Network Access Protection (NAP) from a practical point of view (Part 2)
In part one we explained the essentials of Network Access Protection. This part walks through DHCP enforcement step by step: the health server (NPS), the DHCP server's NPS proxy, the DHCP scope, the client GPO, and finally testing on a client.
Now, on the health server, start the Network Policy Server (NPS) console and click Configure NAP.
In the wizard, select DHCP as the network connection method.
Give the policy a name.
Next, specify the DHCP servers that will act as RADIUS clients: click Add.
Give the server a name and choose a shared secret. The shared secret is a password that lets the two servers trust each other; pick a long random value rather than a word, and write it down, because exactly the same value has to be entered on the DHCP server later.
Once the server has been added, proceed to the next step.
Skip the next page (DHCP scopes); we will enable NAP on the scopes from the DHCP server instead.
Next, select the machine group we created earlier (the group of NAP client computers).
Next, create a remediation server group: click New Group.
Give the group a name and add servers to it (don't forget to add the Active Directory domain controllers to the list; a restricted client still needs to reach them).
The group is now added (note: you can also enter the URL of a web page that helps users fix their machines).
Now make sure you select the following:
· Windows Security Health Validator
· Enable auto…
· Allow full network access
And we are done with the wizard.
Now let's review what the wizard created:
· A RADIUS client (the DHCP server)
· A connection request policy
· Three network policies (compliant, noncompliant and non-NAP-capable)
· Two health policies (compliant and noncompliant)
Everything looks OK.
The next step is to configure the Windows Security Health Validator: open the Default Configuration (instead of changing the default you can create a new configuration and select it in the health policies above).
This is the default.
I will use only:
· the firewall
· the antispyware
· the updates
My configuration will look like this:
For the next step we move to the DHCP server and open NPS there.
Select Remote RADIUS Server Groups.
Right-click it and select New.
Click Add and type the health server's name or IP address.
Now go to the Authentication/Accounting tab and enter the same shared secret you chose on the health server.
And we are done.
Now open Policies / Connection Request Policies and create a new one.
Add a Day and Time Restrictions condition (allow all days and hours, so the policy matches every request).
Select "Forward requests to the following….." and choose the remote RADIUS server group you just created.
And finish.
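The same two NPS steps (registering the DHCP server as a RADIUS client on the health server, and creating the remote RADIUS server group on the DHCP server) can be scripted. The following is an added example, not code from the original post: it generates a strong shared secret and drives netsh nps from an elevated PowerShell prompt. It assumes the NPS role is installed on both hosts, that the host names and IP addresses shown are placeholders, and that the netsh nps argument names match the documented Windows Server 2008/2008 R2 syntax; confirm them with `netsh nps add client ?` on your build before relying on them.

```powershell
# Added example (not from the original post): NPS side of NAP DHCP enforcement via netsh.
# Assumptions: NPS role on both hosts, elevated prompt, placeholder names/addresses,
# netsh nps argument names as documented for Server 2008/2008 R2.

function New-RadiusSharedSecret {
    param([int]$Length = 32)
    # The shared secret is the only thing authenticating the DHCP server to NPS, so
    # generate a long random one. Letters and digits only, so it survives netsh quoting.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $chars = New-Object System.Collections.Generic.List[char]
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($buf)
        # 248 = 4 * 62: reject the top byte values to avoid modulo bias
        if ($buf[0] -lt 248) { $chars.Add($alphabet[$buf[0] % 62]) }
    }
    return (-join $chars)
}

function Invoke-Netsh {
    param([string[]]$Arguments)
    $output = & netsh @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        # Redact secrets before they end up in a log or an error message
        $shown = ($Arguments -replace '(sharedsecret=).*', '$1***') -join ' '
        throw "netsh $shown failed: $output"
    }
    return $output
}

function Register-NapDhcpRadiusClient {
    # Run on the health server: adds the DHCP server as a NAP-capable RADIUS client.
    param([string]$Name, [string]$Address, [string]$Secret)
    Invoke-Netsh @('nps', 'add', 'client', "name=$Name", "address=$Address", 'state=ENABLE',
                   "sharedsecret=$Secret", 'requireauthattrib=NO', 'napcompatible=YES')
}

function Register-NapHealthServerGroup {
    # Run on the DHCP server: creates the remote RADIUS server group that its local NPS
    # forwards health requests to, using the secret the health server already knows.
    param([string]$GroupName, [string]$HealthServer, [string]$Secret)
    Invoke-Netsh @('nps', 'add', 'remoteservergroup', "name=$GroupName")
    Invoke-Netsh @('nps', 'add', 'remoteserver', "remoteservergroup=$GroupName",
                   "address=$HealthServer", "authsharedsecret=$Secret",
                   "acctsharedsecret=$Secret", 'priority=1', 'weight=50')
}

# Generate the secret once and use the same value on both hosts (move it over a secure channel):
$secret = New-RadiusSharedSecret
# On the health server (NPS01, 10.0.0.5):
#   Register-NapDhcpRadiusClient -Name DHCP01 -Address 10.0.0.10 -Secret $secret
# On the DHCP server (DHCP01, 10.0.0.10):
#   Register-NapHealthServerGroup -GroupName NAP-Health-Servers -HealthServer 10.0.0.5 -Secret $secret
```

Group and client names are kept free of spaces on purpose, so each `key=value` token reaches netsh unquoted; the connection request policy that forwards to the group is still created in the console as described above.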
Now open the DHCP console.
Go to the scope properties and, on the Network Access Protection tab, enable NAP for that scope.
Next go to Scope Options.
Go to Advanced.
Select Default Network Access Protection Class as the user class.
Now enter all the options we need. Options set under this class are the ones a restricted (noncompliant) client receives, typically a DNS server and DNS suffix; a restricted client is handed a 255.255.255.255 subnet mask and no default gateway, with host routes only to the remediation servers, so it must be able to reach those servers with whatever you configure here.
The final result:
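The scope side can also be done with the DhcpServer PowerShell module (Windows Server 2012/2012 R2, the last releases that ship NAP); on Server 2008 the console steps above are the way to do it. The following is an added example, not code from the original post. The scope ID, DNS addresses and suffix are placeholders, and the report function shows what to compare when checking the "final result": the NAP flag on the scope and the options under the NAP class versus the normal scope options.

```powershell
# Added example (not from the original post): enable NAP on a DHCP scope and set the
# options restricted clients get, using the DhcpServer module (Server 2012/2012 R2).
# Assumptions: elevated prompt on the DHCP server; ScopeId and DNS values are placeholders.
Import-Module DhcpServer

$NapUserClass = 'Default Network Access Protection Class'   # built-in class created by the DHCP role

function Enable-NapOnScope {
    param(
        [string]$ScopeId,                 # e.g. 10.0.0.0
        [string[]]$RestrictedDnsServers,  # DNS a restricted client may use (reachable via the remediation group)
        [string]$RestrictedDnsSuffix
    )
    if (-not (Get-DhcpServerv4Class | Where-Object { $_.Name -eq $NapUserClass })) {
        throw "User class '$NapUserClass' not found; this DHCP server does not appear to support NAP."
    }
    # Same as the Network Access Protection tab in the scope properties.
    # Leaving NapProfile unset means "use the default NPS profile".
    Set-DhcpServerv4Scope -ScopeId $ScopeId -NapEnable $true

    # Options set under the NAP user class are what noncompliant clients receive. They get a
    # 255.255.255.255 mask and no default gateway regardless, and the host routes to the
    # remediation servers come from the remediation server group defined in NPS, so only
    # DNS servers (006) and DNS suffix (015) are set here.
    Set-DhcpServerv4OptionValue -ScopeId $ScopeId -UserClass $NapUserClass -OptionId 6  -Value $RestrictedDnsServers
    Set-DhcpServerv4OptionValue -ScopeId $ScopeId -UserClass $NapUserClass -OptionId 15 -Value $RestrictedDnsSuffix
}

function Get-NapScopeReport {
    param([string]$ScopeId)
    [pscustomobject]@{
        NapEnabled        = (Get-DhcpServerv4Scope -ScopeId $ScopeId).NapEnable
        RestrictedOptions = Get-DhcpServerv4OptionValue -ScopeId $ScopeId -UserClass $NapUserClass
        NormalOptions     = Get-DhcpServerv4OptionValue -ScopeId $ScopeId
    }
}

# Enable-NapOnScope -ScopeId 10.0.0.0 -RestrictedDnsServers 10.0.0.5 -RestrictedDnsSuffix corp.example
# Get-NapScopeReport -ScopeId 10.0.0.0   # NapEnabled should be True; RestrictedOptions lists only 006 and 015
```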
Now for the final step: create the GPO so that the clients receive the configuration.
Give it a name.
Under Security Filtering, remove Authenticated Users and add the NAP client computers group we created. (Caveat: since the June 2016 group policy security update, MS16-072, a computer must still be able to read a GPO for it to apply, so on the Delegation tab leave Authenticated Users or Domain Computers with Read permission, without Apply, rather than removing them completely.)
Now we edit the policy.
Go to
Computer Configuration/Policies/Windows Settings/Security Settings/System Services/Network Access Protection Agent and set the startup type to Automatic.
Now go to Computer Configuration\Policies\Windows Settings\Security Settings\Network Access Protection\NAP Client Configuration\Enforcement Clients
and enable the DHCP Quarantine Enforcement Client.
Next you can adjust the User Interface Settings (the title, text and image shown to users of a restricted machine).
The last step is to enable Security Center, with the setting Turn on Security Center (Domain PCs only), under
Computer Configuration\Policies\Administrative Templates\Windows Components\Security Center
The NAP configuration is now good to go.
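The GPO can be built with the GroupPolicy module (Windows Server 2008 R2 or later, or RSAT) instead of clicking through the editor. The following is an added example, not code from the original post. It assumes the registry paths are the ones the NAP and Security Center ADMX templates write (79617 is the DHCP Quarantine Enforcement Client ID), that the group name and OU are placeholders, and that the Network Access Protection Agent startup type, which lives in the System Services security template these cmdlets cannot edit, is still set in the editor as described above. It also implements the security-filtering caveat: Authenticated Users keeps Read without Apply.

```powershell
# Added example (not from the original post): create the NAP client GPO with the GroupPolicy module.
# Assumptions: registry paths as written by the NAP and Security Center ADMX files; placeholder
# group/OU names; NAP agent service startup type is set separately in the GPO editor.
Import-Module GroupPolicy

function New-NapClientGpo {
    param(
        [string]$GpoName     = 'NAP Client Configuration',
        [string]$ClientGroup = 'NAP Client Computers',   # group of NAP client computers
        [string]$LinkTarget                              # e.g. 'OU=Workstations,DC=corp,DC=example'
    )
    New-GPO -Name $GpoName | Out-Null

    # Security filtering: only members of the NAP computer group apply the policy.
    # Authenticated Users keeps Read (not Apply): since MS16-072 the computer account
    # must be able to read the GPO or it is silently skipped.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $GpoName -TargetName $ClientGroup -TargetType Group `
        -PermissionLevel GpoApply | Out-Null

    # NAP Client Configuration > Enforcement Clients > DHCP Quarantine Enforcement Client (ID 79617) = Enabled
    Set-GPRegistryValue -Name $GpoName `
        -Key 'HKLM\SOFTWARE\Policies\Microsoft\NetworkAccessProtection\ClientConfig\Enforcement Clients\79617' `
        -ValueName Enabled -Type DWord -Value 1 | Out-Null

    # Administrative Templates > Windows Components > Security Center > Turn on Security Center (Domain PCs only)
    Set-GPRegistryValue -Name $GpoName `
        -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SecurityCenter' `
        -ValueName SecurityCenterInDomain -Type DWord -Value 1 | Out-Null

    if ($LinkTarget) { New-GPLink -Name $GpoName -Target $LinkTarget -LinkEnabled Yes | Out-Null }

    # Show the resulting delegation so the Read-vs-Apply split can be checked
    Get-GPPermission -Name $GpoName -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
}

# New-NapClientGpo -ClientGroup 'NAP Client Computers' -LinkTarget 'OU=Workstations,DC=corp,DC=example'
```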
Add the machines that should become NAP clients to the group.
Now, on the client, run gpupdate /force and restart.
Let's test whether the GPO applied by running
netsh nap client show grouppolicy
Under the DHCP Quarantine Enforcement Client, Admin should be Enabled.
Next, test whether the agent is initialized by running
netsh nap client show state
Initialized must be Yes.
Now some things to test to make sure everything works as it should:
Try to stop the firewall (it should start again automatically, since auto-remediation is on).
Change the Windows Security Health Validator (in my case I added the antivirus requirement, and since I don't have AV on the machine, the machine becomes restricted).
Remember that DHCP enforcement re-evaluates the policy only when a machine obtains or renews a lease, so a policy change is felt at the next renewal (ipconfig /renew forces one). Keep in mind too that DHCP enforcement only constrains machines that ask for a lease: a user with local administrator rights can set a static IP address and bypass it, so treat it as a compliance nudge rather than a security boundary.
Now you have an agent on all of your machines that keeps trying to update them. Even the pilot user (the one who only plugs in his laptop a few hours a month) gets updated as soon as he plugs in.
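The client-side checks above can be wrapped in a small script that reports the GPO, agent and restriction state, exercises auto-remediation, and forces the lease renewal that triggers a re-evaluation. This is an added example, not code from the original post. It assumes an elevated prompt on a NAP client and that the regular expressions match the English netsh nap output ("Admin = Enabled", "Initialized = Yes", "Restriction state = Restricted"); adjust them for other locales.

```powershell
# Added example (not from the original post): NAP client health checks wrapping netsh.
# Assumptions: elevated prompt on a NAP client; English netsh output for the regexes below.

function Get-NapClientStatus {
    $gp    = (netsh nap client show grouppolicy) -join "`n"
    $state = (netsh nap client show state)       -join "`n"
    [pscustomobject]@{
        AgentRunning  = (Get-Service napagent).Status -eq 'Running'
        # DHCP Quarantine Enforcement Client pushed by the GPO and switched on
        DhcpEcEnabled = [bool]($gp -match 'DHCP Quarantine Enforcement Client[\s\S]*?Admin\s*=\s*Enabled')
        Initialized   = [bool]($state -match 'Initialized\s*=\s*Yes')
        Restricted    = [bool]($state -match 'Restriction state\s*=\s*Restricted')
    }
}

function Test-NapAutoRemediation {
    # Turn the firewall off and wait for the NAP agent to turn it back on.
    param([int]$TimeoutSeconds = 120)
    netsh advfirewall set allprofiles state off | Out-Null
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 5
        $on = [bool]((netsh advfirewall show currentprofile) -match 'State\s+ON')
    } until ($on -or (Get-Date) -gt $deadline)
    return $on
}

function Invoke-NapReevaluation {
    # DHCP enforcement only re-checks health when a lease is obtained or renewed, so force one.
    ipconfig /renew | Out-Null
    Get-NapClientStatus
}

# Get-NapClientStatus       # AgentRunning, DhcpEcEnabled and Initialized should all be True
# Test-NapAutoRemediation   # True when the firewall came back on by itself
# Invoke-NapReevaluation    # run after tightening the SHV; Restricted should flip to True
```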