Deploying Network Access Quarantine Control, Part 1
One of the easiest and arguably most prevalent ways for nefarious software or Internet users to creep onto your network is not through holes in your firewall, or brute force password attacks, or anything else that might occur at your corporate headquarters or campus. It's through your mobile users, when they try to connect to your business network while on the road.
Consider why that is the case. Most remote users are only authenticated on the basis of their identity; no effort is made to verify that their hardware and software meet a certain baseline requirement. Remote users could, and do every day, fail any or all of the following guidelines:
You would expect your business desktops to follow policy, but in the past, mobile users have traditionally been forgotten or grudgingly accepted as exceptions to the rule. However, Windows Server 2003 includes a new feature in its Resource Kit, called "Network Access Quarantine Control," which allows you to prevent remote users from connecting to your network with machines that aren't up-to-date and secure.
How Network Access Quarantine Works
Network Access Quarantine Control, or NAQC, prevents unhindered, free access to a network from a remote location until after the destination computer has verified the remote computer's configuration meets certain requirements and standards as outlined in a script.
To use NAQC, your remote access computers must be running any one of Windows 98 Second Edition, Windows Millennium Edition, Windows 2000, or Windows XP Home or Professional. These versions of Windows support a connectoid, containing the connection information, the baselining script, and a notifier component, that can be created using the Connection Manager Administration Kit (CMAK) in Server 2003. Additionally, you'll need at least one Windows Server 2003 machine on the backend running an approved listening component; for the purposes of our exercise, I'll assume you're running the Remote Access Quarantine Agent service (called RQS.EXE) from the Windows Server 2003 Resource Kit. Finally, you'll need a NAQC-compliant RADIUS server, such as the Internet Authentication Service in Server 2003, so that network access can be restricted.
A Step-by-Step Overview of NAQC
Here is a detailed outline of how the connection and quarantining process works, assuming you're using RQC.EXE on the client end from the CMAK and RQS.EXE on the back end from the Resource Kit.
In this section, I'll look at the actual deployment of NAQC on your network. There are six steps, each outlined in separate subsections ahead.
Creating Quarantined Resources
The first step is to create resources that actually can be accessed while the quarantine packet filters are in place for a remote client. Examples of such resources include DNS servers and DHCP servers so IP address and connection information can be retrieved, file servers to download appropriate software to update out-of-compliance machines, and web servers that may describe the quarantining process or allow a remote user to contact IT support via e-mail if any problems occur.
There are two ways you can specify and use quarantined resources. The first is to identify certain servers on your network as quarantine resources, without regard to their physical or network location. This allows you to use existing machines to host the quarantined resources, but you also have to create individual packet filters for quarantined sessions for each of these existing machines. For performance and overhead reasons, it's best to limit the number of individual packet filters for a session.
The other approach is to limit your quarantined resources to a particular IP subnet. This way, you just need one packet filter to quarantine traffic to a remote user, but you have to re-address these machines and, in most cases, take them out of their existing service or buy new ones. Using this method, however, the packet filter requirements are much simpler. You simply need to open one for notifier traffic on destination TCP port 7250, one for DHCP traffic on source UDP port 68 and destination UDP port 67, and for all other traffic, the address range of the dedicated quarantine resource subnet. And again, you can also configure any other packet filters peculiar to your organization.
Writing the Baselining Script
The next step is to actually write a baselining script that will be run on the client. This is really independent and unique to your organization, but all scripts must run RQC.EXE if the baselining compliance check was successful and include the following parameters:
rqc ConnName TunnelConnName TCPPort Domain Username ScriptVersion
The switches and arguments are explained in the following list.
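As an added illustration (not the article's or Microsoft's sample script), here is a minimal baselining script in the form CMAK can run as a post-connect action. It assumes the CMAK custom action passes the connection name, tunnel connection name, domain and user name as the four positional arguments (CMAK macros such as %DialRasEntry%, %TunnelRasEntry%, %Domain% and %UserName% are an assumption here, not something the article states), that RQS listens on its default port 7250, and that the two compliance checks (a placeholder antivirus signature file and a placeholder registry value) are constructed stand-ins for whatever your organization's baseline actually requires.

```batch
@echo off
rem Added example baselining script; checks and paths are constructed placeholders.
rem Usage from the CMAK custom action (assumed macro names):
rem   baseline.cmd %DialRasEntry% %TunnelRasEntry% %Domain% %UserName%
setlocal
set CONN_NAME=%1
set TUNNEL_NAME=%2
set USER_DOMAIN=%3
set USER_NAME=%4
set RQS_PORT=7250
rem Must match the script version string stored on the RRAS server for RQS.
set SCRIPT_VERSION=1.0

rem Check 1: placeholder antivirus signature file must be present.
if not exist "%ProgramFiles%\ExampleAV\signatures.dat" goto fail

rem Check 2: placeholder registry marker set by the desktop management tool.
rem (reg.exe is assumed available, i.e. Windows 2000/XP clients.)
reg query "HKLM\SOFTWARE\ExampleCorp\Baseline" /v Compliant >nul 2>&1
if errorlevel 1 goto fail

rem All checks passed: notify the RQS listener so the quarantine filters are removed.
rqc %CONN_NAME% %TUNNEL_NAME% %RQS_PORT% %USER_DOMAIN% %USER_NAME% %SCRIPT_VERSION%
if errorlevel 1 goto notify_failed
echo Baseline check passed; quarantine released.
goto end

:fail
rem Say nothing to RQS: the session stays quarantined with access only to the
rem quarantined resources (update file server, help web server, DNS, DHCP).
echo This computer does not meet the remote access baseline.
echo Connect to the update server listed on the quarantine web page, then reconnect.
goto end

:notify_failed
echo Baseline passed, but RQC could not notify the server; session remains quarantined.

:end
endlocal
```

If the script's version string does not match the one configured on the RRAS server, RQS rejects the notification and the client stays quarantined, so bump both together when you change the checks.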
Installing the Listening Components
The Remote Access Quarantine Agent service, known otherwise as RQS.EXE, must be installed on the Server 2003 machines accepting incoming calls using RRAS. RQS is found in the Windows Server 2003 Resource Kit Tools download, as found on the Microsoft web site. Once you've run the installer for the tools, select the Command Shell option from the program group on the Start menu, and run RQS_SETUP /INSTALL from that shell. This batch file will copy the appropriate binaries to the WindowsRoot\System32\RAS folder on your system and modify service and registry settings so that the listener starts automatically when the server boots up.
There is a bit of manual intervention required, however: you need to specify the version string for the baselining script. The listener service will match the version reported by the remote computer to the value stored on the RRAS computer to make sure the client is using the latest acceptable version of a script. To make this change manually after you've run RQS_SETUP from the Tools download:
Alternatively, you can modify the RQS_SETUP batch file, so this step can be automated for future deployments. To do so:
Two notes: RQS is set as a dependency of RRAS. However, when RRAS is restarted, RQS doesn't automatically restart, so you'll need to manually restart it if you ever stop RRAS manually. Also, by default, RQS.EXE listens on TCP port 7250. To change the default TCP port, navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rqs\ key, create a new REG_DWORD value called Port and set it to the desired port.
Creating a Quarantined Connection Profile
The next step is to create a quarantine Connection Manager profile, which happens to be a plain-vanilla profile with a few modifications. For one, you need to add a post-connect action so that your baselining script will run and return a success or failure message to the RRAS machine. You also need to add the notifier to the profile as well.
In this section, I'll assume you're familiar with creating custom connectoids with the CMAK Wizard, since the whole process is beyond the scope of this article. Where the process begins to differ is at the Custom Actions screen, and I'll begin this procedural outline there.
In the next installment of this article, I'll look at distributing this new profile to remote users, configuring the policy that actually performs the quarantining, how to except users from certain quarantine configurations, and how this technology is implemented in Microsoft's new ISA Server 2004. Stay tuned.
About the author
Jonathan Hassell is an author and consultant specializing in Windows administration and security. He is the author of Managing Windows Server 2003 and RADIUS, both published by O'Reilly & Associates, and Hardening Windows, published by Apress. He also holds periodic public seminars; see www.hardeningwin.com for details. He has written for Windows & .NET Magazine and WindowsITSecurity.COM and is a contributor to PC Pro, a leading computer magazine in the United Kingdom.