January 18, 2005 12:00 AM

Setting Up Network Access Quarantine Control

Ensuring client health
Windows IT Pro
InstantDoc ID #44950

Securing your organization's network is fundamentally simple: Secure the perimeter to limit incoming threats and keep internal systems patched to protect them from those threats that do get through. So diligent patching, virus scanning, and strong passwords should eliminate security incidents on your network—right?

In reality, network security isn't that simple. Although you might be able to protect your internal systems, defending the extended network is more difficult. Users working from their home machines and mobile users connecting while on the road blur the line between internal and external systems. Although you can't control these external systems, Microsoft has included a technology in Windows Server 2003 that will help you prevent noncompliant systems from connecting to your network. This technology, Network Access Quarantine Control, quarantines remote VPN connections until the VPN clients prove compliance with network policy. Let's look at how Network Access Quarantine Control works and how to configure and run the server-side and client-side components.

Network Access Quarantine Control Overview
Network Access Quarantine Control is a Windows Server 2003 feature whose quarantine agent and notifier components ship in the Windows Server 2003 Resource Kit Tools. It provides a mechanism to run client-side scripts that perform functions such as verifying installed hotfixes, updating antivirus software, or checking firewall settings. Any task you can perform with a batch file, script, or executable, you can perform on connecting VPN clients before they receive full network access.

A Network Access Quarantine Control implementation consists of one or more remote access clients running a client-connection profile that you create with the Windows Server 2003 Connection Manager Administration Kit (CMAK); a connection point, such as a Windows Server 2003 server running RRAS; and, if you require Remote Authentication Dial-In User Service (RADIUS) authentication, a RADIUS server that supports the quarantine attributes, such as Windows Server 2003 running Internet Authentication Service (IAS). You'll also need to run a listener component, such as the Remote Access Quarantine Agent service (rqs.exe), on the RRAS server and a notifier component, such as the Remote Access Quarantine Client (rqc.exe), on the remote client. Both tools are part of the Windows Server 2003 Resource Kit Tools.

When a remote client authenticates to a quarantine-enabled RRAS server, RRAS sends a RADIUS Access-Request message to the IAS server. IAS verifies the user's credentials and, if the connection matches the remote access policy you've established, accepts the connection but with quarantine restrictions. IAS sends RRAS an Access-Accept message that carries two vendor-specific attributes from the policy profile: MS-Quarantine-IPFilter, the packet filters to apply while the client is quarantined, and MS-Quarantine-Session-Timeout, the maximum time the client may remain in quarantine. RRAS completes the connection but, because of the filters, allows the remote client only limited access to the network.

At this point, the remote client runs the quarantine script, which is part of the client-connection profile. The script checks the client configuration to verify that it complies with network security policy. If the client configuration is compliant, the script uses the notifier to report a script version string to the agent service on the RRAS server. The agent service compares the reported string with its list of allowed versions to make sure the client is running a current script. If the version is on the list, RRAS removes all quarantine restrictions on the connection and the client can use the connection without the quarantine limitations. Note what the agent actually verifies: not the state of the client, only that the client sent an acceptable version string. A user with administrative rights on the remote machine can run the notifier with a valid version string without running any checks at all, so Network Access Quarantine Control keeps cooperating but misconfigured clients off the network; it is not a defense against a deliberately hostile client.

However, if the client script reports that the machine isn't compliant with network policy or if the client reports an older version of the script, quarantine restrictions remain in place. The client will have access to only the network resources you designate, such as a Web page with instructions and downloads for bringing the client to compliance, until the time specified by the MS-Quarantine-Session-Timeout attribute elapses. After the time limit expires, the RRAS server disconnects the client. The script can also take measures to automatically bring the machine into compliance.
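The client-side half of the flow just described, as an added example that is not part of the article and not Microsoft's sample script: a quarantine script in PowerShell of the kind a CMAK post-connect action would launch once the VPN connection is up, assuming PowerShell is present on the client. The rqc.exe argument order (ConnName TunnelConnName TCPPort Domain Username ScriptVersion) is the documented one for the Resource Kit tool; the CMAK variables that supply the first five values are passed in as parameters. The KB number, the remediation URL, and the location of rqc.exe are placeholders to replace with your own values.

```powershell
# Added example, not from the article: client-side quarantine check script.
# A CMAK post-connect action would call it roughly as
#   powershell.exe -File quarantine.ps1 %DialRasEntry% %TunnelRasEntry% 7250 %Domain% %UserName%
param(
    [Parameter(Mandatory)][string]$ConnName,        # CMAK %DialRasEntry%
    [Parameter(Mandatory)][string]$TunnelConnName,  # CMAK %TunnelRasEntry%
    [int]$TcpPort = 7250,                           # port rqs.exe listens on (7250 is its default)
    [Parameter(Mandatory)][string]$Domain,          # CMAK %Domain%
    [Parameter(Mandatory)][string]$UserName,        # CMAK %UserName%
    [string]$ScriptVersion = 'Version1a',           # must exactly match an entry in the agent's AllowedSet
    [string]$RequiredHotfix = 'KB000000',           # hypothetical placeholder; use the real KB number
    [string]$RemediationUrl = 'http://quarantine.example.com/fix',  # hypothetical; must be reachable through the quarantine filter
    [string]$RqcPath = 'rqc.exe'                    # rqc.exe is shipped inside the CMAK profile; adjust the path
)

$failures = @()

# Check 1: Windows Firewall is enabled for the standard profile. This is the
# registry value the XP SP2 / Server 2003 SP1 firewall uses; 1 means enabled.
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$fw = Get-ItemProperty -Path $fwKey -Name EnableFirewall -ErrorAction SilentlyContinue
if (-not $fw -or $fw.EnableFirewall -ne 1) {
    $failures += 'Windows Firewall is not enabled'
}

# Check 2: the required hotfix is installed.
if (-not (Get-HotFix -Id $RequiredHotfix -ErrorAction SilentlyContinue)) {
    $failures += "Hotfix $RequiredHotfix is not installed"
}

if ($failures.Count -gt 0) {
    # Stay quarantined: report why and send the user to the remediation page.
    # The page's host must be one of the addresses permitted by MS-Quarantine-IPFilter,
    # or the user cannot reach it before MS-Quarantine-Session-Timeout disconnects them.
    $failures | ForEach-Object { Write-Warning $_ }
    Start-Process $RemediationUrl
    exit 1
}

# All checks passed: notify the Remote Access Quarantine Agent on the RRAS server.
# rqs.exe compares $ScriptVersion with its AllowedSet and, on a match, asks RRAS
# to drop the quarantine filters for this connection. Nothing here is verified
# by the server beyond the version string, which is the trust limitation noted above.
& $RqcPath $ConnName $TunnelConnName $TcpPort $Domain $UserName $ScriptVersion
exit $LASTEXITCODE
```

The exit code of rqc.exe is passed through so that the post-connect action can tell a rejected notification from an accepted one; whether rqc.exe signals rejection through its exit code is an assumption, so test it against your agent before relying on it. Keep the checks short: everything here has to finish inside the session timeout you set in the remote access policy.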

Setting Up Quarantine Control
To implement Network Access Quarantine Control on your network, you must first install and configure the necessary server components—IAS, RRAS, and the Remote Access Quarantine Agent service. To install the Remote Access Quarantine Agent service, you'll need to run the rqs_setup.bat file, which you'll find in the resource kit folder. This batch file copies the files that are necessary to run rqs.exe as a system service.

Before you run rqs_setup.bat, you must first edit it to record the script version string you want to use. To do this, open the batch file in Notepad and locate the following line of code:

REM REG ADD %ServicePath% /v AllowedSet /t REG_MULTI_SZ /d Version1\0Version1a\0Test

Remove REM from the beginning of the line and change the

Version1\0Version1a\0Test

string to reflect the script version you want to use. Note that you can include multiple versions by separating each value with \0. A connecting client must report one of these strings exactly; a client that reports any other string stays in quarantine. After you make these changes, save and execute the batch file to install the service. To start the service, use the command

net start rqs
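The same server-side setup checked from PowerShell, as an added example that is not part of the article: it writes AllowedSet as a proper REG_MULTI_SZ without the \0 escaping, reads the value back to confirm it was split into separate strings, restarts the agent, and confirms that it is listening. Two assumptions, both to check against your copy of rqs_setup.bat: the service's registry key (the batch file's %ServicePath%) is HKLM\SYSTEM\CurrentControlSet\Services\rqs, and rqs.exe listens on TCP 7250, its default port.

```powershell
# Added example, not from the article: verify the Remote Access Quarantine Agent setup.
# Assumed key: the value of %ServicePath% in rqs_setup.bat. Run rqs_setup.bat first.
$servicePath     = 'HKLM:\SYSTEM\CurrentControlSet\Services\rqs'
$allowedVersions = @('Version1', 'Version1a')   # one element per accepted script version
$rqsPort         = 7250                         # assumed: the agent's default listening port

if (-not (Test-Path $servicePath)) {
    throw "Run rqs_setup.bat first; $servicePath does not exist"
}

# -PropertyType MultiString stores each array element as its own null-separated
# string, which is what REG ADD /t REG_MULTI_SZ /d Version1\0Version1a produces
# when the \0 separators are typed correctly.
New-ItemProperty -Path $servicePath -Name AllowedSet -PropertyType MultiString `
    -Value $allowedVersions -Force | Out-Null

# Read it back. A mistyped separator in the batch file shows up here as a single
# element such as 'Version1\0Version1a', which no client will ever match.
$stored = @((Get-ItemProperty -Path $servicePath -Name AllowedSet).AllowedSet)
if ($stored.Count -ne $allowedVersions.Count) {
    throw "AllowedSet holds $($stored.Count) value(s), expected $($allowedVersions.Count): $($stored -join ', ')"
}
"AllowedSet: $($stored -join ', ')"

# Restart rqs so the new list is in effect (Restart-Service also starts a stopped service).
Restart-Service -Name rqs -ErrorAction Stop
$svc = Get-Service -Name rqs
if ($svc.Status -ne 'Running') { throw "rqs service is $($svc.Status)" }

# Confirm the listener that the client's rqc.exe will contact. netstat is used
# instead of Get-NetTCPConnection so this works on Windows Server 2003 as well.
$listening = netstat -ano | Select-String ":$rqsPort\s+.*LISTENING"
if (-not $listening) { throw "rqs is running but nothing is listening on TCP $rqsPort" }
$listening
```

One check this script cannot do for you: the MS-Quarantine-IPFilter in your remote access policy must permit the quarantined client to reach TCP port 7250 on the RRAS server's internal address. If it does not, rqc.exe can never deliver the notification, every client appears noncompliant, and all of them are disconnected when MS-Quarantine-Session-Timeout expires.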



Comments
  • CHAD
    Jan 21, 2005

    The idea here is great, but not a single business I know of or have worked for uses RRAS for remote access. Most use hardware firewalls with VPN capabilities or dedicated hardware VPN devices. That makes the whole thing pretty much impractical. It would be great if Microsoft could develop this to work with such devices. Sounds like we'll have to wait for Longhorn for that though.
