20411B-ENU-TrainerHandbook.pdf
o To log periodic status, such as interim authentication requests, select Periodic authentication status.
5. To configure the number of concurrent sessions that you want to allow between the NPS server and the SQL Server database, type a number in Maximum number of concurrent sessions.
6. To configure the SQL Server data source, click Configure. The Data Link Properties dialog box opens. On the Connection tab, specify the following:
o To specify the name of the server on which the database is stored, type or select a name in Select or enter a server name.
o To specify the authentication method with which to sign in to the server, click Use Windows NT integrated security, or click Use a specific user name and password, and then type your credentials in User name and Password.
o To allow a blank password, select Blank password.
o To store the password, select Allow saving password. The saved password is persisted with the data link on the NPS server, so protect that server's configuration accordingly; Windows integrated security avoids storing a SQL credential at all.
o To specify the database to connect to on the computer that is running SQL Server, click Select the database on the server, and then select a database name from the list.
7. To test the connection between the NPS server and the computer that is running SQL Server, click Test Connection.
8-24 Installing, Configuring, and Troubleshooting the Network Policy Server Role

Configuring NPS Event Logging
You can configure NPS to log connection-request failure and success events in the Event Viewer system log. To configure NPS event logging by using the Windows interface, perform the following tasks:
1. Open the Network Policy Server (NPS) snap-in.
2. Right-click NPS (Local), and then click Properties.
3. On the General tab, select each of the following options, as required, and then click OK:
o Rejected authentication requests
o Successful authentication requests
Note: To complete this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group.

Using the event logs in Event Viewer, you can monitor NPS errors and other events that you configure NPS to record.
NPS records connection-request failure events in the System and Security event logs by default. Connection-request failure events consist of requests that NPS rejects or discards. Other NPS authentication events are recorded in the Event Viewer system log on the basis of settings that you specify in the NPS snap-in. Therefore, the Event Viewer security log might record some events containing sensitive data.

Connection-Request Failure Events
Although NPS records connection-request failure events by default, you can change the configuration according to your logging needs. NPS rejects or ignores connection requests for a variety of reasons, including the following:
• The RADIUS message is not formatted according to RFCs 2865 or 2866.
• The RADIUS client is unknown.
• The RADIUS client has multiple IP addresses and has sent the request on an address other than the one that you define in NPS.
• The message authenticator (which NPS labels a digital signature; it is an HMAC-MD5 over the request, keyed with the shared secret) that the client sent is invalid, which means the shared secret on the client does not match the one configured for that client in NPS.
• NPS was unable to locate the user name's domain.
• NPS was unable to connect to the user name's domain.
• NPS was unable to access the user account in the domain.
When NPS rejects a connection request, the information in the event text includes the user name, access server identifiers, the authentication type, the name of the matching network policy, the reason for the rejection, and other information.
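The fourth reason above is worth seeing in code. The following example is added here and is not from the handbook: it builds a RADIUS Access-Request, computes the Message-Authenticator attribute (RFC 2869: HMAC-MD5 over the packet, keyed with the shared secret, the value NPS calls the digital signature) the way a RADIUS client does, and then checks it the way the server does, so that both a mistyped shared secret on the VPN server and a packet altered in transit fail verification. The user name, the NAS address and both secrets are assumptions.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1                 # RADIUS Code for Access-Request (RFC 2865)
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80    # RFC 2869 section 5.14: 16-byte HMAC-MD5


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value; Length counts the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code (1) | Identifier (1) | Length (2) | Request Authenticator (16) | attributes."""
    assert len(authenticator) == 16
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def _find_message_authenticator(packet: bytes):
    """Walk the TLVs and return the offset of the Message-Authenticator value, or None."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return None                  # malformed attribute; NPS discards such packets
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            return pos + 2
        pos += length
    return None


def sign_access_request(packet: bytes, secret: bytes) -> bytes:
    """What the RADIUS client (the VPN server) does: append a zeroed Message-Authenticator,
    HMAC-MD5 the whole packet with the shared secret, and write the digest into the attribute."""
    code, identifier = packet[0], packet[1]
    body = packet[4:] + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    unsigned = struct.pack("!BBH", code, identifier, 4 + len(body)) + body
    offset = _find_message_authenticator(unsigned)
    digest = hmac.new(secret, unsigned, hashlib.md5).digest()
    return unsigned[:offset] + digest + unsigned[offset + 16:]


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """What NPS does: zero the attribute, recompute the HMAC with its own copy of the secret,
    and compare in constant time. False is the 'shared secret is invalid' reject (or tampering)."""
    offset = _find_message_authenticator(packet)
    if offset is None:
        return False
    received = packet[offset:offset + 16]
    zeroed = packet[:offset] + bytes(16) + packet[offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def demo() -> dict:
    """Constructed exchange between a VPN server at 10.10.0.1 and NPS; the secrets are assumed values."""
    secret_on_nps = b"Pa$$w0rd"      # shared secret configured for this RADIUS client in NPS
    secret_mistyped = b"Pa$$word"    # what an administrator typed on the VPN server
    attrs = (_attr(ATTR_USER_NAME, b"ADATUM\\Administrator")
             + _attr(ATTR_NAS_IP_ADDRESS, bytes([10, 10, 0, 1])))
    request = build_access_request(7, os.urandom(16), attrs)

    good = sign_access_request(request, secret_on_nps)
    wrong_secret = sign_access_request(request, secret_mistyped)
    tampered = good[:22] + bytes([good[22] ^ 0x01]) + good[23:]   # flip a bit in the User-Name value
    return {
        "matching_secret": verify_message_authenticator(good, secret_on_nps),
        "client_has_wrong_secret": verify_message_authenticator(wrong_secret, secret_on_nps),
        "tampered_in_transit": verify_message_authenticator(tampered, secret_on_nps),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Note that the check only tells NPS that the secrets differ, not which side is wrong; the event text names the RADIUS client, which is where to look first.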

Connection-Request Success Events
Although NPS records connection-request success events by default, you can change the configuration according to your logging needs.
When NPS accepts a connection request, the information in the event text includes the user name, access server identifiers, the authentication type, and the name of the first matching network policy.
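Because accept and reject events carry the user name, the RADIUS client and the reason, they are a ready input for detection. The following example is added here and is not part of the handbook: on Windows Server 2012 the events described above are written to the Security log as audit events 6273 (access denied) and 6272 (access granted). The records below are constructed to follow the layout of that event text; the account names, client address, timestamps, reason text and thresholds are assumptions. The code flags a burst of credential-mismatch rejects relayed by one RADIUS client, and an Access-Accept for an account that was rejected repeatedly just before.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

EVENT_DENIED, EVENT_GRANTED = 6273, 6272   # Security log, Microsoft-Windows-Security-Auditing
REASON_CREDENTIAL_MISMATCH = "16"          # NPS reason code: wrong user name or password

# Labels as they appear, one per line, in the 6272/6273 event text.
FIELDS = ("Account Name", "Client Friendly Name", "Client IP Address",
          "Authentication Type", "Network Policy Name", "Reason Code", "Reason")
FIELD_RE = re.compile(r"^\s*(%s):\s*(.*?)\s*$" % "|".join(map(re.escape, FIELDS)), re.M)


def parse_nps_event(event: dict) -> dict:
    """Extract the named fields from one event's message text (missing fields become '')."""
    found = dict(FIELD_RE.findall(event["message"]))
    parsed = {"id": event["id"], "time": event["time"]}
    parsed.update({name: found.get(name, "") for name in FIELDS})
    return parsed


def find_guessing_bursts(events, window=timedelta(minutes=5), threshold=5):
    """Per RADIUS client: at least `threshold` credential-mismatch rejects inside `window`.
    Rejects for other reasons (policy mismatch, disallowed authentication method) are not guessing."""
    rejects = defaultdict(list)
    for e in map(parse_nps_event, events):
        if e["id"] == EVENT_DENIED and e["Reason Code"] == REASON_CREDENTIAL_MISMATCH:
            rejects[e["Client IP Address"]].append(e)
    findings = []
    for client, evs in rejects.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            burst = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            if len(burst) >= threshold:
                findings.append({"client": client, "start": first["time"], "count": len(burst),
                                 "accounts": sorted({e["Account Name"] for e in burst})})
                break
    return findings


def find_success_after_failures(events, window=timedelta(minutes=10), min_failures=3):
    """An Access-Accept for an account with `min_failures` or more credential rejects in the
    preceding `window`: guessing that eventually worked."""
    parsed = sorted(map(parse_nps_event, events), key=lambda e: e["time"])
    findings = []
    for i, e in enumerate(parsed):
        if e["id"] != EVENT_GRANTED:
            continue
        prior = [p for p in parsed[:i]
                 if p["id"] == EVENT_DENIED and p["Account Name"] == e["Account Name"]
                 and p["Reason Code"] == REASON_CREDENTIAL_MISMATCH
                 and e["time"] - p["time"] <= window]
        if len(prior) >= min_failures:
            findings.append({"account": e["Account Name"], "failures": len(prior),
                             "client": e["Client IP Address"], "policy": e["Network Policy Name"]})
    return findings


def _event(event_id, when, account, client_ip, reason_code="", reason=""):
    """Constructed record in the shape of the real event text (headline, then tab-indented fields)."""
    verb = "denied" if event_id == EVENT_DENIED else "granted"
    lines = [f"Network Policy Server {verb} access to a user.",
             f"\tAccount Name:\t\t\t{account}", "\tClient Friendly Name:\t\tLON-RTR",
             f"\tClient IP Address:\t\t{client_ip}", "\tAuthentication Type:\t\tMS-CHAPv2",
             "\tNetwork Policy Name:\t\tAdatum VPN Policy"]
    if event_id == EVENT_DENIED:
        lines += [f"\tReason Code:\t\t\t{reason_code}", f"\tReason:\t\t\t\t{reason}"]
    return {"id": event_id, "time": when, "message": "\n".join(lines)}


def sample_events():
    """Assumed scenario: the VPN server relays guesses against three accounts, then Administrator succeeds."""
    t0 = datetime(2012, 9, 14, 8, 0, 0)
    mismatch = "Authentication failed due to a user credentials mismatch."
    targets = ["Administrator", "Administrator", "Administrator", "Adam", "Ben"]
    events = [_event(EVENT_DENIED, t0 + timedelta(seconds=20 * i), f"ADATUM\\{u}", "10.10.0.1",
                     REASON_CREDENTIAL_MISMATCH, mismatch) for i, u in enumerate(targets)]
    events.append(_event(EVENT_DENIED, t0 + timedelta(minutes=2), "ADATUM\\Ed", "10.10.0.1", "66",
                         "The user attempted to use an authentication method that is not enabled "
                         "on the matching network policy."))
    events.append(_event(EVENT_GRANTED, t0 + timedelta(minutes=3), "ADATUM\\Administrator", "10.10.0.1"))
    return events


if __name__ == "__main__":
    for finding in find_guessing_bursts(sample_events()) + find_success_after_failures(sample_events()):
        print(finding)
```

With real data, replace sample_events() with records read from the Security log (for example exported with Get-WinEvent) that carry the same id, time and message keys. Rejects for other reason codes, such as a disallowed authentication method, are deliberately not counted as guessing, because they are usually misconfiguration rather than an attacker.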

Logging Schannel Events
Secure channel (Schannel) is a security support provider (SSP) that supports a set of Internet security protocols, such as SSL and TLS. These protocols provide identity authentication and secure, private communication through encryption.
Logging of client-certificate validation failures is a secure channel event and is not enabled on the NPS server by default. You can enable additional secure channel events by changing the following registry key value from 1 (REG_DWORD type, data 0x00000001) to 3 (REG_DWORD type, data 0x00000003):
Administering Windows Server® 2012 8-25

Lab: Installing and Configuring a Network Policy Server

Scenario
A. Datum is a global engineering and manufacturing company with its head office in London, UK. An IT office and data center is located in London, to support the London office and other locations. A. Datum has recently deployed a Windows Server 2012 server and client infrastructure.
A. Datum is expanding its remote-access solution to the entire organization. This will require multiple VPN servers that are located at different points to provide connectivity for its employees. You are responsible for performing the tasks necessary to support these VPN connections.

Objectives
After completing this lab, you will be able to:
• Install and configure NPS to support RADIUS.
• Configure and test a RADIUS client.

Lab Setup
Estimated Time: 60 minutes
Virtual Machines: 20411B-LON-DC1, 20411B-LON-RTR, 20411B-LON-CL2
User Name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V® Manager, click 20411B-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
• User name: Adatum\Administrator
• Password: Pa$$w0rd
5. Perform steps 2 through 4 for 20411B-LON-RTR and 20411B-LON-CL2.

1. Create a RADIUS client by using the following properties:
o Template: LON-RTR
2. Leave the console open, and then switch to LON-RTR.
3. Log on as Adatum\Administrator with the password Pa$$w0rd.
4. Open Routing and Remote Access, and then disable Routing and Remote Access.
5. Select Configure and Enable Routing and Remote Access.
6. Reconfigure LON-RTR as a VPN server:
o Local Area Connection 2 is the public interface.
o The VPN server allocates addresses from the pool 172.16.0.100 to 172.16.0.110.
o The server is configured with the option Yes, set up this server to work with a RADIUS server.
o Primary RADIUS server: LON-DC1
o Secret: Pa$$w0rd
The VPN service starts.

1. Switch to LON-DC1.
2. Switch to the Network Policy Server console.
3. Disable the two existing network policies. These would interfere with the processing of the policy that you are about to create.
4. Create a new network policy by using the following properties:
o Policy name: Adatum VPN Policy
o Type of network access server: Remote Access Server (VPN-Dial up)
o Condition: NAS Port Type = Virtual (VPN)
o Permission: Access granted
o Authentication methods: default
o Constraints: default
o Settings: default

1. Switch to LON-CL2 and sign in as Adatum\Administrator with the password Pa$$w0rd.
2. Create a new VPN connection with the following properties:
o Internet address to connect to: 10.10.0.1
o Destination name: Adatum VPN
o Allow other people to use this connection: true
Module Review and Takeaways

Review Questions
Question: How can you make the most effective use of the NPS logging features?
Question: What consideration must you follow if you choose to use a nonstandard port assignment for RADIUS traffic?
Question: Why must you register the NPS server in Active Directory?

Tools
Tool: Network Policy Server
Use for: Managing and creating network policy
Where to find it: Network Policy Server on the Administrative Tools menu

Tool: Netsh command-line tool
Use for: Creating administrative scripts for configuring and managing the Network Policy Server role
Where to find it: In a Command Prompt window, type netsh -c nps to administer NPS from a command prompt

Tool: Event Viewer
Use for: Viewing logged information from application, system, and security events
Where to find it: Event Viewer on the Administrative Tools menu
MCT USE ONLY. STUDENT USE PROHIBITED

Module 9
Implementing Network Access Protection

Contents:
Module Overview 9-1
Lesson 1: Overview of Network Access Protection 9-2
Lesson 2: Overview of NAP Enforcement Processes 9-7
Lesson 3: Configuring NAP 9-14
Lesson 4: Monitoring and Troubleshooting NAP 9-19
Lab: Implementing NAP 9-23
Module Review and Takeaways 9-29

Module Overview
Your network is only as secure as the least-secure computer attached to it. Many programs and tools exist to help you to secure your network-attached computers, such as antivirus or malware detection software. However, if the software on some of your computers is not up to date, or not enabled or configured correctly, then these computers continue to pose a security risk.
Computers that remain within the office environment and always connect to the same network are relatively easy to keep configured and updated. Computers that connect to different networks, especially unmanaged networks, are less easy to control. For example, it is difficult to control laptop computers that users use to connect to customer networks or public Wi-Fi hotspots. Furthermore, unmanaged computers that are seeking to connect remotely to your network, such as users connecting from their home computers, also pose a challenge.
Network Access Protection (NAP) enables you to create customized health-requirement policies to validate computer health before allowing access or communication. Additionally, NAP updates compliant computers automatically to ensure their ongoing compliance, and can limit the access of noncompliant computers to a restricted network until they become compliant.

Objectives
After completing this module, you will be able to:
• Describe how NAP can help protect your network.
• Describe the various NAP enforcement processes.
• Configure NAP.
• Monitor and troubleshoot NAP.