The Lazy Admin

Introduction to Remote Access Quarantine

Windows Server 2003 SP1 includes a new feature called Remote Access Quarantine. With RAQ you can specify a set of requirements that VPN clients must meet before they are given access to the network. If the client does not meet the requirements you set out, they will be denied access to the network.

With network administrators scrambling to ensure that computers on the LAN are patched and secure, managing users' home computers and traveling users' laptops is usually left to the user. Not all users are keen on keeping their PCs up to date, and they may be accessing your network from vulnerable computers. This in turn can lead to vulnerabilities on your network. Typically a client only needs to provide proper credentials to gain access to the network. With Remote Access Quarantine enabled, network administrators can control the access granted to VPN clients whose computers do not meet the specified requirements.

These requirements can include: 

  • Ensuring the latest service pack and/or security patches are installed. 
  • Ensuring the latest antivirus software and definitions are installed. 
  • Ensuring that a software firewall is installed and functional.

With RAQ configured, the logon is delayed until the configuration of the remote access computer has been examined and validated. Validation is performed with a script. When the remote computer initiates a connection to the VPN server, the user provides his/her credentials and is authenticated and the remote computer is assigned an IP address. At this point the remote computer is placed in the Remote Access Quarantine. While in the quarantine, network access is limited. Once the validation script is run on the remote computer, the script notifies the VPN server that the remote computer meets the specified requirements and it is removed from the quarantine.

While the remote computer is in the quarantine you can specify restrictions to place on the remote access connections. You can apply either of these restrictions: 

  • Packet filters to restrict the traffic that can be sent to and from the computers in the quarantine 
  • Session timer to restrict the length of time the quarantined clients can stay connected

In order to take advantage of this feature there are a few components required: 

  • The Remote Access Quarantine Service (RQS) running on the RRAS server that is listening for requests from the remote clients for removal of quarantine restrictions. 
  • A RADIUS server with a quarantine policy for applying IP filters or session timeouts to the remote connections. 
  • A configuration validation script to perform the validation checks that verify the remote access client meets the minimum security guidelines specified for accessing the corporate network. 
  • A Connection Manager profile configured to run the Remote Access Quarantine Client (RQC) as a Post-Connect action on the remote client computer. 
  • Remote access clients configured to run the Remote Access Quarantine Client and the validation script.
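The following is an added example of such a validation script, not code from the original post or from Microsoft. It assumes the Connection Manager profile passes the CMAK variables %DialRasEntry%, %TunnelRasEntry%, %Domain% and %UserName% as arguments, that RQS on the RRAS server listens on its default TCP port 7250, and that the KB number and script version string are placeholders to be replaced with your own policy values.

```batch
@echo off
rem quarantine.cmd - run by Connection Manager as a Post-Connect action.
rem Usage (CMAK action): quarantine.cmd %DialRasEntry% %TunnelRasEntry% %Domain% %UserName%
rem If every check passes, rqc.exe notifies RQS and the quarantine is lifted;
rem otherwise the connection stays in quarantine (packet filters / session timer apply).
setlocal
set DIALENTRY=%1
set TUNNELENTRY=%2
set RASDOMAIN=%3
set RASUSER=%4
set RQSPORT=7250
rem Must match a version string allowed on the RQS server, otherwise RQS rejects it.
set SCRIPTVERSION=RASQuarantine_v1

rem Check 1: the Windows Firewall service (SharedAccess on XP SP2) must be running.
sc query SharedAccess | find "RUNNING" >nul
if errorlevel 1 goto fail

rem Check 2: a mandated security update must be installed.
rem KBxxxxxx is a placeholder; substitute the hotfix your policy requires.
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KBxxxxxx" >nul 2>&1
if errorlevel 1 goto fail

rem Check 3: the antivirus engine's service must be running.
rem "AVService" is a placeholder service name for the installed product.
sc query AVService | find "RUNNING" >nul
if errorlevel 1 goto fail

rem All checks passed: ask RQS to remove this connection from quarantine.
rem rqc.exe syntax: rqc ConnName TunnelConnName TCPPort Domain Username ScriptVersion
rqc.exe %DIALENTRY% %TUNNELENTRY% %RQSPORT% %RASDOMAIN% %RASUSER% %SCRIPTVERSION%
goto end

:fail
echo This computer does not meet the remote access policy. The connection stays in quarantine.
rem Optional: drop the connection instead of leaving it quarantined until the session timer fires.
rem rasdial "%DIALENTRY%" /disconnect

:end
endlocal
```

Because the script runs on the client, treat it as advisory only: the real enforcement is the RADIUS quarantine policy (IP filters and session timeout) that RQS lifts, so keep the allowed script version list on the RQS server tight and the quarantine filters minimal.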

For more information see:

Network Access Quarantine Control in Windows Server 2003
Published Wednesday, December 14, 2005 6:30 AM by rodney.buike