Windows Server 2008 R2 - Center
Windows Clients and Windows Server 2008 NAP:
Session objectives
See why using the built-in functionality of Windows on
both the client and the server makes a compelling
argument for introducing this technology into your
company
Explore the required services and configurations
that an administrator needs to understand in
planning NAP
Targeted as an architecture and deployment
planning overview session
NOT about the detail of deployment:
See Ryan Roseveare’s session SIA308 @ 10h15 on Weds
What is Network Access Protection (NAP)
Additional protection from Malware threats and other
client configuration inconsistencies
It’s all about “defending in depth”!
NAP is about stopping the next big virus or vulnerability
by ensuring clients are well maintained and isolated if
deemed unhealthy
Provides centralized definition, integration, and
enforcement of system health requirements to help
prevent the exposure to malware on a private network
NAP is designed to be a client “health checker”; it is not the
best solution for:
blocking unauthorized users
rogue machine control
software distribution control
Why NAP
We do not trust users to install all patches and
updates as required and need to verify that
systems comply with policies
Do the systems have:
current anti-virus software?
current anti-spyware?
current corporate-approved patches?
host-based stateful firewall enabled?
What other configuration settings are required for
adherence to the organization’s security policies?
NAP Walkthrough
[Diagram; labels recovered] Three zones: Untrusted Network, Boundary Network, Secure Network. Participants: Client, Health Registration Authority (HRA, in the boundary network), Policy Server, CA, Remediation Server.
1. Client -> HRA: “May I have a health certificate? Here’s my SoH.”
2. HRA -> Policy Server: “Client OK?”
3. Compliant path: Policy Server -> HRA: “Yes. Issue a health certificate.” HRA -> CA: issue a health certificate. HRA -> Client: “Here’s your health certificate.” Client: accessing the (secure) network.
4. Non-compliant path: Policy Server -> HRA: “No. Needs fix-up.” HRA -> Client: “You don’t get a health certificate. Go fix up.” Client -> Remediation Server: “I need updates.” Remediation Server -> Client: “Here you go.”
User notifications shown on the client: “Non-compliant and no Auto Remediation” and “Compliant / Auto Remediated”.
NAP Requirements Overview
The NAP platform requires servers running Windows Server
2008 or later and NAP-aware clients:
Windows XP SP3 and later
Windows Server 2008 and later
Set of operating system components that provide a platform
for system health-validated access to networks
An architecture through which policy validation, network
access limitation, automatic remediation, and ongoing
compliance can occur
Optionally, NAP can support additional components supplied
by third-party software vendors or Microsoft
NAP Enforcement Models
Model  | Notes                                                                 | Quarantine Enforcement
IPSec  | The most robust solution; server/domain isolation                     | Policy can require health certs for tunnel/transport mode
802.1x | Wireless and wired LAN (needs the correct network hardware support)   | VLAN and Access Control List (ACL)
VPN    | Remote/mobile clients (if IPSec not appropriate)                      | IPv4/6 filtering
DHCP   | Easiest to configure; needs compliant DHCP server (2008+); weakest model, a client with a static IP address bypasses it | IP segmentation
None   | Compliance reporting only; often a good starting point for deployment | N/A
Note: NAP also supports Windows Server 2008 Terminal Services gateway
NAP vs. RAS Quarantine Control
Server 2003 Quarantine Control                         | Server 2008 NAP
Server: Server 2003+                                   | Server: Server 2008+
Clients: Win 98, ME, 2000, XP+                         | Clients: Windows XP+ and Server 2003+
Compliance check via custom script/EXE                 | Compliance via SHA (multiple in Win 7)
RAS clients only                                       | Potentially “wall-to-wall”
Quarantine via IP filtering                            | Quarantine depends on enforcement model
Enforcement “once-off” during initial connection via RAS | Health certificate associated with session for entire duration (with expiry)
NAP Components
Component groups: Platform Components, Enforcement Components, Health Components
System Health Agents (SHA) = Declare health (patch state, virus signature, system configuration, etc.).
Quarantine Agent (QA) = Reports client health status; coordinates between SHA and QEC.
Quarantine Enforcement Clients (QEC) = Negotiate access with network access device(s); DHCP, VPN, 1X, IPSec QECs.
Quarantine Server (QS) = Restricts client’s network access based on what the SHV certifies.
System Health Validators (SHV) = Certify declarations made by health agents.
Network Access Devices = Provide network access to healthy endpoints.
Health Requirement Servers = Define health requirements for system components.
Health Registration Authority = Issues health certificates to clients that pass health checks.
Remediation Servers = Install necessary patches, configurations, applications. Bring clients to healthy state.
[Architecture diagram; labels recovered] On the client: SHA<n> -> NAP Agent -> QEC 1 / QEC 2. The client sends Health Statements and Network Access Requests; the Health Registration Authority and the Network Policy Server (running SHV<n>) return a Health Result and a Health Certificate. Health Requirement Servers supply Health Policy Updates to the policy side; Remediation Servers serve the client.
System Health Agent Options
Windows SHA
Antivirus settings
Antispyware settings
Firewall settings
Windows Updates Settings
System Center Configuration Manager 2007 (SCCM) SHA
Patch Management
Forefront Client Security (FCS) SHA
3rd party SHAs
Including Avenda, Nortel, UNET, …
Health Registration Authority
Is essentially an access layer abstraction proxy – for
example:
NAP clients can connect to an HRA in the DMZ via HTTP (or HTTPS) without
requiring a direct connection to the Policy Server in the private
network
Health Certificates are issued to NAP clients via the HRA web services
(rather than directly by the CA)
Is a role on Windows Server 2008(+) only
Is “stateless” – i.e. can be Load Balanced
There is an HRA Discovery mechanism to publish via
DNS
Network Policy Server
Network Policy Server (NPS) is used by the HRA
to validate the SoH
NPS receives computer credentials and the SoH from the
HRA(s)
SoH is evaluated by SHVs running on the NPS server,
and results matched against the Health policies
Network policies are then used to authorize or
deny network connection requests
Network Policy Server Configuration
NPS servers configured in the internal network,
receiving the RADIUS requests from the HRAs
Multiple NPS servers configured in Server Group for
high availability
Configuration stored locally
Scripts used to replicate if load balancing required
Configure NPS logging / NAP Reporting
Allows logging to text files or database (ODBC)
Best practice is to log to local database, replicate to
central SQL repository
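The slide notes that NPS keeps its configuration locally and that scripts are used to replicate it across a server group. The following is an added example, not code from the deck, showing one way to do that with the netsh nps export/import commands shipped with Server 2008 R2. The peer host names, file paths and the use of WinRM (Enable-PSRemoting on the peers) are assumptions for illustration.

```powershell
# Added example, not from the deck. NPS on Server 2008 R2 keeps its configuration
# locally, so members of a load-balanced server group are kept consistent by
# exporting from one node and importing on the others. Host names, paths and the
# use of WinRM (Enable-PSRemoting on the peers) are assumptions for illustration.
param(
    [string[]]$Peers = @("nps2.corp.example", "nps3.corp.example"),
    [string]$ExportPath = "C:\nps-export.xml"
)

function Sync-NpsConfiguration {
    param([string[]]$Peers, [string]$ExportPath)

    # exportPSK=YES writes the RADIUS shared secrets into the XML. Without them the
    # HRAs and other RADIUS clients cannot talk to the peers, but the file is now
    # as sensitive as the secrets themselves: keep it off shared drives and delete it.
    netsh nps export filename="$ExportPath" exportPSK=YES | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $ExportPath)) {
        throw "netsh nps export failed (exit code $LASTEXITCODE)"
    }

    $status = @{}
    foreach ($peer in $Peers) {
        $remoteCopy = "\\$peer\C$\nps-import.xml"
        Copy-Item -Path $ExportPath -Destination $remoteCopy -Force
        # Import replaces the peer's whole NPS configuration (RADIUS clients,
        # templates, health and network policies, SHV settings) with the export.
        $status[$peer] = Invoke-Command -ComputerName $peer -ScriptBlock {
            netsh nps import filename="C:\nps-import.xml" | Out-Null
            $rc = $LASTEXITCODE
            Remove-Item -Path "C:\nps-import.xml" -Force
            $rc
        }
    }
    Remove-Item -Path $ExportPath -Force
    return $status   # peer name -> netsh exit code (0 = imported)
}

$result = Sync-NpsConfiguration -Peers $Peers -ExportPath $ExportPath
$result.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
```

Run it from the node whose configuration is authoritative; because the import overwrites everything on the peer, any change made directly on a secondary is lost, which is the reason to treat one NPS as the master and edit only there.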
Network Policy Options
Allow full network access
Allow full network access for limited time
Enforcement is deferred until a later date
Limited network access
Access is restricted to remediation servers
Certification Authority
Issues health certs for NAP-compliant machines via the HRA proxy
These are regular X.509 certificates with a very short lifetime
System Health Authentication OID in the certificate
Certificate Authority requirements:
Enterprise or standalone subordinate CA under a trusted Root CA
Windows Server 2003 or later (needs to support MS Client Cert Enrollment)
Recommended that dedicated health certificate-issuing CAs are
deployed
No revocation is typically required due to short certificate lifetime
High volume of certificates issued could impact other services also relying
on the CA
Notes:
The “No Enforcement” model still needs a CA for “Exemption Certificates”
Beware the default CA install behavior when NAP roles are added
to the server’s configuration and CA does not already exist
Try to keep CA “close” to HRA in distributed/large deployments
SoH and Health Certificate Renewal
Client SoH is revalidated when:
Health certificate approaches 80% of validity time
Some documentation differs on this and states 15
minutes before expiry
Network state changes
Changes in client configuration detected by an SHA
Group policy is updated
Non-NAP capable clients can be issued with
Exemption Certificates
NAP Health Exemptions
Use AutoEnrollment to enroll “Health
Exemption” certificates to systems exempt from
NAP compliance
Define group for DA clients exempt from NAP
Create certificate template with the following attribute:
Custom application policy – “Server Health”
OID = “1.3.6.1.4.1.311.47.1.1”
Grant enroll and autoenroll permissions to group
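The CA, renewal and exemption slides above all turn on one certificate property: the System Health Authentication OID 1.3.6.1.4.1.311.47.1.1. The script below is an added example, not from the deck, that reports every certificate in the local machine store carrying that EKU and works out when the slide’s renewal rule (80 % of validity; some documentation says 15 minutes before expiry) says the SoH should have been revalidated. The one-day boundary used to separate short-lived health certificates from long-lived exemption certificates is an assumption about your template settings.

```powershell
# Added example, not from the deck. Reports NAP-related certificates in the local
# machine store: anything whose EKU carries the System Health Authentication OID
# 1.3.6.1.4.1.311.47.1.1 (the OID given on the exemption slide). Health certificates
# issued through the HRA are short-lived; exemption certificates autoenrolled from
# the custom template are long-lived. The 1-day boundary used to tell them apart
# is an assumption about your CA's template settings.
$NapHealthOid = "1.3.6.1.4.1.311.47.1.1"

function Test-NapHealthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $NapHealthOid) { return $true }
            }
        }
    }
    return $false
}

function Get-NapCertificateReport {
    param(
        [string]$StorePath = "Cert:\LocalMachine\My",
        [datetime]$Now = (Get-Date)
    )
    foreach ($cert in (Get-ChildItem -Path $StorePath)) {
        if (-not (Test-NapHealthEku -Cert $cert)) { continue }
        $lifetime = $cert.NotAfter - $cert.NotBefore
        # Renewal point per the slide: 80 % of the validity period. The alternative
        # figure quoted by some documentation is 15 minutes before expiry.
        $renewAt80 = $cert.NotBefore + [timespan]::FromTicks([long]($lifetime.Ticks * 0.8))
        $renewAt15 = $cert.NotAfter.AddMinutes(-15)
        if ($lifetime -gt [timespan]::FromDays(1)) { $kind = "exemption (long-lived)" }
        else { $kind = "health (short-lived)" }
        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            Kind          = $kind
            NotBefore     = $cert.NotBefore
            NotAfter      = $cert.NotAfter
            RenewDue80pct = $renewAt80
            RenewDue15min = $renewAt15
            # True when the client should already have revalidated its SoH but the
            # certificate has not been replaced yet: check the NAP agent event log.
            RenewOverdue  = ($Now -gt $renewAt80) -and ($Now -le $cert.NotAfter)
            Expired       = ($Now -gt $cert.NotAfter)
        }
    }
}

Get-NapCertificateReport |
    Sort-Object NotAfter |
    Format-Table Kind, Subject, NotBefore, NotAfter, RenewDue80pct, RenewOverdue, Expired -AutoSize
```

A long-lived certificate with this EKU on a machine that is not in the exemption group is worth investigating: it lets that host pass IPsec health checks indefinitely without ever presenting an SoH.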
NAP Client Configuration
Enable NAP Agent
Configure HRA URLs
Install and enable SHAs
For Windows SHA, turn on Security Center
Configure Group Policies for NAP
For IPSec Enforcement model:
Enable IPSec Relying Party
Configure IPSec policy to use health certificates
Configure host-based firewall to allow IPSec-protected traffic
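The steps on this slide can be done with the tools built into Windows 7 / Server 2008 R2. What follows is an added example, not code from the deck, that performs them for the IPsec enforcement model; the HRA URL and the health CA’s subject name are placeholders to replace with your own.

```powershell
# Added example, not from the deck. Configures a Windows 7 / Server 2008 R2 client for
# the IPsec enforcement model with the built-in tools (services, netsh nap client,
# netsh advfirewall). The HRA URL and the CA subject name are placeholders to replace.
param(
    [string]$HraUrl  = "https://hra.corp.example/domainhra/hcsrvext.dll",
    [string]$NapCaDn = "CN=Example Health CA, DC=corp, DC=example"
)

function Enable-NapClientForIPsec {
    param([string]$HraUrl, [string]$NapCaDn)

    # 1. The NAP Agent service (napagent) is Manual and stopped by default.
    Set-Service -Name napagent -StartupType Automatic
    Start-Service -Name napagent

    # 2. The Windows SHA reads antivirus/antispyware/firewall/update state from
    #    Security Center (wscsvc), which is off by default on domain members.
    Set-Service -Name wscsvc -StartupType Automatic
    Start-Service -Name wscsvc

    # 3. Trusted server group and HRA URL. requirehttps forces TLS so the SoH and the
    #    issued health certificate are not exposed on the untrusted segment.
    netsh nap client add trustedservergroup name="HRA" requirehttps="ENABLE"
    netsh nap client add server group="HRA" url="$HraUrl"

    # 4. Enable the IPsec Relying Party enforcement client (ID 79619).
    #    Other QEC IDs: DHCP 79617, Remote Access 79618, TS Gateway 79621, EAP 79623.
    netsh nap client set enforcement ID=79619 ADMIN="ENABLE"

    # 5. Connection security rule: require authentication inbound, request it outbound,
    #    and accept only computer certificates from the NAP CA that carry the
    #    System Health Authentication EKU (auth1healthcert=yes).
    netsh advfirewall consec add rule name="NAP health certificate" `
        endpoint1=any endpoint2=any action=requireinrequestout `
        auth1=computercert auth1ca="$NapCaDn" auth1healthcert=yes

    # 6. Host firewall: admit inbound traffic only when it is IPsec-protected.
    netsh advfirewall firewall add rule name="Allow IPsec-protected inbound" `
        dir=in action=allow security=authenticate

    # Returns the agent's view (enforcement clients, SHAs, trusted server groups)
    # so the operator can confirm the IPsec QEC is enabled and the HRA is listed.
    netsh nap client show state
}

Enable-NapClientForIPsec -HraUrl $HraUrl -NapCaDn $NapCaDn
```

When the same settings are delivered through the NAP Group Policy the policy values take precedence over anything set locally with netsh, so after a gpupdate re-run netsh nap client show state to see which configuration is actually in effect.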
Remediation Servers
Any service that needs to be available to clients for
remediation to happen
Depend on what SHAs are being used by organization
Remediation Servers need to be reachable from
unhealthy clients
Publish remediation servers externally to the Internet
Use separate IP subnet for remediation servers
Require additional (non-health) client certificate to secure access to
remediation subnet
New features in “R2” and Windows 7
Windows Server 2008 R2
NPS Templates and Templates Management
RADIUS accounting improvements
Full support for international, non-English character
sets using UTF-8 encoding
R2 CA allows non-persisted certificate requests
Server 2008 R2 and Windows 7
Multi-configuration SHV
A single NAP health policy server can be used to deploy
multiple configurations of the same SHV
User interface improvements
Resources
Tech·Ed Africa 2009 sessions will be
made available for download the week
after the event from: www.tech-ed.co.za
www.microsoft.com/teched
www.microsoft.com/learning
International Content & Community
Microsoft Certification & Training Resources
http://microsoft.com/technet
http://microsoft.com/msdn
Resources for IT Professionals
Resources for Developers
10 pairs of MP3
sunglasses to be won
Complete a session
evaluation and
enter to win!
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should
not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.