Remote Access Quarantine


This topic contains 0 replies, has 1 voice, and was last updated by  Webmaster 2 years ago.

Applies To: Windows Server 2003 with SP1

What does Remote Access Quarantine do?

Remote Access Quarantine control provides network administrators the ability to validate the configuration of remote client computers before they are permitted to access the corporate network. Typical remote access connections only validate the credentials of the remote access user. Therefore, the computer used to connect to a private network can often access network resources even when its configuration does not comply with organization network policy. For example, a remote access user with valid credentials could connect to a network with a computer that does not have the following:

• The correct service pack or the latest security patches installed.
• The correct antivirus software and signature files installed.
• Routing disabled. A remote access client computer with routing enabled might pose a security risk, providing an opportunity for a malicious user to access corporate network resources through the client computer, which has an authenticated connection to the private network.
• Firewall software installed and active on the Internet interface.
• A password-protected screensaver with an adequate wait time.

Despite the efforts made within organizations to ensure that computers used internally comply with network policy, those used from employees’ homes for remote access can still present significant risk to the network.

Remote Access Quarantine, a new feature in Windows Server 2003 Service Pack 1, delays normal remote access to a private network until the configuration of the remote access computer has been examined and validated by an administrator-configured script (included in the connection settings). When a remote access computer initiates a connection to a remote access server, the user is authenticated and the remote access computer is assigned an IP address. However, the connection is placed in quarantine mode, in which network access is limited. The administrator-configured script is run on the remote access computer. When the script notifies the remote access server that it has successfully run and the remote access computer complies with current network policies, quarantine mode access restrictions are removed and the remote access computer is granted normal remote access.

The quarantine restrictions placed on individual remote access connections can consist of the following:

• A set of quarantine packet filters that restrict the traffic that can be sent to and from a quarantined remote access client.
• A quarantine session timer that restricts the amount of time the client can remain connected in quarantine mode before being disconnected.

You can use either restriction, or both, as needed. The administrator also has the option to help the client to remedy the configuration, by, say, updating the signature file for the antivirus software, through the validation script.

The components required for this Remote Access Quarantine solution include the following:

• The Remote Access Quarantine Service (RQS or Listener) to be run on the routing and remote access (RRAS) server that listens for requests from the remote clients for removal of quarantine restrictions.
• A RADIUS server (or the RRAS server itself) where a quarantine policy can be defined for applying IP filters or session timeouts to remote connections.
• A configuration validation script that performs the validation checks to verify that the remote access client computer conforms to the minimum security guidelines required to access the corporate network.
• A Connection Manager profile configured to run the Remote Access Quarantine Client (RQC) as a Post-Connect action on the remote client computer. The Quarantine CM profile will update the validation scripts from an administrator-specified share path and run the validation scripts. If the minimum requirements are verified by the scripts to have been met, RQC will notify RQS and request removal of the quarantine restrictions.
• Remote access clients configured to run the Remote Access Quarantine Client and the validation script (distributed through the Connection Manager Profile).

Remote Access Quarantine is not a security solution. It is designed to help prevent computers with unsafe configurations from connecting to a private network; not to protect a private network from malicious users who have obtained a valid set of

Who does this feature apply to?

This feature applies to:

• Remote access servers, running Windows Server 2003 with Service Pack 1.
• Remote access client computers connecting to the corporate network from remote locations, running Windows 2000 or Windows XP.
• Network Administrators who want to validate configuration of client computers before they are allowed access to the corporate network.

Why is this change important?

Remote Access Quarantine provides network administrators with a mechanism to quarantine remote access clients by providing VPN access to limited parts of the private network, and allowing administrators to validate that the computer meets the minimum security requirements. After the computers have been verified to meet the guidelines for accessing the network, quarantine restrictions can be lifted allowing the client computers to have normal access to the network resources.

This mitigates the threat to a private or corporate network from vulnerable client computers that are at remote locations or are not domain-joined and thus outside the administrator’s purview.

What settings are added or changed in Windows Server 2003 Service Pack 1?

Setting name | Location | Previous default value | Default value | Possible values
(not shown) | \CurrentControlSet\Services\Rqs | N/A | RASQuarantineConfigPassed | N/A
(not shown) | \CurrentControlSet\Services\Rqs | N/A | Not set (when this key is not set the server listens for client notification on port 7250) | port number to listen to
(not shown) | \CurrentControlSet\Services\Rqs | N/A | Not set | NULL
(not shown) | \CurrentControlSet\Services\Rqs | N/A | Not set | NULL
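A sketch of the client-side validation script that the Connection Manager profile runs before RQC asks RQS to lift the quarantine, added here as an example; it is not Microsoft's sample script and not part of the original post. It assumes a Windows XP client (reg.exe output format, Windows Firewall registry location), that the post-connect action passes the six arguments listed in the comments and that rqc.exe accepts them in that order; the required service pack, the screensaver limit and the antivirus file path are assumed policy values and placeholders.

```batch
@echo off
rem Constructed quarantine validation script for a Windows XP remote client.
rem Assumed arguments, passed by the Connection Manager post-connect action:
rem   %1 dial-up entry  %2 tunnel entry  %3 RQS TCP port (7250 when not set)
rem   %4 domain         %5 user name     %6 script version string
setlocal enableextensions
set FAIL=0
set REQUIRED_SP=Service Pack 2
set MAX_SAVER_WAIT=600
set AV_SIG=C:\PLACEHOLDER\AntiVirus\signatures.dat

rem Service pack level (assumed policy: exactly REQUIRED_SP).
call :regval "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" CSDVersion
if /i not "%RV%"=="%REQUIRED_SP%" set FAIL=1

rem Routing must be disabled: IPEnableRouter is 0 (XP's reg.exe prints 0x0).
call :regval "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" IPEnableRouter
if /i not "%RV%"=="0x0" set FAIL=1

rem Windows Firewall (XP SP2) must be enabled for the standard profile.
call :regval "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" EnableFirewall
if /i not "%RV%"=="0x1" set FAIL=1

rem Password-protected screen saver with a wait time of at most MAX_SAVER_WAIT seconds.
call :regval "HKCU\Control Panel\Desktop" ScreenSaveActive
if not "%RV%"=="1" set FAIL=1
call :regval "HKCU\Control Panel\Desktop" ScreenSaverIsSecure
if not "%RV%"=="1" set FAIL=1
call :regval "HKCU\Control Panel\Desktop" ScreenSaveTimeOut
if "%RV%"=="" set RV=999999
if %RV% GTR %MAX_SAVER_WAIT% set FAIL=1

rem Antivirus signatures are vendor-specific; placeholder check: the file must exist.
if not exist "%AV_SIG%" set FAIL=1

if %FAIL%==1 (
    echo Client configuration does not meet policy; connection stays in quarantine.
    exit /b 1
)
rem All checks passed: RQC notifies RQS so the quarantine restrictions are lifted.
rqc.exe %1 %2 %3 %4 %5 %6
exit /b %ERRORLEVEL%

:regval
rem Read value %2 under key %1 into RV (empty when absent), parsing XP's
rem "<name>  <type>  <data>" reg.exe output line.
set RV=
for /f "tokens=2*" %%a in ('reg query "%~1" /v %~2 2^>nul ^| find /i "%~2"') do set RV=%%b
goto :eof
```

Because the script runs on the client, it is only a compliance aid, as the post says: the real enforcement is the quarantine packet filters and session timer that RQS keeps in place until rqc.exe reports success.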
