Leveraging the Capabilities of the Quarantine Policy Check Tool


The most significant tool in the Windows 2003 Resource Kit for remote access environments is the Quarantine Policy Check add-in. This is one of those hidden gems buried in the Resource Kit that would otherwise be overlooked if not brought to your attention. The Quarantine Policy Check tool enables an administrator to stop a VPN user from directly accessing the network until the user's system has been checked against minimum network requirements. The policy check can confirm whether the remote system has the latest security patches applied, or that the system has recently been scanned for viruses and worms. If the system fails the validation, it is quarantined and an additional policy can be initiated to apply the appropriate patch updates and run a virus scan and cleaning before the remote system is connected to the production network. If the system passes the policy check, the remote user's system is allowed to connect to the network.

How the Quarantine Policy Check Works

The Quarantine Policy Check works in conjunction with the Connection Manager and is a post-connection action that initiates a network policy script immediately after a remote user properly authenticates into the network, but before the user is actually connected to the production network. The network policy script performs a validation check on the remote access client system to verify that the system conforms to the security policies for patch updates and virus-clean requirements of the organization. When the script has run successfully and the remote system has satisfied the requirements of the network policy, the system is allowed access to the network. If the script fails, the remote access user is denied access to the production network and is commonly redirected to an organization Web page that describes how users can make their systems comply with organizational policies. This may include redirecting the user to a script that performs the appropriate updates and virus-scan cleans necessary to get the remote system updated for a subsequent logon attempt to the production network.

The files in the Windows 2003 Resource Kit that make up the Quarantine Policy Check tool are rqc.exe, rqs.exe, and rqs_setup.bat. After RRAS is up and running on a Windows 2003 server for VPN and/or dial-up client access, an administrator can run the rqs_setup batch file, which "installs" the rqs server agent. The rqc agent is installed on remote systems and acts as the client-side component that reports the result of the quarantine check and validation process to the server.

Quarantine Control Components and System Requirements

To be able to use the Quarantine Policy Check tools, a network should be running Windows Active Directory so that group policies can be enabled to manage the quarantine checks. Although it is possible to put a Windows 2003 RRAS server on a Windows NT4 domain and use system policies to enable the Quarantine Policy Check functionality, for the purpose of this Windows 2003-focused book, it is assumed that the organization already has Active Directory enabled in the environment and that all policies will be group policies in Active Directory.

The components needed to enable Quarantine Policy Check include the following:

  • Windows Active Directory Environment (so that group policies can be used for quarantine policy checks)

  • Windows 2003 Routing and Remote Access (RRAS) Server

  • Quarantine Policy Check policies created and enabled

  • Quarantine-compatible RADIUS server (optional)

  • Quarantine-compatible remote access clients

The remote access clients that are supported for the Quarantine Policy Check include the following:

  • Windows Server 2003 systems

  • Windows Server 2000 systems

  • Windows XP Professional workstations

  • Windows 2000 Professional workstations

  • Windows Millennium Edition and Windows 98 Second Edition workstations (with limitations)

Note

Although Windows Millennium and Windows 98 Second Edition systems are supported by the Quarantine Policy Check client tool, these editions of Windows do not support Windows 2003 group policies, so the quarantine policies cannot be enforced on them. Without the ability to enforce policies, the benefits of Quarantine Policy Check enforcement are greatly limited. It is recommended that remote client systems run Windows 2000 or XP Professional, or Windows 2000/2003 Server, at a minimum.


Installing the RQS.EXE Utility on an RRAS Server

To get the Quarantine Policy Check working, download and install the Windows 2003 Resource Kit on the Windows 2003 server that will be the RRAS server for the organization. The Windows 2003 Resource Kit can be downloaded at http://www.microsoft.com/windowsserver2003/downloads/default.mspx.

After the Resource Kit has been installed, three files will be needed to run the Quarantine Policy Check: RQS.EXE, RQC.EXE, and RQS_Setup.BAT. After confirming the files exist, do the following:

1. Launch Notepad on the system (Start, Run, Notepad, OK). Load the RQS_Setup.BAT into Notepad.

2. Search for the string "Version1\0" in the file (Edit, Find, Version1\0, OK). The result should return the string "REG ADD %ServicePath% /v AllowedSet /t REG_MULTI_SZ /d QScript1.0a".

3. Delete the REM at the start of the line to make the line an active command line.

4. Save the file (File, Save) and exit (File, Exit).

5. Type RQS_Setup /install to configure the registry settings needed for the Quarantine Policy Check software to work properly.

RQS_Setup /install installs all of the necessary files in the c:\system32\RAS folder on the server system.

Note

RQS_Setup /install does not start the Remote Access Quarantine Agent service, nor does it configure the service to start automatically. The agent requires the RRAS service to be running before it can start.


After the RQS Registry settings have been set up and configured, a script file should be created and a CM Profile created and installed on remote client systems.

Note

To remove RQS.EXE, type RQS_Setup /remove and the setup file will remove the Registry settings added during the installation process.


Creating a Script File for Post-Connection Execution

During the Quarantine Policy Check process, a script is run to check the status of system parameters on the remote client system. Depending on the results of the script, the remote system is either logged on to the network or quarantined for further system updates.

The script file can be set to look for specific system variables or parameters that indicate the status of patch installations, antivirus software checks and updates, and so on. A sample script file is shown here. The %1, %2, %3, and %4 variables will be passed to the batch file when the batch file is executed. The variables will be highlighted in the next section of this chapter, "Creating a Quarantine Connection Manager Profile."

@echo off
REM This file should be saved as script.bat
echo RAS Connection = %1
echo Tunnel Connection = %2
echo Domain = %3
echo User Name = %4
set MYSTATUS=
REM
REM Check if Internet Connection Firewall is enabled.
REM Set ICFCHECK to 1 if it is (pass).
REM Set ICFCHECK to 2 if it is not (fail).
REM
REM Check if Virus checker is running and has correct signature file installed.
REM Set VIRCHECK to 1 if it is (pass).
REM Set VIRCHECK to 2 if it is not (fail).
REM
REM Note: the checks above are placeholders for the organization to fill in.
REM As written, ICFCHECK and VIRCHECK are never set, so neither test fails
REM and every client reaches the rqc.exe call below.
REM
REM Based on the test results, run Rqc.exe.
REM
if "%ICFCHECK%" == "2" goto :TESTFAIL
if "%VIRCHECK%" == "2" goto :TESTFAIL
rqc.exe %1 %2 7250 %3 %4 Version1
REM %1 = %DialRasEntry%
REM %2 = %TunnelRasEntry%
REM 7250 is the TCP port on which Rqs.exe is listening
REM %3 = %Domain%
REM %4 = %UserName%
REM Version1 is the script version string
if "%ERRORLEVEL%" == "0" (
  set MYERRMSG=Success!
) else if "%ERRORLEVEL%" == "1" (
  set MYERRMSG=Unable to contact remote access gateway. Quarantine support may be disabled.
) else if "%ERRORLEVEL%" == "2" (
  set MYERRMSG=Access denied. Please install the Connection Manager profile from http://www.companyabc.com/VPNDenied.htm and reconnect.
) else (
  set MYERRMSG=Unknown failure. The client will remain in quarantine mode.
)
echo %MYERRMSG%
goto :EOF
:TESTFAIL
echo.
echo Your computer has failed network compliance tests. Either
echo Internet Connection Firewall is not enabled or you do not
echo have the correct virus-checking program with the current
echo signature file loaded. For information about how to configure
echo or install these components, see
echo http://www.companyabc.com/remote_access_tshoot.htm.
echo.
:EOF


This is just a sample of what the script.bat file can screen for during the connect process. The batch file can be customized for the specific needs of the organization.
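The sample script above leaves the ICFCHECK and VIRCHECK tests as comments. The following is an added example, not the book's script, that fills those two placeholders in with concrete checks. It assumes a client running Windows XP SP2 or Windows Server 2003 SP1 or later (for the netsh firewall context) and that the antivirus product records its signature version as a decimal REG_SZ value under an assumed registry key (AVKEY, AVVAL and MINSIG are hypothetical and must be adjusted for the real product).

```batch
@echo off
REM Added example, not the book's script: fills in the ICFCHECK and VIRCHECK
REM placeholders of script.bat with real checks. Assumes Windows XP SP2 or
REM Windows Server 2003 SP1 or later on the client (the "netsh firewall"
REM context) and that the antivirus product stores its signature version as
REM a decimal REG_SZ value at the registry location below (an assumed,
REM product-specific location; adjust AVKEY, AVVAL and MINSIG for your AV).
REM Parameters passed by the CM profile: %1 %2 %3 %4 =
REM %DialRasEntry% %TunnelRasEntry% %Domain% %UserName%
setlocal
set ICFCHECK=2
set VIRCHECK=2
set MINSIG=4120
set AVKEY=HKLM\SOFTWARE\CompanyABC\Antivirus
set AVVAL=SignatureVersion

REM Firewall check: pass only if an "Operational mode = Enable" line is
REM reported. (This accepts either firewall profile; tighten it to the
REM current profile if your policy requires that.)
netsh firewall show opmode | find /i "Operational mode" | find /i "Enable" >nul
if not errorlevel 1 set ICFCHECK=1

REM Antivirus check: the signature version in the registry must be at
REM least MINSIG. If the value is missing, VIRCHECK stays 2 (fail).
for /f "tokens=3" %%v in ('reg query "%AVKEY%" /v %AVVAL% 2^>nul ^| find /i "%AVVAL%"') do (
  if %%v GEQ %MINSIG% set VIRCHECK=1
)

if "%ICFCHECK%" == "2" goto :TESTFAIL
if "%VIRCHECK%" == "2" goto :TESTFAIL

REM Both checks passed: tell rqs.exe on the RRAS server (TCP port 7250) to
REM lift the quarantine. Version1 must be one of the strings in the AllowedSet
REM configured by RQS_Setup.bat for the server to accept the notification.
rqc.exe %1 %2 7250 %3 %4 Version1
if "%ERRORLEVEL%" == "0" echo Success!
if "%ERRORLEVEL%" == "1" echo Unable to contact remote access gateway. Quarantine support may be disabled.
if "%ERRORLEVEL%" == "2" echo Access denied. Please reinstall the Connection Manager profile and reconnect.
goto :EOF

:TESTFAIL
echo.
echo Your computer has failed network compliance tests and remains in quarantine.
echo Firewall check: %ICFCHECK%   Antivirus check: %VIRCHECK%   (1 = pass, 2 = fail)
echo See http://www.companyabc.com/remote_access_tshoot.htm for instructions.
echo.
```

Because both variables default to 2, a client is only released from quarantine when each check positively succeeds, which is the safer default when a check cannot run at all.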

Creating a Quarantine Connection Manager Profile

After a script batch file has been created, a new quarantine Connection Manager (CM) profile needs to be created with the Windows 2003 Connection Manager Administration Kit (CMAK). The CM profile is the part of the remote client's Connection Manager configuration that instructs the remote system to launch the script.bat file and to supply the information that the Quarantine Policy Check server uses to validate that the remote system may connect to the network.

The CMAK is a Windows component of Windows Server 2003. To install the CMAK, do the following:

1. Click on Start, Settings, Control Panel, Add/Remove Programs.

2. Click on the Add/Remove Windows Components icon in the left frame.

3. Scroll down and highlight Management and Monitoring Tools and click on Details.

4. Click to select the Connection Manager Administration Kit, then OK, and then Next to install the component.

5. Click Finished when prompted.

After CMAK has been installed, a custom action needs to be configured in a profile that will be distributed to remote client systems. To configure the custom action, do the following:

1. Launch the CMAK (Start, Programs, Administrative Tools, Connection Manager Administration Kit).

2. At the Welcome screen, click Next.

3. For Service Profile Selection, choose to create a New Profile, and click Next.

4. For Service and File Name, enter a descriptive name for the connection (such as CompanyABC Connection) and a filename (such as cmprof), and then click Next.

5. If you have a realm name, enter it; otherwise just choose Do Not Add A Realm Name To The User Name and click Next.

6. If you have an existing profile, choose to merge the profiles; otherwise just click Next.

7. For VPN support (typically needed, because the Connection Manager profile is used to secure VPN connections), select the Phone Book From This Profile check box, enter the name of the VPN server that the remote client will be accessing under VPN Server Name Or IP Address, and click Next.

8. Your newly created profile will appear at the VPN Entries screen. Choose to edit any settings at this point, or click Next to continue.

9. If a static phone book will be used, enter it in the Phone Book File location; otherwise keep Automatically Download Phone Book Updates and click Next.

10. If you did not enter a phone book filename in the previous screen, enter a phone book name such as pbook, and for the Connection Point server name, enter the URL for the server. Click Next to continue.

11. At the Dial-up Networking Entries screen, your newly created profile will appear. Choose to edit any settings at this point, or click Next to continue.

12. If you plan to change routing tables, enter the routing file; otherwise click Next.

13. If your remote connection requires a proxy setting, enter it on the Automatic Proxy Configuration page; otherwise, click Next.

14. Finally, to configure the Custom Actions for the Quarantine Policy Check, click the New button to bring up the New Custom Action page.

15. Enter a description (such as Quarantine Policy Check), the program to run (such as script.bat), and the parameters (%DialRasEntry% %TunnelRasEntry% %Domain% %UserName%). Choose Post-connect for the Action type, choose All Connections for the type of connection that the action will run on, and make sure the two check boxes at the bottom of the page are selected. The configuration will look similar to Figure 26.12. Click OK when this is completed.

Figure 26.12. New custom action configuration for Quarantine Check.

16. Click Next to get to the Logon Bitmap screen, and either enter a new graphic or leave it on the default and click Next to continue.

17. For Phone Book Bitmap, either enter a new graphic or leave it on the default and click Next.

18. On the Icons page, choose new icons, or keep the default icons and click Next.

19. Choose a new shortcut menu command, or leave the default and click Next.

20. Select a new Help file or leave the default and click Next.

21. Enter a Support Information contact line, such as Call Corporate Helpdesk for Support (510) 555-1234, so that users with problems have a contact number for assistance. Click Next.

22. If your users do not have Connection Manager 1.3 installed on their systems, select the installation option so that Connection Manager 1.3 is installed along with the profile. Click Next.

23. For any organization disclaimers, such as notices of privacy, security, appropriate use, or the like, a text file can be displayed at the time of logon. Enter the filename (or leave it blank) and click Next.

24. If you have additional files that need to be distributed with the profile, click Add and specify rqc.exe in the \Program Files\Windows Resource Kits\Tools\ directory. Click Next.

25. Choose Advanced Customization and then Next to give the customization file a unique version value. In the example used to create the RQS_Setup.bat, the authorized versions were Version 0, Version 1, and Test. For this Connection Manager profile to be accepted by the quarantine check, choose one of those options, such as Test, for the "value", as shown in Figure 26.13. Click Apply and then click Next. You will notice a DOS session open that configures the Connection Manager settings.

Figure 26.13. Advanced Customization screen.

26. Click Finished when done.

After creating the CM Profile, the files stored on the RRAS server in the \Program Files\Cmak\Profiles\cmprof directory need to be distributed to remote users accessing the network. Use any number of software distribution tools to deploy the CM Profile files, such as using a Group Policy, Logon Script installation, or Microsoft Systems Management Server (SMS).

Launching the CM Profile on Remote Access Client Systems

After the CM Profile has been created with the CMAK and distributed to remote access client systems, the executable file created (cmprof.exe in the case of the file created from the "Creating a Quarantine Connection Manager Profile" section) needs to be run. When executed, the file installs the connection manager system profile that creates a network connection icon on the remote system.

When remote users launch the network connection icon, they are prompted with the information entered into the CMAK configuration wizard. In the example in the "Creating a Quarantine Connection Manager Profile" section, the user will see a screen similar to the one in Figure 26.14.

Figure 26.14. Network connection by remote access user.


If the remote access user settings do not comply with the settings defined in the script.bat file, the user logon will be halted, effectively quarantining the user session until action is taken. The action, dependent on what was noted in the CMAK, may be to send users to a Web site where they are prompted to call for help desk support or to install certain patches and updates, or the remote system may be scanned, cleaned, and updated automatically.




Microsoft Windows Server 2003 Unleashed (R2 Edition)
ISBN: 0672328984
Year: 2006
Pages: 499