A few months ago, I wrote an article about a Windows Server
2003 feature called Quarantine
. In case you aren’t familiar with it, Quarantine Mode allows you to
verify that network clients are running an updated configuration prior to
allowing them access to the network. For example, when a client attempts to
access the network, you could run a check to make sure the client has the
latest operating system, service packs, hot fixes, and antivirus signatures. If
everything checks out okay with the client computer, it’s granted access to
the network in the usual manner. If the validation check fails, however, the
client is given access only to the network’s quarantine area. Typically, the
quarantine area won’t allow users to do anything except update their
computers. Once the update is complete, the workstation is allowed to
access the rest of the network. As I’ll explain in this article, Windows
Server 2003 R2 extends this concept a bit further.

Why quarantine?

Right now, you might be thinking that since you’re running SMS Server or the Windows update services, all of your workstations
are up to date, so there’s no need to use this technology. However, your
desktop computers aren’t really the problem. It’s relatively easy to keep a
desktop up to date. The problem lies with mobile and remote users. For example,
mobile users aren’t constantly connected to your network, so they might miss
the latest round of software updates. During that time, mobile users could
potentially plug their laptop into someone else’s network or into a home network
and expose it to a virus or other form of malware in the process.

Another risk is computers that don’t belong to the company.
For example, how many times has a consultant or an auditor brought in his own
laptop and asked to connect to the corporate network to get access to the
Internet? Likewise, how many users sometimes dial into your network or connect
to it through a VPN from a home machine? In both cases, you’re allowing people
to connect to your network using computers that you have no control over. Doing
so could greatly undermine your network’s integrity.

It would be really nice to be able to enforce a minimum security
configuration for everyone who wants to connect to your network, but this isn’t always practical. For example, if one of the things you’re checking
for is to make sure that workstations have the correct antivirus definitions,
think how many licenses you would burn through if you issued an antivirus
license to everyone who ever connected to your network. To get around this
problem, you’d typically define which computers do and do not belong to the
company. If a system does belong to the company, but fails a minimum security
requirement check, you’d go ahead and update that system. If a system
failed the check, but the machine didn’t belong to the company, you could
isolate that computer so that it couldn’t access anything but the Internet.

Simplifying Quarantine Mode

As you can see, Quarantine Mode technology can really help
you guarantee your network’s integrity. But if this technology is so great,
why isn’t everyone using it? Well, as it exists currently, implementing
Quarantine Mode is extremely complicated. It requires a lot of servers running
specialized roles, and it also requires your development team to custom-write a
lot of scripts that control the quarantine operations. This is where Network
Access Protection (NAP) comes in.

Microsoft will soon be releasing a revised version of
Windows Server 2003, currently code-named R2. In R2, Quarantine Mode has been
replaced by NAP. NAP is designed to make Quarantine Mode easier to implement.
Don’t let that statement fool you, though. Even NAP doesn’t offer a simple
point-and-click implementation. It does, however, greatly reduce the
complexities involved in deployment.

Some terms to know

Before I can explain exactly how NAP works, there are a few
terms and concepts that you need to know. First, there are two different Quarantine
Modes that NAP can use: DHCP quarantine and VPN quarantine. As the name
implies, a DHCP-based quarantine works by integrating a quarantine enforcement
component into a DHCP server. When clients try to lease or renew an IP address,
the DHCP server performs the check to see if the client needs to be
quarantined. The biggest advantage to using DHCP-based quarantine is that it’s easy
to check the security of every system on your network. The downside is that a
DHCP-based quarantine isolation is not as protected as a VPN-based quarantine.
A VPN-based quarantine provides much stronger protection than DHCP, but it’s
more complex to configure and applies only to machines requesting a VPN

Another concept that you need to be familiar with is that
NAP uses a hierarchical approach for determining whether a system needs
to be quarantined. As I explained earlier, there are typically a number of
criteria that you’ll test for when deciding whether to allow a machine
access to the network. For example, you might test for the operating system
version, the service pack version, and the version of the antivirus
definition file. There isn’t a single module that tests all of these different
aspects. Instead, NAP uses an individual System Health Agent (SHA) for each
component being checked.

The System Health Agent’s job is to send a Statement of
Health (SoH) to the appropriate System Health Validator (SHV). The SHV compares
the Statement of Health against the quarantine policy to see if that particular
aspect of the system’s configuration is compliant with the network security
policy. The System Health Validator then sends the yes / no verdict to the
quarantine server. It’s the quarantine server’s job to coordinate the responses
from each of the SHVs and determine whether the machine should be

A DHCP quarantine

Now that you know the basics of how a quarantine works,
let’s take a more detailed look at how a DHCP quarantine works. The process
begins when a client computer boots up and requests an IP address from a DHCP
server. If this is the first time that the client has attached to the network
since the quarantine server was put into place, the client will not have a
Statement of Health available, and will therefore be forced into Quarantine
Mode. The DHCP server implements Quarantine Mode by reserving a special subnet
for quarantined machines rather than assigning the machines an IP address
within the subnet used by the rest of the network.

The now quarantined client then uses a quarantine agent that
has been installed onto it to contact an SMS server that is accessible from
within the quarantine subnet. The SMS server then deploys the required updates
to the quarantined client, thus bringing it into compliance with the network
security policy. Once the client has been updated, the client’s Statement of
Health is created. If a Statement of Health had previously existed for the
client, it would simply be updated once the SMS server had deployed the
necessary software. Keep in mind that in a production environment, there would
likely be multiple Statements of Health that would need to be created or
updated, but for the sake of simplicity, this example assumes only one criterion
is being tested.

The newly updated client then sends a request for an IP
address to the DHCP server. The client incorporates its Statement of Health
into the request. The System Health Validator then confirms the validity of the
Statement of Health and passes a message to the DHCP quarantine server
indicating that the client meets network security requirements. The client is
then allowed to access the network in the normal manner.

A VPN quarantine

Now let’s look at how a VPN quarantine works. For
demonstration purposes, we’ll again assume that only a single criterion is
being tested. Although a VPN quarantine is more complex than a DHCP quarantine,
the basic concept remains the same.

The process starts when the client connects to the VPN
server. Next, the client would initiate the authentication process by passing
its authentication credentials to the VPN server via the Protected Extensible
Authentication Protocol (PEAP). Assuming that the user has entered valid
authentication credentials, the VPN server will then request a Statement of
Health from the client.

Just as in my previous example, if the client does not have
a Statement of Health, it is treated in the same way that it would be if the
Statement of Health were invalid. Such a machine would therefore be quarantined
from the rest of the network.

At this point, the agent on the client contacts an SMS server
that exists on the quarantine network, and tells the SMS server that it has
been quarantined. The SMS server then pushes the necessary updates to the
quarantined client. In doing so, the client’s Statement of Health is also
updated. Now the client uses the PEAP protocol to send its updated
Statement of Health to the VPN server. The VPN server will then use the System
Health Validator to validate the Statement of Health. Assuming that the
Statement of Health is up to par, the VPN server grants the client access to
the network.

A few misconceptions

Now that I’ve shown you how the various types of
quarantines work, I want to clear up a couple of common misconceptions about
Quarantine Mode. First, a lot of people assume that Quarantine Mode protects
the network against hackers. However, it does so only indirectly. If a hacker
has an approved configuration and a valid set of logon credentials, Quarantine
Mode won’t stop the hacker from logging onto the network.

Another common misconception is that the quarantine is some
sort of empty black hole in cyberspace. The fact is that the quarantine network
is anything but empty. While an SMS server must be accessible from within
Quarantine Mode, there are other components that must be accessible from
Quarantine Mode as well. For starters, the quarantine network must have a DNS
server. Keep in mind, though, that this server can simply be a forwarding DNS
server; it doesn’t have to be the organization’s primary DNS server. Finally,
the DHCP server and IAS server (VPN Quarantine Mode only) must be accessible
whether a machine is quarantined or not. Otherwise, a client would never be
able to get out of Quarantine Mode after its Statement of Health has been