SolutionBase: Making telecommuting safer with Quarantine Mode

Roaming users present additional security challenges for a network administrator. Windows Server 2003 introduces Quarantine Mode, which you can use to make sure a remote computer is properly configured before it can access the network.

A few months ago, I was visiting a friend who was telling me about some of the remote access problems on his network. He had worked diligently to ensure that the network was as secure and stable as possible. Unfortunately, there were several users who would frequently dial into the network's remote access server while away from the office. Although the server was secure, the users would often connect from machines that were anything but secure. In one incident, a woman dialing into the network had a machine that was infected with viruses because her computer wasn't running any antivirus software. Although no harm came to my friend's network, he wished there was a way to make sure that remote users were dialing in using machines that were as safe and secure as those that were physically attached to the network.

One of the nice new features in Windows Server 2003 is something called Quarantine Mode. Quarantine Mode is a mechanism by which remote users' computer configurations can be verified prior to giving them access to the corporate network.

For example, suppose for a moment that users didn't have antivirus software loaded on their machines. They could dial into the network and be authenticated. Once they are authenticated, their connection would be quarantined until Windows Server 2003 could verify that the necessary antivirus software was installed. In this case, since no antivirus software exists, the software could be pushed to the user's machine and, only after the software was installed, would the remote user ever be given access to the corporate network.

What Quarantine Mode isn't
As you can see, Quarantine Mode offers a way of protecting your network against legitimate users who have poorly configured PCs. It is not, however, a mechanism for securing the network against malicious users who have obtained a set of valid credentials.

The normal method of remote access
In order to fully understand how Quarantine Mode differs from a normal remote access session, let's briefly recap how remote access occurs in a Windows/RADIUS environment. You'd configure a remote access server based on Windows 2000 Server or Windows Server 2003 running the Routing and Remote Access Service (RRAS) to use RADIUS for authentication.

The process begins when a Windows client connects to the remote access server by using either a dial-up or a VPN session. The remote access server would then hand the user's credentials off to a Windows 2000 or 2003 server running IAS (Internet Authentication Service). IAS is Microsoft's implementation of a RADIUS server. The IAS server would validate the authentication and pass the user's remote access policy back to the remote access server. At this point, authentication is complete and the user is given access to the private network as specified by Active Directory.

How quarantine control works
There are several differences when you use Quarantine Mode. The first major difference is with the remote access client. The client computer must be quarantine compatible. Only the following operating systems are quarantine compatible:
  • Windows 98 Second Edition
  • Windows Me
  • Windows 2000
  • Windows XP (both Home and Professional)
  • Windows Server 2003

The client machine must also have a Connection Manager Profile installed, and the profile must be configured to connect with the remote access server. I will talk more about the Connection Manager Profile later on.

As with a normal remote access session, the remote client initially makes a connection to a remote access server. The difference here, though, is that the remote access server must be running Windows Server 2003. Furthermore, the remote access server must be equipped with a component called a listener. A listener is a component that listens for script-related messages from the remote clients.

Although it is possible to create your own custom listener and notifier components, Microsoft provides these components for you in the Windows Server 2003 Resource Kit. The listener is included in the resource kit as the Remote Access Quarantine Agent Service (RQS.EXE).

Once the connection has been established, clients enter their authentication credentials. These credentials are then passed on to a RADIUS server. In this case, though, the RADIUS server is a Windows Server 2003 machine running the IAS service. Windows Server 2003 is required because the RADIUS server needs to be quarantine aware.

After the RADIUS server validates the remote user's credentials, it checks the user's remote access policy. The quarantine policy is actually a part of the remote access policy. This means that when the RADIUS server accepts the connection, it can also pass the various quarantine attributes back to the remote access server. Specifically, this means that the IAS service passes a RADIUS Access-Accept message back to the remote access server and the message also has the MS-Quarantine-IPFilter and the MS-Quarantine-Session-Timeout attributes set.

When the remote access server has received the OK from the RADIUS server, it completes the connection with the client. This means that it assigns the client an IP address and other TCP/IP configuration if necessary. Of course, if the remote client is attaching through a VPN connection, then the client would not need to be assigned an IP address, so this step would not apply.

The next step in the process is that the remote access server will act on the two quarantine-related attributes that the RADIUS server has sent to it. The MS-Quarantine-IPFilter attribute prevents the client from being able to send any unauthorized types of packets to the remote access server while in quarantine. The MS-Quarantine-Session-Timeout attribute tells the remote access server how many seconds the client has in which to report that the script has completed successfully.

Once these two attributes have been issued, the Connection Manager profile launches the network policy compliance script. This script serves as a post-connection audit. Remember that the remote user has already been authenticated. Therefore, this script isn't there to verify the user's identity, but, rather, to make sure that the user's computer complies with the network security policy.

After the network policy compliance script finishes running, it executes a file named RQC.EXE. This file causes the client to send an acknowledgement to the server indicating that the script has run successfully. The acknowledgement is picked up by the listener on the server (RQS.EXE).

Keep in mind that, up to this point, the remote access server is still blocking most types of packets from the client. The only reason that the client is able to send an acknowledgement to the listener is because the quarantine filter is configured to allow this packet to pass through.

When the listener receives the acknowledgement packet, it informs the remote access server. The remote access server then removes the MS-Quarantine-IPFilter and the MS-Quarantine-Session-Timeout attributes. Now that these attributes have been removed, the connection is released from quarantine and the connection functions just like any other remote access connection.

If the script fails to validate the client's configuration, RQC.EXE would never be run, because the script was unable to complete successfully. In this case, the client would remain in Quarantine Mode until the session timeout counter expired, at which point the session would be disconnected.

Deploying a quarantine
The actual process of deploying Quarantine Mode is fairly straightforward. The process basically involves installing RQS.EXE on the server and then creating a script that the clients will run to validate their configuration. The script should be designed in such a way that when the script completes and confirms that the client computer is configured correctly, the script would call the RQC.EXE file. You must then create a Connection Manager profile that forces your remote clients to run the script upon connection to the remote access server.

The RQC.EXE and RQS.EXE files are both included in the Windows Server 2003 Resource Kit tools. You can download these tools directly from Microsoft. Although scripting is beyond the scope of this article, the next section explains how to create the Connection Manager profile for your remote clients.
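Since the article leaves the compliance script itself out of scope, here is an added example of what such a script can look like; it is not code from the original article or from Microsoft. It is a Windows 2000/XP cmd.exe batch file that runs as the CMAK Post-Connect custom action, performs two placeholder checks (that an antivirus engine and its signature file exist at assumed paths), and only if both pass calls RQC.EXE to notify the listener. The RQC.EXE argument order (connection name, tunnel connection name, TCP port, domain, user name, script version), the default RQS listener port 7250, and the CMAK substitution variables %DialRasEntry%, %TunnelRasEntry%, %Domain% and %UserName% are taken from the Resource Kit documentation and are assumptions here; the script version string must be one the listener has been configured to accept. The log file path and the antivirus paths are constructed placeholders.

```batch
@echo off
rem Added example network policy compliance script (not from the original article).
rem Runs as a CMAK Post-Connect custom action with "Program Interacts With The User" cleared.
rem Assumed CMAK custom action parameters:
rem   quarantine.cmd %DialRasEntry% %TunnelRasEntry% %Domain% %UserName%
setlocal

rem ---- Settings (placeholders: adjust for your environment) ----
set RQS_PORT=7250
set SCRIPT_VERSION=Version1
set AV_ENGINE=C:\Program Files\ExampleAV\engine.exe
set AV_SIGNATURES=C:\Program Files\ExampleAV\signatures.dat
set LOGFILE=%TEMP%\quarantine.log

echo %DATE% %TIME% compliance check started for connection "%1" >> "%LOGFILE%"

rem ---- Check 1: antivirus engine must be installed ----
if not exist "%AV_ENGINE%" (
    echo %DATE% %TIME% FAIL: antivirus engine not found at "%AV_ENGINE%" >> "%LOGFILE%"
    goto noncompliant
)

rem ---- Check 2: signature file must be present ----
if not exist "%AV_SIGNATURES%" (
    echo %DATE% %TIME% FAIL: signature file not found at "%AV_SIGNATURES%" >> "%LOGFILE%"
    goto noncompliant
)

rem ---- All checks passed: notify the listener (RQS.EXE) on the remote access server ----
rem The quarantine IP filter only lets this notification through; everything else is still blocked.
rqc.exe %1 %2 %RQS_PORT% %3 %4 %SCRIPT_VERSION%
if errorlevel 1 (
    echo %DATE% %TIME% FAIL: rqc.exe could not notify the listener, exit code %ERRORLEVEL% >> "%LOGFILE%"
    goto rqcfailed
)
echo %DATE% %TIME% OK: client reported compliant, quarantine should be lifted >> "%LOGFILE%"
endlocal
exit /b 0

:noncompliant
rem Deliberately do NOT run rqc.exe: the session stays quarantined until
rem MS-Quarantine-Session-Timeout expires and the server disconnects it.
endlocal
exit /b 1

:rqcfailed
rem The checks passed but the acknowledgement never reached RQS; the session
rem will also time out, so the log line above is what to look at when troubleshooting.
endlocal
exit /b 2
```

Two design points are worth noting. The script never calls RQC.EXE on a failed check, which is what keeps a non-compliant client inside the quarantine filter until the session timeout disconnects it; and every branch writes a line to a local log, because while the client is quarantined there is no network path for it to report anything else, so the log is the only record the help desk will have of why a connection was dropped.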

The Connection Manager
In order for Quarantine Mode to work, you must have a Connection Manager profile installed on all of your remote access computers. You can create this profile through the Connection Manager Administration Kit. This kit is part of Windows Server 2003.

To install the CMAK, open the Control Panel and double-click the Add/Remove Programs icon. When you do, you will see the Add/Remove Programs dialog box. Click the Add/Remove Windows Components button to open the Windows Components Wizard. Select Management And Monitoring Tools from the list of components, and click the Details button. Now, select the Connection Manager Administration Kit option and click OK, followed by Next. Windows will install the necessary files, which consume just over 6 MB of disk space. When installation completes, click Finish to close the wizard.

Now, you must use the CMAK to create a Connection Manager profile for your remote users. You can access the CMAK from the Administrative Tools menu. When you select the Connection Manager Administration Kit menu option, Windows will launch the CMAK Wizard. Click Next to bypass the wizard's Welcome screen.

At this point, the wizard will ask you if you want to create a new profile or use an existing profile. Select the New Profile option, and click Next. The wizard will prompt you to enter a Service Name and a file name. The Service Name is just the friendly name of the profile. For example, you might use the name of your company. The file name is the name that the files and folders making up the profile will use. Enter this information, and click Next.

The next screen asks you if a realm name will be required. A realm name is a prefix or a suffix that is appended to the connection. For example, POSEY/ or would be examples of realm names. In many cases, though, a realm name is unnecessary. Enter a realm name if necessary, and click Next.

The following screen asks you if you want to merge an existing profile into the new profile. This allows you to copy access phone numbers from another profile. Since this is the first profile that we've created, there is nothing to merge. Click Next to continue.

The following screen asks if you want the connection to automatically establish a VPN connection after a phone number is dialed. For our purposes, just click Next. Windows will now ask you for the name of a phone book file that contains all of the various access numbers. Since we haven't created a phone book, just clear the Automatically Download Phonebook Updates check box, and click Next.

At this point, you will see the Dial Up Networking Entries screen. This screen should list the service name that you specified earlier. By default, the Connection Manager is configured to obtain an IP address for the connection from a DHCP server. If that isn't the desired operation, then just select the service name and click the Edit button. Otherwise, just click Next.

You will now see a screen that asks if you want to modify the routing table. Make sure that Do Not Change The Routing Table is selected, and click Next. The next screen will ask if you need to configure proxy settings. Unless you have a Proxy Server to pass through, select Do Not Configure Proxy Settings, and click Next.

The next screen that you will see is the Custom Actions screen. Here, you must click the New button to create a new custom action. When you do, you will see a screen that asks for the description of the action, the program to run, and the action type. Enter a description and then enter the name of your client validation script, along with any necessary parameters. You must set the Action Type to Post-Connect, and you must deselect the Program Interacts With The User check box. You can see an example of this screen shown in Figure A.

Figure A
Enter the information pertaining to your quarantine script.

Click OK, followed by Next, and you will see a screen asking for the Logon Bitmap. Although you can create a custom bitmap, just accept the default for now, and click Next. You will now be asked which phonebook graphic you want to use. Again, select the default, and click Next. You are now given the option of specifying a custom icon. Accept the default, and click Next.

You will now see a screen that you can use to create a shortcut menu item for the profile that you are creating. Just click Next to bypass this option, and click Next again to use the Default Help file. The next screen asks for the information that you want displayed in the Support section. Enter the phone number for your help desk, and click Next.

The following screen asks if you want Connection Manager 1.3 installed along with the profile. This version of Connection Manager is required for Quarantine Mode to work properly, so make sure that the check box is selected before clicking Next.

On the following screen, enter the name of the text file containing the license agreement that you want to display (if any), and click Next. Windows will now ask you for any additional files that you want to include in the profile. Add the RQC.EXE file to the profile, and click Next. Click Next, followed by Finish to create the profile.

Your new profile is now created in the \Program Files\CMAK\Profiles folder. You must distribute this profile to all remote access clients who will be using Quarantine Mode.