IAS Network Access Quarantine Control

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

IAS Network Access Quarantine Control

IAS Network Access Quarantine Control provides phased network access for remote client computers by restricting them to a quarantine mode. After the client computer configuration is either brought into or determined to be in accordance with your organization’s network policy, quarantine restrictions, which consist of Quarantine IP-Filters and Session Timers, are removed and standard remote access policy is applied to the connection.

Network Access Quarantine Control provides protection when users in your organization accidentally reconfigure key settings and do not restore them before connecting to your network. For example, a user might disable antivirus software that is required while connected to your network. Although Network Access Quarantine Control does not protect against attackers, computer configurations for authorized users can be verified and, if necessary, corrected before they can access the network. A timer setting is also available, which you can use to specify an interval at which the connection is dropped if the client fails to meet configuration requirements.

You can use the Routing and Remote Access service to process the specific RADIUS options sent by IAS, complete any required client configuration work, and remove the quarantine condition (or drop the connection) based on success or failure.

Quarantine mode

Quarantine mode is a set of network restrictions that are configured in IAS and implemented by the remote access server for each connection. You can use a Quarantine IP Filter to restrict access to a specific set of servers (for example, servers on a specified virtual Local Area Network) and a Quarantine Session Timer to restrict the amount of time the client can remain connected in quarantine mode. You can set these filters in the IAS console.

Configuring Network Access Quarantine Control

You can implement Network Access Quarantine Control with one or more servers running Windows Server 2003 and remote access, one or more servers running Windows Server 2003 and IAS, a Connection Manager (CM) profile created with Connection Manager Administration Kit (CMAK), an administrator-provided script, and two additional components: the notifier component and the listener component.

The notifier component is included in the CM profile and installed on the client computer. The notifier component sends notification to the remote access server when the administrator-provided script has run successfully on the client.

The listener component is installed on the remote access server, and receives notification from the notifier component that the script on the client has successfully performed all configuration checks. After the listener component receives notification, it removes the client from quarantine mode, and the remote access server applies standard remote access policy to the client.

You can create your own notifier and listener components, or you can use Rqs.exe (a listener component also called the Remote Access Quarantine Service) and Rqc.exe (a notifier component), which are available in the Windows Deployment and Resource Kits. For more information, see Windows Resource Kit Tools Help.

If you are running Windows Server 2003 with Service Pack 1, you can install the Remote Access Quarantine Service (Rqs.exe) using the Windows Components Wizard. In the wizard, the Remote Access Quarantine Service is available in Networking Services. In addition, you can use the Windows Components Wizard to install CMAK. After you install CMAK, Rqc.exe is located on your hard drive at %systemroot%\Program Files\cmak\support.

When you create the CM profile, you can include the administrator-provided script and Rqc.exe, which are distributed to and installed on remote access client computers. This profile can be installed on the following client operating systems:

  • Windows XP Professional

  • Windows XP Home Edition

  • Windows 2000 Professional

  • Windows Millennium Edition

  • Windows 98 Second Edition

For more information about CMAK, see Connection Manager Administration Kit.

Caution

  • Placing all remote access clients in quarantine mode without a way to remove quarantine policy and apply full access policy might prevent all remote access clients from establishing network connections.

Before you implement a remote access policy with Quarantine IP-Filters and Session Timers on your network, you must complete the following steps:

  1. Create a client-side script that validates client configuration information.

  2. Create a notification component that provides verification to the remote access server that the script has successfully run. If you do not want to create a notification component, you can use Rqc.exe.

  3. Create a listener component to install on remote access servers (that can receive information from the notification component), and then remove the client from quarantine mode, applying the full access policy. If you do not want to create a listener component, you can use Rqs.exe.

  4. Create a CM profile with CMAK. Include the client-side script and the notification component in the profile.

  5. Distribute the CM profile for installation on remote access client computers.

Configure two remote access policies on remote access or IAS servers

On your remote access servers or IAS servers, use the New Remote Access Policy Wizard to create these remote access policies:

  • A full access policy

  • A quarantine policy

The notification and listener components of Network Access Quarantine Control use port 7250 by default. When you create the quarantine policy, you must configure Inbound Filters (also called Input Filters) to allow network traffic on port 7250, or the notification component (Rqc.exe), which runs on client computers, cannot notify the remote access server listener component (Rqs.exe) that the script has run successfully. You can specify another port, but you must also configure the listener and notification components to use this new port.

When you use the New Remote Access Policy Wizard to create quarantine policy, do the following to add quarantine IP filters and session timers:

  1. On the profile page, click Edit profile.

  2. In Edit Dial-In profile, click the Advanced tab, and then click Add.

To add a quarantine IP filter

  1. In Attribute, select MS-Quarantine-IPFilter, and then click Add.

  2. In IP Filter Attribute Information, click Input Filters.

  3. In Inbound Filters, click New.

  4. In Add IP Filter, click Destination network, and then type values in IP address and Subnet mask that match your network configuration.

  5. In protocol, select TCP.

  6. In Source port, type 7250.

  7. In Destination port, type 7250, and then click OK.

  8. In Inbound Filters, for Filter action, click Permit only the packets listed below, and then click OK.

To add a quarantine session timer

  • In Attribute, select MS-Quarantine-Session-Timeout, and then click Add.

  • In Attribute value, type the number of seconds that represents the maximum amount of time (in seconds) that you want client computers to remain connected in quarantine mode, and then click OK.

After you have configured both the full access and quarantine policies, make sure that the quarantine policy is first in the list of remote access policies.

For more information about the New Remote Access Policy Wizard, see Add a remote access policy.

Notes

  • IAS Network Access Quarantine Control must be used in combination with remote access policy (user-based authentication and access control) to provide security for your network. The quarantine filters and timers can be defined in a remote access policy on either the remote access server or the IAS server. When the connection is made, the access server implements the restrictions (Quarantine IP Filters and Quarantine Session Timers) that are returned by IAS.

  • Notification by the client (to the server) that the administrator-provided script has successfully run is not secure and can be spoofed by a malicious user or attacker. Network Access Quarantine Control is only intended to help verify a managed client computer configuration.

  • You can configure IAS in Windows Server 2003, Standard Edition, with a maximum of 50 RADIUS clients and a maximum of 2 remote RADIUS server groups. You can define a RADIUS client using a fully qualified domain name or an IP address, but you cannot define groups of RADIUS clients by specifying an IP address range. If the fully qualified domain name of a RADIUS client resolves to multiple IP addresses, the IAS server uses the first IP address returned in the DNS query. With IAS in Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition, you can configure an unlimited number of RADIUS clients and remote RADIUS server groups. In addition, you can configure RADIUS clients by specifying an IP address range.