Configuring Windows Firewall and Network Access Protection

By their nature, networks can allow healthy computers to communicate with unhealthy computers and malicious tools to attack legitimate applications. This can result in costly security compromises, such as a worm that spreads rapidly through an internal network or a sophisticated attacker who steals confidential data across the network.

Windows Server 2008 R2 supports two technologies that are useful for improving network security: Windows Firewall and Network Access Protection (NAP). Windows Firewall can filter incoming and outgoing traffic, using complex criteria to distinguish between legitimate and potentially malicious communications. NAP requires computers to complete a health check before allowing unrestricted access to your network and facilitates resolving problems with computers that do not meet health requirements.

This lesson describes how to plan and implement Windows Firewall and NAP using Windows Server 2008 R2.

Exam objectives in this chapter:

• Configure Windows Firewall with Advanced Security.

• Configure Network Access Protection (NAP).

Lessons in this chapter:

• Lesson 1: Configuring Windows Firewall

• Lesson 2: Configuring Network Access Protection

Before You Begin

To complete the lessons in this chapter, you should be familiar with Windows networking and be comfortable with the following tasks:

• Adding roles to a computer running Windows Server 2008 R2

• Configuring Active Directory domain controllers and joining computers to a domain

• Configuring a basic network, including configuring IP settings

You will also need the following nonproduction hardware connected to test networks:

• A computer named Dcsrv1 that is a domain controller in the Nwtraders.msft domain. This computer must have at least one network interface that you can connect to either the Internet or a private network.

  NOTE: Computer and Domain Names

  The computer and domain names you use will not affect these exercises. The practices in this chapter refer to these computer names for simplicity, however.

• A computer named Hartford that is running Windows 7 Professional, Enterprise, or Ultimate, and is a member of the Nwtraders.msft domain. You must use Windows 7 because Windows Server 2008 R2 does not support the Windows Security Health Validator.

Real World

Tony Northrup

Instead of absolutes, security can be measured only in degrees of risk. Although NAP can’t prevent a determined, skilled attacker from connecting to your network, NAP can improve your network security by helping keep computers up to date and ensuring that legitimate users do not accidentally connect to your internal network without meeting your security requirements.

When evaluating NAP as a way to protect against malicious attackers, remember that NAP trusts the System Health Agent (SHA) to report on the health of the client. The SHA is also running on the client computer. So it’s a bit like airport security merely asking people if they are carrying any banned substances—people without any malicious intent would happily volunteer anything they accidentally brought. People with malicious intent would simply lie.

It’s not quite as easy as simply lying, because the SHA signs the Statement of Health (SoH) to help prove that the health report is genuine. Additional security measures, such as requiring IPsec connection security, can help further reduce the opportunity for attackers. Nonetheless, with some time and effort, it’s entirely possible that someone will create a malicious SHA that impersonates a legitimate SHA.