January 18, 2005 12:00 AM

Setting Up Network Access Quarantine Control

Ensuring client health
Windows IT Pro
InstantDoc ID #44950

Creating the Quarantine Script
The quarantine script is an administrator-created script that runs on the client and verifies that the client meets your company's security policy requirements. A significant shortcoming of Network Access Quarantine Control is that you must build these client-side scripts yourself for your environment; nothing ships ready to use. Fortunately, Microsoft provides some sample scripts you can use as a model. You can download the scripts from http://www.microsoft.com/downloads/details.aspx?familyid=a290f2ee-0b55-491e-bc4c-8161671b2462&displaylang=en.

The quarantine script contains one or more executables, DLL files, batch files, or scripts that you create to enforce your company quarantine policy. The script also contains the quarantine policy requirements that you want the client to meet to be allowed to connect to the network. Here are some requirements you might want to include:

  • The system is up-to-date with hotfixes and service packs.
  • Antivirus software has the most recent set of signatures.
  • The client has a personal firewall installed and properly configured.
  • The system isn't vulnerable to a specific 0-day exploit.
  • A specific application is installed or a certain executable is running.
  • Registry settings match recommended values.
The essential element of the quarantine script is the return call to the Remote Access Quarantine Agent service on the RRAS server; that call is what lifts the quarantine. To make the return call, the script runs rqc.exe with the following syntax:

    rqc.exe <ConnName> <TunnelConnName> <TCPPort> <Domain> <Username> <ScriptVersion>

where

  • ConnName is the name of the remote access connection on this host.
  • TunnelConnName is the name of the tunnel connection on this host.
  • TCPPort is the TCP port used to send the notification message. The default TCP port is 7250.
  • Domain is the domain of the connecting user.
  • Username is the username of the connecting user.
  • ScriptVersion is a text string that contains the script version. The RRAS server checks this string, so a client running an out-of-date script stays quarantined even if every other check passes.

You also need to consider what actions a client might need to take while quarantined. For example, you might want to allow access to a Web or file server that holds instructions and the files necessary for meeting policy requirements. You might also need to provide a way to download newer versions of the quarantine script, because failing the version check keeps the connection quarantined. For example, your script could check an HTTP server for a newer version of itself and update before running its checks. You can add as many functions as you want to your script, depending on company policy, as long as every resource the script needs while quarantined is reachable through the quarantine filters.

Keep in mind that quarantine scripts simply verify client health and are by no means a strong security measure. Network Access Quarantine Control protects you from users who inadvertently cause problems, such as spreading worms because their machines lack the latest hotfixes, but it provides little protection against malicious users who hold valid credentials on your network. Because the script runs on the client, you should assume that such a user can modify the script, or simply run rqc.exe by hand, to falsely report compliance. Nevertheless, requiring compliance with network security policies makes connecting users less likely targets for attackers.

Creating the Connection Profile
Next, you use CMAK to create the quarantine connection profile that clients will use to connect to your network. (See "Access Denied: Requiring VPN Users to Run Certain Software," August 2004, InstantDoc ID 43098, for information about installing CMAK.) The CMAK Wizard walks you through the steps to create the profile. A quarantine connection profile is like any other client-connection profile, except that it contains a custom action that runs the quarantine script after the connection is established. You add this action on the wizard's Custom Action page: for the Action type, select Post-connect, then click New. Figure 1 shows the New Custom Action dialog box, in which you enter the name of the quarantine script and the parameters to pass to it. You use the parameters to pass connection information that your script needs during verification. Table 1 lists the connection variables you can pass to the script. Some of these are required, because your script must hand them back to the RRAS server: in particular, you need %DialRasEntry%, %TunnelRasEntry%, %Domain%, and %UserName%, which supply the ConnName, TunnelConnName, Domain, and Username parameters of rqc.exe.

Select the Include the custom action program with this service profile check box to include your script in the profile automatically. If your client verification involves several files, such as helper executables your script calls, you must include them in the Additional Files section of the wizard. When you finish creating the profile, the wizard compiles it into an executable that you distribute to and install on remote clients.
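Here is a complete quarantine script of the kind described under Creating the Quarantine Script, wired to the CMAK post-connect custom action just described. It is an added example written for this article, not one of Microsoft's sample scripts. It assumes the custom action runs it with the parameters %DialRasEntry% %TunnelRasEntry% %Domain% %UserName% (in that order), that rqc.exe was included in the profile and is on the client's PATH, and it uses a hypothetical required hotfix ID, a hypothetical antivirus service name, and a hypothetical remediation URL that you would replace with your own. The hotfix and firewall checks read registry locations used by Windows XP (SP2 for the firewall value); adjust them for other client versions.

```batch
@echo off
rem quarantine.cmd -- client-side quarantine script (added example, not
rem Microsoft's sample). The CMAK post-connect custom action runs it as:
rem   quarantine.cmd %DialRasEntry% %TunnelRasEntry% %Domain% %UserName%
rem so %1..%4 supply the ConnName, TunnelConnName, Domain and Username
rem parameters of rqc.exe. Assumes rqc.exe is on the client's PATH.
setlocal

set "CONNNAME=%~1"
set "TUNNELNAME=%~2"
set "USERDOM=%~3"
set "USERNAM=%~4"
set "RQC_PORT=7250"
set "SCRIPTVERSION=1.0"
rem Hypothetical values: replace with your own policy and servers.
set "REQUIRED_KB=KB000000"
set "AV_SERVICE=HypotheticalAVService"
set "HELP_URL=http://remediation.example.com/quarantine.htm"

if "%CONNNAME%"=="" (
  set "REASON=No connection name supplied; check the CMAK custom action parameters"
  goto fail
)

rem Check 1: required hotfix. Windows XP records each installed hotfix as a
rem subkey under HotFix; reg query returns errorlevel 1 if the key is absent.
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\%REQUIRED_KB%" >nul 2>&1
if errorlevel 1 (
  set "REASON=Required hotfix %REQUIRED_KB% is not installed"
  goto fail
)

rem Check 2: Windows Firewall enabled for the standard profile (XP SP2 value).
rem The value can be absent on a default install, where the firewall is on;
rem this sample deliberately treats absence as a failure so the state is explicit.
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall 2>nul | find "0x1" >nul
if errorlevel 1 (
  set "REASON=Windows Firewall is not enabled"
  goto fail
)

rem Check 3: antivirus service running (sc reports STATE ... RUNNING).
sc query "%AV_SERVICE%" | find "RUNNING" >nul
if errorlevel 1 (
  set "REASON=Antivirus service %AV_SERVICE% is not running"
  goto fail
)

rem All checks passed: send the notification to the Remote Access Quarantine
rem Agent on the RRAS server. The server compares SCRIPTVERSION with the
rem versions it accepts; a stale script stays quarantined.
rqc.exe "%CONNNAME%" "%TUNNELNAME%" %RQC_PORT% "%USERDOM%" "%USERNAM%" %SCRIPTVERSION%
if errorlevel 1 (
  set "REASON=RRAS did not accept the notification; script version %SCRIPTVERSION% may be out of date"
  goto fail
)
echo Client passed all quarantine checks; quarantine lifted.
endlocal
exit /b 0

:fail
echo Quarantine check failed: %REASON%
rem Show the user what to fix. The quarantine IP filters must permit HTTP to
rem this server or the page will not load.
start "" "%HELP_URL%"
endlocal
exit /b 1
```

Every failure routes to the single :fail label, which opens the remediation page; that only works if the quarantine IP filters you configure on the RRAS server allow HTTP to that server. The tamper caveat above still applies: a user with local administrator rights can edit this file or run rqc.exe by hand, so these checks keep honest clients healthy but do not stop a determined insider.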

Configuring RRAS
RRAS enforces the quarantine based on a remote access policy that you create with the RRAS New Remote Access Policy Wizard. To turn a remote access policy into a quarantine policy, follow the steps for creating a standard policy, then add the MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout attributes on the Advanced tab of the policy's Profile Properties page. The IP filter restricts what a quarantined client can reach; the session timeout disconnects a client that hasn't sent the notification within the time limit, so set it long enough for your script to finish its checks.

Next, add an inbound RRAS filter that allows incoming connections to TCP port 7250 on the wizard's IP Filter Attribute Information page. This filter lets the client-side rqc.exe reach the Remote Access Quarantine Agent service; without it the notification never arrives and every client stays quarantined until the session timeout expires. While quarantined, the client can send only traffic that matches these filters, so depending on your network configuration you might also need filters that allow DNS, DHCP, WINS, HTTP, or file-sharing traffic to the servers that host your remediation instructions and updates.

Quarantine Limitations
Network Access Quarantine Control can be a useful defense for keeping unhealthy clients off your network, but it has limitations. The most obvious is that creating verification scripts is a manual and time-consuming process. Another is that Network Access Quarantine Control relies on a specific set of Microsoft technologies: it doesn't integrate with third-party products and requires that the client run a Windows OS. You can, however, create policy exemptions that let certain users access the network and bypass the quarantine, at the cost of leaving those connections unchecked.

The most important limitation is that Network Access Quarantine Control controls only RAS connections; it has no control over LAN, wireless, or other non-RAS connections. This situation will change in future versions of Windows with the introduction of Network Access Protection (NAP).

NAP will be a feature in Longhorn, the next major Windows version. NAP improves on Network Access Quarantine Control by providing GUI-based administration and interoperability with products from companies such as Cisco Systems, Citrix Systems, McAfee, Symantec, and others. NAP will also work with all types of network connections, including LAN and wireless connections.

Although NAP won't be available anytime soon, Network Access Quarantine Control is here now and is better than nothing, especially for remote users with machines that you can't control. With careful planning and a solid quarantine strategy, Network Access Quarantine Control can be a worthwhile line of defense against the threats facing your network.

Comments
• CHAD
  Jan 21, 2005

  The idea here is great, but not a single business I know of or have worked for uses RRAS for remote access. Most use hardware firewalls with VPN capabilities or dedicated hardware VPN devices. That makes the whole thing pretty much impractical. It would be great if Microsoft could develop this to work with such devices. Sounds like we'll have to wait for Longhorn for that, though.
