Managing Network Access Protection
Introduction to NAP Issues Although corporate networks are highly secured, no control over the configuration of remote computers Administrators does not have any idea what type of condition a remote user’s computer would be in A remote user with inadequate protection would infect files on the network with a virus, or would inadvertently disclose sensitive information because their PC was infected with some kind of Trojan
Policy Based Network Access Protection Policy Validation Determines whether the computers are compliant with the company’s security policy. Compliant computers are deemed “healthy Network Restriction Restricts network access to computers based on their health Remediation Provides necessary updates to allow the computer to “get healthy.” Once healthy, the network restrictions are removed Ongoing Compliance Changes to the company’s security policy or to the computers’ health may dynamically result in network restrictions
NAP The Network Access Protection feature’s purpose is to make sure that remote user’s computers comply with your organization’s security requirements. Network Access Protection does nothing to prevent unauthorized access to your network. If an intruder has a PC that complies with your corporate security policy, then Network Access Protection will do nothing to try to stop that intruder. Network Access Protection is simply designed to prevent legitimate users from logging on to your network using insecure PCs
NAP Components DHCP v 6.0 DNS: Requires Microsoft or third-party Active Directory: Requires Active Directory Services 2003 at a minimum Group Policy: Allows consistent configuration of NAP settings RADIUS and VPN: Requires Windows Server 2008 role access Servers must be Windows Server 2008 Agents: Microsoft and third party support Network Infrastructure check:
10 things you should know about NAP 10. The technologies required are built into Windows Server 2008, Windows Vista and XPSP 3 9. There are no additional licenses required to deploy NAP if you own CAL 8. The NAP “agent” isn’t really an agent, it is a service that runs on the box and can be managed via Group Policy 7. The agent for XP is shipping as part of Service Pack 3 for XP. 6. NAP is NOT a security solution, it is a network health solution 5. There is no NAP agent for Server Microsoft is not developing a NAP agent for any platform older than Windows XP Service Pack 3 4. NAP interoperates with Cisco’s Network Admission Control framework 3. NAP uses industry standard protocols 2. NAP is currently deployed to thousands of desktops both inside and outside of Microsoft 1. The NAP Statement of Health protocol has been accepted as a TNC/TCG standard
Access requested Authentication Information including ID and health status NPS validates against health policy If compliant, access granted If not compliant, restricted network access and remediation Not policy complia nt Policy complia nt
NAP Components NAP Server Health policyUpdates Health Statements Network Access Requests Health Certificate 802.1x Switches Policy Firewalls SSL VPN Gateways Certificate Servers System Health Validator NAP Agent (SHA) MS SHA, SMS (EC) ( DHCP, IPsec, 802.1X, VPN) (SHA) 3rd Parties (EC) 3rd Party EAP VPN’s
Product/ServiceNAP Integration Windows Server 2008Built-in NAP server roles Windows Vista (also included in XPSP3) Built-in NAP client including 802.1x, IPsec, VPN and DHCP support SCCM 2007SCCM integrates with NAP to report patch state and update systems Forefront Client ServicesFCS provides anti-virus compliance remediation (via separate download) Terminal Server 2008 GatewayProvides conditional access to Terminal Servers based on NAP
Policy validation System health validators (SHVs) are used by NPS to analyze the health status of client computers. SHVs are incorporated into network polices that determine actions to be taken based on client health status, such as the granting of full network access or the restricting of network access. Health status is monitored by client-side NAP components called system health agents (SHAs). NAP uses SHAs and SHVs to monitor, enforce, and remediate client computer configurations.
WSHA and WSHV Windows Security Health Agent (WSHA) and Windows Security Health Validator (WSHV) are included with the Windows Vista and Windows Server 2008 operating systems It enforce the following settings for NAP-capable computers: The client computer has firewall software installed and enabled. The client computer has antivirus software installed and running. The client computer has current antivirus updates installed. The client computer has antispyware software installed and running. The client computer has current antispyware updates installed. Microsoft Update Services is enabled on the client computer
NAP enforcement and network restriction NAP enforcement settings allow you to limit network access of noncompliant clients to a restricted network, to defer restriction to a later date, or to merely observe and log the health status of NAP-capable client computers. The following settings are available: Allow full network access. Allow limited access. Allow full network access for a limited time.
Remediation Noncompliant client computers that are placed on a restricted network might undergo remediation. Remediation is the process of updating a client computer so that it meets current health requirements. If additional resources are required for a noncompliant computer to update its health state, these resources must be provided on the restricted network. If a restricted network might contain a File Transfer Protocol (FTP) server that provides current virus signatures so that noncompliant client computers can update their outdated signatures. You can use NAP settings in NPS network policies to configure automatic remediation so that NAP client components automatically attempt to update the client computer when it is noncompliant.
Ongoing monitoring to ensure compliance NAP can enforce health compliance on compliant client computers that are already connected to the network. This functionality is useful for ensuring that a network is protected on an ongoing basis as health policies and the health of client computers change. Client computers are monitored when they initiate requests for network resources.
Enforcing NAP with DHCP Version 6 NAP client must be compliant with the current system health policy to receive an unlimited IP version 4 address Non-compliant NAP client will receive a IP version 4 address that allows access to the restricted network for remediation Current System Health Policy is enforced every time an IP version 4 address is leased or renewed Security groups can used for NAP exceptions using the Windows Groups condition Recommended lease time when DHCP enforcement is deployed is eight hours: A NAP client will then renew its IP version 4 address and be re- evaluated every four hours
Upgrading your Active Directory to Windows Server 2008 In-place upgrading Transitioning Restructuring
Upgrading your Active Directory to Windows Server 2008 In-place upgrading is good when: You worked hard to get your Active Directory in the shape it's in. Your servers are in tip-top shape. There's really no budget to buy new servers.
Reasons not to upgrade in-place Your servers do not meet the required patchlevel for in- place upgrading (The Windows Server 2003 patchlevel should be at least Service Pack 1) You want to upgrade across architectures (between x86, x64 and/or Itanium) You're running Windows Small Business Server 2003 Standard Edition can be upgraded to both Standard and Enterprise Edition You want your Windows Server 2008 Domain Controllers to be Server Core installations of Windows Server 2008.
Commands adprep.exe /forestprep Schema Master adprep.exe /domainprepInfrastructure Master adprep.exe /domainprep /gpprepInfrastructure Master adprep.exe /rodcprep *Domain Naming Master
Planning for Windows Server 2008 High Availability Planning for Network Load Balancing Overview of Failover Clustering in Windows Server 2008 Creating Clusters in Windows Server 2008
Lesson: Planning for Network Load Balancing Features of Network Load Balancing Improvements in Network Load Balancing for Windows Server 2008 Troubleshooting Network Load Balancing
Network Load Balancing: Features of Network Load Balancing Distributes traffic across two or more nodes Uses standard hardware Improves scalability Does not synchronize nodes
Lesson: Overview of Failover Clustering in Windows Server 2008 Clustering Features in Windows Server 2008 Failover Clustering Enhancements in Windows Server 2008 Validating a Failover Clustering Solution in Windows Server 2008 Tools to Manage Failover Clustering in Windows Server 2008
Clustering Features in Windows Server 2008 Clustering features: Failover support Scalability Versions Multiple models: Shared quorum disk Majority node set Geographically dispersed clusters Storage Windows versions supporting clusters
Failover Clustering Enhancements in Windows Server 2008 Security Storage Networking Management enhancements Quorum model
Tools to Manage Failover Clustering in Windows Server 2008 Management tools: Clusprep.exe Cluster.exe Cluster migration tool
Lesson: Creating Clusters in Windows Server 2008 Hardware Requirements for Failover Clustering Planning Failover Clusters in Windows Server 2008 Managing Failover Clustering in Windows Server 2008
Cluster.exe Failover Cluster Management MMC snap-in