Ahmed Hussein Online

Network access protection (NAP) a practical point of view (Part1)

August 26th, 2011

 

Network access protection is one of the best features in windows 2008 and above it increase you compliance level and give you insight about you machines status .

I have seen many people jump to comparing NAP to a NAC infrastructure . well this totally unfair maybe the first thing that NAP is absolutely free but the cheapest NAC system will cost you at least five digits .a second thing NAP function is a very different from NAC as you will see.

Now the really important notes

NAP enforcement is AND not OR this means you can have all your enforcement types in one network . personally I always like to start with DHCP enforcement its soo easy to implement but also very affective .

NAP is not to protect you from malicious users its designed to be a compliance tool so stop thinking that it should stop a hacker it will not but it will help making the malicious users life a lot more complicated .

This learning guide is the steps taken from Microsoft TechNet but with rearranging the topics to seem a bit logical for some one that does not know the technology (there is no point in reinventing the wheel). I also added my personal experience into it and explained any other technology that might be needed in the process.

The soul purposes of this guide is to give some idea about the technology .you can use it to deploy your own Solution but I don’t recommended it as every infrastructure is a bit different than the other . Please remember the golden rules “60% planning 30% deployment 10% maintenance “

Benefits of NAP

Protect the network

NAP provides information, tools, and methods that help to protect the network from security risks.

  • Network health analysis. NAP allows network administrators to evaluate and track the health state of the enterprise on an ongoing basis.
  • Policy validation. NAP provides verification of the effectiveness of existing security policies and allows you to monitor the effect of new policies.
  • Identify risks. By creating a health profile for the network, NAP allows you to identify and resolve potential security risks.
  • Enhanced network health. NAP improves the overall health of your network by restricting the access of noncompliant computers and remediating their health.
  • Policy compliance. NAP provides a mechanism for enforcing ongoing compliance with network health policies.
  • Access control. NAP provides an additional layer of protection and allows you to make policy decisions at the point of network access.

Minimize cost and complexity

Because NAP is built into the Windows operating system, it is cost-effective and less complex to deploy than other solutions.

  • Automate policy enforcement. NAP clients are automatically granted full or restricted access based on settings that you define.
  • Automate client remediation. Computers that are noncompliant with network health policies can be automatically brought into compliance. This can be implemented no matter if noncompliant computers have their access restricted.
  • Leverage built-in features. NAP allows you to leverage existing services and protocols used on the network.
  • Leverage existing infrastructure. By providing a choice of enforcement methods, NAP can integrate easily into your existing infrastructure.
  • Add new features easily. NAP allows you to easily introduce new health requirements or change the scope of existing requirements.

Implement an extensible solution

NAP is a standards-based solution with many partners providing extensions to its functionality.

  • Leverage technology standards. The SoH protocol used by NAP has been published as a Trusted Network Connect (TNC) specification. This helps to ensure interoperability across vendors and network technologies.
  • Choose from multiple vendors. NAP allows you to integrate access controls across multiple vendors in areas such as client security, update management, networking, and system integration.

What is NAP ?

Network Access Protection (NAP) is a new technology introduced in Windows Vista and Windows Server 2008. NAP includes client and server components that allow you to create and enforce health requirement policies that define the required software and system configurations for computers that connect to your network. NAP enforces health requirements by inspecting and assessing the health of client computers, limiting network access when client computers are deemed noncompliant, and remediating noncompliant client computers for unlimited network access. NAP enforces health requirements on client computers that are attempting to connect to a network. NAP can also provide ongoing health compliance enforcement while a compliant client computer is connected to a network.

NAP enforcement occurs at the moment client computers attempt to access the network through network access servers, such as a virtual private network (VPN) server running Routing and Remote Access, or when clients attempt to communicate with other network resources. The way in which NAP is enforced depends on the enforcement method you choose. NAP enforces health requirements for the following:

  • Internet Protocol security (IPsec)-protected communications
  • Institute of Electrical and Electronics Engineers (IEEE) 802.1X-authenticated connections
  • VPN connections
  • Dynamic Host Configuration Protocol (DHCP) configuration
  • Terminal Services Gateway (TS Gateway) connections

Terminology

Term

Definition

Access Control Server (ACS)

The Cisco implementation of a RADIUS solution. ACS is a required component of the NAP-NAC interoperability solution.

Authentication, authorization, and accounting (AAA) server

See Network Policy Server (NPS).

Boundary network

For IPsec, a logical portion of a network that can be accessed by computers in the restricted network and the secure network. Computers in the restricted network do not comply with health policies and have limited network access; computers in the secure network comply with health policies and have unlimited network access.

Connection request policies

Conditions and settings that validate requests for network access and govern where this validation is performed.

Deferred enforcement

A method that allows a noncompliant computer unlimited access until a specified date and time when network access becomes restricted. This provides a client computer additional time to remediate before the health requirement policy is enforced. Noncompliant NAP client computers are notified that access will be restricted on the specified date.

Enforcement mode

A degree of network access granted to noncompliant computers. There are three available enforcement modes: reporting mode, deferred enforcement, and full enforcement.

Exempted computer

A computer that is allowed full network access regardless of health state.

Exemption certificate

An X.509 certificate that exempts computers from NAP health checks. Server computers can use exemption certificates to participate in IPsec-protected communications on NAP-enabled networks that use IPsec enforcement.

Full enforcement

The process of evaluating client compliance with NAP and immediately enforcing restricted network access for noncompliant clients. Noncompliant NAP client computers are notified that their network access might be restricted.

Health certificate

An X.509 certificate that asserts the health compliance of a NAP client computer. A health certificate typically has a short lifetime on the order of days or hours.

Health certificate enrollment protocol (HCEP)

The protocol that the NAP client uses to request health certificates from the health registration authority (HRA).

Health policies

Conditions that define which SHVs are evaluated and how they are used in validating the health status of NAP-capable computers that attempt to connect to or communicate on the network.

Health Registration Authority (HRA)

A computer running Windows Server 2008 and Internet Information Services (IIS) that validates client health and obtains health certificates from a certification authority (CA) on behalf of compliant NAP client computers. HRA plays a central role in NAP Internet Protocol security (IPsec) enforcement.

Health requirement server

A server that communicates with a NAP health policy server and provides information that system health validators (SHVs) use to validate statements of health (SoHs) for compliance. For example, a NAP health policy server might have to contact a health requirement server such as an antivirus signature server to check for the version of the current signature file.

Host Credentials Authorization Protocol (HCAP)

A protocol for exchanging information between an AAA server and a server that contains information required to validate configuration data. The NAP-NAC interoperability solution uses HCAP for communication between NPS and ACS.

Internet Authentication Service (IAS)

See Network Policy Server (NPS).

Internet Protocol security (IPsec)

A framework for a set of protocols to manage security at the network or packet processing layer of the TCP/IP stack. Earlier approaches managed security at the application layer of the TCP/IP stack. A big advantage of IPsec is that administrators can manage security without requiring changes to applications or network infrastructure components.

NAP administration server

A component on a NAP health policy server that is responsible for receiving statements of health (SoHs) from NAP enforcement points, distributing SoHs to the appropriate system health validators (SHVs), and collecting SoH responses (SoHRs) from the SHVs and passing them to the NPS service for evaluation.

NAP enforcement client

A NAP client software component that integrates with network access or communication technologies, such as IPsec, 802.1X, VPN, DHCP, and Terminal Services Gateway (TS Gateway). The NAP enforcement client requests access to a network, communicates the NAP client’s health status to the NAP enforcement point that is providing the network access, and communicates the restricted status of the client computer to other components of the NAP client architecture.

NAP enforcement method

A type of network access or communication that NAP can leverage to restrict network access or communication for noncompliant clients. The enforcement methods included with Windows Vista and Windows Server 2008 are those that protect Internet Protocol security (IPsec) traffic, 802.1X-authenticated connections, remote access virtual private network (VPN) connections, Dynamic Host Control Protocol (DHCP) address configurations, and Terminal Server Gateway connections.

NAP enforcement point

A server or network access device that uses NAP or can be used with NAP to require the evaluation of a NAP client’s health state and provide restricted network access or communication for noncompliant NAP clients. HRAs, 802.1X switches and wireless access points, and NAP-enabled VPN, DHCP, and TS Gateway servers are examples of NAP enforcement points.

NAP enforcement server

A Windows Server 2008 component of the NAP architecture that enforces restricted network access for noncompliant NAP clients. NAP enforcement servers are also NAP enforcement points.

NAP health policy server

A server running NPS that is acting in the role of a NAP health evaluation server. The NAP health policy server has health policies and network policies that are used to evaluate compliance of NAP client computers.

NAP-ineligible computer

A computer that does not have the NAP Agent service installed and cannot provide its health status to NAP server computers. A computer running Windows XP that does not have Service Pack 3 installed is NAP-ineligible.

Network policy

Conditions, settings, and constraints to determine authorization for network connection attempts. Network policy replaces remote access policy in IAS.

Network Policy Server (NPS)

The Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server and proxy. In the NAP architecture, the server running NPS includes the NAP administration server and the system health validator (SHV) components. The RADIUS clients are the NAP enforcement points such as DHCP servers, HRAs, VPN servers, TS Gateway servers, and 802.1X network access devices. NPS replaces Internet Authentication Service (IAS).

NPS proxy

A RADIUS proxy. For NAP, the NPS service can be configured to proxy health information between a NAP enforcement point and an NAP health policy server. For example, NPS proxy is configured on HRAs and NAP-enabled DHCP servers so that they can function as RADIUS clients to a NAP health policy server.

Perimeter network

A computer host or small network inserted as a neutral or boundary network between a private network and a public network such as the Internet. Firewalls isolate perimeter networks both from the Internet and from the private network. A perimeter network is also known as a screened subnet.

Registration authority

The entity that validates entitlement before issuing a credential in a public key infrastructure (PKI) based on the X.509 standard.

Remediation server

A server that noncompliant client computers can use to update their configurations in order to be compliant with health policy requirements. A server running Microsoft Systems Management Server (SMS) or a file transfer protocol (FTP) server that stores antivirus signatures can be remediation servers.

Remote Authentication Dial-in User Service (RADIUS)

A client/server protocol and software that enables network access servers that are configured as RADIUS clients to forward connection requests to a RADIUS server for authentication, authorization, and accounting (see RFC 2865). In Windows Server 2003, Internet Authentication Service (IAS) is the Microsoft implementation of a RADIUS server and proxy. In Windows Server 2008, the Microsoft implementation of a RADIUS server and proxy is NPS.

Reporting mode

The process of evaluating client compliance with NAP without enforcing restricted network access for noncompliant clients. Noncompliant NAP client computers are not notified of their health status.

Restricted network

For IPsec, a logical portion of the network where client computers that either do not meet health policy requirements or are not capable of asserting their health status are placed. Computers in the restricted network cannot initiate communication to resources in the secure network.

Secure network

For IPsec, a logical portion of a network that client computers can access if they either meet or are exempt from health policy requirements.

Statement of health (SoH)

A declaration from a system health agent (SHA) on a NAP-capable client computer that asserts its health status. SHAs create SoHs and send them to a corresponding system health validator (SHV) on a NAP health policy server.

Statement of health response (SoHR)

The validation of a statement of health (SoH) that a system health validator (SHV) produces and sends to the NAP administration server. The SoHR can contain remediation instructions.

System health agent (SHA)

A NAP-capable client software component that declares a computer’s health state to a NAP Agent in a statement of health (SoH).

System health validator (SHV)

A NAP health policy server software counterpart to a system health agent (SHA). An SHV verifies the statement of health (SoH) made by its corresponding SHA.

  

 

Comparison between enforcement methods

Protection provided

IPsec enforcement design

802.1X enforcement design

VPN enforcement design

DHCP enforcement design

Encrypted communications

Yes

Yes (wireless)
No (wired)

Yes

No

Authenticated communications

Yes

Yes

Yes

No

Software updates

Yes

Yes

Yes

Yes

Operating system updates

Yes

Yes

Yes

Yes

Antivirus software installed

Yes

Yes

Yes

Yes

Antivirus signature up-to-date

Yes

Yes

Yes

Yes

Anti-malware software installed

Yes

Yes

Yes

Yes

Anti-malware signature up-to-date

Yes

Yes

Yes

Yes

Firewall active

Yes

Yes

Yes

Yes

NAP enforcement method

Network restriction method

Protection provided

IPsec enforcement

IPsec policies

Protects resources by authenticating inbound connection.

802.1X enforcement

Virtual LAN (VLAN) or access control list (ACL)

Protects resources accessed using IEEE 802.1X-authenticated wireless or wired devices.

VPN enforcement

IP packet filters

Protects resources accessed using a virtual private network (VPN) connection.

DHCP enforcement

Classless IP subnet and removal of default gateway

Protects resources accessed using an IP address provided by a NAP-enabled DHCP server.

        

key NAP concepts

  • NAP Agent. A service included with Windows Server 2008, Windows Vista, and Windows XP with SP3 that collects and manages health information for NAP client computers.
  • NAP client computer. A computer that has the NAP Agent service installed and running, and is providing its health status to NAP server computers.
  • NAP-capable computer. A computer that has the NAP Agent service installed and running and is capable of providing its health status to NAP server computers. NAP-capable computers include computers running Windows Server 2008, Windows Vista, and Windows XP with SP3.
  • Non-NAP-capable computer. A computer that cannot provide its health status to NAP server components. A computer that has NAP agent installed but not running is also considered non-NAP-capable.
  • Compliant computer. A computer that meets the NAP health requirements that you have defined for your network. Only NAP client computers can be compliant.
  • Noncompliant computer. A computer that does not meet the NAP health requirements that you have defined for your network. Only NAP client computers can be noncompliant.
  • Health status. Information about a NAP client computer that NAP uses to allow or restrict access to a network. Health is defined by a client computer’s configuration state. Some common measurements of health include the operational status of Windows Firewall, the update status of antivirus signatures, and the installation status of security updates. A NAP client computer provides health status by sending a message called a statement of health (SoH).
  • NAP health policy server. A NAP health policy server is a computer running Windows Server 2008 with the Network Policy Server (NPS) role service installed and configured for NAP. The NAP health policy server uses NPS policies and settings to evaluate the health of NAP client computers when they request access to the network, or when their health state changes. Based on the results of this evaluation, the NAP health policy server instructs whether NAP client computers will be granted full or restricted access to the network.

Deploying new health requirements

You can use the same phased approach to add new health requirements to an existing NAP deployment. By creating health policies and network policies that define each possible health state for client computers, you can stage the deployment of individual SHAs and SHVs. This is important due to different release timelines and issues that can be experienced with different SHAs and SHVs, and any associated infrastructure changes. For a summary of health policy and network policy configuration, see Health Policies and Network Policies.

Placement of a NAP Health Policy Server

The NAP health policy server is an essential component of any NAP design. In order for a computer to function as a NAP health policy server, it must be running Windows Server 2008 R2 or Windows Server 2008 and the NPS service must be installed and configured for NAP health evaluation.

The placement of a NAP health policy server on your network determines where NAP client computers will send health credentials for processing. Because the health policy server is a central component of the NAP infrastructure, it must be able to communicate with several other NAP components, such as NAP enforcement points and, if necessary, health requirement servers. To perform domain user authentication for 802.1X and VPN-based connections, the NAP health policy server also requires a connection to a directory service, such as Active Directory Domain Services (AD DS).

When to install a health policy server

All NAP designs described in this guide require that you install at least one NAP health policy server, but you might have more than one health policy server on the network in the following situations:

  • When you need to provide load balancing and failover.
  • When you need to carry out health evaluation locally on multiple enforcement servers.
  • When health policy servers are collocated with multiple domain controllers.

If you use more than one health policy server on your network, policies and settings can be replicated by exporting NPS settings from a primary server and importing these settings to other servers using netsh nps export and netsh nps import commands.

To provide redundancy for a NAP health policy server, you must configure your NAP enforcement servers to forward connection requests to a remote RADIUS server group that contains a primary and secondary health policy server. The NAP configuration of your primary health policy server can be exported to file and then imported to the secondary server so that each is configured identically. If the NAP enforcement server cannot contact the primary health policy server, it will use the secondary health policy server for client health validation.

Placement of a NAP Enforcement Server

NAP enforcement servers grant or deny network access to NAP clients. The type of network access provided depends on the NAP enforcement method you are using. Client computers that are granted access to the network can be allowed unlimited access or their access can be restricted to resources you specify. The level of access is determined after the NAP enforcement server contacts the NAP health policy server. It can be based on several factors, including the authentication method, computer and user identity, and computer health status.

NAP enforcement server

NAP enforcement servers do not typically deny access to authenticated or authorized NAP clients. Their function is to grant access to the network, but this access might be restricted if a client is determined to be noncompliant with health requirements.

When to install an enforcement server

All NAP designs, including the no enforcement design, require a device that provides a level of network access. Because the 802.1X enforcement method uses 802.1X-compliant hardware devices to grant or deny network access, these devices are referred to as NAP enforcement points rather than enforcement servers.

IPsec enforcement server redundancy

To provide HRA server redundancy, configure NAP client computers with more than one HRA server in a trusted server group. Do not configure multiple trusted server groups for redundancy. If there is more than one trusted server group, the NAP client computer will attempt to acquire a health certificate from each group. When you configure more than one URL in a trusted server group and the client does not obtain a health certificate from the URL that is configured first in the order, it will request a health certificate from the next URL in the processing order.

CA response interval

You can also specify a CA response interval in HRA. The CA response interval is the number of minutes that elapse between certificate requests before an HRA server identifies a NAP CA as unavailable. The setting can affect HRA availability because if an HRA server is unable to obtain a certificate from a NAP CA, the HRA will be identified as unresponsive.

802.1X enforcement point redundancy

To provide 802.1X enforcement point redundancy, client computers must be able to connect to more than one device that provides 802.1X network authentication. This is typically accomplished by providing link-level redundancy where client computers are able to use multiple network paths for authentication and authorization.

VPN enforcement server redundancy

To provide VPN server redundancy, client computers must be able to connect to more than one VPN server. This is typically accomplished by using VPN server clustering with network load balancing.

DHCP enforcement server redundancy

To provide DHCP server redundancy, install multiple DHCP servers on a network segment or use a DHCP relay agent that is configured with multiple DHCP servers.

Placement of a NAP Remediation Server

NAP remediation servers provide updates and services to noncompliant client computers. Depending on the design of your remediation network, a remediation server might also be accessible by compliant computers. Some examples of NAP remediation servers include:

  • Antivirus signature servers. If health policies require that computers must have a recent antivirus signature, noncompliant computers must have access to a server to provide these updates.
  • Windows Server Update Services. If health policies require that computers have recent security updates or other software updates, you might provide these by placing WSUS on your remediation network.
  • System Center component servers. System Center Configuration Manager management points, software update points, and distribution points host the software updates required to bring computers into compliance. When you deploy NAP with Configuration Manager, NAP-capable computers require access to computers running these site system roles in order to download their client policy, scan for software update compliance, and download required software updates.
  • Domain controllers. Noncompliant computers might require access to domain services on the noncompliant network for authentication purposes, to download policies from Group Policy, or to maintain domain profile settings.
  • DNS servers. Noncompliant computers must have access to DNS in order to resolve host names.
  • DHCP servers. Noncompliant computers must have access to a DHCP server if the client’s IP profile changes on the noncompliant network or if the DHCP lease expires.
  • Troubleshooting servers. When you configure a remediation server group, you have the option of providing a troubleshooting URL with instructions about how to bring computers into compliance with your health policies. You can provide a different URL for each network policy. These URLs must be accessible on the remediation network.
  • Other services. You might provide access to the Internet on your remediation network so that noncompliant computers can reach remediation services such as Windows Update and other Internet resources.

Placement of a NAP Health Requirement Server

NAP health requirement servers communicate with the NAP health policy server to establish requirements for installed SHVs. An SHV does not always use a health requirement server to obtain health requirements. For example, health requirements for the WSHV are configured only on a health policy server. The design of an SHV determines whether a health requirement server is required. Some examples of NAP health requirement servers include:

  • Antivirus signature servers. An antivirus SHV might contact an antivirus server to determine the date of the most recent antivirus signature.
  • Domain controllers. An SHV might use Active Directory Domain Services (AD DS) to determine whether the client meets current health requirements. For example, the System Center Configuration Manager SHV uses a global catalog server to validate the client’s health state by checking the health state reference published to AD DS.
  • Proprietary servers. As new SHVs are developed, vendors might require that the NAP health policy server communicates with selected vendor services.

When to install a health requirement server

A health requirement server is required only if you have deployed an SHV that uses a health requirement server to obtain current health policy.

Where to place a health requirement server

A health requirement server must be able to communicate with the NAP health policy server. You can install the health requirement server on the same computer as the health policy server if resources are sufficient. If these services are installed on separate computers, the health requirement server must maintain network connectivity to the NAP health policy server.

Planning redundancy for a health requirement server

If health requirement servers support them, you can use scalability and availability technologies, such as network load balancing, to provide redundancy. Alternatively, an SHV vendor might incorporate server redundancy into the functionality or configuration of the SHV.

Isolation scenarios

With NAP, access can be controlled by:

  • Client identity
  • Client health
  • Client identity and client health

Isolation based on identity

Identity-based isolation is performed by each client and server by validating credentials before allowing access to the network or before accepting an incoming network communication. Credentials can be provided in multiple forms as long as both hosts trust the credential provider. This type of network isolation provides clients and servers with protection by blocking access to client computers and users that cannot be authenticated. In this solution, hosts can initiate communication to other computers or accept communications from specific resources only if permitted by an identity-based network policy. NAP health policies can be configured for user- or computer-based identity verification, or a combination of both.

Isolation based on health

Like identity-based isolation, this concept uses a credential to control access to the isolated network. In this scenario, clients and servers within the isolated network need to know the health state of another host before accepting any network communication. Health state is defined by administrative policy using the NAP health policy server. A health policy might require specified antivirus signatures and update levels and other host security settings. Rather than using a corporate directory and authentication service, the client’s health status can provide the credentials for access to the isolated network. Clients and servers that are noncompliant with health requirements cannot communicate with hosts within the isolated network. However, remediation servers are available to those hosts to help them meet health requirements. After health requirements are met, the host can access the isolated network.

Isolation based on identity and health

By combining identity-based isolation with heath evaluation, you have the flexibility to create zones within your network with varied levels of accessibility, trust, and protection. You can confine access to users you trust or provide unrestricted user access. Regardless of the level of authentication required, you can improve levels of protection against network attacks by combining this authentication with health assurance.

 

The following is the things you can enforce out of the box

  • Firewall. If selected, the client computer must have a firewall that is registered with WSC and enabled for all network connections.
  • Virus Protection. If selected, the client computer must have an antivirus application installed, registered with WSC, and turned on.
  • Antivirus is up to date. If selected, the client computer can also be checked to ensure that the antivirus signature file is up-to-date.
  • Spyware Protection. If selected, the client computer must have an antispyware application installed, registered with WSC, and turned on.
  • Antispyware is up to date. If selected, the client computer can also be checked to ensure that the antispyware signature file is up-to-date. Spyware protection applies only to NAP clients running Windows Vista.
  • Automatic Updating. If selected, the client computer must be configured to check for updates from Windows Update. You can choose whether to download and install them.
  • Security Update Protection. If selected, the client computer must have security updates installed based on one of four possible values that match security severity ratings from the Microsoft Security Response Center (MSRC). The client must also check for these updates using a specified time interval. You can use choose to use Windows Server Update Services (WSUS), Windows Update, or both to obtain security updates.

NAP enforcement modes

  • Reporting mode. Noncompliant computers do not receive NAP notifications and no network access restriction occurs. The health status of client computers is logged. To implement reporting mode, use a NAP enforcement setting of Allow full network access in noncompliant network policy.
  • Deferred enforcement mode. Noncompliant computers receive NAP notifications, but no network access restriction occurs until the date that you specify. The health status of client computers is logged. To implement deferred enforcement mode, use a setting of Allow full network access for a limited time in noncompliant network policy.
  • Full enforcement mode. Noncompliant computers receive NAP notifications and network access is restricted. The health status of client computers is logged. To implement full enforcement mode, use a setting of Allow limited access in noncompliant network policy.

NAP Capacity Planning

NAP use decentralized platform so unless you have more than 50000 client don’t worry about it . we usually use load balancing just for the High availability

NAP Requirements

NAP health policy servers

Hardware requirements

Component

Minimum

Recommended

Single CPU speed

2.5 GHz

3.5 GHz or faster

Dual CPU speed

2.0 GHz

3.0 GHz or faster

RAM

2.0 GB

4.0 GB or more

Disk space

10 GB

100 GB or more

NAP enforcement servers

Hardware requirements

Component

Minimum

Recommended

Single CPU speed

2.0 GHz

3.0 GHz or faster

Dual CPU speed

1.5 GHz

2.5 GHz or faster

RAM

2.0 GB

4.0 GB or more

Disk space

10 GB

100 GB or more

NAP CA servers

Hardware requirements

Component

Minimum

Recommended

Single CPU speed

2.0 GHz

3.5 GHz or faster

Dual CPU speed

1.5 GHz

2.5 GHz or faster

RAM

2.0 GB

4.0 GB or more

Disk space

250 GB

1000 GB or more

Average access time

15.0 ms

10.0 ms or less

Average transfer rate

75 MB/second

100 MB/second or faster

Server software requirements

The following table describes server software requirements for a NAP deployment.

Component

Minimum

Minimum role services

NAP health policy server

Windows Server 2008

NPS

HRA

Windows Server 2008

NPS, HRA, IIS

VPN enforcement server

Windows Server 2008

RRAS

DHCP enforcement server

Windows Server 2008

DHCP, NPS

NAP CA

Windows 2000 Server*

AD CS

Remediation server

N/A**

N/A**

Health requirement server

N/A**

N/A**

NAP Client Computers

To access the network, a NAP client first collects information about its health from locally installed software called system health agents (SHAs). Each SHA installed on the client computer provides information about current settings or activity that it is designed to monitor. Information from SHAs is collected by the NAP Agent, which is a service running on the local computer. The NAP Agent service summarizes the health state of the computer and passes this information to one or more NAP enforcement clients. An enforcement client is software that interacts with NAP enforcement points to access or communicate on the network.

SHAs

On client computers, SHAs perform system health updates and publish their status in the form of SoHs to the NAP Agent service. An SoH contains information that NAP health policy servers can use to verify the health state of the client computer. For example, an SoH might contain information that Windows Firewall is turned off.

Each SHA is matched to a system health validator (SHV) on the server side of the NAP platform architecture. The corresponding SHV returns a statement of health response (SoHR) to the client, informing it of what to do if the SHA is not in a required state of health. For example, the SoHR sent by an antivirus SHV might instruct the corresponding antivirus SHA to request the latest version of the antivirus signature file from an antivirus signature server. The SoHR can also include the name or IP address of the antivirus signature server.

The SHA can use a locally installed system health component to assist in system health management functions in conjunction with a remediation server. For example, a software update SHA can use the locally installed software update client software to perform version checking and installation functions with the software update server (the remediation server).

NAP Agent

The NAP Agent is client software that coordinates information between SHAs and NAP enforcement clients. The NAP Agent provides the following services:

  • Collects and caches the SoHs from each SHA. The SoH cache is updated whenever an installed SHA supplies a new or updated SoH.
  • Supplies the list of SoHs to the NAP enforcement clients upon request.
  • Passes notifications to SHAs when network access state changes.
  • Stores the system health state and collects status information from each SHA.
  • Passes SoHRs to the appropriate SHAs.
  • Instructs SHAs about whether to automatically remediate system health.

Enforcement clients

A NAP enforcement client requests access to a network, passes the computer’s health status to a NAP enforcement point that is providing the network access, and informs other components of the NAP client architecture of the level access that is granted. Each NAP enforcement client is defined for a different type of network access or communication. For example, there is a NAP enforcement client for VPN connections and a NAP enforcement client for DHCP configuration. The NAP enforcement client is typically matched to a type of NAP enforcement point. For example, the DHCP NAP enforcement client is designed to work with a DHCP-based NAP server. Some NAP enforcement clients are provided with the NAP platform. Non-Microsoft software vendors can provide others.

DHCP Enforcement Design

Using DHCP enforcement, you can enforce health policy when a computer attempts to lease or renew an Internet Protocol version 4 (IPv4) address. The DHCP server limits the client’s network access to the restricted network by providing a limited IPv4 address configuration. If client computers are configured with a static IP address, DHCP enforcement is not effective.

Reasons to choose DHCP enforcement

The following are the benefits of the DHCP enforcement design.

  • Simple to implement: Does not require that you configure additional hardware on your network and is the easiest to implement of all the NAP enforcement methods in a small deployment scenario.
  • Uses existing network design: If you have already deployed Microsoft DHCP servers on your network, these servers can be upgraded to support NAP with DHCP enforcement.

Components of a DHCP enforcement design

NAP with DHCP enforcement requires that the following components are deployed on your network:

  • A NAP health policy server running Windows Server 2008 R2 or Windows Server 2008 with the Network Policy Server (NPS) role service installed.
  • A NAP DHCP enforcement server running Windows Server 2008 R2 or Windows Server 2008 with the DHCP service and NPS role service installed.
  • DHCP NAP-enabled client computers running Windows 7, Windows Vista, Windows Vista with Service Pack 1 (SP1), Windows XP with SP3, Windows Server 2008, or Windows Server 2008 R2.

DHCP NAP noncompliant client restriction and remediation

1. A NAP client computer detects a change in its health state and sends its health credentials to the DHCP service on a NAP-enabled server.

2. The DHCP service forwards the client’s health credentials to NPS for analysis.

3. NPS determines that the client computer is noncompliant with health requirements and instructs the DHCP service to provide a noncompliant IPv4 address configuration.

4. The DHCP service responds to the client with the results of the health evaluation and provides an IPv4 address configuration for restricted access.

5. Network access of the client computer is restricted to a remediation server only.

6. If required, the client computer requests updates from a remediation server.

7. The remediation server provides required updates to make the client computer compliant with health requirements.

8. A change in health state causes the client computer to send updated health credentials to the DHCP server.

9. The DHCP service forwards the client computer’s health credentials to NPS for analysis.

10. NPS determines that the client computer is compliant with health requirements and instructs the DHCP service to provide a compliant IPv4 address configuration.

11. The DHCP service responds to the client and provides an IPv4 address configuration for full network access.

12. Full network access is restored to the client computer.

DHCP enforcement

In a DHCP enforcement design, noncompliant NAP client computers are provided with classless static host routes to each member device that is configured in a remediation servers group using the NPS console. If remediation servers are located on a subnet different from the subnet on which NAP clients appear, the DHCP server uses the 003 Router option from the default NAP class to provide noncompliant computers with static host routes to remediation servers. The routing device configured in this scope option must be capable of forwarding requests from noncompliant NAP clients to the remediation server. You can also configure classless static host routes to remediation servers by using scope option 121 in the default NAP class.

DHCP Enforcement Configuration

The following sections provide a configuration summary for each component in a NAP deployment that uses the DHCP enforcement method.

NAP health policy server

The NAP health policy server uses the NPS role service with configured health policies and system health validators (SHVs) to evaluate client health based on administrator-defined requirements. Based on results of this evaluation, NPS instructs the DHCP server to provide full access to compliant NAP client computers and to restrict access to client computers that are noncompliant with health requirements.

Configuration summary

The administrator must define the following on the NAP health policy server:

  • RADIUS clients: If DHCP is installed on a separate computer, the NAP DHCP server must be configured as a RADIUS client in NPS. You must also select RADIUS client is NAP-capable.
  • Connection request policy: Source is set to DHCP server. Policy is configured to authenticate requests on this server.
  • Network policies: Source is set to DHCP server. Compliant, noncompliant, and non-NAP-capable policies are set to grant access. Compliant network policy conditions are set to require the client to match compliant health policy. Noncompliant network policy conditions are set to require the client to match noncompliant health policy. Non-NAP-capable network policy conditions are set to require the client is not NAP-capable. Full access is granted for compliant computers. For full enforcement mode, limited access is granted for noncompliant computers. Either full or limited access is granted for non-NAP-capable computers. If policies are filtered by DHCP scope, then MS-Service Class is configured in policy conditions.
  • Health policies: Compliant health policy is set to pass selected SHVs. Noncompliant policy is set to fail selected SHVs.
  • System health validators: Error codes are configured. Depending on the SHV, health checks are configured on the NAP health policy server or the health requirement server.
  • Remediation server groups: Remediation server groups are required to provide access to resources other than the DHCP server. The NAP DHCP server should not be added to remediation server groups.
NAP DHCP server

The NAP DHCP server is a server running Windows Server 2008 or Windows Server 2008 R2 with the DHCP server role installed and running. Additionally, if this server is not also the NAP health policy server, it must have the NPS role service installed, running, and configured to forward connection requests to the NAP health policy server. The NAP DHCP server restricts noncompliant client access by providing a limited IP address configuration to computers that do not meet health requirements. A limited access configuration has a subnet mask of 255.255.255.255 and no default gateway. Static host routes are provisioned to provide access to the DHCP server and any servers that have been added to remediation server groups on the NAP health policy server.

Configuration summary

The administrator must define the following settings on the NAP DHCP server:

  • Remote RADIUS server groups: If connection requests are forwarded from the DHCP server to a NAP health policy server on another computer, you must configure the NPS service on the NAP DHCP server to forward connection requests to the NAP health policy server. This setting is not required if the NAP DHCP server is also the NAP health policy server.
  • NAP-enabled scopes: In order to use a DHCP scope with NAP, you must enable it specifically for NAP in scope properties under NAP settings.
  • Default user class: You must configure any required scope options for computers that are compliant with health requirements.
  • Default NAP class: You must configure any required scope options for computers that are noncompliant with health requirements. A default gateway is not provided to noncompliant computers regardless of whether the 003 Router option is configured here.
DHCP NAP-enabled client computer

A DHCP NAP-enabled client computer is a computer running Windows 7, Windows Vista, Windows Vista with SP1, Windows XP with SP3, Windows Server 2008 R2, or Windows Server 2008. NAP client settings can be configured using Group Policy or local computer policy. For more information about NAP client configuration, see NAP Client Computers.

Configuration summary

The administrator must define the following settings on a DHCP NAP-enabled client computer:

  • NAP Agent service: In order for the client to be considered NAP-capable, the NAP Agent service must be running. You can start the NAP Agent service using Group Policy or local policy settings.
  • IP address configuration: The client network connection must be configured to obtain an IPv4 address configuration automatically.
  • DHCP enforcement client: Can be enabled using either Group Policy or local policy settings. If both are configured, then Group Policy settings will override local policy settings.
  • System health agents: No configuration is required to use WSHA. If other SHAs are required, these must be installed and successfully initialized and registered with the NAP Agent service. WSHA is not supported if the NAP client computer is running Windows Server 2008 or Windows Server 2008 R2.

Now our test environment will contains the following elements

DC+DHCP windows 2008R2

NAP server 2008 R2

WSUS server

Windows 7 ent.

First step creating a computer group to the nap clients ( I will call it NAP client computers )

clip_image002

Next Steps install the Network protection (the Radius client on the DHCP and the health policy server ) we will do the same on both servers

We start the add role wizard

clip_image004

Install only network policy server

clip_image006

And installation done

clip_image008

 

See you In Part 2

Related Posts

Tags: , , , ,
Posted in NAP

2 Responses to “Network access protection (NAP) a practical point of view (Part1)”


  1. MT

    Hi,
    Thanks for excellent writing. Where is part 2 ?

    January 17th, 2013 at 6:32 PM

  2. Ahmed Hussein

    http://ahmedhusseinonline.com/2012/01/network-access-protection-nap-a-practical-point-of-view-part2/

    January 22nd, 2013 at 7:38 AM

Leave a Reply

CAPTCHA Image
*