Configuring Windows Firewall and Network Access Protection

  • 5/15/2011

Lesson 2: Configuring Network Access Protection

Consider this common scenario: an enterprise has thousands of computers on a private network. Perimeter firewalls protect the network from Internet threats, including network attacks from worms. Suddenly, someone creates a worm that can exploit a vulnerability in computers running Windows that do not have the latest security updates installed. The worm spreads quickly across the Internet, but the private network’s perimeter firewalls protect the vulnerable computers on the internal network. A traveling salesperson then returns to the office with his mobile computer. While on his trip, he connected his computer to the wireless network at the hotel, where another guest’s computer transmitted a worm across the network. When he connects to the private network, the worm immediately begins spreading to the vulnerable computers, completely bypassing the perimeter security. In a few hours, most of the computers on the internal network are infected.

This exact scenario has happened to many organizations and resulted in countless financial losses. NAP can prevent this scenario. When computers connect to your local area network (LAN), they must meet specific health requirements, such as having recent updates installed. If they can’t meet those health requirements, they can be quarantined to a network where they can download updates, install antivirus software, and obtain more information about how to meet the requirements of the LAN. This lesson describes NAP and how you can deploy it on your network.

Network Access Protection Concepts

As shown in Figure 8-3, NAP is designed to connect hosts to different network resources depending on their current health state. This division of network resources can be implemented using virtual LANs (VLANs, as Figure 8-3 illustrates), IP filters, IP subnet assignment, static routes, or IPsec enforcement.

Figure 8-3 A typical NAP VLAN architecture

If you choose to provide a remediation network (rather than simply denying network access), you might need additional infrastructure servers for it. For example, if you configure an Active Directory domain controller on the remediation network, you should use a read-only domain controller to limit the risk if the domain controller is attacked. Similarly, you should provide separate DHCP and DNS servers from your infrastructure servers to reduce the risk that a noncompliant computer might spread malware to the production server.

Enforcement Types

For NAP to work, a network component must enforce NAP by either allowing or denying network access. The sections that follow describe the different NAP enforcement types you can use: IPsec connection security, 802.1X access points, VPN servers, DHCP servers, and Remote Desktop Gateways (RD Gateway).

IPsec Connection Security

The IPsec connection security enforcement type requires clients to perform a NAP health check before they can receive a health certificate. In turn, this health certificate is required for IPsec connection security before the client can connect to IPsec-protected hosts. IPsec enforcement allows you to require health compliance on a per-IP address or a per-TCP/UDP port number basis. For example, you could allow noncompliant computers to connect to a web server but allow only compliant computers to connect to a file server—even if the two services are running on a single computer.

You can also use IPsec connection security to allow healthy computers to communicate only with other healthy computers. IPsec enforcement requires a CA running Windows Server 2008 (or Windows Server 2008 R2) Certificate Services and NAP to support health certificates. In production environments, you will need at least two CAs for redundancy. Other public key infrastructures (PKIs) will not work. IPsec enforcement provides a very high level of security, but it can protect only computers that are configured to support IPsec.

802.1X Access Points

The 802.1X access points enforcement type uses Ethernet switches or wireless access points that support 802.1X authentication. Compliant computers are granted full network access, and noncompliant computers are connected to a remediation network or completely prevented from connecting to the network. If a computer falls out of compliance after connecting to the 802.1X network, the 802.1X network access device can change the computer’s network access. This provides some assurance of compliance for desktop computers, which might remain connected to the network indefinitely.

802.1X enforcement uses one of two methods to control which level of access compliant, noncompliant, and unauthenticated computers receive:

  • An access control list (ACL) A set of Internet Protocol version 4 (IPv4) or Internet Protocol version 6 (IPv6) packet filters configured on the 802.1X access point. The 802.1X access point applies the ACL to the connection and drops all packets that are not allowed by the ACL. Typically, you apply an ACL to noncompliant computer connections and allow compliant computers to connect without an ACL (thus granting them unlimited network access). ACLs allow you to prevent noncompliant computers from connecting to one another, thus limiting the ability of a worm to spread, even among noncompliant computers.

  • A virtual local area network (VLAN) A group of ports on the switch that are grouped together to create a separate network. VLANs cannot communicate with one another unless you connect them using a router. VLANs are identified using a VLAN identifier, which must be configured on the switch itself. You can then use NAP to specify in which VLAN the compliant, noncompliant, and unauthenticated computers are placed. When you place noncompliant computers into a VLAN, they can communicate with one another. This can allow a noncompliant computer infected with a worm to attack, and possibly infect, other noncompliant computers. Another disadvantage of using VLANs is that the client’s network configuration must change when it transitions from being a noncompliant NAP client to being a compliant NAP client (for example, after it successfully applies updates). Changing the network configuration during system startup and user logon can cause Group Policy updates or other boot processes to fail.

Your 802.1X access points may support ACLs, VLANs, or both. If they support both and you’re already using either ACLs or VLANs for other purposes, use the same technique for 802.1X enforcement. If your 802.1X access point supports both ACLs and VLANs and you are not currently using either, use ACLs for 802.1X enforcement so that you can take advantage of their ability to limit network access between noncompliant clients.

VPN Servers

The VPN servers enforcement type enforces NAP for remote access connections using a VPN server running Windows Server 2008 or Windows Server 2008 R2 and Routing and Remote Access (other VPN servers do not support NAP). With VPN server enforcement enabled, only compliant client computers are granted unlimited network access. The VPN server can apply a set of packet filters to connections for noncompliant computers, limiting their access to a remediation server group that you define. You can also define IPv4 and IPv6 packet filters, exactly as you would when configuring a standard VPN connection.

DHCP Servers

The DHCP servers enforcement type uses a computer running Windows Server 2008 or Windows Server 2008 R2 and the Dynamic Host Configuration Protocol (DHCP) Server service that provides IP addresses to intranet clients. Only compliant computers receive an IP address that grants full network access; noncompliant computers are granted an IP address with a subnet mask of 255.255.255.255 and no default gateway.

Additionally, noncompliant hosts receive a list of host routes (routes that direct traffic to a single IP address) for network resources in a remediation server group that you can use to allow the client to apply any updates required to become compliant. This IP configuration prevents noncompliant computers from communicating with network resources other than those you configure as part of a remediation server group.

If the health state of a NAP client changes (for example, if Windows Firewall is disabled), the NAP client performs a new health evaluation using a DHCP renewal. This allows clients that become noncompliant after successfully authenticating to the network to be blocked from further network access. If you change the health policy on NAP servers, the changes will not be enforced until the client’s DHCP lease is renewed.

Although 802.1X network access devices and VPN servers are capable of disconnecting computers from the network and IPsec enforcement can allow connections only from healthy computers, DHCP server enforcement points can be bypassed by an attacker who manually configures an IP address. Nonetheless, DHCP server enforcement can reduce the risk from nonmalicious users who might attempt to connect to your network with a noncompliant computer.
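The restricted address configuration described above is easy to recognize on a client, which makes it useful both for help desk troubleshooting and for confirming that DHCP enforcement actually took effect in a test scope. The following script is an added example, not code from the training kit: it inspects the local DHCP-enabled adapters and the IPv4 route table and reports whether the lease looks like a NAP-restricted one (255.255.255.255 subnet mask, no default gateway) and which remediation hosts the per-resource host routes point to. It uses only WMI classes present on Windows XP SP3 and later and Windows PowerShell 2.0 syntax, so it runs on the NAP-era clients this chapter covers; the function and property names are mine.

```powershell
# Added example, not from the training kit: report whether the local Windows
# client holds the restricted DHCP configuration a NAP DHCP enforcement point
# issues (255.255.255.255 subnet mask, no default gateway, host routes to
# remediation servers). Windows PowerShell 2.0 syntax; WMI classes exist on
# Windows XP SP3 and later.

function Test-NapRestrictedLease {
    param(
        # Adapters and routes default to the live system; constructed objects
        # with the same property names can be passed in for offline testing.
        [object[]]$Adapters = (Get-WmiObject Win32_NetworkAdapterConfiguration |
                               Where-Object { $_.IPEnabled -and $_.DHCPEnabled }),
        [object[]]$Routes   = (Get-WmiObject Win32_IP4RouteTable)
    )

    foreach ($nic in $Adapters) {
        $hasHostMask = ($nic.IPSubnet -contains '255.255.255.255')
        $noGateway   = (-not $nic.DefaultIPGateway)

        # Host routes (mask 255.255.255.255) to addresses other than the
        # adapter's own address, loopback, or the broadcast address are the
        # per-resource routes a NAP DHCP server hands to a quarantined client.
        $hostRoutes = @($Routes | Where-Object {
            $_.Mask -eq '255.255.255.255' -and
            $_.Destination -ne '255.255.255.255' -and
            $_.Destination -notlike '127.*' -and
            ($nic.IPAddress -notcontains $_.Destination)
        })

        New-Object PSObject -Property @{
            Adapter          = $nic.Description
            IPAddress        = ($nic.IPAddress -join ', ')
            Restricted       = ($hasHostMask -and $noGateway)
            HostRouteCount   = $hostRoutes.Count
            RemediationHosts = (($hostRoutes | ForEach-Object { $_.Destination }) -join ', ')
        }
    }
}

Test-NapRestrictedLease |
    Format-Table Adapter, IPAddress, Restricted, HostRouteCount, RemediationHosts -AutoSize
```

A client that reports Restricted = True but no host routes cannot reach any remediation server, which usually means the remediation server group on the NPS side is empty or the DHCP scope was not NAP-enabled; a compliant client should report Restricted = False. Because the check reads the lease the client actually received, it also illustrates the limitation noted above: a statically configured address simply shows up as a non-DHCP adapter and is not evaluated at all.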

Remote Desktop Gateways

If you use RD Gateway (called Terminal Services Gateway in Windows Server 2008) to allow users to control their desktops from remote computers across the Internet, you can use the RD Gateway enforcement type to block access using RD Gateway unless the client computer passes a health check. RD Gateway enforcement does not provide remediation.

System Health Agents and System Health Validators

NAP health validation takes place between two components:

  • System Health Agents (SHAs) The client components that create a Statement of Health (SoH) containing a description of the health of the client computer. Windows 7, Windows Vista, Windows Server 2008, Windows Server 2008 R2, and Windows XP with Service Pack 3 include an SHA that monitors Windows Security Center settings. Microsoft and third-party developers can create custom SHAs that provide more complex reporting.

  • System Health Validators (SHVs) The server components that analyze the SoH generated by the SHA and create an SoH Response (SoHR). The NAP health policy server uses the SoHR to determine the level of access the client computer should have and whether any remediation is necessary. Windows Server 2008 and Windows Server 2008 R2 include an SHV that corresponds to the SHA built into Windows 7, Windows Vista, and Windows XP with Service Pack 3.

The NAP connection process is as follows:

  1. The NAP client connects to a network that requires NAP.

  2. Each SHA on the NAP client validates its system health and generates an SoH. The NAP client combines the SoHs from multiple SHAs into a System Statement of Health (SSoH), which includes version information for the NAP client and the set of SoHs for the installed SHAs.

  3. The NAP client sends the SSoH to the NAP health policy server through the NAP enforcement point.

  4. The NAP health policy server uses its installed SHVs and the health requirement policies that you have configured to determine whether the NAP client meets health requirements. Each SHV produces a Statement of Health Response (SoHR), which can contain remediation instructions (such as the version number of an antivirus signature file) if the client doesn’t meet that SHV’s health requirements.

  5. The NAP health policy server combines the SoHRs from the multiple SHVs into a System Statement of Health Response (SSoHR).

  6. The NAP health policy server sends the SSoHR back to the NAP client through the NAP enforcement point. The NAP enforcement point can now connect a compliant computer to the network or connect a noncompliant computer to a remediation network.

  7. Each SHA on the NAP client processes the SoHR created by the corresponding SHV. If possible, any noncompliant SHAs can attempt to come into compliance (for example, by downloading updated antivirus signatures).

  8. If any noncompliant SHAs were able to meet the requirements specified by the SHV, the entire process starts over again—hopefully with a successful result.

Planning a NAP Deployment

NAP has the potential to prevent legitimate users from accessing the network. Any security mechanism that reduces productivity will be quickly removed, so you must carefully plan a NAP deployment to minimize user impact.

Typically, a NAP deployment occurs in three phases:

  • Testing Test the NAP using examples of each different operating system, client computer configuration, and enforcement points in your environment.

  • Monitoring Deploy NAP in a monitoring-only mode that notifies administrators if a computer fails to meet health requirements but does not prevent the user from connecting to the network. This allows you to identify computers that are not meeting health requirements and to bring them into compliance. You could bring computers into compliance manually or by using automated tools, such as Microsoft System Center Configuration Manager 2007. For more information, read the section entitled “Configuring NAP for Monitoring Only” later in this chapter.

  • Limited access If, during the monitoring phase, you reach a point where almost all of your computers are compliant, you can enable NAP enforcement to prevent noncompliant computers from connecting to your production network. Users can then use resources on the remediation network to bring their computers into compliance, if necessary. Typically, you will need to configure exceptions for computers that are not NAP-compliant.
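During the monitoring phase, the only evidence of noncompliant computers is the NPS audit events on the health policy server, so you need a way to turn those events into a list of machines to fix. The following script is an added example, not code from the training kit. It summarizes NAP health evaluations per client from the Security log. The event IDs it uses are the NPS audit events as I know them (6276 client quarantined, 6277 access granted on probation because the host was noncompliant, 6278 full access because the host was compliant); the parsing of the "Fully Qualified Machine Name:" line in the message text is an assumption about the message layout, so confirm both against an event from your own server before relying on the report.

```powershell
# Added example, not from the training kit: summarize NAP health-evaluation
# results recorded in the Security log of an NPS health policy server.
# Assumed NPS audit event IDs (confirm against your own log):
#   6276 = client quarantined
#   6277 = access granted on probation (noncompliant; what monitoring mode logs)
#   6278 = full access granted, client compliant

function Get-NapHealthSummary {
    param(
        [int]$Days = 7,
        # Assumption: the caller can read the Security log on this server.
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'Security'
        Id        = 6276, 6277, 6278
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    $parsed = foreach ($e in $events) {
        # Assumption about the message layout: the client's FQDN follows
        # "Fully Qualified Machine Name:" in the event text.
        $machine = 'unknown'
        if ($e.Message -match 'Fully Qualified Machine Name:\s*(\S+)') { $machine = $matches[1] }

        $result = switch ($e.Id) {
            6276 { 'Quarantined' }
            6277 { 'NoncompliantOnProbation' }
            6278 { 'Compliant' }
        }

        New-Object PSObject -Property @{
            Time    = $e.TimeCreated
            Machine = $machine
            Result  = $result
        }
    }

    # One row per client: how often it was evaluated, how often it failed,
    # and when it last failed, worst offenders first.
    $parsed | Group-Object Machine | ForEach-Object {
        $bad = @($_.Group | Where-Object { $_.Result -ne 'Compliant' })
        $last = $bad | Sort-Object Time -Descending | Select-Object -First 1
        New-Object PSObject -Property @{
            Machine          = $_.Name
            Evaluations      = $_.Count
            Noncompliant     = $bad.Count
            LastNoncompliant = if ($last) { $last.Time } else { $null }
        }
    } | Sort-Object Noncompliant -Descending
}

Get-NapHealthSummary -Days 14 |
    Format-Table Machine, Evaluations, Noncompliant, LastNoncompliant -AutoSize
```

If the report comes back empty on a server that is clearly processing requests, check that the Network Policy Server audit subcategory (under Logon/Logoff) is enabled for success and failure; without it NPS writes nothing to the Security log. A client that shows a high Noncompliant count with no recent Compliant evaluation is the kind of machine to remediate manually before switching to limited access.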

Installing and Configuring the Network Policy Server

NAP depends on a Windows Server 2008 or Windows Server 2008 R2 NAP health policy server, which acts as a RADIUS server, to evaluate the health of client computers. If you have existing RADIUS servers that are running Windows Server 2003 or Windows 2000 Server and Internet Authentication Service (IAS), you can upgrade them to Windows Server 2008 or Windows Server 2008 R2 and configure them as NAP health policy servers. If you have RADIUS servers running any other operating system, you will need to configure new Windows Server 2008 or Windows Server 2008 R2 NAP health policy servers, configure the health policy, and then migrate your existing RADIUS clients to the NAP health policy servers.

Typically, you will need to deploy at least two NAP health policy servers for fault tolerance. If you have only a single NAP health policy server, clients will be unable to connect to the network if it is offline. As described in Chapter 7, you can use connection request policies to allow a single RADIUS server to act as a NAP health policy server and authenticate requests from other RADIUS clients.

Installing NAP

To install NAP, follow these steps:

  1. In the console tree of Server Manager, select Roles. In the details pane, click Add Roles. The Add Roles Wizard appears.

  2. If the Before You Begin page appears, click Next.

  3. On the Select Server Roles page, select the Network Policy And Access Services check box. Click Next.

  4. On the Network Policy And Access Services page, click Next.

  5. On the Select Role Services page, select the Network Policy Server check box. Click Next.

  6. On the Confirmation page, click Install.

  7. On the Results page, click Close.

This installs the core NPS service, which is sufficient for using the Windows Server 2008 computer as a RADIUS server for 802.1X, VPN, or DHCP enforcement.

Using the Configure NAP Wizard

After installing the Network Policy And Access Services role, follow these steps to configure NAP:

  1. In Server Manager, select Roles\Network Policy And Access Services\NPS. You might need to close and reopen Server Manager if you recently installed the Network Policy And Access Services role.

  2. In the details pane, select Network Access Protection, and then click Configure NAP. The Configure NAP Wizard appears.

  3. On the Select Network Connection Method For Use With NAP page, choose your enforcement method. Then, click Next.

  4. On the next page (whose title depends on the previously selected network connection method), you need to add any HRA servers (other than the local computer) and RADIUS clients, for example:

    • If you are using 802.1X enforcement, add the IP address of each switch.

    • If you are using VPN enforcement, add the IP address of each VPN server.

    • If you are configuring DHCP servers, add each of your NAP-capable DHCP servers.

    Click Add for each host and configure a friendly name, address, and shared secret. Then click OK. After you have configured any external HRA servers and RADIUS clients, click Next.

  5. Depending on the network method you chose, you might be presented with additional page options, such as DHCP scopes or RD gateway redirection options. Configure these options appropriately.

  6. On the Configure User Groups And Machines page, click the Add buttons to allow computers or groups to connect. Click Next.

  7. The pages that follow vary depending on your NAP enforcement method:

    • For the 802.1X or VPN enforcement methods, you use the Configure An Authentication Method page (shown in Figure 8-4) to specify the NAP health policy server certificate and the EAP types to use for user or computer-level authentication.

    • For the 802.1X enforcement method, you use the Configure Traffic Controls page to configure the unlimited VLAN and the restricted network VLAN.

    Figure 8-4 Configuring an 802.1X enforcement authentication method

  8. On the Define NAP Health Policy page, you can select from the installed SHVs. By default, only the Windows Security Health Validator is installed. As shown in Figure 8-5, you should leave autoremediation enabled for enforcement types that support it to allow client computers to automatically change settings to meet health requirements. During initial production deployments, select Allow Full Network Access To NAP-Ineligible Client Computers to configure NAP in monitoring-only mode. Noncompliant computers will generate an event in the event log, allowing you to fix noncompliant computers before they are prevented from connecting to the network. Click Next.

    Figure 8-5 Defining NAP health policy

  9. On the Completing NAP Enforcement Policy And RADIUS Client Configuration page, click Finish.

The Configure NAP Wizard creates the following policies:

  • A connection request policy with the name specified on the Select Network Connection Method For Use With NAP page

  • Compliant and noncompliant health policies, based on the name specified on the Select Network Connection Method For Use With NAP page

  • Compliant and noncompliant network policies, based on the same name as the health policies

Configuring NAP Enforcement

After you have installed and configured NAP, you must perform additional steps to enable NAP enforcement. The steps you follow vary depending on whether you are using IPsec, 802.1X, DHCP, VPN, or RD Gateway enforcement. The sections that follow describe how to configure each of these enforcement types at a high level, cross-referencing other sections in this lesson that have more detailed instructions.

Configuring IPsec Enforcement

Configuring IPsec enforcement requires the following high-level steps:

  1. Install the Health Registration Authority (HRA) role service and the Active Directory Certificate Services role (if it’s not already present).

  2. Use the Configure NAP Wizard to configure the connection request policy, network policy, and NAP health policy, as described earlier in this chapter in the section titled “Using the Configure NAP Wizard.” Although you can configure these elements individually, using the wizard is much easier.

  3. Configure HRA, as described in the sections that follow.

  4. Enable the NAP IPsec Relying Party enforcement client and start the NAP service on NAP-capable client computers, as described later in this chapter in the sections entitled “Configuring Client Computers for IPsec Enforcement” and “Configuring NAP Clients.”

  5. Require IPsec connection security using health certificates for computers that should communicate only with other healthy computers, as described in the sections that follow.

The following sections describe these steps in more detail.

Step 1: Installing the HRA Role Service

If you plan to use IPsec enforcement, you will also need to install the HRA role service. In production environments, you should always configure at least two HRAs for fault tolerance. Large networks might require additional HRAs to meet the performance requirements.

Installing the HRA role service configures the following:

  • A certification authority (if one does not already exist) HRA requires a certification authority running Windows Server 2008 or Windows Server 2008 R2 Certificate Services, which can be an existing CA or a new CA. For a Windows Server 2003–based CA, you must manually create a System Health Authentication certificate template so that members of the IPsec exemption group can autoenroll a long-lived health certificate.

  • A web application The Add Role Services Wizard creates a web application named DomainHRA under the default website in Internet Information Services (IIS).

You can install the HRA role service using the Add Roles Wizard by selecting the Health Registration Authority check box on the Select Role Services page and following the prompts that appear, or you can install the role service after installing the Network Policy And Access Services role by following these steps:

  1. In Server Manager, right-click Roles\Network Policy and Access Services, and then choose Add Role Services. The Add Role Services Wizard appears.

  2. On the Select Role Services page, select the Health Registration Authority check box. When prompted, click Add Required Role Services. Click Next.

  3. On the Choose The Certification Authority To Use With The Health Registration Authority page, choose to install a CA, use the local CA, specify a remote CA, or defer the decision until later. Then, click Next.

  4. On the Choose Authentication Requirements For The Health Registration Authority page, select Yes if all client computers are members of a trusted domain. If some computers are not members of a domain, you can select No—but you must accept slightly weaker security. Click Next.

  5. If the Server Authentication Certificate page appears, you can select an SSL certificate to encrypt communications with the HRA server using one of the following three options. After you select an option, click Next.

    • Choose An Existing Certificate For SSL Encryption If you have an SSL certificate, select this option, and then select the certificate you want to use. If your certificate does not appear in the list, click Import.

    • Create A Self-Signed Certificate For SSL Encryption Clients do not trust self-signed certificates by default, which means you will need to manually configure the certificate on every client computer. For this reason, it is not a practical option in most circumstances.

    • Don’t Use SSL Or Choose A Certificate For SSL Encryption Later If you are installing Certificate Services as part of this wizard, select this option so that you can manually add an SSL certificate after you have completed the Certificate Services installation.

  6. If you are installing the Windows Server 2008 Certificate Services role at this time, the Active Directory Certificate Services page appears. If it does not appear, skip to step 15. On this page, click Next.

  7. On the Role Services page, click Next.

  8. On the Setup Type page, select whether to configure an enterprise or stand-alone CA. In Active Directory environments, configuring an Enterprise CA is much easier because you can automatically issue certificates to client computers. Click Next.

  9. On the CA Type page, select Root CA if this is your first CA. If you have an existing PKI, select Subordinate CA. The remainder of these steps apply to configuring a root CA; some pages are different if you configure a subordinate CA. Click Next.

  10. On the Private Key page, click Next.

  11. On the Cryptography page, click Next.

  12. On the CA Name page, you can type a new common name for the CA. This name must be the name clients will use to connect to the server. The default will typically work. Click Next.

  13. On the Validity Period page, click Next.

  14. On the Certificate Database page, click Next.

  15. If you are installing IIS role services at this time, the Web Server page appears. If it does not appear, skip to step 17. Otherwise, click Next.

  16. On the Role Services page, click Next.

  17. On the Confirmation page, click Install.

  18. On the Results page, click Close.

Step 2: Configuring the NAP Wizard

Follow the steps in “Using The Configure NAP Wizard” and, on the Select Network Connection Method For Use With NAP page, select IPsec With Health Registration Authority. Completing the wizard creates the following:

  • A connection request policy named NAP IPsec With HRA (at Roles\Network Policy And Access Services\NPS\Policies\Connection Request Policies in Server Manager). This connection request policy configures the local server to process NAP IPsec requests using the HRA.

  • A health policy named NAP IPsec With HRA Compliant (at Roles\Network Policy And Access Services\NPS\Policies\Health Policies in Server Manager). This health policy applies to compliant computers that pass all SHV checks.

  • A network policy named NAP IPsec With HRA Compliant (at Roles\Network Policy And Access Services\NPS\Policies\Network Policies in Server Manager). This network policy grants access to compliant computers.

  • A health policy named NAP IPsec With HRA Noncompliant (at Roles\Network Policy And Access Services\NPS\Policies\Health Policies in Server Manager). This health policy applies to noncompliant computers that fail one or more SHV checks.

  • A network policy named NAP IPsec With HRA Noncompliant (at Roles\Network Policy And Access Services\NPS\Policies\Network Policies in Server Manager). This network policy grants limited network access to noncompliant computers. Specifically, noncompliant computers will be able to access only remediation servers. You should never set the Access Permission to Deny Access, because doing so prevents the health check from being performed.

Step 3: Configuring HRA

Now you can configure HRA settings using Server Manager by selecting the Roles\Network Policy And Access Services\NPS\Health Registration Authority node. Before you can use IPsec enforcement, you must configure a CA (such as Windows Server 2008 R2 Certificate Services) that will issue health certificates. If you didn’t configure the CA while installing HRA, you can install it afterward.

To configure the CA that will be used to issue health certificates for IPsec enforcements, follow these steps:

  1. In Server Manager, right-click Roles\Network Policy And Access Services\Health Registration Authority\Certification Authority, and then choose Add Certification Authority.

  2. In the Add Certification Authority dialog box, click Browse to select an enterprise CA. Select the appropriate server, and then click OK. Alternatively, you can type the fully qualified domain name (FQDN) of your CA. Figure 8-6 shows the Add Certification Authority dialog box with an enterprise CA selected.

    Figure 8-6 Selecting a CA for IPsec enforcement

  3. Click OK.

  4. Right-click Roles\Network Policy And Access Services\Health Registration Authority\Certification Authority, and then click Properties. The Certification Authorities Properties dialog box appears.

  5. If you are using an enterprise CA, select Use Enterprise Certification Authority. Then click OK.

The CA appears in the details pane when you select the Roles\Network Policy And Access Services\Health Registration Authority\Certification Authority node in Server Manager. You can repeat the previous steps to add CAs, which allows for fault tolerance. If you have only a single CA and it goes offline, clients will be unable to undergo a NAP health check. If you have NAP enforcement enabled, this means clients will be unable to connect to the network.

You can also configure the mechanisms used for IPsec enforcement using the Roles\Network Policy And Access Services\Health Registration Authority\Certification Authority node in Server Manager. However, the default settings are typically sufficient.

Step 4: Configuring Client Computers for IPsec Enforcement

After configuring the NPS server for IPsec enforcement, you must configure client computers for IPsec enforcement. First, configure clients to use IPsec, as described in Chapter 6, “Protecting Network Traffic with IPsec.” Then, configure the client by following these steps:

  1. Use the Group Policy Management Editor to open the GPO you want to use to apply the NAP enforcement client settings.

  2. Right-click the Computer Configuration\Policies\Windows Settings\Security Settings\Network Access Protection\NAP Client Configuration\Health Registration Settings\Trusted Server Groups node, and then choose New. The New Trusted Server Group Wizard appears.

  3. On the Group Name page, type a name that describes the group of HRA servers you will use for IPsec enforcement. Click Next.

  4. On the Add Servers page, type the URL for each HRA. If you have an SSL certificate (that clients trust) installed on the server, type the URL as https://<servername>, where <servername> matches the common name on the SSL certificate. If you do not have an SSL certificate, clear the Require Server Verification check box and type the URL as http://<servername>. Click Add and repeat the process for any additional HRAs. NAP clients always start with the first HRA and continue through the list until an HRA can be contacted. Click Finish.

Now that you have configured clients to trust your HRAs, you should enable IPsec enforcement.

  1. Select the Computer Configuration\Policies\Windows Settings\Security Settings\Network Access Protection\NAP Client Configuration\Enforcement Clients node.

  2. In the details pane, double-click IPsec Relying Party.

  3. In the IPsec Relying Party Properties dialog box, select the Enable This Enforcement Client check box. Then, click OK.

Additionally, follow the steps described in the section “Configuring NAP Clients” later in this chapter.
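For a lab client, or a computer that is not domain-joined and therefore does not receive the GPO, the same trusted server group and enforcement client settings can be applied locally. The script below is an added example, not code from the training kit: it configures the two HRA URLs, enables the IPsec Relying Party enforcement client, starts the NAP Agent service, and prints the resulting client state. The server names and group name are placeholders. The netsh nap client commands and the enforcement client ID 79619 (IPsec Relying Party) are as documented for Windows Vista, Windows 7, and Windows Server 2008; the HRA URL path (the DomainHRA web application the lesson names, followed by hcsrvext.dll) is from my recollection of an HRA installation and should be confirmed against your own IIS configuration.

```powershell
# Added example, not from the training kit: local (netsh) equivalent of the
# Group Policy steps for IPsec enforcement on a NAP client. Names are placeholders.

$groupName  = 'Contoso HRA Servers'                                 # placeholder
$hraServers = @('hra1.contoso.example', 'hra2.contoso.example')     # placeholders, tried in this order

# 1. Trusted server group. requireserververification=enable corresponds to the
#    Require Server Verification check box: the HRA's SSL certificate must chain
#    to a CA the client trusts, so the URLs below must use https.
& netsh nap client add trustedservergroup name="$groupName" requireserververification=enable

# 2. Add each HRA URL. processingorder sets the order in which the client
#    tries them; the client stops at the first HRA it can contact.
#    Path assumption: the DomainHRA web application exposes hcsrvext.dll.
$order = 1
foreach ($hra in $hraServers) {
    & netsh nap client add server group="$groupName" url="https://$hra/DomainHRA/hcsrvext.dll" processingorder=$order
    $order++
}

# 3. Enable the IPsec Relying Party enforcement client (ID 79619).
& netsh nap client set enforcement id=79619 admin=enable

# 4. The NAP Agent service (napagent) must be running for any enforcement client
#    to work; make it start automatically so the client is evaluated at boot.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# 5. Verify. "show configuration" lists the trusted server group and enforcement
#    clients; "show state" shows whether the enforcement client is enabled and,
#    after the first HRA contact, the client's restriction state.
& netsh nap client show configuration
& netsh nap client show state
```

When a client does receive NAP settings through Group Policy, the GPO values take precedence over the local configuration, so the local commands are useful mainly for testing and for clients outside the domain. If "show state" reports the IPsec Relying Party as enabled but the client never obtains a health certificate, the URL, the server certificate's common name, and the trust chain are the first things to compare against step 4 above.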

Step 5: Configuring IPsec Connection Security Rules

Next, configure any servers that should be accessed only by compliant computers to require IPsec for inbound (but not outbound) connections. Note that this will prevent network communications from all computers that are not NAP-compliant or NAP-capable. In the Windows Firewall With Advanced Security snap-in (which you can access within the Configuration node of Server Manager), follow these steps:

  1. Click Connection Security Rules. Then, right-click Connection Security Rules, and then choose New Rule. The New Connection Security Rule Wizard page appears.

  2. On the Rule Type page, select Isolation. Then, click Next.

  3. On the Requirements page, select Require Authentication For Inbound Connections And Request Authentication For Outbound Connections. Click Next.

  4. On the Authentication Method page, select Advanced. Then, click Customize. In the First Authentication Group, click Add. In the Add First Authentication Method dialog box, shown in Figure 8-7, click Computer Certificate From This Certification Authority (CA). Click Browse and select the CA used to generate the certificate for your HRA. Click OK. Select the Accept Only Health Certificates and Enable Certificate To Account Mapping check boxes and then click OK. When you return to the wizard, click Next.

    Figure 8-7 Requiring health certificates for a server

  5. On the Profile page, click Next.

  6. On the Name page, type a name, and then click Finish.

After the policy is applied to computers, only clients with a valid health certificate will be able to communicate. For this reason, you can’t require health certificates for your HRA server, or clients would be unable to retrieve their health certificates.

For the HRA server, remediation servers, and any other computer that should be accessible by either noncompliant or non-NAP–capable computers, configure an IPsec connection security rule to request, but not require, security for inbound connections. For more information, read Chapter 6.
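The two rules described above (require for protected servers, request for the HRA and remediation servers) as an added netsh advfirewall script; this is example code, not from the book. The CA name is a placeholder, and the certmapping option syntax is an assumption to verify against netsh help on your build.

```powershell
# Added example (not from the book): create the Step 5 connection security rules with
# netsh advfirewall instead of the wizard. Run elevated on the server being configured.
# Assumption: 'CN=Contoso Issuing CA' is a placeholder for the CA that issued the HRA's
# certificates; replace it with your own CA's subject name.
$HealthCertCa = 'CN=Contoso Issuing CA'

function New-NapHealthCertRule {
    param(
        [Parameter(Mandatory)][string]$Name,
        # Require : servers only compliant computers may reach (require inbound, request outbound).
        # Request : HRA, remediation servers and anything noncompliant or non-NAP clients must reach.
        [Parameter(Mandatory)][ValidateSet('Require', 'Request')][string]$Mode,
        [string]$CertificationAuthority = $HealthCertCa
    )
    $action = if ($Mode -eq 'Require') { 'requireinrequestout' } else { 'requestinrequestout' }

    # auth1healthcert=yes is the netsh form of "Accept Only Health Certificates".
    # 'certmapping:yes' inside the auth1ca string is assumed to be the netsh form of
    # "Enable Certificate To Account Mapping"; confirm with 'netsh advfirewall consec add rule ?'.
    $netshArgs = @(
        'advfirewall', 'consec', 'add', 'rule',
        "name=$Name",
        'endpoint1=any', 'endpoint2=any',
        "action=$action",
        'auth1=computercert',
        "auth1ca=$CertificationAuthority certmapping:yes",
        'auth1healthcert=yes',
        'profile=domain'
    )
    & netsh @netshArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh could not create rule '$Name'" }
}

function Show-NapHealthCertRule {
    param([Parameter(Mandatory)][string]$Name)
    # Lists the rule so you can confirm the action and authentication method took effect.
    netsh advfirewall consec show rule "name=$Name" verbose
}

# Usage, run on the respective machines:
# Protected file server: only holders of a health certificate can open inbound connections.
# New-NapHealthCertRule -Name 'NAP IPsec - require health cert' -Mode Require
# HRA or remediation server: request security so noncompliant clients can still reach it.
# New-NapHealthCertRule -Name 'NAP IPsec - request health cert' -Mode Request
# Show-NapHealthCertRule -Name 'NAP IPsec - require health cert'
```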

For NAP clients running Windows XP SP3, you will need to configure the equivalent policies using the IP Security Policies snap-in, available in Group Policy at Computer Configuration\Policies\Windows Settings\IP Security Policies. To configure a Windows XP SP3–based NAP client to use its health certificate for IPsec authentication, you must set the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley\IKEFlags registry value to 0x1c.

Configuring 802.1X Enforcement

Configuring 802.1X enforcement requires the following high-level steps:

  1. Use the Configure NAP Wizard to configure the connection request policy, network policy, and NAP health policy, as described in the section of this chapter entitled “Using the Configure NAP Wizard.” Although you can configure these elements individually, using the wizard is much easier. On the Virtual LAN (VLAN) Configuration page, you will need to specify the ACLs or VLANs for both compliant and noncompliant NAP clients, as shown in Figure 8-8. Refer to your switch documentation for information about which RADIUS attributes to use to specify the VLAN or ACL.

    Figure 8-8 Configuring the VLAN for unrestricted network access

  2. Configure your 802.1X authenticating switches to perform Protected Extensible Authentication Protocol (PEAP)-based authentication (either PEAP-MS-CHAP v2 or PEAP-TLS) and submit RADIUS requests to your NAP server. Additionally, configure a reauthentication interval to require authenticated client computers that remain connected to the network to be reauthenticated regularly. Microsoft suggests a reauthentication interval of four hours. Refer to your switch documentation for instructions.

  3. If you plan to use certificates for authentication (using either PEAP-TLS or EAP-TLS), deploy a PKI such as the Certificate Services role and distribute certificates to client computers using a mechanism such as Active Directory autoenrollment. For more information, refer to Chapter 7. If you plan to use PEAP-MS-CHAP v2 domain authentication, use a PKI to issue server certificates to the NAP server.

  4. Create NAP exemptions for computers that cannot complete a NAP health evaluation by creating a network policy that grants wireless or wired access and uses the Windows Groups condition set to the security group for the exempted computers but does not use the Health Policy condition. For more information, read “Configuring Network Policies” later in this lesson.

  5. Enable the NAP EAP Quarantine Enforcement Client and start the NAP service on NAP-capable client computers. For more information, read “Configuring NAP Clients” later in this lesson.

Configuring DHCP Enforcement

Configuring DHCP enforcement requires the following high-level steps:

  1. Use the Configure NAP Wizard to configure the connection request policy, network policy, and NAP health policy, as described in the section of this chapter entitled “Using the Configure NAP Wizard.” Although you can configure these elements individually, it’s much easier to use the wizard.

  2. Configure remediation servers to define the computers that noncompliant clients can access. For more information, read “Configuring Remediation” later in this lesson.

  3. Configure a DHCP server. For more information, refer to Chapter 4, “Creating a DHCP Infrastructure.” NPS must be installed on the DHCP server. If your DHCP and primary NPS servers are different computers, configure NPS on the remote DHCP NPS server as a RADIUS proxy to forward connection requests to the primary NPS server. For more information about configuring RADIUS proxies, refer to Chapter 7.

  4. In the DHCP console, enable NAP for individual scopes or for all scopes on the DHCP server, as described in the sections that follow.

  5. Enable the NAP DHCP Quarantine Enforcement Client and start the NAP service on NAP-capable client computers. For more information, read “Configuring NAP Clients” later in this chapter.

Enabling NAP on All DHCP Scopes

To enable NAP for all DHCP scopes on a DHCP server, follow these steps:

  1. In Server Manager, right-click Roles\DHCP Server\<Computer Name>\IPv4, and then choose Properties.

  2. In the Network Access Protection tab (as shown in Figure 8-9), click Enable On All Scopes. Confirm your choice, and then select one of the following options:

    • Full Access Enables NAP for monitoring only. Noncompliant clients will be granted full network access.

    • Restricted Access Enables NAP enforcement. Noncompliant clients will be assigned an IP address configuration that grants access only to servers listed in the remediation server group.

    • Drop Client Packet Ignores DHCP requests from noncompliant clients. Windows clients will then automatically assign themselves an Automatic Private IP Addressing (APIPA) address in the 169.254.0.0/16 network, where they will be able to communicate only with other APIPA computers.

    Figure 8-9 Configuring NAP on a DHCP server

  3. Click OK.

Enabling NAP on a Single DHCP Scope

To enable NAP for a single DHCP scope, follow these steps:

  1. In Server Manager, right-click Roles\DHCP Server\<Computer Name>\IPv4\<Scope Name>, and then choose Properties.

  2. In the Network Access Protection tab, select Enable For This Scope. Then, click OK.

Repeat these steps for each scope that you want to protect using NAP. For more information, read Chapter 4.

Configuring VPN Enforcement

Configuring VPN enforcement requires the following high-level steps:

  1. Use the Configure NAP Wizard to configure the connection request policy, network policy, and NAP health policy, as described in the section of this chapter entitled “Using the Configure NAP Wizard.” Although you can configure these elements individually, it is much easier to use the wizard.

  2. Configure remediation servers to define the computers that noncompliant clients can access. For more information, read “Configuring Remediation” later in this lesson.

  3. Configure your VPN servers to perform PEAP-based authentication (either PEAP-MS-CHAP v2 or PEAP-TLS) and submit RADIUS requests to your NAP server. For more information, refer to Chapter 7.

  4. If you plan to use certificates for authentication (using either PEAP-TLS or EAP-TLS), deploy a PKI such as the Certificate Services role and distribute certificates to client computers using a mechanism such as Active Directory autoenrollment. For more information, refer to Chapter 7. If you plan to use PEAP-MS-CHAP v2 domain authentication, use a PKI to issue server certificates to the NAP server.

  5. Enable the NAP Remote Access Quarantine Enforcement Client and start the NAP service on NAP-capable client computers. For more information, read “Configuring NAP Clients” later in this chapter.

Configuring RD Gateway Enforcement

Configuring RD Gateway enforcement requires the following high-level steps:

  1. Use the Configure NAP Wizard to configure the connection request policy, network policy, and NAP health policy, as described in the section of this chapter entitled “Using the Configure NAP Wizard.” Although you can configure these elements individually, it is much easier to use the wizard.

  2. If you plan to use certificates for authentication (using either PEAP-TLS or EAP-TLS), deploy a PKI such as the Certificate Services role and distribute certificates to client computers using a mechanism such as Active Directory autoenrollment. For more information, refer to Chapter 7. If you plan to use PEAP-MS-CHAP v2 domain authentication, use a PKI to issue server certificates to the NAP server.

  3. Enable NAP health policy checks on your RD Gateway server using the RD Gateway Manager snap-in. In Server Manager, right-click Roles\Remote Desktop Services\RD Gateway Manager\<computer_name>, and then click Properties. On the RD CAP Store tab, verify that the Request Clients To Send A Statement Of Health check box is selected, which it is by default. If NPS is running on a different server, select the Central Server Running NPS check box, and then select your NPS server.

  4. On NAP-capable client computers, enable the NAP RD Gateway Enforcement Client and the EAP Enforcement Client. Then, start the NAP service. For more information, read “Configuring NAP Clients” later in this chapter.

Configuring NAP Components

Depending on the NAP enforcement type and your organization’s specific requirements, you will need to configure SHVs, NAP client settings, and health requirement policies. Additionally, during the initial deployment phase, you will need to configure NAP for monitoring only. The sections that follow describe these tasks in detail.

Configuring NAP Clients

After configuring the NPS server, you must configure client computers for NAP. The easiest way to do this is to use GPO settings in the Computer Configuration\Policies\Windows Settings\Security Settings\Network Access Protection\NAP Client Configuration node. You can configure client NAP settings using the three subnodes:

  • Enforcement Clients You must enable one policy to configure clients to use that enforcement type.

  • User Interface Settings Configure the User Interface Settings policy to provide customized text (and, optionally, an image) that users will see as part of the NAP client interface.

  • Health Registration Settings Use the Request Policy subnode to configure cryptographic settings for NAP clients (the default settings are typically fine). Use the Trusted Server Group subnode to configure an HRA for IPsec NAP clients to use.

Additionally, you must start the Network Access Protection Agent service on all client computers. You can do this manually, but it is easiest to use Group Policy settings. In your GPO, select the Computer Configuration\Policies\Windows Settings\Security Settings\System Services node. Then, double-click the Network Access Protection Agent service. Define the policy in the properties dialog box, and set it to start automatically, as shown in Figure 8-10.

Figure 8-10 Starting the Network Access Protection Agent service automatically

Finally, to allow managed clients to use the default Windows SHV, you must enable Security Center by enabling the Computer Configuration\Policies\Administrative Templates\Windows Components\Security Center\Turn On Security Center policy.

You can quickly verify a client’s configuration by running the following command at a command prompt:

netsh nap client show state

The following output shows a client that has the Network Access Protection Agent service started and only the IPsec enforcement agent enabled:

Client state:
----------------------------------------------------
Name                   = Network Access Protection Client
Description            = Microsoft Network Access Protection Client
Protocol version       = 1.0
Status                 = Enabled
Restriction state      = Not restricted
Troubleshooting URL    =
Restriction start time =

Enforcement client state:
----------------------------------------------------
Id                     = 79617
Name                   = DHCP Quarantine Enforcement Client
Description            = Provides DHCP based enforcement for NAP
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =
Initialized            = No

Id                     = 79618
Name                   = Remote Access Quarantine Enforcement Client
Description            = Provides the quarantine enforcement for RAS Client
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =
Initialized            = No

Id                     = 79619
Name                   = IPSec Relying Party
Description            = Provides IPSec based enforcement for Network Access Protection
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =
Initialized            = Yes

Id                     = 79621
Name                   = TS Gateway Quarantine Enforcement Client
Description            = Provides TS Gateway enforcement for NAP
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =
Initialized            = No

Id                     = 79623
Name                   = EAP Quarantine Enforcement Client
Description            = Provides EAP based enforcement for NAP
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =
Initialized            = No

System health agent (SHA) state:
----------------------------------------------------
Id                     = 79744
Name                   = Windows Security Health Agent
Description            = The Windows Security Health Agent checks the compliance of a computer with an administrator-defined policy.
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =
Initialized            = Yes
Failure category       = None
Remediation state      = Success
Remediation percentage = 0
Fixup Message          = (3237937214) - The Windows Security Health Agent has finished updating its security state.
Compliance results     =
Remediation results    =

Ok.

If applying Group Policy settings is not convenient, you can use the enforcement client ID numbers shown in the netsh output to enable a NAP client at the command line (or from within a script). For example, to enable the DHCP Quarantine Enforcement Client (which has an ID of 79617), run the following command:

netsh nap client set enforcement ID=79617 ADMIN="ENABLE"
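Checking the client state and enabling an enforcement client by ID, as an added PowerShell example (not code from the book): it parses the output of netsh nap client show state shown above into objects, then drives the same netsh set enforcement command. It assumes PowerShell 3.0 or later and an elevated prompt on the client; the sample text at the end is a constructed excerpt for running the parser offline.

```powershell
# Added example (not from the book): parse "netsh nap client show state" into objects and
# enable one enforcement client by the ID shown in that output. Run elevated on the client.
function Get-NapEnforcementClient {
    param(
        # Pass saved output here to exercise the parser offline; the default runs netsh live.
        [string[]]$RawOutput = (netsh nap client show state)
    )
    $section = ''
    $current = $null
    foreach ($line in $RawOutput) {
        # Section headers look like "Enforcement client state:"
        if ($line -match '^(.+?) state:\s*$') { $section = $Matches[1]; continue }
        if ($section -ne 'Enforcement client') { continue }
        # Key/value lines look like "Initialized            = Yes"
        if ($line -match '^\s*(\S[^=]*?)\s*=\s*(.*)$') {
            $key = $Matches[1]; $value = $Matches[2].Trim()
            if ($key -eq 'Id') {
                if ($current) { [pscustomobject]$current }   # emit the previous client
                $current = [ordered]@{ Id = [int]$value }
            } elseif ($current) {
                $current[$key] = $value
            }
        }
    }
    if ($current) { [pscustomobject]$current }
}

function Enable-NapEnforcementClient {
    param(
        [Parameter(Mandatory)][int]$Id,   # e.g. 79617 = DHCP Quarantine Enforcement Client
        [switch]$Exclusive                # also disable every other enforcement client
    )
    foreach ($client in Get-NapEnforcementClient) {
        $wanted = ($client.Id -eq $Id)
        if (-not $wanted -and -not $Exclusive) { continue }
        $admin = if ($wanted) { 'ENABLE' } else { 'DISABLE' }
        # Documented netsh form: set enforcement ID=<id> ADMIN=ENABLE|DISABLE
        netsh nap client set enforcement "ID=$($client.Id)" "ADMIN=$admin" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "netsh failed for enforcement client $($client.Id)" }
    }
    # Enforcement only takes effect once the agent service runs (the book sets this via Group Policy).
    Set-Service -Name napagent -StartupType Automatic
    Start-Service -Name napagent
    Get-NapEnforcementClient | Select-Object Id, Name, Initialized
}

# Offline check of the parser against a constructed excerpt of the output shown above.
$sample = @'
Client state:
----------------------------------------------------
Status                 = Enabled

Enforcement client state:
----------------------------------------------------
Id                     = 79617
Name                   = DHCP Quarantine Enforcement Client
Initialized            = No

Id                     = 79619
Name                   = IPSec Relying Party
Initialized            = Yes

System health agent (SHA) state:
----------------------------------------------------
Id                     = 79744
Name                   = Windows Security Health Agent
'@ -split "`r?`n"
Get-NapEnforcementClient -RawOutput $sample | Format-Table Id, Name, Initialized

# Live usage on a client: Enable-NapEnforcementClient -Id 79617 -Exclusive
```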

Configuring a Health Requirement Policy

Health requirement policies determine which clients must meet health requirements, what those health requirements are, and what happens if a client cannot comply. A health requirement policy is a combination of the following:

  • Connection request policy Determines whether a request should be processed by NPS.

  • System health validators Define which health checks a client must meet to be considered compliant. For example, with the default Windows SHV, you can configure whether not having a firewall enabled makes a client noncompliant.

  • Remediation server group A group of servers that noncompliant clients can access. These servers should provide clients with DNS and Active Directory services, as well as access to resources that will allow the client to become compliant, such as an update server.

  • Health policy Defines health requirements using SHV settings. Separate health policies must exist for both compliant and noncompliant clients.

  • Network policy Defines the level of network access clients get based on which health policy they match. You also use network policies to define the remediation servers that clients with limited access can connect to. As shown in Figure 8-11, you can specify network policy conditions that cause the network policy to apply to a client based on matching a specific health policy, operating system, or whether the client supports NAP.

Figure 8-11 Configuring conditions for a network policy

Configuring SHVs

Windows Server 2008 R2 includes only the Windows Security Health Validator SHV. Either Microsoft or third parties can supply additional SHVs that you would need to install on every NPS server.

After installing SHVs, configure the defaults (including the Windows SHV, described in the next section, “Configuring the Windows Security Health Validator”) by following these steps:

  1. In Server Manager, select the Roles\Network Policy And Access Services\NPS\Network Access Protection\System Health Validators node.

  2. In the details pane, right-click the SHV, and then choose Properties.

  3. First, configure the error code resolution settings, as shown in Figure 8-12. In Server Manager, right-click Roles\Network Policy And Access Services\NPS\Network Access Protection\System Health Validators\<SHV_Name>\Error Codes, and then click Properties. For each of the five settings, you can define whether clients are compliant or noncompliant. Leave these set to Noncompliant for best security. However, if you experience a problem with clients receiving an error code when they should be compliant (for example, if an SHV or SHA needs to contact external services and cannot because of intermittent connectivity problems), you can change the error code resolution to Compliant. This could allow clients who would otherwise fail a health check to connect to your network, however.

    Figure 8-12 Configuring SHV error code resolution

  4. Select the Roles\Network Policy And Access Services\NPS\Network Access Protection\System Health Validators\<SHV_Name>\Settings node in Server Manager to configure settings specific to that SHV, and then click OK. This dialog box is different for every SHV.

Configuring the Windows Security Health Validator

By default, Windows Server 2008 R2 includes a single SHV: the Windows SHV. The Windows SHV performs many of the same checks as the Security Center:

  • Verifies that a firewall (such as Windows Firewall) is enabled for all network connections. Windows XP, Windows Vista, and Windows 7 include Windows Firewall, which fulfills this requirement.

  • Verifies that antivirus software is present and that the signatures are up to date. Because Windows does not include antivirus software, this check will cause Windows computers to fail by default.

  • For Windows Vista and Windows 7 computers, verifies that antispyware software is present and the signatures are up to date. Windows Vista and Windows 7 include Windows Defender, which fulfills this requirement. You can also install Windows Defender on Windows XP computers, but the Windows Security Health Validator does not support checking antispyware software for computers running Windows XP.

  • Automatic Updating is enabled.

Additionally, you can restrict access for clients that do not have all recent security updates installed and establish what level of security updates are required: Critical Only, Important And Above, Moderate And Above, Low And Above, or All. Figure 8-13 shows the Windows Security Health Validator properties with its default settings. The Windows XP node applies only to Windows XP clients with Service Pack 3 installed.

Figure 8-13 Editing the Windows SHV properties

To configure the Windows SHV, select NPS\Network Access Protection\System Health Validators\Windows Security Health Validator\Settings in the Network Policy And Access Services snap-in. Then, in the details pane, double-click Default Configuration. Alternatively, you can create additional configurations by clicking New in the Actions pane.

Configuring Remediation

Although NPS is designed to improve security by preventing noncompliant computers from connecting to your network, when it does detect a problem, it prevents legitimate users from doing their jobs. Therefore, you need resources so that those users can quickly and easily bring their computers into compliance and once again be productive.

To provide assistance to users of noncompliant computers when requiring NAP health enforcement, you can configure a remediation server group and troubleshooting URL that will be available to users if they fail the compliance check. The remediation server group is used only for DHCP and VPN enforcement types; 802.1X and IPsec enforcement use different technologies to limit network access. Remediation servers are not required if you are using reporting mode, because computers that fail the health check will still be allowed to connect to the network.

Although your exact remediation servers will vary depending on the requirements of your SHVs (the remediation servers should allow a noncompliant computer to enter compliance), remediation servers typically consist of the following:

  • DHCP servers to provide IP configuration

  • DNS servers, and optionally WINS servers, to provide name resolution

  • Active Directory domain controllers, preferably configured as read-only, to minimize security risks

  • Internet proxy servers so that noncompliant NAP clients can access the Internet

  • HRAs so that noncompliant NAP clients can obtain a health certificate for the IPsec enforcement method

  • A troubleshooting URL server, which provides a webpage users can access to view more information about the problem

  • Antivirus update servers to retrieve updated antivirus signatures (if required by the health policy)

  • Antispyware update servers to retrieve updated antispyware signatures (if required by the health policy)

  • Software update servers

To configure these settings, follow these steps:

  1. In Server Manager, select Roles\Network Policy And Access Services\NPS\Policies\Network Policies.

  2. In the details pane, double-click the compliance policy that applies to noncompliant computers.

  3. In the properties dialog box, click the Settings tab. In the Settings list, select NAP Enforcement. Then, click the Configure button.

  4. In the Remediation Servers And Troubleshooting URL dialog box, do one or both of the following:

    • Use the Remediation Server Group list to select a remediation server group. If you haven’t created a remediation server group, click the New Group button. Name the group, and then click the Add button to add each server that should be accessible to clients who fail the compliance check. One remediation server group might be enough, but you can create separate remediation server groups for noncompliant NAP clients and non-NAP–capable clients. Click OK.

    • In the Troubleshooting URL group, type the internal URL to a webpage that provides users with more information about why they can’t connect to the network, how they can bring their computers into compliance, and whom they can call for assistance. A noncompliant computer visits this URL when a user clicks More Information in the Network Access Protection dialog box, which appears when a user attempts to troubleshoot a failed connection, as shown in Figure 8-14. On the webpage, you should provide information that the user can employ either to determine how to update the computer so that it is compliant or to troubleshoot network access. This URL is also visible when a user runs the netsh nap client show state command. The web server you specify in the URL should be part of the Remediation Server Group list so that the client computer can access it.

    Figure 8-14 Information provided to a noncompliant NAP client

  5. Click OK.

Configuring Network Policies

Network policies determine whether a connection request matches specific conditions (such as a health policy or a client operating system, or whether a computer is NAP-capable). They then grant full or limited network access to the client.

To add a network policy, follow these steps:

  1. In Server Manager, right-click Roles\Network Policy And Access Services\NPS\Policies\Network Policies, and then choose New. The New Network Policy Wizard appears.

  2. On the Specify Network Policy Name And Connection Type page, type a policy name, and then select a network access server type. For IPsec enforcement, select Health Registration Authority. For 802.1X or VPN enforcement, select Remote Access Server. If you plan to use the Health Credential Authorization Protocol (HCAP) to integrate with Cisco Network Access Control, select HCAP Server. Click Next.

  3. On the Specify Conditions page, click the Add button to create any conditions you require, as shown in Figure 8-15, and then click Next. The most useful conditions for NAP are the following:

    • Health Policies Specifies that a client must meet the conditions specified in a health policy.

    • NAP-Capable Computers Allows you to match either computers that support NAP or computers that do not support NAP.

    • Operating System Allows you to apply the network policy to NAP-capable computers with specific operating system version numbers or computer architectures (such as 32-bit or 64-bit computers). This condition is not used as frequently as Health Policies and NAP-Capable Computers.

    • Policy Expiration Use this to apply different conditions based on the current date and time. For example, if you are creating a temporary policy that applies only for the next week, you would add the Policy Expiration condition. You should create a second network policy to apply after the Policy Expiration condition expires.

    • Windows Groups, Machine Groups, And User Groups These conditions determine the computer or user’s Active Directory group membership.

    Figure 8-15 Specifying network policy conditions

  4. On the Specify Access Permission page, select Access Granted. You should never select Access Denied for NPS policies because doing so prevents the health check from occurring. Click Next.

  5. On the Configure Authentication Methods page, click Next. For NAP, authentication methods are selected in the Connection Request Policy.

  6. On the Configure Constraints page, click Next. NAP rarely uses constraints, although you could use the Day And Time Restrictions constraints to apply the network policy at only specific times.

  7. On the Configure Settings page, select NAP Enforcement. Then, select one of the following options and click Next:

    • Allow Full Network Access Grants full access. Use this option if you are creating a network policy for healthy computers.

    • Allow Full Network Access For A Limited Time Grants full access up to a specific date and then restricts access to the selected Remediation Server Group. Use this option during the initial NAP deployment if you want to offer a grace period for noncompliant computers. When selecting this option, click the Configure button to select a remediation server group and specify a troubleshooting URL. If you select this option when using VPN enforcement, VPN clients are disconnected when the expiration time is reached.

    • Allow Limited Access Limits access to the servers specified in the selected remediation server group. Use this option when creating a network policy for noncompliant computers. When selecting this option, click the Configure button to select a remediation server group and specify a troubleshooting URL.

  8. On the Completing New Network Policy Wizard page, click Finish.

  9. Right-click the network policy and choose Move Up or Move Down to prioritize it. Higher network policies are evaluated first, and the first network policy with criteria that match a client is applied.

Configuring NAP for Monitoring Only

During your initial NAP deployment, you should allow noncompliant computers to connect to all network resources, even if they fail the NAP health check. To do this, modify the noncompliant health policy to allow full network access by following these steps.

  1. In Server Manager, select Roles\Network Policy And Access Services\NPS\Policies\Network Policies. In the details pane, double-click the noncompliant policy. For example, if you specified “NAP IPsec with HRA” as the name on the Select Network Connection Method For Use With NAP page of the NAP Wizard, the network policy for noncompliant NAP clients would have the name “NAP IPsec with HRA Noncompliant.”

  2. Click the Settings tab, and then select NAP Enforcement.

  3. In the network policy properties dialog box, in the details pane, select Allow Full Network Access, and then click OK.

To re-enable NAP enforcement, change the setting to Allow Limited Access.

NAP Logging

NAP logging allows you to identify noncompliant computers. This is particularly important during the initial stages of a NAP deployment, when you will be using NAP only to gather information about the compliance level of the computers on your network. Using NAP logging, you can identify computers that are not compliant and resolve the problem before you enable NAP enforcement and prevent the computer from connecting to your network. NAP logging also enables you to identify computers that would be unable to connect to the network if NAP enforcement were enabled.

To configure NAP logging, right-click Roles\Network Policy And Access Services\NPS, and then choose Properties. On the General tab, select or clear the Rejected Authentication Requests and Successful Authentication Requests check boxes, as shown in Figure 8-16.

Figure 8-16 Configuring NPS logging

On the NAP server, you can use the Windows Logs\Security event log, available in Server Manager at Diagnostics\Event Viewer\Windows Logs\Security, to view NPS events. These events will reveal which NAP clients are not compliant. Figure 8-17 shows an event that indicates a computer that failed to pass the NAP health check. Figure 8-18 shows a computer that passed the NAP health check.

On NAP clients running Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2, use the Event Viewer console to examine the Applications and Services Logs\Microsoft\Windows\Network Access Protection\Operational log. On NAP clients running Windows XP with Service Pack 3, use the Event Viewer console to examine the System event log.

Figure 8-17 A failed NAP health check

Figure 8-18 A successful NAP health check

Additionally, you can enable tracing for the Network Access Protection Agent service to gather extremely detailed information, which is typically required only when troubleshooting complex network problems. To enable tracing, run the following command:

netsh nap client set tracing state=enable level=verbose

The trace log files are stored in the %SystemRoot%\Tracing folder.

For more information about NAP logging, refer to Chapter 7. (NPS performs the same logging when used as a RADIUS server.)
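Pulling the noncompliant computers out of the NPS Security log described in this section, as an added PowerShell example (not from the book). The NPS event IDs (6276 quarantined, 6278 full access after passing the health check), the message field labels it parses, and the client-side log name are not on the page and are assumptions from NPS audit events; PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the book): summarize NAP health-check outcomes from the NPS
# Security log, the log the section above points to for Figures 8-17 and 8-18.
# Assumptions (not on the page): NPS writes event 6276 when it quarantines a client and
# 6278 when a client passes the health check; the field labels parsed below
# ("Account Name:", "Network Policy Name:") follow the NPS audit event text.
function ConvertFrom-NapAuditEvent {
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)   # needs Id, TimeCreated, Message
    process {
        $client = if ($Event.Message -match 'Account Name:\s+(\S+)') { $Matches[1] } else { '?' }
        $policy = if ($Event.Message -match 'Network Policy Name:\s+(.+)') { $Matches[1].Trim() } else { '?' }
        $result = switch ($Event.Id) {
            6276    { 'Quarantined (noncompliant)' }
            6278    { 'Full access (compliant)' }
            default { "Other ($($Event.Id))" }
        }
        [pscustomobject]@{ Time = $Event.TimeCreated; Client = $client; Policy = $policy; Result = $result }
    }
}

function Get-NapHealthCheckSummary {
    # One row per client: how often it was checked, how often quarantined, and its latest outcome.
    param([int]$Hours = 24, [int]$MaxEvents = 5000)
    $filter = @{ LogName = 'Security'; Id = 6276, 6278; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ConvertFrom-NapAuditEvent |
        Group-Object Client | ForEach-Object {
            $last = $_.Group | Sort-Object Time -Descending | Select-Object -First 1
            [pscustomobject]@{
                Client      = $_.Name
                Checks      = $_.Count
                Quarantined = @($_.Group | Where-Object { $_.Result -like 'Quarantined*' }).Count
                LastResult  = $last.Result
                LastPolicy  = $last.Policy
                LastSeen    = $last.Time
            }
        } | Sort-Object Quarantined -Descending
}

# Client side: the Operational log named in the section above (log name assumed, not on the page).
function Get-NapClientEvent {
    param([int]$MaxEvents = 50)
    Get-WinEvent -LogName 'Microsoft-Windows-NetworkAccessProtection/Operational' -MaxEvents $MaxEvents |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# Offline run of the parser on two constructed events shaped like NPS audit messages.
$constructed = @(
    [pscustomobject]@{ Id = 6276; TimeCreated = Get-Date
        Message = "User:`n`tAccount Name:`t`t`tCONTOSO\HARTFORD`$`nNetwork Policy Name:`t`tNAP DHCP Noncompliant" }
    [pscustomobject]@{ Id = 6278; TimeCreated = Get-Date
        Message = "User:`n`tAccount Name:`t`t`tCONTOSO\DCSRV1`$`nNetwork Policy Name:`t`tNAP DHCP Compliant" }
)
$constructed | ConvertFrom-NapAuditEvent | Format-Table Time, Client, Result, Policy

# On the NAP server, with NPS auditing enabled: Get-NapHealthCheckSummary -Hours 72
```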

Practice: Configuring DHCP NAP Enforcement

In this practice, you configure DHCP NAP enforcement and test it with both a compliant and a noncompliant NAP client. Although DHCP NAP enforcement is the least secure enforcement type, it is used as an example here because its configuration is the easiest to demonstrate. To prepare for the exam, you should configure each of the different NAP enforcement types in a lab environment.

Configuring NAP DHCP enforcement is a common scenario for networks with hardware that does not support 802.1X and where IPsec is not available. Although DHCP enforcement does not prevent knowledgeable attackers from connecting to your network, it does inform users who are unaware of the problem that their computers do not meet your security requirements. In production environments, you would typically implement NAP for monitoring only before enabling NAP enforcement.

EXERCISE 1 Adding the NPS and DHCP Server Roles

In this exercise, you add the Network Policy And Access Services and DHCP Server roles to Dcsrv1. If either of these roles already exists (for example, if you added one or both in a previous exercise), remove the roles before continuing.

  1. Configure Dcsrv1 with a static IP address of 192.168.1.2, a subnet mask of 255.255.255.0, and a DNS server address of 192.168.1.2. You can use a different IP address for Dcsrv1 as long as you replace all instances of 192.168.1.2 in this practice with Dcsrv1’s IP address. Start Hartford, and verify that it is a member of the domain and can communicate with Dcsrv1.

  2. In Server Manager, on Dcsrv1, select Roles. In the details pane, click Add Roles. The Add Roles Wizard appears.

  3. If the Before You Begin page appears, click Next.

  4. On the Select Server Roles page, select the Network Policy And Access Services and DHCP Server check boxes. If the roles are already installed, remove them first, and then return to this step. Click Next.

  5. On the Network Policy And Access Services page, click Next.

  6. On the Select Role Services page, select the Network Policy Server check box. Click Next.

  7. On the DHCP Server page, click Next.

  8. On the Network Connection Bindings page, click Next.

  9. On the IPv4 DNS Settings page, click Next.

  10. On the IPv4 WINS Settings page, click Next.

  11. On the DHCP Scopes page, click Add. Complete the Add Scope dialog box, as shown in Figure 8-19. Name the scope NAP Clients. Provide an IP address range of 192.168.1.10 to 192.168.1.100. If you are using a different IP address for Dcsrv1, specify an IP address range on the same subnet. In the Subnet Mask box, type 255.255.255.0. In the Default Gateway box, type 192.168.1.1 (even though that IP address does not exist). In the Subnet Type list, select Wireless. Selecting Wireless simply specifies a shorter lease duration, which requires NAP clients to process any health policy updates more regularly. Click OK, and then click Next.

    Figure 8-19 Configuring a DHCP scope

  12. On the Configure DHCPv6 Stateless Mode page, click Next.

  13. On the IPv6 DNS Settings page, click Next.

  14. On the Authorize DHCP Server page, click Next.

  15. On the Confirmation page, click Install.

  16. On the Results page, click Close.

The DHCP Server role and the core NPS service are now installed.

EXERCISE 2 Configuring NAP on the DHCP Server

In this exercise, you must configure NAP on the DHCP server to enforce health checks before assigning client computers an IP address that provides unlimited network access.

  1. In Server Manager on Dcsrv1, select Roles\Network Policy And Access Services\NPS. If the node does not appear, close and re-open Server Manager.

  2. In the details pane, under Standard Configuration, in the drop-down list, select Network Access Protection (NAP), and then click Configure NAP.

  3. On the Select Network Connection Method For Use With NAP page, under Network Connection Method, select Dynamic Host Configuration Protocol (DHCP). Click Next.

  4. On the Specify NAP Enforcement Servers Running DHCP Server page, click Add. In the New RADIUS Client dialog box, type Dcsrv1 in the Friendly Name box and type Dcsrv1’s IPv4 address (192.168.1.2) in the Address box. Click OK, and then click Next.

  5. On the Specify DHCP Scopes page, click Next to apply NAP to all DHCP scopes.

  6. On the Configure Machine Groups page, click Next to apply the policy to all users.

  7. On the Specify A NAP Remediation Server Group And URL page, click New Group. In the New Remediation Server Group dialog box, type a Group Name of DHCP Remediation Servers. Then, click Add and provide a Friendly Name of NAP and Dcsrv1’s IPv4 address (192.168.1.2). Click OK twice. Notice that you can also type a troubleshooting URL in this dialog box if you had set up a webpage for this purpose and added that server to the remediation server group. For now, type a troubleshooting URL of http://contoso/help. Although this URL will not work, it will allow you to see how the troubleshooting URL is used. Click Next.

  8. On the Define NAP Health Policy page, click Next to accept the default settings.

  9. On the Completing NAP Enforcement Policy And RADIUS Client Configuration page, click Finish.

  10. In Server Manager, select Roles\Network Policy And Access Services\NPS\Policies\Connection Request Policies. Verify that the NAP DHCP policy exists and that it is the first policy listed. If other NAP connection request policies exist, remove them. Similarly, if other network policies exist, you should remove them, too.

Now you need to enable NAP enforcement on the DHCP server:

  1. In Server Manager, select Roles\DHCP Server\<Computer Name>\IPv4. Then right-click the node, and choose Properties.

  2. In the Network Access Protection tab, click Enable On All Scopes, and then click Yes. Then select Restricted Access, and click OK.

EXERCISE 3 Configuring NAP Client Group Policy Settings

After configuring the NPS server, you must configure client computers for NAP by following these steps:

  1. Click Start, Administrative Tools, and then Group Policy Management. The Group Policy Management console appears.

  2. Right-click Group Policy Management\Forest\Domains\<Domain Name>\Default Domain Policy, and then click Edit. The Group Policy Management Editor console appears.

  3. Select the Computer Configuration\Policies\Windows Settings\Security Settings\Network Access Protection\NAP Client Configuration\Enforcement Clients node.

  4. In the details pane, double-click DHCP Quarantine Enforcement Client. Select the Enable This Enforcement Client check box, and then click OK.

  5. Select the Computer Configuration\Policies\Windows Settings\Security Settings\System Services node. Then, in the details pane, double-click Network Access Protection Agent. Select the Define This Policy Setting check box, and then select Automatic. Click OK.

  6. Select the Computer Configuration\Policies\Administrative Templates\Windows Components\Security Center node. In the details pane, double-click Turn On Security Center. Select Enabled, and then click OK.

EXERCISE 4 Testing a Noncompliant Client

In this exercise, you connect a noncompliant computer to the network and determine whether it receives an IP address intended for compliant or noncompliant computers.

  1. On Hartford, open a command prompt with administrative credentials and run the command gpupdate /force. This retrieves the updated Group Policy settings from the domain controller, verifying that the changes you made for NAP clients are applied correctly. Verify that the Network Access Protection Agent service is started.

  2. On Hartford, run the command netsh nap client show state to verify that the DHCP Quarantine enforcement client is enabled. If it is not, run the command netsh nap client set enforcement ID = 79617 ADMIN = "ENABLE" to enable it manually (79617 is the ID of the DHCP Quarantine enforcement client).

  3. Disable any DHCP servers other than Dcsrv1. If you are using virtual machines, you can create a virtual network and connect both Dcsrv1 and Hartford to the virtual network.

  4. Connect Hartford to the same network as Dcsrv1.

  5. On Hartford, open a command prompt with administrative privileges. Then, run the following commands to retrieve new IP address settings from the DHCP server:

    ipconfig /release
    ipconfig /renew

  6. The client computer should display a new IP address configuration, with an IP address of 192.168.1.10 and a subnet mask of 255.255.255.255. Because the subnet mask is invalid (it should be 255.255.255.0), this indicates that the client computer failed the NAP health check.

  7. At a command prompt, run the command route print. In the IPv4 Route Table, you should see a route with a Network Destination of 192.168.1.2. This address corresponds to the remediation server you configured.

  8. At a command prompt, run the command ping 192.168.1.2 (the IP address of Dcsrv1). Dcsrv1 should respond to the ping, verifying that the remediation server is accessible.

  9. At a command prompt, run the command ping 192.168.1.1. The command fails with a Transmit Failed error because there is no valid route to the destination.

  10. Notice that a notification bubble appears in the system tray, indicating that there was a problem. Click the link to view the details of the error. Notice that the error specifies that Windows did not detect an antivirus program. Click the More Information button to attempt to open the http://contoso/help page. Click Close.

  11. On Dcsrv1, check the System event log. Find the event indicating that the client computer failed the NAP health check. If you had implemented NAP in monitoring-only mode, this would be the only sign that a computer did not meet the health requirements.

EXERCISE 5 Updating a Health Policy

In this exercise, you change the health policy to allow the client computer to pass the health check.

  1. On Dcsrv1, in Server Manager, select Roles\Network Policy And Access Services\NPS\Network Access Protection\System Health Validators\Windows Security Health Validator\Settings. In the details pane, double-click Default Configuration.

  2. On the Windows 7/Windows Vista tab, clear the An Antivirus Application Is On check box. Then, clear the Automatic Updating Is Enabled check box. Click OK.

The Hartford client computer will be able to pass the remaining health validation tests.

EXERCISE 6 Testing a Compliant Client

In this exercise, you connect a compliant computer to the network and determine whether it receives an IP address intended for compliant or noncompliant computers.

  1. On Hartford, open a command prompt with administrative privileges. Then, run the following commands to retrieve new IP address settings from the DHCP server:

    ipconfig /release
    ipconfig /renew

    The client computer should display a new IP address configuration, with an IP address of 192.168.1.10, a subnet mask of 255.255.255.0, and a default gateway of 192.168.1.1. Because the subnet mask is now valid, the client will be able to connect to other computers on the subnet (if any were available). A notification bubble will also appear, indicating that you have met the network’s requirements.

  2. On Hartford, open Event Viewer and view the Applications and Services Logs\Microsoft\Windows\Network Access Protection\Operational log. Examine the events for both the unsuccessful and successful NAP health checks.

  3. On Dcsrv1, open Event Viewer and view the Windows Logs\Security log. Examine the events for both the unsuccessful and successful NAP health checks.
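The checks in Exercises 4 and 6 (subnet mask, route to the remediation server, reachability, and the client's NAP log) can be run from a single script on Hartford after ipconfig /renew. This is an added example, not code from the training kit; it assumes Dcsrv1 is the remediation server at 192.168.1.2 and that the client NAP log is named Microsoft-Windows-NetworkAccessProtection/Operational.

```powershell
# Added example (not from the training kit): report whether this NAP client's
# DHCP lease is a restricted one, as produced by DHCP NAP enforcement.
# Assumptions: remediation server is Dcsrv1 at 192.168.1.2 (as in the practice);
# the client NAP log name below is assumed.
$RemediationServer = '192.168.1.2'

function Get-NapLeaseState {
    # WMI is used so the script also runs on a Windows 7 client (PowerShell 2.0).
    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled -and $_.DHCPEnabled -and $_.IPAddress }
    foreach ($nic in $nics) {
        $mask = $nic.IPSubnet[0]
        $gw   = $nic.DefaultIPGateway
        # A restricted lease carries a 255.255.255.255 mask and no default
        # gateway (Exercise 4, step 6); a compliant lease gets 255.255.255.0
        # and the gateway 192.168.1.1 (Exercise 6, step 1).
        $restricted = ($mask -eq '255.255.255.255') -or (-not $gw)
        New-Object PSObject -Property @{
            Adapter    = $nic.Description
            IPAddress  = $nic.IPAddress[0]
            SubnetMask = $mask
            Gateway    = ($gw -join ',')
            Restricted = $restricted
        }
    }
}

Get-NapLeaseState | Format-Table Adapter, IPAddress, SubnetMask, Gateway, Restricted -AutoSize

# Host routes (mask /32) installed for a restricted lease (Exercise 4, step 7).
# The list also shows the interface's own address and the broadcast route.
Get-WmiObject Win32_IP4RouteTable |
    Where-Object { $_.Mask -eq '255.255.255.255' -and $_.Destination -ne '127.0.0.1' } |
    Select-Object Destination, Mask, NextHop, InterfaceIndex

# Both a restricted and a compliant client must reach the remediation server
# (Exercise 4, step 8); failure here points at the remediation server group.
if (Test-Connection -ComputerName $RemediationServer -Count 1 -Quiet) {
    Write-Output "Remediation server $RemediationServer reachable"
} else {
    Write-Warning "Remediation server $RemediationServer NOT reachable"
}

# Most recent client-side NAP events, to compare the failed and passed checks
# (Exercise 6, step 2). Log name is an assumption; see lead-in.
Get-WinEvent -LogName 'Microsoft-Windows-NetworkAccessProtection/Operational' `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

Run it once after Exercise 4 (Restricted should be True) and again after Exercise 6 (Restricted should be False) to see the two lease states side by side.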

You can now remove NAP from Dcsrv1 and remove the DHCP enforcement client configuration from Hartford.

Lesson Summary

  • Network Access Protection (NAP) allows you to verify that computers meet specific health requirements before granting them unlimited access to your internal network. You can enforce NAP by using IPsec, 802.1X access points, VPN servers, or DHCP servers.

  • When deploying NAP, plan to implement it in monitoring-only mode first. This will allow you to identify and fix noncompliant computers before preventing them from connecting to your network.

  • You can use Server Manager to install and configure Network Policy Server.

  • Although the Configure NAP Wizard performs much of the configuration, each of the different NAP enforcement methods requires customized configuration steps.

  • Before NAP takes effect, you must configure NAP clients. Additionally, when using IPsec enforcement, you must configure a health requirement policy.

  • By default, NAP adds events to the Security event log on the NAP server each time a computer passes or fails a NAP health check. You can use the Security event log for auditing and to identify noncompliant computers that require manual configuration to become compliant.

Lesson Review

You can use the following questions to test your knowledge of the information in Lesson 2, “Configuring Network Access Protection.” The questions are also available on the companion CD if you prefer to review them in electronic form.

  1. You are currently configuring NAP enforcement in a lab environment. You need to create a network policy that prevents noncompliant computers from connecting to the network. How should you configure the network policy properties?

    1. On the Settings tab, set NAP Enforcement to Allow Limited Access.

    2. On the Overview tab, set Access Permission to Deny Access.

    3. On the Constraints tab, set the Session Timeout to 0.

    4. On the Settings tab, create an IP filter that drops all traffic.

  2. You are a systems engineer developing NAP scenarios for future deployment within your organization. You want to configure a set of remediation servers that should be accessible for clients that do not support NAP. Which of the following do you need to do? (Choose all that apply.)

    1. Create a health policy and set it to Client Fails All SHV Checks.

    2. Create a network policy with a Condition type of NAP-Capable Computers.

    3. Create a remediation server group with the servers that should be accessible.

    4. Create a connection request policy with a Condition type of NAP-Capable Computers.

  3. You are a systems administrator configuring NAP using DHCP enforcement. You plan to run NPS and DHCP on separate computers. Which of the following requirements do you need to fulfill? (Choose all that apply.)

    1. Configure a RADIUS proxy on the DHCP server.

    2. Install NPS on the DHCP server.

    3. Install HRA on the DHCP Server.

    4. Configure Certificate Services on the DHCP server.