07_NAP

Jun 04, 2018

mystic_guy

Transcript
  • 8/13/2019 07_NAP

    1/29

    www.technocorp.co.in

    Implementing Network Access Protection

  • Module 7: Implementing Network Access Protection

  • Module Overview

    Overview of Network Access Protection

    How NAP Works

    Configuring NAP

    Monitoring and Troubleshooting NAP

  • Lesson 1: Overview of Network Access Protection

    What Is Network Access Protection?

    NAP Scenarios

    NAP Enforcement Methods

    NAP Platform Architecture

  • What Is Network Access Protection?

    Network Access Protection can:

    Enforce health-requirement policies on client computers

    Ensure client computers are compliant with policies

    Offer remediation support for computers that do not meet health requirements

    Network Access Protection cannot:

    Enforce health requirement policies on client computers

    Ensure client computers are compliant with policies

  • NAP Scenarios

    NAP helps you verify the health state of:

    Roaming laptops

    Desktop computers

    Visiting laptops

    Unmanaged home computers

  • NAP Enforcement Methods

    Method: IPsec enforcement for IPsec-protected communications
    Key points: Computer must be compliant to communicate with other compliant computers. The strongest NAP enforcement type, and can be applied per IP address or protocol port number.

    Method: 802.1X enforcement for IEEE 802.1X-authenticated wired or wireless connections
    Key points: Computer must be compliant to obtain unlimited access through an 802.1X connection (authentication switch or access point).

    Method: VPN enforcement for remote access connections
    Key points: Computer must be compliant to obtain unlimited access through a RAS connection.

    Method: DirectAccess
    Key points: Computer must be compliant to obtain unlimited network access. For noncompliant computers, access is restricted to a defined group of infrastructure servers.

    Method: DHCP enforcement for DHCP-based address configuration
    Key points: Computer must be compliant to receive an unlimited-access IPv4 address configuration from DHCP. This is the weakest form of NAP enforcement.

  • NAP Platform Architecture

    [Diagram: NAP platform architecture. Components shown: Intranet, Remediation Servers, Internet, NAP Health Policy Server, DHCP Server, Health Registration Authority, IEEE 802.1X Devices, Active Directory, VPN Server, Restricted Network, NAP Client with limited access, Perimeter Network]

  • Lesson 2: How NAP Works

    NAP Enforcement Processes

    IPsec Enforcement

    802.1X Enforcement

    VPN Enforcement

    DHCP Enforcement

  • NAP Enforcement Processes

    [Diagram: NAP enforcement processes. Components shown: HRA, VPN Server, DHCP Server, IEEE 802.1X Network Access Devices, Health Requirement Server, Remediation Server, NAP Client, NAP Health Policy Server. Flows shown: RADIUS Messages, System Health Updates, System Health Requirement Queries]

  • IPsec Enforcement

    [Diagram: NAP platform architecture, same components as the NAP Platform Architecture slide]

    Key Points of IPsec NAP Enforcement:

    Comprised of a health certificate server and an IPsec NAP EC

    Health certificate server issues X.509 certificates to quarantine clients when they are verified as compliant

    Certificates are then used to authenticate NAP clients when they initiate IPsec-secured communications with other NAP clients on an intranet

    IPsec Enforcement confines the communication on a network to those nodes that are considered compliant

    You can define requirements for secure communications with compliant clients on a per-IP address or a per-TCP/UDP port number basis

  • 802.1X Enforcement

    [Diagram: NAP platform architecture, same components as the NAP Platform Architecture slide]

    Key Points of 802.1X Wired or Wireless NAP Enforcement:

    Computer must be compliant to obtain unlimited network access through an 802.1X-authenticated network connection

    Noncompliant computers are limited through a restricted-access profile that the Ethernet switch or wireless AP places on the connection

    Restricted access profiles can specify IP packet filters or a virtual LAN (VLAN) identifier (ID) that corresponds to the restricted network

    802.1X enforcement actively monitors the health status of the connected NAP client and applies the restricted access profile to the connection if the client becomes noncompliant

  • VPN Enforcement

    [Diagram: NAP platform architecture, same components as the NAP Platform Architecture slide]

    Key Points of VPN NAP Enforcement:

    Computer must be compliant to obtain unlimited network access through a remote access VPN connection

    Noncompliant computers have network access limited through a set of IP packet filters that are applied to the VPN connection by the VPN server

    VPN enforcement actively monitors the health status of the NAP client and applies the IP packet filters for the restricted network to the VPN connection if the client becomes noncompliant

  • DHCP Enforcement

    [Diagram: NAP platform architecture, same components as the NAP Platform Architecture slide]

    Key Points of DHCP NAP Enforcement:

    Computer must be compliant to obtain an unlimited access IPv4 address configuration from a DHCP server

    Noncompliant computers receive an IPv4 address configuration that allows access to the restricted network only

    DHCP enforcement actively monitors the health status of the NAP client, renewing the IPv4 address configuration for access only to the restricted network if the client becomes noncompliant


  • What Are System Health Validators?

    System Health Validators are server software counterparts to system health agents

    Each SHA on the client has a corresponding SHV in NPS

    SHVs allow NPS to verify the statement of health made by its corresponding SHA on the client

    SHVs contain the required configuration settings for client computers

    The Windows Security SHV corresponds to the Microsoft SHA on client computers

  • What Is a Health Policy?

    To make use of the Windows Security Health Validator, you must configure a health policy and assign the SHV to it

    Health policies consist of one or more SHVs and other settings that allow you to define client computer configuration requirements for NAP-capable computers that attempt to connect to your network

    You can define client health policies in NPS by adding one or more SHVs to the health policy

    NAP enforcement is accomplished by NPS on a per-network-policy basis

    After you create a health policy by adding one or more SHVs to the policy, you can add the health policy to the network policy and enable NAP enforcement in the policy

  • What Are Remediation Server Groups?

    With NAP enforcement in place, you should specify remediation server groups so that clients have access to resources that bring noncompliant NAP-capable clients into compliance

    A remediation server hosts the updates that the NAP agent can use to bring noncompliant client computers into compliance with the health policy that NPS defines

    A remediation server group is a list of servers on the restricted network that noncompliant NAP clients can access for software updates
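The relationships on the last three slides (an SHA reporting to its SHV, SHVs grouped into a health policy, and a health policy selecting a network policy that grants full access or restricted access plus a remediation server group) as a small Python model. This is an added example written for this transcript, not NPS code or the course's own material: the class and function names, the two match modes as spelled here (`passes_all` and `fails_one_or_more`, modelled on the "passes all SHV checks" and "fails one or more SHV checks" conditions a health policy can use), the constructed statements of health, and the remediation server hostname are all this example's assumptions. The check names are this example's spelling of the categories the Windows Security Health Validator evaluates (firewall, antivirus, antispyware, automatic updates).

```python
# Added illustration of how NPS evaluates a health policy against a client's
# statement of health (SoH); a model written for this transcript, not NPS code.
# Names (HealthPolicy, NetworkPolicy, evaluate), the mode strings, the check
# names and the remediation hostname are this example's own assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Categories the Windows Security SHV evaluates; snake_case names are ours.
WINDOWS_SECURITY_SHV: Set[str] = {
    "firewall_enabled",
    "antivirus_on",
    "antivirus_up_to_date",
    "antispyware_on",
    "automatic_updates_enabled",
}


@dataclass
class HealthPolicy:
    """One or more SHVs plus the match mode NPS applies to their results."""
    name: str
    shvs: Dict[str, Set[str]]          # SHV name -> checks that SHV requires
    mode: str = "passes_all"           # or "fails_one_or_more"


@dataclass
class NetworkPolicy:
    """Maps a health policy match to an access level and remediation group."""
    name: str
    health_policy: str
    access: str                        # "full" or "restricted"
    remediation_servers: List[str] = field(default_factory=list)


def failed_checks(required: Set[str], soh: Dict[str, bool]) -> List[str]:
    """Checks in `required` that the SoH does not satisfy. A check the SHA did
    not report at all is treated as failed (fail closed, not open)."""
    return sorted(c for c in required if not soh.get(c, False))


def health_policy_matches(policy: HealthPolicy, soh: Dict[str, bool]):
    """Return (matched, per-SHV failure lists) according to the policy's mode."""
    failures = {n: failed_checks(req, soh) for n, req in policy.shvs.items()}
    any_failed = any(failures.values())
    if policy.mode == "passes_all":
        return (not any_failed), failures
    if policy.mode == "fails_one_or_more":
        return any_failed, failures
    raise ValueError(f"unknown health policy mode {policy.mode!r}")


def evaluate(network_policies: List[NetworkPolicy],
             health_policies: Dict[str, HealthPolicy],
             soh: Dict[str, bool]) -> Dict[str, object]:
    """Walk network policies in processing order; the first one whose health
    policy matches decides access. Failed checks are returned so the client's
    remediation can target exactly what is wrong."""
    for np in network_policies:
        matched, failures = health_policy_matches(
            health_policies[np.health_policy], soh)
        if matched:
            failed = sorted({c for f in failures.values() for c in f})
            return {
                "policy": np.name,
                "access": np.access,
                "failed_checks": failed,
                "remediation_servers": list(np.remediation_servers),
            }
    # Nothing matched: restrict, with no remediation group to offer.
    return {"policy": None, "access": "restricted",
            "failed_checks": [], "remediation_servers": []}


# Constructed policies mirroring the demonstration steps on the next slides:
# one network policy for compliant computers, one for noncompliant ones.
HEALTH_POLICIES = {
    "Compliant": HealthPolicy("Compliant", {"WSHV": WINDOWS_SECURITY_SHV},
                              "passes_all"),
    "Noncompliant": HealthPolicy("Noncompliant", {"WSHV": WINDOWS_SECURITY_SHV},
                                 "fails_one_or_more"),
}
NETWORK_POLICIES = [
    NetworkPolicy("NAP Compliant - Full Access", "Compliant", "full"),
    NetworkPolicy("NAP Noncompliant - Restricted", "Noncompliant", "restricted",
                  ["remediation1.contoso.example"]),  # constructed hostname
]

# Constructed statements of health from two clients.
SOH_HEALTHY = {c: True for c in WINDOWS_SECURITY_SHV}
SOH_FIREWALL_OFF = dict(SOH_HEALTHY, firewall_enabled=False)

if __name__ == "__main__":
    for label, soh in (("healthy", SOH_HEALTHY), ("firewall off", SOH_FIREWALL_OFF)):
        print(label, "->", evaluate(NETWORK_POLICIES, HEALTH_POLICIES, soh))
```

Two design choices worth noting: a check the SHA never reported counts as a failure rather than a pass, and a client that matches no network policy at all ends up restricted, so a misordered or missing policy degrades to less access rather than more. The returned `failed_checks` list is what the remediation server group exists to fix.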

  • NAP Client Configuration

    Some NAP deployments that use the Windows Security Health Validator require that you enable Security Center

    The Network Access Protection service is required when you deploy NAP to NAP-capable client computers

    You also must configure the NAP enforcement clients on the NAP-capable computers

  • Demonstration: How to Configure Network Access Policies

    Install the NPS server role

    Configure NPS as a NAP health policy server

    Configure health policies

    Configure network policies for compliant computers

    Configure network policies for noncompliant computers

    Configure the DHCP server role for NAP

    Configure client NAP settings

    Test NAP

  • Lesson 4: Monitoring and Troubleshooting NAP

    What Is NAP Tracing?

    Demonstration: How to Configure NAP Tracing

    Troubleshooting NAP with Netsh

    NAP Event Logs

  • What Is NAP Tracing?

    NAP tracing identifies NAP events and records them to a log file based on one of the following tracing levels:

    Basic

    Advanced

    Debug

    You can use tracing logs to:

    Evaluate the health and security of your network

    Troubleshoot and maintain NAP

    NAP tracing is disabled by default, which means that no NAP events are recorded in the trace logs

  • Demonstration: How to Configure NAP Tracing

    In this demonstration, you will see how to:

    Configure tracing from the GUI

    Configure tracing from the command line

  • Troubleshooting NAP with Netsh

    You can use the following netsh NAP commands to help you troubleshoot NAP issues:

    netsh NAP client show state

    netsh NAP client show group

    netsh NAP client show config

  • NAP Event Logs

    Event ID   Meaning
    6272       Successful authentication has occurred
    6273       Successful authentication has not occurred
    6274       A configuration problem exists
    6276       NAP client quarantined
    6277       NAP client is on probation
    6278       NAP client granted full access
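The event IDs in this table as the basis of a defender-side triage script. This is an added example, not part of the course: it parses constructed one-line records in a `timestamp|event_id|client|message` layout defined here for the example (real NPS audit events are structured Windows event log entries, which this script does not read), maps each ID using the table above, and reports each client's latest health outcome plus clients that keep being quarantined without ever reaching full access. The client names, timestamps, messages and the repeat threshold are all constructed.

```python
# Added example of triaging NAP audit events by the IDs in the table above; it
# is not part of the course. The record layout "timestamp|event_id|client|message"
# and all sample values are constructed for this example, not real NPS output.
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List

NAP_EVENT_MEANING = {
    6272: "successful authentication has occurred",
    6273: "successful authentication has not occurred",
    6274: "a configuration problem exists",
    6276: "NAP client quarantined",
    6277: "NAP client is on probation",
    6278: "NAP client granted full access",
}
# Events that state which network a client actually landed on.
HEALTH_STATE_IDS = {6276, 6277, 6278}

# Constructed sample records (client names follow the lab's NYC-CL1 naming).
SAMPLE_LOG = """\
2019-08-13T08:00:01|6272|NYC-CL1|access granted
2019-08-13T08:00:01|6276|NYC-CL1|host did not meet health policy, quarantined
2019-08-13T08:05:44|6272|NYC-CL1|access granted
2019-08-13T08:05:44|6278|NYC-CL1|host met health policy, full access
2019-08-13T08:07:10|6272|NYC-CL2|access granted
2019-08-13T08:07:10|6276|NYC-CL2|host did not meet health policy, quarantined
2019-08-13T08:12:10|6276|NYC-CL2|host did not meet health policy, quarantined
2019-08-13T08:20:00|6274|-|request discarded, no matching health policy configured
2019-08-13T08:21:00|6273|NYC-CL3|access denied
"""


def parse_records(text: str) -> List[Dict[str, object]]:
    """Parse the constructed layout, skipping blank or malformed lines, and
    return records sorted by time so later health events override earlier ones."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue
        ts, event_id, client, message = parts
        try:
            records.append({
                "time": datetime.fromisoformat(ts),
                "event_id": int(event_id),
                "client": client,
                "message": message,
            })
        except ValueError:   # bad timestamp or non-numeric event ID
            continue
    records.sort(key=lambda r: r["time"])
    return records


def summarize(records: List[Dict[str, object]],
              repeat_threshold: int = 2) -> Dict[str, object]:
    """Count events per ID, track each client's latest health outcome, and flag
    clients quarantined `repeat_threshold` or more times that never reached full
    access: the usual sign that remediation is not working for them."""
    counts: Counter = Counter()
    last_state: Dict[str, str] = {}
    quarantines: Dict[str, int] = defaultdict(int)
    unknown = []
    for r in records:
        eid = r["event_id"]
        if eid not in NAP_EVENT_MEANING:
            unknown.append(eid)
            continue
        counts[eid] += 1
        if eid in HEALTH_STATE_IDS:
            last_state[r["client"]] = NAP_EVENT_MEANING[eid]
        if eid == 6276:
            quarantines[r["client"]] += 1
    stuck = sorted(
        c for c, n in quarantines.items()
        if n >= repeat_threshold and last_state.get(c) != NAP_EVENT_MEANING[6278]
    )
    return {
        "counts": dict(counts),
        "last_state": last_state,
        "stuck_in_quarantine": stuck,
        "config_problems": counts[6274],   # 6274 deserves a look every time
        "unknown_event_ids": sorted(set(unknown)),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_records(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

In the sample, NYC-CL1 is quarantined once and then granted full access (remediation worked), while NYC-CL2 is quarantined twice with no 6278 afterwards and is therefore flagged; the single 6274 is surfaced separately because a configuration problem on the NPS side affects every client, not one.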

  • Lab: Implementing NAP into a VPN Remote Access Solution

    Exercise 1: Configuring NAP Components

    Exercise 2: Configuring Client Settings to Support NAP

    Estimated time: 60 minutes

    Logon information

    Virtual machines: 6421B-NYC-DC1, 6421B-NYC-EDGE1, 6421B-NYC-CL1

    User name: Contoso\Administrator

    Password: Pa$$w0rd

  • Lab Scenario

    Contoso, Ltd. is required to extend their virtual private network solution to include Network Access Protection.

    As a Contoso, Ltd. technology specialist, you need to establish a way to bring client computers automatically into compliance. You will do this by using Network Policy Server, creating client compliance policies, and configuring a NAP server to check the current health of computers.

  • Lab Review

    The DHCP NAP enforcement method is the weakest enforcement method in Microsoft Windows Server 2008 R2. What makes it preferable to other methods?

    Could you use the remote access NAP solution alongside the NAP solution? What benefit would be realized by using such a scenario?

    Could you have used DHCP NAP enforcement for the client? Why or why not?

  • Module Review and Takeaways

    Review Questions

    Tools