Remote Access Quarantine

IT Support Forum Forums Windows Windows Server 2003 R2 General Discussion Remote Access Quarantine

Viewing 0 reply threads
  • Author
    • #2215

      Applies To:Windows Server 2003 with SP1
      What does Remote Access Quarantine do?
      Remote Access Quarantinecontrol provides network administrators theability to validatetheconfiguration of remoteclient
      computers beforethey are permitted to access thecorporate network.Typical remoteaccess connections only validatethe
      credentials of theremoteaccess user.Therefore, thecomputer used to connect to a private network can often access network
      resources even when its configuration does not comply with organization network policy.For example,a remoteaccess user
      with valid credentials could connect to a network with a computer that does not havethefollowing:
      Thecorrect service pack or thelatest security patches installed.
      Thecorrectantivirus softwareand signaturefiles installed.
      Routing disabled. A remoteaccess client computer with routing enabled might posea security risk, providing an
      opportunity for a malicious user to access corporate network resources through theclient computer, which has an
      authenticated connection to the private network.
      Firewall softwareinstalled and active on theInternet interface.
      A password-protected screensaver with an adequate wait time.
      Despitetheefforts made within organizations to ensurethat computers used internally comply with network policy, those used
      from employees’ homes for remoteaccess can still present significant risk to the network.
      Remote Access Quarantine,a new featurein Windows Server 2003 Service Pack 1, delays normal remoteaccess to a private
      network until theconfiguration of theremoteaccess computer has been examined and validated by an administratorconfigured
      script (included in theconnection settings).When a remoteaccess computer initiates a connection to a remote
      access server, the user is authenticated and theremoteaccess computer is assigned an IP address. However, theconnection is
      placed in quarantine mode, in which network access is limited.Theadministrator-configured script is run on theremoteaccess
      computer.When thescript notifies theremoteaccess server that it has successfully run and theremoteaccess computer
      complies with current network policies, quarantine modeaccess restrictions areremoved and theremoteaccess computer is
      granted normal remoteaccess.
      The quarantinerestrictions placed on individual remoteaccess connections can consist of thefollowing:
      A set of quarantine packet filters that restrict thetraffic that can besent to and from a quarantined remoteaccess client.
      A quarantinesession timer that restricts theamount of timetheclient can remain connected in quarantine mode before
      being disconnected.
      You can useeither restriction, or both,as needed.Theadministrator also has the option to help theclient to remedy the
      configuration, by say updating thesignaturefilefor theantivirus software, through thevalidation script.
      Thecomponents required for this Remote Access Quarantinesolution includethefollowing:
      The Remote Access QuarantineService(RQS or Listener) to berun on therouting and remoteaccess (RRAS) server that
      listens for requests from theremoteclients for removal of quarantinerestrictions.
      A RADIUS server (or the RRAS server itself) wherea quarantine policy can be defined for applying IP filters or session
      timeouts to remoteconnections.
      A configuration validation script that performs thevalidation checks to verify that theremoteaccess client computer
      conforms to the minimum security guidelines required to access thecorporate network.
      A Connection Manager profileconfigured to run the Remote Access Quarantine Client (RQC) as a Post-Connectaction on
      theremoteclient computer.The Quarantine CM profile will updatethevalidation scripts from an administrator-specified
      share path and run thevalidation scripts. If the minimum requirements areverified by thescripts to have been met, RQC
      will notify RQS and request removal of the quarantinerestrictions.
      Remoteaccess clients configured to run the Remote Access Quarantine Clientand thevalidation script (distributed
      through the Connection Manager Profile).
      Remote Access Quarantineis nota security solution. It is designed to help prevent computers with unsafeconfigurations
      from connecting to a private network; not to protecta private network from malicious users who have obtained a valid set of
      Who does this feature apply to?
      This featureapplies to:
      Remoteaccess servers, running Windows Server 2003 with Service Pack 1.
      Remoteaccess client computers connecting to thecorporate network from remotelocations, running Windows 2000 or
      Windows XP.
      Network Administrators who want to validateconfiguration of client computers beforethey areallowed access to the
      corporate network.
      Why is this change important?
      Remote Access Quarantine provides network administrators with a mechanism to quarantineremoteaccess clients by
      providing VPN access to limited parts of the private network,and allowing administrators to validatethat thecomputer meets
      the minimum security requirements. After thecomputers have been verified to meet the guidelines for accessing the network,
      quarantinerestrictions can belifted allowing theclient computers to have normal access to the network resources.
      This mitigates thethreat to a private or corporate network from vulnerableclient computers thatareat remotelocations or are
      not domain-joined and thus outsidetheadministrator’s purview.
      What settings are added or changed in Windows Server 2003 Service Pack 1?
      Setting name Location Previous
      Default value Possible
      \CurrentControlSet \Services\Rqs
      N/A RASQuarantineConfigPassed N/A
      \CurrentControlSet \Services\Rqs
      N/A Not set
      When this key is not set theserver listens
      for client notification on port 7250
      port number
      to listen to
      \CurrentControlSet \Services\Rqs
      N/A Not set NULL
      \CurrentControlSet \Services\Rqs
      N/A Not set NULL

Viewing 0 reply threads
  • You must be logged in to reply to this topic.