Question

Updating Remote Computers Before They Get In Through VPN.

Asked by: amishbatra

My scenario is I have 1-100 users and they connect remotely to my network through VPN.
They all run Windows 2000 or later and I want software that should check their computers for all the missing patches, virus definitions and security settings before they actually get into my network.
Can anybody help me with how I can achieve this?


Asked On: 2004-12-01 at 11:00:28 (ID 21226574)
Topics: Miscellaneous Security, IPSec Security Protocol, Enterprise Firewalls
Participating Experts: 4
Points: 250
Comments: 8


Answers

 

by: billwharton, posted on 2004-12-01 at 15:46:02, ID: 12721848

What VPN solution are you currently running?

Soon, Cisco's VPN concentrators would be able to do that with the NAC solution. Google for 'Cisco Network Admission control'

 

by: dvt_localboy, posted on 2004-12-01 at 23:56:30, ID: 12723755

Have you tried looking at SUS? It's an MS product...Software Update Services. It checks the PCs on your network and can be configured to automatically install any updates. SUS works like the MS update page from their site. Your SUS server will download header info for all new patches that have been released by MS, and then you approve the patches and they get downloaded onto your SUS server. You can then specify the settings in your Group Policy to ensure that the incoming PCs automatically download the patches and install and reboot. Only problem is they would have to be on your network for SUS to see them. So that doesn't really answer your question. Oh yes, and you need Windows 2K SP4, Windows XP SP1 or Windows 2K3.

 

by: poseidoncanuck, posted on 2004-12-02 at 00:14:05, ID: 12723817

Microsoft will offer a complementary technology, dubbed "NAP", in the next year or so as well:
http://www.microsoft.com/nap

Until then, the next best thing would be to use the RQS & RQC technologies that shipped with the Windows Server 2003 Resource Kit.  Start your reading here:
http://www.microsoft.com/technet/community/columns/cableguy/cg0203.mspx

Then check out the W2K3 documentation here:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dnsbf_vpn_aosh.asp

RQS download: http://www.microsoft.com/downloads/details.aspx?FamilyID=D4EC94B2-1C9D-4E98-BA02-B18AB07FED4E&displaylang=en

ISA integration with RQS: http://www.microsoft.com/downloads/details.aspx?FamilyId=3396C852-717F-4B2E-AB4D-1C44356CE37A&displaylang=en

[There's lots of resources at MS - just go to http://search.microsoft.com and search for "rqs".]

I won't tell you that this is an easy deployment, but then the problem you're trying to solve isn't easy to solve.  Most organizations I've worked with spend a ton of money trying to battle this, and no one gets it perfect.  Best you can hope for is to make a significant reduction in the number of infections that get into your network through the VPN channel.

To make a *real* impact on keeping your organization from being completely wiped out by the next infection, you should *also* focus a significant amount of attention on configuring your network, hosts and applications to protect your business critical data and services from *anything* bad on your network:
- Treat your network like it's as hostile as the Internet - don't assume that *any* other computer couldn't become infected and try to "attack" your critical servers
- ensure that you have a solid backup strategy for all your critical servers and data (and make sure that the backups can actually be used to recover your servers/data in case of a disaster)
- don't let any more than the necessary subnets communicate with the critical servers, and when VLANs or firewalls are already available, limit the protocols allowed as well.
- for Windows 2000 or later servers, configure IPSec "block" policies to only allow the ports (and IPs) you really need into the servers
- keep your servers up to date on their darned patches!  [SUS server is cheap insurance for this problem]
- lockdown the logon rights on the servers to just the groups that are needed to access these servers
- make *sure* that all users with logon rights are configured with strong passwords
- make *darned* sure that any service accounts configured on these critical servers are *not* used on the workstations, laptops, or physically insecure servers in your network

There's lots of other little things you can do, but these alone will *significantly* reduce the damage TO YOUR BUSINESS from worms on your network.  A few workstations infected won't (usually) take the company down, but your key database taken out for three days COULD.

 

by: amishbatra, posted on 2004-12-06 at 12:15:32, ID: 12757748

I have Novell authentication for Windows so I cannot use SUS or any other Windows stuff.
I will be using PIX for my firewall and VPN.
Can I use NAC from Cisco? If yes, do I need ACS and a Radius server?
Other than the above scenario, do we have anything else to fill the same?

 

by: billwharton, posted on 2004-12-06 at 12:23:08, ID: 12757826

Sure you do need a policy server (ACS server)
Right now the only ACS server which works is Cisco's TACACS. Freeware ACS servers wouldn't do.

Cisco's NAC is available on routers at the moment and in the 2nd phase, it would be available on other devices too.

Read more about it here:
http://www.cisco.com/warp/public/cc/so/neso/sqso/csdni_wp.htm

 

by: NTJOCK, posted on 2004-12-10 at 12:06:04, ID: 12795761

You should be able to do this with a Login script.

Please be careful about what you force your users to download in the process of logging in.  As the not so ancient Novell admin's saying goes "he with unhappy users may have secure network and no job".

I think it's always important to keep in mind that security is a balance between safety and immobility.  You may save more headaches to build a login script that checks for required components and installs them one at a time.  If I connect with 3 things missing it would take 3 connections to get all 3 things.  After installing one, the login script would just process normally.

This gets me secure but lets me do my work and keeps me from blaming IT for my connection issues.  You may be technically correct and still be hung out to dry if you can be blamed for sales people not hitting their numbers.  Novell is generally only found in conservative organizations that are risk averse and politically challenging.

I also seem to recall that Novell had some really bulletproof management stuff built in to the client.  It's been ages since I took my CNA/CNE exams.  But I seem to recall having been "captured" by client policies once or twice and had all sorts of crap installed on my workstation/laptop.  

I realize you want to secure them outside the fence, but you may find it substantially easier to secure them in the doorway instead so to speak.  I would suggest going that route because it probably is an incremental improvement over your current situation (i'll guess lax build control currently).

Windows Policies can also be an extremely effective tool to deploy to workstations.  The files are generally small and will lock down all but the most determined user.  Again, beware of being technically correct and political roadkill.

Whatever you do, I'd be sure to get complete buy-in from management before you do it.  Make sure you let them "choose" your option so it won't be your fault when users complain about stuff being installed.  Any time we make ourselves safer, we restrict our clients' ability to work.  That inevitably brings complaints from the users.  A few emails announcing the change and explaining its benefits might also go a long way towards setting expectations.
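The client-side half of the quarantine pattern poseidoncanuck describes, and the "check required components at logon" idea in NTJOCK's answer, both come down to the same script: verify patches, virus definitions and security settings on the connecting machine and report pass or fail before it is released onto the network. The PowerShell below is an added example, not code from the thread or from Microsoft's RQS/RQC kit; it assumes a Windows 8 / Server 2012 or later client with PowerShell 3+, a client SKU (the SecurityCenter2 namespace is absent on server editions), and the KB numbers are placeholders.

```powershell
# Added example (not from the thread or from the Resource Kit): the compliance check a
# quarantine or logon script would run on the VPN client before it is released.
# Assumes Windows 8 / Server 2012 or later, PowerShell 3+, client SKU. KB ids are placeholders.
param(
    [string[]]$RequiredHotfixes = @('KB0000001', 'KB0000002')   # placeholder KB ids
)

$failures = New-Object System.Collections.Generic.List[string]

# 1. Missing patches: every KB on the required list must appear among the installed hotfixes.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
foreach ($kb in $RequiredHotfixes) {
    if ($installed -notcontains $kb) { $failures.Add("missing patch $kb") }
}

# 2. Virus definitions: Security Center packs each AV product's state into an integer.
#    Commonly used decoding (an assumption here): middle byte 0x10 = product enabled,
#    low byte 0x00 = definitions up to date.
$products = @(Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct -ErrorAction SilentlyContinue)
if ($products.Count -eq 0) {
    $failures.Add('no antivirus product registered with Security Center')
} else {
    foreach ($av in $products) {
        $hex = '{0:X6}' -f [int]$av.productState
        if ($hex.Substring(2, 2) -ne '10') { $failures.Add("$($av.displayName) is disabled") }
        if ($hex.Substring(4, 2) -ne '00') { $failures.Add("$($av.displayName) definitions are out of date") }
    }
}

# 3. Security settings: the host firewall must be on for every profile.
Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | ForEach-Object {
    $failures.Add("firewall disabled for profile $($_.Name)")
}

# Result. In an RQS/RQC deployment, a passing check is the point where the script would
# call the RQC client tool to tell the server to lift the quarantine; here the exit code
# is the signal. Following the one-fix-per-logon advice above, a caller can act on
# $failures[0] only and let the user keep working.
if ($failures.Count -eq 0) {
    Write-Output 'COMPLIANT: client may be released from quarantine'
    exit 0
}
$failures | ForEach-Object { Write-Output "NONCOMPLIANT: $_" }
exit 1
```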
