The Cable Guy - February 2003
Network Access Quarantine Control
Because typical remote access connections only validate the credentials of the remote access user, the computer used to connect to a private network can often access network resources even when its configuration does not comply with organization network policy. For example, a remote access user with valid credentials could connect to a network with a computer that does not have required anti-virus software installed on it. Or, a client computer with routing enabled might pose a security risk, providing an opportunity for a malicious user to access corporate network resources through the client computer, which has an authenticated connection to the private network. Despite the efforts made within organizations to ensure that computers used internally comply with network policy, those used from employee's homes for remote access can still present significant risk to the network.
Network Access Quarantine Control, a new feature in the Windows Server 2003 family, delays normal remote access to a private network until the configuration of the remote access computer has been examined and validated by an administrator-provided script. When a remote access computer initiates a connection to a remote access server, the user is authenticated and the remote access computer is assigned an IP address. However, the connection is placed in quarantine mode, with which network access is limited. The administrator-provided script is run on the remote access computer. When the script notifies the remote access server that it has successfully run and the remote access computer complies with current network policies, quarantine mode is removed and the remote access computer is granted normal remote access.
Network Access Quarantine Control is designed to prevent computers with unsafe configurations from connecting to a private network; not to protect a private network from malicious users who have obtained a valid set of credentials.
To understand the components of Network Access Quarantine Control and how it works, we will first review a normal Windows-based remote access configuration and then examine a quarantine configuration.
Components of Windows Remote Access
The following figure shows the components of Windows remote access when Remote Authentication Dial-In User Service (RADIUS) authentication is being used.
If your browser does not support inline frames, click here to view on a separate page.
This configuration consists of the following components:
Remote access clients
Computers running a Windows operating system that create either a dial-up or virtual private network connection to the remote access server. The remote access client can use either a manually-configured connection or a Connection Manager (CM) profile.
Remote access server
A computer running a member of the Windows 2000 or Windows Server 2003 families and the Routing and Remote Access service configured for the Windows or RADIUS authentication provider.
A computer running a member of the Windows 2000 or Windows Server 2003 families and the Internet Authentication Service (IAS).
For Windows 2000 or Windows Server 2003-based networks, Active Directory is used as the accounts database, which stores user accounts and their dial-in properties.
Remote access policy
On the remote access server running Routing and Remote Access or the IAS server, a remote access policy that provides authorization and connection constraints is configured for remote access connections.
Components of Network Access Quarantine Control
The following figure shows the components of Windows remote access for Network Access Quarantine Control when RADIUS is being used as the authentication provider.
If your browser does not support inline frames, click here to view on a separate page.
This configuration consists of the following components:
- Quarantine-compatible remote access clients
- Quarantine-compatible remote access server
- Quarantine-compatible RADIUS server (optional)
- Quarantine resources
- Accounts database
- Quarantine remote access policy
Quarantine-Compatible Remote Access Clients
The remote access client must be a computer running one of the following operating systems:
- Windows Server 2003
- Windows XP Professional
- Windows XP Home Edition
- Windows 2000
- Windows Millennium Edition
- Windows 98 Second Edition
These versions of Windows support CM profiles that are created with the Connection Manager Administration Kit (CMAK) provided in Windows Server 2003. The CM profile contains the following:
A post-connect action setting that runs a network policy requirements script.
This setting is configured when the CM profile is created with CMAK.
A network policy requirements script.
This script performs validation checks on the remote access client computer to verify that it conforms to network policies. It can be a custom executable file or as simple as a command file (also known as a batch file). When the script has run successfully and the connecting computer has satisfied all of the network policy requirements (as verified by the script), the script runs a notifier component (an executable) with the appropriate parameters and, optionally, copies the latest version of the script from a quarantine resource.
If the script does not run successfully, it should direct the remote access user to a quarantine resource such as an internal Web page, which describes how to install the components that are required for network policy compliance.
A notifier component
The notifier component sends a message that indicates a successful execution of the script to the quarantine-compatible remote access server. You can use your own notifier component or you can use Rqc.exe, which is provided with the Windows Server 2003 Resource Kit.
With these components installed, the remote access client computer uses the CM profile to perform its own network policy requirements check and indicate its success to the remote access server as part of the connection setup.
Note Because quarantine network access control introduces a delay in obtaining normal remote access, applications that run immediately after the connection is complete might encounter problems. One way to minimize the delay is to separate your script into two scripts: one that runs as a pre-connect action and one that runs as a post-connect action.
Quarantine-Compatible Remote Access Server
A quarantine-compatible remote access server requires the following:
A computer running a member of the Windows Server 2003 family and Routing and Remote Access, which support the use of a listener component and the MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout RADIUS vendor-specific attributes (VSAs) to specify quarantine settings.
A listener component
This component listens for messages from quarantine-compatible remote access clients, which indicate that their scripts have been run successfully. You can create your own custom listener component (matched with your own custom notifier component), or you can install the Remote Access Quarantine Agent service (Rqs.exe) from the Windows Server 2003 Resource Kit.
With these components installed, the remote access server computer uses quarantine mode for connecting remote access clients and listens for notifier messages, indicating that they have satisfied network policy requirements and can be taken out of quarantine mode.
Routing and Remote Access can be configured with either the Windows or RADIUS authentication provider. If Routing and Remote Access is configured with the Windows authentication provider, then quarantine-compatible RADIUS servers are not required and you configure the quarantine attributes for a remote access policy that is stored on the remote access server. The configuration shown in Figure 2 assumes that Routing and Remote Access is configured with the RADIUS authentication provider.
Quarantine-Compatible RADIUS Server (Optional)
If Routing and Remote Access on the remote access server is configured with the RADIUS authentication provider, a quarantine-compatible RADIUS server requires a computer running Windows Server 2003 and IAS, which supports the configuration of the MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout RADIUS vendor-specific attributes (VSAs) to specify quarantine settings for the quarantine-compatible remote access server.
Quarantine resources consists of servers that a remote access client in quarantine mode can access to perform name resolution (DNS servers) obtain the latest version of the script (file servers with anonymous access allowed) or instructions and components needed to make the remote access client comply with network policies (Web servers with anonymous access allowed).
Windows 2000 or Windows Server 2003-based networks, Active Directory is used as the accounts database to store user accounts and their dial-in properties. You can also use Windows NT 4.0 domains.
Quarantine Remote Access Policy
You need to configure a quarantine remote access policy with the required conditions for remote access connections, but with profile settings that can specify the MS-Quarantine-IPFilter or MS-Quarantine-Session-Timeout attributes (configured on the Advanced tab of the profile).
You can use the MS-Quarantine-IPFilter attribute to configure input and output packet filters to allow only the following:
- The traffic generated by the notifier component. If you are using Rqc.exe and its default port, then configure a single input packet filter to allow only traffic from TCP port 7250 and to TCP port 7250.
- The traffic needed to access the quarantine resources. This includes filters that allow the remote access client to access name resolution servers (such as Domain Name System [DNS]), file shares, or Web sites.
The packet filters configured for the MS-Quarantine-IPFilter attribute provide the quarantine of the remote access client traffic until the notifier component on the client indicates that the computer is in compliance with network policies.
You can use the MS-Quarantine-Session-Timeout attribute to specify how long the remote access server must wait to receive the notification that the script has run successfully before terminating the connection.
How Network Access Quarantine Control works
The following process describes how Network Access Quarantine Control works when the set of components in the previous figure are used:
- The user on the quarantine-compatible remote access client uses the installed CM profile to connect with the quarantine-compatible remote access server.
- The remote access computer passes its authentication credentials to the remote access server.
- The Routing and Remote Access service sends a RADIUS Access-Request message to the IAS server.
- The IAS server validates the authentication credentials of the remote access client and, assuming that the credentials are valid, checks its remote access policies. The connection attempt matches the quarantine policy.
- The connection is accepted with quarantine attributes. The IAS server sends a RADIUS Access-Accept message that contains the MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout attributes.
- The remote access client and remote access server complete the remote access connection, which includes obtaining an IP address and other configuration settings.
- The Routing and Remote Access service configures the MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout settings on the connection. At this point, the remote access client can only successfully send traffic that matches the quarantine filters and has up to the number of seconds specified in MS-Quarantine-Session-Timeout to notify the remote access server that the script has run successfully.
- The CM profile runs the network policy compliance script as the post-connect action.
- The administrator script runs and verifies that the remote access computer's configuration complies with network policy requirements. If the script runs successfully, it runs Rqc.exe, which sends a notification to the remote access server, indicating that the script was successfully run.
- The notification is received by the listener component (Rqs.exe). The notification traffic was allowed because it matched the traffic specified by the MS-Quarantine-IPFilter attribute.
- The listener component informs the Routing and Remote Access service, which removes the MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout settings from the connection and configures the normal connection constraints. At this point, the remote access client has normal access to the intranet.
Note If the notification sent by the remote access computer is not protected, it can be spoofed by a malicious user. To prevent the determination of the notification message, use encryption for both dial-up and VPN connections.
How to Deploy Network Access Quarantine Control
To deploy Network Access Quarantine Control for your remote access solution, complete the following steps:
- Create a notification component that provides verification to the remote access server that the remote access client computer complies with network policy requirements. If you do not want to create your own notification component, you can use Rqc.exe.
- Create a script that validates client configuration. If all of the verification checks of the script are successful, the script runs the notification component with the appropriate parameters.
- Create a listener component that receives the network policy compliance notification from the notification component. If you do not want to create a listener component, you can use Rqs.exe. Notification with Rqs.exe is signed using an encryption key. If you use Rqs.exe, you must decide on an encryption key for the notification. Rqs.exe can be configured to accept notification from old and newer encryption keys.
- Create a new quarantine CM profile with CMAK in Windows Server 2003. Configure a post-connect action to run the script with the required parameters. Include the script and the notification component in the profile.
- Distribute the CM profile for installation on remote access client computers.
- After the CM profile has been installed on remote access client computers, configure a quarantine remote access policy on your Routing and Remote Access or IAS servers.
Note Remote access clients that do not install the new CM profile are unable to obtain a normal remote access connection. They are placed in quarantine mode, and because they do not run the script or send the notification, are left in quarantine mode until the quarantine timer expires, at which time they are automatically disconnected.
For More Information
For more information about Windows remote access, consult the following resources:
- Virtual Private Networks Web site
- Internet Authentication Service Web site
- Managed Remote Access with the Connection Manager Components of Windows 2000 (September 2001 Cable Guy article)
- Networking and Communications Services Web site
For a list of all The Cable Guy articles, click here.