Server 2003’s Network Access Quarantine Control: What is it and How Does it Enhance Security?

Published on 26 May 2004 / Last Updated on 26 May 2004

Windows Server 2003 includes many new features designed to make your servers and networks more secure. One of the least understood is the new network access quarantine control feature. Even if you’ve heard of it, you might not know what it is or how it can be used to enhance your network’s security. Quarantine control is perhaps Server 2003’s least documented great new feature.

Despite its somewhat esoteric name, quarantine control works in a fairly straightforward manner and provides administrators a way to exert the same sort of controls over remote access clients that they have over computers on the internal LAN. In this article, we’ll take a look at exactly what network access quarantine control does, how it does it, and an overview of how you can use it to increase the security of your Windows remote access server and network.

What Does Quarantine Control Do?

Network Access Quarantine Control (NAQC) allows you to specify configuration conditions that computers accessing the network remotely must meet, and ensure that remote systems will not be given access until they’ve been checked to determine that they meet those conditions. What kind of conditions are we talking about? The same ones that can be enforced by policy on the internal network; for example, remote computers can be required to have a specific service pack level or updated security patches installed before being allowed access. Other conditions might include provisions that specific antivirus programs must be installed and virus definitions be up to date, that firewall software be enabled, that routing be disabled, and so forth.

How Does Quarantine Control Work?

When a remote computer dials in or connects via VPN to the Windows Server 2003 remote access server, by default only the user’s credentials (account name and password) are checked to determine whether access is granted. This means a computer that does not meet the network’s policy requirements could still connect to the RAS server and the network from a remote location. When quarantine control is deployed, after the user’s credentials are authenticated the connection is “quarantined.” In quarantine mode, the computer has an IP address and has limited access to some network resources (called quarantine resources) such as a DNS server and perhaps a file server or web server from which it can download files necessary to comply with the policies or where the user can get more information, but cannot access the rest of the network.

In order to use quarantine control, the Windows Server 2003 RAS server has to be configured with a “listener” component (typically the Rqs.exe file from the Windows Server 2003 Resource Kit) and the MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout vendor-specific attributes. A RADIUS server is optional. A quarantine remote access policy must be configured with the conditions that remote clients are required to meet.

In addition, the remote clients must be running one of the following operating systems: Server 2003, XP Professional or Home, Windows 2000 Pro or Server, Windows 98SE or Windows ME. The client must connect using a Connection Manager profile that is specially configured to run a script (as a post-connection action) that checks the computer’s configuration for policy compliance. The script is an .exe or batch file. The CM profile also contains a “notifier” (typically the Rqc.exe file from the Windows Server 2003 Resource Kit). This program notifies the Windows Server 2003 remote access server’s listener component that the script has run and found the client to be in compliance. The remote access server then grants full access.

NOTE: If you have remote clients that are not able to use Connection Manager (for example, Windows 95 clients) or that you want to exempt from the quarantine policy, you’ll need to create separate groups for quarantine and non-quarantine clients. You can then configure a remote access policy that doesn’t use quarantine restrictions and apply it to the non-quarantine group. Also note that wireless clients can’t be quarantine clients.

If the client is not in compliance, the script can send the user to a web page that contains instructions on how to come into compliance, and the user can access the file server that has been made a quarantine resource for the files needed to comply. These quarantine resources (DNS, WINS, web and/or file servers that are available to quarantined computers) are specified by configuring separate packet filters in the quarantine remote access policy, or by placing all quarantine resources on their own subnet and configuring one input or output filter for all the resources.

How Do You Use It?

Beware – deploying NAQC is not for the faint of heart. You’ll need a good understanding of remote access services, you’ll need to know how to use the Connection Manager Administration Kit (CMAK) to create client connection profiles, and you’ll need some knowledge of scripting to create the scripts or batch files that run to check for compliance with your policies. Here are the steps required to use quarantine control:

  1. First, you need to create the quarantine resources that will be available to your remote clients that are in a quarantined state and configure packet filters to allow access.
  2. Create the script that will be run by the Connection Manager profile to verify that the remote clients meet the policy conditions.
  3. Configure the Windows Server 2003 RAS servers by installing the Rqs.exe listener (or your own listener component), using Rqs_setup.bat from the Resource Kit.
  4. Configure a profile for Connection Manager (using CMAK) that runs the script as a post-connect action and contains the notifier (Rqc.exe or your own) as an additional file.
  5. Install the CM profile (which is an executable file) on the remote client systems that will be quarantine clients. You should also place the profile on the web site that is a quarantine resource so clients that are quarantined can download the latest profile.
  6. Create a quarantine remote access policy, using the RRAS console (or the IAS console for RADIUS/IAS servers). The policy needs to have the MS-Quarantine-Session-Timeout and MS-Quarantine-IPFilter attributes added on the Advanced properties sheet of the policy profile.

The above is an overview of the steps required to set up NAQC. For more detailed instructions, see the white paper (a downloadable Word document) on the Microsoft web site at: http://www.microsoft.com/windowsserver2003/techinfo/overview/quarantine.mspx. The paper contains a sample script and instructions for alternate configurations.
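The following Python model is an added example, not code from this article, the white paper or the Resource Kit. It walks through the lifecycle described above: an authenticated connection starts in quarantine behind a packet filter, the client-side script calls the notifier only when every policy check passes, and a session that stays quarantined past the timeout is dropped. The addresses, port, timeout value, check names and all class and function names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample values; none of them come from the article.
QUARANTINE_FILTER = [            # stand-in for the MS-Quarantine-IPFilter attribute
    ("10.0.9.10", "udp", 53),    # DNS server (quarantine resource)
    ("10.0.9.20", "tcp", 80),    # web server with compliance instructions
    ("10.0.9.30", "tcp", 445),   # file server with patches and the CM profile
    ("10.0.9.1", "tcp", 7250),   # listener on the RAS server (assumed port)
]
QUARANTINE_TIMEOUT = 120         # stand-in for MS-Quarantine-Session-Timeout, in seconds


@dataclass
class RemoteSession:
    connected_at: float
    state: str = "quarantined"   # entered once the user's credentials are authenticated

    def tick(self, now):
        """Drop a session that is still quarantined when the timeout expires."""
        if self.state == "quarantined" and now - self.connected_at >= QUARANTINE_TIMEOUT:
            self.state = "disconnected"
        return self.state

    def notify(self, now):
        """Listener side: the notifier reports that the script found the client compliant."""
        if self.tick(now) == "quarantined":
            self.state = "full_access"
        return self.state

    def allows(self, now, dst_ip, proto, port):
        """Packet filter decision for traffic from this client."""
        state = self.tick(now)
        if state == "full_access":
            return True
        if state == "disconnected":
            return False
        # Quarantined: default deny, only the quarantine resources are reachable.
        return (dst_ip, proto, port) in QUARANTINE_FILTER


def post_connect_script(session, now, checks):
    """Client side: evaluate the policy checks and run the notifier only if all pass."""
    failed = [name for name, ok in checks.items() if not ok]
    if not failed:
        session.notify(now)
    return failed   # non-empty: send the user to the instructions web page
```

A client that fails a check keeps its quarantine filter and can still reach the file and web servers to fix the problem, but only until the timeout expires.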

Summary

Network Access Quarantine Control is a powerful new tool for your security arsenal, but deployment is not a matter of just clicking a few checkboxes. It’s a complex process that involves creating quarantine resources, writing a script to check the configuration of the remote machines, installing a listener on the Windows Server 2003 remote access server, using the CMAK to create a Connection Manager profile that includes the script and notifier and installing it on the client computers, and creating a quarantine remote access policy. However, if you can get through all the steps, NAQC can give you more control than ever over your remote access systems, ensuring that they comply with policies governing the condition of computers allowed to connect to your network.
