How to establish a Quarantine VPN connection using Least Privilege on Windows XP

Those of you who are taking advantage of the Remote Access Quarantine feature of Windows Server 2003 SP1 may be familiar with establishing a remote VPN connection via Connection Manager along the lines illustrated below.

The Quarantine feature is a great way of asserting that client machines are compliant with your policy BEFORE allowing them remote access to corporate resources. If you're new to the concept of Remote Access Quarantine then I recommend reading Steve Riley's recent article for TechNet Magazine.

Typical Connection Manager implementations (as configured by the Connection Manager Administration Kit - CMAK) require the user to have administrative rights. Unfortunately the option to provide administrative credentials does not present itself via the GUI.

A solution to this problem is to use "RunAs" from the command line to execute the remote access request whilst prompting the user to enter the credentials of an account that has sufficient privilege.

Here's the contents of a script I use to initiate remote connections:

@echo off
rem Prompt for the local Administrator password, then dial the CMAK profile
rem "IT Connection Manager" via rasphone under that account (no /savecred, so nothing is cached).
%windir%\System32\runas.exe /u:%COMPUTERNAME%\Administrator "rasphone.exe -d \"IT Connection Manager\""
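As an added example (not part of the original post and not Aaron Margosis's script), here is a slightly more defensive version of the same RunAs wrapper. It keeps the profile name in one variable, skips the prompt when the entry is already connected, and tells the user when the credential prompt was cancelled or the logon failed. It assumes the same CMAK profile name ("IT Connection Manager") and the same local Administrator account as the script above.

```batch
@echo off
rem Added example (not the original post's script). Assumptions: the CMAK profile
rem is named "IT Connection Manager" and the privileged account is the local
rem Administrator, exactly as in the script above.
setlocal
set ENTRY=IT Connection Manager

rem rasdial with no arguments lists the entries that are currently connected;
rem if ours is listed there is nothing to do.
rasdial | find /i "%ENTRY%" >nul
if not errorlevel 1 (
    echo %ENTRY% is already connected.
    goto :eof
)

rem Prompt for the privileged account's password on every connection attempt.
rem /savecred is deliberately NOT used, so no credential is cached on the client.
%windir%\System32\runas.exe /u:%COMPUTERNAME%\Administrator "rasphone.exe -d \"%ENTRY%\""
if errorlevel 1 (
    echo Could not start the connection: the credential prompt was cancelled or the logon failed.
    exit /b 1
)
endlocal
```

Note that a non-zero exit code from runas only tells you that the elevated process could not be started; whether the VPN dial itself succeeded is still reported by rasphone's own dialog, and a quarantine failure is reported by the Connection Manager profile, not by this script.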

Thanks to Aaron Margosis for providing the script. If you'd like to read more about why running with least privilege is important then click here to read more of Aaron's work.
