The biggest challenge for any network admin is to identify machines that do
not comply with security standards and keep them from entering the network. To
meet this challenge, most organizations either ban unauthorized machines from
accessing the network or allow them in only after a manual screening process.
Neither option is realistic: the first can cause loss of productivity and the
second consumes a great deal of administrative time. To solve this problem,
Windows Server 2008 comes with NAP, or Network Access Protection. With NAP the
complete process of screening the machines entering the network is automated
and driven by customizable policies. A machine is granted access to the network
if and only if it passes all the screening tests. These tests can include a
check for Firewall status (on or off), Antivirus Status (installed and updated
or not), Windows Updates (on or off), Phishing Filter (on or off), etc.
A NAP server does more than screening. Together with a remediation server, it
can turn settings on or off, depending on the policies, before letting the
machine enter the network. So, for example, if your laptop's Firewall is
disabled and you try entering a network protected by NAP, it will automatically
enable the firewall before letting the laptop enter the network. In this
article we will see how to install NAP and ensure that no machine without
Firewall, Antivirus, and Anti-phishing enters the network.
Pre-requisites
The first thing you will require is a machine running the 32- or 64-bit
version of Windows Server 2008 Beta. Next is a client with either Windows XP
SP3 Beta or Windows Vista. This is because NAP requires an agent called the
SVA, or Security Validation Agent, to be installed on the client machines, and
this agent is only available with Windows XP SP3 Beta or Vista. Microsoft is
also planning to release agents for non-Microsoft OSs, but they are still in
the pipeline. So until then you will have to live with Windows XP SP3 or
Windows Vista.
Installation
Once you are done with the pre-requisites, the installation is actually very
simple. All you have to do is go to 'Server Manager' -> Roles -> Add Roles.
A new wizard appears. Here select Network Policy and Access Services and
follow the wizard till it asks you for Role Services. Now select all the
available services and continue. Once you proceed you'll see a new window which
asks you to provide a Certification Authority. Select the first option, 'Install
a local CA to issue health certificates for the HRA server.' Proceed till it
asks you to choose a Server Authentication Certificate for SSL Encryption. Now
select the second option, 'Create a self-signed certificate for SSL encryption,'
and proceed. Click Next till the wizard finishes and starts the installation
process.
To successfully deploy NAP you need to install all the service components listed in the image. Select all of them and proceed through the wizard to install them.
Configuring DHCP
You can configure NAP at different protocol levels. For instance it can work
with VPN, Dial-in Connection, DHCP, Terminal Server Gateways, etc., but here we
are going to use it via DHCP. We configure a DHCP server that has NAP
capability, and a NAP server that validates the requests coming to the DHCP
server and allows it to give IPs only to those machines which pass the NAP
policies. For this, configure the DHCP server on a machine which supports NAP.
The best option is to install it on the same machine where the NAP server is
running. So first install the DHCP role from the 'Server Management'
interface. The installation is very simple. Just select the DHCP role and keep
clicking Next till the installation ends.
In this screen you can set which components must be enabled on your client machines for the NAP server to allow them to enter the network.
Once done, open the DHCP MMC from Administrative Tools and create a new
scope for your network. We are not covering the configuration of DHCP here as we
presume our readers know how to do so. After making the required changes, right
click on the scope and click on the Properties option. A new window pops up. Now
go to the Network Access Protection tab and select the radio buttons 'Enable
for this scope' and 'Use default Network Access Protection profile' under
Network Access Protection Settings. Apply the changes and restart your DHCP
server.
Configuring NAP
Now comes the most important part. To configure NAP policies, go to
Administrative Tools and click the 'Network Policy Server' option. From the left
pane of the new window, click the NPS (local) option. At the center of the
window is a drop-down menu called 'Select a Configuration Scenario.' Here select
the Network Access Protection (NAP) option. Now click on the option 'Configure
NAP,' just below the drop-down menu. On the first page of the new wizard, expand
the drop-down menu, select DHCP, and press Next. Keep pressing Next with the
default values until the wizard ends. Once done, your NAP policies for the DHCP
server are ready.
Apply the above-mentioned settings to make sure that the DHCP server takes feedback from the NAP server.
The only thing left to do is to set the System Health Validator settings.
Essentially, here you define the conditions under which machines are either
granted or denied access to the network. To configure them, click and expand
the NAP option in the left pane of the window. Now click on the System Health
Validator option. Double click on the Windows System Health Validator option at
the center top of the window. A new window appears. Next, click on the Configure
option. In the next window you see two tabs: one for configuring the SHV
settings of Windows XP and the other for Windows Vista. From here you can select
and define the cases in which the SHV will deny or grant access to the machines
joining the network. So, for instance, if you select the checkbox which says 'A
firewall is enabled for all network connections' then only those machines with a
firewall enabled will get access to the network. The same applies to Virus
Protection, Spyware protection, and Updates. Once you have selected the desired
settings, close this window and your NAP is ready to be used.
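
The screening and remediation flow described in this article, written out as a simplified model. This is an added example, not Microsoft's NAP code and not part of the original article; the check names, the evaluate function, the sample reports, and the choice of which settings can be switched on automatically are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Checks named in the article. Which ones a remediation step can switch on is
# an assumption of this sketch: on/off settings can, a missing antivirus cannot.
CHECKS = ("firewall", "antivirus", "windows_updates", "phishing_filter")
AUTO_REMEDIABLE = {"firewall", "windows_updates", "phishing_filter"}


@dataclass
class Verdict:
    access: str                                   # "grant" or "deny"
    failed: list = field(default_factory=list)    # checks still failing
    remediated: list = field(default_factory=list)


def failing_checks(report, required):
    # Fail closed: a required check that is absent or not exactly True fails.
    return [c for c in required if report.get(c) is not True]


def evaluate(report, required, auto_remediate=False):
    """Decide access for one client health report (dict of check -> bool)."""
    unknown = set(required) - set(CHECKS)
    if unknown:
        raise ValueError(f"policy names unknown checks: {sorted(unknown)}")
    state = dict(report)              # never mutate the caller's report
    remediated = []
    if auto_remediate:
        for check in failing_checks(state, required):
            if check in AUTO_REMEDIABLE:
                state[check] = True   # stands in for the remediation action
                remediated.append(check)
    failed = failing_checks(state, required)      # re-screen after remediation
    return Verdict("deny" if failed else "grant", failed, remediated)


# Constructed sample data: the laptop from the article with its firewall off,
# and a client whose report omits the antivirus field entirely.
POLICY = ["firewall", "antivirus", "phishing_filter"]
LAPTOP = {"firewall": False, "antivirus": True, "phishing_filter": True}
NO_AV_FIELD = {"firewall": True, "phishing_filter": True}

if __name__ == "__main__":
    print(evaluate(LAPTOP, POLICY))
    print(evaluate(LAPTOP, POLICY, auto_remediate=True))
    print(evaluate(NO_AV_FIELD, POLICY, auto_remediate=True))
```

The third case is the one to watch when writing policies: a client that reports nothing for a required check is denied rather than waved through.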