Jayson Ferron CIO Interactive Security Training WSV206.

Presentation transcript:

Jayson Ferron CIO Interactive Security Training WSV206

Windows Clients and Windows Server 2008 NAP: Why they are better together
- In this talk you will see why using the built-in functionality of Windows on both the client and the server makes a compelling argument for introducing this technology into your company
- We will explore the required services and configurations that an administrator needs to understand when planning NAP
- We will cover new features that are in Windows 7 and Server 2008 R2

What is Network Access Protection (NAP)
- Protect from malware threats: we will talk about using malware prevention technologies, and how NAP provides centralized definition, integration, and enforcement of system health requirements to help prevent the exposure to malware on a private network
- What is required to set up NAP
- What’s new with Windows 7 and Server 2008
- With demos along the way

Network Access Protection Overview
- The NAP platform requires servers running Windows Server 2008 or later and NAP-aware clients: Windows XP SP3 and later, Windows Server 2008 and later
- Additional hardware: a switched network that supports 802.1X
- A set of operating system components that provide a platform for system health-validated access to networks
- An architecture through which policy validation, network access limitation, automatic remediation, and ongoing compliance can occur
- Additional components supplied by third-party software vendors or Microsoft

Why NAP
- We do not trust users to install all patches and updates as required, and need to verify that systems are in compliance
- Do the systems have:
  - current anti-virus software?
  - current anti-spyware?
  - current corporate-approved patches?
  - a host-based stateful firewall enabled?
- What other configuration settings are required for adherence to the organization’s security policies?

NAP is an Additional Layer in Network Security
- Network Access Protection is not a silver bullet for network security
- NAP is about stopping the next big virus or vulnerability by ensuring clients are well maintained and isolated if deemed unhealthy
- NAP is not designed for: blocking unauthorized users, rogue machine control, software distribution control
- NAP is a flexible health control solution that relies on other mechanisms to solve these issues

NAP Walkthrough: Accessing the network
(Diagram: the client starts in the Untrusted Network, passes through the Boundary Network and ends in the Secure Network; DHCP, HRA, NPS, CA and a Remediation Server are shown.)
1. Client to HRA: “May I have a health certificate? Here’s my SoH.”
2. HRA to NPS: “Client OK?”
3. NPS to HRA: “No. Needs fix-up.”
4. HRA to Client: “You don’t get a health certificate. Go fix up.” (marked X in the diagram: no certificate issued)
5. Client to Remediation Server: “I need updates.”
6. Remediation Server to Client: “Here you go.”
7. The client submits its SoH again; NPS to HRA: “Yes. Issue health certificate.”
8. HRA to CA: “Issue me a health certificate.”
9. CA to HRA: “Here it is.”
10. HRA to Client: “Here’s your health certificate.”

NAP Components
Health Components
- System Health Agents (SHA) = Declare health (patch state, virus signature, system configuration, etc.).
- System Health Validators (SHV) = Certify declarations made by health agents.
- Remediation Servers = Install necessary patches, configurations, applications. Bring clients to a healthy state.
Enforcement Components
- Quarantine Enforcement Clients (QEC) = Negotiate access with network access device(s); DHCP, VPN, 1X, IPsec QECs.
- Health Registration Authority = Issues certificates to clients that pass health checks.
- Network Access Devices = Provide network access to healthy endpoints.
Platform Components
- Quarantine Server (QS) = Restricts the client’s network access based on what the SHV certifies.
- Quarantine Agent (QA) = Reports client health status, coordinates between SHA and QEC.
- Health Requirement Servers = Define health requirements for system components.
(Diagram: the client’s NAP Agent, with its SHAs and QECs (QEC 1, QEC 2), sends Health Statements and Network Access Requests to the Network Policy Server; Health Requirement Servers supply Health Policy Updates; the Health Result and Health Certificate come back through the Health Registration Authority.)

System Health Agent Options
- Allows for multiple configurations of SHA deployments
- Windows SHA: antivirus settings, antispyware settings, firewall settings, Windows Update settings
- System Center Configuration Manager 2007 (SCCM) SHA: patch management
- Forefront Client Security (FCS) SHA
- 3rd party SHAs

SoH Renewal Processing
Client SoH is revalidated when:
- Health certificate approaches 80% of validity time
- Network state changes
- Changes in client configuration are detected by an SHA
- Group Policy is updated

How NAP Integrates with IPsec
- NAP evaluates computer health and issues a “health certificate” through a Health Registration Authority (HRA)
- Compliant hosts receive a health certificate
- Noncompliant hosts are denied
- Non NAP-capable hosts receive “health exemption” certificates through AutoEnrollment
- IPsec policy is configured to require a health certificate for Tunnel and/or Transport Mode
- Can be combined with optional user-level authentication

NAP Components
- Network Policy Server (NPS)
- Certification Authority (CA)
- Health Registration Authority (HRA)
- NAP Agent with IPsec Relying Party

Health Registration Authority
- The Health Registration Authority (HRA) is used to issue health certificates to clients that satisfy health checks
- Web service receiving requests from the NAP clients
- HRA is a new Windows Server 2008 or Windows Server 2008 R2 role
- Health certificates are regular X.509 certificates with a very short lifetime (on the order of hours)
- System Health Authentication OID in the certificate
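The two slides above that describe the health certificate (a short-lived X.509 certificate carrying the System Health Authentication OID) and the SoH Renewal Processing slide (the agent revalidates at 80% of the validity period) can be checked on a client from PowerShell. The following is an added example, not code from the presentation: it assumes the health certificate sits in the local machine Personal store and is recognisable by its System Health Authentication enhanced key usage, and the function name is my own.

```powershell
# Added example (not part of the presentation). Lists NAP health certificates in
# the local machine store and computes when the NAP agent is expected to renew
# each one, using the 80%-of-validity rule from the SoH Renewal slide.
# Assumption: health certificates carry the "System Health Authentication" EKU;
# that is how they are distinguished from other machine certificates here.
function Get-NapHealthCertificate {
    [CmdletBinding()]
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',
        [double]$RenewalFraction = 0.8   # renew once 80% of the lifetime has elapsed
    )

    Get-ChildItem -Path $StorePath |
        Where-Object {
            # EnhancedKeyUsageList is supplied by the certificate provider; collect the
            # friendly names so this also works on PowerShell 2.0 (no member enumeration).
            $ekus = @($_.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName })
            $ekus -contains 'System Health Authentication'
        } |
        ForEach-Object {
            $lifetime = $_.NotAfter - $_.NotBefore
            $renewAt  = $_.NotBefore.AddTicks([long]($lifetime.Ticks * $RenewalFraction))
            New-Object PSObject -Property @{
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotBefore     = $_.NotBefore
                NotAfter      = $_.NotAfter
                LifetimeHours = [math]::Round($lifetime.TotalHours, 2)
                RenewalDue    = $renewAt
                Expired       = ($_.NotAfter -lt (Get-Date))
            }
        }
}

# Usage: run in an elevated session on a NAP client that enforces IPsec.
Get-NapHealthCertificate | Format-Table Subject, LifetimeHours, NotAfter, RenewalDue, Expired -AutoSize
```

A lifetime of days rather than hours, or an expired certificate that is still the only health certificate present, is the thing to look for: the first means the CA template is not the short-lived one the slides call for, the second means the agent is no longer able to reach the HRA and the host will drop out of IPsec-protected communication when the certificate is checked.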

Network Policy Server
- Network Policy Server (NPS) is used by the HRA to validate the SoH
- NPS receives computer credentials and the SoH from the HRA using the RADIUS protocol
- The SoH is evaluated by SHVs running on the NPS server, and the results are matched against the health policies
- Network policies are then used to authorize or deny network connection requests

Network Policy Options
- Allow full network access
- Allow full network access for limited time: enforcement is deferred until a later date
- Limited network access: access is restricted to remediation servers

Network Policy Server (NPS)

Certification Authority
- Issues health certificates for NAP-compliant machines
- Certificate Authority requirements: Enterprise or standalone subordinate CA under a trusted Root CA; Windows Server 2003 or later
- Recommended that dedicated health certificate-issuing CAs are deployed
- No revocation is typically required due to the short certificate lifetime
- High volume of certificates issued could impact other services also relying on the CA

Certification Authority (CA)

IPsec Relying Party
- The IPsec Relying Party is a component of the NAP Agent that obtains a health certificate from the Health Registration Authority (HRA)
- Also interacts with the following:
  - Certificate store: stores the health certificate
  - IPsec components in Windows: ensure that health certificates are used for IPsec-based communication
  - Host-based firewall (such as Windows Firewall): ensures that IPsec-protected traffic is allowed by the firewall

Health Registration Authority (HRA) Configuration
- Exposed to the Internet to receive health information and issue certificates to external clients
- Forefront TMG/UAG can be used to securely publish HRA web services
- Forwards requests to internal NPS and CA servers; NPS proxy installed on the HRA servers
- Multiple HRAs load balanced for high availability
- Use of HRA Discovery to publish HRA information using DNS

Network Policy Server (NPS) Configuration
- NPS servers configured in the internal network, receiving the RADIUS requests from the HRAs
- Multiple NPS servers configured in a Server Group for high availability
- Configuration stored locally; use scripts to replicate
- Configure NPS logging: allows logging to text files or a database (ODBC); best practice is to log to a local database and replicate to a central SQL repository
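Because each NPS server keeps its configuration locally, the "use scripts to replicate" point above is usually done with the netsh nps export and import commands. The script below is an added example, not from the presentation: the server names and the path are placeholders, and it assumes PowerShell remoting is enabled on the secondaries and that it runs as a local administrator on all of them.

```powershell
# Added example (not part of the presentation): push the NPS configuration of
# the server this runs on (the primary) to the other members of its server group.
# Placeholders: secondary server names and the export path, which is the same on
# every server. Assumes PowerShell remoting is enabled on the secondaries.

$secondaries = @('nps02', 'nps03')          # placeholder names
$exportDir   = 'C:\NpsConfig'               # placeholder path
$exportFile  = Join-Path $exportDir 'nps-config.xml'

New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

# Export the whole configuration including RADIUS shared secrets (exportPSK=YES),
# otherwise the HRA-to-NPS RADIUS clients would import without their secrets.
# The file therefore contains secrets: keep it on an admin-only path and delete it after use.
netsh nps export filename="$exportFile" exportPSK=YES
if ($LASTEXITCODE -ne 0) { throw "netsh nps export failed" }

foreach ($server in $secondaries) {
    # Copy over the admin share, then import on the secondary. Import replaces
    # that server's entire NPS configuration with the exported one.
    $remoteDir = "\\$server\C$\NpsConfig"
    New-Item -ItemType Directory -Path $remoteDir -Force | Out-Null
    Copy-Item -Path $exportFile -Destination (Join-Path $remoteDir 'nps-config.xml') -Force

    Invoke-Command -ComputerName $server -ScriptBlock {
        param($path)
        netsh nps import filename="$path"
        if ($LASTEXITCODE -ne 0) { throw "netsh nps import failed on $env:COMPUTERNAME" }
        Remove-Item -Path $path -Force       # do not leave shared secrets on disk
    } -ArgumentList $exportFile
}

Remove-Item -Path $exportFile -Force
```

Run this on the primary after every change to health, network or connection request policies, so that whichever NPS server the HRA's RADIUS proxy picks evaluates the SoH against the same policy set.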

Certification Authority (CA) Configuration
- Microsoft Certificate Services required
- Can be configured either as a Stand-Alone or an Enterprise CA
- Requires security permissions to enable the HRA to request and manage certificates; also certificate template permissions for Enterprise CAs
- Best practice is to dedicate a CA to health certificates: the volume of certificate requests would overwhelm existing CAs and make certificate database management hard
- Windows Server 2008 R2 CA allows non-persisted certificate requests

NAP Client Configuration
- Enable the NAP Agent service and the IPsec Relying Party
- Configure HRA URLs
- Install and enable SHAs; for the Windows SHA, turn on Security Center
- Configure IPsec policy to use health certificates
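The four client steps above, carried out locally on a Windows 7 machine with the built-in netsh nap context, the service cmdlets and netsh advfirewall. This is an added example, not from the presentation: the HRA host name hra.corp.example, the trusted server group name CorpHRA and the health CA name CorpHealthCA are placeholders; the enforcement client ID 79619 is the IPsec Relying Party's ID. In a domain these settings are normally delivered by Group Policy rather than typed on each client.

```powershell
# Added example (not part of the presentation): local configuration of a
# Windows 7 NAP client for IPsec enforcement. Placeholders: HRA host name
# hra.corp.example, trusted server group CorpHRA, health CA CorpHealthCA.
# Run in an elevated shell.

# 1. Enable the NAP Agent service (napagent) and start it.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# 2. Enable the IPsec Relying Party enforcement client (enforcement client ID 79619).
netsh nap client set enforcement ID=79619 ADMIN="ENABLE"

# 3. Configure HRA URLs: a trusted server group that requires HTTPS, and the HRA
#    web service URL (DomainHRA is the virtual directory for domain-joined clients).
netsh nap client add trustedservergroup name="CorpHRA" requirehttps="Enable"
netsh nap client add server group="CorpHRA" url="https://hra.corp.example/DomainHRA/hcsrvext.dll"

# 4. The Windows SHA reads its state from Security Center (wscsvc), so it must run.
Set-Service -Name wscsvc -StartupType Automatic
Start-Service -Name wscsvc

# 5. IPsec policy: require a health certificate from the health CA for inbound
#    connections and request one outbound. A production design exempts the
#    boundary network (HRA, remediation servers, domain controllers) from this
#    rule so that unhealthy clients can still reach them to get fixed up.
netsh advfirewall consec add rule name="RequireHealthCert" endpoint1=any endpoint2=any action=requireinrequestout auth1=computercert auth1ca="CN=CorpHealthCA" auth1healthcert=yes

# 6. Verify the agent's view: enforcement clients, trusted servers and health state.
netsh nap client show configuration
netsh nap client show state
```

The order matters: if step 5 is applied before the client can obtain a health certificate (steps 1 to 4, plus a reachable HRA), the machine will be unable to talk to any peer that requires one.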

NAP Health Exemptions
- Use AutoEnrollment to enroll “Health Exemption” certificates to systems exempt from NAP compliance
- Define a group for DA clients exempt from NAP
- Create a certificate template with the following attribute: Custom application policy – “Server Health”, OID = “ ”
- Grant enroll and autoenroll permissions to the group

Remediation Servers
- Any service that needs to be available to clients for remediation to happen
- Depends on what SHAs are being used by the organization
- Remediation servers need to be reachable from unhealthy clients
- Publish remediation servers externally to the Internet
- Use a separate DA server and IPv6 subnet for remediation servers
- Require an additional (non-health) client certificate to secure access to the remediation subnet

New for Windows 7 and Windows Server 2008 R2

Network Policy Server (NPS) new features in Windows Server 2008 R2:
- NPS Templates and Templates Management
- RADIUS accounting improvements
- Full support for international, non-English character sets using UTF-8 encoding

Network Access Protection (NAP) new features in Windows Server 2008 R2 and Windows 7:
- Multi-configuration SHV
- NAP client user interface improvements

Multi-Configuration SHV
- SHVs define configuration requirements for computers that attempt to connect to your network, via wired, wireless, or VPN
- With multi-configuration SHV, a single NAP health policy server can be used to deploy multiple configurations of the same SHV


Putting it all together

Windows Clients and Windows Server 2008 R2 NAP: Why They Are Better Together
- In this talk you have seen why using the built-in functionality of Windows on both the client and the server makes a compelling argument for introducing this technology into your company.
- We explored the required services and configurations that an administrator needs to understand when planning NAP.
- We covered some of the new features that are in Windows 7 and Server 2008 R2.

Resources
- Sessions On-Demand & Community
- Resources for IT Professionals
- Resources for Developers
- Microsoft Certification & Training Resources
Speaker note (required slide): TechEd 2009 is not producing a DVD. Please announce that attendees can access session recordings at TechEd Online.

Windows Server Resources
- Make sure you pick up your copy of Windows Server 2008 R2 RC from the Materials Distribution Counter
- Learn more about Windows Server 2008 R2 at the Technical Learning Center (Orange Section): highlighting Windows Server 2008 and R2 technologies, with over 15 booths and experts from Microsoft and our partners

Complete an evaluation on CommNet and enter to win!

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.