Getting Clients Hotfixes
One way to make non-compliant clients compliant is to use a forced WSUS update. You can force WSUS updates by calling the command wuauclt.exe /detectnow (included in Listing 1). When you run this command, all updates on the WSUS server’s approved list are downloaded and installed.
Because clients are granted only a short time in quarantine, it makes little sense to download updates over the VPN connection. You can configure quarantined VPN clients to get their approved update list from the protected network, and you can configure the WSUS server to force the remote clients to download these updates from the Internet.
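The check-then-detect step described above, sketched as a Windows batch script. This is an added example, not the article's Listing 1; the server URL is a placeholder, and the registry values are the standard Windows Update policy settings that point a client at a WSUS server.

```batch
@echo off
rem Added example (not the article's Listing 1).
rem Confirms the client is policy-configured for the internal WSUS server,
rem then forces an update detection cycle.
setlocal

rem Placeholder: replace with the URL of your own WSUS server.
set "WSUS_URL=http://wsus.example.internal"
set "WU_KEY=HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"

rem WUServer holds the WSUS URL the client takes its approved list from.
reg query "%WU_KEY%" /v WUServer 2>nul | find /i "%WSUS_URL%" >nul
if errorlevel 1 (
    echo Client is not configured to use %WSUS_URL%
    exit /b 1
)

rem UseWUServer must be 1 or Automatic Updates ignores WUServer.
reg query "%WU_KEY%\AU" /v UseWUServer 2>nul | find "0x1" >nul
if errorlevel 1 (
    echo UseWUServer is not enabled
    exit /b 1
)

rem wuauclt needs the Automatic Updates service to be running.
sc query wuauserv | find "RUNNING" >nul
if errorlevel 1 net start wuauserv >nul
if errorlevel 1 (
    echo Could not start the Automatic Updates service
    exit /b 1
)

rem Force the client to check in with the WSUS server now.
wuauclt.exe /detectnow
exit /b 0
```

A non-zero exit code tells the calling script that the client is not set up to receive the approved update list, so it can stop before treating the client as compliant.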
Longhorn NAP
Longhorn Server introduces Network Access Protection (NAP), a technology that appears similar to NAQC but that enforces system health requirements differently. NAP is policy-based rather than script-based and applies to all network connections—not just those mediated by a remote-access server. NAP will replace NAQC in the next version of Windows. It isn’t reliant on the deployment of scripts to clients, so Longhorn’s NAP is also likely to be simpler to implement than Windows 2003’s NAQC.
Remote Challenge
Remote-access clients have always challenged administrators. Although NAQC reduces the chance that an infected remote-access client will get access to a protected network, it won’t eliminate the possibility. At this stage, the technology is complicated to implement; most organizations won’t implement it until it becomes simpler.