Step By Step Guide: Demonstrate DHCP NAP
Enforcement in a Test Lab
Microsoft Corporation
Published: February 2008
Abstract
Network Access Protection (NAP) is a new policy enforcement technology in the Windows Vista® and Windows Server® 2008 and Windows XP with Service Pack 3 operating systems. NAP provides components and an application programming interface (API) set that help administrators enforce compliance with health requirements for network access and communication. This paper contains an introduction to NAP and instructions for setting up a test lab to deploy NAP with the DHCP enforcement method.
Copyright Information
This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2008 Microsoft Corporation. All rights reserved.
Microsoft, MS-DOS, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.
Contents
Step-by-Step Guide: Demonstrate DHCP NAP Enforcement in a Test Lab
In this guide
Scenario overview
NAP enforcement processes
Policy validation
NAP enforcement and network restriction
Remediation
Ongoing monitoring to ensure compliance
DHCP NAP enforcement overview
Hardware and software requirements
Steps for configuring the test lab
Configure DC1
Install the operating system on DC1
Configure TCP/IP on DC1
Configure DC1 as a domain controller and DNS server
Create a user account in Active Directory
Add user1 to the Domain Admins group
Create a security group for NAP client computers
Configure NPS1
Install Windows Server 2008 or Windows Server 2008 R2
Configure TCP/IP properties on NPS1
Join NPS1 to the contoso.com domain
User Account Control
Install the NPS and DHCP server roles
Install the Group Policy Management feature
Configure NPS as a NAP health policy server
Configure NAP with a wizard
Configure SHVs
Configure DHCP on NPS1
Open the DHCP console
Enable NAP settings for the scope
Configure the default user class
Configure the default NAP class
Configure NAP client settings in Group Policy
Configure security filters for the NAP client settings GPO
Configure CLIENT1
Install Windows Vista on CLIENT1
Configure TCP/IP on CLIENT1
Test network connectivity for CLIENT1
Configure DC1 as a remediation server
Renew IP addressing on CLIENT1
Join CLIENT1 to the Contoso.com domain
Add CLIENT1 to the NAP client computers security group
Enable Run on the Start menu
Verify Group Policy settings
Verifying NAP functionality
Verification of NAP auto-remediation
Verification of health policy enforcement
Configure WSHV to require an antivirus application
Release and renew the IP address on CLIENT1
View the client restriction state
Allow CLIENT1 to become compliant
See Also
Appendix
Set UAC behavior of the elevation prompt for administrators
Review NAP client events
Review NAP server events
Step-by-Step Guide: Demonstrate DHCP NAP
Enforcement in a Test Lab
Network Access Protection (NAP) is a new technology introduced in Windows Vista® and Windows Server® 2008. (NAP can also be deployed on computers running Windows Server 2008 R2 and Windows 7.) NAP includes client and server components that allow you to create and enforce health requirement policies that define the required software and system configurations for computers that connect to your network. NAP enforces health requirements by inspecting and assessing the health of client computers, limiting network access when client computers are deemed noncompliant, and remediating noncompliant client computers for unrestricted network access. NAP enforces health requirements on client computers that are attempting to connect to a network. NAP also provides ongoing health compliance enforcement while a compliant client computer is connected to a network.
In addition, NAP provides an application programming interface (API) set that allows non-Microsoft software vendors to integrate their solutions into the NAP framework.
NAP enforcement occurs at the moment when client computers attempt to access the network through network access servers, such as a VPN server running Routing and Remote Access, or when clients attempt to communicate with other network resources. The way that NAP is enforced depends on the enforcement method you choose.
NAP enforces health requirements for the following:
Internet Protocol security (IPsec)-protected communications
Institute of Electrical and Electronics Engineers (IEEE) 802.1X-authenticated connections
Virtual private network (VPN) connections
Dynamic Host Configuration Protocol (DHCP) configuration
Terminal Services Gateway (TS Gateway)
The step-by-step instructions in this paper will show you how to deploy a NAP DHCP enforcement test lab so that you can better understand how DHCP enforcement works.
In this guide
This paper contains an introduction to NAP and instructions for setting up a test lab and deploying NAP with the DHCP enforcement method using two server computers and one client computer. The test lab lets you create and enforce client health requirements using NAP and DHCP.
Important
The following instructions are for configuring a test lab using the minimum number of computers. Individual computers are needed to separate the services provided on the network and to clearly show the desired functionality. This configuration is neither designed to reflect best practices nor does it reflect a desired or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed only to work on a separate test lab network.
Scenario overview
In this test lab, NAP enforcement for DHCP network access control is deployed with a server running Windows Server 2008 or Windows Server 2008 R2 that has DHCP and the Network Policy Server (NPS) service installed, and a client computer running Windows Vista or Windows 7 with the NAP agent service running and DHCP enforcement client component enabled. A computer running Windows Server® 2003 is also used in the test lab as a domain controller and DNS server. The test lab will demonstrate how NAP-capable client computers are provided network access based on their compliance with network health requirements.
NAP enforcement processes
Several processes are required for NAP to function properly: policy validation, NAP enforcement and network restriction, remediation, and ongoing monitoring to ensure compliance.
Policy validation
System health validators (SHVs) are used by NPS to analyze the health status of client computers. SHVs are incorporated into network policies that determine actions to be taken based on client health status, such as the granting of full network access or the restricting of network access. Health status is monitored by client-side NAP components called system health agents (SHAs). NAP uses SHAs and SHVs to monitor, enforce, and remediate client computer configurations.
Windows Security Health Agent (WSHA) and Windows Security Health Validator (WSHV) are included with the Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 operating systems, and enforce the following settings for NAP-capable computers:
The client computer has firewall software installed and enabled.
The client computer has antivirus software installed and running.
The client computer has current antivirus updates installed.
The client computer has antispyware software installed and running.
The client computer has current antispyware updates installed.
Microsoft Update Services is enabled on the client computer.
In addition, if NAP-capable client computers are running Windows Update Agent, NAP can verify that the most recent software security updates are installed based on one of four possible values that match security severity ratings from the Microsoft Security Response Center (MSRC).
This test lab will use the WSHA and WSHV to require that client computers have turned on Windows Firewall, and have an antivirus application installed.
NAP enforcement and network restriction
NAP enforcement settings allow you to limit network access of noncompliant clients to a restricted network, to defer restriction to a later date, or to merely observe and log the health status of NAP-capable client computers. The following settings are available:
Allow full network access. This is the default setting. Clients that match the policy conditions are deemed compliant with network health requirements, and are granted unrestricted access to the network if the connection request is authenticated and authorized. The health compliance status of NAP-capable client computers is logged.
Allow limited access. Client computers that match the policy conditions are deemed noncompliant with network health requirements, and are placed on the restricted network.
Allow full network access for a limited time. Clients that match the policy conditions are temporarily granted full network access. NAP enforcement is delayed until the specified date and time.
You will create two network policies in this test lab. A compliant policy will grant full network access to an intranet network segment. A noncompliant policy will demonstrate network restriction by issuing a TCP/IP configuration to the client computer that places it on a restricted network.
Remediation
Noncompliant client computers that are placed on a restricted network might undergo remediation. Remediation is the process of updating a client computer so that it meets current health requirements. If additional resources are required for a noncompliant computer to update its health state, these resources must be provided on the restricted network. For example, a restricted network might contain a File Transfer Protocol (FTP) server that provides current virus signatures so that noncompliant client computers can update their outdated signatures.
You can use NAP settings in NPS network policies to configure automatic remediation so that NAP client components automatically attempt to update the client computer when it is noncompliant.
This test lab includes a demonstration of automatic remediation. The Enable auto-remediation of client computers setting will be enabled in the noncompliant network policy, which will cause Windows Firewall to be turned on without user intervention.
Ongoing monitoring to ensure compliance
NAP can enforce health compliance on compliant client computers that are already connected to the network. This functionality is useful for ensuring that a network is protected on an ongoing basis as health policies and the health of client computers change. Client computers are monitored when their health state changes, and when they initiate requests for network resources. This test lab includes a demonstration of ongoing monitoring when the client's DHCP-issued address is renewed. The NAP client computer sends a statement of health (SoH) with the DHCP address request, and is granted full or restricted access based on its current health state.
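The four processes described above (policy validation, enforcement, auto-remediation, and re-evaluation at DHCP renewal) can be traced with a small model. This is an added example, not Microsoft code or an NPS API; the check names, the policy names, the REMEDIABLE set, and the rule that a deferred policy falls back to limited access after its deadline are modeling assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from enum import Enum
from typing import Optional


class Access(Enum):
    # The three enforcement settings listed in the guide.
    FULL = "Allow full network access"
    LIMITED = "Allow limited access"
    FULL_FOR_LIMITED_TIME = "Allow full network access for a limited time"


@dataclass(frozen=True)
class NetworkPolicy:
    name: str
    matches_compliant: bool              # health policy result this policy applies to
    access: Access
    auto_remediate: bool = False
    deadline: Optional[datetime] = None  # used only with FULL_FOR_LIMITED_TIME


@dataclass
class Client:
    name: str
    state: dict  # real machine state; the SHA reports it in the SoH

    def statement_of_health(self):
        # A SoH is a snapshot, so a later fix is only seen on the next request.
        return dict(self.state)


def failed_checks(required, soh):
    """SHV step: required settings that the SoH does not report as True.
    A setting absent from the SoH counts as failed (fail closed)."""
    return sorted(c for c in required if soh.get(c) is not True)


def select_policy(policies, compliant):
    """NPS step: the first network policy whose health condition matches wins."""
    for policy in policies:
        if policy.matches_compliant == compliant:
            return policy
    raise LookupError("no network policy matches this health state")


def dhcp_request(client, required, policies, remediable, now):
    """One DHCP address request or renewal carrying a SoH.
    Returns (access granted, failed checks, checks fixed by auto-remediation)."""
    failures = failed_checks(required, client.statement_of_health())
    policy = select_policy(policies, compliant=not failures)
    access = policy.access
    # Modeled deferred enforcement: past the deadline the client is restricted.
    if (access is Access.FULL_FOR_LIMITED_TIME
            and policy.deadline is not None and now >= policy.deadline):
        access = Access.LIMITED
    fixed = []
    if failures and policy.auto_remediate:
        fixed = [c for c in failures if c in remediable]
        for check in fixed:
            client.state[check] = True  # takes effect on the next request
    return access, failures, fixed


# The lab's two network policies (policy names here are illustrative).
LAB_POLICIES = [
    NetworkPolicy("compliant", True, Access.FULL),
    NetworkPolicy("noncompliant", False, Access.LIMITED, auto_remediate=True),
]
# Assumption: the agent can switch the firewall on but cannot install antivirus.
REMEDIABLE = {"firewall_enabled"}
NOW = datetime(2008, 2, 15, 9, 0)  # constructed timestamp


def run_lab():
    """CLIENT1 with the firewall off and no antivirus (constructed state)."""
    client = Client("CLIENT1", {"firewall_enabled": False, "antivirus_installed": False})
    required = {"firewall_enabled"}
    log = [
        dhcp_request(client, required, LAB_POLICIES, REMEDIABLE, NOW),  # restricted, firewall fixed
        dhcp_request(client, required, LAB_POLICIES, REMEDIABLE, NOW),  # renewal: full access
    ]
    required = {"firewall_enabled", "antivirus_installed"}  # health requirement tightened
    log.append(dhcp_request(client, required, LAB_POLICIES, REMEDIABLE, NOW))
    return log


def run_deferred():
    """Noncompliant client under a deferred policy, before and after the deadline."""
    policies = [
        LAB_POLICIES[0],
        NetworkPolicy("noncompliant-deferred", False, Access.FULL_FOR_LIMITED_TIME,
                      deadline=datetime(2008, 3, 1)),  # constructed date
    ]
    client = Client("CLIENT1", {"firewall_enabled": False})
    before, _, _ = dhcp_request(client, {"firewall_enabled"}, policies, set(), NOW)
    after, _, _ = dhcp_request(client, {"firewall_enabled"}, policies, set(), datetime(2008, 3, 2))
    return before, after


if __name__ == "__main__":
    for access, failures, fixed in run_lab():
        print(access.value, "| failed:", failures, "| auto-remediated:", fixed)
    print([a.value for a in run_deferred()])
```

The third request in run_lab stays restricted because nothing in the model can satisfy the antivirus requirement automatically, which is the state the guide's later antivirus verification section examines.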
DHCP NAP enforcement overview
The test environment described in this guide includes a domain controller running Windows Server 2003, a member server running Windows Server 2008 or Windows Server 2008 R2, and a client computer running Windows Vista or Windows 7. The domain controller, member server, and the client computer compose a private intranet and are connected through a common hub or layer 2 switch. Private addresses are used throughout the test lab configuration. The private network ID 192.168.0.0/24 is used for the intranet. The domain controller is named DC1 and is the primary domain controller for the domain named Contoso.com. The member server is named NPS1 and is configured as a DHCP server and a network policy server. The client is named CLIENT1 and is configured for automatic addressing through DHCP. The following figure shows the configuration of the test environment.
Hardware and software requirements
The following are required components of the test lab:
The product disc for Windows Server 2008 or Windows Server 2008 R2.
The product disc for Windows Vista Business, Windows Vista Enterprise, or Windows Vista Ultimate. You can also use the product discs for Windows 7 Home Premium, Windows 7 Professional, or Windows 7 Ultimate.
The product disc for Windows Server 2003 with Service Pack 2 (SP2).
One computer that meets the minimum hardware requirements for Windows Server 2003 with SP2.
Note
This lab demonstrates NAP support for the Active Directory® directory service in Windows Server 2003. You can also make the domain controller in this lab run Windows Server 2008 or Windows Server 2008 R2.
One computer that meets the minimum hardware requirements for Windows Server 2008 or Windows Server 2008 R2.
One computer that meets the minimum hardware requirements for Windows Vista or Windows 7.
An Ethernet hub or layer 2 switch.
Steps for configuring the test lab
There are three overall stages required to set up this test lab, one stage for each computer.
1. Configure DC1.
DC1 is a server computer running the Windows Server 2003 Standard Edition operating system. DC1 is configured as a domain controller with Active Directory and the primary DNS server for the intranet subnet.
2. Configure NPS1.
NPS1 is a server computer running Windows Server 2008 or Windows Server 2008 R2. NPS1 is configured with the Network Policy Server (NPS) service, which functions as a NAP health policy server and a Remote Authentication Dial-in User Service (RADIUS) server. NPS1 will also be configured with the DHCP service and function as a NAP enforcement server.
3. Configure CLIENT1.
CLIENT1 is a client computer running Windows Vista or Windows 7. CLIENT1 will be configured as a DHCP client and a NAP client.
Note
You must be logged on as a member of the Domain Admins group or a member of the Administrators group on each computer to complete the tasks described in this guide. If you cannot complete a task while you are logged on with an account that is a member of the Administrators group, try performing the task while you are logged on with an account that is a member of the Domain Admins group.
After the NAP components are configured, this guide will provide steps for a demonstration of NAP enforcement and auto-remediation. The following sections provide details about how to perform these tasks.
Configure DC1
DC1 is a computer running Windows Server 2003 Standard Edition with SP2, which provides the following services:
A domain controller for the Contoso.com Active Directory domain.
A DNS server for the Contoso.com DNS domain.
DC1 configuration consists of the following steps:
Install the operating system.
Configure TCP/IP.
Install Active Directory and DNS.
Create a user account and group in Active Directory.
Create a NAP client computer security group.
The following sections explain these steps in detail.
Install the operating system on DC1
Install Windows Server 2003 Standard Edition with SP2 as a stand-alone server.
To install the operating system on DC1
1. Start your computer using the Windows Server 2003 product disc.
2. When prompted for a computer name, type DC1.
Configure TCP/IP on DC1
Configure the TCP/IP protocol with a static IP address of 192.168.0.1 and the subnet mask of 255.255.255.0.
To configure TCP/IP on DC1
1. Click Start, click Run, and then type ncpa.cpl.
2. Right-click Local Area Connection, and then click Properties.
3. Click Internet Protocol (TCP/IP), and then click Properties.
4. Select Use the following IP address. Type 192.168.0.1 next to IP address and 255.255.255.0 next to Subnet mask.
5. Verify that Preferred DNS server is blank.
6. Click OK, click Close, and then close the Network Connections window.
Configure DC1 as a domain controller and DNS server
DC1 will serve as the only domain controller and DNS server for the Contoso.com domain.
To configure DC1 as a domain controller and DNS server
1. To start the Active Directory Installation Wizard, click Start, click Run, type dcpromo, and then press ENTER.
2. In the Active Directory Installation Wizard dialog box, click Next.
3. Operating system compatibility information is displayed. Click Next again.
4. Verify that Domain controller for a new domain is selected, and then click Next.
5. Verify that Domain in a new forest is selected, and then click Next twice.
6. On the Install or Configure DNS page, select No, just install and configure DNS on this computer, and then click Next.
7. Type Contoso.com next to Full DNS name for new domain, and then click Next.
8. Confirm that the Domain NetBIOS name shown is CONTOSO, and then click Next.
9. Accept the default Database Folder and Log Folder directories, and then click Next.
10. Accept the default folder location for Shared System Volume, and then click Next.
11. Verify that Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems is selected, and then click Next.
12. Leave the Restore Mode Password and Confirm Password text boxes blank, and then click Next.
13. Review the summary information provided, and then click Next.
14. Wait while the wizard completes configuration of Active Directory and DNS services, and then click Finish.
15. When prompted to restart the computer, click Restart Now.
16. After the computer is restarted, log in to the CONTOSO domain using the Administrator account.
Create a user account in Active Directory
Next, create a user account in Active Directory. This account will be used when logging in to NPS1 and CLIENT1.
To create a user account in Active Directory
1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the console tree, double-click Contoso.com, right-click Users, point to New, and then click User.
3. In the New Object - User dialog box, next to Full name, type User1 User, and in User logon name, type User1.
4. Click Next.
5. In Password, type the password that you want to use for this account, and in Confirm password, type the password again.
6. Clear the User must change password at next logon check box, and select the Password never expires check box.
7. Click Next, and then click Finish.
8. Leave the Active Directory Users and Computers console open for the following procedure.
Add user1 to the Domain Admins group
Next, add the newly created user to the Domain Admins group so this user can be used for all configuration activities.
To add a user to the Domain Admins group
1. In the Active Directory Users and Computers console tree, click Users.
2. In the details pane, double-click Domain Admins.
3. In the Domain Admins Properties dialog box, click the Members tab, and then click Add.
4. Under Enter the object names to select (examples), type User1, the user name that you created in the preceding procedure, and then click OK twice.
5. Leave the Active Directory Users and Computers console open for the following procedure.
Create a security group for NAP client computers
Next, create a security group for use with Group Policy security filtering. This security group will be used to apply NAP client computer settings to only the computers you specify. CLIENT1 will be added to this security group after it is joined to the domain.
To create a security group for NAP client computers
1. In the Active Directory Users and Computers console tree, right-click contoso.com, point to New, and then click Group.
2. In the New Object - Group dialog box, under Group name, type NAP client computers.
3. Under Group scope, choose Global, under Group type, choose Security, and then click OK.
4. Close the Active Directory Users and Computers console.
Configure NPS1
For the test lab, NPS1 will be running Windows Server 2008 or Windows Server 2008 R2, and will host the NPS service, which provides RADIUS authentication, authorization, and accounting. NPS1 configuration consists of the following steps:
Install the operating system.
Configure TCP/IP.
Join the computer to the domain.
Install the NPS and DHCP server roles.
Install the Group Policy Management feature.
Configure NPS as a NAP health policy server.
Configure DHCP.
Configure NAP client settings in Group Policy.
Install Windows Server 2008 or Windows Server 2008 R2
To install Windows Server 2008 or Windows Server 2008 R2
1. Start your computer by using the Windows Server 2008 or Windows Server 2008 R2 product CD.
2. When prompted for the installation type, choose Custom.
3. Follow the instructions that appear on your screen to finish the installation.
Configure TCP/IP properties on NPS1
To configure TCP/IP properties on NPS1
1. Click Server Manager.
2. Under Server Summary, click View Network Connections.
3. In the Network Connections dialog box, right-click Local Area Connection, and then click Properties.
4. In the Local Area Connection Properties dialog box, clear the Internet Protocol Version 6 (TCP/IPv6) check box. This step will reduce the complexity of the lab, particularly for those who are not familiar with IPv6.
5. In the Local Area Connection Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
6. Select Use the following IP address. In IP address, type 192.168.0.2. In Subnet mask, type 255.255.255.0.
7. Select Use the following DNS server addresses. In Preferred DNS server, type 192.168.0.1.
8. Click OK, and then click Close to close the Local Area Connection Properties dialog box.
9. Close the Network Connections window.
10. Do not close the Server Manager window. It will be used in the next procedure.
11. Next, check network communication between NPS1 and DC1 by running the ping command from NPS1.
12. Click Start, click Run, in Open type cmd, and then press ENTER.
13. In the command window, type ping DC1.
14. Verify that the response reads "Reply from 192.168.0.1."
15. Close the command window.
Join NPS1 to the contoso.com domain
To join NPS1 to the contoso.com domain
1. In Server Manager, under Server Summary, click Change System Properties.
2. In the System Properties dialog box, on the Computer Name tab, click Change.
3. In the Computer Name/Domain Changes dialog box, under Computer name, type NPS1.
4. In the Computer Name/Domain Changes dialog box, under Member of, choose Domain, and then under Domain, type Contoso.com.
5. Click More. Under Primary DNS suffix of this computer, type Contoso.com, and then click OK twice.
6. When prompted for a user name and password, type User1 and the password for the user account that you added to the Domain Admins group, and then click OK.
7. When you see a dialog box that welcomes you to the Contoso.com domain, click OK.
8. When you are prompted that you must restart the computer, click OK.
9. On the System Properties dialog box, click Close.
10. When you are prompted to restart the computer, click Restart Now.
11. After the computer has been restarted, click Switch User, then click Other User and log on to the CONTOSO domain with the User1 account you created.
User Account Control
When you configure the Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 operating systems, you are required to click Continue in the User Account Control (UAC) dialog box for some tasks. Several of the configuration tasks to follow require UAC approval. When prompted, always click Continue to authorize these changes. Alternatively, see the Appendix of this guide for instructions about how to set UAC behavior of the elevation prompt for administrators.
Install the NPS and DHCP server roles
Next, install the NPS and DHCP server roles on NPS1.
To install the NPS and DHCP server roles
1. Click Start, and then click Server Manager.
2. Under Roles Summary, click Add roles, and then click Next.
3. On the Select Server Roles page, select the DHCP Server and Network Policy and Access Services check boxes, and then click Next twice.
4. On the Select Role Services page, select the Network Policy Server check box, and then click Next twice.
5. On the Select Network Connection Bindings page, verify that 192.168.0.2 is selected, and then click Next.
6. On the Specify IPv4 DNS Server Settings page, verify that contoso.com is listed under Parent domain.
7. Type 192.168.0.1 under Preferred DNS server IP address, and click Validate. Verify that the result returned is Valid, and then click Next.
8. On the Specify WINS Server Settings page, accept the default setting of WINS is not required on this network, and then click Next.
9. On the Add or Edit DHCP Scopes page, click Add.
10. In the Add Scope dialog box, type NAP Scope next to Scope Name. Next to Starting IP Address, type 192.168.0.3, next to Ending IP Address, type 192.168.0.10, and next to Subnet Mask, type 255.255.255.0.
11. Select the Activate this scope check box, click OK, and then click Next.
12. On the Configure DHCPv6 Stateless Mode page, select Disable DHCPv6 stateless mode for this server, and then click Next.
13. On the Authorize DHCP Server page, select Use current credentials. Verify that CONTOSO\user1 is displayed next to Username, and then click Next.
14. On the Confirm Installation Selections page, click Install.
15. Verify the installation was successful, and then click Close.
16. Leave Server Manager open for the following procedure.
Install the Group Policy Management feature
Group Policy will be used to configure NAP client settings in the test lab. To access these settings, the Group Policy Management feature must be installed on a computer running Windows Server 2008.
1. In Server Manager, under Features Summary, click Add Features.
2. Select the Group Policy Management check box, click Next, and then click Install.
3. Verify the installation was successful, and then click Close to close the Add Features Wizard dialog box.
4. Close Server Manager.
Configure NPS as a NAP health policy server
To serve as a NAP health policy server, NPS1 must validate the system health of clients against the configured network health requirements. For this test lab, configuration of NPS as a NAP health policy server is performed using the NAP configuration wizard. The NAP wizard helps you configure each NAP component to work with the NAP enforcement method you choose. These components are displayed in the NPS console tree, and include:
System Health Validators. System health validators (SHVs) define configuration requirements for computers that attempt to connect to your network. For the test lab, WSHV will be configured to require only that Windows Firewall is enabled.
Health Policies. Health policies define which SHVs are evaluated, and how they are used in the validation of the configuration of computers that attempt to connect to your network. Based on the results of SHV checks, health policies classify client health status. The two health policies in this test lab correspond to a compliant health state and a noncompliant health state.
Network Policies. Network policies use conditions, settings, and constraints to determine who can connect to the network. There must be a network policy that will be applied to computers that are compliant with the health requirements, and a network policy that will be applied to computers that are noncompliant. For this test lab, compliant client computers will be allowed unrestricted network access. Clients determined to be noncompliant with health requirements will have their access restricted through DHCP to specify a restricted subnet. Noncompliant clients will also be optionally updated to a compliant state and subsequently granted unrestricted network access.
Connection Request Policies. Connection request policies are conditions and settings that validate requests for network access and govern where this validation is performed. In this test lab, a connection request policy is used that requires DHCP as the network access server for client authentication.
RADIUS Clients and Servers. RADIUS clients are network access servers. If you specify a RADIUS client, then a corresponding RADIUS server entry is required on the RADIUS client device. Remote DHCP servers are configured as RADIUS clients on NPS. A remote DHCP
server is not used in this test lab; therefore, it will not be necessary to configure RADIUS clients and servers.
Remediation Server Groups. Remediation server groups allow you to specify servers that are made available to noncompliant NAP clients so that they can remediate their health state and become compliant with health requirements. If these servers are required, they are automatically available to computers on the restricted access subnet when you add them to remediation server groups. This test lab includes a demonstration of the use of a remediation server group to provide domain services to a client with restricted network access.
Configure NAP with a wizard
The NAP configuration wizard helps you to set up NPS as a NAP health policy server. The wizard provides commonly used settings for each NAP enforcement method, and automatically creates customized NAP policies for use with your network design. You can access the NAP configuration wizard from the NPS console.
To configure NPS using the NAP wizard
1. Click Start, click Run, type nps.msc, and then press ENTER.
2. In the Network Policy Server console tree, click NPS (Local).
3. In the details pane, under Standard Configuration, click Configure NAP. The NAP configuration wizard will start. See the following example.
4. On the Select Network Connection Method for Use with NAP page, under Network connection method, select Dynamic Host Configuration Protocol (DHCP), and then click Next.
5. On the Specify NAP Enforcement Servers Running DHCP page, click Next. Because this NAP health policy server has DHCP installed locally, we do not need to add RADIUS clients.
6. On the Specify DHCP Scopes page, click Next. The test lab will use only one DHCP scope; therefore, no scope conditions are required.
7. On the Configure User Groups and Machine Groups page, click Next. You do not need to configure groups for this test lab.
8. On the Specify a NAP Remediation Server Group and URL, click Next. Remediation servers will be configured later in this test lab.
9. On the Define NAP Health Policy page, verify that Windows Security Health Validator and Enable auto-remediation of client computers check boxes are selected, and then click Next.
10. On the Completing NAP Enforcement Policy and RADIUS Client Configuration page, click Finish.
11. Leave the NPS console open for the following procedure.
Configure SHVs
SHVs define configuration requirements for computers that attempt to connect to your network. For the test lab, the WSHV will be configured to require only that Windows Firewall is enabled. Use one of the following procedures, depending on whether you are running Windows Server 2008 or Windows Server 2008 R2.
To configure SHVs in Windows Server 2008
1. In the Network Policy Server console tree, double-click Network Access Protection, and then click System Health Validators.
2. In the details pane, under Name, double-click Windows Security Health Validator.
3. In the Windows Security Health Validator Properties dialog box, click Configure.
4. Clear all check boxes except A firewall is enabled for all network connections. See the following example.
5. Click OK to close the Windows Security Health Validator dialog box, and then click OK to close the Windows Security Health Validator Properties dialog box.
6. Close the Network Policy Server console.
To configure system health validators in Windows Server 2008 R2
1. In the Network Policy Server console tree, open Network Access Protection/System Health Validators/Windows Security Health Validator/Settings.
2. In the details pane, under Name, double-click Default Configuration.
3. In the Windows Security Health Validator dialog box, in the left pane, select Windows 7/Windows Vista, and then under Choose policy settings for Windows Security Health Validator, clear all the check boxes except for A firewall is enabled for all network connections.
4. Click OK to close the Windows Security Health Validator dialog box, and then close the Network Policy Server console.
Configure DHCP on NPS1
NPS1 is the member server that will provide DHCP addressing. The DHCP service was partially configured during installation with Server Manager. We will configure scope options further for NAP.
Open the DHCP console
To open the DHCP console
1. Click Start, click Run, type dhcpmgmt.msc, and then press ENTER.
2. Leave this window open for all DHCP configuration tasks.
Enable NAP settings for the scope
First, enable the default NAP profile for the NAP scope.
To enable the default NAP profile
1. In the DHCP console, double-click nps1.contoso.com, and then double-click IPv4.
2. Right-click Scope [192.168.0.0] NAP Scope, and then click Properties.
3. On the Network Access Protection tab, under Network Access Protection Settings, choose Enable for this scope, verify that Use default Network Access Protection profile is chosen, and then click OK.
Configure the default user class
Next, configure scope options for the default user class. These server options are used when a compliant client computer attempts to access the network and obtain an IP address from the DHCP server.
To configure default user class scope options
1. In the DHCP console tree, under Scope [192.168.0.0] NAP Scope, right-click Scope Options, and then click Configure Options.
2. On the Advanced tab, verify that Default User Class is chosen next to User class.
3. Select the 006 DNS Servers check box, in IP Address, under Data entry, type 192.168.0.1, and then click Add.
4. Select the 015 DNS Domain Name check box, in String value, under Data entry, type contoso.com, and then click OK. The contoso.com domain is a full-access network assigned to compliant NAP clients.
Note
The 003 Router option is configured in the default user class if a default gateway is required for client computers. Because all computers in the test lab are located on the same subnet, this option is not required.
Configure the default NAP class
Next, configure scope options for the default network access protection class. These server options are used when a noncompliant client computer attempts to access the network and obtain an IP address from the DHCP server.
To configure default NAP class scope options
1. In the DHCP console tree, under Scope [192.168.0.0] NAP Scope, right-click Scope Options, and then click Configure Options.
2. On the Advanced tab, next to User class, choose Default Network Access Protection Class.
3. Select the 006 DNS Servers check box, in IP Address, under Data entry, type 192.168.0.1, and then click Add.
4. Select the 015 DNS Domain Name check box, in String value, under Data entry, type restricted.contoso.com, and then click OK. The restricted.contoso.com domain is a restricted-access network assigned to noncompliant NAP clients.
Note
The 003 Router option is configured in the default NAP class if a default gateway is required for client computers to reach the DHCP server or remediation servers on a different subnet. Because all computers in the test lab are located on the same subnet, this option is not required.
Configure NAP client settings in Group Policy
The following NAP client settings will be configured in a new Group Policy object (GPO) using the Group Policy Management feature on NPS1:
NAP enforcement clients
NAP Agent service
Security Center user interface
After these settings are configured in the GPO, security filters will be added to enforce the settings on computers you specify. The following section describes these steps in detail.
To configure NAP client settings in Group Policy
1. On NPS1, click Start, click Run, type gpme.msc, and then press ENTER.
2. In the Browse for a Group Policy Object dialog box, next to Contoso.com, click the icon to create a new GPO, type NAP client settings for the name of the new GPO, and then click OK.
3. The Group Policy Management Editor window will open. Navigate to Computer Configuration/Policies/Windows Settings/Security Settings/System Services.
4. In the details pane, double-click Network Access Protection Agent.
5. In the Network Access Protection Agent Properties dialog box, select the Define this policy setting check box, choose Automatic, and then click OK.
6. In the console tree, open Network Access Protection\NAP Client Configuration\Enforcement Clients.
7. In the details pane, right-click DHCP Quarantine Enforcement Client, and then click Enable.
8. In the console tree, right-click NAP Client Configuration, and then click Apply.
Note
If you are running Windows Server 2008 R2, you can skip this step.
9. In the console tree, navigate to Computer Configuration\Policies\Administrative Templates\Windows Components\Security Center.
10. In the details pane, double-click Turn on Security Center (Domain PCs only), choose Enabled, and then click OK.
11. Close the Group Policy Management Editor window.
12. If you are prompted to apply settings, click Yes.
Configure security filters for the NAP client settings GPO
Next, configure security filters for the NAP client settings GPO. This prevents NAP client settings from being applied to server computers in the domain.
To configure security filters for the NAP client settings GPO
1. On NPS1, click Start, click Run, type gpmc.msc, and then press ENTER.
2. In the Group Policy Management Console (GPMC) tree, navigate to Forest: Contoso.com\Domains\Contoso.com\Group Policy Objects\NAP client settings.
3. In the details pane, under Security Filtering, click Authenticated Users, and then click Remove.
4. When you are prompted to confirm the removal of delegation privilege, click OK.
5. In the details pane, under Security Filtering, click Add.
6. In the Select User, Computer, or Group dialog box, under Enter the object name to select (examples), type NAP client computers, and then click OK.
7. Close the GPMC.
Note
CLIENT1 will be added to the NAP client computers security group after it is joined to the domain.
Configure CLIENT1
CLIENT1 is a computer running Windows Vista or Windows 7 that you will use to demonstrate how NAP can be used with DHCP to help protect a network from noncompliant client computers. CLIENT1 configuration is performed in the following steps:
Install the operating system.
Configure TCP/IP.
Verify network connectivity.
Join the computer to the domain.
Add CLIENT1 to the NAP client computers security group and restart the computer.
Enable Run on the Start menu.
Verify Group Policy settings.
The following sections explain these steps in detail.
Install Windows Vista on CLIENT1
To install the operating system on CLIENT1
1. Start your computer using the product discs for Windows Vista or Windows 7.
2. When prompted for the installation type, choose Custom Installation.
3. When prompted for a computer name, type CLIENT1.
4. On the Select your computer's current location page, click Work.
5. Follow the rest of the instructions that appear on your screen to finish the installation.
Configure TCP/IP on CLIENT1
To configure TCP/IP on CLIENT1
1. Click Start, click Run, and then type ncpa.cpl.
Important
You must enable the Run command to complete this step. For more information about how to enable the Run command, see To enable Run on the Start menu procedure later in this document.
2. Right-click Local Area Connection, and then click Properties.
3. In the Local Area Connection Properties dialog box, clear the Internet Protocol Version 6 (TCP/IPv6) check box. This will reduce the complexity of the lab, particularly for those who are not familiar with IPv6.
4. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
5. Verify that Obtain an IP address automatically and Obtain DNS server address automatically are selected.
6. Click OK, and then click Close to close the Local Area Connection Properties dialog box.
7. Close the Network Connections and Network and Sharing Center windows.
Test network connectivity for CLIENT1
Because CLIENT1 has not joined the domain, it has not yet received Group Policy settings to start the NAP Agent service. When the NAP Agent service is not running, CLIENT1 is evaluated as non-NAP-capable. By default, the NAP configuration wizard provides restricted access to non-NAP-capable clients. Run the ping command from CLIENT1 to confirm the loss of network communication between CLIENT1 and DC1.
To use the ping command to check network connectivity
1. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
2. In the command window, type ping 192.168.0.1, and then press ENTER.
3. Verify that the response reads "PING: transmit failed."
4. In the command window, type ipconfig, and then press ENTER.
5. In the command output, verify that the value of Connection-specific DNS Suffix is restricted.contoso.com and that the value of Subnet Mask is 255.255.255.255. CLIENT1 is configured with a classless network address, causing its network access to be restricted.
6. In the command window, type route print -4, and then press ENTER.
7. In the command output, below Active Routes, verify that a Network Destination of 192.168.0.1 is not displayed. Because CLIENT1 has a classless network address and no active route to contact DC1, it does not have access to domain services.
8. In the command output, below Active Routes, verify that a Network Destination of 192.168.0.2 is displayed. This is the IP address of NPS1, which serves as the NAP DHCP enforcement server for the test lab. The NAP DHCP enforcement server is automatically available to clients on the restricted network. You do not have to add this server to a remediation server group.
9. Leave the command window open for the following procedure.
Configure DC1 as a remediation server
Next, configure DC1 as a remediation server so that CLIENT1 has access to DNS and Active Directory when it is granted restricted access.
To configure DC1 as a remediation server
1. On NPS1, click Start, click Run, type nps.msc, and then press ENTER.
2. In the Network Policy Server console tree, open Policies, and then click Network Policies.
3. In the details pane, double-click NAP DHCP Non NAP-Capable.
4. On the Settings tab, under Network Access Protection, click NAP Enforcement.
5. Under Remediation Server Group and Troubleshooting URL, click Configure.
6. In the Remediation Servers and Troubleshooting URL dialog box, under Remediation Server Group, click New Group.
7. In the New Remediation Server Group dialog box, under Group Name, type Domain services, and then click Add.
8. In the Add New Server dialog box, under Friendly name, type DC1. Under IP address or DNS name, type 192.168.0.1, and then click OK twice.
9. Verify that the new remediation server group is selected under Remediation Server Group, and then click OK to close the Remediation Servers and Troubleshooting URL dialog box.
10. Click OK to close the NAP DHCP Non NAP-Capable Properties window.
11. In the details pane, double-click NAP DHCP Noncompliant.
12. Click the Settings tab, click NAP Enforcement, and then, under Remediation Server Group and Troubleshooting URL, click Configure. From the list under Remediation Server Group, select Domain services, and then click OK twice. DC1 has now been enabled as a remediation server for non-NAP-capable and noncompliant computers.
13. Leave the Network Policy Server console open for the following procedure.
Renew IP addressing on CLIENT1
Next, obtain a new IP address profile for CLIENT1 from DHCP.
To renew IP addressing on CLIENT1
1. On CLIENT1, in the Administrator: Command Prompt window, type ipconfig /renew, and then press ENTER.
2. In the command window, type ping 192.168.0.1, and then press ENTER.
3. Verify that the response reads "Reply from 192.168.0.1."
4. In the command window, type ipconfig, and then press ENTER.
5. In the command output, verify that the value of Connection-specific DNS Suffix is restricted.contoso.com and that the value of Subnet Mask is 255.255.255.255. Because the NAP Agent service is not running on CLIENT1, restricted access to the network is still enforced.
6. In the command window, type route print -4, and then press ENTER.
7. In the command output, below Active Routes, verify that a Network Destination of 192.168.0.1 is displayed. Because DC1 is a member of the remediation servers group, CLIENT1 has been granted access to domain services on the restricted network.
8. Close the command window.
Join CLIENT1 to the Contoso.com domain
Because CLIENT1 now has access to domain services, it can be joined to the domain.
To join CLIENT1 to the Contoso.com domain
1. Click Start, right-click Computer, and then click Properties.
2. Under Computer name, domain, and workgroup settings, click Change settings.
3. In the System Properties dialog box, click Change.
4. In the Computer Name/Domain Changes dialog box, select Domain, and then type Contoso.com.
5. Click More, and in Primary DNS suffix of this computer, type Contoso.com.
6. Click OK twice.
7. When prompted for a user name and password, type the user name and password for the User1 account, and then click OK.
8. When you see a dialog box that welcomes you to the Contoso.com domain, click OK.
9. When you see a dialog box that tells you that you must restart the computer to apply changes, click OK.
10. In the System Properties dialog box, click Close.
11. In the dialog box that prompts you to restart the computer, click Restart Later.
Note
Before you restart the computer, you must add it to the NAP client computers security group so that CLIENT1 will receive NAP client settings from Group Policy.
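The ipconfig and route print -4 checks made on CLIENT1 in the two connectivity procedures above (before and after DC1 is placed in the Domain services remediation server group) can be scripted. The following Python is an added example, not part of the original guide: it parses constructed sample output, confirms the restricted profile (DNS suffix restricted.contoso.com, mask 255.255.255.255), and resolves which lab servers have an active route. The lease address 192.168.0.3, the route metrics, and all function names are assumptions made for the example.

```python
import ipaddress
import re

# Constructed samples (not captured output): trimmed `ipconfig` and
# `route print -4` text for CLIENT1 on the restricted network. The lease
# 192.168.0.3 and the metrics are assumptions; the guide gives only the scope.
IPCONFIG_RESTRICTED = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : restricted.contoso.com
   IPv4 Address. . . . . . . . . . . : 192.168.0.3
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
"""

ROUTE_HEADER = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
      192.168.0.2  255.255.255.255         On-link       192.168.0.3     11
      192.168.0.3  255.255.255.255         On-link       192.168.0.3    266
"""
DC1_ROUTE = (
    "      192.168.0.1  255.255.255.255         On-link       192.168.0.3     11\n"
)
ROUTE_FOOTER = """\
===========================================================================
Persistent Routes:
  None
"""
# Before DC1 is a remediation server, and after the lease is renewed.
ROUTES_BEFORE = ROUTE_HEADER + ROUTE_FOOTER
ROUTES_AFTER = ROUTE_HEADER + DC1_ROUTE + ROUTE_FOOTER

TARGETS = {"DC1": "192.168.0.1", "NPS1": "192.168.0.2"}


def parse_ipconfig(text):
    """Return {label: value} for the indented 'Label . . . : value' lines."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s+(.+?)[ .]*:\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def parse_active_routes(text):
    """Return (network, metric, interface) tuples from the Active Routes table."""
    routes, in_section = [], False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Active Routes"):
            in_section = True
        elif in_section and s.startswith("==="):
            break  # end of the Active Routes table
        elif in_section:
            parts = s.split()
            # Data rows have exactly five columns; the header row has six words.
            if len(parts) == 5 and parts[4].isdigit():
                try:
                    net = ipaddress.ip_network(parts[0] + "/" + parts[1])
                except ValueError:
                    continue
                routes.append((net, int(parts[4]), parts[3]))
    return routes


def best_route(routes, dest):
    """Longest-prefix match, then lowest metric; None when nothing matches."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[1]))


def assess(ipconfig_text, route_text, targets):
    """Report the restricted profile and which targets have an active route."""
    cfg = parse_ipconfig(ipconfig_text)
    routes = parse_active_routes(route_text)
    restricted = (
        cfg.get("Connection-specific DNS Suffix") == "restricted.contoso.com"
        and cfg.get("Subnet Mask") == "255.255.255.255"
    )
    reachable = {
        name: best_route(routes, ip) is not None for name, ip in targets.items()
    }
    return {"restricted": restricted, "reachable": reachable}


if __name__ == "__main__":
    for label, table in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        print(label, assess(IPCONFIG_RESTRICTED, table, TARGETS))
```

With a /32 mask the client has no on-link subnet route, so every reachable server must appear as its own host route, which is why DC1 shows up only after it joins the remediation server group.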
Add CLIENT1 to the NAP client computers security group
After joining the domain, CLIENT1 must be added to the NAP client computers security group so that it can receive NAP client settings.
To add CLIENT1 to the NAP client computers security group
1. On DC1, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the console tree, click Contoso.com.
3. In the details pane, double-click NAP client computers.
4. In the NAP client computers Properties dialog box, click the Members tab, and then click Add.
5. In the Select Users, Contacts, Computers, or Groups dialog box, click Object Types, select the Computers check box, and then click OK.
6. Under Enter the object names to select (examples), type CLIENT1, and then click OK.
7. Verify that CLIENT1 is displayed below Members, and then click OK.
8. Close the Active Directory Users and Computers console.
9. Restart CLIENT1 to apply the new security group membership.
Enable Run on the Start menu
The run command is useful for several procedures in the test lab. To make it readily available, we will enable Run on the Start menu.
To enable Run on the Start menu
1. After CLIENT1 has been restarted, click Switch User, click Other User and then log on to the CONTOSO domain with the User1 account you created.
2. Right-click Start, and then click Properties.
3. In the Taskbar and Start Menu Properties window, select Start menu, and then click Customize.
4. In the Customize Start Menu window, select the Run command check box, and then click OK twice.
Verify Group Policy settings
After it has been restarted, CLIENT1 will receive Group Policy settings to enable the NAP Agent service and DHCP enforcement client. The command line will be used to verify these settings.
To verify Group Policy settings on CLIENT1
1. Click Start, click Run, type cmd, and then press ENTER.
2. In the command window, type netsh nap client show grouppolicy, and then press ENTER.
3. In the command output, under Enforcement clients, verify that the Admin status of the DHCP Quarantine Enforcement Client is Enabled.
4. In the command window, type netsh nap client show state, and then press ENTER.
5. In the command output, under Enforcement client state, verify that the Initialized status of the DHCP Quarantine Enforcement Client is Yes.
6. Close the command window.
Verifying NAP functionality
The following procedures are used to verify that the NAP infrastructure is functioning correctly:
Verification of NAP auto-remediation. CLIENT1 is automatically remediated when Windows Firewall is turned off, causing Windows Firewall to be turned back on.
Verification of NAP policy enforcement. NAP policy is revised to be more restrictive, causing CLIENT1 to be noncompliant with policy and unable to remediate itself. When CLIENT1 is in a noncompliant state, its network access will be restricted.
Verification of NAP auto-remediation
The NAP DHCP noncompliant network policy specifies that noncompliant computers should be automatically remediated. Use the following procedure to verify that CLIENT1 is automatically remediated to a compliant state when Windows Firewall is turned off.
To verify that CLIENT1 is remediated automatically when Windows Firewall is turned off
1. On CLIENT1, click Start, and then click Control Panel.
2. Click Security, click Security Center, and then click Windows Firewall.
3. In the Windows Firewall dialog box, click Change settings.
4. In the Windows Firewall Settings dialog box, click Off (not recommended), and then click OK.
5. In Windows Security Center, you will see that the status of Windows Firewall is displayed as Off and is then displayed as On.
6. You might see a message in the notification area that indicates the computer does not meet health requirements. This message is displayed because Windows Firewall has been turned off. Click this message for more information about the health status of CLIENT1. See the following example.
7. The NAP client will automatically turn Windows Firewall on to become compliant with network health requirements. The following message will appear in the notification area: This computer meets the requirements of this network. See the following example.
Because auto-remediation occurs rapidly, you might not see one or both of these messages.
Verification of health policy enforcement
Network health policy enforcement will be verified by configuring an additional requirement in network policy that is not met by CLIENT1, and demonstrating that CLIENT1 is subsequently placed on the restricted network.
Configure WSHV to require an antivirus application
Configure NPS1 so that antivirus software is a requirement for system health. Because no antivirus program is installed on CLIENT1 and the NAP client components cannot remediate its health, CLIENT1 will be noncompliant.
To configure the system health validator policy to require antivirus software
1. On NPS1, in the Network Policy Server console, open NPS (Local), then Network Access Protection, then System Health Validators.
2. Under Name, double-click Windows Security Health Validator.
3. In the Windows Security Health Validator Properties dialog box, click Configure.
4. In the Windows Security Health Validator dialog box, under Virus Protection, select the An antivirus application is on check box.
5. Click OK, and then click OK again to close the Windows Security Health Validator Properties window.
Release and renew the IP address on CLIENT1
To reevaluate the health state of CLIENT1 against the new network health requirements, turn Windows Firewall off. CLIENT1 will automatically remediate the Windows Firewall setting, but because an antivirus program is not installed, the health requirement for an antivirus program cannot be met. Therefore, CLIENT1 will remain in a noncompliant state and will obtain an IP address configuration for the restricted network.
To release and then renew the IP address on CLIENT1
1. On CLIENT1, in the Windows Firewall dialog box, click Change settings.
2. In the Windows Firewall Settings dialog box, click Off (not recommended), and then click OK.
3. In Windows Security Center, you will see that Windows Firewall is initially displayed as off, and then displayed as on. Although Windows Firewall is turned on, CLIENT1 cannot install an antivirus application automatically, so it will remain in a noncompliant state and its network access will be restricted.
View the client restriction state
Because the client computer is in a noncompliant state, the DHCP server will assign an IP address to the client computer for the restricted network. You can tell that the client is on the restricted network because the DHCP server assigns a connection-specific DNS suffix of restricted.contoso.com. The following figure shows an example.
You might see a message in the notification area that indicates the computer does not meet the corporate security requirements.
View the client's restriction state with Netsh
You can also check the restriction state of the computer using a NAP Netsh command.
To use a Netsh command to show the NAP client's health state
1. On CLIENT1, at the command prompt, type netsh nap client show state, and then press ENTER.
2. Scroll up the command window to display the Client state section. The Restriction state should be "Restricted."
Allow CLIENT1 to become compliant
Next, configure NPS1 to remove the antivirus health requirement so that CLIENT1 can be compliant. You can use ipconfig to release and renew the IP address on CLIENT1 to generate a new SoH.
To configure NPS1 health requirements to allow CLIENT1 to become compliant
1. On NPS1, open the Network Policy Server console.
2. Double-click Windows Security Health Validator.
3. In the Windows Security Health Validator Properties dialog box, click Configure.
4. In the Windows Security Health Validator dialog box, under Virus Protection, clear the An antivirus application is on check box.
5. Click OK twice to complete configuration of the WSHV.
6. On CLIENT1, type ipconfig /release, and then type ipconfig /renew at the elevated command prompt to obtain a new IP address configuration with unrestricted access.
7. Verify that new IP address configuration is assigned the connection-specific DNS suffix of contoso.com.
See Also
http://go.microsoft.com/fwlink/?LinkId=56443
Appendix
This appendix will help you with troubleshooting techniques and the setting of optional features in Windows Server 2008 or Windows Server 2008 R2 and Windows Vista or Windows 7.
Set UAC behavior of the elevation prompt for administrators
By default, User Account Control (UAC) is enabled in Windows Server 2008 or Windows Server 2008 R2 and Windows Vista or Windows 7. This service will prompt for permission to continue during several of the configuration tasks described in this guide. In all cases, you can click Continue in the UAC dialog box to grant this permission, or you can use the following procedure to change the UAC behavior of the elevation prompt for administrators.
To set UAC behavior of the elevation prompt for administrators
1. Click Start, point to All Programs, click Accessories, and then click Run.
2. Type secpol.msc, and press ENTER.
3. In the User Account Control dialog box, click Continue.
4. In the left pane, double-click Local Policies, and then click Security Options.
5. In the right pane, double-click User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode.
6. From the drop-down list box, choose Elevate without prompting, and then click OK.
7. Close the Local Security Policy window.
Review NAP client events
Reviewing information contained in NAP client events can assist you with troubleshooting. It can also help you to understand NAP client functionality.
To review NAP client events in Event Viewer
1. Click Start, point to All Programs, click Accessories, and then click Run.
2. Type eventvwr.msc, and press ENTER.
3. In the left tree, navigate to Event Viewer(Local)\Applications and Services Logs\Microsoft\Windows\Network Access Protection\Operational.
4. Click an event in the middle pane.
5. By default, the General tab is displayed. Click the Details tab to view additional information.
6. You can also right-click an event and then click Event Properties to open a new window for reviewing events.
Review NAP server events
Reviewing information contained in Windows System events on your NAP servers can assist you with troubleshooting. It can also help you to understand NAP server functionality.
To review NAP server events in Event Viewer
1. Click Start and then click Run.
2. Type eventvwr.msc, and press ENTER.
3. In the left tree, navigate to Event Viewer(Local)\Custom Views\Server Roles\Network Policy and Access Services.
4. Click an event in the middle pane.
5. By default, the General tab is displayed. Click the Details tab to view additional information.
6. You can also right-click an event and then click Event Properties to open a new window for reviewing events.
