Adding “Kick” to Your Remote Access Security Policies with Intelligent Application Gateway 2007

  • Article

By Uri Lichtenfeld, IAG Product Manager, Microsoft Corporation

See other Security Tip of the Month columns

The market is awash these days in remote access solutions, and organizations are adopting a variety of tools to enable access to their resources for employees, partners, and customers. In some cases, companies use combinations of technologies (firewall, proxies, VPNs) to provide access to Web-based and other applications from virtually any location and from computers that are generally unmanaged, such as home computers and computer kiosks. One of the key concerns network administrators face is how to ensure the security of an application and its data when the administrators no longer control, and therefore cannot trust, all of the computers that are used to gain access.

Microsoft Intelligent Application Gateway 2007 (IAG) is designed specifically for this scenario and provides:

  • Intelligent Application Optimizers that are specifically designed around the popular applications that most organizations are publishing today (such as Microsoft Office SharePoint Server, Microsoft Exchange Server, Terminal Services, and a host of third-party applications including Lotus Notes, SAP Portal, and IBM WebSphere).

  • SSL VPN (Strong Secure Socket Layer Virtual Private Network) tunneling capabilities to connect users at various networking levels and to accommodate the needs of applications that are not Web-based.

These features provide a comprehensive and secure way to publish applications to users from virtually any location, and they alleviate the need to combine technologies and operating environments that are difficult to manage and that can create a complex and unfriendly user experience.

The Missing Ingredient

So while administrators can now publish applications from any location, it’s important to keep in mind that “any location” includes computers that may not, for example, have any antivirus, firewall or security software installed. This requires the ability to scan a user’s computer and assess the level of threat that computer may pose.

Some of the choices that are available in the market today allow the administrator to check for the existence of a registry key or executable file, which is usually enough to scan for a specific and known piece of software.

This now allows the administrator to choose between two bad choices:

  1. Allow any user who successfully authenticates to have complete access to all resources.

  2. Deny access to all applications from un-trusted or unmanaged computers.

Option 1 leaves the network exposed and option 2 leaves the user unproductive (and unhappy).

Another factor to consider is the variety of potential antivirus and security software that may be installed on these unmanaged PCs. A home PC could be running a non-enterprise version and a kiosk might be using a different vendor. While they may not all conform to an organization’s standard/approved build, they can provide equal protection and should certainly be rated higher than PCs running no security software at all.

Therefore, it is crucial that any end-point detection solution be able to recognize a variety of software solutions and metrics to determine the true state of a computer’s health and the subsequent level of threat it presents.

IAG’s built-in detection solution is designed to scan a client computer and report back on a very wide variety of metrics including: antivirus, antispyware, anti-malicious software, and workstation security solutions. Having these profiles built in, and knowing that IAG will update and add new profiles as the market evolves helps ensure that end-point health detection is feasible and manageable.

Figure 2

Clockwise from top left: From within an IAG Session - System Information window, which displays the user's current status; From within the IAG administrative console - the Policy Editor window, in which the administrator can choose which antivirus packages to detect and can define the acceptable age of signature files; From within the IAG administrative console - a menu of policy selection for an application.

So Now You Know - Here’s What You Can Do About It!

Having the information about a client computer is critical, but no less important is the ability to take action based on this data. As mentioned earlier, most solutions on the market today arrive at a yes or no decision to allow access. In some cases, solutions are capable of opening the main door and then allowing or denying access to specific applications based on their endpoint policy. In this case a trusted computer or one that is running the latest and acceptable security software will be allowed access to all applications, while an unmanaged computer or one that is missing any of the required components will either be denied access entirely or will be allowed access only to a subset of applications.

IAG takes this concept a few steps further by giving administrators the ability to distinguish between different levels of failure (for example, a computer that has outdated antivirus software won’t be treated the same as a computer that has no antivirus protection at all). Most importantly however, IAG allows administrators to go beyond just allowing or denying access to applications, but rather allowing or denying access to specific transactions within the applications.

For example, an employee who wants to access e-mail from a hotel business center kiosk may fail the corporate security policy because the computer the employee is using is running outdated antivirus software or perhaps has no antivirus protection at all. With other solutions the employee would either be denied network access entirely or would be allowed access only to applications that aren’t susceptible to virus threats. However, with IAG, the user would still be able to access e-mail through Office Outlook Web Access (OWA) or Lotus iNotes, but would be blocked from being able to upload attachments to e-mail messages, because doing so is the true threat of accessing e-mail without up-to-date antivirus protection.

This helps administrators to provide functionality from many more locations, without sacrificing security.

Figure 2

The error message a user sees when attempting to attach a file to an outbound OWA message.

Setting Up Endpoint Policies

(excerpt from the Intelligent Application Gateway User Guide, Version 3.7, December 2006)

The IAG is equipped with technology that identifies the security level of the endpoint computer, and can allow or deny access accordingly. You can use endpoint security policies to create tiers of access, by determining whether or not endpoint computers are allowed to access internal sites and applications, depending on their security settings.

For example, you can set up your endpoint policies so that access to internal applications is allowed as follows:

  • From corporate laptops: all applications are allowed.

  • From home computers: all web applications are allowed.

  • From an Internet kiosk: only Webmail applications are allowed.

When you define an endpoint policy, you determine which security components must be installed on the endpoint computer, in order for it to comply with the policy. Security components include options such as whether a compliant anti-virus program or a personal firewall is installed on the computer, whether the Attachment Wiper is launched on it, and more.

You can use the IAG’s pre-defined policies, or define as many additional policies as you wish. You can view the values of the default policies and edit their definitions, as well as create new policies, using one of the Policy Editors, as follows:

  • The Policy Editor is an easy-to-use, basic editor for creating simple policies, without the need for defining variables and entering complex Boolean expressions. The basic editor can check the existence of the most commonly used endpoint security tools, such as anti-virus and personal firewall, as well as client configuration settings such as IAG Client Components, operating system, and user privilege level.

  • Use the Advanced Policy Editor for more complex policies or attributes that are not presented in the basic editor. Once you edit a policy in the Advanced Policy Editor, you will only be able to open it for further editing in the Advanced Policy Editor; you will not be able to revert to editing in the basic Policy Editor.

Basic Policy Configuration

To configure policies and expressions in Basic mode:

  1. In an area where you assign policies, click Edit Policies.

  2. Do one of the following:

    1. To edit an existing policy that was previously created and edited in Basic mode, select the policy and click Edit.

    2. To edit an existing expression, click the + sign to expand the Expressions group, select the expression you wish to edit, then click Edit.

    3. To create a new policy or expression, click Add.

  3. Enter general information about the policy or expression in the General Policy Settings screen. Once general information is defined, use the tree on the left to select and configure groups of pre-defined variables, which will compose the policy or expression. You can select as many groups and group-items as required in order to define the policy or expression.

  4. When you finish editing the policy, click OK to close the Policy Editor, then click Close to close the Policies dialog box.

Advanced Policy Configuration

To use the Advanced Policy Editor to edit and create policies and expressions in Script mode:

  1. Access the Policies dialog box, as described in “Basic Policy Configuration.”

  2. Do one of the following:

    1. To edit an existing policy, select the policy and click Edit.

    2. To edit an existing expression, click the + sign to expand the Expressions group, select the expression you wish to edit, then click Edit.

    3. To create a new policy or expression, click Add. In this case, the basic Policy Editor is displayed. To access the Advanced Policy Editor, click CreateAsScript.

  3. For new policies and expressions:

    1. In the “Name” field, at the top right, assign a name.

    2. In the “Category” field, select “Policies” or “Expressions” accordingly.
      You do not need to edit those fields for existing policies and expressions.

  4. Define the rules of the policy or expression:

    1. From the Components list, at the left of the Policy Editor, select a component to add it to the “Rules” area on the right.

    2. Use the AND, OR, NOT, and parenthesis operators to create a combination of as many components as you require, or to combine VBScript-syntax free text with expressions and variables.

    3. The “Rules” area is a free text area; you can edit and delete rules and rule-components in this area as required.

  5. At the bottom right of the Advanced Policy Editor, you can enter text that will be displayed to users in the message they receive if their computer does not comply with the policy, and access is denied.

  6. When you finish editing the policy, click [OK] to close the Advanced Policy Editor, then click [Close] to close the Policies dialog box.

For more in-depth information about IAG's functionality and how to use its various components and options, please download the Intelligent Application Gateway User Guide.

Summary

While access from anywhere can drive productivity, it is challenging for organizations to create a remote access user experience that is both easy to manage and comprehensive enough to leverage the vast population of unmanaged PCs. Microsoft’s Intelligent Application Gateway 2007 provides tools to help companies publish applications and achieve a better balance between access and security.