Remote Access Quarantine

IT Support Forum, Windows Server 2003 R2 General Discussion

    #2215 Webmaster (Keymaster)

      Applies To: Windows Server 2003 with SP1

      What does Remote Access Quarantine do?

      Remote Access Quarantine control provides network administrators the ability to validate the configuration of remote client
      computers before they are permitted to access the corporate network. Typical remote access connections only validate the
      credentials of the remote access user. Therefore, the computer used to connect to a private network can often access network
      resources even when its configuration does not comply with organization network policy. For example, a remote access user
      with valid credentials could connect to a network with a computer that does not have the following:
      - The correct service pack or the latest security patches installed.
      - The correct antivirus software and signature files installed.
      - Routing disabled. A remote access client computer with routing enabled might pose a security risk, providing an
        opportunity for a malicious user to access corporate network resources through the client computer, which has an
        authenticated connection to the private network.
      - Firewall software installed and active on the Internet interface.
      - A password-protected screensaver with an adequate wait time.
      Despite the efforts made within organizations to ensure that computers used internally comply with network policy, those used
      from employees' homes for remote access can still present significant risk to the network.

      Remote Access Quarantine, a new feature in Windows Server 2003 Service Pack 1, delays normal remote access to a private
      network until the configuration of the remote access computer has been examined and validated by an administrator-configured
      script (included in the connection settings). When a remote access computer initiates a connection to a remote
      access server, the user is authenticated and the remote access computer is assigned an IP address. However, the connection is
      placed in quarantine mode, in which network access is limited. The administrator-configured script is run on the remote access
      computer. When the script notifies the remote access server that it has successfully run and the remote access computer
      complies with current network policies, quarantine mode access restrictions are removed and the remote access computer is
      granted normal remote access.

      The quarantine restrictions placed on individual remote access connections can consist of the following:
      - A set of quarantine packet filters that restrict the traffic that can be sent to and from a quarantined remote access client.
      - A quarantine session timer that restricts the amount of time the client can remain connected in quarantine mode before
        being disconnected.

      You can use either restriction, or both, as needed. The administrator also has the option to help the client to remedy the
      configuration, by, say, updating the signature file for the antivirus software, through the validation script.
      The components required for this Remote Access Quarantine solution include the following:
      - The Remote Access Quarantine Service (RQS or Listener) to be run on the Routing and Remote Access (RRAS) server that
        listens for requests from the remote clients for removal of quarantine restrictions.
      - A RADIUS server (or the RRAS server itself) where a quarantine policy can be defined for applying IP filters or session
        timeouts to remote connections.
      - A configuration validation script that performs the validation checks to verify that the remote access client computer
        conforms to the minimum security guidelines required to access the corporate network.
      - A Connection Manager profile configured to run the Remote Access Quarantine Client (RQC) as a Post-Connect action on
        the remote client computer. The Quarantine CM profile will update the validation scripts from an administrator-specified
        share path and run the validation scripts. If the minimum requirements are verified by the scripts to have been met, RQC
        will notify RQS and request removal of the quarantine restrictions.
      - Remote access clients configured to run the Remote Access Quarantine Client and the validation script (distributed
        through the Connection Manager profile).

      Caution
      Remote Access Quarantine is not a security solution. It is designed to help prevent computers with unsafe configurations
      from connecting to a private network; not to protect a private network from malicious users who have obtained a valid set of
      credentials.
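      The validation script and RQC notification step described above, written out as an added example (not Microsoft's sample script and not part of the original post). It assumes a Windows XP SP2 client with reg.exe, that the Connection Manager profile passes the dial-up entry name, tunnel entry name, domain and user name as the script's first four arguments, and that rqc.exe takes the arguments ConnName TunnelConnName TCPPort Domain UserName ScriptVersion, the order documented for Windows Server 2003 quarantine; verify it against the version you deploy. The registry value names used for the checks (CSDVersion, IPEnableRouter, EnableFirewall, ScreenSaveActive, ScreenSaverIsSecure, ScreenSaveTimeOut) are standard Windows values, not from the page, and the antivirus signature path and remediation share are placeholders.

```batch
@echo off
rem Added example of an administrator-configured quarantine validation script.
rem Not Microsoft's sample. Assumes Windows XP SP2 and reg.exe output in the
rem form "    Name    REG_TYPE    value" (third token is the value).
rem Arguments supplied by the Connection Manager profile (assumed):
rem   %1 = dial-up entry   %2 = tunnel entry   %3 = domain   %4 = user name
setlocal
set RQS_PORT=7250
set PASS_STRING=RASQuarantineConfigPassed
set FAIL=0

rem 1. Service pack level (CSDVersion is a string such as "Service Pack 2").
for /f "tokens=3*" %%a in ('reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CSDVersion ^| find "CSDVersion"') do set CSD=%%a %%b
if /i not "%CSD%"=="Service Pack 2" call :fail "service pack is '%CSD%', Service Pack 2 required"

rem 2. IP routing must be disabled; an absent IPEnableRouter value means 0.
set ROUTING=0x0
for /f "tokens=3" %%a in ('reg query "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v IPEnableRouter ^| find "IPEnableRouter"') do set ROUTING=%%a
if not "%ROUTING%"=="0x0" call :fail "IP routing is enabled (IPEnableRouter=%ROUTING%)"

rem 3. Windows Firewall enabled on the standard (non-domain) profile.
for /f "tokens=3" %%a in ('reg query "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall ^| find "EnableFirewall"') do set FW=%%a
if not "%FW%"=="0x1" call :fail "Windows Firewall is not enabled on the standard profile"

rem 4. Password-protected screensaver with a wait time of at most 600 seconds.
for /f "tokens=3" %%a in ('reg query "HKCU\Control Panel\Desktop" /v ScreenSaveActive ^| find "ScreenSaveActive"') do set SS_ACTIVE=%%a
for /f "tokens=3" %%a in ('reg query "HKCU\Control Panel\Desktop" /v ScreenSaverIsSecure ^| find "ScreenSaverIsSecure"') do set SS_SECURE=%%a
for /f "tokens=3" %%a in ('reg query "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut ^| find "ScreenSaveTimeOut"') do set SS_WAIT=%%a
if "%SS_WAIT%"=="" set SS_WAIT=0
if not "%SS_ACTIVE%"=="1" call :fail "screensaver is not active"
if not "%SS_SECURE%"=="1" call :fail "screensaver is not password protected"
if %SS_WAIT% GTR 600 call :fail "screensaver wait time %SS_WAIT%s exceeds 600s"

rem 5. Antivirus signature file: placeholder path and share, replace with your vendor's.
rem    This is the remediation hook the text mentions: refresh the file from the
rem    share before failing. The quarantine packet filters must permit this share.
set SIGFILE=C:\Program Files\ExampleAV\signatures.dat
set SIGSHARE=\\quarantine-share.example\av\signatures.dat
if not exist "%SIGFILE%" copy /y "%SIGSHARE%" "%SIGFILE%" >nul 2>&1
if not exist "%SIGFILE%" call :fail "antivirus signature file missing"

if "%FAIL%"=="1" (
    echo Configuration does not meet policy; connection stays in quarantine.
    exit /b 1
)

rem Notify RQS so the quarantine filters and session timer are removed.
rem The last argument must match an entry in the AllowedSet value under
rem HKLM\System\CurrentControlSet\Services\Rqs on the RRAS server.
rqc.exe %1 %2 %RQS_PORT% %3 %4 %PASS_STRING%
exit /b %errorlevel%

:fail
echo FAIL: %~1
set FAIL=1
goto :eof
```

      Two points follow directly from the settings described on this page: RQS_PORT must equal the Port value configured under the Rqs service key (7250 when that value is not set), and PASS_STRING must be one of the strings in AllowedSet, otherwise RQS rejects the notification and the client remains under the quarantine packet filters until the session timer disconnects it. Because the script runs while the connection is still quarantined, anything it fetches (updated scripts, signature files) must be reachable through those filters.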
      Who does this feature apply to?

      This feature applies to:
      - Remote access servers, running Windows Server 2003 with Service Pack 1.
      - Remote access client computers connecting to the corporate network from remote locations, running Windows 2000 or
        Windows XP.
      - Network administrators who want to validate the configuration of client computers before they are allowed access to the
        corporate network.

      Why is this change important?

      Remote Access Quarantine provides network administrators with a mechanism to quarantine remote access clients by
      providing VPN access to limited parts of the private network, and allowing administrators to validate that the computer meets
      the minimum security requirements. After the computers have been verified to meet the guidelines for accessing the network,
      quarantine restrictions can be lifted, allowing the client computers to have normal access to the network resources.
      This mitigates the threat to a private or corporate network from vulnerable client computers that are at remote locations or are
      not domain-joined and thus outside the administrator's purview.
      What settings are added or changed in Windows Server 2003 Service Pack 1?
      Setting name: AllowedSet (REG_MULTI_SZ)
      Location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rqs
      Previous default value: N/A
      Default value: RASQuarantineConfigPassed
      Possible values: N/A

      Setting name: Port (REG_DWORD)
      Location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rqs
      Previous default value: N/A
      Default value: Not set (when this key is not set, the server listens for client notification on port 7250)
      Possible values: port number to listen on

      Setting name: Authenticator (REG_SZ)
      Location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rqs
      Previous default value: N/A
      Default value: Not set
      Possible values: NULL

      Setting name: Verifier (REG_SZ)
      Location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rqs
      Previous default value: N/A
      Default value: Not set
      Possible values: NULL
