Hardening Windows School: Advanced checklist on network access quarantining


Jonathan Hassell
06.14.2005


The following is one of three checklists to accompany Jonathan Hassell's Hardening Windows School, a series of six 10-minute webcasts designed to help you quickly and correctly lock down Windows systems. Lesson #6, Applying network access quarantine options, premieres Thursday, June 22.


One of the easiest and arguably most prevalent ways for nefarious software or Internet users to creep into your network is not through firewall holes or brute-force attacks -- nor is it any means that might occur at your campus or corporate headquarters. It's through mobile users trying to connect to your business network while on the road.

Consider why that is the case: Most remote users are authenticated only on the basis of their identities, and no effort is made to verify that their hardware and software meet certain baseline requirements. It is not uncommon for remote users to fail any or all of the following guidelines:

  • The latest service pack and security hotfixes must be installed;
  • The company-standard antivirus software must be installed and running with the latest signature files;
  • Internet or network routing must be disabled;
  • Windows XP Internet Connection Firewall (ICF) (now named Windows Firewall) or any other approved firewall must be installed, enabled and actively protecting ports on the computer.

You would expect business desktops to follow policy, but mobile users have traditionally been forgotten or grudgingly accepted as exceptions to the rule. Therefore, they become an active port for malware to enter and infect your network. That's why I'm going to explain why you need a security feature introduced in Windows Server 2003, Network Access Quarantine Control (NAQC), which gives you a chance to vet computers trying to access your network remotely, effectively closing ports.

Sound like a decent idea? Browse through the checklist below to learn more about quarantining.

Hardening Windows School Checklist: Know your network access quarantine options

Understand how Network Access Quarantine Control (NAQC) works

Here's basically how NAQC works: Under NAQC, when a client establishes a connection to a remote network's endpoint -- a machine running the Routing and Remote Access Service (RRAS) -- the destination Dynamic Host Configuration Protocol (DHCP) server gives the remote, connecting computer an IP address, but an Internet Authentication Service (IAS) server establishes a "quarantine mode." In quarantine mode, a set of packet filters restricts the traffic sent to and received from a remote access client, and a session timer limits the duration of a remote client's connection in quarantine mode before being terminated. Once the remote computer is in quarantine mode, the client computer automatically executes the baseline script. Windows runs the script and, if satisfied with the result, contacts the listening service running on the Windows Server 2003 back-end machine to report it. Quarantine mode is then removed and normal network access is restored. If Windows is not satisfied with the result, the client is eventually disconnected when the session timer reaches the configured limit as described above.

Decide on your preferred criteria for allowing regular access to your network

What would you like to check when remote users try to connect? Here are some ideas:
  • The latest approved operating system service packs installed
  • Antivirus software installed, working and updated with the latest signature files
  • Firewall protections enabled
  • Internet routing disabled
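
A baseline script covering the four criteria listed above, as an added example that is not part of the original checklist or of Microsoft's NAQC tooling. It assumes a current Windows client with PowerShell and uses Microsoft Defender as a stand-in for the company-standard antivirus; the thresholds and the function names `Invoke-Check` and `Test-QuarantineBaseline` are hypothetical.

```powershell
# Added example: client-side baseline check for the four criteria listed above.
# Thresholds are constructed; Microsoft Defender stands in for the company AV.
$ErrorActionPreference = 'Stop'   # turn cmdlet errors into exceptions
$MinOsBuild    = 19045            # constructed: lowest approved OS build
$MaxSigAgeDays = 3                # constructed: oldest acceptable AV signatures

function Invoke-Check([scriptblock]$Test) {
    # Fail closed: a check that errors out counts as a failed check.
    try { [bool](& $Test) } catch { $false }
}

function Test-QuarantineBaseline {
    $r = [ordered]@{}
    # 1. Operating system at or above the approved patch level
    $r['OsPatchLevel'] = Invoke-Check {
        [int](Get-CimInstance Win32_OperatingSystem).BuildNumber -ge $MinOsBuild
    }
    # 2. Antivirus installed, running, signatures recent
    $r['Antivirus'] = Invoke-Check {
        $av = Get-MpComputerStatus
        $av.AntivirusEnabled -and $av.RealTimeProtectionEnabled -and
            ($av.AntivirusSignatureAge -le $MaxSigAgeDays)
    }
    # 3. IP routing disabled (a missing IPEnableRouter value means disabled)
    $r['RoutingDisabled'] = Invoke-Check {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
        (Get-ItemProperty -Path $key).IPEnableRouter -ne 1
    }
    # 4. Firewall enabled on every profile (Domain, Private, Public)
    $r['FirewallEnabled'] = Invoke-Check {
        $fw = @(Get-NetFirewallProfile)
        $fw.Count -gt 0 -and @($fw | Where-Object { $_.Enabled -ne 'True' }).Count -eq 0
    }
    $r
}

$checks = Test-QuarantineBaseline
$failed = @($checks.GetEnumerator() | Where-Object { -not $_.Value } |
            ForEach-Object { $_.Key })
if ($failed.Count -eq 0) {
    Write-Output 'BASELINE PASS'   # wrapper may now notify the quarantine listener
    exit 0
}
# Non-zero exit: stay quarantined until the session timer disconnects the client.
Write-Output ('BASELINE FAIL: ' + ($failed -join ', '))
exit 1
```

The list of failed checks in the output gives the help desk, or a quarantine-area Web page, something concrete to point the user at.
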

Begin planning your resource areas for users in quarantine mode

Under NAQC, you can establish a limited set of resources within the quarantine area where users can download information and software to help them rectify any issues that prevent them from accessing the unrestricted network. Consider posting a Web page explaining the quarantine process. Include information on how to get help from the help desk. You might also include a link to the latest service pack, a copy of your corporate antivirus software and individual links to hotfixes that you require. Give your users the power to self-correct their problems while still enhancing security on your network.

Explore the Routing and Remote Access Service (RRAS) policy functionality

A great guide to RRAS can be found at ServerWatch.com, and Chapter 11 of my book Learning Windows Server 2003 explains how to set up RRAS and teaches you how to use policies and quarantining.


About the author: Jonathan Hassell is an author, consultant and speaker residing in Charlotte, North Carolina. Jonathan's books include RADIUS and Learning Windows Server 2003 for O'Reilly Media and Hardening Windows for Apress. His work is seen regularly in popular periodicals such as Windows IT Pro Magazine, SecurityFocus, PC Pro and Microsoft TechNet Magazine. He speaks around the world on topics including networking, security and Windows administration.

Copyright 2005

