What is Network Access Control (NAC) for Managed Endpoints?

What is Network Access Control?

Network Access Control is the process of filtering access to corporate data so that only legitimate endpoints can reach it. With Endpoint Central's Network Access Control (NAC) policies, IT administrators can configure settings that quarantine an endpoint from the network when it is found to be vulnerable or does not meet the organization's compliance policy.

The Network Access Control module is available in product build versions 10.0.595 and above.

Advantages of Network Access Control policy

  1. Isolating non-compliant devices helps prevent lateral movement by threat actors inside the network.
  2. Improves the security posture of endpoints that access corporate data.
  3. Gives better visibility into the security standards of your endpoint network.
  4. Regulates access while endpoints use untrusted or open networks.
  5. Provides a proactive measure against threats.

Workflow of NAC

Network Access Control in Endpoint Central follows the workflow described below.


How to implement a Network Access Control policy?

  • IT administrators define a compliance policy with the Quarantine Policy Generator, which ships with the TrustAgent package.
  • The TrustAgent deployed on endpoints probes them against the compliance standards defined in the Quarantine Policy Generator.
  • Once an endpoint is identified as non-compliant, it is quarantined and its network access is cut off according to the quarantine settings.
  • The IT administration team remediates the problem by analyzing the cause of the violation and bringing the endpoint back in line with the defined policy.
  • The quarantine policy scan runs during the agent refresh cycle or when an IP address change is detected on the endpoint.

How to deploy a NAC policy to endpoints?

    1. Download the TrustAgent file from this link and extract its contents.
    2. Open the Quarantine Policy Generator tool (QuarantinePolicyGenerator.exe) and create policies according to your organization's rules. A policy can be built from software checks, service checks, custom checks, patch checks, registry path checks, file path checks and file version checks.
    3. Once the policy is defined, click 'Generate New Policy' and save the file as quarantine.json.
    4. You can add this file to TrustAgent_x86.zip and TrustAgent_x64.zip automatically by clicking 'Yes' when prompted (as shown in the image), or add it manually.
    5. Deploy the agent to endpoints using a custom script configuration: specify TADeployer.exe as the script and add TrustAgent_x86.zip and TrustAgent_x64.zip as dependency files.
    6. When an endpoint is found non-compliant (based on the rules in quarantine.json), it is isolated from the network by the restriction policies defined under Quarantine Settings.
    7. Use 'Load existing policy' to modify a policy later, if required.
    8. To report on quarantine status, deploy a script configuration with EPStatusTester.exe. Its remarks show whether each endpoint is quarantined or not.
    9. Note: You can quarantine an endpoint irrespective of its compliance status by adding the -ondemand switch to the configuration above. Even if no checks are configured, the quarantine.json file must still be uploaded for the endpoints to be quarantined.


How to create a compliance policy?

IT admins can create a compliance policy from the check types supported by Endpoint Central. A policy can be defined using the following checks:

Adding Software checks:-

  1. Navigate to Control Panel -> Programs and Features.
  2. Select an application and choose a keyword from its name that identifies it. Ensure the keyword is a distinct value.
  3. Enter this keyword in the policy generator tool (note: enter the value in lowercase).
  4. Select the type as 'Software' and the status as either 'Exists' or 'NotExists'.

Adding Patch criteria checks:-

  1. In the tool console, specify the patch details: PatchType, SeverityType and the number of patches that violate the rule. Any endpoint falling under this criteria is quarantined.

Adding PatchID checks:-

  1. You can quarantine an endpoint that is missing important security patches. To do so, enter the PatchID in the patch column of the policy generator tool. An endpoint missing the specified patch is quarantined.

Adding Service checks:-

  1. Open services.msc and select a service.
  2. Copy the full name of the service from the 'Name' column.
  3. Paste it into the Name/keyword column of the policy generator.
  4. Select the type as 'Service' and the status as per your requirement.

Adding custom checks:-

  1. Custom tags name and identify the conditions that are checked. These tags can be named according to the user's convenience.
  2. Each custom tag is treated as an individual check, and the system is considered non-compliant if even one of these tags is satisfied.
  3. If you wish to run a group check, specify the various conditions under a single tag so they are evaluated together.

Registry Value Check:

  • Name the custom tag as per your convenience.
  • Check Type : Registry Value
  • Check Path : Registry path (ex: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\AdventNet\DesktopCentral\DCAgent)
  • Applicable Check Mode : Value Equals / Value Not Equals / Value Lesser Than / Value Greater Than / Exist / Not Exist
  • Value : the registry value to compare against.

Registry Path Check

  • Name the custom tag as per your convenience.
  • Check Type : Registry Path
  • Check Path : Registry Path (ex: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\AdventNet\DesktopCentral\DCAgent)
  • Applicable Check Mode : Exist / Not Exist

File Path Check

  • Name the custom tag as needed
  • Check Type : File path
  • Check Path : File path (ex: C:\Program Files (x86)\DesktopCentral_Agent for Endpoint Central builds below 11.2.2309.01, or C:\Program Files (x86)\UEMS_Agent for Endpoint Central 11.2.2309.01 and above)
  • Applicable Check Mode : Exist / Not Exist

File Version Check

  • Name the custom tag as needed.
  • Check Type : File Version
  • Check Path : File path (ex: C:\Program Files (x86)\DesktopCentral_Agent\dcconfig.exe for Endpoint Central builds below 11.2.2309.01, or C:\Program Files (x86)\UEMS_Agent\dcconfig.exe for Endpoint Central 11.2.2309.01 and above)
  • Applicable Check Mode : Value Equals / Value Not Equals / Value Lesser Than / Value Greater Than
  • Value : the file version to compare against.
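The following PowerShell script is an added example for this page, not code from Endpoint Central, TrustAgent or the Quarantine Policy Generator. It evaluates the software, service and custom (registry value, registry path, file path and file version) checks described above on a reference machine, as a dry run before you compile the policy into quarantine.json. The JSON layout and the mode names it uses (Exist, NotExist, ValueEquals, ValueNotEquals, ValueLesserThan, ValueGreaterThan, Running, NotRunning) are assumptions made for the example; the generator's real quarantine.json format is not documented here. It needs PowerShell 3 or later and, for the HKLM reads, an elevated prompt.

```powershell
# Added example; not code from Endpoint Central, TrustAgent or the Quarantine Policy Generator.
# Dry-run evaluator for the check types described on this page, to sanity-check a policy on a
# reference machine before compiling it into quarantine.json with the generator.
# ASSUMPTIONS: the JSON layout and the mode tokens below are invented for this example; the
# real quarantine.json schema is not documented on the page. Semantics follow the custom-check
# rule: each entry describes a violating condition, and the endpoint is non-compliant if ANY
# entry is satisfied.

$policyJson = @'
{
  "checks": [
    { "tag": "AgentKeyMissing", "type": "RegistryPath",  "mode": "NotExist",
      "path": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\AdventNet\\DesktopCentral\\DCAgent" },
    { "tag": "AgentDirMissing", "type": "FilePath",      "mode": "NotExist",
      "path": "C:\\Program Files (x86)\\UEMS_Agent" },
    { "tag": "AgentTooOld",     "type": "FileVersion",   "mode": "ValueLesserThan", "value": "11.2.2309.1",
      "path": "C:\\Program Files (x86)\\UEMS_Agent\\dcconfig.exe" },
    { "tag": "RdpEnabled",      "type": "RegistryValue", "mode": "ValueEquals", "value": "0",
      "path": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server", "name": "fDenyTSConnections" },
    { "tag": "DefenderStopped", "type": "Service",       "mode": "NotRunning", "name": "WinDefend" },
    { "tag": "BannedSoftware",  "type": "Software",      "mode": "Exists", "keyword": "wireshark" }
  ]
}
'@
$policy = $policyJson | ConvertFrom-Json

# The generator takes HKEY_LOCAL_MACHINE\... paths; PowerShell's registry provider needs HKLM:\...
function Convert-RegPath([string]$Path) {
    $Path -replace '^HKEY_LOCAL_MACHINE', 'HKLM:' -replace '^HKEY_CURRENT_USER', 'HKCU:'
}

# Compare as [version] when both sides parse as one (11.2.2309.1 is greater than 11.2.999.1,
# which a plain string comparison gets wrong), as numbers when both are numeric, else as text.
function Compare-Value($Actual, $Expected) {
    $va = $null; $ve = $null
    if ([version]::TryParse([string]$Actual, [ref]$va) -and [version]::TryParse([string]$Expected, [ref]$ve)) {
        return $va.CompareTo($ve)
    }
    $da = 0.0; $de = 0.0
    if ([double]::TryParse([string]$Actual, [ref]$da) -and [double]::TryParse([string]$Expected, [ref]$de)) {
        return $da.CompareTo($de)
    }
    return [string]::Compare([string]$Actual, [string]$Expected, $true)
}

function Test-ValueMode([string]$Mode, [int]$Cmp) {
    switch ($Mode) {
        'ValueEquals'      { $Cmp -eq 0 }
        'ValueNotEquals'   { $Cmp -ne 0 }
        'ValueLesserThan'  { $Cmp -lt 0 }
        'ValueGreaterThan' { $Cmp -gt 0 }
        default            { throw "Unknown value mode '$Mode'" }
    }
}

# Returns $true when the entry's condition holds, i.e. the endpoint violates that check.
function Test-CheckMatches($Check) {
    switch ($Check.type) {
        'RegistryPath' {
            return ($Check.mode -eq 'Exist') -eq (Test-Path -LiteralPath (Convert-RegPath $Check.path))
        }
        'FilePath' {
            return ($Check.mode -eq 'Exist') -eq (Test-Path -LiteralPath $Check.path)
        }
        'RegistryValue' {
            $item = Get-ItemProperty -LiteralPath (Convert-RegPath $Check.path) -Name $Check.name -ErrorAction SilentlyContinue
            if ($Check.mode -in 'Exist', 'NotExist') { return ($Check.mode -eq 'Exist') -eq ($null -ne $item) }
            if ($null -eq $item) { return $false }   # an absent value cannot satisfy a comparison
            return Test-ValueMode $Check.mode (Compare-Value $item.($Check.name) $Check.value)
        }
        'FileVersion' {
            if (-not (Test-Path -LiteralPath $Check.path)) { return $false }
            $vi = (Get-Item -LiteralPath $Check.path).VersionInfo
            $actual = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
            return Test-ValueMode $Check.mode (Compare-Value $actual $Check.value)
        }
        'Service' {
            $svc = Get-Service -Name $Check.name -ErrorAction SilentlyContinue
            switch ($Check.mode) {
                'Exist'      { return ($null -ne $svc) }
                'NotExist'   { return ($null -eq $svc) }
                'Running'    { return ($null -ne $svc) -and ($svc.Status -eq 'Running') }
                'NotRunning' { return ($null -eq $svc) -or ($svc.Status -ne 'Running') }
            }
        }
        'Software' {
            # Same data Programs and Features shows: both Uninstall hives, DisplayName lowercased,
            # substring match on the lowercase keyword as the page instructs.
            $names = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                                            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
                     ForEach-Object { $_.DisplayName } | Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() }
            $found = [bool]($names | Where-Object { $_ -like "*$($Check.keyword.ToLowerInvariant())*" })
            return ($Check.mode -eq 'Exists') -eq $found
        }
        default { throw "Unknown check type '$($Check.type)'" }
    }
}

$violated = foreach ($c in $policy.checks) { if (Test-CheckMatches $c) { $c.tag } }
if ($violated) {
    Write-Output "NON-COMPLIANT: would be quarantined. Violated tags: $($violated -join ', ')"
} else {
    Write-Output 'COMPLIANT: no quarantine condition matched'
}
```

Run it on a known-good machine and on a deliberately misconfigured one. If the good machine reports a violated tag, the keyword, path or version threshold in that check is wrong and would quarantine compliant endpoints once deployed; the version comparison in Compare-Value is the usual culprit, since a text comparison of build strings like 11.2.2309.01 does not order them numerically.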

Quarantine Settings

If the system is found non-compliant, the following quarantine measures can be applied:

  • Block all network access (Internet and Intranet), or block Intranet access only within an IP range you specify.
  • Specify the domains or IP addresses that the quarantined machine is still allowed to access.
  • Optionally revoke the quarantine automatically when the quarantined machine loses connectivity to all the heartbeat machines (machines that establish connectivity and form the network).
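The script below is an added example (not Endpoint Central code) for validating the quarantine settings above on an endpoint you have quarantined on purpose, for instance with the -ondemand switch. It confirms that allow-listed destinations still answer and that representative blocked destinations do not. The host names and ports are assumptions for the example; substitute your own allow list, which should include the Endpoint Central server so that EPStatusTester.exe and TAUninstaller.exe configurations can still reach the endpoint. It uses a raw TCP connect rather than Test-NetConnection so that it also runs on Windows 7.

```powershell
# Added example; not Endpoint Central code. Run on a deliberately quarantined endpoint to check
# that the quarantine settings behave as configured. All host names and ports below are
# ASSUMPTIONS for this example; replace them with your own allow list and test targets.

$allowed = @(
    @{ Host = 'endpointcentral.corp.example'; Port = 8383 },   # assumed Endpoint Central server
    @{ Host = 'wsus.corp.example';            Port = 8530 }    # assumed remediation source
)
$shouldBeBlocked = @(
    @{ Host = 'fileserver.corp.example'; Port = 445 },         # intranet share, assumed
    @{ Host = 'www.example.com';         Port = 443 }          # internet, assumed
)

# TCP connect with a timeout. DNS failure, refusal and a silently dropped SYN all count as
# "unreachable", which is what a quarantine is expected to produce for non-allow-listed hosts.
function Test-TcpReachable([string]$TargetHost, [int]$Port, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($TargetHost, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$failures = @()
foreach ($t in $allowed) {
    if (-not (Test-TcpReachable $t.Host $t.Port)) {
        $failures += "allow-listed $($t.Host):$($t.Port) is NOT reachable (remediation would be impossible)"
    }
}
foreach ($t in $shouldBeBlocked) {
    if (Test-TcpReachable $t.Host $t.Port) {
        $failures += "$($t.Host):$($t.Port) is still reachable from quarantine"
    }
}

if ($failures) {
    $failures | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output 'Quarantine enforced as configured: allow list reachable, other destinations blocked'
```

Run it once before quarantining the endpoint (every target should be reachable) and once after, so a failure can be attributed to the quarantine policy rather than to the network. A quarantined endpoint that cannot reach the Endpoint Central server can no longer receive the TAUninstaller.exe configuration used to revoke the quarantine, which is why the allow list check comes first.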

How to revoke a quarantine policy created?

  • Create a new custom script configuration with the script TAUninstaller.exe.
  • Deploy it to the quarantined machines.
  • The remarks section of the configuration shows the result of revoking the quarantine.

Points to remember:-

  • This feature is supported on Windows 7 and later. Windows 7 should be up to date, or should at least have KB3033929 (the SHA-2 code-signing support update) installed.
  • If you run this module on Windows Server 2016 systems, Secure Boot must be disabled.
  • Requests to URL shortener services made via a proxy are blocked.
  • System-wide proxy settings are applied automatically.
  • Any application-specific proxy that should be allowed must be added to the allow list.

For privacy reasons, Endpoint Central does not collect Personally Identifiable Information (PII) or browsing data by default.