Network access quarantine control
Keeping dirty PCs off your network.
By Jonathan Hassell, Computerworld | Computerworld UK | Published: 00:00, 22 May 2006
Network access quarantine control, or NAQC, is a set of services and utilities available in Windows Server 2003 with the Resource Kit or with Service Pack 1. It allows you to prevent remote users from connecting to your network with machines that aren't up-to-date and secure by quarantining them in a secured area before permitting unfettered access.
It's long been known to expert network administrators that most nefarious software and malware infiltrate your production network not through holes in your firewall, or brute-force password attacks or anything else that might occur at your corporate headquarters or campus.
Rather, they gain access to your wires through your mobile users when they try to connect to your business network while on the road. There's a big problem with remote users, and it hinges on the unpredictability of the machines from which they're connecting.
Most remote users are authenticated and allowed access to your network only on the basis of their identity. They can prove that they are who they say they are, and that's good enough for a lot of deployments. But problematically, no effort is made to verify that their hardware and software on their machines meets a certain baseline requirement. Remote users could, and do every day, fail any or all of the following common-sense guidelines for very basic computer security:
But mobile users have typically been either overlooked or grudgingly accepted as exceptions to the rule. Luckily, Windows Server 2003 includes a new feature in its Resource Kit, or with Service Pack 1, known as Network Access Quarantine Control (NAQC). In a nutshell, NAQC prevents unhindered access to a network for a remote user connecting to a secured endpoint until after the machine at the endpoint has verified the connecting computer's configuration meets certain requirements and standards.
Under NAQC, when a client establishes a connection to a remote network's endpoint (a machine running the Routing and Remote Access Service included in Windows Server 2003), the destination DHCP server gives the remote, connecting computer an IP address, but a server running Microsoft's Internet Authentication Service (also included in Windows Server 2003) establishes a "quarantine mode." In quarantine mode, the following restrictions are in effect:
To use NAQC, the remote machines connecting to your NAQC-enabled endpoint need to be running Windows 98 SE, Windows ME, Windows 2000 Pro or Server, or Windows XP Home or Pro. These versions of Windows support a Connection Manager "connectoid" or profile, located in the Network Connections element in the user interface. The profile enables dial-up or VPN connectivity and contains three essential elements:
There are six steps to a proper deployment of NAQC:
Jonathan Hassell is an author, consultant and speaker on a variety of IT topics. His published works include RADIUS, Hardening Windows, Using Windows Small Business Server 2003 and Learning Windows Server 2003. He is currently an editor for Apress, a publishing company specialising in books for programmers and IT professionals.
Comments
Mitchell said: I think that people never actually worry about their computers when engaging in connections via a lta hrefhttpwwwproxynetworkscomgtremote control softwareltagt application Its like software pirates they never think they will get a virus because they think they are somehow on the inside looking out We need to always consider security even if we are on what we think is a trusted andor secure connection