Windows Tip Sheet
Welcome to Win2003 SP1, Part 4
Quarantine unfit clients before they log into your network with RAS.
This week’s tip is last in a four-part series of Win2003
Service Pack 1 tips.
I know, I know: Nobody (well, not many bodies) uses Windows’ built-in
RAS server to let users dial in or VPN into the network. Lots of companies
use dedicated remote access gateways and whatnot, which is fine; but Win2003
SP1 offers a new RAS Quarantine feature that is way cool. Simply put, it lets
you verify certain conditions on a client before the connection is
allowed onto the network. Normally, a remote access policy only evaluates simple criteria like
credentials, group membership and time of day; with quarantine you can also run a script on
the client that checks (for example) virus definition versions, firewall status or whatever
else you care about. Until the script reports back that the client passes, the connection is
restricted by packet filters; only clients up to your spec are let in.
SP1 builds the server side into the OS; for pre-SP1 servers the Win2003 Resource Kit supplies
the same two components. Rqc.exe is the notifier, which runs on the client and is called by your
check script once the client passes; Rqs.exe is the listener, which runs on the RRAS server as the
Remote Access Quarantine Agent service and lifts the quarantine filters when a notifier reports a
script version it recognizes. Note that the service isn’t configured to start automatically upon
installation, so you’ll want to change that if you’re using it. Rqs.exe listens on TCP port 7250 by
default; you can change that through the Port value under the Rqs service’s registry key, and the
client must be told the same port.
Configuring the quarantine service isn’t the easiest thing in the world—you
do have to write the scripts that decide whether or not clients are going to
be allowed in—but it isn’t impossible, either. A few well-placed
WMI queries, for example, can quickly determine things like whether or not a
given hotfix is installed, the last-modified date of a virus definitions file, and so
forth. The script is typically deployed as a post-connect action in a Connection Manager (CMAK)
profile; it runs its checks and, if they pass, calls Rqc.exe to notify the server. I’ve linked to
some Microsoft sample scripts below.
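Here is an added example of what such a check script can look like, written in PowerShell rather than the VBScript/batch of Microsoft’s samples; it is not code from the original column or from Microsoft. It assumes it is launched as a CMAK post-connect action with the CMAK variables (connection name, tunnel name, domain, user) passed in as parameters, and the hotfix ID, definitions-file path and script-version string are placeholders you replace with your own. The rqc.exe call follows the documented positional argument order (connection name, tunnel connection name, TCP port, domain, user name, script version); check it against the Resource Kit version you deploy.

```powershell
# Added example quarantine check script (not from the original column or Microsoft).
# Run on the client as a CMAK post-connect action. Exits 1 and leaves the client
# behind the quarantine filters unless every check passes.
param(
    [string]$ConnName,                                   # %DialRasEntry% from CMAK
    [string]$TunnelConnName = '',                        # %TunnelRasEntry% (empty if no tunnel)
    [string]$Domain,                                     # %Domain%
    [string]$UserName,                                   # %UserName%
    [int]$RqsPort = 7250,                                # must match the port Rqs.exe listens on
    [string]$ScriptVersion = 'RASQuarantineScript1',     # placeholder; must match an AllowedSet value configured for rqs
    [string]$RequiredHotfix = 'KB000000',                # placeholder hotfix ID
    [string]$DefinitionsFile = 'C:\Program Files\AV\virus.dat',  # placeholder path
    [int]$MaxDefinitionAgeDays = 7
)

function Test-HotfixInstalled([string]$HotfixId) {
    # Win32_QuickFixEngineering lists installed updates by KB number.
    $fix = Get-WmiObject -Class Win32_QuickFixEngineering -Filter "HotFixID='$HotfixId'"
    return ($null -ne $fix)
}

function Test-DefinitionsCurrent([string]$Path, [int]$MaxAgeDays) {
    # CIM_DataFile needs doubled backslashes in the WQL filter and returns
    # LastModified as a DMTF datetime string, which we convert before comparing.
    $wqlPath = $Path.Replace('\', '\\')
    $file = Get-WmiObject -Class CIM_DataFile -Filter "Name='$wqlPath'"
    if ($null -eq $file) { return $false }      # no definitions file at all: fail closed
    $modified = [System.Management.ManagementDateTimeConverter]::ToDateTime($file.LastModified)
    return ($modified -gt (Get-Date).AddDays(-$MaxAgeDays))
}

function Test-FirewallEnabled {
    # HNetCfg.FwMgr is the Windows Firewall COM interface on XP SP2 / 2003 SP1 era clients.
    try {
        $fw = New-Object -ComObject HNetCfg.FwMgr
        return [bool]$fw.LocalPolicy.CurrentProfile.FirewallEnabled
    } catch {
        return $false   # no firewall API means we cannot prove it is on
    }
}

$failures = @()
if (-not (Test-HotfixInstalled $RequiredHotfix)) {
    $failures += "hotfix $RequiredHotfix missing"
}
if (-not (Test-DefinitionsCurrent $DefinitionsFile $MaxDefinitionAgeDays)) {
    $failures += "virus definitions older than $MaxDefinitionAgeDays days"
}
if (-not (Test-FirewallEnabled)) {
    $failures += 'Windows Firewall disabled'
}

if ($failures.Count -gt 0) {
    # Do NOT call rqc.exe: the client stays behind the quarantine filters
    # until the RRAS-side quarantine timer drops the connection.
    Write-Warning ('Quarantine check failed: ' + ($failures -join '; '))
    exit 1
}

# All checks passed: notify Rqs.exe on the RRAS server so it removes the filters.
# Positional argument order per the documented rqc.exe syntax:
#   ConnName TunnelConnName TCPPort Domain Username ScriptVersion
& rqc.exe $ConnName $TunnelConnName $RqsPort $Domain $UserName $ScriptVersion
exit $LASTEXITCODE
```

Two design points worth copying even if you use a different language: each check fails closed (a missing definitions file or an unavailable firewall API counts as a failure, not a pass), and the notifier is only ever invoked after every check has passed, since the server has no way to know what the script actually tested.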
If you are using Windows’ built-in RAS, look
into quarantine. It’s a great way to keep clients off the network when
they’re in a vulnerable (i.e., less protected than they could be) state.
One caveat: the server only checks that the notifier reports a script-version string it
recognizes, so a user who controls the client can skip the checks and call the notifier
directly. Treat quarantine as a hygiene measure for cooperative clients, not as a hard
security boundary against a hostile one.
If you’re not using Windows’ built-in RAS … well, you’re
probably not going to switch. But read up on quarantine anyway, because it’s
a concept that most third-party remote access vendors are getting into.
More Resources:
- Read Professor Windows’ brief on RAS Quarantine.
- More details on quarantine and how it works here.
- Get sample quarantine scripts here.
- Read everything Microsoft’s written to date on SP1 here.
- Access updated Win2003 help (including SP1-related changes) here.
About the Author
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.