http://www.ISAserver.org
-------------------------------------------------------

Yep, it's not a security feature, it's a client health checking feature
for non-malicious connections. While I would like a toaster to also be a
massage chair and a cigar boat, the toaster just wasn't designed for
those capabilities. There are VPN-Q add-ins such as Fred Esnouf's QSS and
Winfrasoft's VPN-Q 2006 which do make it a security feature, but out of
the box it ain't.

Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
> (Hammer of God)
> Sent: Tuesday, May 23, 2006 10:50 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] FW: Circumventing quarantine control in
> Windows 2003 and ISA 2004
>
> http://www.ISAserver.org
> -------------------------------------------------------
>
> Fyi...
>
> ------ Forwarded Message
> From: Memet Anwar <mmta.gm@xxxxxxxxx>
> Date: Thu, 18 May 2006 16:49:59 +0700
> To: <bugtraq@xxxxxxxxxxxxxxxxx>
> Subject: Circumventing quarantine control in Windows 2003 and ISA 2004
>
> For those unfamiliar with MS quarantine control, you can read Jon
> Hassel's tutorial on Windows 2003 Network Access Quarantine Control
> (NAQC) [http://www.securityfocus.com/infocus/1794], and the ISA 2004
> VPN Quarantine (ISAQ) feature [http://www.securityfocus.com/infocus/1799].
>
> A simplistic mechanism used in both NAQC and ISAQ enables users to
> bypass the requirements set by administrators (such as XP must run SP2,
> should have the latest virus-def, etc.). The problem is due to how the
> requirements are validated: it is trivial for users to trick RRAS/ISA
> into believing that the client's system is always aligned with the
> requirements, regardless of the actual condition.
>
> To illustrate my point, I will use Jon's article part-1 mentioned
> above, because it is much the same as the Microsoft description of the
> subject that I see in the MOC-2824B training material. Please refer to
> the 'A Step-by-Step Overview of NAQC' part of the article.
>
> There, steps 1-7 will put the client connection into quarantine mode,
> which is fine. Steps 8-9 show that the CMAK profile will execute a
> client-side script to validate the client's configuration based on the
> preconfigured baseline. If the client meets the requirement, the script
> should call rqc.exe with the appropriate parameters. In steps 10-14,
> rqc.exe on the client sends its result status to rqs.exe (the listener)
> on the server, along with its script version string. The listener then
> compares the script version string with its reference, before
> reconfiguring the session to normal access.
>
> Now I see two weaknesses there.
>
> First, it is trivial for users to ensure that rqc.exe will always
> report success back to rqs.exe, regardless of the actual condition of
> his/her system. The script (or any executables used) can be modified or
> replaced, and it will always work as long as the replacement knows what
> parameters must be obtained from CMAK, and what should be passed to
> rqc.exe.
>
> Second, in step 12, rqs.exe only performs a string comparison of the
> script version to verify whether the correct script is in use by the
> client.
>
> For example, if the admin-supplied script is a .cmd file, a user can
> replace the content with something like the following. Note that .vbs
> or .exe files can also be replaced, as long as the same functionality
> is provided.
>
>   @echo off
>   @rem Use %ServiceDir% to locate rqc.exe.
>   SET RQCLOC=%1\rqc.exe
>   SET REMOVAL=get_this_from_the_orig_script
>   %RQCLOC% %2 %3 7250 %4 %5 %REMOVAL%
>
> I've reported this issue to MSRC as a design flaw that could allow
> what they call 'ungranted trust' [1].
> Part of their response was:
>
> ==========
> 1) Regardless of whether the Quarantine Control returns success or
> not, the actual "authentication and authorization" is handled
> correctly. You are correct, the Quarantine Control could be
> circumvented, however it is not a "security" feature. It is merely a
> tool to help administrators ensure the vast majority of their users
> will be held to a standard. In the worst case scenario, a user with an
> "infected" or "unpatched" machine could be allowed access. A malicious
> user would still be able to connect to the network with a "clean"
> machine and subsequently do something malicious.
>
> 2) <From ISA.chm::/FW_VPNSecurity.htm:>
> Security recommendations for a VPN
> * Use the ISA Server Quarantine Control feature, to provide phased
>   network access for remote VPN clients. With Quarantine Control,
>   clients are restricted to a quarantine mode before allowed access to
>   the network. Although Quarantine Control does not protect against
>   attackers, computer configurations for authorized users can be
>   verified and, if necessary, corrected before they can access the
>   network. For more information, see VPN and Quarantine
>   <MS-ITS:ISA.chm::/FW_QuarantineOver.htm>.
> * The quarantine feature does not protect against malicious users on
>   the VPN Clients network.
> ==========
>
> MSRC repeatedly stressed that according to ISA 2004 online help, the
> quarantine control 'is not a security feature'. And since this is not a
> vulnerability, they may not provide a fix or advice against the use of
> rqs.exe and rqc.exe on Windows 2003 RRAS or ISA 2004 VPN quarantine.
>
> Security feature or not, it is certainly not working as many admins
> would expect. What's the purpose of having a quarantine control, if,
> by design, it can be circumvented?
> ;)
>
> Regards,
> Memet
>
> [1] Definition of a Security Vulnerability,
> http://www.microsoft.com/technet/archive/community/columns/security/essays/vulnrbl.mspx
>
> ------ End of Forwarded Message
>
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx