Managing Network Access Protection

Introduction to NAP Issues
- Although corporate networks are highly secured, there is no control over the configuration of remote computers.
- Administrators have no idea what condition a remote user's computer is in.
- A remote user with inadequate protection could infect files on the network with a virus, or could inadvertently disclose sensitive information because their PC was infected with some kind of Trojan.

Policy Based Network Access Protection
- Policy Validation: determines whether computers are compliant with the company's security policy. Compliant computers are deemed "healthy".
- Network Restriction: restricts network access for computers based on their health.
- Remediation: provides the necessary updates to allow the computer to "get healthy". Once healthy, the network restrictions are removed.
- Ongoing Compliance: changes to the company's security policy or to the computers' health may dynamically result in network restrictions.

NAP
The purpose of the Network Access Protection feature is to make sure that remote users' computers comply with your organization's security requirements. Network Access Protection does nothing to prevent unauthorized access to your network: if an intruder has a PC that complies with your corporate security policy, Network Access Protection will do nothing to stop that intruder. Network Access Protection is simply designed to prevent legitimate users from logging on to your network using insecure PCs.

NAP Components
- DHCP: version 6.0
- DNS: Microsoft or third-party
- Active Directory: requires Active Directory Services 2003 at a minimum
- Group Policy: allows consistent configuration of NAP settings
- RADIUS and VPN: requires the Windows Server 2008 role; access servers must be Windows Server 2008
- Agents: Microsoft and third-party support
- Network infrastructure check

10 things you should know about NAP
10. The technologies required are built into Windows Server 2008, Windows Vista and XP SP3.
9. There are no additional licenses required to deploy NAP if you own a CAL.
8. The NAP "agent" isn't really an agent; it is a service that runs on the box and can be managed via Group Policy.
7. The agent for XP is shipping as part of Service Pack 3 for XP.
6. NAP is NOT a security solution; it is a network health solution.
5. There is no NAP agent for Server. Microsoft is not developing a NAP agent for any platform older than Windows XP Service Pack 3.
4. NAP interoperates with Cisco's Network Admission Control framework.
3. NAP uses industry standard protocols.
2. NAP is currently deployed to thousands of desktops both inside and outside of Microsoft.
1. The NAP Statement of Health protocol has been accepted as a TNC/TCG standard.

NAP access flow (diagram):
1. Access requested: authentication information, including ID and health status, is sent.
2. NPS validates the request against the health policy.
3. If policy compliant: access granted.
4. If not policy compliant: restricted network access and remediation.

NAP Components (architecture diagram). Elements shown: NAP Server; Health Policy; Updates; Health Statements; Network Access Requests; Health Certificate; 802.1X Switches; Policy; Firewalls; SSL VPN Gateways; Certificate Servers; System Health Validator; NAP Agent with SHAs (MS SHA, SMS) and enforcement clients (DHCP, IPsec, 802.1X, VPN); third-party SHAs and ECs (third-party EAP VPNs).

Product/Service | NAP Integration
Windows Server 2008 | Built-in NAP server roles
Windows Vista (also included in XP SP3) | Built-in NAP client including 802.1X, IPsec, VPN and DHCP support
SCCM 2007 | SCCM integrates with NAP to report patch state and update systems
Forefront Client Services | FCS provides anti-virus compliance remediation (via separate download)
Terminal Server 2008 Gateway | Provides conditional access to Terminal Servers based on NAP

Policy validation
System health validators (SHVs) are used by NPS to analyze the health status of client computers. SHVs are incorporated into network policies that determine the actions to be taken based on client health status, such as granting full network access or restricting network access. Health status is monitored by client-side NAP components called system health agents (SHAs). NAP uses SHAs and SHVs to monitor, enforce, and remediate client computer configurations.

WSHA and WSHV
The Windows Security Health Agent (WSHA) and Windows Security Health Validator (WSHV) are included with the Windows Vista and Windows Server 2008 operating systems. They enforce the following settings for NAP-capable computers:
- The client computer has firewall software installed and enabled.
- The client computer has antivirus software installed and running.
- The client computer has current antivirus updates installed.
- The client computer has antispyware software installed and running.
- The client computer has current antispyware updates installed.
- Microsoft Update Services is enabled on the client computer.

NAP enforcement and network restriction
NAP enforcement settings allow you to limit network access of noncompliant clients to a restricted network, to defer restriction to a later date, or to merely observe and log the health status of NAP-capable client computers. The following settings are available:
- Allow full network access.
- Allow limited access.
- Allow full network access for a limited time.

Remediation
Noncompliant client computers that are placed on a restricted network might undergo remediation. Remediation is the process of updating a client computer so that it meets current health requirements. If additional resources are required for a noncompliant computer to update its health state, these resources must be provided on the restricted network. For example, a restricted network might contain a File Transfer Protocol (FTP) server that provides current virus signatures so that noncompliant client computers can update their outdated signatures. You can use NAP settings in NPS network policies to configure automatic remediation so that NAP client components automatically attempt to update the client computer when it is noncompliant.
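The policy validation, WSHV checks, enforcement settings and remediation slides describe one decision pipeline; the following added example (not part of the presentation, and not Microsoft's NAP code) models it. The six WSHV requirements, the statement-of-health dictionaries and the three enforcement modes are constructed here to mirror the slides.

```python
# Constructed model of the six WSHV requirements from the WSHA/WSHV slide,
# mapped to the remediation action a restricted network would have to offer.
WSHV_REQUIREMENTS = {
    "firewall_enabled": "Enable the firewall",
    "antivirus_running": "Install and start antivirus software",
    "antivirus_current": "Install current antivirus updates",
    "antispyware_running": "Install and start antispyware software",
    "antispyware_current": "Install current antispyware updates",
    "microsoft_update_enabled": "Enable Microsoft Update",
}

def validate(soh):
    """SHV role: compare a client's statement of health (SoH), a dict of
    requirement -> bool reported by the SHA, against policy.
    Returns the failed requirements; an empty list means 'healthy'."""
    return [name for name in WSHV_REQUIREMENTS if not soh.get(name, False)]

def enforce(failures, mode, today, deadline=None, auto_remediate=False):
    """Map a validation result to one of the slide's three enforcement
    settings: 'full' (report only), 'limited' (restricted network) or
    'deferred' (full access until deadline, restricted afterwards).
    Dates are ISO 8601 strings, which compare correctly as text.
    Returns (access, remediation_steps). Note that a healthy SoH always
    yields full access: NAP checks health, not who the user is."""
    if not failures:
        return "full", []
    steps = [WSHV_REQUIREMENTS[f] for f in failures] if auto_remediate else []
    if mode == "full":
        return "full", steps            # observe and log only
    if mode == "deferred" and deadline is not None and today <= deadline:
        return "full", steps            # grace period still running
    return "restricted", steps          # 'limited', or deferred past deadline

# Constructed sample statements of health.
HEALTHY_SOH = {name: True for name in WSHV_REQUIREMENTS}
STALE_AV_SOH = dict(HEALTHY_SOH, antivirus_current=False,
                    antispyware_current=False)

if __name__ == "__main__":
    failed = validate(STALE_AV_SOH)
    print(enforce(failed, "limited", "2008-06-01", auto_remediate=True))
```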

Ongoing monitoring to ensure compliance NAP can enforce health compliance on compliant client computers that are already connected to the network. This functionality is useful for ensuring that a network is protected on an ongoing basis as health policies and the health of client computers change. Client computers are monitored when they initiate requests for network resources.

Enforcing NAP with DHCP Version 6
- A NAP client must be compliant with the current system health policy to receive an unlimited IP version 4 address.
- A non-compliant NAP client will receive an IP version 4 address that allows access only to the restricted network for remediation.
- The current system health policy is enforced every time an IP version 4 address is leased or renewed.
- Security groups can be used for NAP exceptions using the Windows Groups condition.
- The recommended lease time when DHCP enforcement is deployed is eight hours: a NAP client will then renew its IP version 4 address and be re-evaluated every four hours.

Upgrading your Active Directory to Windows Server 2008
- In-place upgrading
- Transitioning
- Restructuring

Upgrading your Active Directory to Windows Server 2008
In-place upgrading is good when:
- You worked hard to get your Active Directory in the shape it's in.
- Your servers are in tip-top shape.
- There's really no budget to buy new servers.

Reasons not to upgrade in-place
- Your servers do not meet the required patch level for in-place upgrading (the Windows Server 2003 patch level should be at least Service Pack 1).
- You want to upgrade across architectures (between x86, x64 and/or Itanium).
- You're running Windows Small Business Server 2003.
- Standard Edition can be upgraded to both Standard and Enterprise Edition.
- You want your Windows Server 2008 Domain Controllers to be Server Core installations of Windows Server 2008.

Commands (run on the holder of the listed operations master role)
adprep.exe /forestprep | Schema Master
adprep.exe /domainprep | Infrastructure Master
adprep.exe /domainprep /gpprep | Infrastructure Master
adprep.exe /rodcprep | Domain Naming Master *

Planning for Windows Server 2008 High Availability
- Planning for Network Load Balancing
- Overview of Failover Clustering in Windows Server 2008
- Creating Clusters in Windows Server 2008

Lesson: Planning for Network Load Balancing
- Features of Network Load Balancing
- Improvements in Network Load Balancing for Windows Server 2008
- Troubleshooting Network Load Balancing

Network Load Balancing: Features of Network Load Balancing
- Distributes traffic across two or more nodes
- Uses standard hardware
- Improves scalability
- Does not synchronize nodes

Lesson: Overview of Failover Clustering in Windows Server 2008
- Clustering Features in Windows Server 2008
- Failover Clustering Enhancements in Windows Server 2008
- Validating a Failover Clustering Solution in Windows Server 2008
- Tools to Manage Failover Clustering in Windows Server 2008

Clustering Features in Windows Server 2008
Clustering features:
- Failover support
- Scalability
- Versions
- Multiple models: shared quorum disk; majority node set
- Geographically dispersed clusters
- Storage
- Windows versions supporting clusters

Failover Clustering Enhancements in Windows Server 2008
- Security
- Storage
- Networking
- Management enhancements
- Quorum model

Tools to Manage Failover Clustering in Windows Server 2008
Management tools:
- Clusprep.exe
- Cluster.exe
- Cluster migration tool

Lesson: Creating Clusters in Windows Server 2008
- Hardware Requirements for Failover Clustering
- Planning Failover Clusters in Windows Server 2008
- Managing Failover Clustering in Windows Server 2008

Management tools:
- Cluster.exe
- Failover Cluster Management MMC snap-in