
Advanced Server Management

Chapter 7

Implementing Network Access Protection

1
Chapter Overview

• Overview of Network Access Protection
• Overview of NAP Enforcement Processes
• Configuring NAP
• Monitoring and Troubleshooting NAP

2
Lesson 1: Overview of Network Access Protection

• What Is Network Access Protection?
• NAP Scenarios
• NAP Enforcement Methods
• NAP Platform Architecture

3
What Is Network Access Protection?

• NAP can:
  • Enforce health-requirement policies on client computers
  • Ensure client computers are compliant with policies
  • Offer remediation support for computers that do not meet health requirements
• NAP cannot:
  • Prevent authorized users with compliant computers from performing malicious activity on the network
  • Restrict network access for computers that are running Windows versions earlier than Windows XP SP2, when exception rules are configured for those computers

4
NAP Scenarios

NAP helps you to verify the health state of:
• Roaming laptops
• Visiting laptops
• Desktop computers
• Unmanaged home computers

5
NAP Enforcement Methods

Method and key points:

IPsec enforcement for IPsec-protected communications
• Computer must be compliant to communicate with other compliant computers
• This is the strongest NAP enforcement type, and can be applied per IP address or protocol port number

802.1X enforcement for IEEE 802.1X-authenticated wired or wireless connections
• Computer must be compliant to obtain unlimited access through an 802.1X connection (authentication switch or access point)

VPN enforcement for remote access connections
• Computer must be compliant to obtain unlimited access through a Remote Access Service connection

DirectAccess
• Computer must be compliant to obtain unlimited network access
• For noncompliant computers, access is restricted to a defined group of infrastructure servers

DHCP enforcement for DHCP-based address configuration
• Computer must be compliant to receive an unlimited access IPv4 address configuration from DHCP
• This is the weakest form of NAP enforcement

6
NAP Platform Architecture

[Diagram: NAP platform architecture. Components shown: Active Directory, VPN server, IEEE 802.1X devices, Health Registration Authority, NAP Health Policy Server, DHCP server, remediation servers, and a NAP client with limited access, placed across the Internet, the perimeter network, the intranet, and the restricted network.]

7
Lesson 2: Overview of NAP Enforcement Processes

• NAP Enforcement Processes
• IPsec Enforcement
• 802.1X Enforcement
• VPN Enforcement
• DHCP Enforcement

8
NAP Enforcement Processes

[Diagram: NAP enforcement process message flows. The NAP client exchanges System Health Messages over SSL or HTTP with the HRA, DHCP Messages with the DHCP server, PEAP Messages over PPP with the VPN server, and PEAP Messages over EAPOL with the IEEE 802.1X network access devices. RADIUS Messages carry the client's health state from those enforcement points (HRA, DHCP server, VPN server, 802.1X devices) to the NAP Health Policy Server, which sends Health Requirement Queries to the Health Requirement Server. The client obtains System Health Updates from the Remediation Server.]

9
IPsec Enforcement

• Key points of IPsec NAP enforcement include:
  • IPsec NAP enforcement comprises a health certificate server and an IPsec NAP Enforcement Client (EC)
  • The health certificate server issues X.509 certificates to quarantine clients when they are verified as compliant. Certificates are then used to authenticate NAP clients when they initiate IPsec-secured communications with other NAP clients on an intranet
  • IPsec enforcement confines communication on a network to those nodes that are considered compliant
  • You can define requirements for secure communications with compliant clients on a per-IP address or per-TCP/UDP port-number basis

10
802.1X Enforcement

• Key points of 802.1X wired or wireless NAP enforcement:
  • Computer must be compliant to obtain unlimited network access through an 802.1X-authenticated network connection
  • Noncompliant computers are limited through a restricted-access profile that the Ethernet switch or wireless AP places on the connection
  • Restricted-access profiles can specify IP packet filters or a VLAN identifier that corresponds to the restricted network
  • 802.1X enforcement actively monitors the health status of the connected NAP client and applies the restricted-access profile to the connection if the client becomes noncompliant

11
VPN Enforcement

• Key points of VPN NAP enforcement:
  • Computer must be compliant to obtain unlimited network access through a remote access VPN connection
  • Noncompliant computers have network access limited through a set of IP packet filters that the VPN server applies to the VPN connection
  • VPN enforcement actively monitors the health status of the NAP client and then applies the IP packet filters for the restricted network to the VPN connection if the client becomes noncompliant

12
DHCP Enforcement

• Key points of DHCP NAP enforcement:
  • Computers must be compliant to obtain an unlimited access IPv4 address configuration from a DHCP server
  • Noncompliant computers receive an IPv4 address configuration that allows access to the restricted network only
  • DHCP enforcement actively monitors the health status of the NAP client, renewing the IPv4 address configuration for access only to the restricted network if the client becomes noncompliant

13
Lesson 3: Configuring NAP

• What Are System Health Validators?
• What Is a Health Policy?
• What Are Remediation Server Groups?
• NAP Client Configuration
• Demonstration: Configuring NAP

14
What Are System Health Validators?

• System health validators are server software counterparts to system health agents
• Each SHA on the client has a corresponding SHV in NPS
• SHVs allow NPS to verify the statement of health made by its corresponding SHA on the client
• SHVs contain the required configuration settings on client computers
• The Windows Security SHV corresponds to the Microsoft SHA on client computers

15
What Is a Health Policy?

To make use of the Windows Security Health Validator, you must configure a health policy and assign the SHV to it
• Health policies consist of one or more SHVs and other settings, which you can use to define configuration requirements for NAP-capable computers that attempt to connect to your network
• You can define client health policies in NPS by adding one or more SHVs to the health policy
• NAP enforcement is accomplished by NPS on a per-network policy basis
• After you create a health policy by adding one or more SHVs to the policy, you can add the health policy to the network policy and enable NAP enforcement in the policy

16
What Are Remediation Server Groups?

With NAP enforcement in place, you should specify remediation server groups so that clients have access to resources that bring noncompliant NAP-capable clients into compliance
• A remediation server hosts the updates that the NAP agent can use to bring noncompliant client computers into compliance with the health policy that NPS defines
• A remediation server group is a list of servers on the restricted network that noncompliant NAP clients can access for software updates

17
NAP Client Configuration

• Some NAP deployments that use Windows Security Health Validator require that you enable Security Center
• The Network Access Protection service is required when you deploy NAP to NAP-capable client computers
• You must configure the NAP enforcement clients on the NAP-capable computers
• Most NAP client settings can be configured with Group Policy objects

18
Demonstration: Configuring NAP

In this demonstration, you will see how to:

• Install the NPS server role
• Configure NPS as a NAP health policy server
• Configure health policies
• Configure network policies for compliant computers
• Configure network policies for noncompliant computers
• Configure the DHCP server role for NAP
• Configure client NAP settings
• Test NAP

19
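The client side of the demonstration above ("Configure client NAP settings" and "Test NAP"), as an added example that is not part of the original deck: an elevated PowerShell session on a test client that applies the slide 18 requirements locally with netsh and the service cmdlets for a DHCP enforcement deployment. Group Policy is how you would roll these settings out at scale; the local commands are useful on a lab client and for confirming what Group Policy actually applied. The enforcement client ID 79617 is the ID that netsh nap client show config lists for the DHCP Quarantine Enforcement Client; the client is assumed to be a domain-joined Windows 7 machine.

```powershell
# Added example (not from the deck): local NAP client configuration for a
# DHCP enforcement deployment. Run in an elevated PowerShell session.

# 1. The Network Access Protection Agent service (napagent) must be running,
#    otherwise the client never produces a statement of health and the DHCP
#    server treats it as non-NAP-capable or noncompliant, depending on policy.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# 2. Enable the DHCP Quarantine Enforcement Client. 79617 is the ID shown for
#    it by 'netsh nap client show config'; the other enforcement clients
#    (IPsec, 802.1X, VPN) have their own IDs in the same listing.
netsh nap client set enforcement ID=79617 ADMIN=ENABLE

# 3. Windows Security Health Validator deployments need Security Center so the
#    Microsoft SHA can report firewall, antivirus and update state. On a
#    domain-joined client this is normally done with the Group Policy setting
#    "Turn on Security Center (Domain PCs only)"; starting the service locally
#    is the lab equivalent.
Set-Service -Name wscsvc -StartupType Automatic
Start-Service -Name wscsvc

# 4. Verify. 'show config' lists the enforcement clients and whether each is
#    admin-enabled; 'show state' reports whether the client currently
#    considers itself restricted, which SHAs responded, and why a
#    restriction (if any) was applied.
netsh nap client show config
netsh nap client show state

# 5. Test: release and renew the lease so the DHCP server re-evaluates the
#    statement of health, then look at the lease. A noncompliant client gets
#    the restricted-network configuration described on slide 13.
ipconfig /release
ipconfig /renew
ipconfig /all
```

The two netsh show commands are the same ones slide 23 recommends for troubleshooting; running them right after configuration gives you a known-good baseline to compare against later.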
Lesson 4: Monitoring and Troubleshooting NAP

• What Is NAP Tracing?
• Demonstration: Configuring NAP Tracing
• Troubleshooting NAP
• Troubleshooting NAP with Event Logs

20
What Is NAP Tracing?

• NAP tracing identifies NAP events and records them to a log file at one of the following tracing levels:
  • Basic
  • Advanced
  • Debug
• You can use tracing logs to:
  • Evaluate the health and security of your network
  • Troubleshoot and maintain NAP
• NAP tracing is disabled by default, which means that no NAP events are recorded in the trace logs

21
Demonstration: Configuring NAP Tracing

In this demonstration, you will see how to:

• Configure tracing from the GUI
• Configure tracing from the command line

22
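The command-line half of the tracing demonstration, as an added example that is not from the original deck: enable tracing at one of the three levels from slide 21 for the duration of a troubleshooting session, collect the trace files, and disable tracing again. The trace directory %systemroot%\tracing\nap is the default location assumed here.

```powershell
# Added example (not from the deck): NAP client tracing for one
# troubleshooting session. Run in an elevated PowerShell session.

# Enable tracing. Level is basic, advanced or debug (slide 21); advanced is
# usually enough to see which SHA or enforcement client is misbehaving,
# debug is for cases you intend to hand to a vendor.
netsh nap client set tracing state=enable level=advanced

# Reproduce the problem here, e.g. renew the DHCP lease or reconnect the
# VPN, so the failing exchange lands in the trace.
ipconfig /renew

# Collect the newest trace files. The directory is the assumed default
# location for NAP client traces.
$traceDir = Join-Path $env:SystemRoot 'tracing\nap'
Get-ChildItem -Path $traceDir -File |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 5 Name, Length, LastWriteTime

# Disable tracing afterwards. Advanced and debug traces grow quickly and
# record client configuration detail, so they should not be left on.
netsh nap client set tracing state=disable
```

Tracing is disabled by default (slide 21), so the state it is left in after this script matches the default and nothing needs cleaning up on the next client.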
Troubleshooting NAP

You can use the following netsh NAP commands to help you troubleshoot NAP issues:

• netsh NAP client show state
• netsh NAP client show config
• netsh NAP client show group

23
Troubleshooting NAP with Event Logs

Event ID Meaning

6272 Successful authentication has occurred

6273 Successful authentication has not occurred

6274 A configuration problem exists

6276 NAP client quarantined

6277 NAP client is on probation

6278 NAP client granted full access

24
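A server-side counterpart to the event ID table above, as an added example that is not from the original deck: a PowerShell script run on the NPS health policy server that pulls the last 24 hours of these six events from the Security log, counts them per ID using the meanings in the table, and then lists the most recent configuration-problem and quarantine events in full. The mapping table is copied from the slide; the 24-hour window and the choice of IDs 6274 and 6276 for the detailed listing are assumptions for the example.

```powershell
# Added example (not from the deck): triage of NAP/NPS events on the health
# policy server. Run in an elevated PowerShell session on the NPS server;
# the Security log needs administrative rights to read.

# Meanings copied from the slide 24 table.
$NapEventMeaning = @{
    6272 = 'Successful authentication has occurred'
    6273 = 'Successful authentication has not occurred'
    6274 = 'A configuration problem exists'
    6276 = 'NAP client quarantined'
    6277 = 'NAP client is on probation'
    6278 = 'NAP client granted full access'
}

# Last 24 hours (assumed window); widen StartTime when looking at an older
# incident. NPS writes these IDs to the Security log.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = @($NapEventMeaning.Keys)
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

if (-not $events) {
    # Get-WinEvent reports "no events found" as a non-terminating error.
    # The usual cause on a fresh server is that NPS auditing is off.
    Write-Warning 'No NAP events in the window. Check auditing with: auditpol /get /subcategory:"Network Policy Server"'
    return
}

# Counts per event ID, so a spike in 6273 (failed auth), 6274 (config
# problem) or 6276 (quarantine) stands out against the normal 6272/6278 flow.
'Event ID  Count  Meaning'
$events | Group-Object Id | Sort-Object Name | ForEach-Object {
    '{0,-8}  {1,5}  {2}' -f $_.Name, $_.Count, $NapEventMeaning[[int]$_.Name]
}

# Most recent configuration-problem and quarantine events in full. Their
# message text names the client, the SHV result and the matching network
# policy, which is what you need to decide whether the policy or the client
# is at fault.
$events |
    Where-Object { $_.Id -in 6274, 6276 } |
    Select-Object -Property TimeCreated, Id, Message -First 10 |
    Format-List
```

Read the counts first: many 6276 events with few 6278 events usually means the health policy is stricter than the clients' actual state (or remediation is not reachable), while 6274 events point at the NPS configuration itself rather than at any client.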
Thanks!

25
