Introduction to Host Check

The host check function checks the security status of hosts running SCVPN clients. Based on the check result, the SCVPN server determines the security level of each host and assigns the corresponding resource access rights. It is a way to assure the security of SCVPN connections. The checked factors include the operating system, IE version, and the installation of specific software.

Checked Factors

The factors to be checked by the SCVPN server are displayed in the list below:

Factor Description
Operating system
  • Operating system, e.g., Windows 2000, Windows 2003, Windows XP, Windows Vista, etc.
  • Service pack version, e.g., Service Pack 1
  • Windows patch, e.g., KB958215, etc.
  • Whether the Windows Security Center and Automatic Updates are enabled
  • Whether the installation of AV software is compulsory, and whether the real-time monitor and the auto update of signature database are enabled
  • Whether the installation of anti-spyware is compulsory, and whether the real-time monitor and the online update of signature database are enabled
  • Whether the personal firewall is installed, and whether the real-time protection is enabled
Whether the IE version and security level reach the specified requirements
Other configurations
  • Whether the specified processes are running
  • Whether the specified services are installed
  • Whether the specified services are running
  • Whether the specified registry key values exist
  • Whether the specified files exist in the system

Role Based Access Control and Host Check Procedure

Role Based Access Control (RBAC) means that a user's permissions are determined not by the user name but by the user's role. The resources a user can access after login are determined by the corresponding role, so the role is the bridge connecting the user and the permissions.

The SCVPN host check function supports RBAC, and the host check procedure introduces the concepts of primary role and guest role. The primary role determines which host check profile (containing the host check contents and the security level) is applied to the user and what access permission the user has after passing the host check. The guest role determines the access permission for users who fail the host check.

The host check procedure is:

  1. The SCVPN client sends a connection request and passes authentication.
  2. The SCVPN server sends the host check profile to the client.
  3. The client checks the host security status against the items in the host check profile. If the host fails the check, the system gives notification of the check result.
  4. The client sends the check result back to the server.
  5. The server either disconnects the failed client or gives it the guest role's access permission.

The host check function also supports dynamic access permission control. On one hand, when the client's security status changes, the server sends a new host check profile to the client so that it re-checks; on the other hand, the client can perform the security check periodically. For example, if the AV software is disabled and the host check function detects it, the role assigned to the client may change, and so may the access permission.
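
The procedure and the dynamic re-check described above can be modelled as follows. This is an added example, not code from the SCVPN product: the profile fields, function names, role names and sample host data are all assumptions made for illustration.

```python
from dataclasses import dataclass, field, replace
from typing import Optional

@dataclass
class HostCheckProfile:                 # hypothetical model, not the product's format
    primary_role: str                   # role granted when the host passes
    guest_role: Optional[str]           # role for failed hosts; None = disconnect
    allowed_os: set
    min_service_pack: int = 0
    required_patches: set = field(default_factory=set)
    require_av_realtime: bool = False
    require_firewall: bool = False

def run_host_check(profile, host):
    """Client side (step 3): compare host state with the profile, list failed items."""
    failed = []
    if host["os"] not in profile.allowed_os:
        failed.append("operating system")
    if host["service_pack"] < profile.min_service_pack:
        failed.append("service pack")
    failed += ["patch " + kb for kb in sorted(profile.required_patches - set(host["patches"]))]
    if profile.require_av_realtime and not host["av_realtime"]:
        failed.append("AV real-time monitor")
    if profile.require_firewall and not host["firewall"]:
        failed.append("personal firewall")
    return failed

def assign_role(profile, failed):
    """Server side (step 5): primary role on pass; otherwise guest role or None (disconnect)."""
    return profile.guest_role if failed else profile.primary_role

def check_session(profile, host):
    """One full round (steps 2-5); run again whenever the host status changes."""
    failed = run_host_check(profile, host)
    return assign_role(profile, failed), failed

# Constructed sample data for illustration
PROFILE = HostCheckProfile("staff", "guest", {"Windows XP", "Windows Vista"},
                           min_service_pack=1, required_patches={"KB958215"},
                           require_av_realtime=True, require_firewall=True)
STRICT = replace(PROFILE, guest_role=None)   # same checks, failed clients are disconnected
HOST = {"os": "Windows XP", "service_pack": 2, "patches": ["KB958215"],
        "av_realtime": True, "firewall": True}

if __name__ == "__main__":
    print(check_session(PROFILE, HOST))                           # compliant host
    print(check_session(PROFILE, dict(HOST, av_realtime=False)))  # AV disabled, re-check
    print(check_session(STRICT, dict(HOST, patches=[])))          # no guest role configured
```

Running `check_session` again after the host state changes corresponds to the periodic or server-triggered re-check: the same session can move from the primary role to the guest role, or be dropped, without a new login.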