Windows Clients and Windows Server 2008 NAP: Session objectives See why using the built functionality of Windows in both the client and server makes a compelling argument for introducing this technology into your company Explore the required services and configurations that an administrator needs to understand in planning NAP Targeted as an architecture and deployment planning overview session NOT about the detail of deployment: See Ryan Roseveare’s session 10h15 on Weds
What is Network Access Protection (NAP) Additional protection from Malware threats and other client configuration inconsistencies Its all about “Defending-in-depth”! NAP is about stopping the next big virus or vulnerability by ensuring clients are well maintained and isolated if deemed unhealthy Provides centralized definition, integration, and enforcement of system health requirements to help prevent the exposure to malware on a private network NAP is a designed to be a client “Health Checker” - it is not the best solution for: blocking unauthorized users rogue machine control software distribution control
Why NAP We do not trust users to install all patches and updates as required and need to verify that systems comply with policies Do the systems have: current anti-virus software? current anti-spyware? current corporate-approved patches? host-based state-full firewall enabled? What other configuration settings are required for adherence to the organization’s security policies?
Accessing the network Remediation Server Policy Server May I have a health certificate? Here’s my SoH. Client OK? No. Needs fix-up. You don’t get a health certificate. Go fix up. I need updates. Here you go. Yes. Issue health certificate. Here’s your health certificate. Client NAP Walkthrough Untrusted Network Boundary Network Secure Network CA Issue me a health certificate. Here it is. Registration Auth X
User notifications Non-compliant and no Auto RemediationComplaint / Auto Remediated
NAP Requirements Overview The NAP platform requires servers running Windows Server 2008 or later and NAP-aware clients: Windows XP SP3 and later Windows Server 2008 and later Set of operating system components that provide a platform for system health-validated access to networks An architecture through which policy validation, network access limitation, automatic remediation, and ongoing compliance can occur Optionally, NAP can support additional components supplied by third-party software vendors or Microsoft
NAP Enforcement Models ModelNotesQuarantine Enforcement IPSecThe most robust solutionServer/domain isolation Policy can require Health Certs. for Tunnel/Transport mode 802.1xWireless and wired LAN (needs the correct network hardware support) VLAN and Access Control List (ACL) VPNRemote / mobile clients (if IPSec not appropriate) IPv4/6 Filtering DHCPEasiest to configure – needs compliant DHCP server (2008+) IP segmentation NoneCompliance reporting only Often a good starting point for deployment N/A Note: NAP also supports Windows Server 2008 Terminal Services gateway
NAP vs. RAS Quarantine Control Server 2003 Quarantine ControlServer 2008 NAP Server: Server 2003+Server: Server Clients: Win 98, ME, 2000, XP+Clients: Windows XP+ and Server Compliance check via custom script/EXECompliance via SHA (multiple in Win 7) RAS clients onlyPotentially “wall-to-wall” Quarantine via IP FilteringQuarantine depends on Enforcement model Enforcement “once-off” during initial connection via RAS Health Certificate associated with session for entire duration (with expiry)
Quarantine Server (QS) = Restricts client’s network access based on what SHV certifies. Quarantine Agent (QA) = Reports client health status, coordinates between SHA and QEC. NAP Components Network Policy Server Network Policy Server Client NAP Agent Health Policy Updates Health Statements Network Access Requests Health Requirement Servers Remediation Servers Health Components System Health Agents (SHA) = Declare health (patch state, virus signature, system configuration, etc.). System Health Validators (SHV) = Certify declarations made by health agents. Remediation Servers = Install necessary patches, configurations, applications. Bring clients to healthy state. Enforcement Components Quarantine Enforcement Clients (QEC) = Negotiate access with network access device(s); DHCP, VPN, 1X, IPSec QECs. Health Registration Authority = Issues certificates to clients that pass health checks. Platform Components Health Requirement Servers = Define health requirements for system components. Health Result Health Certificate Health Registration Auth Network Access Devices = Provide network access to healthy endpoints. SHA SHV QEC 1 QEC 2
System Health Agent Options Windows SHA Antivirus settings Antispyware settings Firewall settings Windows Updates Settings System Center Configuration Manager 2007 (SCCM) SHA Patch Management Forefront Client Security (FCS) SHA 3rd party SHAs Including Avenda, Nortel, UNET …….
Health Registration Authority Is essentially an access layer abstraction proxy – for example: NAP clients can connect to a HRA within the DMZ – via HTTP – without requiring direct connection to the Policy Server within the private network Health Certificates are issued to NAP clients via the HRA web services (rather than directly by the CA) Is a role on Windows Server 2008(+) only Is “stateless” – i.e. can be Load Balanced There is an HRA Discovery mechanism to publish via DNS
Network Policy Server Network Policy Server (NPS) is used by the HRA to validate the SoH NPS receives computer credentials and SOH from HRA(s) SoH is evaluated by SHVs running on the NPS server, and results matched against the Health policies Network policies are then used to authorize or deny network connection requests
Network Policy Server Configuration NPS servers configured in the internal network, receiving the RADIUS requests from the HRAs Multiple NPS servers configured in Server Group for high availability Configuration stored locally Scripts used to replicate if load balancing required Configure NPS logging / NAP Reporting Allows logging to text files or database (ODBC) Best practice is to log to local database, replicate to central SQL repository
Network Policy Options Allow full network access Allow full network access for limited time Enforcement is deferred until a later date Limited network access Access is restricted to remediation servers
Certification Authority Issues health certs for NAP-compliant machines via the HRA proxy These are regular X.509 certificates with a very short lifetime System Health Authentication OID in the certificate Certificate Authority requirements: Enterprise or standalone subordinate CA under a trusted Root CA Windows Server 2003 or later (needs to support MS Client Cert Enrollment) Recommended that dedicated health certificate-issuing CAs are deployed No revocation is typically required due to short certificate lifetime High volume of certificates issued could impact other services also relying on the CA Notes: No Enforcement” model needs CA for “Exemption Certificates” Beware the default CA install behavior when NAP roles are added to the server’s configuration and CA does not already exist Try to keep CA “close” to HRA in distributed/large deployments
SoH and Heath Certificate Renewal Client SoH is revalidated when: Health certificate approaches 80% of validity time Some documentation differs on this and states 15 minutes before expiry Network state changes Changes in client configuration detected by an SHA Group policy is updated Non-NAP capable clients can be issued with Exemption Certificates
NAP Health Exemptions Use AutoEnrollment to enroll “Health Exemption” certificates to systems exempt from NAP compliance Define group for DA clients exempt from NAP Create certificate template with the following attribute: Custom application policy – “Server Health” OID = “ ” Grant enroll and autoenroll permissions to group
NAP Client Configuration Enable NAP Agent Configure HRA URLs Install and enable SHAs For Windows SHA, turn on Security Center Configure Group Policies for NAP For IPSec Enforcement model: Enable IPSec Relying Party Configure IPSec policy to use health certificates Configure Host-based firewall to allow IPSec- protected traffic
Remediation Servers Any service that needs to be available to clients for remediation to happen Depend on what SHAs are being used by organization Remediation Servers need to be reachable from unhealthy clients Publish remediation servers externally to the Internet Use separate IP subnet for remediation servers Require additional (non-health) client certificate to secure access to remediation subnet
New features in “R2” and Windows 7 Windows Server 2008 R2 NPS Templates and Templates Management RADIUS accounting improvements Full support for international, non-English character sets using UTF-8 encoding R2 CA allows non-persisted certificate requests Server 2008 R2 and Windows 7 Multi-configuration SHV A single NAP health policy server can be used to deploy multiple configurations of the same SHV User interface improvements
International Content & Community Resources for IT Professionals Resources for Developers Microsoft Certification & Training Resources Resources Required Slide Speakers, TechEd 2009 is not producing a DVD. Please announce that attendees can access session recordings from Tech-Ed website. These will only be available after the event. Required Slide Speakers, TechEd 2009 is not producing a DVD. Please announce that attendees can access session recordings from Tech-Ed website. These will only be available after the event. Tech ·Ed Africa 2009 sessions will be made available for download the week after the event from:
Required Slide Complete a session evaluation and enter to win! 10 pairs of MP3 sunglasses to be won
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. Required Slide