Network Access Protection in Windows Server 2008

[November 2007]
Network Access Protection in Windows Server 2008
Verify computers’ security before allowing network access
By: Damir Dizdarevic
Solutions +
InstantDoc #95617
From the November 2007 edition of Windows IT Pro

To configure the Health Policy option, double- click the Policies node in the NPS console, right-click Health Policies, and select New. In the window that Figure 3 shows, enter the policy name and select what the System Health Validator (SHV) component will check.

First, let’s create a policy for compliant clients. Enter compliant for the policy name, and select Client passes all SHV checks from the drop-down menu. Selecting this option means that, for a client to be considered healthy, it must pass all the requirements you configured in SHV (which in the example was only the firewall requirement). Next, select the Windows Security Health Validator check box and click OK. Your first policy is now configured.

Next, let’s create a policy for noncompliant computers. Follow the same steps to create a new health policy, perhaps called noncompliant. In the drop-down menu, select Client fails one or more SHV checks, which means that if a client fails to correctly report one or more required components from SHV, it will be considered unhealthy. Finally, select the Windows Security Health Validator check box and click OK.

Create Network Policies for NAP
After you configure the SHV and Health Policy options, you can configure network policies. In the NPS console’s Policies node, click Network Policies and disable the default policies. By default, the two default policies are Connections to Microsoft Routing and Remote Access Server and Connections to other access servers. Right-click each policy and select Disable from the drop-down menu. Then, right-click the Network Policies folder and select New. A wizard for creating a new policy will start. Enter a policy name (e.g., “noncompliant- restricted” for a policy for unhealthy clients). Then, select from the drop-down list the type of network access server that will apply the policy to clients. The default is Unspecified; for our purposes, select DHCP Server.

Click Next to proceed to the Conditions page, and click Add to select conditions for the policy. From the list of available conditions that displays, select Health Policies from the Network Access Protection group. In the window that opens, select the “noncompliant” health policy that you created earlier.

Follow the same procedure to add the NAPCapable condition, which Figure 4 shows, to the policy. This condition limits application of the policy only to computers that are NAP capable.

Click Next to launch the Specify Access Permission window. In this window, you must specify what to do with clients that meet the policy. Although denying access to unhealthy clients might seem logical, you don’t want to completely deny access to those clients. Instead, you should provide them with limited access only to hosts that can help them improve their security state (i.e., remediation servers). Select Access Granted and click Next.

In the Configure Authentication Methods window, select the Perform machine health check only option, and clear the other check boxes, as Figure 5 shows. Because you’re configuring a policy for checking clients’ security health state via DHCP and because DHCP clients don’t authenticate to the DHCP server, you don’t need to configure authentication methods. Just click Next in the Configure Constraints window—none of the options apply to our example.

In the Configure Settings window, select NAP Enforcement in the Network Access Protection section, as Figure 6 shows. For this policy, you should select the Allow limited access NAP enforcement method. This setting will put clients in quarantine and give them access only to remediation servers. You can also configure those servers from this window: Simply click Configure to create a Remediation Server Group, and enter IP addresses for the hosts. Also select the Enable auto-remediation of client computers check box. Enabling both these settings causes the NAP Enforcement client component to automatically attempt to update the computer security state (e.g., if you turn the firewall off, it will be turned on automatically).

After you create a policy for incompliant clients, you must create a policy for compliant clients. Follow the same steps to create another new network policy, this time naming the policy “compliant full.” On the Conditions page, select the “compliant” health policy. Then, select the Allow full network access check box on the NAP Enforcement Settings tab. All other settings are the same as for the incompliant client policy.

Finally, you can configure a policy for NAP non-capable clients, to provide them with or deny them network access. This policy should grant or deny access to clients that aren’t NAP capable, by implementing only the NAPCapable condition, with the Only computers that are not NAP-capable option selected. (Note that this policy isn’t necessary in a test environment.)

Figure 7 shows the NPS console after you’ve created the necessary policies. Next, you need to configure DHCP.

Configure DHCP for NAP
You need to configure DHCP, so that DHCP can use NPS and the policies you created. First, you must create a scope on the DHCP server. Our intention is to configure the DHCP server to distribute a different group of scope options to compliant and incompliant NAP clients. After you create a scope, right-click it in the DHCP console. Select Properties, and go to the Network Access Protection tab. Then, select the Enable for this scope check box, as Figure 8 shows, and use the default NAP profile.

Another thing you can configure from the Network Access Protection tab in IPv4’s properties is DHCP behavior, in case DHCP can’t contact the network policy server. The default setting is to give clients full access, but you can also select the Restricted Access or Drop Client Packet options. In addition, you can enable and disable NAP on the server level.

Finally, you must configure additional options for NAP-capable clients. Right-click Scope Options, and select Configure Options. In the Configure Scope Options dialog box, select the Advanced tab. Select Default Network Access Protection Class as a User class, and define specific DHCP options for this class of clients (e.g., different DNS domain name, different gateway).

Prev. page 1 [2] 3 next page

You must log on before posting a comment.

If you don't have a username & password, please register now.

ADS BY GOOGLE

SQL JOB OPENINGSSPONSORED LINKS

Free SQL Server Performance Dashboard: Fast, easy real-time performance monitoring.

FEATURED LINKS

Coming in December –SQL Live Event Series: Join independent experts to discover about if or when you should make the critical upgrade decision about SQL Server 2008

	SQL Server Magazine Register Subscribe FAQ for Windows WinInfoNews
	Contact Us / Customer Service Editorial Calendar Media Kit Affiliates / Licensing Technology Resource Directory
	Windows IT Pro Office & SharePoint Pro Windows Dev Pro IT Library Connected Home Windows Excavator SuperSite IT Job Hound ITTV

	Copyright © 2008 Penton Media, Inc. All rights reserved. Terms and Use Privacy Statement Reprints and Licensing

SQL Server Magazine

Search

Learning Path

Windows IT Pro Resources

Related Articles

Related Events

Related Resources

SQL JOB OPENINGSSPONSORED LINKS

Free SQL Server Performance Dashboard

FEATURED LINKS

Coming in December –SQL Live Event Series