as a system service.
Before you run rqs_setup.bat, you must first edit it to record the script version string you want to use. To do this, open the batch file in Notepad and locate the following line of code:
REM REG ADD %ServicePath% /v AllowedSet /t REG_MULTI_SZ /d Version1\0Version1a\0Test
Remove REM from the beginning of the line and change the
string to reflect the script version you want to use. Note that you can include multiple versions by separating each value with \0. After you make these changes, save and execute the batch file to install the service. To start the service, use the command
net start rqs
Creating the Quarantine Script
The quarantine script is an administrator-created script that runs on the client and verifies that the client meets the company's security policy requirements. A large shortcoming of Network Access Quarantine Control is that you must manually build these client-side scripts for your environment. Fortunately, Microsoft has provided some sample scripts you can use as a model. You can download the scripts from http://www.microsoft.com/downloads/details.aspx?familyid=a290f2ee-0b55-491e-bc4c-8161671b2462&displaylang=en.
The quarantine script contains one or more executables, DLL files, batch files, or scripts that you create to enforce your company quarantine policy. The script also contains the quarantine policy requirements that you want the client to meet to be allowed to connect to the network. Here are some requirements you might want to include:
The essential element of the quarantine script is the return call to the Remote Access Quarantine Agent service on the RRAS server. To execute the return call, run rqc.exe with the following code:
You also need to consider what actions a client might need to take while quarantined. For example, you might want to allow access to a Web or file server with instructions and files necessary for meeting policy requirements. You might also need to provide a way to download newer versions of the connection-profile script because failing the version check keeps the connection quarantined. For example, you could write your script to check an HTTP server to see whether a newer version of the script exists and update itself if necessary. You can add as many functions as you want to your script, depending on company policy.
Keep in mind that quarantine scripts simply verify client health and are by no means a strong security measure. Network Access Quarantine Control protects you from users who inadvertently cause problems such as spreading worms because their machines don't have the latest hotfixes but provides little protection from malicious users who have valid credentials on your network. You should assume that the client can modify the script or manipulate the results to falsely indicate compliance. Nevertheless, if you require compliance with network security policies, connecting users are less likely to be targets of malicious users.
Creating the Connection Profile
Next, you use CMAK to create the quarantine connection profile that clients will use to connect to your network. (See "Access Denied: Requiring VPN Users to Run Certain Software," August 2004, InstantDoc ID 43098, for information about installing CMAK.) The CMAK Wizard will walk you through the steps to create the profile. A quarantine connection profile is similar to any other client-connection profile, except that it contains a custom action to run a quarantine script after connection. You add this action when you get to the wizard's Custom Action page. For the Action type, select Post-connect, then click New. Figure 1 shows the New Custom Action dialog box in which you add the name and parameters for the quarantine script. You use the parameters to pass connection information that your script might need in the verification process. Table 1 shows a list of the connection variables that you can pass to the script. Some of these parameters are required because your script needs to pass this information back to the RRAS server. In particular, you'll need the %DialRasEntry%, %TunnelRasEntry%, %Domain%, and %UserName% variables to return as parameters to rqc.exe.
Select the Include the custom action program with this service profile check box to automatically include your script with the profile. If your client verification involves several files, you need to include the files in the Additional Files section of the wizard. When you finish creating the profile, the wizard compiles the profile as an executable that you can distribute and install on remote clients.
RRAS enforces the quarantine based on a remote access policy that you create using the RRAS New Remote Access Policy Wizard. To make a remote access policy a quarantine policy, follow the steps to create a standard policy, then add the MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout attributes on the Advanced tab of the Policy Profile Properties page.
Next, you need to add an inbound RRAS filter to allow incoming connections on TCP port 7250, which you'll do through the wizard's IP Filter Attribute Information page. This filter lets the client component communicate with the Remote Access Quarantine Agent service. Depending on your network configuration, you might need to add additional filters to allow DNS, DHCP, WINS, HTTP, or file-sharing traffic.
Network Access Quarantine Control can be a great defense for keeping security threats out of your network, but it does have limitations. The most obvious limitation is that creating verification scripts is a manual and time-consuming process. Another problem is that Network Access Quarantine Control relies on a specific set of technology. It doesn't integrate with third-party products and requires that the client be running a Windows OS. You can, however, create policy exemptions to let certain users access the network and bypass the quarantine.
The most important Network Access Quarantine Control limitation is that it controls only RAS connections; it has no control over LAN, wireless, or other non-RAS connections. However, this situation will change in future versions of Windows, with the introduction of Network Access Protection (NAP).
NAP will be a feature in Longhorn, the next major Windows version. NAP improves on Network Access Quarantine Control by providing better GUI-based administration and interoperability with many other products from companies such as Cisco Systems, Citrix Systems, McAfee, Symantec, and others. NAP will also work with all types of network connections, including LAN and wireless connections.
Although NAP won't be available anytime soon, Network Access Quarantine Control is here now and better than nothing, especially for remote users with machines that you can't control. With careful planning and a solid quarantine strategy, Network Access Quarantine Control can be a formidable line of defense against the threats facing your network.