Updating Remote Computers Before They Get In Through VPN

amishbatra Asked:
My scenario is that I have 1-100 users who connect remotely to my network through VPN.
They all run Windows 2000 or later, and I want software that checks their computers for missing patches, virus definitions and security settings before they actually get into my network.
Can anybody help me with how I can achieve this?
billwharton Commented:
What VPN solution are you currently running?

Soon, Cisco's VPN concentrators will be able to do that with the NAC solution. Google for 'Cisco Network Admission Control'.
Leon Fester Commented:
Have you tried looking at SUS? It's a MS product...Software Update Services. It checks the PCs on your network and can be configured to automatically install any updates. SUS works like the MS Update page on their site. Your SUS server will download header info for all new patches that have been released by MS; you then approve the patches and they get downloaded onto your SUS server. You can then specify the settings in your Group Policy to ensure that the incoming PCs automatically download the patches, install them and reboot. The only problem is that they would have to be on your network for SUS to see them. So that doesn't really answer your question. Oh yes, and you need Windows 2K SP4, Windows XP SP1 or Windows 2K3.
poseidoncanuck Commented:
Microsoft will offer a complementary technology, dubbed "NAP", in the next year or so as well:
http://www.microsoft.com/nap

Until then, the next best thing would be to use the RQS & RQC technologies that shipped with the Windows Server 2003 Resource Kit.  Start your reading here:
http://www.microsoft.com/technet/community/columns/cableguy/cg0203.mspx

Then check out the W2K3 documentation here:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dnsbf_vpn_aosh.asp

RQS download: http://www.microsoft.com/downloads/details.aspx?FamilyID=D4EC94B2-1C9D-4E98-BA02-B18AB07FED4E&displaylang=en

ISA integration with RQS: http://www.microsoft.com/downloads/details.aspx?FamilyId=3396C852-717F-4B2E-AB4D-1C44356CE37A&displaylang=en

[There's lots of resources at MS - just go to http://search.microsoft.com and search for "rqs".]

I won't tell you that this is an easy deployment, but then the problem you're trying to solve isn't easy to solve.  Most organizations I've worked with spend a ton of money trying to battle this, and no one gets it perfect.  The best you can hope for is to make a significant reduction in the number of infections that get into your network through the VPN channel.

To make a *real* impact on keeping your organization from being completely wiped out by the next infection, you should *also* focus a significant amount of attention on configuring your network, hosts and applications to protect your business critical data and services from *anything* bad on your network:
- Treat your network like it's as hostile as the Internet - don't assume that *any* other computer couldn't become infected and try to "attack" your critical servers
- ensure that you have a solid backup strategy for all your critical servers and data (and make sure that the backups can actually be used to recover your servers/data in case of a disaster)
- don't let any more than the necessary subnets communicate with the critical servers, and when VLANs or firewalls are already available, limit the protocols allowed as well.
- for Windows 2000 or later servers, configure IPSec "block" policies to only allow the ports (and IPs) you really need into the servers
- keep your servers up to date on their darned patches!  [SUS server is cheap insurance for this problem]
- lock down the logon rights on the servers to just the groups that are needed to access these servers
- make *sure* that all users with logon rights are configured with strong passwords
- make *darned* sure that any service accounts configured on these critical servers are *not* used on the workstations, laptops, or physically insecure servers in your network

There's lots of other little things you can do, but these alone will *significantly* reduce the damage TO YOUR BUSINESS from worms on your network.  A few infected workstations won't (usually) take the company down, but your key database taken out for three days COULD.
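The "block everything, permit only the ports and IPs you really need" IPSec policy in the list above, modelled in Python as an added example (this is not code from the thread, and not how Windows builds IPSec policies, which is done with the IP Security Policy snap-in or netsh/ipseccmd): a default-deny inbound filter for a database server, plus a dry run over a few constructed connection-log lines to show what such a policy would have stopped. The subnets, port numbers, rule names and log lines are all assumptions. A real policy on a domain-member server would also need permits for Kerberos, LDAP and DNS to the domain controllers, which this sample deliberately leaves out.

```python
"""Default-deny inbound filter in the spirit of a Windows 2000/2003 IPSec
'block' policy with explicit permit rules.

Added example, not code from the original thread or from Windows.  The
policy format, subnets, ports and sample log lines are constructed
assumptions for illustration only.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Permit:
    name: str                      # label for the rule, reported on a match
    src: ipaddress.IPv4Network     # source subnet allowed to reach the server
    proto: str                     # "tcp" or "udp"
    dport: int                     # destination port on the server


class BlockPolicy:
    """Inbound filter for one server: a catch-all block plus explicit permits."""

    def __init__(self, permits: List[Permit]):
        self.permits = permits

    def decide(self, src_ip: str, proto: str, dport: int) -> Tuple[str, Optional[str]]:
        """Return ('permit', rule name) on the first matching permit, else ('block', None)."""
        ip = ipaddress.ip_address(src_ip)
        for rule in self.permits:
            if ip in rule.src and rule.proto == proto.lower() and rule.dport == dport:
                return "permit", rule.name
        return "block", None  # no explicit permit == dropped, like the IPSec block rule


def audit(policy: BlockPolicy, lines: List[str]) -> List[str]:
    """Dry-run the policy over log lines of the form 'src proto dport' and
    return the lines the policy would have blocked."""
    blocked = []
    for line in lines:
        src, proto, dport = line.split()
        action, _ = policy.decide(src, proto, int(dport))
        if action == "block":
            blocked.append(line)
    return blocked


# Constructed policy for a database server: only the application-server
# subnet may reach SQL Server, only the admin subnet may use RDP.
DB_SERVER_POLICY = BlockPolicy([
    Permit("app servers -> SQL Server", ipaddress.ip_network("10.1.20.0/24"), "tcp", 1433),
    Permit("admin subnet -> RDP", ipaddress.ip_network("10.1.99.0/27"), "tcp", 3389),
])

# Constructed connection-log lines (not real traffic).
SAMPLE_LOG = [
    "10.1.20.7 tcp 1433",    # application server: expected, permitted
    "10.1.99.5 tcp 3389",    # admin workstation: expected, permitted
    "10.1.50.23 tcp 445",    # VPN client subnet probing SMB: worm-style, blocked
    "10.1.50.23 tcp 1433",   # VPN client going straight at SQL: not permitted, blocked
    "10.1.20.7 udp 1434",    # SQL browser from an app server: never opened, blocked
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        src, proto, dport = line.split()
        print(line, "->", DB_SERVER_POLICY.decide(src, proto, int(dport)))
    print("would block:", audit(DB_SERVER_POLICY, SAMPLE_LOG))
```

The point of the dry run is the third and fourth lines: an infected VPN client on 10.1.50.0/24 gets the same treatment as an Internet host, which is exactly the "treat your network as hostile" stance in the list above.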
amishbatra (Author) Commented:
I have Novell authentication for Windows, so I cannot use SUS or any other Windows stuff.
I will be using PIX for my firewall and VPN.
Can I use NAC from Cisco? If yes, do I need an ACS and RADIUS server?
Other than the above scenario, do we have anything else to fill the same need?
billwharton Commented:
Sure, you do need a policy server (ACS server).
Right now the only ACS server that works is Cisco's TACACS. Freeware ACS servers wouldn't do.

Cisco's NAC is available on routers at the moment and in the 2nd phase, it would be available on other devices too.

Read more about it here:
http://www.cisco.com/warp/public/cc/so/neso/sqso/csdni_wp.htm

NTJOCK Commented:
You should be able to do this with a Login script.

Please be careful about what you force your users to download in the process of logging in.  As the not-so-ancient Novell admin's saying goes, "he with unhappy users may have secure network and no job".

I think it's always important to keep in mind that security is a balance between safety and immobility.  You may save yourself more headaches by building a login script that checks for required components and installs them one at a time.  If I connect with 3 things missing, it would take 3 connections to get all 3 things.  After installing one, the login script would just process normally.

This gets me secure but lets me do my work and keeps me from blaming IT for my connection issues.  You may be technically correct and still be hung out to dry if you can be blamed for sales people not hitting their numbers.  Novell is generally only found in conservative organizations that are risk averse and politically challenging.

I also seem to recall that Novell had some really bulletproof management stuff built in to the client.  It's been ages since I took my CNA/CNE exams.  But I seem to recall having been "captured" by client policies once or twice and had all sorts of crap installed on my workstation/laptop.  

I realize you want to secure them outside the fence, but you may find it substantially easier to secure them in the doorway instead, so to speak.  I would suggest going that route because it probably is an incremental improvement over your current situation (I'll guess lax build control currently).

Windows Policies can also be an extremely effective tool to deploy to workstations.  The files are generally small and will lock down all but the most determined users.  Again, beware of being technically correct and political roadkill.

Whatever you do, I'd be sure to get complete buy-in from management before you do it.  Make sure you let them "choose" your option so it won't be your fault when users complain about stuff being installed.  Any time we make ourselves safer, we restrict our clients' ability to work.  That inevitably brings complaints from the users.  A few emails announcing the change and explaining its benefits might also go a long way towards setting expectations.
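Both the quarantine model poseidoncanuck describes (RQS/RQC release the client from quarantine only after the check script passes) and NTJOCK's incremental login script (fix one missing item per logon and let the session continue) come down to the same posture evaluation with a different decision on top. The Python below is an added example, not code from the thread and not from any Microsoft, Cisco or Novell product: it evaluates a constructed client inventory against a policy and then applies both decision models. The policy values, the inventory format, the hotfix IDs used as required patches and the sample laptops are assumptions for illustration; how the inventory gets collected from the machine (registry, WMI, the AV vendor's tooling) is outside the example.

```python
"""Logon-time posture check for VPN clients: one evaluator, two decision
models (quarantine gate vs. one-fix-per-logon).

Added example, not code from the original thread or from any vendor's
quarantine product.  Policy values, inventory format, hotfix IDs and the
sample clients are constructed for illustration.
"""
from dataclasses import dataclass, replace
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Policy:
    required_patches: List[str]        # hotfix IDs every client must have
    max_av_definition_age_days: int    # how stale AV definitions may be
    min_service_pack: Dict[str, int]   # approved OS -> minimum SP level
    require_firewall: bool = True


@dataclass
class ClientInventory:
    """What the logon script collected from the connecting machine."""
    hostname: str
    os: str
    service_pack: int
    installed_patches: List[str]
    av_definition_date: date
    firewall_enabled: bool


@dataclass(frozen=True)
class Finding:
    check: str    # which policy item failed
    detail: str   # reason shown to the user
    fix: str      # remediation the script would run


def evaluate(client: ClientInventory, policy: Policy, today: date) -> List[Finding]:
    """Return every policy violation, OS problems first; empty list == compliant."""
    findings: List[Finding] = []
    min_sp = policy.min_service_pack.get(client.os)
    if min_sp is None:
        findings.append(Finding("os", f"{client.os} is not an approved OS", "rebuild"))
    elif client.service_pack < min_sp:
        findings.append(Finding("service_pack", f"SP{client.service_pack} below SP{min_sp}",
                                f"install SP{min_sp}"))
    for kb in policy.required_patches:
        if kb not in client.installed_patches:
            findings.append(Finding("patch", f"{kb} not installed", f"install {kb}"))
    age = (today - client.av_definition_date).days
    if age > policy.max_av_definition_age_days:
        findings.append(Finding("av_definitions", f"definitions are {age} days old",
                                "update AV definitions"))
    if policy.require_firewall and not client.firewall_enabled:
        findings.append(Finding("firewall", "host firewall disabled", "enable firewall"))
    return findings


def quarantine_decision(findings: List[Finding]) -> str:
    """Quarantine-gate model: full access only when there is nothing left to fix."""
    return "release" if not findings else "quarantine"


def apply_fix(client: ClientInventory, finding: Finding, today: date,
              policy: Policy) -> ClientInventory:
    """Simulate one remediation (constructed behaviour, nothing is really installed)."""
    if finding.check == "service_pack":
        return replace(client, service_pack=policy.min_service_pack[client.os])
    if finding.check == "patch":
        kb = finding.detail.split()[0]
        return replace(client, installed_patches=client.installed_patches + [kb])
    if finding.check == "av_definitions":
        return replace(client, av_definition_date=today)
    if finding.check == "firewall":
        return replace(client, firewall_enabled=True)
    raise ValueError(f"no automatic fix for {finding.check}")


def logons_until_clean(client: ClientInventory, policy: Policy, today: date,
                       max_logons: int = 20) -> int:
    """Incremental model: fix only the first finding per logon, then let the
    session proceed.  Returns how many logons had to install something."""
    fixes = 0
    for _ in range(max_logons):
        findings = evaluate(client, policy, today)
        if not findings:
            return fixes
        client = apply_fix(client, findings[0], today, policy)
        fixes += 1
    raise RuntimeError(f"{client.hostname} never became compliant")


POLICY = Policy(required_patches=["KB823980", "KB835732"],   # sample hotfix IDs
                max_av_definition_age_days=7,
                min_service_pack={"Windows 2000": 4, "Windows XP": 1})
TODAY = date(2004, 6, 1)

# Constructed laptop missing three things: one patch, stale AV definitions,
# firewall off (NTJOCK's "3 things missing" case).
SALES_LAPTOP = ClientInventory("SALES-LT07", "Windows 2000", 4, ["KB823980"],
                               date(2004, 5, 1), False)
# Constructed desktop that meets the policy.
CLEAN_DESKTOP = ClientInventory("HQ-WS12", "Windows XP", 1, ["KB823980", "KB835732"],
                                date(2004, 5, 30), True)

if __name__ == "__main__":
    for c in (SALES_LAPTOP, CLEAN_DESKTOP):
        f = evaluate(c, POLICY, TODAY)
        print(c.hostname, quarantine_decision(f), [x.detail for x in f],
              "logons to clean:", logons_until_clean(c, POLICY, TODAY))
```

For SALES-LT07 the quarantine model keeps the laptop out until all three items are fixed in one session, while the incremental model lets it work after each logon and needs three logons in total, which is the "3 connections to get all 3 things" trade-off NTJOCK describes. The ordering inside evaluate() is the policy decision that matters for the incremental model: whatever comes first is what gets fixed first.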
