
1 Managing Network Access Protection

2 Introduction to NAP Issues
- Although corporate networks are highly secured, there is no control over the configuration of remote computers.
- Administrators have no idea what condition a remote user's computer is in.
- A remote user with inadequate protection could infect files on the network with a virus, or could inadvertently disclose sensitive information because their PC was infected with some kind of Trojan.


4 Policy Based Network Access Protection
- Policy Validation: determines whether the computers are compliant with the company's security policy. Compliant computers are deemed "healthy."
- Network Restriction: restricts network access to computers based on their health.
- Remediation: provides the necessary updates to allow the computer to "get healthy." Once healthy, the network restrictions are removed.
- Ongoing Compliance: changes to the company's security policy or to the computers' health may dynamically result in network restrictions.

5 NAP
The purpose of the Network Access Protection feature is to make sure that remote users' computers comply with your organization's security requirements. Network Access Protection does nothing to prevent unauthorized access to your network. If an intruder has a PC that complies with your corporate security policy, then Network Access Protection will do nothing to try to stop that intruder. Network Access Protection is simply designed to prevent legitimate users from logging on to your network using insecure PCs.

6 NAP Components
- DHCP: v 6.0
- DNS: requires Microsoft or third-party
- Active Directory: requires Active Directory Services 2003 at a minimum
- Group Policy: allows consistent configuration of NAP settings
- RADIUS and VPN: requires Windows Server 2008 role access
- Servers must be Windows Server 2008
- Agents: Microsoft and third-party support
- Network Infrastructure check:

7 10 things you should know about NAP
10. The technologies required are built into Windows Server 2008, Windows Vista and XP SP3.
9. There are no additional licenses required to deploy NAP if you own CALs.
8. The NAP "agent" isn't really an agent; it is a service that runs on the box and can be managed via Group Policy.
7. The agent for XP is shipping as part of Service Pack 3 for XP.
6. NAP is NOT a security solution; it is a network health solution.
5. There is no NAP agent for Server 2003.
6. Microsoft is not developing a NAP agent for any platform older than Windows XP Service Pack 3.
4. NAP interoperates with Cisco's Network Admission Control framework.
3. NAP uses industry standard protocols.
2. NAP is currently deployed to thousands of desktops both inside and outside of Microsoft.
1. The NAP Statement of Health protocol has been accepted as a TNC/TCG standard.

8 NAP access flow (diagram)
1. Access requested
2. Authentication information including ID and health status
3. NPS validates against health policy
4. If compliant, access granted
5. If not compliant, restricted network access and remediation
Outcomes shown in the diagram: policy compliant / not policy compliant

9 NAP Components (diagram)
Elements shown: NAP Server; Health policy; Updates; Health Statements; Network Access Requests; Health Certificate; 802.1x Switches; Policy Firewalls; SSL VPN Gateways; Certificate Servers; System Health Validator (SHV), including MS SHA/SMS and 3rd-party SHAs; NAP Agent with Enforcement Clients (EC) for DHCP, IPsec, 802.1X and VPN, plus 3rd-party EAP VPNs.

10 Product/Service and NAP Integration
- Windows Server 2008: built-in NAP server roles
- Windows Vista (also included in XP SP3): built-in NAP client including 802.1x, IPsec, VPN and DHCP support
- SCCM 2007: SCCM integrates with NAP to report patch state and update systems
- Forefront Client Security: FCS provides anti-virus compliance remediation (via separate download)
- Terminal Server 2008 Gateway: provides conditional access to Terminal Servers based on NAP

11 Policy validation
System health validators (SHVs) are used by NPS to analyze the health status of client computers. SHVs are incorporated into network policies that determine the actions to be taken based on client health status, such as granting full network access or restricting network access. Health status is monitored by client-side NAP components called system health agents (SHAs). NAP uses SHAs and SHVs to monitor, enforce, and remediate client computer configurations.

12 WSHA and WSHV
Windows Security Health Agent (WSHA) and Windows Security Health Validator (WSHV) are included with the Windows Vista and Windows Server 2008 operating systems. They enforce the following settings for NAP-capable computers:
- The client computer has firewall software installed and enabled.
- The client computer has antivirus software installed and running.
- The client computer has current antivirus updates installed.
- The client computer has antispyware software installed and running.
- The client computer has current antispyware updates installed.
- Microsoft Update Services is enabled on the client computer.
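As an added example (not from the slides or from Microsoft's WSHA code), the script below performs a local, read-only audit of the same six conditions, so a desktop team can see why a client would be judged noncompliant before NPS does. It assumes Windows Vista/7 or later with the root\SecurityCenter2 WMI namespace, an elevated session, and the commonly used but undocumented decoding of the productState bit field noted in the comments.

```powershell
function Get-SecurityCenterProducts {
    param([string]$Class)   # AntiVirusProduct, AntiSpywareProduct or FirewallProduct
    Get-WmiObject -Namespace 'root\SecurityCenter2' -Class $Class -ErrorAction SilentlyContinue |
        ForEach-Object {
            # productState is a packed bit field. Decoding convention (assumption, undocumented):
            # middle byte 0x10/0x11 = real-time protection on; low byte 0x00 = definitions current.
            $hex = [Convert]::ToString([int]$_.productState, 16).PadLeft(6, '0')
            $mid = $hex.Substring(2, 2)
            New-Object PSObject -Property @{
                Name     = $_.displayName
                Enabled  = ($mid -eq '10' -or $mid -eq '11')
                UpToDate = ($hex.Substring(4, 2) -eq '00')
            }
        }
}

function Test-WshaLikeHealth {
    $results = @()
    $add = { param($check, $pass) New-Object PSObject -Property @{ Check = $check; Pass = [bool]$pass } }

    # Firewall: any registered firewall counts, so also check Windows Firewall on the
    # domain (1), private (2) and public (4) profiles via the HNetCfg.FwPolicy2 COM object.
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    $winFwOn = ((1, 2, 4 | ForEach-Object { $fw.FirewallEnabled($_) }) -notcontains $false)
    $thirdPartyFw = @(Get-SecurityCenterProducts 'FirewallProduct' | Where-Object { $_.Enabled }).Count -gt 0
    $results += & $add 'Firewall installed and enabled' ($winFwOn -or $thirdPartyFw)

    $av = @(Get-SecurityCenterProducts 'AntiVirusProduct')
    $results += & $add 'Antivirus running' (@($av | Where-Object { $_.Enabled }).Count -gt 0)
    $results += & $add 'Antivirus updates current' (@($av | Where-Object { $_.Enabled -and $_.UpToDate }).Count -gt 0)

    $as = @(Get-SecurityCenterProducts 'AntiSpywareProduct')
    $results += & $add 'Antispyware running' (@($as | Where-Object { $_.Enabled }).Count -gt 0)
    $results += & $add 'Antispyware updates current' (@($as | Where-Object { $_.Enabled -and $_.UpToDate }).Count -gt 0)

    # Automatic Updates: NotificationLevel 1 = disabled; 2, 3 and 4 are the enabled modes.
    $au = (New-Object -ComObject Microsoft.Update.AutoUpdate).Settings.NotificationLevel
    $results += & $add 'Automatic Updates enabled' ($au -ge 2)

    # The NAP "agent" is just the napagent service (slide 7); if it is stopped nothing is reported to NPS.
    $nap = Get-Service -Name napagent -ErrorAction SilentlyContinue
    $results += & $add 'NAP agent service running' ($nap -ne $null -and $nap.Status -eq 'Running')

    $results
}

Test-WshaLikeHealth | Format-Table Check, Pass -AutoSize
```

A client failing any row here would be placed on the restricted network (or logged, depending on the enforcement setting on slide 13) the next time its health is evaluated.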

13 NAP enforcement and network restriction
NAP enforcement settings allow you to limit the network access of noncompliant clients to a restricted network, to defer restriction to a later date, or to merely observe and log the health status of NAP-capable client computers. The following settings are available:
- Allow full network access.
- Allow limited access.
- Allow full network access for a limited time.

14 Remediation
Noncompliant client computers that are placed on a restricted network might undergo remediation. Remediation is the process of updating a client computer so that it meets current health requirements. If additional resources are required for a noncompliant computer to update its health state, these resources must be provided on the restricted network. For example, a restricted network might contain a File Transfer Protocol (FTP) server that provides current virus signatures so that noncompliant client computers can update their outdated signatures. You can use NAP settings in NPS network policies to configure automatic remediation so that NAP client components automatically attempt to update the client computer when it is noncompliant.

15 Ongoing monitoring to ensure compliance
NAP can enforce health compliance on compliant client computers that are already connected to the network. This functionality is useful for ensuring that a network is protected on an ongoing basis as health policies and the health of client computers change. Client computers are monitored when they initiate requests for network resources.

16 Enforcing NAP with DHCP Version 6
- A NAP client must be compliant with the current system health policy to receive an unlimited IP version 4 address.
- A non-compliant NAP client will receive an IP version 4 address that allows access only to the restricted network for remediation.
- The current system health policy is enforced every time an IP version 4 address is leased or renewed.
- Security groups can be used for NAP exceptions using the Windows Groups condition.
- The recommended lease time when DHCP enforcement is deployed is eight hours: a NAP client will then renew its IP version 4 address and be re-evaluated every four hours.

17 Upgrading your Active Directory to Windows Server 2008
- In-place upgrading
- Transitioning
- Restructuring

18 Upgrading your Active Directory to Windows Server 2008
In-place upgrading is good when:
- You worked hard to get your Active Directory in the shape it's in.
- Your servers are in tip-top shape.
- There's really no budget to buy new servers.

19 Reasons not to upgrade in-place
- Your servers do not meet the required patch level for in-place upgrading (the Windows Server 2003 patch level should be at least Service Pack 1).
- You want to upgrade across architectures (between x86, x64 and/or Itanium).
- You're running Windows Small Business Server 2003.
- Standard Edition can be upgraded to both Standard and Enterprise Edition.
- You want your Windows Server 2008 Domain Controllers to be Server Core installations of Windows Server 2008.

20 Commands
- adprep.exe /forestprep: run on the Schema Master
- adprep.exe /domainprep: run on the Infrastructure Master
- adprep.exe /domainprep /gpprep: run on the Infrastructure Master
- adprep.exe /rodcprep: run on the Domain Naming Master *
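As an added example (not from the slides), this script resolves the FSMO role holders that the table above assigns to each adprep switch and reads the current schema version, so the upgrade team knows which domain controller to run each command on and whether /forestprep has already been applied. It uses only System.DirectoryServices, which is present on Windows Server 2003/2008 without the later ActiveDirectory module; the schema objectVersion values in the comment are Microsoft's published numbers, and the adprep media path is an assumption about the Windows Server 2008 DVD layout.

```powershell
function Get-AdprepPlan {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

    # objectVersion on the schema container: 30 = Windows Server 2003, 31 = 2003 R2,
    # 44 = Windows Server 2008. At 44 or above, /forestprep for 2008 has already run.
    $rootDse = [ADSI]'LDAP://RootDSE'
    $schema  = [ADSI]('LDAP://' + $rootDse.schemaNamingContext)
    $version = [int]$schema.objectVersion[0]

    # Map each switch to the role holder named in the slide, resolved in this forest/domain.
    $steps = @(
        New-Object PSObject -Property @{ Command = 'adprep.exe /forestprep';         Role = 'Schema Master';         RunOn = $forest.SchemaRoleOwner.Name }
        New-Object PSObject -Property @{ Command = 'adprep.exe /domainprep';         Role = 'Infrastructure Master'; RunOn = $domain.InfrastructureRoleOwner.Name }
        New-Object PSObject -Property @{ Command = 'adprep.exe /domainprep /gpprep'; Role = 'Infrastructure Master'; RunOn = $domain.InfrastructureRoleOwner.Name }
        New-Object PSObject -Property @{ Command = 'adprep.exe /rodcprep';           Role = 'Domain Naming Master';  RunOn = $forest.NamingRoleOwner.Name }
    )

    New-Object PSObject -Property @{
        Forest         = $forest.Name
        Domain         = $domain.Name
        SchemaVersion  = $version
        ForestPrepDone = ($version -ge 44)
        Steps          = $steps
    }
}

$plan = Get-AdprepPlan
"Forest $($plan.Forest), domain $($plan.Domain): schema objectVersion $($plan.SchemaVersion) (2008 forestprep applied: $($plan.ForestPrepDone))"
# adprep.exe ships on the Windows Server 2008 media under \sources\adprep (assumed path);
# run it from an elevated prompt on the DC listed in RunOn, as Schema Admins / Enterprise Admins.
$plan.Steps | Format-Table Command, Role, RunOn -AutoSize
```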

21 Planning for Windows Server 2008 High Availability
- Planning for Network Load Balancing
- Overview of Failover Clustering in Windows Server 2008
- Creating Clusters in Windows Server 2008

22 Lesson: Planning for Network Load Balancing
- Features of Network Load Balancing
- Improvements in Network Load Balancing for Windows Server 2008
- Troubleshooting Network Load Balancing

23 Network Load Balancing: Features of Network Load Balancing
- Distributes traffic across two or more nodes
- Uses standard hardware
- Improves scalability
- Does not synchronize nodes

24 Lesson: Overview of Failover Clustering in Windows Server 2008
- Clustering Features in Windows Server 2008
- Failover Clustering Enhancements in Windows Server 2008
- Validating a Failover Clustering Solution in Windows Server 2008
- Tools to Manage Failover Clustering in Windows Server 2008

25 Clustering Features in Windows Server 2008
Clustering features:
- Failover support
- Scalability
- Versions
- Multiple models: shared quorum disk; majority node set
- Geographically dispersed clusters
- Storage
- Windows versions supporting clusters

26 Failover Clustering Enhancements in Windows Server 2008
- Security
- Storage
- Networking
- Management enhancements
- Quorum model

27 Tools to Manage Failover Clustering in Windows Server 2008
Management tools:
- Clusprep.exe
- Cluster.exe
- Cluster migration tool

28 Lesson: Creating Clusters in Windows Server 2008
- Hardware Requirements for Failover Clustering
- Planning Failover Clusters in Windows Server 2008
- Managing Failover Clustering in Windows Server 2008

29 Management interfaces
- Cluster.exe
- Failover Cluster Management MMC snap-in
