[isalist] Re: FW: Circumventing quarantine control in Windows 2003 and ISA 2004

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 23 May 2006 11:59:52 -0500

http://www.ISAserver.org
-------------------------------------------------------

Yep, it's not a security feature, it's a client health checking feature
for non-malicious connections.

While I would like a toaster to also be massage chair and a cigar boat,
the toaster just wasn't designed for those capabilities.

There are VPN-Q add-ins such as Fred Esnouf's QSS and Winfrasoft's VPN-Q
2006 which do make it a security feature, but out of the box it ain't.

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor 
> (Hammer of God)
> Sent: Tuesday, May 23, 2006 10:50 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] FW: Circumventing quarantine control in 
> Windows 2003 and ISA 2004
> 
> 
> Fyi... 
> 
> ------ Forwarded Message
> From: Memet Anwar <mmta.gm@xxxxxxxxx>
> Date: Thu, 18 May 2006 16:49:59 +0700
> To: <bugtraq@xxxxxxxxxxxxxxxxx>
> Subject: Circumventing quarantine control in Windows 2003 and ISA 2004
> 
> For those unfamiliar with MS quarantine control, you can read Jon Hassel's
> tutorial on Windows 2003 Network Access Quarantine Control (NAQC)
> [http://www.securityfocus.com/infocus/1794], and the ISA 2004 VPN
> Quarantine (ISAQ) feature [http://www.securityfocus.com/infocus/1799].
> 
> A simplistic mechanism used in both NAQC and ISAQ enables users to bypass
> the requirements set by administrators (such as XP must run SP2, should
> have the latest virus-def, etc.). The problem is due to how the
> requirements are validated: it is trivial for users to trick RRAS/ISA into
> believing that the client's system is always aligned with the
> requirements, regardless of the actual condition.
> 
> To illustrate my point, I will use Jon's article part-1 mentioned above,
> because it is much the same as Microsoft's description of the subject that
> I see in the MOC-2824B training material. Please refer to the 'A
> Step-by-Step Overview of NAQC' part of the article.
> 
> There, steps 1-7 will put the client connection into quarantine mode,
> which is fine. Steps 8-9 show that the CMAK profile will execute a
> client-side script to validate the client's configuration based on the
> preconfigured baseline. If the client meets the requirements, the script
> should call rqc.exe with the appropriate parameters. In steps 10-14,
> rqc.exe on the client sends its result status to rqs.exe (the listener) on
> the server, along with its script version string. The listener then
> compares the script version string with its reference, before
> reconfiguring the session to normal access.
> 
> Now I see two weaknesses there.
> 
> First, it is trivial for users to ensure that rqc.exe will always report
> success back to rqs.exe, regardless of the actual condition of his/her
> system. The script (or any executables used) can be modified or replaced,
> and it will always work as long as the replacement knows what parameters
> must be obtained from CMAK, and what should be passed to rqc.exe.
> 
> Second, in step 12, rqs.exe only performs a string comparison of the
> script version to verify whether the correct script is in use by the
> client.
> 
> For example, if the admin-supplied script is a .cmd file, a user can
> replace the content with something like the following. Note that .vbs or
> .exe files can also be replaced, as long as the same functionality is
> provided.
> 
>   @echo off
>   @rem Use %ServiceDir% to locate rqc.exe.
>   SET RQCLOC=%1\rqc.exe
>   SET REMOVAL=get_this_from_the_orig_script
>   %RQCLOC% %2 %3 7250 %4 %5 %REMOVAL%
> 
> I've reported this issue to MSRC as a design flaw that could allow what
> they call 'ungranted trust' [1]. Part of their response was:
> 
> ==========
> 1) Regardless of whether the Quarantine Control returns success or not,
> the actual "authentication and authorization" is handled correctly.  You
> are correct, the Quarantine Control could be circumvented, however it is
> not a "security" feature. It is merely a tool to help administrators
> ensure the vast majority of their users will be held to a standard.  In
> the worst case scenario, a user with an "infected" or "unpatched" machine
> could be allowed access.  A malicious user would still be able to connect
> to the network with a "clean" machine and subsequently do something
> malicious.
> 
> 2) <From ISA.chm::/FW_VPNSecurity.htm:>
> Security recommendations for a VPN
> * Use the ISA Server Quarantine Control feature, to provide phased network
> access for remote VPN clients. With Quarantine Control, clients are
> restricted to a quarantine mode before allowed access to the network.
> Although Quarantine Control does not protect against attackers, computer
> configurations for authorized users can be verified and, if necessary,
> corrected before they can access the network. For more information, see
> VPN and Quarantine <MS-ITS:ISA.chm::/FW_QuarantineOver.htm>.
> * The quarantine feature does not protect against malicious users on the
> VPN Clients network.
> ==========
> 
> MSRC repeatedly stressed that according to ISA 2004 online help, the
> quarantine control 'is not a security feature'. And since this is not a
> vulnerability, they may not provide a fix or advice against the use of
> rqs.exe and rqc.exe on Windows 2003 RRAS or ISA 2004 VPN quarantine.
> 
> Security feature or not, it is certainly not working as many admins would
> expect. What's the purpose of having a quarantine control, if by design it
> can be circumvented? ;)
> 
> Regards,
> Memet
> 
> [1] Definition of a Security Vulnerability,
> http://www.microsoft.com/technet/archive/community/columns/security/essays/vulnrbl.mspx
> 
> ------ End of Forwarded Message
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
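The exchange Memet describes (steps 8-14: a client-side script evaluates the baseline, rqc.exe reports a status and a script version string, rqs.exe compares the version string and lifts quarantine) modelled in Python, as an added example that is not part of the thread and not Microsoft's code. Everything here is constructed: the dataclass names, the message layout, the baseline rules and the reference version string stand in for the real rqc/rqs behaviour and are not its wire format. The point it makes visible for an admin is the one both Memet and Tom make: every field the listener decides on originates on the client, so the server cannot distinguish a machine that passed the checks from one whose script simply says it did.

```python
"""Model of the NAQC/ISAQ health-check exchange as the forwarded post
describes it. Constructed for illustration; not the real rqc/rqs protocol."""
from dataclasses import dataclass
from typing import Callable

# Constructed stand-in for the version string the admin's original script
# passes to rqc.exe (the "get_this_from_the_orig_script" value in the post).
REFERENCE_VERSION = "baseline-2006-05"


@dataclass(frozen=True)
class ClientState:
    """Constructed view of the machine the script is supposed to inspect."""
    service_pack: int
    av_defs_current: bool


@dataclass(frozen=True)
class RqcMessage:
    """What rqc.exe sends to rqs.exe: both fields are produced on the client."""
    success: bool
    script_version: str


def rqs_listener(msg: RqcMessage, reference: str = REFERENCE_VERSION) -> str:
    """Server-side decision (steps 10-14 in the post): a success status plus a
    version string equal to the reference is all the listener checks."""
    if msg.success and msg.script_version == reference:
        return "full-access"
    return "quarantine"


def admin_script(state: ClientState) -> RqcMessage:
    """The admin-supplied script: evaluates the baseline and reports honestly."""
    meets_baseline = state.service_pack >= 2 and state.av_defs_current
    return RqcMessage(success=meets_baseline, script_version=REFERENCE_VERSION)


def unconditional_script(state: ClientState) -> RqcMessage:
    """The case the post describes: a script whose checks are gone. It never
    looks at the machine, yet its message is byte-for-byte what the honest
    script sends for a compliant machine."""
    return RqcMessage(success=True, script_version=REFERENCE_VERSION)


def server_decision(script: Callable[[ClientState], RqcMessage],
                    state: ClientState) -> str:
    """Run one client script against a machine state and return what rqs.exe
    would decide from the resulting message."""
    return rqs_listener(script(state))


def noncompliant_machine_admitted(state: ClientState) -> bool:
    """True when a machine the baseline rejects can still leave quarantine,
    i.e. the gate is exactly as strong as the client's own report."""
    fails_baseline = not admin_script(state).success
    return fails_baseline and server_decision(unconditional_script, state) == "full-access"


def messages_identical(state: ClientState) -> bool:
    """True when the listener receives the same message from the honest script
    and from the unconditional one, so nothing on the server can tell them apart."""
    return admin_script(state) == unconditional_script(state)


# Constructed sample machines.
COMPLIANT = ClientState(service_pack=2, av_defs_current=True)
NONCOMPLIANT = ClientState(service_pack=1, av_defs_current=False)

if __name__ == "__main__":
    for label, state in (("compliant", COMPLIANT), ("non-compliant", NONCOMPLIANT)):
        print(f"{label:14} honest script -> {server_decision(admin_script, state):12}"
              f" unconditional script -> {server_decision(unconditional_script, state)}")
    print("non-compliant machine admitted:", noncompliant_machine_admitted(NONCOMPLIANT))
```

For a compliant machine `messages_identical` is true: the honest script and the gutted one hand rqs.exe the same message, which is why the listener's version-string comparison is a consistency check, not an integrity check. That is the practical reading of "not a security feature": treat the quarantine decision as a convenience for cooperative clients and keep authentication, authorization and the VPN clients network's firewall policy (the controls MSRC points to) as the actual boundary.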