
Module 8: Configuring Network Access Protection




1 Module 8: Configuring Network Access Protection
Course 6421A
Module 8: Configuring Network Access Protection
Presentation: 60 minutes
Lab: 120 minutes

This module helps students to configure and manage Network Access Protection (NAP) for Dynamic Host Configuration Protocol (DHCP), a virtual private network (VPN), and Institute of Electrical and Electronics Engineers (IEEE) 802.1X authentication.

After completing this module, students will be able to:
- Describe Network Access Protection.
- Describe how NAP works.
- Configure NAP.
- Monitor and troubleshoot NAP.

Required materials
To teach this module, you need the Microsoft® Office PowerPoint® file 6421A_08.ppt.

Important: It is recommended that you use PowerPoint 2002 or a later version to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all the features of the slides might not be displayed correctly.

Preparation tasks
To prepare for this module:
- Read all of the materials for this module.
- Practice performing the demonstrations and the lab exercises.
- Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance.
- Make sure that students are aware that there are additional information and resources for the module on the Course Companion CD.

2 Module Overview
- Overview of Network Access Protection
- How NAP Works
- Configuring NAP
- Monitoring and Troubleshooting NAP

3 Lesson 1: Overview of Network Access Protection
- What Is Network Access Protection?
- NAP Scenarios
- NAP Enforcement Methods
- NAP Platform Architecture
- NAP Architecture Interactions
- NAP Client Infrastructure
- NAP Server-Side Infrastructure
- Communication Between NAP Platform Components

4 What Is Network Access Protection?
Network Access Protection can:
- Enforce health-requirement policies on client computers
- Ensure that client computers are compliant with policies
- Offer remediation support for computers that do not meet health requirements

Network Access Protection cannot:
- Prevent authorized users with compliant computers from performing malicious activity
- Restrict network access for computers that are running Windows versions previous to Windows XP SP2

Describe Network Access Protection (NAP) capabilities and characteristics by expanding on the information on the slide.

What NAP can do:
- Enforce health-requirement policies on client computers that are running Windows® XP Service Pack 2 (SP2) and Windows Vista™.
- Ensure that client computers remain compliant with existing policies.
- Offer remediation support for computers that do not meet the health requirements for full network access.

What NAP cannot do:
- Prevent authorized users with compliant computers from performing malicious activity on the network.
- Restrict network access for computers that are running Windows versions previous to Windows XP SP2 when exception rules are configured for those computers.

NAP has three important and distinct aspects:
- Health state validation. Validates a computer's health against health policies.
- Health policy compliance. Updates client computers that do not meet the requirements.
- Limited access enforcement. Isolates noncompliant computers onto a remediation network with limited access.

Emphasize that NAP is a compliance tool, not a security tool. NAP provides an extra security layer, but it is not a complete security solution.

NAP is enforced and supported by the following methods, which will be discussed in detail later:
- Internet Protocol Security (IPsec)-protected traffic
- IEEE 802.1X-authenticated connections
- Virtual private network (VPN) connections
- Dynamic Host Configuration Protocol (DHCP) address configurations

Explain that, unlike Network Access Quarantine Control (NAQC), NAP offers continuous health-state monitoring of connected computers. You can configure exception rules so that access is not limited for computers that are not NAP capable, for computers that are running Windows versions previous to Windows XP SP2, and for computers that are running other vendors' client operating systems.

References: Network Access Protection

5 NAP Scenarios
NAP benefits the network infrastructure by verifying the health state of:
- Roaming laptops
- Desktop computers
- Visiting laptops
- Unmanaged home computers

Explain the benefits that NAP provides to the network infrastructure. NAP verifies the health state of:
- Roaming laptops. The NAP-capable operating system reports the health state through remote access, wireless, or physical connections.
- Desktop computers. NAP ensures that the latest updates and required software are installed to mitigate threats to these computers.
- Visiting laptops. NAP determines whether the laptops of visiting consultants, business partners, and guests meet the network's health requirements.
- Unmanaged home computers. When a user uses an unmanaged computer to initiate a remote access connection, NAP verifies the health state of the initiating computer against the health policy and may grant the computer limited network access if it is not in compliance.

You can deploy NAP for one or all of the scenarios listed on the slide, depending on the company's needs. Rather than a written or electronic policy that states the requirements for allowing network connectivity, NAP can limit network access automatically for any NAP-capable client operating system. When used in conjunction with other security layers, NAP offers enforcement of health policies to help maintain a healthy network environment.

References: Network Access Protection

6 NAP Enforcement Methods
Method: IPsec enforcement for IPsec-protected communications
- Computer must be compliant to communicate with other compliant computers
- The strongest NAP enforcement type; can be applied per IP address or protocol port number

Method: 802.1X enforcement for IEEE 802.1X-authenticated wired or wireless connections
- Computer must be compliant to obtain unlimited access through an 802.1X connection (authenticating switch or access point)

Method: VPN enforcement for remote access connections
- Computer must be compliant to obtain unlimited access through a RAS connection

Method: DHCP enforcement for DHCP-based address configuration
- Computer must be compliant to receive an unlimited-access IPv4 address configuration from DHCP
- This is the weakest form of NAP enforcement

Describe the four available NAP enforcement methods for client computers running Windows Server® 2008, Windows Vista, and Windows XP SP2 (with the NAP Client for Windows XP). Refer to the information on the slide to provide each method's key points. Explain that Windows Server 2008 and Windows Vista also include a NAP enforcement method for connections to a Terminal Services Gateway (TSG) server, but that it does not support remediation.
- IPsec enforcement is the strongest NAP enforcement method available, but it has additional requirements (a Health Registration Authority and a certification authority to issue health certificates).
- 802.1X and VPN enforcement are both strong enforcement methods, though not as strong as IPsec.
- DHCP is the weakest enforcement method, because it relies on the client having a DHCP configuration in the TCP/IP Properties. Anyone with administrative rights on the client can change it to a static address and bypass DHCP health enforcement.
- Terminal Services Gateway enforcement affects the client computer from which the Terminal Services session has been launched, such as a home computer or a computer in a hotel business center.

References: Terminal Services; Network Access Protection

7 NAP Platform Architecture
[Diagram: an example intranet with remediation servers, a NAP health policy server, a DHCP server, a Health Registration Authority, IEEE 802.1X devices, Active Directory, a VPN server, a restricted network containing a NAP client with limited access, a perimeter network, and the Internet]

Use the components of a NAP-enabled network infrastructure and the example intranet configuration on the slide to describe the interactions between NAP platform components. The example intranet on the slide is configured for the following:
- Health-state validation, health policy compliance, and limited network access for noncompliant NAP clients
- IPsec enforcement, 802.1X enforcement, VPN enforcement, and DHCP enforcement

When obtaining a health certificate, making an 802.1X-authenticated or VPN connection to the intranet, or leasing or renewing an IPv4 address configuration from the DHCP server, each NAP client receives one of the following classifications:
- NAP clients that meet the health policy requirements are classified as compliant and are allowed unlimited access or normal communication.
- NAP clients that do not meet the health policy requirements are classified as noncompliant, and their access is limited to the restricted network until they meet the requirements.

A noncompliant NAP client does not necessarily have a virus or some other active threat to the intranet, but it does not have the software updates or configuration settings that the health policy requires. Therefore, noncompliant NAP clients pose health risks to the intranet. The system health agents (SHAs) on NAP clients with limited access can update those computers automatically with the software or configuration settings required for unlimited access.

The student CD contains detailed information on the components that make up a NAP deployment and on the interaction between the components. Ensure that you reference the student CD when presenting this information.

References: Network Access Protection

8 NAP Architecture Interactions
[Diagram: the NAP client exchanges HTTP or HTTP over SSL messages with the HRA, PEAP messages over PPP with the VPN server, DHCP messages with the DHCP server, and PEAP messages over EAPOL with the IEEE 802.1X network access devices; each of these enforcement points exchanges RADIUS messages with the NAP health policy server, which sends requirement queries to the health requirement server; the NAP client obtains system health updates from the remediation server]

The interactions for the computers and devices of a NAP-enabled network infrastructure depend on the NAP enforcement methods chosen for unlimited network connectivity. The architecture's client side and server side have processes that enable policy validation for the client, or remediation network access to help the client become compliant with the requirements for unrestricted network access.

The student CD contains detailed information on the components that make up a NAP deployment and on the interaction between the components. Ensure that you reference the student CD when presenting this information.

References: Network Access Protection Platform Architecture

9 NAP Client Infrastructure
[Diagram: the NAP client hosts NAP enforcement clients (NAP EC_A, EC_B, EC_C) on top of the NAP EC API, the NAP Agent, the SHA API, and system health agents (SHA_1, SHA_2, SHA_3 ...); the SHAs obtain updates from Remediation Server 1 and Remediation Server 2]

The NAP client architecture consists of the following:
- A layer of NAP enforcement client (EC) components. Each NAP EC is defined for a different type of network access or communication. For example, there is a NAP EC for remote access VPN connections and a NAP EC for DHCP configuration. A NAP EC is matched to a specific type of NAP enforcement point; for example, the DHCP NAP EC is designed to work with a DHCP-based NAP enforcement point. The NAP platform provides some NAP ECs, and third-party software vendors or Microsoft can provide others.
- A layer of system health agent (SHA) components. An SHA maintains and reports one or more elements of system health. For example, there might be an SHA for antivirus signatures and an SHA for operating-system updates. An SHA can be matched to a remediation server; for example, an SHA for checking antivirus signatures is matched to the server that contains the latest antivirus signature file. SHAs do not need a corresponding remediation server; for example, an SHA can check local system settings to ensure that a host-based firewall is enabled. Windows Vista and Windows XP with SP2 (with the NAP Client for Windows XP) include a Windows Security Health Agent that monitors the settings of the Windows Security Center; its server-side counterpart is the Windows Security Health Validator. Third-party software vendors or Microsoft can provide additional SHAs.
- NAP Agent. Maintains the NAP client's current health-state information and facilitates communication between the NAP EC and SHA layers. The NAP platform provides the NAP Agent.
- SHA application programming interface (API). Provides a set of function calls that allow SHAs to register with the NAP Agent, indicate system health status, and respond to queries for system health status from the NAP Agent, and that allow the NAP Agent to pass system health remediation information to an SHA. The SHA API allows vendors to create and install additional SHAs. The NAP platform provides the SHA API, which is documented in the NAP Platform Software Development Kit (SDK).
- NAP EC API. Provides a set of function calls that allow NAP ECs to register with the NAP Agent, request system health status, and pass system health remediation information to the NAP Agent. The NAP EC API allows vendors to create and install additional NAP ECs. The NAP platform provides the NAP EC API, which is documented in the NAP Platform SDK.

References: Network Access Protection Platform Architecture; Network Access Protection

10 NAP Server-Side Infrastructure
[Diagram: the NAP health policy server hosts the NPS service, the NAP Administration Server, the SHV API, and system health validators (SHV_1, SHV_2, SHV_3 ...); the SHVs query Health Requirement Server 1 and Health Requirement Server 2; the NPS service exchanges RADIUS messages with a Windows-based NAP enforcement point hosting NAP enforcement servers (NAP ES_A, ES_B, ES_C)]

The NAP health policy server has the following components:
- Network Policy Server (NPS) service. Receives the Remote Authentication Dial-In User Service (RADIUS) Access-Request message, extracts the system statement of health (SSoH), and passes it to the NAP Administration Server component. Windows Server 2008 provides the NPS service.
- NAP Administration Server. Facilitates communication between the NPS service and the SHVs. The NAP platform provides the NAP Administration Server component.
- A layer of System Health Validator (SHV) components. Each SHV is defined for one or more types of system-health elements and is matched to an SHA.
- SHV API. Provides a set of function calls that allow SHVs to register with the NAP Administration Server component, receive statements of health (SoHs) from the NAP Administration Server component, and send statement of health responses (SoHRs) to the NAP Administration Server component.

References: Network Access Protection Platform Architecture

11 Communication Between NAP Platform Components
[Diagram: the NAP health policy server (NPS service, NAP Administration Server, SHV API, SHV_1, SHV_2) is connected over RADIUS to a Windows-based NAP enforcement point (NAP ES_A, NAP ES_B); the NAP client (NAP EC_A, NAP EC_B, NAP EC API, NAP Agent, SHA API, SHA1, SHA2) talks to the enforcement point; the SHVs query Health Requirement Server 1 and 2, and the SHAs obtain updates from Remediation Server 1 and 2]

The NAP Agent component communicates with the NAP Administration Server component through the following process:
1. The NAP Agent passes the SSoH to the NAP EC.
2. The NAP EC passes the SSoH to the NAP Enforcement Server (ES).
3. The NAP ES passes the SSoH to the NPS service.
4. The NPS service passes the SSoH to the NAP Administration Server.

The NAP Administration Server communicates with the NAP Agent through the following process:
1. The NAP Administration Server passes the SoHRs to the NPS service.
2. The NPS service passes the system statement of health response (SSoHR), which contains the SoHRs, to the NAP ES.
3. The NAP ES passes the SSoHR to the NAP EC.
4. The NAP EC passes the SSoHR to the NAP Agent.

An SHA communicates with its corresponding SHV through the following process:
1. The SHA passes its SoH to the NAP Agent.
2. The NAP Agent passes the SoH, contained within the SSoH, to the NAP EC.
3. The NAP EC passes the SoH to the NAP ES.
4. The NAP ES passes the SoH to the NPS service, which passes it to the NAP Administration Server.
5. The NAP Administration Server passes the SoH to the SHV.

The SHV communicates with its corresponding SHA through the following process:
1. The SHV passes its SoHR to the NAP Administration Server.
2. The NAP Administration Server passes the SoHR to the NPS service.
3. The NPS service passes the SoHR, contained within the SSoHR, to the NAP ES.
4. The NAP ES passes the SoHR to the NAP EC.
5. The NAP EC passes the SoHR to the NAP Agent.
6. The NAP Agent passes the SoHR to the SHA.

References: Network Access Protection Platform Architecture
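The message paths above, as an added example written for this page (Python; not code from Course 6421A or from the NAP Platform SDK). It models each component as a small class and shows the two facts a practitioner usually needs when tracing a NAP decision: an SoH and its SoHR are paired by the SHA/SHV identifier, and the EC, ES and NPS service only relay the SSoH/SSoHR envelopes without looking inside them. The class names, the envelope representation, the numeric IDs and the handling of an SoH for which no SHV is registered (skipped and recorded here) are assumptions for the example.

```python
# Added example for Course 6421A Module 8; not code from the course or the NAP
# Platform SDK. Component classes, envelope layout, the handling of an SoH without
# a matching SHV and the numeric IDs are assumptions made for the illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class SoH:
    """Statement of health from one SHA; the matching SHV has the same ID."""
    sha_id: int
    claims: dict

@dataclass(frozen=True)
class SoHR:
    """Statement of health response from one SHV, addressed to the SHA with sha_id."""
    sha_id: int
    compliant: bool
    remediation: str = ""

@dataclass
class SSoH:
    """System statement of health: all of the client's SoHs in one envelope."""
    client: str
    sohs: list

@dataclass
class SSoHR:
    """System statement of health response: all SoHRs in one envelope."""
    client: str
    sohrs: list

    def compliant(self):
        # Which health policy applies is decided by NPS; 'passes all SHV checks' is used here.
        return all(r.compliant for r in self.sohrs)

class NapAgent:
    """Client side: collects SoHs from registered SHAs, routes SoHRs back by ID."""
    def __init__(self, client):
        self.client = client
        self.shas = {}        # sha_id -> callable(sha_id) -> SoH
        self.last_sohr = {}   # sha_id -> SoHR most recently delivered to that SHA

    def register_sha(self, sha_id, produce):
        self.shas[sha_id] = produce

    def build_ssoh(self):
        return SSoH(self.client, [make(sha_id) for sha_id, make in self.shas.items()])

    def deliver(self, ssohr):
        for sohr in ssohr.sohrs:
            if sohr.sha_id in self.shas:         # SHA API: NAP Agent -> SHA
                self.last_sohr[sohr.sha_id] = sohr

class NapAdministrationServer:
    """Server side: hands each SoH to the SHV registered under the same ID."""
    def __init__(self):
        self.shvs = {}        # shv_id -> callable(SoH) -> SoHR
        self.unhandled = []   # SoHs with no registered SHV (modelling choice: skipped)

    def register_shv(self, shv_id, validate):
        self.shvs[shv_id] = validate

    def evaluate(self, ssoh):
        sohrs = []
        for soh in ssoh.sohs:
            validate = self.shvs.get(soh.sha_id)
            if validate is None:
                self.unhandled.append(soh.sha_id)
                continue
            sohrs.append(validate(soh))          # SHV API: Admin Server -> SHV -> Admin Server
        return SSoHR(ssoh.client, sohrs)

def enforcement_round_trip(agent, admin_server):
    """NAP Agent -> EC -> ES -> NPS service -> NAP Administration Server, and back.

    The EC, ES and NPS service only relay the envelopes (DHCP, PEAP or HTTP on the
    first hop, RADIUS after that), so they are not modelled as separate steps.
    """
    ssoh = agent.build_ssoh()
    ssohr = admin_server.evaluate(ssoh)
    agent.deliver(ssohr)
    return ssohr

# Constructed sample: two SHAs on the client, only one matching SHV on the server.
WSHA_ID = 79744      # assumed ID for the Windows Security Health Agent / Validator pair
AV_ID = 0x10000      # hypothetical third-party antivirus SHA

def windows_security_sha(sha_id):
    return SoH(sha_id, {"firewall": True, "auto_update": False})

def av_sha(sha_id):
    return SoH(sha_id, {"signature_age_days": 3})

def windows_security_shv(soh):
    failed = [name for name, ok in soh.claims.items() if not ok]
    return SoHR(soh.sha_id, not failed, "enable " + ", ".join(failed) if failed else "")

def demo():
    agent = NapAgent("client1")
    agent.register_sha(WSHA_ID, windows_security_sha)
    agent.register_sha(AV_ID, av_sha)
    server = NapAdministrationServer()
    server.register_shv(WSHA_ID, windows_security_shv)   # no SHV for the antivirus SHA
    return enforcement_round_trip(agent, server), agent, server
```

Running demo() yields an SSoHR with a single SoHR: the Windows Security SHA hears "enable auto_update" and the client is noncompliant, while the antivirus SHA's SoH is recorded as unhandled and that SHA never receives a response. Seeing which SHA got no SoHR is often the quickest way to spot an SHV that is not installed or not enabled on the NPS server.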

12 Lesson 2: How NAP Works
- NAP Enforcement Processes
- How IPsec Enforcement Works
- How 802.1X Enforcement Works
- How VPN Enforcement Works
- How DHCP Enforcement Works

13 NAP Enforcement Processes
To validate network access based on system health, a network infrastructure must provide the following functionality:
- Health policy validation: determines whether computers are compliant with health policy requirements
- Network access limitation: limits access for noncompliant computers
- Automatic remediation: provides the necessary updates to allow a noncompliant computer to become compliant
- Ongoing compliance: automatically updates compliant computers so that they adhere to ongoing changes in health policy requirements

[Diagram: the same NAP health policy server, NAP enforcement point, and NAP client components as on the "Communication Between NAP Platform Components" slide]

The slide for this topic is animated and consists of two parts. Use the slide to describe the following:
- A network infrastructure's necessary functionality for validating network access based on system health.
- The relationships between NAP platform components.

Explain that NAP is a policy-enforcement platform built into Windows Vista, Windows XP SP2 (with the NAP Client for Windows XP), and Windows Server 2008. NAP allows you to better protect network assets by enforcing compliance with system-health requirements. You can use NAP to create customized health policies to:
- Validate computer health before allowing access or communication.
- Automatically update compliant computers to ensure ongoing compliance.
- Optionally confine noncompliant computers to a restricted network until they become compliant.

References: Security and Policy Enforcement

14 How IPsec Enforcement Works
Key points of IPsec NAP enforcement:
- Consists of a health certificate server and an IPsec NAP EC
- The health certificate server issues X.509 certificates to quarantined clients when they are verified as compliant
- The certificates are then used to authenticate NAP clients when they initiate IPsec-secured communications with other NAP clients on an intranet
- IPsec enforcement confines communication on a network to those nodes that are considered compliant
- You can define requirements for secure communications with compliant clients on a per-IP address or per-TCP/UDP port number basis

[Diagram: the same example intranet as on the "NAP Platform Architecture" slide]

The slide for this topic is animated and consists of two parts. Refer to the slide's first part to list the key points of IPsec NAP enforcement. Use the diagram on the slide's second part as you describe the IPsec enforcement process. Note that this is the same diagram that appears in the "NAP Platform Architecture" topic in Lesson 1. You also may wish to use the whiteboard or the PowerPoint pen.

IPsec enforcement process:
1. The IPsec EC component sends its current health state to the HRA.
2. The HRA sends the NAP client's health-state information to the NAP health policy server.
3. The NAP health policy server evaluates the NAP client's health-state information, determines whether the NAP client is compliant, and sends the results to the HRA. If the NAP client is not compliant, the results include health-remediation instructions.
4. If the health state is compliant, the HRA obtains a health certificate for the NAP client. The NAP client now can initiate IPsec-protected communication with other compliant computers, using its health certificate for IPsec authentication, and can respond to communications initiated by other compliant computers that authenticate using their own health certificates.
5. If the health state is not compliant, the HRA informs the NAP client how to correct its health state and does not issue a health certificate. The NAP client cannot initiate communication with other computers that require a health certificate for IPsec authentication. However, the NAP client can initiate communications with remediation servers to correct its health state.
6. The NAP client sends update requests to the appropriate remediation servers.
7. The remediation servers provide the NAP client with the required updates for compliance with health requirements. The NAP client updates its health-state information.
8. The NAP client sends its updated health-state information to the HRA, and the HRA sends the updated health-state information to the NAP health policy server.
9. Assuming that all the required updates were made, the NAP health policy server determines that the NAP client is compliant and sends that result to the HRA.
10. The HRA obtains a health certificate for the NAP client. The NAP client now can initiate IPsec-protected communication with other compliant computers.

References: Network Access Protection

15 How 802.1X Enforcement Works
Key points of 802.1X wired or wireless NAP enforcement:
- Computer must be compliant to obtain unlimited network access through an 802.1X-authenticated network connection
- Noncompliant computers are limited through a restricted-access profile that the Ethernet switch or wireless AP places on the connection
- Restricted-access profiles can specify IP packet filters or a virtual LAN (VLAN) identifier (ID) that corresponds to the restricted network
- 802.1X enforcement actively monitors the health status of the connected NAP client and applies the restricted-access profile to the connection if the client becomes noncompliant
- 802.1X enforcement consists of NPS in Windows Server 2008 and an EAPHost EC in Windows Vista, Windows XP with SP2 (with the NAP Client for Windows XP), and Windows Server 2008

[Diagram: the same example intranet as on the "NAP Platform Architecture" slide]

The slide for this topic is animated and consists of two parts. Refer to the slide's first part to list the key points of 802.1X wired or wireless NAP enforcement. Use the diagram on the second part of the slide as you describe the 802.1X enforcement process. You also may wish to use the whiteboard or the PowerPoint pen.

The following process describes how 802.1X enforcement works for a NAP client that is initiating an 802.1X-authenticated connection on the intranet:
1. The NAP client and the Ethernet switch or wireless AP begin 802.1X authentication.
2. The NAP client sends its user or computer authentication credentials to the NAP health policy server, which also is acting as an authentication, authorization, and accounting (AAA) server. If the authentication credentials are not valid, the connection attempt is terminated.
3. If the authentication credentials are valid, the NAP health policy server requests the health state from the NAP client.
4. The NAP client sends its health-state information to the NAP health policy server.
5. The NAP health policy server evaluates the health-state information of the NAP client, determines whether the NAP client is compliant, and sends the results to the NAP client and the Ethernet switch or wireless AP. If the NAP client is not compliant, the results include a limited-access profile for the Ethernet switch or wireless AP, and health-remediation instructions for the NAP client.
6. If the health state is compliant, the Ethernet switch or wireless AP completes the 802.1X authentication, and the NAP client has unlimited intranet access.
7. If the health state is not compliant, the Ethernet switch or wireless AP completes the 802.1X authentication but limits the client's access to the restricted network. The NAP client can send traffic only to the remediation servers on the restricted network.
8. The NAP client sends update requests to the remediation servers.
9. The remediation servers provision the NAP client with the required updates for compliance with health policy. The NAP client updates its health-state information.
10. The NAP client restarts 802.1X authentication and sends its updated health-state information to the NAP health policy server.
11. Assuming that all the required updates were made, the NAP health policy server determines that the NAP client is compliant and instructs the Ethernet switch or wireless AP to allow unlimited access.
12. The Ethernet switch or wireless AP completes the 802.1X authentication, and the NAP client has unlimited intranet access.

References: Network Access Protection
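The limited-access profile that the health policy server sends to the switch or AP travels as RADIUS attributes in the Access-Accept. The following is an added example written for this page (Python; not code from the course or from NPS) that encodes the VLAN form of that profile as RFC 2868 tunnel attributes (the VLAN usage is from RFC 3580) and parses them back the way a switch would, including the length checks a parser needs. The VLAN number 99, the RADIUS tag value 1, and the choice to send no tunnel attributes for a compliant client are assumptions; the IP-packet-filter form of the profile uses Microsoft vendor-specific attributes and is not shown.

```python
# Added example for Course 6421A Module 8; not code from the course or from NPS.
# Encodes the RADIUS tunnel attributes (RFC 2868, VLAN usage per RFC 3580) that a
# NAP health policy server returns to an 802.1X switch or AP to place a
# noncompliant client on the restricted VLAN, and parses them back as a switch
# would. The VLAN number, the tag value 1 and sending no tunnel attributes for a
# compliant client are assumptions; the packet-filter profile is not shown.
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13         # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE802 = 6     # Tunnel-Medium-Type value "IEEE 802"
TAG = 1                       # 0x01..0x1F groups the three attributes into one tunnel
TUNNEL_ATTRIBUTES = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)

def _tagged_int(attr_type, value):
    """Type, Length, Tag, then a 3-octet integer (RFC 2868 layout)."""
    return struct.pack("!BBB", attr_type, 6, TAG) + value.to_bytes(3, "big")

def _tagged_str(attr_type, value):
    data = value.encode("ascii")
    return struct.pack("!BBB", attr_type, 3 + len(data), TAG) + data

def restricted_vlan_profile(vlan_id):
    """Attributes telling the switch/AP to put the port on the restricted VLAN."""
    return (_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE802)
            + _tagged_str(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id)))

def access_accept_attributes(compliant, restricted_vlan=99):
    """Compliant client: Access-Accept without tunnel attributes (port keeps its default VLAN).
    Noncompliant client: Access-Accept carrying the restricted-access profile."""
    return b"" if compliant else restricted_vlan_profile(restricted_vlan)

def parse_attributes(raw):
    """Split a RADIUS attribute list into (type, value) pairs; reject malformed lengths."""
    attrs, i = [], 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated attribute header")
        attr_type, length = raw[i], raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, raw[i + 2:i + length]))
        i += length
    return attrs

def assigned_vlan(raw):
    """Switch-side interpretation: the VLAN id from a complete tunnel group, or None."""
    groups = {}
    for attr_type, value in parse_attributes(raw):
        if attr_type not in TUNNEL_ATTRIBUTES or not value:
            continue
        tag, body = value[0], value[1:]
        if not 1 <= tag <= 0x1F:             # untagged attribute
            if attr_type == TUNNEL_PRIVATE_GROUP_ID:
                body = value                 # for the string attribute that octet is data
            tag = 0
        groups.setdefault(tag, {})[attr_type] = body
    for group in groups.values():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")
                and TUNNEL_PRIVATE_GROUP_ID in group):
            return int(group[TUNNEL_PRIVATE_GROUP_ID].decode("ascii"))
    return None
```

The switch only moves the port when all three attributes are present with the same tag, which is why a capture of the Access-Accept (or the NPS accounting log) is the first thing to check when a noncompliant client ends up on the production VLAN.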

16 How VPN Enforcement Works
Key points of VPN NAP enforcement:
- Computer must be compliant to obtain unlimited network access through a remote access VPN connection
- Noncompliant computers have network access limited through a set of IP packet filters that the VPN server applies to the VPN connection
- VPN enforcement actively monitors the health status of the NAP client and applies the IP packet filters for the restricted network to the VPN connection if the client becomes noncompliant
- VPN enforcement consists of NPS in Windows Server 2008 and a VPN EC that is part of the remote access client in Windows Vista, Windows XP with SP2 (with the NAP Client for Windows XP), and Windows Server 2008

[Diagram: the same example intranet as on the "NAP Platform Architecture" slide]

The slide for this topic is animated and has two parts. Refer to the slide's first part to list the key points of VPN NAP enforcement. Use the diagram on the second part of the slide as you describe the VPN enforcement process. You also may wish to use the whiteboard or the PowerPoint pen.

The following process describes how VPN enforcement works for a NAP client that is initiating a VPN connection to the intranet:
1. The NAP client initiates a connection to the VPN server.
2. The NAP client sends its user authentication credentials to the NAP health policy server, which also is acting as an AAA server. If the authentication credentials are not valid, the VPN connection attempt is terminated.
3. If the authentication credentials are valid, the NAP health policy server requests the health state from the NAP client.
4. The NAP client sends its health-state information to the NAP health policy server.
5. The NAP health policy server evaluates the health-state information of the NAP client, determines whether the NAP client is compliant, and sends the results to the NAP client and the VPN server. If the NAP client is not compliant, the results include a set of packet filters for the VPN server and health-remediation instructions for the NAP client.
6. If the health state is compliant, the VPN server completes the VPN connection, and the NAP client has unlimited intranet access.
7. If the health state is not compliant, the VPN server completes the VPN connection but, based on the packet filters, limits the access of the NAP client to the restricted network. The NAP client can send traffic only to the remediation servers on the restricted network.
8. The NAP client sends update requests to the remediation servers.
9. The remediation servers provide the NAP client with the required updates for health policy compliance. The NAP client updates its health-state information.
10. The NAP client restarts authentication with the VPN server and sends its updated health-state information to the NAP health policy server.
11. Assuming that all the required updates were made, the NAP health policy server determines that the NAP client is compliant and instructs the VPN server to allow unlimited access.
12. The VPN server completes the VPN connection, and the NAP client has unlimited intranet access.

References: Network Access Protection

17 How DHCP Enforcement Works
Key points of DHCP NAP enforcement:
- Computer must be compliant to obtain an unlimited-access IPv4 address configuration from a DHCP server
- Noncompliant computers have network access limited by an IPv4 address configuration that allows access only to the restricted network
- DHCP enforcement actively monitors the health status of the NAP client and renews the IPv4 address configuration for access only to the restricted network if the client becomes noncompliant
- DHCP enforcement consists of a DHCP ES that is part of the DHCP Server service in Windows Server 2008 and a DHCP EC that is part of the DHCP Client service in Windows Vista, Windows XP with SP2 (with the NAP Client for Windows XP), and Windows Server 2008

[Diagram: the same example intranet as on the "NAP Platform Architecture" slide]

Emphasize that because DHCP enforcement relies on a limited IPv4 address configuration that a user with administrator-level access can override by assigning a static address, it is the weakest form of NAP limited network access.

The slide for this topic is animated and has two parts. Refer to the slide's first part to list the key points of DHCP NAP enforcement. Use the diagram on the second part of the slide as you describe the DHCP enforcement process. You also may wish to use the whiteboard or the PowerPoint pen.

The following process describes how DHCP enforcement works for a NAP client that is attempting an initial DHCP configuration on the intranet:
1. The NAP client sends a DHCP request message containing its health-state information to the DHCP server.
2. The DHCP server sends the health-state information of the NAP client to the NAP health policy server.
3. The NAP health policy server evaluates the health-state information of the NAP client, determines whether the NAP client is compliant, and sends the results to the NAP client and the DHCP server. If the NAP client is not compliant, the results include a limited-access configuration for the DHCP server and health-remediation instructions for the NAP client.
4. If the health state is compliant, the DHCP server assigns an IPv4 address configuration for unlimited access to the NAP client and completes the DHCP message exchange.
5. If the health state is not compliant, the DHCP server assigns an IPv4 address configuration for limited access to the restricted network and completes the DHCP message exchange. The NAP client can send traffic only to the remediation servers on the restricted network.
6. The NAP client sends update requests to the remediation servers.
7. The remediation servers provide the NAP client with the required updates for compliance with health policy. The NAP client updates its health-state information.
8. The NAP client sends a new DHCP request message containing its updated health-state information to the DHCP server.
9. The DHCP server sends the updated health-state information of the NAP client to the NAP health policy server.
10. Assuming that all the required updates were made, the NAP health policy server determines that the NAP client is compliant and instructs the DHCP server to assign an IPv4 address configuration for unlimited intranet access.
11. The DHCP server assigns an IPv4 address configuration for unlimited access to the NAP client and completes the DHCP message exchange.

References: Network Access Protection
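An added example written for this page (Python; not code from the course or from the Windows DHCP Server service) of what the two address configurations the DHCP server assigns look like, and why the limited one reaches only the remediation servers. The restricted lease is modelled as a /32 subnet mask with no default gateway and host routes to the remediation servers, delivered as the DHCP Classless Static Route option (RFC 3442, option 121); that is how Windows Server 2008 DHCP NAP builds the limited-access configuration, but this page does not spell it out, so treat it as the example's assumption. The addresses are constructed. The static_override function makes the weakness on the slide concrete: the limitation lives entirely in the lease, so a client that ignores the lease and sets a static address is not limited at all.

```python
# Added example for Course 6421A Module 8; not code from the course or from the
# Windows DHCP Server service. It builds the unlimited and the restricted IPv4
# configuration a NAP-enabled DHCP server hands out and encodes the restricted
# routes as the DHCP Classless Static Route option (RFC 3442). The addresses are
# constructed. That the restricted lease is a /32 mask, no default gateway and
# host routes to the remediation servers is the Windows Server 2008 behaviour,
# not something this page states.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

@dataclass
class Ipv4Config:
    address: IPv4Address
    mask: IPv4Address
    gateway: object          # IPv4Address, or None when no default gateway is handed out
    routes: list             # [(IPv4Network destination, IPv4Address next hop)]

REMEDIATION_SERVERS = ("10.0.1.10", "10.0.1.11")   # constructed remediation server group
SCOPE_ROUTER = IPv4Address("10.0.0.1")

def lease_for(compliant, address="10.0.5.23"):
    """Unlimited-access lease for a compliant client, restricted lease otherwise."""
    if compliant:
        return Ipv4Config(IPv4Address(address), IPv4Address("255.255.0.0"), SCOPE_ROUTER,
                          [(IPv4Network("0.0.0.0/0"), SCOPE_ROUTER)])
    return Ipv4Config(IPv4Address(address), IPv4Address("255.255.255.255"), None,
                      [(IPv4Network(s + "/32"), SCOPE_ROUTER) for s in REMEDIATION_SERVERS])

def static_override(address="10.0.5.99"):
    """What an administrator on the client can type into TCP/IP Properties instead of
    using DHCP: nothing on the server side is consulted, so the restriction disappears."""
    return Ipv4Config(IPv4Address(address), IPv4Address("255.255.0.0"), SCOPE_ROUTER,
                      [(IPv4Network("0.0.0.0/0"), SCOPE_ROUTER)])

def can_reach(config, destination):
    """True if some route in the configuration covers the destination."""
    dst = IPv4Address(destination)
    return any(dst in net for net, _ in config.routes)

def encode_classless_routes(routes):
    """Option 121 body: prefix length, only the significant destination octets, next hop."""
    body = bytearray()
    for net, hop in routes:
        significant = (net.prefixlen + 7) // 8
        body.append(net.prefixlen)
        body += net.network_address.packed[:significant]
        body += hop.packed
    return bytes(body)

def decode_classless_routes(body):
    """Inverse of encode_classless_routes, rejecting prefixes > 32 and truncated entries."""
    routes, i = [], 0
    while i < len(body):
        plen = body[i]
        i += 1
        if plen > 32:
            raise ValueError("prefix length > 32")
        significant = (plen + 7) // 8
        if i + significant + 4 > len(body):
            raise ValueError("truncated route entry")
        dest = int.from_bytes(bytes(body[i:i + significant]) + bytes(4 - significant), "big")
        i += significant
        hop = IPv4Address(bytes(body[i:i + 4]))
        i += 4
        routes.append((IPv4Network((dest, plen), strict=False), hop))
    return routes
```

With this model a restricted client can reach 10.0.1.10 but not an intranet host such as 10.0.7.7, the encoded option for the two remediation servers is 18 bytes, and the same reachability check against static_override() shows why the slide calls DHCP the weakest enforcement method.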

18 Lesson 3: Configuring NAP
- What Are System Health Validators?
- What Is a Health Policy?
- What Are Remediation Server Groups?
- NAP Client Configuration
- Demonstration: Using the Configure NAP Wizard to Apply Network Access Policies

19 What Are System Health Validators?
System Health Validators (SHVs) are the server-side counterparts to system health agents (SHAs):
- Each SHA on the client has a corresponding SHV in NPS.
- An SHV allows NPS to verify the statement of health made by its corresponding SHA on the client.
- SHVs define the configuration settings that client computers are required to have.
- The Windows Security Health Validator corresponds to the Microsoft SHA on client computers.

Notice that the Windows Security Health Validator has two settings tabs, one for Windows Vista and another for Windows XP SP2; the Spyware Protection section is not included in the Windows XP SP2 settings. Consider opening the NPS console, selecting System Health Validators under Network Access Protection in the console tree, and then double-clicking Windows Security Health Validator in the details pane. In the Settings section, point out the lower section of the dialog box, which states how to resolve the error codes that an SHV or SHA may return (for example, when the SHA does not respond to the NAP client). The default is to treat such a client as noncompliant; you can change this setting, but the default fails closed, so an error never grants access by itself. Click Configure in the dialog box, and click both the Windows Vista and Windows XP SP2 tabs. Describe some of the options that are available to create a health policy with which client computers must comply.

References
Help Topic: System Health Validators

20 What Is a Health Policy?
What Is a Health Policy?

- Health policies consist of one or more SHVs and other settings that allow you to define client computer configuration requirements for NAP-capable computers that attempt to connect to your network.
- You define client health policies in NPS by adding one or more SHVs to the health policy.
- NAP enforcement is accomplished by NPS on a per-network-policy basis.
- After you create a health policy by adding one or more SHVs to it, you add the health policy to a network policy as a condition and enable NAP enforcement in that network policy.
- To make use of the Windows Security Health Validator, you must configure a health policy and assign the SHV to it.

Consider demonstrating how to configure a health policy and assign the SHV.

To create a health policy and apply an SHV to it:
1. Open the Network Policy Server console from the Administrative Tools menu.
2. Expand Policies, right-click Health Policies, and then click New.
3. In the Policy Name box, type a name for the policy. In the Client SHV checks drop-down list, select the condition the policy tests (for example, Client passes all SHV checks). In the SHVs used in this policy section, select the Windows Security Health Validator check box.

To add the health policy to a network policy:
1. Open or create a network policy, and on the Conditions tab, click Add, select Health Policies from the available conditions, and then choose the health policy.

To enable NAP in the network policy:
1. On the Settings tab, select NAP Enforcement, and specify the remediation server group, whether auto-remediation is enabled, and the range of network access (full or restricted) that the policy grants.

References
Help Topic: Health Policies
Help Topic: Create a Health Policy
Help Topic: Understanding How to Configure Health Policy
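To show how the pieces above combine, the following Python model, added here as an example and not part of the course, evaluates a statement of health against the Windows Security Health Validator's settings, applies the SHV's error-code resolution (default Noncompliant), tests the health policy's Client SHV checks condition, and walks an ordered list of network policies to an access decision. It also shows why choosing the "passes one or more" condition for the compliant policy lets a partly noncompliant client through. The report field names, the policy names and the second (third-party) SHV are assumptions made for the example.

```python
"""Model of how NPS turns SHV verdicts into an access decision.

Added example, not part of Course 6421A. It models the evaluation order the
course describes (SHV verdicts -> health policy condition -> first matching
network policy); it is not the NPS wire format or API.
"""
from enum import Enum
from typing import Dict, List, Sequence, Tuple


class Health(Enum):
    COMPLIANT = "compliant"
    NONCOMPLIANT = "noncompliant"
    TRANSITIONAL = "transitional"
    INFECTED = "infected"
    UNKNOWN = "unknown"


# Settings the Windows Security Health Validator can require. The Windows XP SP2
# tab has no Spyware Protection section, so that profile drops the antispyware
# checks. Key names are this model's own, not a real statement-of-health format.
WSHV_VISTA = ("firewall_on", "antivirus_on", "antivirus_current",
              "antispyware_on", "antispyware_current", "auto_update_on")
WSHV_XP = tuple(k for k in WSHV_VISTA if not k.startswith("antispyware"))


def wshv_evaluate(soh: Dict[str, bool], required: Sequence[str] = WSHV_VISTA,
                  error_resolution: Health = Health.NONCOMPLIANT) -> Health:
    """One SHV checking one statement of health (SoH).

    A missing key models an SHA that never answered, one of the error cases in
    the SHV's error-code resolution section. NPS maps such errors to the
    configured resolution; the default is Noncompliant, i.e. fail closed.
    """
    if any(k not in soh for k in required):
        return error_resolution
    return Health.COMPLIANT if all(soh[k] for k in required) else Health.NONCOMPLIANT


def health_policy_matches(mode: str, verdicts: Sequence[Health]) -> bool:
    """The 'Client SHV checks' condition of an NPS health policy.

    In this model 'passes' means a Compliant verdict and 'fails' a Noncompliant
    one; the transitional, infected and unknown states have their own modes.
    """
    passed = [v is Health.COMPLIANT for v in verdicts]
    failed = [v is Health.NONCOMPLIANT for v in verdicts]
    table = {
        "passes all": all(passed),
        "fails all": all(failed),
        "passes one or more": any(passed),
        "fails one or more": any(failed),
        "transitional one or more": any(v is Health.TRANSITIONAL for v in verdicts),
        "infected one or more": any(v is Health.INFECTED for v in verdicts),
        "unknown one or more": any(v is Health.UNKNOWN for v in verdicts),
    }
    return table[mode]


# (network policy name, health policy condition, NAP enforcement setting).
# Names follow the '<name> Compliant' / '<name> Noncompliant' pair the Configure
# NAP wizard creates; order matters, as it does for NPS network policies.
Policy = Tuple[str, str, str]
WIZARD_POLICIES: List[Policy] = [
    ("NAP DHCP Compliant", "passes all", "full access"),
    ("NAP DHCP Noncompliant", "fails one or more", "restricted access"),
]
# Misconfigured variant: 'passes one or more' on the compliant policy.
LOOSE_POLICIES: List[Policy] = [
    ("NAP DHCP Compliant", "passes one or more", "full access"),
    ("NAP DHCP Noncompliant", "fails one or more", "restricted access"),
]


def decide_access(verdicts: Sequence[Health], policies: Sequence[Policy]) -> Tuple[str, str]:
    """Network policies are evaluated in order; the first one whose health
    policy condition matches decides the access setting."""
    for name, mode, access in policies:
        if health_policy_matches(mode, verdicts):
            return name, access
    return "no matching policy", "deny access"


if __name__ == "__main__":
    # Constructed SoH: firewall and updates on, antivirus signatures stale.
    soh = dict.fromkeys(WSHV_VISTA, True)
    soh["antivirus_current"] = False
    verdicts = [wshv_evaluate(soh), Health.COMPLIANT]  # WSHV plus a hypothetical second SHV
    print(decide_access(verdicts, WIZARD_POLICIES))    # restricted, as intended
    print(decide_access(verdicts, LOOSE_POLICIES))     # full access, wrongly
```

With two SHVs in play, the loose policy grants full access to a client whose antivirus signatures are stale, because one compliant verdict is enough to satisfy "passes one or more". This is the misconfiguration risk the module's best practices warn about, and it is why the wizard pairs "passes all" with full access and "fails one or more" with restricted access.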

21 What Are Remediation Server Groups?
- A remediation server hosts the updates that the NAP agent can use to bring noncompliant client computers into compliance with the health policy that NPS defines.
- A remediation server group is a list of servers on the restricted network that noncompliant NAP clients can access for software updates.
- With NAP enforcement in place, you should specify remediation server groups so that noncompliant NAP-capable clients have access to the resources that bring them into compliance.

Consider demonstrating how to use the NPS console to configure remediation server groups.

To create a new remediation server group:
1. Open the NPS console, and in the console tree, double-click Network Access Protection, right-click Remediation Server Groups, and then click New.
2. Under Group Name, type a name for the group, and then click Next.
3. Under Add Servers, click Add, specify the friendly name and the IP address or FQDN of the server, click Resolve, and then click OK. Repeat this step to add further remediation servers to the group.

Once you have created one or more remediation server groups, go to the Settings tab of each network policy that contains a health policy and specify the remediation server group to which noncompliant clients will be directed. For DHCP enforcement, these servers are the only hosts that the limited configuration routes to, so a server missing from the group is unreachable for a noncompliant client.

References
Help Topic: Configure Remediation Groups
Help Topic: Remediation Server Groups

22 NAP Client Configuration
Most NAP deployments require three client-side settings:
- Some NAP deployments that use the Windows Security Health Validator require that you enable Security Center.
- The Network Access Protection Agent service is required when you deploy NAP to NAP-capable client computers.
- You also must enable the NAP enforcement clients (ECs) on the NAP-capable computers.

Expand on the slide's information when describing the NAP client-configuration requirements.

To enable Security Center: enable the Turn on Security Center (Domain PCs only) setting under Computer Configuration, Administrative Templates, Windows Components, Security Center in Group Policy.

To enable the service: open Services from the Administrative Tools menu and, in the properties of the Network Access Protection Agent service, change the startup type to Automatic, and then start the service.

To enable an enforcement client:
1. Create a custom Microsoft Management Console (MMC) console with the NAP Client Configuration snap-in.
2. Expand NAP Client Configuration, and select Enforcement Clients in the console tree.
3. In the details pane, double-click the EC that you want to enable, and select Enable this enforcement client on the Properties sheet.

You can use the NAP Client Configuration snap-in to enable, disable, add, and delete NAP ECs. The NAP EC is responsible for requesting network access, communicating the health status to the NAP server that is authorizing the access, and communicating the connection status of the client computer to other NAP client architecture components.

You also can use the Netsh command to enable or disable ECs. Enforcement clients are addressed by the ID that the snap-in lists next to each EC; the DHCP Quarantine Enforcement Client has ID 79617. Use the following command at an elevated command prompt to enable the DHCP EC on the client:

netsh nap client set enforcement ID = 79617 ADMIN = "ENABLE"

To confirm the result, netsh nap client show configuration lists each EC with its ID and whether it is enabled.

References
Help Topic: Enable Security Center in Group Policy
Help Topic: Enable the Network Access Protection Service on Clients
Help Topic: Configure NAP Enforcement Clients

23 Demonstration: Using the Configure NAP Wizard to Apply Network Access Policies
Demonstration: Using the Configure NAP Wizard to Apply Network Access Policies

In this demonstration, you will see how to:
- Create DHCP NAP policies
- Configure DHCP enforcement on the DHCP server
- Use the NAP Client Management snap-in to enable the EC

Demonstrate the procedure for using the Configure NAP Wizard to apply network-access policies. Explain to students that they can use this procedure to create the health policies, connection-request policies, and network policies required to deploy NAP with NPS. However, ensure that students understand that this is not a complete solution: the software and hardware requirements (a NAP-enabled DHCP server, NAP-capable clients with the EC enabled, and reachable remediation servers) must also be met.

Demonstration steps:
1. Open Network Policy Server from the Administrative Tools menu, and then click NPS at the top of the console tree.
2. In the Getting Started/Standard Configuration section of the details pane, click Network Access Protection (NAP) in the drop-down list, and then click Configure NAP.
3. In the Network Connection Method dialog box, click DHCP in the drop-down list. Notice that the policy name defaults to NAP DHCP, and take note of the additional requirements link (selecting it opens NPS Help to the section that describes what is required to implement this NAP solution successfully). Click Next.
4. In the Specify NAP Enforcement Servers Running DHCP Server dialog box, either click Next if DHCP is installed locally on the server, or click Add, specify the information for the DHCP server, and then click Next.
5. On the Specify DHCP Scopes page, add the DHCP scopes that are to be NAP enabled, and then click Next.
6. On the Configure User Groups and Machine Groups page, grant or deny access to a group of computers, and then click Next. If no groups are specified, the policy applies to all users by default.
7. On the Specify a NAP Remediation Server Group and URL page, use the drop-down list to specify the remediation group, or click New Group to create one, and then click Next. You can use the URL text box if you created a Web site in the remediation network to instruct users of noncompliant PCs on how to perform remediation and regain access.
8. On the Define NAP Health Policy page, the Windows Security Health Validator is selected by default, as are Enable auto-remediation and the option to deny full access and allow restricted access only. Make changes as needed, and then click Next.
9. Review the settings, and then click Finish to create the policies in NPS.

24 Notes Page Over-flow Slide. Do Not Print Slide. See Notes pane.
To enable a scope in DHCP for use by NAP:
1. Open the DHCP console from the Administrative Tools menu, expand the server name, expand IPv4, right-click the scope that you wish to use with NAP, and then click Properties.
2. Click the Network Access Protection tab, select Enable for this scope, and then click OK.

Note: For the client configuration, use the information from the previous topic to enable the EC for DHCP NAP and set the Network Access Protection Agent service to start automatically. Without both, the client sends ordinary DHCP requests with no health state and is treated as non-NAP-capable.

References
Help Topic: Create NAP Policies with a Wizard
Help Topic: Checklist: Configure NAP Enforcement for DHCP

25 Lesson 4: Monitoring and Troubleshooting NAP
- What Is NAP Tracing?
- Configuring NAP Tracing
- Demonstration: Configuring Tracing

26 What Is NAP Tracing?
What Is NAP Tracing?

- NAP tracing identifies NAP events and records them to a log file at one of the following tracing levels: Basic, Advanced, or Debug.
- You can use tracing logs to evaluate the health and security of your network, and for troubleshooting and maintenance.
- NAP tracing is disabled by default, which means that no NAP events are recorded in the trace logs.

Students should be aware that tracing is disabled by default and that they should enable it if they want to troubleshoot NAP-related problems or evaluate the overall health and security of their organization's computers. Because it is off by default, a client that unexpectedly lands on the restricted network has no trace log to consult until tracing is enabled and the connection attempt is repeated.

References
Help Topic: Configure NAP Tracing

27 Configuring NAP Tracing
- You can configure NAP tracing by using one of the following tools: the NAP Client Management console, or the Netsh command-line tool.
- To enable logging, you must be a member of the local Administrators group.
- Trace logs are located in the %systemroot%\tracing\nap directory.

Describe the two tools that are available for configuring NAP tracing. Emphasize that only members of the local Administrators group can enable logging, and point out the location of the trace logs. In the next topic, you will demonstrate how to enable logging, specify the level of detail in the log, and view the log.

References
Help Topic: Enable and Disable NAP Tracing

28 Demonstration: Configuring Tracing
In this demonstration, you will see how to:
- Configure tracing from the GUI
- Configure tracing from the command line
- View the log files

Demonstration steps:

To configure tracing from the graphical user interface (GUI):
1. Open the NAP Client Configuration MMC console.
2. Right-click NAP Client Configuration in the console tree, and then click Properties.
3. On the General tab, specify whether to enable or disable tracing, and select the level of logging from the drop-down list.

To configure tracing from the command line:
1. Open a command prompt with administrative permissions (for example, by using Run as administrator or the runas command).
2. To enable NAP tracing, type: netsh nap client set tracing state = enable
   To disable NAP tracing, type: netsh nap client set tracing state = disable

To view the log files, navigate to the %systemroot%\tracing\nap directory, and open the trace log that you want to view.

Note: You must be a member of the local Administrators group, or have been delegated the appropriate authority, to perform these procedures. Use the references for step-by-step instructions.

Question: Of what group must you be a member to enable NAP tracing?
Answer: You must be a member of the local Administrators group.

References
Help Topic: Enable and Disable NAP Tracing
Help Topic: Specify Level of Detail in the NAP Trace Log

29 Lab: Configuring NAP for DHCP and VPN
Exercise 1: Configuring NAP for DHCP Clients
Exercise 2: Configuring NAP for VPN Clients

Lab objectives:
- Configure NAP for DHCP clients
- Configure NAP for VPN clients

Scenario: The Windows Infrastructure Services (WIS) technology specialist has been tasked with establishing a way to bring client computers automatically into compliance by using Network Policy Server, creating client compliance policies, and configuring a NAP server to check the current health of computers.

Exercise 1: Configuring NAP for DHCP Clients. Students will configure and test NAP for DHCP clients.
Exercise 2: Configuring NAP for VPN Clients. Students will configure and test NAP for VPN clients.

Inputs:
- Virtual machines (one configured as a certificate authority [CA])
- The Virtual PC (VPC) structure should include a subnet for the remediation server

Output: NAP is configured for both DHCP and VPN clients.

Logon information:
  Virtual machines: NYC-DC1, NYC-SVR1 and NYC-CL1
  User name:        Administrator
  Password:         Pa$$w0rd

Estimated time: 120 minutes

30 Lab Review
Lab Review

- The DHCP NAP enforcement method is the weakest of the NAP enforcement methods. What makes it less preferable than the others?
- Could you use the remote access NAP solution alongside the IPsec NAP solution? What benefit would be realized in such a scenario?
- Could you have used DHCP NAP enforcement for the VPN client? Why or why not?

Question: The DHCP NAP enforcement method is the weakest of the NAP enforcement methods. What makes it less preferable than the others?
Answer: It is less preferable because a user with administrator-level access can assign a static IP address on the client, which circumvents DHCP NAP enforcement altogether: no DHCP exchange takes place, so the client's health state is never presented to the DHCP enforcement server.

Question: Could you use the remote access NAP solution alongside the IPsec NAP solution? What benefit would be realized in such a scenario?
Answer: Yes. You can use one or all of the NAP enforcement methods in an environment. One benefit is that communication on the intranet also would be secured with IPsec, not just the tunnel between the Internet host and the Routing and Remote Access server.

Question: Could you have used DHCP NAP enforcement for the VPN client? Why or why not?
Answer: No. It would not have worked, because the IP addresses assigned to the Routing and Remote Access client in this lab come from a static pool on the Routing and Remote Access server itself, so the client never performs a DHCP exchange with the NAP-enabled DHCP server.

31 Module Review and Takeaways
Module Review and Takeaways

- Review Questions
- Best Practices
- Tools

Review Questions

Question: What are the three main client settings that need to be configured for most NAP deployments?
Answer: Some NAP deployments that use the Windows Security Health Validator require that you enable Security Center. The Network Access Protection Agent service is required when you deploy NAP to NAP-capable client computers. You also must enable the NAP enforcement clients on the NAP-capable computers.

Question: You want to evaluate the overall health and security of the NAP-enforced network. What do you need to do to start recording NAP events?
Answer: NAP trace logging is disabled by default and should be enabled if you want to troubleshoot NAP-related problems or evaluate the overall health and security of your organization's computers. You can use the NAP Client Management console or the netsh command-line tool to enable logging.

Network Access Protection Best Practices

Consider the following best practices when implementing NAP:
- Use strong enforcement methods (IPsec, 802.1X, and VPN). Strong enforcement methods provide the most secure and effective NAP deployment.
- Do not rely on NAP to secure a network from malicious users. NAP is designed to help administrators maintain the health of the network's computers, which in turn helps maintain the network's overall integrity. NAP does not prevent an authorized user with a compliant computer from uploading a malicious program to the network or disabling the NAP agent.
- Use consistent NAP policies throughout the site hierarchy to minimize confusion. Configuring a NAP policy incorrectly may result in clients accessing the network when they should be restricted, or in valid clients being erroneously restricted. The more complicated your NAP policy design, the higher the risk of incorrect configuration.
- Do not rely on NAP as an instantaneous or real-time enforcement mechanism. There are inherent delays in the NAP enforcement mechanism. While NAP helps keep computers compliant over the long run, typical enforcement delays may last several hours or more due to a variety of factors, including the settings of various configuration parameters.

