70-411: Administering Windows Server 2012 Chapter 4 Configure a Network Policy Server Infrastructure

Jan 12, 2016

Brett Sutton
Page 1: 70-411: Administering Windows Server 2012 Chapter 4 Configure a Network Policy Server Infrastructure.

70-411: Administering Windows Server 2012

Chapter 4 Configure a Network Policy Server Infrastructure

Page 2

Objective 4.1: Configuring a Network Policy Server

Page 3

© 2013 John Wiley & Sons, Inc. 3

RADIUS Terms

• Network Policy Server (NPS): Microsoft’s RADIUS server.

• Authorization: The process that determines what a user is permitted to do on a computer system or network.

• RADIUS client: A server or device that forwards RADIUS requests to a RADIUS server.

• Access client: A computer or device that contacts or connects to a RADIUS client, which requires authentication and authorization to connect.
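As an added example (not part of the course slides), the following PowerShell registers a network access server as a RADIUS client on NPS with a randomly generated shared secret and requires the Message-Authenticator attribute in its Access-Request messages, then audits the remaining clients. It uses the NPS module that ships with the NPS role on Windows Server 2012; the client name and address are constructed placeholders, and the `AuthAttributeRequired` property name on the objects returned by `Get-NpsRadiusClient` is assumed to match the cmdlet parameter of the same name.

```powershell
# Added example, not from the course slides. Run on the NPS server with the NPS module available.
Import-Module NPS

function New-HardenedRadiusClient {
    param(
        [Parameter(Mandatory)] [string] $Name,     # friendly name of the NAS (placeholder below)
        [Parameter(Mandatory)] [string] $Address   # IP address or DNS name of the RADIUS client
    )
    # 32 random bytes, Base64-encoded: a 44-character secret instead of a typed password
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $secret = [Convert]::ToBase64String($bytes)

    # -AuthAttributeRequired makes NPS drop Access-Requests that lack a Message-Authenticator,
    # so a request is only accepted when the sender proves knowledge of the shared secret.
    New-NpsRadiusClient -Name $Name -Address $Address -SharedSecret $secret `
        -AuthAttributeRequired $true | Out-Null

    # Returned only so it can be handed to the NAS administrator out of band
    return $secret
}

function Get-RadiusClientsMissingMessageAuthenticator {
    # Audit: every registered RADIUS client that still accepts Access-Requests
    # without the Message-Authenticator attribute (assumed property name)
    Get-NpsRadiusClient | Where-Object { -not $_.AuthAttributeRequired } |
        Select-Object Name, Address, Enabled
}

# Usage with constructed values: register a wireless controller, then audit the rest
$secret = New-HardenedRadiusClient -Name 'WLC-01' -Address '10.0.0.50'
Get-RadiusClientsMissingMessageAuthenticator
```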

Page 4

A Network with RADIUS

Figure: RADIUS servers and clients

Page 5

Configuring RADIUS Server Infrastructures

Multiple RADIUS server configurations:

• Primary RADIUS server and alternate RADIUS servers

• A RADIUS proxy located between the RADIUS server and the RADIUS clients

Page 6

Configuring RADIUS Accounting

Page 7

Using Password-Based Authentication

• The network access server passes the username and password to the NPS server.

• The NPS server verifies the credentials against the user account database.
  o The enabled authentication methods are tried from the most secure (Microsoft Challenge-Handshake Authentication Protocol v2, or MS-CHAPv2) to the least secure (unauthenticated access).

• For stronger security, use certificate authentication or multi-factor authentication.

Page 8

Using Certificates for Authentication

• Much stronger than password-based authentication methods

• Certificates are:
  o Customized using certificate templates
  o Issued using a Certificate Authority

• If smart cards are used, certificates must include:
  o Smart Card Logon purpose
  o Client Authentication purpose

Page 9

Objective 4.2: Configuring NPS Policies

Page 10

Network Policy Server (NPS) Policies

• Connection Request: Specifies which RADIUS servers perform authentication, authorization, and accounting

• Network: Specifies who is authorized to connect to the network and the circumstances under which they can or cannot connect

• Health: Establishes system health validators (SHVs) and other settings that define client computer configuration requirements for NAP-capable computers

Page 11

Configuring Connection Request Policies

Connection request policies are based on a range of factors such as:

• The time of day and day of the week
• The realm name in the connection request
• The type of connection requested
• The IP address of the RADIUS client

Page 12

Configuring Network Policies

An NPS network policy evaluates remote connections based on these three components:

• Conditions
• Constraints
• Settings

Page 13

Encryption Options

• Basic Encryption (MPPE 40-Bit): For dial-up and PPTP-based VPN connections, MPPE is used with a 40-bit key. For L2TP/IPsec VPN connections, 56-bit DES encryption is used.

• Strong Encryption (MPPE 56-Bit): For dial-up and PPTP VPN connections, MPPE is used with a 56-bit key. For L2TP/IPsec VPN connections, 56-bit DES encryption is used.

• Strongest Encryption (MPPE 128-Bit): For dial-up and PPTP VPN connections, MPPE is used with a 128-bit key. For L2TP/IPsec VPN connections, 168-bit Triple DES encryption is used.

• No Encryption: This option allows unencrypted connections that match the remote access policy conditions. Clear this option to require encryption.

Page 14

IP Addressing

IP settings include these options:

• Server Must Supply An IP Address
• Client May Request An IP Address
• Server Settings Determine IP Address Assignment (the default setting)
• Assign A Static IP Address

Page 15

Objective 4.3: Configuring Network Access Protection (NAP)

Page 16

Network Access Protection (NAP)

• NAP is Microsoft’s software for controlling network access for computers based on the health of the host.

• NAP can be used on any computer that runs Windows and supports NAP.

• Types of computers that connect to a network:
  o Desktop computers
  o Roaming laptops
  o Unmanaged home computers
  o Visiting laptops

Page 17

NAP Built-In Enforcement Methods

• DHCP
• IPsec
• VPN
• 802.1x
• Remote Desktop Gateway (RD Gateway)

Page 18

DHCP Enforcement

To control network access, DHCP enforcement sets the following:

• The DHCP Router option is set to 0.0.0.0 so noncompliant computers do not have a configured default gateway.

• The subnet mask is set to 255.255.255.255 so that there are no routes to the attached subnet.

Page 19

NAP Architecture Components

• NAP client-side components
• NAP enforcement points
• NAP health policy server
• System Health Agents (SHAs)

Page 20

NAP Architecture Components (cont.)

• Statement of Health (SoH)
• NAP Agent
• Health Registration Authority (HRA)
• Health requirements server
• Remediation servers

Page 21

System Health Validators

• System Health Validator (SHV) settings define the requirements for client computers that connect to your network.

• You configure SHVs using the Network Policy Server console.

• Windows 8 includes a Windows Security Health Validator SHA that monitors the Windows Security Center settings.

• Windows Server 2012 includes a corresponding Windows Security Health Validator SHV.

Page 22

Configuring System Health Validators

SHV options:

• Firewall Settings
• Antivirus Settings
• Spyware Protection Settings
• Automatic Updates Settings
• Security Updates Settings

Page 23

Configuring Health Policies

• Health policies consist of one or more system health validators and other settings that enable you to define client computer configuration requirements for the NAP-capable computers that attempt to connect to your network.

• Health policy pairs:
  o NAP-compliant
  o NAP-noncompliant

Page 24

Configuring Health Policies

NAP enforcement settings:

• NAP DHCP-compliant: Allow full network access.
• NAP DHCP-noncompliant: Allow limited access.
• NAP DHCP non-NAP-capable: Allow full network access.

Page 25

Configuring Isolation and Remediation

• If a computer is noncompliant, it should be isolated from the production network.

• When you configure NAP, you can configure either a monitor-only policy or an isolation policy.

Page 26

Configuring Isolation and Remediation

Remediation servers typically consist of:

• DHCP servers to provide IP configuration

• Naming servers, including DNS servers and WINS servers

• Active Directory domain controllers (read-only domain controllers are recommended to minimize security risks)

• Internet proxy servers so that noncompliant NAP clients can access the Internet
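As an added example (not part of the course slides), this PowerShell builds the remediation server group that the restricted network needs, one entry for each server type listed above, using the NPS module's remediation cmdlets; the group name, server names and addresses are constructed lab values, and the function can be re-run without creating a duplicate group.

```powershell
# Added example, not from the course slides. Run on the NPS health policy server.
Import-Module NPS

# Constructed lab values: replace with the servers reachable from the restricted network
$remediationServers = @(
    @{ Name = 'DHCP01';  Address = '10.0.0.10' },   # DHCP: IP configuration for restricted clients
    @{ Name = 'DNS01';   Address = '10.0.0.11' },   # naming: DNS (add WINS here if still in use)
    @{ Name = 'RODC01';  Address = '10.0.0.12' },   # read-only domain controller, as the slide advises
    @{ Name = 'PROXY01'; Address = '10.0.0.13' }    # Internet proxy so clients can fetch updates
)

function New-NapRemediationGroup {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [hashtable[]] $Servers
    )
    # Create the group only if it does not exist yet, so the script is safe to re-run
    $existing = Get-NpsRemediationServerGroup | Where-Object { $_.Name -eq $GroupName }
    if (-not $existing) {
        New-NpsRemediationServerGroup -Name $GroupName | Out-Null
    }
    foreach ($s in $Servers) {
        New-NpsRemediationServer -GroupName $GroupName -Name $s.Name -Address $s.Address | Out-Null
    }
    # Return the resulting membership so it can be reviewed before it is referenced
    # from the NAP-noncompliant network policy's NAP Enforcement settings
    Get-NpsRemediationServer -GroupName $GroupName
}

New-NapRemediationGroup -GroupName 'NAP Restricted Network' -Servers $remediationServers
```

A client placed on the restricted network can only reach what is in this group, so a missing DNS or update source here is the usual reason remediation never completes.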

Page 27

Configuring NAP Client Settings

• You can use the Enable Security Center in Group Policy procedure to enable Security Center on NAP-capable clients through Group Policy.

• Some NAP deployments that use the Windows Security Health Validator require Security Center.

• Open the Services console, set the startup type of the Network Access Protection Agent service to Automatic, and start the service.
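As an added example (not part of the course slides), the PowerShell below scripts the client-side steps above on a NAP-capable Windows client: it enables and starts Security Center (service name wscsvc) and the Network Access Protection Agent (service name napagent), then reports both services and the NAP client's own enforcement state via netsh; it assumes an elevated session.

```powershell
# Added example, not from the course slides. Run elevated on the NAP-capable client.
function Enable-NapClientServices {
    # Security Center (wscsvc) must be running for deployments that use the
    # Windows Security Health Validator; Group Policy normally enables it on domain PCs
    Set-Service -Name wscsvc -StartupType Automatic
    if ((Get-Service -Name wscsvc).Status -ne 'Running') {
        Start-Service -Name wscsvc
    }

    # Network Access Protection Agent (napagent): the Services-console steps from the slide
    Set-Service -Name napagent -StartupType Automatic
    if ((Get-Service -Name napagent).Status -ne 'Running') {
        Start-Service -Name napagent
    }

    # Win32_Service exposes StartMode on every Windows version that ships NAP
    Get-WmiObject -Class Win32_Service -Filter "Name='wscsvc' OR Name='napagent'" |
        Select-Object Name, State, StartMode
}

Enable-NapClientServices

# The NAP client reports which enforcement clients are enabled and whether it is restricted
netsh nap client show state
```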