9.1. Deployment Scenarios and Topologies

Depending upon the security needs of an organization, it can choose to implement various NAC-like components to address specific scenarios. The related technologies and scenarios discussed in this section will be the following:

  • Network Access Quarantine Control (NAQC) — Checking the security posture of remote clients as they attempt to connect remotely to the corporate LAN

  • Microsoft 802.1x — Controlling unwanted access

  • Microsoft NAP — Full-fledged NAC/NAP solution

9.1.1. Network Access Quarantine Control

Network Access Quarantine Control (NAQC) is a remote access inspection tool that shipped with Windows Server 2003. The purpose of this technology was to assess devices as they attempted remote connectivity to the corporate LAN. If you take a look at Microsoft's documentation on NAQC and NAP, it is very clear that Microsoft does not want any confusion between NAQC and NAP. Microsoft specifically states the following:

Network Access Quarantine Control is not the same as Network Access Protection, which is a new policy enforcement platform that is being considered for inclusion in Windows Server "Longhorn," the next version of the Windows Server operating system. Network Access Quarantine Control only provides added protection for remote access connections. Network Access Protection provides added protection for virtual private network (VPN) connections, Dynamic Host Configuration Protocol (DHCP) configuration, and Internet Protocol security (IPsec)-based communication....NAP is essentially the replacement for Network Access Quarantine Control and the long-term solution for customers.

NAQC consists of the following components:

  • Quarantine Compatible Remote Access Client — These are computers running operating systems that support this function, such as Windows XP, Windows Millennium Edition, and so on.

  • Remote Access Server — This is running the Routing and Remote Access service and listener component.

  • Remote Access Policy — This runs on the Remote Access Server.

NAQC utilizes custom-written scripts to analyze a system. Once the script runs successfully, the result is passed to a notifier component, which then communicates with a listener service on the Remote Access Server. If all is OK, the Remote Access Server releases the restrictions on the connection. NAQC comes with a number of components, including a notifier component called rqc.exe and a listener service, the Remote Access Quarantine Agent service (Rqs.exe). A custom notifier agent and listener service pair can be created using the Windows Server 2003 Resource Kit tools.

NOTE

The notification sent by rqc.exe is not encrypted or authenticated and can be spoofed by a malicious client.

Microsoft includes a number of sample scripts. These are the scripts that would be run to assess the client. Sample scripts include the following:

  • AV.bat — Checks if ETrust antivirus is the latest version, and all the latest virus signature files are installed on the machine.

  • CheckhotFixes.vbs — Finds if any critical operating system updates are missing on the client machine. (An administrator must provide a list of hotfixes mandated to be installed on the client machine in order to remove it from quarantine.)

  • ICS.vbs — Checks for Internet Connection Sharing (ICS) on each configured interface. If ICS is enabled on any of the interfaces, it is disabled.

  • Passwd.vbs — Checks the password strength against configured values.

  • Scrsaver.vbs — Checks for screen saver settings. This must be enabled and password-protected. If it is not active or password-protected, it is enabled and made password-protected.

  • WF.vbs — Checks for a Windows firewall on all profiles and on each of the interfaces configured. If the firewall is disabled on any interfaces, it is enabled.

By looking at the description of the scripts, you can see that there are some remediation components. For example, if ICS is enabled, it can be disabled. If the Windows Firewall is disabled, it can be enabled.

Following are the contents of the ICS.vbs sample script:

'************************************************************************
' SAMPLE SCRIPT - ICS.vbs
'
'************************************************************************
' Description - This script checks for Internet Connection Sharing (ICS)
'               on each of the interfaces configured.
'               Based on the user configuration, if ICS is enabled on any
'               of the interfaces, it is disabled.
'               *** REQUIRES ADMIN PRIVILEGES TO DISABLE ICS
'
' Supported Operating Systems -
'               Windows Server 2003
'               Windows XP
'               Windows XP Service Pack 2
'
' Usage       - ICS.vbs
'
' Returns     - 0 - If ICS is disabled on all interfaces
'               1 - If ICS is enabled on one or more interfaces
'               2 - If unable to query ICS settings on any interface
'               3 - If unable to disable Connection Sharing on an interface
'
' Copyright © Microsoft Corporation. All rights reserved
'
'************************************************************************
Option Explicit

' *** Configuration Option
'     0 - Only check ICS status on all interfaces
'     1 - Disable ICS if it is enabled on any interface
Const DISABLE_ICS = 1

'************************************************************************
' Function    - CheckPerInterfaceICSSetting
' Description - Checks the ICS setting on each of the interfaces and, if
'               it is enabled and DISABLE_ICS = 1, disables it.
'               Note: Disabling ICS on an interface requires Admin
'               privileges
' Returns     - Exits from the script with the following errorlevel
'               0 - If ICS is disabled on all the interfaces
'               1 - If ICS is enabled on any interface
'               2 - If unable to query ICS setting on an interface due to
'                   COM object not being initialized etc.
'               3 - If unable to disable ICS on any interface
'
'************************************************************************
Sub CheckPerInterfaceICSSetting()
    On Error Resume Next
    Dim objShare
    Dim objEveryColl
    Dim objShell

    ' The Home Networking Configuration COM object exposes the ICS settings
    Set objShare = WScript.CreateObject("HNetCfg.HNetShare")
    If (IsObject(objShare) = False) Then
       WScript.Echo("Unable to create object : HNetCfg.HNetShare")
       WScript.Quit (2)
    End If

    Set objEveryColl = objShare.EnumEveryConnection
    If (IsObject(objEveryColl) = False) Then
       WScript.Echo("Unable to Enumerate Connections")
       WScript.Quit (2)
    End If

    Dim objNetConn
    For Each objNetConn In objEveryColl
       Dim objShareCfg, ConnectionProps

       Set objShareCfg = objShare.INetSharingConfigurationForINetConnection(objNetConn)
       If (IsObject(objShareCfg) = False) Then
          WScript.Echo("Unable to retrieve Sharing Cfg Object")
          WScript.Quit (2)
       End If

       Set ConnectionProps = objShare.NetConnectionProps(objNetConn)
       If (IsObject(ConnectionProps) = False) Then
          WScript.Echo("Unable to retrieve ConnectionProps object")
          WScript.Quit (2)
       End If

       WScript.Echo "Connection : " & ConnectionProps.Name
       If (objShareCfg.SharingEnabled) Then
          WScript.Echo("ICS is Enabled on this Interface")

          ' Disable Connection Sharing on this interface if configured to do so
          If (DISABLE_ICS = 1) Then
             DisableICS(objShareCfg)
          Else
             WScript.Echo("Connection Sharing is Enabled on an interface. Validation Failed")
             WScript.Quit (1)
          End If
       Else
          WScript.Echo("ICS is Disabled on this Interface")
       End If
    Next

    Set objShare = Nothing
    Set objEveryColl = Nothing
    Set objShell = Nothing

    WScript.Echo("Connection Sharing is Disabled on all interfaces. Validation Passed")
    WScript.Quit (0)
End Sub

'************************************************************************
' Function    - DisableICS
' Description - Checks for Admin privileges and disables ICS on the
'               interface passed
' Returns     - Nothing
'
'************************************************************************
Sub DisableICS(objShareCfg)
    On Error Resume Next

    WScript.Echo("Disabling Connection Sharing...")
    objShareCfg.DisableSharing

    ' DisableSharing fails (Err.Number <> 0) when the script lacks admin rights
    If (Err.Number <> 0) Then
       WScript.Echo("Unable to Disable ICS on the Interface")
       WScript.Quit (3)
    End If
End Sub

'************************************************************************
' Function    - Main
' Description - Invokes routines to validate the ICS setting on all
'               the interfaces
' Returns     - Nothing
'
'************************************************************************
Sub Main()
    CheckPerInterfaceICSSetting()
End Sub

Main()
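For comparison, here is the same per-interface ICS posture check written in PowerShell. This is an added example, not code from the book or from Microsoft's NAQC sample scripts; it uses the same HNetCfg.HNetShare COM object and the same exit-code contract as ICS.vbs, and the function name and the $DisableIcs parameter are my own choices.

```powershell
# Added example (not from the book or Microsoft's NAQC samples): ICS.vbs
# ported to PowerShell with the same HNetCfg.HNetShare COM object and the
# same exit codes (0 clean, 1 ICS enabled and not remediated,
# 2 query failed, 3 disable failed). Assumption: run elevated when
# $DisableIcs is $true, because DisableSharing() needs admin privileges.
param(
    [bool]$DisableIcs = $true   # mirrors DISABLE_ICS = 1 in ICS.vbs
)
function Test-IcsPosture {
    param([bool]$Remediate)
    try {
        $share = New-Object -ComObject HNetCfg.HNetShare
    } catch {
        Write-Host "Unable to create object : HNetCfg.HNetShare"
        return 2
    }
    $connections = $share.EnumEveryConnection
    if ($null -eq $connections) {
        Write-Host "Unable to enumerate connections"
        return 2
    }
    foreach ($conn in $connections) {
        try {
            $props = $share.NetConnectionProps($conn)
            $cfg   = $share.INetSharingConfigurationForINetConnection($conn)
        } catch {
            Write-Host "Unable to retrieve sharing configuration"
            return 2
        }
        Write-Host ("Connection : {0}" -f $props.Name)
        if (-not $cfg.SharingEnabled) { continue }
        Write-Host "ICS is Enabled on this Interface"
        if (-not $Remediate) {
            Write-Host "Connection Sharing is Enabled on an interface. Validation Failed"
            return 1
        }
        try {
            $cfg.DisableSharing()    # remediation step; throws if not elevated
        } catch {
            Write-Host "Unable to Disable ICS on the Interface"
            return 3
        }
    }
    Write-Host "Connection Sharing is Disabled on all interfaces. Validation Passed"
    return 0
}
# Only the integer reaches the pipeline, so the exit code matches ICS.vbs
exit (Test-IcsPosture -Remediate $DisableIcs)
```

Run it with -DisableIcs $false to get the report-only behaviour of DISABLE_ICS = 0.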
