Configuring Windows Firewall and Network Access Protection
To further practice and reinforce the skills you learned in this chapter, you can perform the following tasks:
Review the chapter summary.
Review the list of key terms introduced in this chapter.
Complete the case scenarios. These scenarios set up real-world situations involving the topics of this chapter and ask you to create a solution.
Complete the suggested practices.
Take a practice test.
Windows Firewall is enabled by default to block most unwanted incoming connections. With additional configuration, you can limit the incoming connections that are allowed to specific subnets, user groups, or computer groups. Additionally, you can control which applications can initiate outgoing connections.
Network Access Protection (NAP) is not enabled by default and requires complex planning and configuration to implement. After you deploy it, however, NAP provides network-level protection by allowing only clients that pass a health check to connect to your network.
Do you know what these key terms mean? You can check your answers by looking up the terms in the glossary at the end of the book.
In the following case scenarios, you will apply what you’ve learned about how to plan and deploy Windows Firewall and NAP. You can find answers to these questions in the “Answers” section at the end of this book.
Case Scenario 1: Evaluating Firewall Settings
You are a systems administrator for Fabrikam, Inc. Recently, your IT development department created a new client/server application that uses a web service. Your manager asks you to interview key people and then come to his office to answer his questions about the changes you will need to make to the Windows Firewall configuration.
Following is a list of company personnel interviewed and their statements:
Developer “It’s a web service application, but it doesn’t use IIS. Instead, it’s its own service and listens for connections on TCP port 81. We need the server part of the application installed on Server1, and all client computers in the Accounting department should receive the client application. The client application just connects to the server on TCP port 81.”
Lead systems engineer “We use the default settings for Windows Firewall, so just let me know what I need to change.”
Answer the following questions for your manager:
What type of firewall rule will you need to create to Windows Firewall on Server1?
What type of firewall rule will you need to create on the Windows Vista client computers in the Accounting department?
Case Scenario 2: Planning NAP
You are a systems administrator at Contoso, Ltd., an enterprise that manufactures large-scale farm equipment. Last night the news carried a story of corporate espionage—and your organization was the victim. According to the story, an employee of your biggest competitor gained access to your internal network six months ago, stole confidential plans for new equipment, and used them to improve their own designs. Last week, a disgruntled employee contacted the media and told the entire story.
Apparently, your competitor’s employee waited patiently at a coffee shop near your offices. When he saw someone come in with a laptop and a Contoso badge, he waited for the employee to connect to the wireless network. He then exploited a known network vulnerability (which had been fixed several months earlier but had not been updated on the employee’s computer) in the user’s computer running Windows XP to install a tool that would automatically gather and forward documents from your company’s internal network.
Your Chief Executive Officer (CEO) blames your Chief Security Officer (CSO), who in turn holds your Chief Information Officer (CIO) responsible. The CIO blames your manager, and your manager needs your help to create a plan to prevent this from happening again.
Answer the following questions for your manager:
Why would the attacker have been able to exploit a network vulnerability? How can that be prevented?
Is there some way we could have prevented the malware application from transmitting the confidential documents to a server on the Internet?
We can never guarantee that mobile computers will receive updates and won’t be infected. After all, some of our staffers stay disconnected from the internal network for weeks at a time. So how can we keep these computers from connecting to our internal network and potentially doing damage?
If we suddenly turn on NAP, won’t that cause problems for many of our client computers? How can we prevent that?
Which NAP enforcement method should we use?
To help you successfully master the exam objectives presented in this chapter, complete the following tasks.
Configure Firewall Settings
For this task, you should complete all four practices to gain real-world experience working with Windows Firewall.
Practice 1 Configure outbound filtering to block requests by default. Then, create firewall rules to allow common applications, including Internet Explorer and Microsoft Office, to connect to the Internet. Verify that Windows Update can retrieve updates from Microsoft.
Practice 2 Using a computer that is connected to the public Internet, enable firewall logging. Wait several hours, and then examine the firewall log. What types of requests were dropped? What might have happened if the firewall were not enabled?
Practice 3 On your organization’s production network, examine the inbound firewall rules. How can you adjust the scope of these rules to minimize security risks?
Practice 4 Register for and watch the “Windows Vista Firewall And IPSec Enhancements” presentation by Steve Riley at https://msevents.microsoft.com/CUI/Register.aspx?EventID=1032298288.
Configure Network Access Protection
For this task, you should complete all six practices to gain experience using Network Access Protection in a variety of scenarios.
Practice 1 In a lab environment, deploy NAP using 802.1X, VPN, and IPsec. First, deploy NAP in monitoring-only mode. Then, switch to NAP enforcement.
Practice 2 Create a webpage that you could specify in the Troubleshooting URL, providing all the information the user of a noncompliant computer needs to remedy a problem and connect to the network.
Practice 3 Create a NAP test environment, including remediation servers. Using a noncompliant computer and any NAP enforcement technique, verify that you can bring the computer into compliance using just the resources provided by your remediation servers.
Practice 4 Watch the “Security and Policy Enforcement: Network Access Protection” presentation by Graziano Galante at http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=491.
Practice 5 Watch the “NAP using DHCP in Windows Server 2008 R2” presentation by Kunal D. Mehta at http://www.youtube.com/watch?v=iRtsj3BbwVs.
Practice 6 Watch the “NAP Network Access Protection Demo” at http://www.youtube.com/watch?v=DoO-x5MSsKw.
Take a Practice Test
The practice tests on this book’s companion CD offer many options. For example, you can test yourself on just the content covered in this chapter, or you can test yourself on all the 70-642 certification exam content. You can set up the test so that it closely simulates the experience of taking a certification exam, or you can set it up in study mode so that you can look at the correct answers and explanations after you answer each question.