| UTORprotect |

Endpoint Security Policy Project

Computers which are not professionally managed are susceptible to being vulnerable to exploit due to missing or improperly configured OS patches, antivirus and firewalls. These include computers owned by individuals for personal use and are connected to the University network vis the wireless network, public docking stations and residences.

There are a number of solutions being proposed by commercial vendors to deal with this problem. Cisco's product is 'Security Agent' and Microsoft has 'Network Access Protection'. These products have the following functionality in common: quarantining - the ability to restrict network access to a device and policy compliance detection - the ability to detect whether a computer complies with some specified security policy. CNS has developed an in-house system using open-source software to provide this functionality.


The package is called the Endpoint Security Policy system (ESP) and is made up of a modified version of the Netreg open source computer registration system integrated with Microsoft's MBSA utility. It operates as follows:

  • the ESP server is connected via a singe network interface to the desired subnet. It provides all DHCP services to that subnet.
  • when a computer is connected to the subnet and tries to obtain an address via DHCP and is not "registered" with the ESP server, it is quarantined or given a network address which does not allow connection to the University network for most services.
  • during this time, the user is directed via a web interface to run the wizard-like MBSA wrapper utility which checks for all critical updates. The user may also be queried for authentication, be required to read an end user agreement, etc.
  • The MBSA utility communicates the result of the test to the ESP server. On the successful completion of this stage, the computer is registered and assigned a network address providing full access to the University network. Failure of the test results in the user being directed to run WindowsUpdate. The ESP system allows access to configured DNS domains to computers in the quarantine zone. The MBSA test must generate a 'pass' for the user to be registered by the ESP server. Subsequent network connections will not require the user to repeat the quarantine process due to the MAC address registration.


©2011 - University of Toronto Information + Technology Services, All Rights Reserved.