Lesson 2: Firewalls and Network Access Protection
You deploy NAP on your network as a method of ensuring that computers accessing important resources meet certain client health benchmarks. These benchmarks include (but are not limited to) having the most recent updates applied, having antivirus and anti-spyware software up to date, and having important security technologies such as Windows Firewall configured and functional. In this lesson, you will learn how to plan and deploy an appropriate NAP infrastructure and enforcement method for your organization.
Windows Firewall with Advanced Security
The simplest method of enforcing a standardized firewall configuration across an organization is to use Group Policy. You can configure inbound and outbound rules, as well as enable and disable Windows Firewall with Advanced Security for specific profiles, through the Computer Configuration/Policies/Windows Settings/Windows Firewall With Advanced Security node of Group Policy.
You can configure new rules based on a specific program, port, or predefined rule. Rules can be applied to inbound and outbound traffic. In many domain environments, administrators use outbound rules as a way of blocking the use of specific programs such as file sharing or instant messaging programs. Although the best way to block this sort of traffic is to stop the software from being installed in the first place or to restrict its use with AppLocker policies, many domain environments have users with laptops that are taken on and off the network, and in some cases those laptop users are given local administrative control over their computers. Applying firewall rules to each computer through Group Policy allows administrators to block programs that may use SSL tunnels to get around the perimeter firewall configuration.
Windows Firewall with Advanced Security can be used to create connection security rules that secure traffic by using IPsec. Domain isolation uses an AD DS domain, domain membership, and Windows Firewall with Advanced Security Group Policy settings to enforce a policy that forces domain member computers to accept incoming communication requests only from other computers that are members of the same domain. When enforced, computers that are members of the domain are isolated from computers that are not members of the domain. It is important to remember that in domain isolation scenarios, isolated computers can initiate communication with hosts outside the domain, such as web servers on the Internet. However, they will not respond when network communication is initiated from a host outside the domain.
Domain isolation policies are applied through the Computer Configuration/Policies/Windows Settings/Security Settings/Windows Firewall with Advanced Security node of a GPO by accessing the Connection Security Rules item.
Server isolation works in a similar way to domain isolation except that instead of applying to all computers within a domain, a server isolation policy applies only to a specific set of servers in a domain. You do this by placing the computer accounts of the servers that will be isolated in a specific OU and then applying a GPO that has an appropriately configured connection security rule to that OU. When enforced, only computers that are members of the domain are able to communicate with the isolated servers. This can be an effective way of protecting servers when you must grant network access to third-party computers. The third-party computers are able to access some network resources, such as intranet web and DNS servers, but you can isolate specific network resources, such as file servers and databases, by configuring server isolation policies.
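As an added example (not from the book), the following PowerShell session uses the netsh advfirewall command, which is available on Windows Server 2008 R2 and Windows 7, to write both kinds of rule discussed above into a domain GPO instead of the local policy store: an outbound program-block rule and a domain isolation connection security rule. The GPO name adatum.com\FirewallPolicy and the program path are assumptions.

```powershell
# Added example: manage Windows Firewall with Advanced Security rules in a GPO with netsh.
# Assumptions: a GPO named FirewallPolicy exists in adatum.com and is linked to the OU that
# holds the computers to isolate; the program path is a placeholder for a real product.
$gpo = 'adatum.com\FirewallPolicy'

# Point netsh at the GPO store so the rules below land in Group Policy, not the local policy.
netsh advfirewall set store gpo=$gpo

# Outbound rule: block a specific program no matter which port or SSL tunnel it tries to use.
netsh advfirewall firewall add rule `
    name=BlockContosoMessengerOut `
    dir=out action=block enable=yes profile=any `
    program="C:\Program Files\Contoso\Messenger\messenger.exe"

# Domain isolation: require authenticated (Kerberos computer credential) inbound connections
# and only request authentication outbound, so isolated computers can still initiate
# communication with hosts outside the domain, such as web servers on the Internet.
netsh advfirewall consec add rule `
    name=DomainIsolation `
    endpoint1=any endpoint2=any `
    action=requireinrequestout `
    auth1=computerkerb `
    enable=yes profile=domain

# Review what was written to the GPO before Group Policy refresh pushes it to clients.
netsh advfirewall firewall show rule name=BlockContosoMessengerOut
netsh advfirewall consec show rule name=DomainIsolation

# Switch netsh back to the local policy store.
netsh advfirewall set store local
```

Linking the same GPO to an OU that contains only specific server accounts, rather than to the whole domain, turns this into the server isolation scenario described above.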
Forefront Threat Management Gateway
While Windows Firewall with Advanced Security is an appropriate solution to protect individual servers, you should look toward a more fully featured firewall, such as Microsoft Forefront Threat Management Gateway (TMG) 2010, as a solution between your organization’s perimeter network and the Internet. Perimeter networks are networks that exist between the Internet and an organization’s internal network. Organizations host resources that need to be available to the Internet on perimeter networks. This allows them to provide an external firewall to protect the resource and then also to provide a firewall between the perimeter network and the internal network as a second layer of protection. In most configurations, traffic can pass from the Internet to the perimeter network and back, or from the internal network to the perimeter network and back, but never directly from the internal network to the Internet without passing in some way across the perimeter network.
Forefront TMG 2010 includes the following advanced features:
Packet inspection and application filtering
Intrusion Prevention System (IPS)
Web filtering based on URL or URL category (for example, filtering sports or entertainment websites)
Web traffic monitoring
Publish reverse proxy services to the Internet, such as websites, Microsoft Outlook Web Access, and Microsoft SharePoint sites, including SSL bridging functionality
Create site-to-site VPNs
The ability to publish VPN servers to the Internet
You can install Forefront TMG 2010 on computers running Windows Server 2008 with SP2 or Windows Server 2008 R2. When you install Forefront TMG 2010, the installation routine automatically installs the Network Policy Server, RRAS, and Active Directory Lightweight Directory Services (AD LDS) roles and role services.
Usually, you would install Forefront TMG on a computer that has two network adapters, with one adapter connected to the Internet and the other connected to your perimeter or internal network. It is possible to deploy Forefront TMG on a computer with a single network adapter, but in general, you would do this only when you have deployed an additional perimeter firewall solution. Forefront TMG is the latest version of the product once known as Microsoft Internet Security and Acceleration (ISA) Server. You manage Forefront TMG using the Forefront TMG console, shown in Figure 9-10.
Figure 9-10 The Forefront TMG console
Network Access Protection
Network Access Protection (NAP) is a technology that allows you to restrict network access on the basis of a client’s health. System Health Agents (SHAs) and System Health Validators (SHVs) are the components that validate a computer’s health against a configured set of benchmarks. The SHV specifies which benchmarks the client must meet. The SHA is the component against which those benchmarks are tested. The SHVs in Windows 7, Windows Vista, and Windows XP can be configured through the System Health Validators node under Network Access Protection in the Network Policy Server console. Figure 9-11 shows the settings that you can configure for the SHV in Windows 7 and Windows Vista.
Figure 9-11 An SHV in Windows 7 and Windows Vista
Third-party organizations can provide SHAs and SHVs that you can use with their own products and NAP. Deploying third-party SHAs and SHVs involves installing the SHA components on all clients and the SHV on the computer running Windows Server 2008 or Windows Server 2008 R2 that hosts the Network Policy Server role. Once installed, you create a new health policy that uses the new SHV as a compliance benchmark. A health policy can call on multiple SHVs. For example, you might create a health policy that requires all conditions on the SHV on Windows 7 or Windows Vista and the Fabrikam SHV to be met before a client is granted access to all network resources.
NAP Enforcement Methods
When a computer is found to be noncompliant with the enforced health policy, NAP enforces limited network access. This is done through an Enforcement Client (EC). Windows 7, Windows Vista, Windows XP SP3, Windows Server 2008, and Windows Server 2008 R2 include NAP EC support for IPsec, IEEE 802.1X, Remote Access VPN, and DHCP enforcement methods. Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2 also support NAP enforcement for RD Gateway connections.
NAP enforcement methods can be used either individually or in conjunction with each other to limit the network access of computers that are found not to be in compliance with configured health policies. Hence, you can apply the remote access VPN and IPsec enforcement methods to ensure that internal clients and clients coming in from the Internet are granted access to resources only if they meet the appropriate client health benchmarks.
IPsec NAP Enforcement
IPsec enforcement works by applying IPsec rules. Only computers that meet health compliance requirements are able to communicate with each other. IPsec enforcement can be applied on a per-IP address, per-TCP port number, or per-UDP port number basis. For example, you can use IPsec enforcement to block RDP access to a web server so that only computers that are healthy can connect to manage that server, but allow clients that do not meet health requirements to connect to view web pages hosted by the same web server.
IPsec enforcement applies after computers have received a valid IP address, either from DHCP or through static configuration. IPsec is the strongest NAP method of limiting network communication. Where it might be possible to subvert other methods by applying static addresses or switching ports, the IPsec certificate used for encryption can be obtained by a host only when it passes the health check. Without an IPsec certificate, communication with other hosts that encrypt their communications using a certificate issued from the same CA is impossible.
To deploy IPsec enforcement, a network environment must have a Windows Server 2008 or 2008 R2 Health Registration Authority (HRA) and a Windows Server 2008 or Windows Server 2008 R2 CA. Clients must be running Windows 7, Windows Vista, Windows Server 2008, Windows Server 2008 R2, or Windows XP SP3, all of which include the IPsec EC.
802.1X NAP Enforcement
802.1X enforcement uses authenticating Ethernet switches or IEEE 802.11 Wireless Access Points. These compliant switches and access points grant unlimited network access only to computers that meet the compliance requirement. Computers that do not meet the compliance requirement are limited in their communication by a restricted access profile. Restricted access profiles work by applying IP packet filters or virtual local area network (VLAN) identifiers. This means that hosts that have the restricted access profile are allowed only limited network communication. This limited network communication generally allows access to remediation servers. You will learn more about remediation servers later in this lesson.
An advantage of 802.1X enforcement is that the health status of clients is assessed constantly. Connected clients that become noncompliant will be placed under the restricted access profile automatically. Clients under the restricted access profile that become compliant will have that profile removed and will be able to communicate with other hosts on the network in an unrestricted manner. For example, suppose that a new antivirus update comes out. Clients that have not checked the update server recently are put under a restricted access profile until they check the server and retrieve the update. Once the check has been performed successfully, the clients are returned to full network access.
A computer running Windows Server 2008 or Windows Server 2008 R2 with the Network Policy Server role is necessary to support 802.1X NAP enforcement. It is also necessary to have switch or Wireless Access Point hardware that is 802.1X-compliant. Clients must be running Windows 7, Windows Vista, Windows Server 2008 R2, Windows Server 2008, or Windows XP SP3 because only these operating systems include the EAPHost EC.
VPN NAP Enforcement
VPN enforcement is used on connecting VPN clients as a method of ensuring that clients granted access to the internal network meet system health compliance requirements. VPN enforcement works by restricting network access to noncompliant clients through the use of packet filters. Rather than being able to access the entire network, incoming VPN clients that are noncompliant have access only to the remediation server group.
As is the case with 802.1X enforcement, the health status of a connected client is monitored continuously. If a client becomes noncompliant, packet filters restricting network access will be applied. If a noncompliant client becomes compliant, packet filters restricting network access will be removed. VPN enforcement requires an existing remote access infrastructure and an NPS server. The enforcement method uses the VPN EC, which is included with Windows 7, Windows Vista, Windows Server 2008, Windows Server 2008 R2, and Windows XP SP3.
DHCP NAP Enforcement
DHCP NAP enforcement works by providing unlimited-access IPv4 address information to compliant computers and limited-access IPv4 address information to noncompliant computers. Unlike VPN and 802.1X enforcement methods, DHCP NAP enforcement is applied only when a client lease is obtained or renewed. Organizations using this method of NAP enforcement should avoid configuring long DHCP leases because this will reduce the frequency at which compliance checks are made.
To deploy DHCP NAP enforcement, you must use a DHCP server running Windows Server 2008 or Windows Server 2008 R2 because this includes the DHCP Enforcement Service (ES). The DHCP EC is included in the DHCP Client service on Windows 7, Windows Vista, Windows Server 2008, Windows Server 2008 R2, and Windows XP SP3.
The drawback of DHCP NAP enforcement is that you can get around it by configuring a client’s IP address statically. Only users with local administrator access can configure a static IP address, but if your organization gives users local administrator access, DHCP NAP enforcement may not be the most effective method of keeping these computers off the network until they are compliant.
RD Gateway NAP Enforcement
RD Gateway NAP enforcement ensures that clients running Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2 located on the Internet that are connecting to an RD Gateway meet health compliance requirements before the RD Gateway allows connections to RDP servers on the internal network. To configure RD Gateway for NAP, you must perform the following basic steps:
Enable NAP health policy checking on the RD Gateway server by configuring the RD Gateway server to request that clients send a statement of health.
Remove any existing RD-CAPs. It is not necessary to remove existing RD-RAPs.
Configure a Windows SHV on the RD Gateway server by editing the properties of the Windows SHV in the Network Policy Server console on the RD Gateway server.
Create NAP Policies on the RD Gateway server using the Configure NAP Wizard. You will need to create two health policies (one for compliant and one for noncompliant computers), a connection request policy, and three network policies (compliant, noncompliant, and non-NAP-capable).
DirectAccess NAP Enforcement
You can incorporate NAP into your DirectAccess infrastructure as a way of ensuring that clients that are attempting to connect using DirectAccess from remote networks will be successful only if they meet network health requirements. Using NAP with DirectAccess requires similar infrastructure to the NAP IPsec enforcement method. It is necessary to ensure that your organization has at least one HRA as well as CAs that are configured to support NAP, NAP health policy servers, and the necessary remediation servers. If your remediation and HRA servers are on the intranet, you’ll need to perform the following steps:
Add the IPv6 addresses of the HRA and remediation servers to the list of management servers when running the DirectAccess Setup Wizard.
Configure the intranet tunnel rule in the DirectAccess server GPO to require health certificates.
Remediation servers generally host software updates and antivirus and anti-spyware definition files and are used to bring a client that has not passed a health check up to date. Remediation servers are accessible from the restricted networks that noncompliant clients are relegated to when they do not pass system health checks. Remediation servers allow these clients to be brought into compliance so that they can have unrestricted access to the network. Remediation server groups are added through the Remediation Server Group node of the Network Policy Server console, as shown in Figure 9-12.
Figure 9-12 Remediation Server Group node
While you usually use NAP to restrict the access of noncompliant clients, when you deploy NAP for the first time, you should use NAP in monitoring-only mode. This is because when you start out, you are likely to have a large number of noncompliant clients, and if you enforce NAP policies right at the start, a large number of the computers that you are responsible for managing will be unable to access the network. By using monitoring-only mode, you can get a good idea of how many clients in your organization do not comply with current health policies. You can then take steps to correct these problems on the clients so that when you do enforce NAP, only a small number of clients will be forced into remediation.
An SHV is a set of conditions that a computer must meet to be considered healthy. An SHA is what the NPS server checks with to determine whether a connecting client meets all the conditions of the SHV.
The four methods of NAP enforcement that can be applied to Windows Server 2008 R2, Windows Server 2008, Windows 7, Windows Vista, and Windows XP SP3 clients are IPsec, DHCP, VPN, and 802.1X enforcement. You can use RD Gateway NAP only with Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2.
NPS servers are installed as a part of the Network Policy And Access Services role. These servers are where you configure health policies and SHVs that dictate the health compliance benchmark.
Domain isolation allows you to use IPsec to limit network communication to computers that are members of a specific domain.
Forefront TMG 2010 is an advanced firewall application that can be installed on servers running Windows Server 2008 and Windows Server 2008 R2. It is often installed between a perimeter network and the Internet.
You can use the following questions to test your knowledge of the information in Lesson 2, “Planning Windows Server 2008 R2 Storage.” The questions are also available on the companion CD if you prefer to review them in electronic form.
You want only healthy computers on your network to be able to connect for management tasks to a computer running Windows Server 2008 that is used as an intranet web server, but you want to allow all clients, healthy or unhealthy, to be able to access web pages on the same server. Which of the following NAP enforcement methods should you implement without having to configure the firewall or IP address restrictions on the intranet server running Windows Server 2008?
Your network contains a mixture of Windows Vista SP1 and Windows XP SP3 clients. You want to enable NAP enforcements for the clients running Windows Vista SP1. Clients running Windows XP SP3 should not be subjected to NAP enforcement. Which of the following strategies should you pursue? (Each answer forms a part of the solution. Choose two.)
Create a network policy that specifies the operating system as a condition.
Create a VLAN for all clients running Windows XP.
Configure the network policy to allow computers running Windows Vista to bypass the health check.
Configure the network policy to allow computers running Windows XP to bypass the health check.
Your organization has one domain controller running Windows Server 2003, named 2K3DC, and one domain controller running Windows Server 2008, named 2K8DC. The domain functional level is Windows Server 2003. DNS is installed on a stand-alone computer named DNS1 running Windows Server 2003 R2. DHCP is installed on a stand-alone computer named DHCP1 running Windows Server 2003 R2. NPS is installed on a computer named NPS1 running Windows Server 2008. Which of the following computers must you upgrade if you want to use DHCP NAP enforcement?
Which of the following server roles must be available on your network if you plan to configure IPsec rules so that only healthy computers can connect to each other? (Each answer forms a part of the solution. Choose two.)
Windows Server 2008 CA
Windows Server 2008 DHCP server
Other than 802.1X-compatible switches, which of the following components must be deployed in your network environment to support 802.1X NAP enforcement? (Choose two; each solution forms a complete answer.)
The NPS server role on a computer running Windows Server 2008
A RADIUS proxy server
EAPHost EC on clients
The HCAP server role on a computer running Windows Server 2008
Practice Installing and Configuring NAP with DHCP Enforcement
In this set of practices, you will configure Windows Server 2008 R2 with the Network Policy Server role to support NAP with DHCP enforcement.
EXERCISE 1 Network Policy Server Installation and DHCP Configuration
In this exercise, you will install the NPS server role on server VAN-DC1. To complete this practice, perform the following steps:
Log on to server VAN-DC1 with the Kim_Akers user account.
Open an elevated PowerShell session and issue the following commands to ensure that the DHCP and NPS role services, if installed, are removed from the server. If these roles are present, it will be necessary to reboot the server, log on, restart PowerShell, and import the ServerManager module again.
Import-Module ServerManager
Remove-WindowsFeature DHCP, NPAS
From the elevated PowerShell session, issue the following commands to install DHCP and the NPS server roles:
Add-WindowsFeature DHCP, NPAS
From the Administrative Tools menu, click DHCP. The DHCP console will open. Right-click the DHCP node and then click Manage Authorized Servers. Click Authorize. In the Authorize DHCP Server dialog box, enter the name VAN-DC1 and then click OK. Verify that the IP address of the DHCP server matches 10.10.0.10, and then click OK. Highlight VAN-DC and then click OK.
Open the Services console. Set the properties of the DHCP Server service to start automatically. Start the service.
In the DHCP console, expand the IPv4 node under van-dc.adatum.com and then delete the scope Alpha Scope.
Select and right-click the IPv4 node under van-dc.adatum.com, and then click New Scope. This will start the New Scope Wizard. Click Next.
On the Scope Name page, enter the scope name NAP_Scope. Click Next.
Set the start IP address as 10.100.0.1 and the end IP address as 10.100.0.254. Set the Subnet Mask Length at 24. Click Next three times.
On the Configure DHCP Options page, select the No, I Will Configure These Options Later option, and then click Next. Click Finish.
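The server-side steps of Exercise 1, collected into one script as an added example (not from the book). It uses the ServerManager cmdlets the exercise already uses and the netsh dhcp command for the console steps; the FQDN van-dc1.adatum.com, the ALPHA scope network ID, and the elevated session on VAN-DC1 (10.10.0.10) are assumptions.

```powershell
# Added example: Exercise 1 as a re-runnable script. Run in an elevated PowerShell session
# on VAN-DC1. Assumptions: the server's FQDN is van-dc1.adatum.com; the network ID of the
# existing "Alpha Scope" is not given in the exercise, so it is a placeholder below.
Import-Module ServerManager

$features = 'DHCP', 'NPAS'

# Steps 2 and 3: remove any existing DHCP and NPS installation, then install both roles.
# Remove-WindowsFeature reports whether a restart is needed; if so, stop here and re-run
# the script after logging on again, as the exercise instructs.
$present = Get-WindowsFeature $features | Where-Object { $_.Installed }
if ($present) {
    $removal = Remove-WindowsFeature $features
    if ($removal.RestartNeeded) {
        Write-Warning 'Restart required. Log on again and re-run this script.'
        return
    }
}
$install = Add-WindowsFeature $features
if (-not $install.Success) { throw 'DHCP/NPAS role installation failed.' }

# Steps 4 and 5: authorize the DHCP server in AD DS and start the DHCP Server service.
netsh dhcp add server van-dc1.adatum.com 10.10.0.10
Set-Service -Name DHCPServer -StartupType Automatic
Start-Service -Name DHCPServer

# Steps 6 to 9: delete the old scope and create NAP_Scope (10.100.0.1-10.100.0.254, /24).
$alphaScopeId = 'PLACEHOLDER_ALPHA_SCOPE_NETWORK_ID'   # assumption: not given in the exercise
netsh dhcp server 10.10.0.10 delete scope $alphaScopeId DhcpFullForce
netsh dhcp server 10.10.0.10 add scope 10.100.0.0 255.255.255.0 NAP_Scope
netsh dhcp server 10.10.0.10 scope 10.100.0.0 add iprange 10.100.0.1 10.100.0.254
netsh dhcp server 10.10.0.10 scope 10.100.0.0 set state 1

# Confirm that only NAP_Scope remains before continuing with Exercise 2.
netsh dhcp server 10.10.0.10 show scope
```

Leave DHCP options unconfigured here, as in the exercise; Exercise 2 attaches the scope to NAP by its profile name NAP_Scope.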
EXERCISE 2 Configure NPS
In this exercise, you will configure NPS. To complete this practice, perform the following steps:
From the Administrative Tools menu, click Network Policy Server. The Network Policy Server console will open.
On the Getting Started page, shown in Figure 9-13, click Configure NAP.
Figure 9-13 NPS NAP Getting Started page
On the Select Network Connection Method For Use With NAP page, use the drop-down menu to select Dynamic Host Configuration Protocol (DHCP), and then click Next.
On the RADIUS Clients page, click Next.
On the DHCP Scopes page, click Add. In the Specify The Profile Name That Identifies Your DHCP Scope box, type NAP_Scope and click OK. Click Next.
On the Configure Machine Groups page, click Next.
On the Specify A NAP Remediation Server Group And URL page, click Next.
On the Define NAP Health Policy page, clear the Enable Auto-Remediation Of Client Computers option and select Allow Full Network Access To NAP-Ineligible Client Computers, as shown in Figure 9-14. Click Next, and then click Finish.
EXERCISE 3 Configure SHV
In this exercise, you will configure an SHV to support your NAP DHCP deployment. To complete this practice, perform the following steps:
In the Network Policy Server console, navigate to the Network Access Protection/System Health Validators/Windows Security Health Validator/Settings node. In the details pane, right-click Default Configuration and then click Properties. This will open the Windows Security Health Validator dialog box.
Figure 9-14 NAP Health Policy
In the details pane of the Windows Security Health Validator dialog box, scroll down to the Security Updates Settings section. Enable the Restrict Access For Clients That Do Not Have All Available Security Updates Installed option and change the severity level to Moderate And Above, as shown in Figure 9-15.
Figure 9-15 Configuring severity level