In this section I will look at Network Access Protection. Network Access Protection is a system in Windows Server 2008 that allows you to either allow or deny computers onto your network based on a number of health checks.

In this video, I will look at what Network Access Protection, or NAP, is. Next I will look at the NAP process. This is the process each client goes through when it starts up and tries to access the network. Like most systems on Windows Server 2008 there are components which make it work. I will go through each of the NAP components and explain how they work. With NAP there are a lot of systems that make it work correctly. Understanding each of these systems provides the foundation for using NAP on your network.

Once you understand the components that make up NAP, I will look at a typical NAP layout. This NAP layout is only really used on large scale networks. If you have a small network you may not want or need to go to these lengths, but seeing a network like this does help you understand the fundamentals of NAP. Lastly I will configure NAP for DHCP. NAP for DHCP is fairly easy to configure. Once you understand how to configure NAP for DHCP, you will be able to use NAP on other parts of your network.
NAP, or Network Access Protection, is a new role in Windows Server 2008. Formerly, in Windows Server 2003, it was called Network Access Quarantine Control. NAP in a nutshell protects the integrity of your network. It does this by performing health checks on your computers. NAP can check that your antivirus and antispyware software is up to date and even check that service packs and updates are installed on the computer. If the computer does not meet the health checks, NAP can isolate the computer from the rest of the network. This prevents, for example, a computer without antivirus software being allowed on the network. I once had an end user remove the antivirus from her computer because she felt it was slowing the computer down. If this was to happen with NAP running, you could isolate the computer from the rest of the network, as without antivirus software the computer could become compromised and infect other computers on the network. With NAP, you can allow the computer to receive updates so it can pass the health checks, for example by having the antivirus software installed. It should be pointed out that NAP does not offer any protection against malicious users. If you have a disgruntled employee and their computer passes all the health checks, they can still get on the network and cause a lot of damage.

To understand how NAP works it is a good idea to understand the process NAP goes through when a computer starts up. When the computer starts up it does a health check. You can determine what you want to check for; common checks include that service packs are installed, that antivirus and antispyware software are installed and up to date, and that a firewall is enabled. When the computer attempts to access the network, the health statement is sent to the NAP enforcement point. What is a NAP enforcement point? This is a point on the network that checks the computer's health and determines what parts of the network that computer will have access to.
There are different types of NAP enforcement points supported by Windows Server 2008. First there is the DHCP server. IP addresses can be allocated to clients based on passing or failing their health checks. Next there is VPN. When a client connects via a VPN it is first checked to make sure it passes all the health checks. A VPN server is an easy place for a network to become infected, so it is also a good place to configure NAP. Next you have the 802.1X access control standard used on network equipment. If your switches or network devices support it, you can determine which ports are available to a client depending on whether they pass or fail their health checks. Next you have Terminal Services Gateway. NAP interfaces with Terminal Services Gateway, allowing it to allow or deny clients based on NAP health checks. NAP can also be used with IPsec. When a computer passes its health check it is given a certificate. This certificate is used with IPsec to make a connection to the server.
When a NAP enforcement point receives a health statement from a client, the statement is forwarded on to your NAP server. The NAP server can then determine if the health statement is valid and returns an approve or deny response back to the enforcement point. This works well to stop a computer accessing the network, but stopping it accessing the network will also stop it getting any updates and stop it from becoming compliant.

So what do you do when a computer fails its health checks? Firstly, you can do nothing. Simply put, the computer failing the health check is recorded and logged. You can view the log and see which computers need updates. When you first install NAP on your network it is recommended that you run NAP in report-only mode. The last thing you want to do is stop a lot of your computers accessing the network when you install NAP. When you first install NAP, look at the NAP logs and see what needs to be done to bring your computers up to date. Bring your computers up to date before you start denying access. Your end users will thank you for it. In the real world, your end users will probably not thank you for it, but in the IT world, no news is often good news. Once you are happy with your settings you can of course deny access to the network. This can still cause problems. Denying access to the network means the computer can't get any updates.
To solve this problem, NAP allows the computer to access a remediation network. When the client connects to the network it fails its health check and is denied access to the main network. The client is, however, allowed access to the remediation network, where it can access updates. Once the computer is up to date, it will then be allowed to access the main network. NAP is very configurable; the solution you put in place and your needs will determine whether you put a remediation network into place. It is not uncommon for the remediation network to be part of the main network. In this scenario the computer is allowed access to the network while it is in the process of being updated. In some NAP configurations you can have both the remediation and main network on the same network, for example if you are using IPsec for enforcement. With IPsec, the certificate is allocated only once the health check is passed. Without the certificate, the client can't create an IPsec connection. With IPsec, you change the servers' configuration to only allow NAP IPsec connections.

When deploying NAP, consider if you want to isolate the clients on their own network or simply deny them access to parts of the network till they are compliant.
There are many different components that make NAP work. On the client there is a system health agent, or SHA. The SHA reports the health of the client to an enforcement point. For example, if you use NAP with DHCP, when the client requests an IP address from the DHCP server, the DHCP server will receive a health statement from the client. The agent that provides this health statement comes already installed on Windows Server 2008, Windows 7, Windows Vista and Windows XP with Service Pack 3. There is room, however, for third parties to develop their own SHAs. These third-party SHAs could add additional checks or run on additional operating systems. Once the client has provided a health statement, this is passed on to a system health validator, or SHV. The SHV is part of the Network Policy Server component and must be installed on Windows Server 2008. With the SHV you can also get it to work with RADIUS. This is useful, for example, if you want to use 802.1X. The last part of a NAP deployment is remediation servers. These are optional on your network, but if you did install them they would provide things like updates to antivirus and Windows updates through services like WSUS. As you can see, there are a lot of components to NAP and there are many different ways you can configure NAP depending on your needs.

Let's have a look at a typical NAP layout that may be used in a large company. On this network, when a computer connects up to the network, one of three things happens. Firstly, if the computer meets its health requirements it is allowed access to the production network. For the computer to do this, it must support NAP and NAP must also be correctly configured.
If the computer supports NAP but fails its health checks, it is given access to the remediation network. Since the computer does not meet the health checks, it may have a virus on it, which makes it potentially dangerous to have on the production network. To reduce the risk, a read-only domain controller can be deployed on the remediation network. The computer should be able to get updates from this network but, since the network is isolated, should not be able to infect any of the computers in the production network. Finally, if the computer does not support NAP, it is transferred to a guest network. This may be the case if you have visitors from another company plugging in to your network. If this is the case you want them to have access to basic services from your network, like accessing the company web site and the internet, but nothing else. To do this, a web proxy could be installed so they can access information but can't access any confidential data or any other company systems. As you can see, there are many different ways you can configure NAP; it all depends on how many servers and networks you want to set up.

To start using NAP you need to decide on what type of enforcement you want to use. I will start by looking at configuring NAP for DHCP, as configuring NAP for DHCP is very simple to set up and a good way to get your feet wet. When a client connects to the network, if it is compliant, it will get full IP configuration and access to the network. If the computer is not compliant, you have the option to give the client limited IP configuration. When this occurs, you can add entries to the client routing table so it can access computers on the network, for example a remediation server. NAP for DHCP is simple to set up and use, but offers the least amount of security. This is because it does not stop a user manually setting their own IP address. If an end user has enough IT knowledge, they can manually set their own IP address and bypass NAP completely.

Let's have a look at how to configure NAP for DHCP. To run DHCP NAP enforcement on your network, you first need to install Network Policy Server. This is essentially the heart of NAP. To do this, run Server Manager and then select the option Add Roles. The component that I require is part of Network Policy and Access Services; select Network Policy and Access Services from the list and move on. The component that we require from Network Policy and Access Services is Network Policy Server.
In this example I will install Network Policy Server on a different server than DHCP. It is easier for you to install DHCP and Network Policy Server on the same server: it is easier to run and there are fewer steps to configure it, but on larger networks you may need to separate the two. Network Policy Server is a fairly fast install; it should only take a minute or two. Once installed, I need to configure it by running the Network Policy Server admin tool from Administrative Tools under the start menu.

The first thing that I need to configure is the system health validator. This will determine what needs to be configured on the client for it to pass its health check. To do this, go down to Network Access Protection and expand downwards until you get to Settings. With Windows Server 2008 R2 you can create additional configurations. For example, you could create a different set of requirements to access the company's intranet. In this case I will modify the default configuration since I only want one set of NAP settings. In the properties section I can configure what NAP will check for. To demonstrate this product I will switch off some of the features like the antispyware and Windows Update checks. The only settings that I will leave on are the Windows Firewall and antivirus.
Now that I have configured the settings I want NAP to check for, I will add some remediation servers. These are the servers that the client will be able to access if it fails its health check. In this case I will add my WSUS server so the client can retrieve Windows updates. Have a careful think about what servers you add here. With DHCP enforcement, these are the only servers the client will be able to access. You should also consider adding a domain controller, and better still a read-only domain controller if you have one. Remember that without access to a domain controller, the client will not be able to access group policy and other Active Directory services, which may stop it from becoming compliant.

Now that we have the health policy and remediation servers set up, I need to run the NAP configuration wizard to configure the rest of NAP. To launch the wizard, all I need to do is select the server at the top of the screen and then select the option Configure NAP. As you can see, the dialog box is quite large. To allow it to fit on the screen I will select the option to auto-hide the taskbar. This wizard can be used for any enforcement type that NAP supports. Since we are using DHCP in this example, I will select Dynamic Host Configuration Protocol from the pull-down list. By default, the wizard will also enter a name for the policy.
If your DHCP server is installed on a different server, you will need to add the DHCP server as a RADIUS client; in my case I will add my DHCP server called DHCP1. In order for the RADIUS server to communicate with the RADIUS client, you need to have a RADIUS shared secret set up which is common between the two. If I select the option Generate and press the Generate button, Windows will generate a rather long shared secret for you to use. This will give you greater security, but you still need a way to copy the shared secret from this server. The longer key means you now need some way of managing the key, which may mean storing the key on devices like USB sticks or even e-mailing the key to transfer it between servers. Having a large key like this does impose more difficulty in the management of keys but gives you greater security.
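As an added example (not part of the video), here is one way to get the benefit of a long, generated secret without copying it by hand out of a dialog: a PowerShell script run on the NPS server that generates the secret from a cryptographic random number generator, registers the DHCP server as a NAP-capable RADIUS client with netsh, and writes the secret to a file that only Administrators and SYSTEM can read, so it can be carried to the DHCP server on removable media rather than e-mailed. The client name DHCP1 is the one used in this video and 10.0.0.2 is the DHCP server address seen in the demo's routing table; the file path is an assumption, and the netsh nps add client parameter names are as documented for Windows Server 2008 R2, so confirm them with netsh nps add client ? if your build differs.

```powershell
# Added example, not from the video: generate a long RADIUS shared secret on the
# NPS server and register the DHCP server as a RADIUS client with it.
# Assumptions: DHCP server name DHCP1, address 10.0.0.2, storage folder C:\NPS.

function New-RadiusSecret {
    param([int]$Length = 48)
    # Printable characters that netsh and the NPS console accept without quoting
    # trouble: no spaces, quotes, '=' or '%'.
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#*+-@'
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $limit = 256 - (256 % $alphabet.Length)   # reject bytes >= $limit to avoid modulo bias
    $buf   = New-Object byte[] 1
    $chars = New-Object System.Collections.Generic.List[char]
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $chars.Add($alphabet[$buf[0] % $alphabet.Length]) }
    }
    return -join $chars.ToArray()
}

$clientName = 'DHCP1'
$clientIp   = '10.0.0.2'
$secretFile = 'C:\NPS\dhcp1-secret.txt'
$secret     = New-RadiusSecret

# Register the DHCP server as a NAP-capable RADIUS client (the same thing the
# wizard's "add RADIUS client" step does in the GUI).
netsh nps add client name="$clientName" address="$clientIp" state="ENABLE" sharedsecret="$secret" napcompatible="YES"

# Keep a copy only Administrators and SYSTEM can read, for transfer to DHCP1 by
# removable drive; delete it once the secret has been entered on the other side.
New-Item -ItemType Directory -Path (Split-Path $secretFile) -Force | Out-Null
Set-Content -Path $secretFile -Value $secret
icacls $secretFile /inheritance:r /grant:r 'BUILTIN\Administrators:(R,W)' 'NT AUTHORITY\SYSTEM:(F)' | Out-Null
```

The rejection loop in New-RadiusSecret matters: taking a random byte modulo the alphabet size would favour the first characters of the alphabet, which quietly reduces the strength of the secret you went to the trouble of generating.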
A shorter key is often a lot easier to manage and can even just be memorized. In this case, I will simply manually enter a key. On this screen, you need to enter the DHCP scopes that you are planning on using NAP enforcement on. In this case, I have already created a scope on the DHCP server called desktop computers. If you did not enter a scope on this screen, NAP enforcement would apply to all scopes installed on that DHCP server. Next you need to decide what computers this policy will apply to. If you do not enter any computers or groups of computers in here, the policy will apply to all computers. On this screen you can set up a remediation server group. The remediation server group simply means the client can access these servers if it fails its health check. On this screen, you can also enter a troubleshooting URL. This URL will be shown to the users and should contain information on how the user can get their computer up to date.
For example, the URL may have a link for the user to download antivirus software. You will also notice here that the Windows Security Health Validator has been selected and will be used to determine the health of the client. An important setting to take note of is the setting Enable auto-remediation of client computers. This option means that NAP will attempt to fix any problems on the client when it fails a health check. For example, if NAP was checking to see if your firewall was running and found it was off, with auto-remediation enabled NAP will re-enable the firewall. Down the bottom of the screen, you will notice the option for what to do if a NAP-ineligible client tries to access the network, for example if a computer that does not support NAP, such as a Windows 2000 computer, were to attempt to access the network. By default, these types of computers will be denied access to the network and will only be able to access the remediation servers. In some environments you may want to give these computers full access to the network, for example if you have a few legacy computers on the network that you are planning to phase out. Setting this option to allow will still give them access to the network until you can retire them.
Once I press Finish, the wizard will create the required policies to run NAP with DHCP on your network. NAP is now configured, but before it can be used with DHCP, DHCP needs to be configured. To do this, I now need to switch to my DHCP server. The Network Policy Server settings for NAP are not on my DHCP server, but in order to access them Network Policy Server needs to be installed locally on the DHCP server. I have already completed the install for Network Policy Server; to run it, go to Administrative Tools under the start menu and run Network Policy Server. In order for the two Network Policy Servers to communicate, the remote server must be added to the Remote RADIUS Server Groups.
To add the server, right-click on Remote RADIUS Server Groups and select New. In this dialog I need to enter the name of my remote server; in this case the server's name is NAP. If I now go to the Authentication and Accounting screen, I need to enter the shared secret I set up on the other NPS server. Once I close the dialog the NAP server will be added as a remote server. This will allow the two servers to communicate with each other; however, by design they won't. In order to have this Network Policy Server pass requests on to be authenticated on the other Network Policy Server, a policy must be created to tell the server to do this. To do this, right-click on Connection Request Policies and select New. For the policy name I will enter Forward NAP Request and select the type of network access server as DHCP server. I want this server to only forward on NAP traffic, so to do this press Add and then go down the list until you get to Identity. Add Identity and then select Health checks only. This means this rule will only forward NAP health checks on to the other Network Policy Server. The next screen is where you need to specify where to send the NAP requests. In this case I will select the group that I created earlier. On the next screen, I can configure additional options. This is more for when you are using third-party RADIUS servers. In this case I don't need to add anything.
Once I reach the end of the wizard and press Finish the new policy will be created. Whenever creating network policies, pay careful attention to the order of the policies. In this case, I want Forward NAP Request to be the first policy. If another policy matches before Forward NAP Request, then my Forward NAP Request policy will be ignored. That's all the configuration that is required for the Network Policy Server installed on the DHCP server.

I can now close Network Policy Server and open the DHCP admin tool from Administrative Tools under the start menu. Once inside the DHCP admin tool, I need to expand down to IPv4, right-click and select Properties. From the properties, select the tab Network Access Protection. You will notice that by default, DHCP will grant full access to the network when the Network Policy Server is unavailable. Otherwise you can set it to restricted access or drop client packets, which means ignore the client completely. If you change the default server behaviour, this means that if your Network Policy Server is not contactable for any reason, no client will be able to access your production network till it is back up again.
If you change the option, you would probably at a minimum want to make sure that you have at least two Network Policy Servers configured on your network for redundancy. The only time you could get away with having one would be when your Network Policy Server and DHCP are on the same server. If I press the button Enable on all scopes, Network Access Protection will be enabled on all scopes on the DHCP server. If you want more control, you can expand down to IPv4 and select the scope that you want to enable NAP on. Selecting the scope and accessing the properties, I can again go into the Network Access Protection tab, but this time the settings will only apply to this scope. To enable NAP on this scope I need to select the option “Enable for this scope”. In this particular case I will use the default Network Access Protection profile, but if you need to you could set up different Network Access Protection profiles for different scopes. To configure Network Access Protection further, you need to set some scope options.
If I now go into the scope options and then select the tab Advanced, I can select “Default Network Access Protection Class”. This will give me the settings that the DHCP server will allocate to the client when it fails its health checks. You can set as many or as few options as you want in here. You can also set options that are completely different to the main options; for example, I could set a completely different DNS server. This different DNS server will be allocated only to clients who fail their health checks. If I go back into scope options, you will notice the setting I just added, and you will also notice the class is shown on the far right-hand side. The other two settings with a class of none will be allocated to clients that pass their health checks. This concludes the server set up; now let's have a look at what needs to be configured on the client.
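The DHCP-side steps above can also be done from the command line, which is handy when more than one DHCP server has to be configured the same way. The following netsh sequence is an added example (not from the video): it enables NAP on a single scope, adds a DNS server option under the Default Network Access Protection Class so that only restricted clients receive it, and lists the result. The scope address 10.0.0.0 and the DNS address 10.0.0.20 are assumed for the example; the netsh dhcp syntax is as documented for Windows Server 2008 R2, so confirm it with netsh dhcp server scope 10.0.0.0 set ? on your server if your version differs.

```powershell
# Added example, not from the video: script the DHCP side of NAP with netsh.
# Run on the DHCP server. Assumptions: 10.0.0.0 is the "desktop computers"
# scope; 10.0.0.20 is the DNS server that restricted clients should use.

$scope    = '10.0.0.0'
$napClass = 'Default Network Access Protection Class'   # user class restricted NAP clients present
$quarDns  = '10.0.0.20'

# 1. Enable NAP on this scope only. "netsh dhcp server set napstate on" would be
#    the equivalent of the "Enable on all scopes" button.
netsh dhcp server scope $scope set napstate on

# 2. Option 006 (DNS servers) under the NAP user class: handed out only to
#    clients that fail their health check, like the different DNS server set in
#    the console above. PowerShell passes the user=... token as one quoted argument.
netsh dhcp server scope $scope set optionvalue 006 IPADDRESS $quarDns user="$napClass"

# 3. Review: options listed with no class go to compliant clients, options under
#    the NAP class go to restricted ones; the server-wide NAP state is shown last.
netsh dhcp server scope $scope show optionvalue
netsh dhcp server show napstate
```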
In order for the client to start using NAP there are a number of things that need to be set. Luckily for us these can be set using group policy. Firstly you need to enable the Security Center. Be aware that in Windows 7 the Security Center has changed to the Action Center. Next I need to go into Computer Configuration in group policy and then into Windows Settings and Security Settings and set two settings. First is to enable the NAP service. Without the NAP service running, the client will not be able to issue a health statement to the enforcement point. The second setting tells NAP the enforcement type or types that we will be using. Let's have a look at how to set this up on a Windows 7 client using group policy.

First of all I need to create a group policy for NAP on my domain controller. To do this, run Group Policy Management from Administrative Tools under the start menu. In this example, I will create a new group policy for my domain by right-clicking on the domain and selecting Create a GPO in this domain and link it here. In your domain, since there are only a few settings that need to be set, you may want to just modify an existing group policy. Once I have created the group policy called DHCP NAP, I need to edit it. Expand down in group policy through Administrative Templates, Windows Components and down to Security Center. Even though Security Center has changed in Windows 7 to Action Center, the group policy setting remains the same. All I need to do here is change the setting to Enabled. The next settings I need to change are not under Administrative Templates, so I will collapse Administrative Templates and go into Windows Settings and then into Security Settings.
In Security Settings I can go into System Services. In System Services, you can enable and disable services on the client computer. The Network Access Protection Agent service shown here is disabled by default on Windows clients. To enable any NAP enforcement this service needs to be running. I will select Automatic so the service will always be running. To configure the type of NAP enforcement I want to use, I need to leave System Services and go into Network Access Protection. Under Network Access Protection I need to select NAP Client Configuration and select Enforcement Clients. You can see in here all the different types of NAP enforcement that could be used. Since I am using DHCP enforcement, I will enable the DHCP Quarantine Enforcement Client. You could, if you wished, enable multiple enforcement types. These are all the settings that need to be enabled on the client side. I have used a domain-wide group policy to set them; however, I could have quite easily set the settings on the client. If I now switch to my Windows 7 computer, we can see NAP in operation.
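For completeness, here are the same client settings applied locally instead of through group policy, for example on a single test machine. This is an added example and not something shown in the video. The service names wscsvc (Security Center) and napagent (Network Access Protection Agent) and the enforcement client ID 79617 for DHCP quarantine enforcement are the values used on Windows 7, and the commands need an elevated PowerShell prompt. Once a domain GPO configures the NAP client, it takes precedence over these local settings, so on a domain member the group policy above is the setting that counts.

```powershell
# Added example, not from the video: the client-side NAP settings applied
# locally on one Windows 7 machine from an elevated PowerShell (2.0) prompt.
# Assumptions: service names wscsvc and napagent; DHCP enforcement client ID 79617.

# 1. The Security Center service must be running: the Windows Security Health
#    Agent reads the firewall and antivirus status from it.
Set-Service -Name wscsvc -StartupType Automatic
Start-Service -Name wscsvc

# 2. The NAP agent is disabled by default on clients; without it no statement
#    of health is ever sent to the enforcement point.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# 3. Enable the DHCP quarantine enforcement client (79617). Other IDs exist for
#    the VPN, IPsec, TS Gateway and 802.1X enforcement clients.
netsh nap client set enforcement ID=79617 ADMIN="ENABLE"

# 4. Confirm the local configuration and the agent's current view of its state.
#    If a domain GPO configures the NAP client, the GPO settings win over these.
netsh nap client show configuration
netsh nap client show state
```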
(Switch to the Windows 7 DHCP NAP demo.) First of all I want to see the status of NAP enforcement on this computer. To do this on Windows 7, I need to open the Action Center. After I open the Control Panel I need to select the option Review your computer's status under System and Security. You can see that Network Access Protection has been added to the Action Center. The Action Center is also telling us that this computer is not meeting the security standards for NAP. To get some more information about the problem, press the button View solution. If I scroll down to the bottom, you can see that NAP did not detect any antivirus software on this computer, and this is why the computer did not pass the health check. While in this state, the computer will only be able to access servers in the remediation group. To see which servers it can access, open a command prompt from the start menu and run route print. I have added the -4 switch so I only get IPv4 routes. You can see the first route, 10.0.0.2 with the subnet mask 255.255.255.255. This means that any traffic for that IP address will be sent to that server directly. This IP address is the address of the DHCP server. The next address is the IP address of the WSUS server which I added into the remediation server group.
Those who understand routing tables really well will quickly see that there is no route to the 10.0.0.0 network where this computer is currently located. This means this computer can only access other computers on the 10.0.0.0 network when a route to that computer is added. This example shows an important fact when setting up NAP. Notice that my domain controller is not contactable, nor are the DNS servers, and this computer does not have access to the internet. You can also see that DHCP enforcement is a weak form of protection, because a person with IT knowledge could either add their own routes to the routing table or assign a static IP address to the computer and thus bypass NAP completely. When you set up DHCP NAP enforcement, make sure you add servers the computer needs access to, for example domain controllers. Without access to a domain controller, the computer cannot access group policy, which may make important changes to the computer.

If I now run ipconfig /all, you will see that the System Quarantine State is set to Restricted. This is another way of determining what the status of NAP is without having to go into the Action Center or Security Center. To make this computer compliant I am going to install antivirus software. I have accelerated the install to the end, as installing antivirus software is not the focus of this training video. Once the antivirus software is installed the computer should be able to pass a NAP health check. If I now go back to my command prompt and run ipconfig /all, you will see that the System Quarantine State has changed to Not Restricted.
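To turn the route print and ipconfig checks above into something a helpdesk technician can run in one go, here is an added PowerShell example (not from the video) for the Windows 7 client: it reads the System Quarantine State from ipconfig /all, lists the IPv4 routes and flags whether the table holds only host routes (the sign of a restricted DHCP client), and pings each remediation server. The addresses 10.0.0.2 for the DHCP server and 10.0.0.5 for WSUS are assumed for the example; put your own remediation server group in the table. Ping must be allowed through the servers' firewalls for the last check to mean anything.

```powershell
# Added example, not from the video: one-shot NAP status report for a Windows 7
# client (PowerShell 2.0). Assumed remediation servers: DHCP 10.0.0.2, WSUS 10.0.0.5.

$remediationServers = @{ 'DHCP1' = '10.0.0.2'; 'WSUS' = '10.0.0.5' }

function Get-NapQuarantineState {
    # ipconfig /all prints "System Quarantine State . . . : Restricted" when the NAP agent runs
    $line = ipconfig /all | Select-String 'System Quarantine State' | Select-Object -First 1
    if ($line) { ($line.Line -split ':\s*', 2)[1].Trim() } else { 'unknown (NAP agent not running?)' }
}

function Get-NapRoutes {
    # IPv4 routing table without the loopback, multicast and broadcast entries
    Get-WmiObject -Class Win32_IP4RouteTable |
        Where-Object { $_.Destination -notmatch '^(127\.|224\.|255\.)' } |
        Select-Object Destination, Mask, NextHop, InterfaceIndex
}

function Test-HostRoutesOnly($routes) {
    # A DHCP-restricted client has only /32 host routes (to itself and to each
    # remediation server). Any wider mask, including a default route, means the
    # client can reach a whole network again.
    return (@($routes | Where-Object { $_.Mask -ne '255.255.255.255' }).Count -eq 0)
}

$state  = Get-NapQuarantineState
$routes = Get-NapRoutes

"System Quarantine State : $state"
"Host routes only        : $(Test-HostRoutesOnly $routes)"
$routes | Format-Table -AutoSize

# Remediation servers must answer even while restricted; a domain controller
# will not unless it was added to the remediation server group.
foreach ($name in $remediationServers.Keys) {
    $ip = $remediationServers[$name]
    $ok = Test-Connection -ComputerName $ip -Count 1 -Quiet -ErrorAction SilentlyContinue
    "Remediation server $name ($ip) reachable : $ok"
}
```

Run it before and after installing the antivirus software and the two lines at the top of the report should flip from Restricted / True to Not Restricted / False once the client has renewed its lease.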
If your state does not change straight away, you may need to run ipconfig /renew to refresh your IP address settings. There is one more feature that I want to demonstrate. If I open the Control Panel and then open System and Security, I can then open the Windows Firewall settings. If I now select the option to switch the firewall off, this is one of the checks that NAP does in its health check. Since I put the option on for auto-remediation, Windows will attempt to fix problems that cause a computer to fail a health check. As you can see, Windows has switched the firewall back on again. This is why auto-remediation is a great feature to leave on, and it will mean a few fewer calls to your helpdesk.

In summary, there is a lot of planning you should do before installing NAP on your network. NAP decides who gets access to the network and who gets denied. I would suggest running NAP in logging mode first. Work out who is failing their health checks and why. If you can fix these problems before you deny computers access to the network or place them in separate networks, you will have a lot fewer angry phone calls to the help desk. NAP has its fair share of acronyms. The two most important are system health agent and system health validator, otherwise known as SHA and SHV. Remember, the agent or SHA issues a statement of health which is inspected by the SHV or system health validator. Microsoft supplies an SHV, but third-party vendors can create their own. Remember that NAP is very customizable and thus can start becoming very complicated very quickly. Careful planning is the key to a good NAP deployment.