Updating Remote Computers Before They Get In Through VPN.

Posted on 2004-12-01
Last Modified: 2013-11-16
My scenario is I have 1-100 users and they connect remotely to my network through VPN.
They all run Windows 2000 or later and I want software that checks their computers for all the missing patches, virus definitions and security settings before they actually get into my network.
Can anybody help me with how I can achieve this?
Question by:amishbatra
    LVL 11

    Expert Comment

    What VPN solution are you currently running?

    Soon, Cisco's VPN concentrators would be able to do that with the NAC solution. Google for 'Cisco Network Admission control'
    LVL 26

    Expert Comment

    by:Leon Fester
    Have you tried looking at SUS? It's an MS product...Software Update Services. It checks the PCs on your network and can be configured to automatically install any updates. SUS works like the MS update page from their site. Your SUS server will download header info. for all new patches that have been released by MS, and then you approve the patches and they get downloaded onto your SUS server. You can then specify the settings in your Group Policy to ensure that the incoming PCs automatically download the patches and install and reboot. Only problem is they would have to be on your network for SUS to see them. So that doesn't really answer your question. Oh yes, and you need Windows 2K SP4, Windows XP SP1 or Windows 2K3.
    LVL 4

    Expert Comment

    Microsoft will offer a complementary technology, dubbed "NAP", in the next year or so as well:

    Until then, the next best thing would be to use the RQS & RQC technologies that shipped with the Windows Server 2003 Resource Kit.  Start your reading here:

    Then check out the W2K3 documentation here:

    RQS download:

    ISA integration with RQS:

    [There's lots of resources at MS - just go to and search for "rqs".]

    I won't tell you that this is an easy deployment, but then the problem you're trying to solve isn't easy to solve.  Most organizations I've worked with spend a ton of money trying to battle this, and no one gets it perfect.  Best you can hope for is to make a significant reduction in the number of infections that get into your network through the VPN channel.

    To make a *real* impact on keeping your organization from being completely wiped out by the next infection, you should *also* focus a significant amount of attention on configuring your network, hosts and applications to protect your business critical data and services from *anything* bad on your network:
    - Treat your network like it's as hostile as the Internet - don't assume that *any* other computer couldn't become infected and try to "attack" your critical servers
    - ensure that you have a solid backup strategy for all your critical servers and data (and make sure that the backups can actually be used to recover your servers/data in case of a disaster)
    - don't let any more than the necessary subnets communicate with the critical servers, and when VLANs or firewalls are already available, limit the protocols allowed as well.
    - for Windows 2000 or later servers, configure IPSec "block" policies to only allow the ports (and IPs) you really need into the servers
    - keep your servers up to date on their darned patches!  [SUS server is cheap insurance for this problem]
    - lockdown the logon rights on the servers to just the groups that are needed to access these servers
    - make *sure* that all users with logon rights are configured with strong passwords
    - make *darned* sure that any service accounts configured on these critical servers are *not* used on the workstations, laptops, or physically insecure servers in your network

    There's lots of other little things you can do, but these alone will *significantly* reduce the damage TO YOUR BUSINESS from worms on your network.  A few workstations infected won't (usually) take the company down, but your key database taken out for three days COULD.

    Author Comment

    I have Novell authentication for Windows so I cannot use SUS or any other Windows stuff.
    I will be using PIX for my firewall and VPN.
    Can I use NAC from Cisco? If yes, do I need ACS and a RADIUS server?
    Other than the above scenario, do we have anything else to fulfil the same requirement?
    LVL 11

    Accepted Solution

    Sure, you do need a policy server (ACS server).
    Right now the only ACS server which works is Cisco's TACACS. Freeware ACS servers wouldn't do.

    Cisco's NAC is available on routers at the moment and in the 2nd phase, it would be available on other devices too.

    Read more about it here:

    LVL 1

    Assisted Solution

    You should be able to do this with a Login script.

    Please be careful about what you force your users to download in the process of logging in.  As the not so ancient Novell admin's saying goes "he with unhappy users may have secure network and no job".

    I think it's always important to keep in mind that security is a balance between safety and immobility.  You may save more headaches by building a login script that checks for required components and installs them one at a time.  If I connect with 3 things missing it would take 3 connections to get all 3 things.  After installing one, the login script would just process normally.

    This gets me secure but lets me do my work and keeps me from blaming IT for my connection issues.  You may be technically correct and still be hung out to dry if you can be blamed for sales people not hitting their numbers.  Novell is generally only found in conservative organizations that are risk averse and politically challenging.

    I also seem to recall that Novell had some really bulletproof management stuff built in to the client.  It's been ages since I took my CNA/CNE exams.  But I seem to recall having been "captured" by client policies once or twice and had all sorts of crap installed on my workstation/laptop.

    I realize you want to secure them outside the fence, but you may find it substantially easier to secure them in the doorway instead, so to speak.  I would suggest going that route because it probably is an incremental improvement over your current situation (I'll guess lax build control currently).

    Windows Policies can also be an extremely effective tool to deploy to workstations.  The files are generally small and will lock down all but the most determined user.  Again, beware of being technically correct and political roadkill.

    Whatever you do, I'd be sure to get complete buy-in from management before you do it.  Make sure you let them "choose" your option so it won't be your fault when users complain about stuff being installed.  Any time we make ourselves safer, we restrict our clients' ability to work.  That inevitably brings complaints from the users.  A few emails announcing the change and explaining its benefits might also go a long way towards setting expectations.
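The posture check that both the RQS/RQC quarantine approach and the "install one missing component per login" script above depend on, written out as an added example; this is not RQS, RQC or any Cisco or Novell component, and the policy values, hotfix IDs and client inventories are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Policy:
    required_patches: frozenset      # hotfix IDs that must be installed
    max_definition_age_days: int     # AV definitions older than this fail
    required_settings: dict          # setting name -> required value

@dataclass(frozen=True)
class Inventory:
    installed_patches: frozenset     # what the client reports as installed
    definitions_date: date           # date of the client's AV definitions
    settings: dict                   # observed security settings

def evaluate(policy: Policy, inv: Inventory, today: date) -> list:
    """Return the ordered list of deficiencies; an empty list means compliant."""
    missing = [f"patch:{p}" for p in sorted(policy.required_patches - inv.installed_patches)]
    if (today - inv.definitions_date).days > policy.max_definition_age_days:
        missing.append("av-definitions:stale")
    for key, wanted in sorted(policy.required_settings.items()):
        if inv.settings.get(key) != wanted:
            missing.append(f"setting:{key}")
    return missing

def decide(policy: Policy, inv: Inventory, today: date, one_at_a_time: bool = True) -> tuple:
    """Quarantine decision for this connection plus the remediation to push now.
    one_at_a_time=True mirrors the 'fix one missing component per login' approach,
    so a client missing three items is released after three connections."""
    missing = evaluate(policy, inv, today)
    if not missing:
        return "release", []          # point at which quarantine filters would be lifted
    return "quarantine", (missing[:1] if one_at_a_time else missing)

# Constructed sample data (hypothetical hotfix IDs, not real Microsoft KB numbers).
POLICY = Policy(frozenset({"HOTFIX-A", "HOTFIX-B", "HOTFIX-C"}), 7,
                {"firewall_enabled": True, "autorun_disabled": True})
TODAY = date(2004, 12, 1)
COMPLIANT_CLIENT = Inventory(frozenset({"HOTFIX-A", "HOTFIX-B", "HOTFIX-C"}),
                             date(2004, 11, 29),
                             {"firewall_enabled": True, "autorun_disabled": True})
STALE_CLIENT = Inventory(frozenset({"HOTFIX-A"}), date(2004, 11, 1),
                         {"firewall_enabled": False, "autorun_disabled": True})

if __name__ == "__main__":
    print(decide(POLICY, COMPLIANT_CLIENT, TODAY))
    print(decide(POLICY, STALE_CLIENT, TODAY))
    print(decide(POLICY, STALE_CLIENT, TODAY, one_at_a_time=False))
```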
