Upgrading Your Skills to MCSA Windows Server 2012 R2: Configure a Network Policy Server Infrastructure

  • 4/29/2014

Answers

This section contains the answers to the Objective Review and the Thought Experiment.

Objective 7.1: Review

  1. Correct answer: D

    1. Incorrect: An SHV configuration does not affect how a client request is handled. It is used only to perform health checks on a client.
    2. Incorrect: A new SHV would not determine whether a client connection is allowed or blocked. That behavior is determined by network policies.
    3. Incorrect: Connection request policies do not determine how noncompliant client requests are handled. They determine whether connection requests are evaluated by NAP.
    4. Correct: The Configure NAP Wizard creates a NAP DHCP Noncompliant policy that determines how noncompliant DHCP client requests are handled. To allow noncompliant DHCP clients to access the network and simply log the noncompliance, you need to modify the properties of this policy.
  2. Correct answer: A

    1. Correct: You can create an additional configuration for the SHV that performs only the desired checks on DHCP clients. You then need to assign this configuration to the health policies created for DHCP clients.
    2. Incorrect: You don’t need to install an additional SHV. The built-in SHV includes the health checks you need. You need only to create a second configuration of the built-in SHV.
    3. Incorrect: A connection request policy doesn’t determine which particular health checks are performed. It determines whether a connection request is evaluated by NAP.
    4. Incorrect: A network policy doesn’t allow you to specify particular health checks to be performed. It specifies a health policy that in turn specifies a SHV configuration. To modify which health checks are performed, you need to change the SHV configuration.
  3. Correct answer: B

    1. Incorrect: You don’t want to change how compliant VPN clients are handled. You want to change how noncompliant VPN clients are handled.
    2. Correct: A network policy determines how compliant or noncompliant connection requests are handled. In this case, you want to change how noncompliant VPN clients are handled. To achieve your goal, modify the NAP Enforcement setting on the Settings tab of the NAP VPN Noncompliant network policy. Change the setting from Allow Full Network Access to Allow Limited Access.
    3. Incorrect: A health policy doesn’t change how the connection requests from compliant or noncompliant clients are handled. It changes only how connection requests are evaluated.
    4. Incorrect: A health policy doesn’t change how the connection requests from compliant or noncompliant clients are handled. It changes only how connection requests are evaluated.

Thought experiment

  1. Modify the Windows Security Health Validator policy so that it verifies that a firewall is enabled for all network connections. Next, in the network policy that matches the VPN clients that are noncompliant, select the option on the Settings tab to enable auto-remediation of client computers.
  2. Create a new health policy that specifies the client SHV check as Client Reported As Infected By One Or More SHVs. Create a new network policy that specifies the new health policy as a condition, and configure the new network policy to deny access. Move the new network policy to the top of the list of network policies.
  3. First run the Configure NAP Wizard and specify VPN as the connection method and the Finance group as the user group to which the policy should apply. Next, create a second configuration for the Windows Security Health Validator that performs a check of security updates in the manner you wish. Finally, attach the new configuration of the Windows Security Health Validator to the new health policies just created by the Configure NAP Wizard.