Network Access Control (NAC) for managed endpoints

Network Access Control (NAC) is used to bolster the network security by restricting the availability of network resources to managed endpoints that don't satisfy the compliance requirements of the Organization. NAC's quarantine settings achieve the same by enabling system administrators to allow/restrict access to the Organization's network resources for endpoints that fail to conform to the compliance settings fixed by them. The NAC module works as follows.

The network access control module is available for Desktop Central build versions 10.0.595 and above

Workflow

The basic workflow of the module is illustrated in the image given below

Quarantine settings

  • Admin creates the policies that define the compliance status of the machines in his organization.
  • The TrustAgent is the executable that checks the compliance status of the systems based on the policies defined in the Quarantine policy generator by the Admin.
  • If a system is found to be non-compliant, that system's network resources are restricted or that system is said to be quarantined.
  • The user can remedy the problem causing the non-compliance and recheck the status of the system manually.
  • By default, the compliance status of all systems are checked automatically during every refresh cycle.
  • Compliance status of unquarantined machines to which compliance policies have been deployed, will be checked every time there is an IP change (i.e, when the machine is connected/disconnected from the network).
  • If compliance has been achieved or if the Agent has been uninstalled, the quarantine on those systems is revoked.

Steps to install and run NAC module

  1. Download the TrustAgent from the link given: EMS Trust Agent V1.0.0
  2. Unzip the contents of TrustAgent.zip to the directory of your preference.
  3. Open the Quarantine Policy Generator tool (QuarantinePolicyGenerator.exe). This tool requires .NET 4.0 to be installed.
  4. Following that, define policies according to your Organization's requirements. Your policy can include software checks, service checks, and custom checks. Step by step instructions on how to add these checks are also available on the console, click on Help > Getting started.
  5. Once you have defined the policies for the endpoint, Click on Generate new policy and save the file as quarantine.json. It needs to be saved as quarantine.json for the TrustAgent to recognise it.
  6. When prompted to update zips, give 'yes' to update zips automatically, otherwise you will have to manually add quarantine.json in TrustAgent_x86.zip and TrustAgent_x64.zip.
  7. Quarantine settings

  8. Add a script in the DC server repository with the file name TADeployer.exe
  9. Create a new script configuration with this script and add both TrustAgent_x86.zip and TrustAgent_x64.zip as dependency files.
  10. Enable logging and deploy this configuration.
  11. If a machine is found to be non-compliant (based on quarantine.json) the machine's network communication will be restricted.
  12. The system administrator can set the communication restrictions by choosing to allow/restrict access to the Internet/Intranet, under Quarantine settings.
  13. The remarks section of the deployment will indicate if the machine has been quarantined or not.
  14. Similarly by clicking on 'Load existing policy', you can modify the existing policy, if needed, save it and use it accordingly.
  15. To know the quarantine status of the managed endpoints, add the executable EPStatusTester.exe as a script in the DC server repository. Create a configuration with this script and deploy it to all managed endpoints. The configuration status will show 'Success' if the system is quarantined and the reason for quarantining the system will be shown in the 'Remarks' section. If the configuration status shows 'Failed', that automatically means that the system is not quarantined.

If you would like to quarantine a machine regardless of its compliance status, include the -ondemand switch, while deploying the above configuration. Even though there won't be any policies to process in this case, make sure to give the quarantine settings as the Trust Agent would require it (valid quarantine.json) to operate.

Setting up compliance policies

Adding Software checks

    For software checks, the software in question must be listed in the "Add or Remove programs" page.

    1. Navigate to Control panel -> Programs and Features.
    2. Select the application that you need to form your policy.
    3. Choose a keyword to specify the application, from the 'Name' column. This keyword should uniquely identify the application and must not clash with the name of another application.
    4. Fill this keyword in the 'Name' column, in the policy generator, in lowercase.
    5. Select the type as 'Software'.
    6. Select the status as 'Exists' or 'NotExists'.

    The machine will be quarantined if the given condition is satisfied.

    Adding Service checks

    For service checks, the service in question must be listed in "services.msc"

    1. Open services.msc in the Run window.
    2. Select the service that you need for your policy.
    3. Copy the full name of the service from the 'Name'column.
    4. Paste the same in the Name/keyword column in the policy generator.
    5. Select the type as 'service'.
    6. Select the status as per your requirement.

    The machine will be quarantined if the conditions are satisfied.

    Adding Custom Checks

    You can also add custom checks based on Registry path, Registry value, File path, and File value.

    1. Custom tags are used to name/identify the conditions that are checked. These tags can be named according to the user's convenience.
    2. The custom tags are treated as individual checks and the system is considered non-compliant even if one of these tags is satisfied.
    3. If you wish to run a group check, then specify the various conditions under a single tag.

    Quarantine settings

    If the system is found non-compliant, the following quarantine measures can be undertaken.

    1. You can choose to block all network access (Internet/Intranet) or choose to block the Intranet access in the range that you desire.
    2. You can also set the domains or IP addresses that you wish to allow the quarantined machine to access.
    3. Further you can also set to automatically revoke the quarantine, when the quarantined machine loses connectivity to all the heartbeat machines (Machines that establish connectivity and forms a network).

    Steps to revoke quarantine

    Follow the steps given below to revoke the quarantine on machines.

    1. Create a new configuration with the script TAUninstaller.exe
    2. Deploy it to the machines that have been quarantined.
    3. The remarks section in the configuration will show the results of revoking the quarantine.

    Notes

    1. This feature is supported for Windows 7 and above versions of the OS. Windows 7 should be up-to-date or should atleast have KB3033929 installed.
    2. If you are running this module on Windows Server 2016 systems, it should have 'secure boot' disabled.
    3. If a request to a URL shortener service is made, via proxy, it is blocked.
    4. System wide proxy settings are automatically applied.
    5. Any application-specific proxy that is to be allowed must be added to the list.

We respect your security and privacy concerns, hence no Personally Identifiable Information (PII) or browsing data is collected or logged by default.