Most security professionals find that remote access clients represent one of the weakest parts of any enterprise network. Despite the modern convenience of remote connectivity across a seemingly endless supply of fast broadband connections, enforcing minimum corporate standards that include technologies such as antivirus software and personal firewalls isn't easy. Even in well-managed networks with centralized administration, remote users who use their personal PCs to connect to the office often aren't subject to the corporate security standards designed to protect crucial corporate assets. Hence, the remote Access Points (APs) tend to be the culprit when new viruses hit the network.
Companies often address these problems by issuing a company policy that requires antivirus software and personal firewalls for any machine used to connect to the network. But a policy without a basic means of enforcement and subsequent consequences for violations is rarely successful.
To solve this problem, remote access vendors such as Check Point Software Technologies and Cisco Systems have begun to offer products that make sure remote clients meet minimal requirements before letting the clients connect to the corporate network. Microsoft now offers similar functionality in Windows Server 2003. Using Windows 2003's Network Access Quarantine Control feature, you can quarantine remote access clients while a customized script runs on the remote client. This script can include a variety of queries. For example, the script might check the client for the existence of a certain file, antivirus software, or an Internet Connection Firewall (ICF).
You can use the Network Access Quarantine Control feature with Windows 2003, Windows XP, Windows 2000, Windows Me, and Windows 98 Second Edition (Win98SE). To take advantage of the Network Access Quarantine Control feature, you must use Windows 2003's Connection Manager Administration Kit (CMAK) to create a special connection profile that contains the script you want to run on the remote clients.
Before I show you how to set up a quarantine, let's look at the RRAS quarantine environment. Figure 1 shows a sample network diagram. Both the IAS1 and VPN1 servers are running Windows 2003. IAS1 is a domain controller (DC) that's already running the Internet Authentication Service (IAS). VPN1 is a VPN server. You must configure the VPN server to use Remote Authentication Dial-In User Service (RADIUS) and not domain credentials to authenticate users.
In Figure 1, notice the existence of two networks. The 172.16.0.x network is the intranet, and the 10.0.0.x network connects to the Internet. The test client is running XP and is a remote client that connects through the Internet. To expedite the testing process of the quarantine feature, you should set up your test network similar to this diagram. For detailed instructions about how to set up such a test network, see the Microsoft article "Step-by-Step Guide for Setting Up VPN-Based Remote Access in a Test Lab" (http://www.microsoft.com/technet/prodtechnol/windowsserver2003/deploy/confeat/rmotevpn.asp).
Note that in the network numbering used in this test setup, test networks are set aside as part of Internet Engineering Task Force (IETF) Request for Comments (RFC) 1918, which calls for allocating certain IPv4 address space for private networks. These networks might or might not already be a part of your existing network, so be sure to perform your tests in a lab that's isolated from your production resources. If you decide to move your test setup into production, you'll have to renumber one or both networks in your quarantine test setup to support the address space already assigned by your ISP and your existing intranet.
How the Quarantine Works
The new quarantine feature depends on CMAK, which has the ability to run scripts before or after dialing or connecting. After creating a Connection Manager profile, you'll have a single distributable .exe file that allows the distribution of the necessary script, optional phone books for dialing, and other associated files you need to enforce the quarantine function. The quarantine script uses the Remote Access Quarantine Client utility (rqc.exe), which is a Microsoft Windows Server 2003 Resource Kit tool.
When a new client attempts to connect to a VPN server that's running RRAS and has the Network Access Quarantine Control feature enabled, the VPN server (VPN1 in Figure 1) passes the user-provided credentials received from the remote client to the IAS server (IAS1 in Figure 1) for authentication. The credentials take the form of RADIUS Access-Request messages. The IAS server validates the credentials against the associated remote access policy. The remote access policy specifies which users can log on, when they can log on, and the connection types to allow. In addition, a remote access policy can require a client to be quarantined until a quarantine script successfully executes on the client.
When a remote access policy requires the quarantine of clients, the IAS server uses two RADIUS attributes to create the quarantine: MS-Quarantine-IPFilter, which defines the IP restrictions to be applied to the clients in quarantine, and MS-Quarantine-Session-Timeout, which limits the time that a client spends in quarantine.
After the quarantine script runs successfully, rqc.exe returns a message to the VPN server, which executes a listener component called Remote Access Quarantine Agent (rqs.exe). After rqs.exe verifies that the message is from rqc.exe, rqs.exe makes sure that the quarantine script executed successfully and that the client met all the requirements. If the script ran successfully and the client met the requirements, the RAS server lifts the quarantine and the user has access to the resources that the remote access policy defines. If the client fails to meet the requirements, the client remains in quarantine until either the user disconnects the client or the time specified by the MS-Quarantine-Session-Timeout attribute elapses, in which case the VPN server drops the client.
You need to make special resources available to clients that fail to meet your requirements. When deciding which resources to make available, consider whether you want to give these clients a simple Web page that explains why they're in quarantine and what corrective actions users can take to remedy the problems. If you require remote clients to have antivirus software and clients are in quarantine because they don't have it, consider making the antivirus installation software (or its updates) available to them. Your corporate security policy and licensing will guide you through making such decisions.
Setting Up the Quarantine
Setting up a quarantine for the first time is a four-stage process. First, you need to install rqs.exe on the VPN server. Second, you need to obtain the quarantine script for the clients to execute. Third, you need to use CMAK to create a Connection Manager (CM) profile. Finally, you need to set a remote access policy on your IAS server.
The first task is to install rqs.exe on the VPN server. You can download the Windows Server 2003 Resource Kit Tools, which contains rqs.exe as well as rqc.exe, from http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4ae7- 96ee-b18c4790cffd&displaylang=en. Then follow these steps:
- Select Run on the Start menu. Type
- Set C:\Program Files\Windows Resource Kits\Tools as the current directory. Assuming that the current drive is C:, you can use the command
- Run the command
- Open the registry editor and navigate to the HKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\ServicesRQS registry subkey. Create a new Multi-String value called AllowedSet. Add the version numbers of the scripts you'll run against your clients. For this example, you need to add only one value: Version1, which is the version number for the quarantine script CheckFile.bat, which Listing 1 shows. I'll discuss what this script does shortly. For now, look at the line that callout A highlights. Notice that the last parameter contains the version number of this script. This version number, passed to rqc.exe as a variable, must match this registry entry to successfully connect. The version number lets you upgrade the script at some point and ensure that intruders can't use old scripts to successfully get past the quarantine.
and click OK to open a command prompt window.
(Although this command appears on two lines here, enter it all on one line at the command line.)
to execute the installation script for rqs.exe. This installation script copies the appropriate files and creates the Remote Access Quarantine Agent Service. This service has a dependency on the Routing and Remote Access Service, so when you restart RRAS, you must remember to also start the Remote Access Quarantine Agent Service. This service is set to automatically start, except for right after installation. If you try to start this service immediately after installation, it would fail because a script isn't yet available for clients.
Obtaining the Quarantine Script
As I mentioned previously, the quarantine script can include a variety of client queries. The sample script CheckFile.bat checks for the existence of a file called access.txt in the \Windows\System32 directory. If the script finds the file, the script runs rqc.exe. Rqc.exe, in turn, calls rqs.exe on the VPN server, notes that the script has run successfully and the client has met the file requirement, and asks for the removal of the quarantine. The script must run rqc.exe within the timeout period (which you'll specify later) to have your VPN server lift the quarantine restrictions; otherwise, the VPN server will terminate the connection.
You can download CheckFile.bat from Windows & .NET Magazine's Web site (http://www.winnetmag.com) by entering 40047 in the InstantDoc ID text box and downloading the 40047.zip. Or, if you're adept at writing scripts, you can create a custom quarantine script.
Creating the CM Profile
With rqs.exe installed and the quarantine script in hand, you need to install CMAK on any server running Windows 2003 and configure a CM profile. To do so, follow these steps:
- Open the Control Panel Add or Remove Programs applet.
- Click Add/Remove Windows Components in the Add or Remove Programs dialog box to launch the Windows Components Wizard.
- In the Components section of the Windows Components Wizard dialog box, select the Management and Monitoring Tools check box. Click Details.
- Select the Connection Manager Administration Kit check box in the Subcomponents of Management and Monitoring Tools list box in the Management and Monitoring Tools dialog box. Click OK, then Next. The Windows Components Wizard will likely ask you to insert the original Windows 2003 media to complete the installation.
- Select All Programs, Administrative Tools, Connection Manager Administration Kit on the Start menu to launch the CMAK wizard. Click Next. Click Next again.
- In the Service name field, enter a creative name for your CM profile. For this example, type hotcert.com. Press the Tab key.
- In the File Name field, enter a name for the executable that you want to distribute to your users. The executable's filename can't be longer than eight characters. You don't need to include the file extension. The wizard will append the .exe file extension later. For this example, type hotcert. Click Next three times.
- In the VPN Support dialog box, the CMAK wizard offers the feature of distributing phone books to users. Phone books let you distribute and update changes to multiple dial-up and VPN servers. The phone books also let you list multiple phone numbers to reach dial-up and VPN servers, which gives users several connection options if a RAS server becomes unavailable. To use the phone book feature, you need an external-facing Web server to provide the necessary updates to the clients.
- In the Phone Book dialog box, clear the Automatically download phone book updates check box. For this test environment, you won't be making changes to the phone book. Before applying this quarantine to a production environment, you'll want to revisit the creation of phone books for automatically updating remote clients. The CMAK reference in the "Testing the Quarantine" section covers how to create phone books. Click Next four times to open the Custom Actions dialog box.
- Click New in the Custom Actions dialog box to open the New Custom Action dialog box, which Figure 2 shows. You'll make most of the quarantine configurations in this dialog box.
- In the Description field of the New Custom Action dialog box, type Quarantine Script.
- In the Program to run field of the New Custom Action dialog box, type the name of the quarantine script that you want the remote client to run. You can specify any type of executable file, such as a .dll, .exe, .bat, or .cmd file.
- In the Parameters field of the New Custom Action dialog box, you need to pass the variables that the script needs to run. You can also specify CMAK variables in this field. (You can learn about these variables in CMAK's online Help file. Search for the Incorporating custom actions page, and scroll down to the How to specify a custom action section for a full listing of variables you can pass.) Add the following five entries to the Parameters field:
For this example, you have only one VPN server, so you need to provide only one IP address for that server. Select the Phone Book from this profile check box and the Always use the same VPN Server check box. Supply the VPN server's external IP address. For this example, type 10.0.0.2. Click Next two times.
- %DialRasEntry% (whose value is the service name or remote access entry name for the dial-up connection)
- %TunnelRasEntry% (whose value is the service name or remote access entry name for the tunnel connection)
- %Domain% (whose value is the remote user's domain for the connection)
- %UserName% (whose value is the remote user's name)
- %ServiceDir% (whose value is the path to the profile directory)
Be sure to put a space between each variable, as Figure 2 shows.
The directory you create in this step is hidden to resist tampering of the script and its contents. However, if the possibility still exists that technically adept users might unhide the directory and alter this script on their client, you might consider using a new feature in Windows 2003 and XP: software restriction policies. If you implement these policies, the OS won't run batch files (and many other types of files) that have been modified. Or you might use an encoded Windows Script Host (WSH) script instead of a simple batch file. For more information about software restriction policies, see the Microsoft article "Using Software Restriction Policies to Protect Against Unauthorized Software" (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/maintain/rstrplcy.asp). For more information about encoding WSH scripts, see "Scripting Solutions with WSH and COM: Encoding Your Scripts," November 2001, http://www .winscriptingsolutions.com, InstantDoc ID 22713).
If you want to see the CM profile you just created, open Windows Explorer and navigate to the %SYSTEMDRIVE%\Program Files\CMAK\Profiles directory. You should see a subdirectory with the CM profile name you specified in Step 6. If you open the subdirectory, you'll see several files present, including an .exe file that has the name you specified in Step 7. This file is the executable you want to distribute to your remote users so that they can install it on their clients.
Configuring the Remote Access Policy
Up to this point, the quarantine hasn't been enforced. That's about to change. Although your VPN server will be enforcing the quarantine, your IAS server has to ask the VPN server for the quarantine during authentication. Here are the steps you take to configure the IAS server so that it asks for the quarantine:
- On the IAS server's Start menu, select All Programs, Internet Authentication Service.
- Right-click Remote Access Policies, and select New Remote Access Policy to launch the New Remote Access Policy Wizard. Click Next to bypass the Welcome page.
- In the opening dialog box, type Quarantine Policy in the Policy Name field. Click Next. Ensure that the VPN radio button is selected and click Next again. (If you want to create separate quarantines for dial-up and wireless clients, you can repeat this wizard for the other connection types.)
- In the User or Group Access dialog box that appears, you need to specify which groups you want the remote access policy to affect. Optionally, you can create a group of users you want to subject to quarantine. For this example, click Add and type Domain Users in the Object Names field to require all domain users be subjected to quarantine. Click OK, then click Next twice.
- You want your remote access clients to always use the strongest encryption method that's practical, so make sure that only the Strongest Encryption check box is selected in the Policy Encryption Level dialog box. However, don't select this option if you have older clients that require older encryption methods. Click Next and Finish. You now have a new remote access policy called Quarantine Policy.
- To configure the specific attributes that will create the quarantined environment, right-click the newly created Quarantine Policy and select Properties. Click Edit Profile, and select the Advanced tab. In the Add Attribute dialog box, scroll down to the section that lists Microsoft in the Vendor column, as Figure 3 shows. You'll see several attributes here, but you need to be concerned about only two of them: MS-Quarantine-Session-Timeout (which lets you specify the number of seconds you want to permit clients to run the script) and MS-Quarantine-IPFilter (which lets you add multiple inbound and outbound filters).
- Select the MS-Quarantine-Session-Timeout attribute and click Add to bring up the Attribute Information dialog box. (Alternatively, you can double-click the attribute's name.) You should set the MS-Quarantine-Session-Timeout attribute value to a time period that gives clients ample time to run the quarantine script. For this example, enter 60 in the Attribute value field, which specifies that you want to allow 60 seconds for the quarantine script to run. Click OK.
- Select the MS-Quarantine-IPFilter attribute and click Add. Click Input Filters in the IP Filter Attribute Information dialog box to bring up the Inbound Filters dialog box. At a minimum, you need two inbound filters: one inbound filter for the communication between rqc.exe and rqs.exe and one inbound filter for DHCP communication. So, for this example, let's configure inbound filters for TCP port 7250, which is the default port on which rqs.exe listens for communication from rqc.exe, and UDP ports 67 and 68, which DHCP uses. Optionally, you might consider allowing DNS communication on UDP port 53 and WINS communication on UDP port 137, if your networking needs require it. If you want to let users connect to a Web server, you can always add a filter to TCP port 80.
- In the Inbound Filters dialog box, click New. In the Add IP Filter dialog box that appears, select TCP in the Protocol drop-down list box. In the Destination Port field, enter the value 7250. Leave the other fields blank and click OK.
- To add the second filter for DHCP, again click New in the Inbound Filters dialog box. In the Protocol drop-down list box, select UDP. In the Destination Port field, enter the value 67. In the Source Port field, enter the value 68. Click OK. You've now created the quarantined environment. Click OK twice to close the Inbound Filters dialog box and the IP Filter Attribute Information dialog box. Click Close to close the Add Attribute dialog box.
- Click Apply once and OK twice to apply the new remote access policy. Any connecting clients must now run CheckFile.bat and remain quarantined while the script is running. As the client connects, the VPN server will apply the appropriate IP filters to the new connection.
Testing the Quarantine
You're probably anxious to test the new Network Access Quarantine Control feature. Before you can test it, though, you need to install on your test client the executable you created with CMAK in Step 7 of the "Creating the Quarantine-Compatible Profile" section. Copy the executable from the VPN server to a client workstation and run the executable. Using the parameters you specified in CMAK, the executable creates a dial-up networking connectoid.
After you've installed the executable, try connecting to the test network. If the connection fails, check your work closely and use the event logs on the VPN and IAS servers to troubleshoot the problem. You might want to also check out the following resources for more information about CMAK and the Network Access Quarantine Control feature:
- "Deploying Remote Access Clients Using Connection Manager" (http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/ deployguide/dnsbg_rac_overview.asp)
- "Network Access Quarantine Control in Windows Server 2003" (http://www.microsoft.com/windowsserver2003/techinfo/overview/quarantine.mspx)
- The Cable Guy, "Network Access Quarantine Control" (http://www.microsoft.com/technet/columns/cableguy/cg0203.asp)
- TechNet Webcast: "Secure Mobile Access Using Wireless and VPN Technologies in Windows Server 2003" (http://www.microsoft.com/usa/webcasts/ondemand/1767.asp)
A Secure Network
After you have the quarantine script running, you can adapt it to make other client queries. However, note that if you change the script, you need to use CMAK to recompile the profile and redistribute and reinstall the executable on each client. An alternative is to directly edit the script on each client. With this approach, you don't need to recompile the script after you've edited it. With a little customization, you'll soon see just how powerful the quarantine feature is in Windows 2003 and how you can use it to better secure your network.