20411B-ENU-TrainerHandbook
.pdf
Administering Windows Server® 2012 9-3
How to Use NAP
You can use NAP in three distinct ways: |
MCT |
|
• To validate the health state. When a computer attempts to connect to the network, NAP validates
the computer’s health state against the health-requirement policies that the administrator defines. |
|
You also can define what to do if a computer is not compliant. In a monitoring-only environment, all |
|
|
USE |
computers have their health state evaluated, and NAP logs the compliance state of each computer for analysis. In a limited access environment, computers that comply with the health-requirement policies have unlimited network access. Computers that do not comply with health-requirement policies could find their access limited to a restricted network.
• To enforce health-policy compliance. You can help ensure compliance with health-requirement
policies by choosing to update noncompliant computers automatically with missing software ONLY updates or configuration changes through management software, such as Microsoft® System Center Configuration Manager. In a monitoring-only environment, NAP will ensure that computers update
their network access before they receive required updates or configuration changes. In a limited
access environment, noncompliant computers have limited access until the updates and configuration . changes are complete. In both environments, computers that are compatible with NAP can become
• To limit network access. You can protect your networks by limiting the access of noncompliant
compliant automatically and you can define exceptions for computers that are not NAP compatible.STUDENT USE
computers. You can base limited network access on a specific amount of time, or on what resources that the noncompliant computer can access. In the latter case, you define a restricted network that contains health update resources, and the limited access will last until the noncompliant computer comes into compliance. You also can configure exceptions so that computers that are not compatible with NAP do not have limited network access.
Roaming Laptops
Portability and flexibility are two primary advantages of a laptop, but these features also present a system health threat. Users frequently connect their laptops to other networks. While
exposure to unprotected networks, such as the Internet, could introduce security-related threats to the laptops. NAP allows you to check any laptop’s health state when it reconnects to the organization’s
network, whether through a virtual private network (VPN), a Windows 8 DirectAccess connection, or the workplace network connection.
users are away from your organization, their |
PROHIBITED |
laptops might not receive the most recent software updates or configuration changes. Additionally, |
|
|
9-4 Implementing Network Access Protection
Desktop Computers
Although users typically do not take their desktop computers out of your company’s buildings, they still |
MCT |
|
can present a threat to your network. To minimize this threat, you must maintain these computers with |
||
USE |
||
the most recent updates and required software. Otherwise, these computers are at risk of infection from |
||
websites, email, files from shared folders, and other publicly accessible resources. You can use NAP to |
||
automate health state checks to verify each desktop computer’s compliance with health-requirement |
||
policies. You can check log files to determine which computers do not comply. Additionally, by using |
||
management software, you can generate automatic reports and automatically update noncompliant |
||
computers. When you change health-requirement policies, you can configure NAP to provision |
|
|
computers automatically with the most recent updates. |
|
Visiting Laptops
Organizations frequently need to allow consultants, business partners, and guests to connect to their |
|
|
private networks. The laptops that these visitors bring into your organization might not meet system |
|
|
health requirements and can present health risks. NAP enables you to determine which visiting laptops |
|
|
are noncompliant and limit their access to restricted networks. Typically, you would not require or provideONLY |
||
any updates or configuration changes for visiting laptops. You can configure Internet access for visiting |
. |
|
USESTUDENT |
||
laptops, but not for other organizational computers that have limited access. |
||
|
||
Unmanaged home computers that are not a member of the company’s Active Directory® domain can connect to a managed company network through VPN. Unmanaged home computers provide an
additional challenge because you cannot physically access these computers. Lack of physical access makes enforcing compliance with health requirements, such as the use of antivirus software, more difficult. However, NAP enables you to verify the health state of a home computer every time it makes a VPN connection to the company network, and to limit its access to a restricted network until it meets system health requirements.
• |
IPsec-protected traffic. Internet Protocol |
|
PROHIBITED |
|
|
||
|
security (IPsec) enforcement confines |
|
|
|
communication to compliant computers after |
|
|
|
|
|
|
|
they connect successfully and obtain a valid IP address configuration. IPsec enforcement is the |
|
|
|
strongest form of limited network access or communication in NAP. |
|
|
• Institute of Electrical and Electronics Engineers (IEEE) 802.1X–authenticated network connections. IEEE 802.1X enforcement requires that a computer is compliant to obtain unlimited network access through an IEEE 802.1X–authenticated network connection. Examples of this type of network connection include an authenticating Ethernet switch or an IEEE 802.11 wireless access point (AP).
Administering Windows Server® 2012 9-5
• Remote access VPN connections. VPN enforcement requires that a computer is compliant to obtain |
MCT |
|
unlimited network access through a remote access VPN connection. For noncompliant computers, |
||
network access is limited through a set of IP packet filters that the VPN server applies to the VPN |
||
USE |
||
connection. |
||
• DirectAccess connections. DirectAccess connections require that a computer is compliant to obtain |
||
|
||
unlimited network access through a DirectAccess server. For noncompliant computers, network access |
||
is limited to the set of computers that are defined as infrastructure servers by using the infrastructure |
||
tunnel. Compliant computers can create the separate intranet tunnel that provides unlimited access |
||
to intranet resources. DirectAccess connections use IPsec enforcement. |
|
|
• Dynamic Host Configuration Protocol (DHCP) address configurations. DHCP enforcement requires that a computer is compliant to obtain an unlimited access Internet Protocol version 4 (IPv4) address configuration from a DHCP server. For noncompliant computers, network access is restricted with an
IPv4 address configuration that limits access to the restricted network. |
ONLY |
|||
|
|
|
||
These network access or communication methods, or NAP enforcement methods, are useful separately or |
||||
together for limiting noncompliant computer access or communication. A server that is running Network |
||||
|
|
|
. |
|
Policy Server (NPS) in Windows Server 2012 acts as a health policy server for all of these NAP enforcement |
||||
methods. |
|
|
|
|
NAP Platform Architecture |
|
|
||
The following table describes the components of a |
|
|
|
|
|
USESTUDENT |
|||
NAP-enabled network infrastructure. |
|
|||
|
|
|
||
|
|
|
|
|
Components |
Description |
|
|
|
|
|
|||
|
|
|
|
|
NAP clients |
These computers support the NAP platform for communication and for |
|
|
|
|
validation prior to network access of a system’s health. |
|
|
|
|
|
|
|
|
NAP enforcement |
• These are computers or network-access devices that use NAP or that you |
|
|
|
points |
can use with NAP to require evaluation of a NAP client’s health state, and |
|
|
|
|
then provide restricted network access or communication. NAP |
|
|
|
|
enforcement points use a NPS that is acting as a NAP health policy server to |
|
||
|
evaluate the health state of NAP clients, whether to allow network access or |
|
||
|
communication, and the set of remediation actions that a noncompliant |
PROHIBITED |
||
|
NAP client must perform. |
|||
|
|
|
||
|
• NAP enforcement points include the following: |
|
|
|
|
o Health Registration Authority (HRA). A computer that runs Windows |
|
|
|
|
Server 2012 and Internet Information Services (IIS), and that obtains |
|
|
|
|
health certificates from a certification authority (CA) for compliant |
|
|
|
|
computers. |
|
|
|
|
|
|
|
|
|
|
Administering Windows Server® 2012 |
MCT |
||
|
|
9-7 |
|
||
Lesson 2 |
|
|
|||
Overview of NAP Enforcement Processes |
USE |
||||
When a client attempts to access or communicate on the network, it must present its system health |
|||||
|
|
||||
state or proof-of-health compliance. If a client cannot prove that it is compliant with system-health |
|
|
|||
requirements, such as that it has the latest operating system and antivirus updates installed, then you |
|
|
|||
can limit its access to, or communication on, the network to a restricted network that contains server |
|
|
|||
resources. You can restrict this access until you remedy the health-compliance issues. After the updates |
|
|
|||
install, the client requests access to the network or attempts the communication again. If compliant, the |
|||||
client receives unlimited access to the network or the communication is allowed. |
.ONLY |
||||
|
|
||||
Lesson Objectives |
|
|
|||
After completing this lesson, you will be able to: |
|
|
|||
• Describe the general NAP enforcement processes. |
|
|
|||
• |
Discuss IPsec enforcement. |
|
|
||
• |
Describe 802.1x enforcement. |
STUDENT |
|||
• |
|
|
|||
• |
|
|
|||
• |
Between a NAP client and a HRA |
|
|||
|
|||||
|
USE |
||||
|
The NAP client sends its current system |
|
|||
|
health state to the HRA and requests a health |
|
|||
|
certificate. If the client is compliant, the HRA |
|
|||
|
sends a health certificate to the NAP client. If |
|
|||
|
the client is noncompliant, the HRA sends |
|
|||
|
remediation instructions to the client. |
|
|
|
|
|
|
|
|
||
• Between a NAP client and a remediation server |
|
|
|||
|
Although the NAP client has unlimited intranet access, it accesses the remediation server to ensure |
|
|
||
|
that it remains compliant. If the NAP client has limited access, it communicates with the remediation |
||||
|
server to become compliant, based on instructions from the NAP health policy server. |
PROHIBITED |
|||
• Between an HRA and a NAP health policy server |
|||||
|
The HRA sends RADIUS messages to the NAP health policy server that contains the NAP client’s |
||||
|
system health state. The NAP health policy server sends RADIUS messages to indicate that the NAP |
||||
|
client has: |
||||
|
o Unlimited access because it is compliant. Based on this response, the HRA obtains a health |
||||
|
certificate, and then sends it to the NAP client. |
||||
|
o Limited access until it performs a set of remediation functions. Based on this response, the HRA |
||||
|
does not issue a health certificate to the NAP client. |
||||
|
|
|
|||
•Between a NAP client and a DHCP server MCT
The NAP client, also the DHCP client, communicates with the DHCP server to obtain a valid IPv4
address configuration and to indicate its current system health state.
The DHCP server allocates an IPv4 address configuration for the restricted network, and then providesUSE remediation instructions (if the DHCP client is noncompliant), or it allocates an IPv4 address
configuration for unlimited access (if the DHCP client is compliant).
.ONLY
•IP address
•Transmission Control Protocol (TCP) port number
•User Datagram Protocol (UDP) port number
IPsec enforcement restricts communication to compliant computers after they have connected successfully and obtained a valid IP address configuration. IPsec enforcement is the strongest form of limited network access or communication in NAP.
The components of IPsec enforcement consist of an HRA that is running Windows Server 2012 and an |
STUDENT |
|
IPsec enforcement client in one of the following operating systems: |
||
|
|
|
• Windows XP Service Pack 3 |
USE |
|
• |
Windows Vista |
|
• |
Windows 7 |
|
• |
Windows 8 |
|
• |
Windows Server 2008 |
|
• Windows Server 2008 R2 |
|
|
• |
Windows Server 2012 |
|
The HRA obtains X.509 certificates for NAP clients when the clients prove that they are compliant. These health certificates then authenticate NAP clients when they initiate IPsec-protected communications with other NAP clients on an intranet.
IPsec enforcement limits communication for IPsec-protected NAP clients by dropping incoming communication attempts sent from computers that cannot negotiate IPsec protection by using health certificates. Unlike 802.1X and VPN enforcement, in which enforcement occurs at the network entry point, each individual computer performs IPsec enforcement. Because you can take advantage of IPsec policy settings, the enforcement of health certificates can be done for any of the following:
PROHIBITED
•All computers in a domain
•Specific computers on a subnet
9-10 Implementing Network Access Protection
• |
A specific computer |
MCT |
|||
• |
A specific set of TCP or UDP ports |
||||
• A set of TCP or UDP ports on a specific computer |
USE |
||||
Considerations for IPsec enforcement |
|||||
When selecting an IPsec NAP enforcement method, consider the following points: |
|||||
• |
IPsec enforcement is more complex to implement than other enforcement methods, because it |
||||
|
requires an HRA and a CA. |
.ONLY |
|||
• No additional hardware is required to implement IPsec enforcement. There is no need to upgrade |
|||||
|
switches or Wireless Application Protocols (WAPs), which you would have to do if you select 802.1X |
||||
|
enforcement. |
||||
• You can implement IPsec enforcement in any environment. |
|||||
• IPsec enforcement is very secure and difficult to circumvent. |
|||||
• |
You can configure IPsec to encrypt communication for additional security. |
||||
|
STUDENT |
||||
• IPsec enforcement is applied to IPv4 and IPv6 communication. |
|
||||
802.1x Enforcement |
|
||||
With 802.1X enforcement, a computer must |
|
|
|||
|
|
||||
be compliant to obtain unlimited network |
|
|
|||
access through an 802.1X-authenticated network |
|
|
|||
connection, such as to an authenticating Ethernet |
|
|
|||
switch or an IEEE 802.11 wireless AP. |
|
|
|||
For noncompliant computers, network access is |
|
|
|||
limited through a restricted access profile that |
|
|
|||
|
|
USE |
|||
the Ethernet switch or wireless AP places on the |
|
|
|||
connection. The restricted access profile can |
|
|
|||
specify either IP packet filters, or a virtual local area |
|
|
|||
network (VLAN) identifier (ID) that corresponds to |
|
|
|||
the restricted network. 802.1X enforcement imposes |
|
||||
health policy requirements every time a computer attempts an 802.1X-authenticated network connection. |
|||||
802.1X enforcement also monitors the health status of the connected NAP client actively, and then applies |
|||||
the restricted access profile to the connection if the client becomes noncompliant. |
PROHIBITED |
||||
The components of 802.1X enforcement consist of NPS in Windows Server 2012 and an EAP Host |
|||||
enforcement client in Windows 8, Windows 7, Windows Vista, Windows XP Service Pack 3, Windows |
|||||
Server 2008, Windows Server 2008 R2, and Windows Server 2012. 802.1X enforcement provides strong |
|||||
limited network access for all computers that access the network through an 802.1X-authenticated |
|||||
connection. |
|||||
To implement 802.1X enforcement, you must ensure that the network switches or wireless APs support |
|||||
802.1X authentication. The switches or wireless APs then act as an enforcement point for NAP clients. The |
|||||
health status of the client is sent as part of the authentication process. |
|||||
When a computer is noncompliant, the switch places the computer on a separate VLAN or uses packet |
|||||
filters to restrict access to only remediation servers. |
|||||
|
|
|
|||
|
|
Administering Windows Server® 2012 |
MCT |
||
|
|
9-11 |
|
||
Considerations for 802.1X enforcement |
|
|
|||
When considering the 802.1X NAP enforcement method, consider the following points: |
|
|
|||
• The switch or wireless AP that connects with the client enforces noncompliant computer isolation. |
USE |
||||
|
This makes it very difficult to circumvent, and therefore very secure. |
||||
|
|
|
|||
• Use 802.1X enforcement for internal computers. This type of enforcement is appropriate for local area |
|||||
|
network (LAN) computers with both wired and wireless connections. |
|
|
||
• You cannot use 802.1X enforcement if your switches and wireless APs do not support the use of |
.ONLY |
||||
|
802.1X for authentication. |
||||
VPN Enforcement |
|||||
|
|
||||
VPN enforcement imposes health-policy |
|
|
|
||
|
|
|
|||
requirements every time that a computer |
|
|
|
||
attempts to obtain a remote access VPN |
|
STUDENT |
|||
connection to the network. VPN enforcement |
|
||||
also actively monitors the health status of the |
|
||||
|
|
|
|||
NAP client, and applies the restricted network’s |
|
|
|
||
IP packet filters to the VPN connection if the client |
|
|
|
||
becomes noncompliant. |
|
|
|
||
The components of a VPN enforcement consist |
|
|
|
||
of NPS in Windows Server 2012 and a VPN |
|
|
|
||
enforcement client that is part of the remote |
|
|
|
||
access client in: |
|
|
|||
• |
Windows 8 |
|
|
||
• |
Windows 7 |
|
|
||
• |
Windows Vista |
USE |
|||
• |
Windows XP SP3 |
||||
|
|
||||
• |
Windows Server 2008 |
|
|
||
• Windows Server 2008 R2 |
|
|
|||
• |
Windows Server 2012 |
|
|
||
•VPN enforcement is best suited in situations in which you are using VPN already. It is unlikely that PROHIBITED you will implement VPN connections on an internal network to use VPN enforcement.
•Use VPN enforcement to ensure that staff members connecting from home computers are not introducing malware to your network. Users often do not maintain their home computers correctly,
and they can represent a high risk. Many users do not have antivirus software, or do not apply Windows updates regularly.appliestothroughVPNpackets
9-12 Implementing Network Access Protection
• Use VPN enforcement to ensure that roaming laptops are not introducing malware to your network. |
|
|
|||
|
Roaming laptops are more susceptible to malware than computers directly on the corporate network, |
||||
|
because they may be unable to download virus updates and Windows updates from outside the |
MCT |
|||
|
USE |
||||
|
corporate network. They also are more likely to be in environments where malware is present. |
||||
DHCP Enforcement |
|||||
|
|
|
|||
DHCP enforces health-policy requirements |
|
|
.ONLY |
||
|
|
||||
every time that a DHCP client attempts to lease |
|
|
|||
or renew an IP address configuration. DHCP |
|
|
|||
enforcement also actively monitors the NAP |
|
|
|||
client’s health status and, if the client becomes |
|
|
|||
noncompliant, renews the IPv4 address |
|
|
|||
configuration for access only to the restricted |
|
|
|||
network. |
|
|
|||
|
|
|
|
||
The components of DHCP enforcement consist |
|
|
|
||
of a DHCP Enforcement service that is part of the |
|
|
|
||
DHCP Server service in Windows Server 2012 and |
|
|
|
||
a DHCP enforcement client that is part of the |
|
|
|||
DHCP Client service in: |
STUDENT |
||||
• |
Windows 8 |
||||
• |
Windows 7 |
||||
• |
Windows Vista |
||||
• |
Windows XP SP3 |
||||
• |
Windows Server 2008 |
||||
• |
Windows Server 2008 R2 |
||||
USE |
|||||
• |
Windows Server 2012 |
||||
Because DHCP enforcement relies on a limited IPv4 address configuration that a user who has |
|||||
|
|
||||
administrator-level access can override, it is the weakest form of limited network access in NAP. |
|
|
|||
DHCP address configuration limits network access for the DHCP client through its IPv4 routing table. |
|
DHCP enforcement sets the DHCP Router option value to 0.0.0.0, so the noncompliant computer does not |
|
have a configured default gateway. DHCP enforcement also sets the subnet mask for the allocated IPv4 |
PROHIBITED |
|
|
address to 255.255.255.255 so that there is no route to the attached subnet.