Week #7 Network Access Protection
• Overview of Network Access Protection
• How NAP Works
• Configuring NAP
• Monitoring and Troubleshooting NAP
1
What Is Network Access Protection?
Network Access Protection can:
• Enforce health-requirement policies on client computers
• Ensure client computers are compliant with policies
• Offer remediation support for computers that do not
meet health requirements
Network Access Protection cannot:
• Prevent authorized users with compliant computers
from performing malicious activity
• Restrict network access for computers that are running
Windows versions previous to Windows XP SP2
2
NAP Scenarios
NAP benefits the network infrastructure by verifying
the health state of:
• Roaming laptops
• Desktop computers
• Visiting laptops
• Unmanaged home computers
3
NAP Enforcement Methods
Method: IPsec enforcement for IPsec-protected communications
• Computer must be compliant to communicate with other compliant computers
• The strongest NAP enforcement type, and can be applied per IP address or protocol port number
Method: 802.1X enforcement for IEEE 802.1X-authenticated wired or wireless connections
• Computer must be compliant to obtain unlimited access through an 802.1X connection (authentication switch or access point)
Method: VPN enforcement for remote access connections
• Computer must be compliant to obtain unlimited access through a RAS connection
Method: DHCP enforcement for DHCP-based address configuration
• Computer must be compliant to receive an unlimited access IPv4 address configuration from DHCP
• This is the weakest form of NAP enforcement
4
NAP Platform Architecture
[Diagram: NAP platform architecture. Components shown: VPN Server, Active Directory, IEEE 802.1X Devices, Health Registration Authority, DHCP Server, NAP Health Policy Server, Remediation Servers, and a NAP Client with limited access. Network zones shown: Internet, Perimeter Network, Intranet, Restricted Network.]
5
NAP Architecture Interactions
[Diagram: NAP architecture interactions. The NAP Client connects through the enforcement points (HRA, DHCP Server, VPN Server, IEEE 802.1X Network Access Devices), which exchange RADIUS Messages with the NAP Health Policy Server; the policy server sends System Health Requirement Queries to the Health Requirement Server, and the NAP Client obtains System Health Updates from the Remediation Server.]
6
NAP Client Infrastructure
[Diagram: NAP client infrastructure. System health agents (SHA_1, SHA_2, SHA_3, ...) communicate with the NAP Agent through the SHA API; the NAP Agent drives the enforcement clients (NAP EC_A, NAP EC_B, NAP EC_C, ...) through the NAP EC API; Remediation Server 1 and Remediation Server 2 supply updates to the SHAs.]
7
NAP Server-Side Infrastructure
[Diagram: NAP server-side infrastructure. On the NAP Health Policy Server, the NPS Service hosts the NAP Administration Server, which communicates with the system health validators (SHV_1, SHV_2, SHV_3, ...) through the SHV API; the SHVs consult Health Requirement Server 1 and Health Requirement Server 2. The NPS Service exchanges RADIUS with the Windows-based NAP Enforcement Point, which hosts the enforcement servers (NAP ES_A, NAP ES_B, NAP ES_C, ...).]
8
Communication Between NAP Platform Components
[Diagram: end-to-end communication between NAP platform components, combining the client-side and server-side diagrams of slides 7 and 8. SHA1 and SHA2 on the NAP Client (SHA API, NAP Agent, NAP EC API, NAP EC_A and NAP EC_B) talk to NAP ES_A and NAP ES_B on the Windows-based NAP Enforcement Point, which relays to the NPS Service over RADIUS on the NAP Health Policy Server; the NAP Administration Server passes each statement of health to SHV_1 and SHV_2 through the SHV API; the SHVs consult Health Requirement Server 1 and Health Requirement Server 2, and the SHAs obtain updates from Remediation Server 1 and Remediation Server 2.]
9
NAP Enforcement Processes
To validate network access based on system health, a network infrastructure must provide the following functionality:
• Health policy validation: Determines whether computers are compliant with health policy requirements
• Network access limitation: Limits access for noncompliant computers
• Automatic remediation: Provides necessary updates to allow a noncompliant computer to become compliant
• Ongoing compliance: Automatically updates compliant computers so that they adhere to ongoing changes in health policy requirements
[Diagram: the same NAP platform component diagram as slide 9.]
10
How IPsec Enforcement Works
Key Points of IPsec NAP Enforcement:
• Comprised of a health certificate server and an IPsec NAP EC
• Health certificate server issues X.509 certificates to quarantine clients when they are verified as compliant
• Certificates are then used to authenticate NAP clients when they initiate IPsec-secured communications with other NAP clients on an intranet
• IPsec Enforcement confines the communication on a network to those nodes that are considered compliant
• You can define requirements for secure communications with compliant clients on a per-IP address or a per-TCP/UDP port number basis
[Diagram: the NAP platform architecture diagram from slide 5.]
11
How 802.1X Enforcement Works
Key Points of 802.1X Wired or Wireless NAP Enforcement:
• Computer must be compliant to obtain unlimited network access through an 802.1X-authenticated network connection
• Noncompliant computers are limited through a restricted-access profile that the Ethernet switch or wireless AP places on the connection
• Restricted access profiles can specify IP packet filters or a virtual LAN (VLAN) identifier (ID) that corresponds to the restricted network
• 802.1X enforcement actively monitors the health status of the connected NAP client and applies the restricted access profile to the connection if the client becomes noncompliant
802.1X enforcement consists of NPS in Windows Server 2008 and an EAPHost EC in Windows Vista, Windows XP with SP2 (with the NAP Client for Windows XP), and Windows Server 2008
[Diagram: the NAP platform architecture diagram from slide 5.]
12
How VPN Enforcement Works
Key Points of VPN NAP Enforcement:
• Computer must be compliant to obtain unlimited network access through a remote access VPN connection
• Noncompliant computers have network access limited through a set of IP packet filters that are applied to the VPN connection by the VPN server
• VPN enforcement actively monitors the health status of the NAP client and applies the IP packet filters for the restricted network to the VPN connection if the client becomes noncompliant
VPN enforcement consists of NPS in Windows Server 2008 and a VPN EC as part of the remote access client in Windows Vista, Windows XP with SP2 (with the NAP Client for Windows XP), and Windows Server 2008
[Diagram: the NAP platform architecture diagram from slide 5.]
13
How DHCP Enforcement Works
Key Points of DHCP NAP Enforcement:
• Computer must be compliant to obtain an unlimited access IPv4 address configuration from a DHCP server
• Noncompliant computers have network access limited by an IPv4 address configuration that allows access only to the restricted network
• DHCP enforcement actively monitors the health status of the NAP client and renews the DHCP IPv4 address configuration for access only to the restricted network if the client becomes noncompliant
DHCP enforcement consists of a DHCP ES that is part of the DHCP Server service in Windows Server 2008 and a DHCP EC that is part of the DHCP Client service in Windows Vista, Windows XP with SP2 (with NAP Client for Windows XP), and Windows Server 2008
[Diagram: the NAP platform architecture diagram from slide 5.]
14
What Are System Health Validators?
System Health Validators are server software
counterparts to system health agents
• Each SHA on the client has a
corresponding SHV in NPS
• SHVs allow NPS to verify the
statement of health made by its
corresponding SHA on the client
• SHVs contain the configuration settings that
are required on client computers
• The Windows Security SHV
corresponds to the Microsoft SHA
on client computers
15
What Is a Health Policy?
To make use of the Windows Security Health Validator, you
must configure a Health Policy and assign the SHV to it
• Health policies consist of one or more SHVs and other settings that
allow you to define client computer configuration requirements for
NAP-capable computers that attempt to connect to your network
• You can define client health policies in NPS by adding one or more
SHVs to the health policy
• NAP enforcement is accomplished by NPS on a per-network
policy basis
• After you create a health policy by adding one or more SHVs to
the policy, you can add the health policy to the network policy and
enable NAP enforcement in the policy
16
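The validation loop that slides 10, 15 and 16 describe, as an added Python model (not Microsoft's NAP code and not code from this deck): an SHA reports a statement of health, the matching SHV compares it with the settings it requires, the health policy passes only if every SHV passes, NPS grants unlimited or restricted access, automatic remediation fixes the failed settings, and a later policy change pushes the same client back to restricted access. The class and function names, the setting names and the sample values are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added model of the NAP health validation loop; names and values are constructed.


@dataclass
class StatementOfHealth:
    """What a system health agent (SHA) on the client reports."""
    sha_id: str
    settings: Dict[str, object]


@dataclass
class HealthValidator:
    """Server-side counterpart (SHV): the settings its SHA must report."""
    sha_id: str
    required: Dict[str, object]

    def validate(self, soh: StatementOfHealth) -> List[str]:
        """Names of required settings the SoH does not satisfy (empty list = pass)."""
        return [key for key, value in self.required.items()
                if soh.settings.get(key) != value]


@dataclass
class HealthPolicy:
    """One or more SHVs; the client is compliant only if every SHV passes."""
    name: str
    validators: List[HealthValidator]

    def evaluate(self, statements: List[StatementOfHealth]) -> Tuple[bool, Dict[str, List[str]]]:
        by_sha = {s.sha_id: s for s in statements}
        failures: Dict[str, List[str]] = {}
        for shv in self.validators:
            soh = by_sha.get(shv.sha_id)
            # A missing SoH is a failure: NPS cannot verify what it never received.
            failures[shv.sha_id] = shv.validate(soh) if soh else ["no statement of health"]
        return all(not f for f in failures.values()), failures


def nps_decide(policy: HealthPolicy, statements: List[StatementOfHealth]) -> Dict[str, object]:
    """Network policy step: compliant -> unlimited; otherwise restricted plus what to remediate."""
    compliant, failures = policy.evaluate(statements)
    return {
        "access": "unlimited" if compliant else "restricted",
        "remediate": {sha: f for sha, f in failures.items() if f},
    }


def remediate(statements: List[StatementOfHealth], policy: HealthPolicy,
              todo: Dict[str, List[str]]) -> None:
    """Automatic remediation: apply the value each SHV requires for every failed setting."""
    required = {shv.sha_id: shv.required for shv in policy.validators}
    for soh in statements:
        for key in todo.get(soh.sha_id, []):
            if key in required[soh.sha_id]:
                soh.settings[key] = required[soh.sha_id][key]


def run_cycle() -> Tuple[str, str, str, Dict[str, List[str]]]:
    """Constructed sample client: firewall off, signatures at version 1010."""
    client = [StatementOfHealth("WindowsSecurity",
                                {"firewall": False, "av_enabled": True, "av_sig": 1010})]
    policy = HealthPolicy("Corp-Health", [
        HealthValidator("WindowsSecurity",
                        {"firewall": True, "av_enabled": True, "av_sig": 1010}),
    ])
    first = nps_decide(policy, client)            # restricted: firewall is off
    remediate(client, policy, first["remediate"])  # NAP agent turns the firewall on
    second = nps_decide(policy, client)           # unlimited after remediation
    # Ongoing compliance: the administrator raises the required signature version,
    # so the next evaluation of the unchanged client is restricted again.
    policy.validators[0].required["av_sig"] = 1011
    third = nps_decide(policy, client)
    return first["access"], second["access"], third["access"], third["remediate"]


if __name__ == "__main__":
    print(run_cycle())
```

The policy here requires every SHV to pass, which is the strictest of the health policy modes; a missing statement of health is deliberately treated as a failure rather than a pass, since a validator that passes clients it never heard from would defeat the point of validation.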
What Are Remediation Server Groups?
With NAP enforcement in place, you should specify remediation
server groups so the clients have access to resources that bring
noncompliant NAP-capable clients into compliance
• A remediation server hosts the updates that the NAP agent can
use to bring noncompliant client computers into compliance with
the health policy that NPS defines
• A remediation server group is a list of servers on the restricted
network that noncompliant NAP clients can access for
software updates
17
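An added example (Python, not Microsoft's code and not code from this deck) of what an enforcement point hands to a client once NPS has decided, tying the restricted-access profiles of slides 12 to 14 to the remediation server group of slide 17: a compliant client gets unlimited access, a noncompliant one gets IP packet filters (or a restricted VLAN for 802.1X) that reach only the remediation servers. The DHCP branch assumes a restricted lease with a host subnet mask, no default gateway and host routes to the remediation servers, which this deck does not spell out. All class names, addresses and ports are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Added model of NAP restricted-access profiles; names and addresses are constructed.

IPFilter = Tuple[ipaddress.IPv4Network, Optional[int]]  # (destination, TCP/UDP port or None)


@dataclass
class RemediationServerGroup:
    """Servers on the restricted network that a noncompliant client may still reach."""
    name: str
    servers: List[Tuple[str, Optional[int]]]  # (IPv4 address, service port or None = any)


@dataclass
class AccessProfile:
    method: str                       # "802.1X", "VPN" or "DHCP"
    unlimited: bool
    filters: List[IPFilter] = field(default_factory=list)  # empty when unlimited
    vlan_id: Optional[int] = None     # 802.1X may use a restricted VLAN instead of filters
    dhcp: Optional[dict] = None       # DHCP hands out a restricted IPv4 configuration


def build_profile(method: str, compliant: bool, group: RemediationServerGroup,
                  restricted_vlan: Optional[int] = None) -> AccessProfile:
    """Enforcement-point step after the NPS decision."""
    if compliant:
        return AccessProfile(method, True)
    filters: List[IPFilter] = [(ipaddress.ip_network(addr + "/32"), port)
                               for addr, port in group.servers]
    profile = AccessProfile(method, False, filters)
    if method == "802.1X" and restricted_vlan is not None:
        profile.vlan_id = restricted_vlan  # switch/AP places the port in the restricted VLAN
    elif method == "DHCP":
        # Assumption (not stated in the deck): host mask, no default gateway,
        # host routes only to the remediation servers.
        profile.dhcp = {
            "subnet_mask": "255.255.255.255",
            "default_gateway": None,
            "static_routes": sorted({addr for addr, _ in group.servers}),
        }
    return profile


def permitted(profile: AccessProfile, dst_ip: str, dst_port: int) -> bool:
    """Would the enforcement point pass a packet from this client to dst_ip:dst_port?"""
    if profile.unlimited:
        return True
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in net and (port is None or port == dst_port)
               for net, port in profile.filters)


def demo() -> dict:
    # Constructed sample: an update server on 10.0.9.10:8530, a file server on 10.0.9.11.
    group = RemediationServerGroup("Restricted-Remediation",
                                   [("10.0.9.10", 8530), ("10.0.9.11", None)])
    restricted = build_profile("VPN", compliant=False, group=group)
    full = build_profile("VPN", compliant=True, group=group)
    dot1x = build_profile("802.1X", compliant=False, group=group, restricted_vlan=99)
    dhcp = build_profile("DHCP", compliant=False, group=group)
    return {
        "vpn_restricted_to_update_server": permitted(restricted, "10.0.9.10", 8530),
        "vpn_restricted_wrong_port": permitted(restricted, "10.0.9.10", 443),
        "vpn_restricted_to_intranet": permitted(restricted, "10.0.1.20", 445),
        "vpn_unlimited_to_intranet": permitted(full, "10.0.1.20", 445),
        "dot1x_vlan": dot1x.vlan_id,
        "dhcp_gateway": dhcp.dhcp["default_gateway"],
        "dhcp_routes": dhcp.dhcp["static_routes"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the port field is the per-port granularity the IPsec and VPN slides mention: a restricted client can reach the update service on its port without reaching anything else on that host, which keeps the remediation servers from becoming a general-purpose bridge out of the restricted network.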
NAP Client Configuration
• Some NAP deployments that use Windows Security Health Validator
require that you enable Security Center
• The Network Access Protection service is required when you deploy
NAP to NAP-capable client computers
• You also must configure the NAP enforcement clients on the
NAP-capable computers
18
What Is NAP Tracing?
• NAP tracing identifies NAP events and records them to a
log file based on one of the following tracing levels:
• Basic
• Advanced
• Debug
• You can use tracing logs to:
• Evaluate the health and security of your network
• Troubleshoot and maintain NAP
• NAP tracing is disabled by default, which means that no
NAP events are recorded in the trace logs
19
Configuring NAP Tracing
• You can configure NAP tracing by using one of the
following tools:
• The NAP Client Management console
• The Netsh command-line tool
• To enable logging functionality, you must be a member
of the Local Administrators group
• Trace logs are located in the following directory:
%systemroot%\tracing\nap
20