Remote Access Quarantine

Applies To: Windows Server 2003 with SP1

What does Remote Access Quarantine do?

Remote Access Quarantine control provides network administrators the ability to validate the configuration of remote client computers before they are permitted to access the corporate network. Typical remote access connections only validate the credentials of the remote access user. Therefore, the computer used to connect to a private network can often access network resources even when its configuration does not comply with organization network policy. For example, a remote access user with valid credentials could connect to a network with a computer that does not have the following:

  • The correct service pack or the latest security patches installed.

  • The correct antivirus software and signature files installed.

  • Routing disabled. A remote access client computer with routing enabled might pose a security risk, providing an opportunity for a malicious user to access corporate network resources through the client computer, which has an authenticated connection to the private network.

  • Firewall software installed and active on the Internet interface.

  • A password-protected screensaver with an adequate wait time.

Despite the efforts made within organizations to ensure that computers used internally comply with network policy, those used from employees' homes for remote access can still present significant risk to the network.

Remote Access Quarantine, a new feature in Windows Server 2003 Service Pack 1, delays normal remote access to a private network until the configuration of the remote access computer has been examined and validated by an administrator-configured script (included in the connection settings). When a remote access computer initiates a connection to a remote access server, the user is authenticated and the remote access computer is assigned an IP address. However, the connection is placed in quarantine mode, in which network access is limited. The administrator-configured script is run on the remote access computer. When the script notifies the remote access server that it has successfully run and the remote access computer complies with current network policies, quarantine mode access restrictions are removed and the remote access computer is granted normal remote access.

The quarantine restrictions placed on individual remote access connections can consist of the following:

  • A set of quarantine packet filters that restrict the traffic that can be sent to and from a quarantined remote access client.

  • A quarantine session timer that restricts the amount of time the client can remain connected in quarantine mode before being disconnected.

You can use either restriction, or both, as needed. The validation script can also remediate a failing configuration, for example by updating the antivirus signature file, before it asks for the quarantine restrictions to be removed.

The components required for this Remote Access Quarantine solution include the following:

  • The Remote Access Quarantine Service (RQS, also called the listener), which runs on the Routing and Remote Access (RRAS) server and listens for requests from remote clients to remove the quarantine restrictions.

  • A RADIUS server (or the RRAS server itself) where a quarantine policy can be defined for applying IP filters or session timeouts to remote connections.

  • A configuration validation script that performs the validation checks to verify that the remote access client computer conforms to the minimum security guidelines required to access the corporate network.

  • A Connection Manager profile configured to run the Remote Access Quarantine Client (RQC) as a Post-Connect action on the remote client computer. The Quarantine CM profile will update the validation scripts from an administrator-specified share path and run the validation scripts. If the minimum requirements are verified by the scripts to have been met, RQC will notify RQS and request removal of the quarantine restrictions.

  • Remote access clients configured to run the Remote Access Quarantine Client and the validation script (distributed through the Connection Manager Profile).
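The following is a validation script of the kind the Connection Manager profile runs as its post-connect action, written here as an added example in PowerShell; it is not code from this page or from any Microsoft deployment kit. It checks the five policy items listed above and calls rqc.exe only when all of them pass. It assumes PowerShell 2.0 or later on the client, that rqc.exe sits in the same folder as the script (the CM profile distributes both), and that the CM action passes %DialRasEntry% %TunnelRasEntry% %Domain% %UserName% as its four arguments. The antivirus service name, signature file path and signature share are hypothetical placeholders; the rqc.exe argument order (connection name, tunnel connection name, port, domain, user name, script version) is the documented one, and the registry locations used for the service pack level, IP routing, Windows Firewall and screen saver are the standard ones.

```powershell
# quarantine-check.ps1: run by the CM profile after the VPN tunnel is up.
# Added example, not part of the original page. Checks the client against the
# policy items above and, only if every check passes, asks RQS to lift quarantine.
param(
    [string]$ConnName,                       # %DialRasEntry%
    [string]$TunnelConnName,                 # %TunnelRasEntry%
    [string]$Domain,                         # %Domain%
    [string]$UserName,                       # %UserName%
    [int]$RqsPort = 7250,                    # must match the Port value under Services\Rqs
    [string]$ScriptVersion = 'RASQuarantineConfigPassed'  # must be listed in AllowedSet on RQS
)

# Hypothetical antivirus details and signature share; replace for a real vendor.
# The share must be reachable through the quarantine packet filters.
$AvService         = 'ExampleAV'
$AvSignature       = 'C:\Program Files\ExampleAV\sigs.dat'
$SigShare          = '\\quarantine-srv\sigs\sigs.dat'
$MaxSigAgeDays     = 7
$MaxScreenSaverSec = 600

function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$failures = @()

# Service pack: CSDVersion reads 'Service Pack N'; require SP2 or later.
$csd = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' 'CSDVersion'
if ("$csd" -notmatch '^Service Pack [2-9]') { $failures += "service pack too old: '$csd'" }

# IP routing must be off; a forwarding client bridges the VPN to whatever else it touches.
if ((Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' 'IPEnableRouter') -eq 1) {
    $failures += 'IP forwarding (IPEnableRouter) is enabled'
}

# Windows Firewall must be on for the standard profile (Windows XP SP2 location).
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
if ((Get-RegValue $fwKey 'EnableFirewall') -ne 1) { $failures += 'Windows Firewall is disabled' }

# Screen saver: active, password protected, and a wait time within policy.
$desk = 'HKCU:\Control Panel\Desktop'
$ssTimeout = [int](Get-RegValue $desk 'ScreenSaveTimeOut')
if ((Get-RegValue $desk 'ScreenSaveActive') -ne '1' -or
    (Get-RegValue $desk 'ScreenSaverIsSecure') -ne '1' -or
    $ssTimeout -lt 1 -or $ssTimeout -gt $MaxScreenSaverSec) {
    $failures += "screen saver is not password protected with a wait time of at most $MaxScreenSaverSec s"
}

# Antivirus: service running and signatures fresh. Stale signatures are the one
# item this script remediates itself, by pulling the current file from the share.
$stale = { -not (Test-Path $AvSignature) -or
           (Get-Item $AvSignature).LastWriteTime -lt (Get-Date).AddDays(-$MaxSigAgeDays) }
$svc = Get-Service -Name $AvService -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') {
    $failures += "$AvService is not running"
} elseif (& $stale) {
    Copy-Item -Path $SigShare -Destination $AvSignature -Force -ErrorAction SilentlyContinue
    if (& $stale) { $failures += 'antivirus signatures are stale and could not be updated' }
}

if ($failures.Count -gt 0) {
    # Leave the connection in quarantine; the quarantine session timer will drop it.
    $failures | ForEach-Object { Write-Warning $_ }
    exit 1
}

# Every check passed: tell RQS to remove the quarantine restrictions for this session.
$rqc = Join-Path (Split-Path -Parent $MyInvocation.MyCommand.Path) 'rqc.exe'
& $rqc $ConnName $TunnelConnName $RqsPort $Domain $UserName $ScriptVersion
exit $LASTEXITCODE
```

The CM post-connect action would invoke this as `powershell.exe -File quarantine-check.ps1 %DialRasEntry% %TunnelRasEntry% %Domain% %UserName%`. Two things must hold for it to work at all: the quarantine packet filters on the RRAS server must permit the client to reach RQS on the listener port (7250 unless the Port value is set) and to reach any share or update server the script uses for remediation, and the version string the script passes to rqc.exe must be one of the strings in the AllowedSet value on the server, otherwise RQS refuses the request and the client stays quarantined until the session timer expires.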

Warning

Remote Access Quarantine is not a security solution. It is designed to help prevent computers with unsafe configurations from connecting to a private network, not to protect a private network from a malicious user who has obtained a valid set of credentials. The validation runs on the client, so a user who controls the client can bypass it.

Who does this feature apply to?

This feature applies to:

  • Remote access servers, running Windows Server 2003 with Service Pack 1.

  • Remote access client computers connecting to the corporate network from remote locations, running Windows 2000 or Windows XP.

  • Network Administrators who want to validate configuration of client computers before they are allowed access to the corporate network.

Why is this change important?

Remote Access Quarantine provides network administrators with a mechanism to quarantine remote access clients by providing VPN access to limited parts of the private network, and allowing administrators to validate that the computer meets the minimum security requirements. After the computers have been verified to meet the guidelines for accessing the network, quarantine restrictions can be lifted allowing the client computers to have normal access to the network resources.

This mitigates the threat to a private or corporate network from vulnerable client computers that are at remote locations or are not domain-joined and thus outside the administrator’s purview.

What settings are added or changed in Windows Server 2003 Service Pack 1?

All of the following values are registry entries under the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rqs. None of them existed before Service Pack 1, so the previous default value is N/A in every case.

  • AllowedSet, REG_MULTI_SZ
      Location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rqs
      Previous default value: N/A
      Default value: RASQuarantineConfigPassed
      Possible values: N/A

  • Port, REG_DWORD
      Location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rqs
      Previous default value: N/A
      Default value: Not set. When this value is not set, the server listens for client notifications on TCP port 7250.
      Possible values: The port number to listen on.

  • Authenticator, REG_SZ
      Location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rqs
      Previous default value: N/A
      Default value: Not set
      Possible values: NULL

  • Verifier, REG_SZ
      Location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rqs
      Previous default value: N/A
      Default value: Not set
      Possible values: NULL
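An added example of setting the two values an administrator normally touches, AllowedSet and Port, on the RRAS server; this is illustrative PowerShell and not configuration text from this page. It assumes RQS is installed with the service name Rqs (matching the registry key above) and that PowerShell 2.0 or later is available on the server. The second version string is an invented placeholder standing in for a newer script release.

```powershell
# Added example, not from the page: configure the RQS listener on the RRAS server.
$RqsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Rqs'
$Port   = 7250

# AllowedSet is REG_MULTI_SZ: every string a client may present to RQS as its
# script version. While a new CM profile is rolling out, keep the previous
# version string alongside the new one; remove it once no client still runs
# the old script, so that an outdated validation script can no longer release
# a connection from quarantine.
Set-ItemProperty -Path $RqsKey -Name AllowedSet -Type MultiString `
    -Value @('RASQuarantineConfigPassed', 'RASQuarantineConfigPassed-v2')  # second string is a placeholder

# Port is REG_DWORD; when absent RQS listens on 7250. Setting it explicitly
# keeps the value visible to audits, and it must match the port that the CM
# post-connect action passes to rqc.exe on every client.
Set-ItemProperty -Path $RqsKey -Name Port -Type DWord -Value $Port

# Restart the service so it picks up the new values, then read them back and
# confirm the listener is bound on the expected port.
Restart-Service -Name Rqs
(Get-ItemProperty -Path $RqsKey).AllowedSet
netstat -a -n -p tcp | Select-String 'LISTENING' | Select-String ":$Port "
```

Changing Port on the server without changing the port argument in every distributed CM profile means no client can ever leave quarantine; roll the two out together, and remember that the quarantine IP filter in the remote access policy must allow client traffic to this port on the server's address.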