70-411: Administering Windows Server 2012

70-411: Administering Windows Server 2012
Chapter 4: Configure a Network Policy Server Infrastructure

Objective 4.1: Configuring a Network Policy Server

RADIUS Terms
• Network Policy Server (NPS): Microsoft’s RADIUS server.
• Authorization: The process that determines what a user is permitted to do on a computer system or network.
• RADIUS client: A server or device that forwards RADIUS requests to a RADIUS server.
• Access client: A computer or device that contacts or connects to a RADIUS client, which requires authentication and authorization to connect.
© 2013 John Wiley & Sons, Inc.

RADIUS Servers and Clients
[Figure: A network with RADIUS servers and clients]

Configuring RADIUS Server Infrastructures
Multiple RADIUS server configurations:
• A primary RADIUS server and alternate RADIUS servers
• A RADIUS proxy located between the RADIUS server and the RADIUS clients

Configuring RADIUS Clients
The standard configuration includes:
• A RADIUS server for dial-up or VPN connections
• A RADIUS server for 802.1X wireless or wired connections
• A NAP policy server

Managing RADIUS Templates
• RADIUS templates are designed to reduce the time and cost of configuring RADIUS on one or more servers.
• Creating a RADIUS template does not affect the functionality of NPS; a template affects the NPS server only when it is selected and applied while configuring RADIUS.

Configuring RADIUS Accounting
[Figure: RADIUS accounting exchange between the RADIUS client, the NPS server and the RADIUS accounting server; labels: "Generates an Accounting-Start message", "Sends an acknowledgment", "Generates an Accounting-Stop message"]
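The RADIUS client and server slides above rely on a shared secret, and the accounting slide shows Accounting-Start and Accounting-Stop messages being acknowledged. The following added example (constructed for this page, not NPS code or anything from the original deck) models that exchange with the standard RFC 2865/2866 authenticator constructions: the client proves knowledge of the secret in each Accounting-Request, and the server's acknowledgment is bound to the request it answers. The secret, user name and session id are sample values.

```python
"""RADIUS accounting with shared-secret authenticators (added example).

Constructed, stand-alone illustration of RFC 2865/2866 message
authentication; it is not NPS code and uses sample values throughout.
"""
import hashlib
import hmac
import struct

# Packet codes and attribute types used below (RFC 2865 / RFC 2866).
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
ATTR_USER_NAME, ATTR_ACCT_STATUS_TYPE, ATTR_ACCT_SESSION_ID = 1, 40, 44
ACCT_START, ACCT_STOP = 1, 2
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS type-length-value attributes."""
    out = b""
    for atype, value in attrs:
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def build_packet(code, identifier, authenticator, attrs):
    """Prepend the 20-byte RADIUS header to the encoded attributes."""
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs)) + authenticator + attrs


def parse_packet(packet):
    """Split a packet into (code, identifier, authenticator, attribute bytes)."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length != len(packet):
        raise ValueError("malformed RADIUS packet length")
    return code, identifier, packet[4:20], packet[20:length]


def response_authenticator(code, identifier, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def accounting_request_authenticator(identifier, attrs, secret):
    """Accounting-Request uses the same construction with 16 zero bytes (RFC 2866 section 3)."""
    return response_authenticator(ACCOUNTING_REQUEST, identifier, bytes(16), attrs, secret)


def client_accounting_request(secret, status_type, identifier, session_id):
    """RADIUS client (network access server) side: build Accounting-Start or -Stop."""
    attrs = encode_attrs([
        (ATTR_USER_NAME, b"alice"),                               # constructed user
        (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status_type)),
        (ATTR_ACCT_SESSION_ID, session_id),
    ])
    auth = accounting_request_authenticator(identifier, attrs, secret)
    return build_packet(ACCOUNTING_REQUEST, identifier, auth, attrs)


def server_acknowledge(request, secret):
    """Accounting server side: verify the request, then sign an Accounting-Response.

    A request whose authenticator does not verify is silently discarded
    (returns None), which is what RFC 2866 requires.
    """
    code, identifier, req_auth, attrs = parse_packet(request)
    expected = accounting_request_authenticator(identifier, attrs, secret)
    if code != ACCOUNTING_REQUEST or not hmac.compare_digest(req_auth, expected):
        return None
    resp_auth = response_authenticator(ACCOUNTING_RESPONSE, identifier, req_auth, b"", secret)
    return build_packet(ACCOUNTING_RESPONSE, identifier, resp_auth, b"")


def client_check_ack(request, response, secret):
    """Client side: accept the acknowledgment only if it is bound to our request."""
    _, req_id, req_auth, _ = parse_packet(request)
    code, resp_id, resp_auth, attrs = parse_packet(response)
    expected = response_authenticator(code, resp_id, req_auth, attrs, secret)
    return (code == ACCOUNTING_RESPONSE and resp_id == req_id
            and hmac.compare_digest(resp_auth, expected))


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"  # sample value, not a real deployment secret
    start = client_accounting_request(SECRET, ACCT_START, 7, b"sess-0001")
    ack = server_acknowledge(start, SECRET)
    print("Accounting-Start acknowledged:", client_check_ack(start, ack, SECRET))
    print("Wrong secret dropped by server:", server_acknowledge(start, b"other") is None)
```

The point for an NPS administrator is that the shared secret is the only thing authenticating a RADIUS client to the server (and the server's replies to the client): a RADIUS client entry with a weak or widely reused secret lets any host that can reach UDP 1812/1813 submit requests the server will treat as genuine, which is why the RADIUS client templates on later slides exist to manage secrets per client.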

Understanding NPS Authentication Methods
Authentication is usually broken down into the following categories:
• Password-based credentials
• Certificate-based credentials

Using Password-Based Authentication
• The network access server passes the username and password to the NPS server.
• The NPS server verifies the credentials against the user account database.
• Of the enabled methods, NPS processes them from the most secure (Microsoft Challenge-Handshake Authentication Protocol v2, MS-CHAPv2) to the least secure (unauthenticated access).
• For stronger security, use certificate authentication or multi-factor authentication.

Using Certificates for Authentication
• Much stronger than password-based authentication methods
• Certificates are:
  • Customized using certificate templates
  • Issued using a Certificate Authority
• If smart cards are used, certificates must include:
  • Smart Card Logon purpose
  • Client Authentication purpose

Using Certificates for Authentication (cont.)
A digital certificate is required, and the NPS server must use a server certificate, for:
• Protected Extensible Authentication Protocol Microsoft Challenge-Handshake Authentication Protocol v2 (PEAP-MS-CHAP v2)
• Protected Extensible Authentication Protocol Transport Layer Security (PEAP-TLS)
• Extensible Authentication Protocol Transport Layer Security (EAP-TLS)

Objective 4.2: Configuring NPS Policies

Network Policy Server (NPS) Policies
• Connection Request: Specifies which RADIUS servers perform authentication, authorization, and accounting
• Network: Specifies who is authorized to connect to the network and the circumstances under which they can or cannot connect
• Health: Establishes system health validators (SHVs) and other settings that define client computer configuration requirements for NAP-capable computers

Configuring Connection Request Policies
Connection request policies are based on a range of factors such as:
• The time of day and day of the week
• The realm name in the connection request
• The type of connection requested
• The IP address of the RADIUS client

Configuring Connection Request Policies
When you create a connection request policy, you define these parameters:
• Type of network access server, such as a remote access server (VPN or dial-up)
• Conditions that specify who or what can connect to the network, based on one or more RADIUS attributes
• Settings that are applied to an incoming RADIUS message, such as authentication, accounting, and attribute manipulation

Configuring Connection Request Policies
Connection request policy conditions:
• Are one or more RADIUS attributes that are compared to the attributes of the incoming RADIUS Access-Request message.
• If there are multiple conditions, all of the conditions in the connection request message and in the connection request policy must match in order for the policy to be enforced by NPS.

Configuring Network Policies
An NPS network policy evaluates remote connections based on these three components:
• Conditions
• Constraints
• Settings
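The two preceding slides say that every condition must match for a policy to apply, and that a network policy is made of conditions, constraints and settings. The following added example (a constructed model written for this page, not NPS code or part of the original deck) evaluates an ordered list of such policies against a RADIUS request. It models documented NPS behaviour beyond what the slides spell out: policies are processed in order, the first policy whose conditions all match decides the outcome, a matching policy whose constraints are not met rejects the request rather than falling through to the next policy, and a request matching no policy is rejected. Condition matching is simplified to Python regular expressions; the policy names, group names and attribute values are sample data.

```python
"""NPS-style policy evaluation: conditions, constraints, settings (added example).

Constructed model, not NPS code. Conditions are regular expressions over
RADIUS attributes; constraints are an allowed-authentication set and a
day-and-time window; settings are the attributes returned on accept.
"""
import re
from dataclasses import dataclass, field


@dataclass
class NetworkPolicy:
    name: str
    conditions: dict                    # attribute -> regex; all must match
    constraints: dict = field(default_factory=dict)
    settings: dict = field(default_factory=dict)
    grant: bool = True                  # False models a "deny access" policy


def condition_matches(pattern, value):
    """A list-valued attribute (e.g. Windows-Groups) matches if any member does."""
    values = value if isinstance(value, (list, tuple, set)) else [value]
    return any(re.fullmatch(pattern, str(v)) for v in values)


def all_conditions_match(policy, request):
    """Every condition must match the incoming Access-Request."""
    return all(attr in request and condition_matches(pat, request[attr])
               for attr, pat in policy.conditions.items())


def failed_constraints(policy, request):
    """Return the list of constraints the request violates (empty means satisfied)."""
    failed = []
    allowed = policy.constraints.get("auth_types")
    if allowed is not None and request.get("Auth-Type") not in allowed:
        failed.append("auth_types")
    hours = policy.constraints.get("day_and_time")
    if hours is not None:
        start, end = hours.get(request.get("Weekday"), (0, 0))
        if not start <= request.get("Hour", -1) < end:
            failed.append("day_and_time")
    return failed


def evaluate(policies, request):
    """Process policies in order; the first whose conditions match decides.

    Returns (decision, policy name, detail): on accept the detail is the
    policy's settings, on reject it is the list of failed constraints.
    """
    for policy in policies:
        if not all_conditions_match(policy, request):
            continue                     # NPS moves on to the next policy
        if not policy.grant:
            return ("reject", policy.name, [])
        failed = failed_constraints(policy, request)
        if failed:
            return ("reject", policy.name, failed)   # no fall-through
        return ("accept", policy.name, policy.settings)
    return ("reject", None, ["no matching policy"])


# Constructed sample policies, processed top to bottom (deny rule first).
POLICIES = [
    NetworkPolicy("Deny contractors on VPN",
                  {"Windows-Groups": r"CONTOSO\\Contractors", "NAS-Port-Type": "Virtual"},
                  grant=False),
    NetworkPolicy("Staff VPN",
                  {"Windows-Groups": r"CONTOSO\\VPN-Users", "NAS-Port-Type": "Virtual"},
                  constraints={"auth_types": {"MS-CHAPv2", "EAP-TLS"},
                               "day_and_time": {d: (7, 20) for d in
                                                ("Mon", "Tue", "Wed", "Thu", "Fri")}},
                  settings={"Encryption": "MPPE-128", "Idle-Timeout-Minutes": 15}),
]


def sample_request(groups, auth="MS-CHAPv2", weekday="Mon", hour=10):
    """Constructed request as NPS would see it after the connection request policy ran."""
    return {"User-Name": "alice", "Windows-Groups": groups, "NAS-Port-Type": "Virtual",
            "Auth-Type": auth, "Weekday": weekday, "Hour": hour}


if __name__ == "__main__":
    staff = ["CONTOSO\\Domain Users", "CONTOSO\\VPN-Users"]
    print(evaluate(POLICIES, sample_request(staff)))
    print(evaluate(POLICIES, sample_request(staff, auth="PAP")))
```

Because a matching policy with unmet constraints rejects instead of falling through, a deny policy placed first is the reliable way to exclude a group; the last assertion in the test shows a user who is in both groups is still denied, which is the ordering behaviour to check whenever a new policy is inserted above existing ones.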

Multilink and Bandwidth Allocation
ISDN includes multiple channels, which allow simultaneous voice and data communications. With multilink and Bandwidth Allocation Protocol (BAP) settings, you can specify:
• Whether multiple connections form a single connection to increase bandwidth
• How BAP determines when these extra lines are dropped

Encryption Options
• Basic Encryption (MPPE 40-Bit): For dial-up and PPTP-based VPN connections, MPPE is used with a 40-bit key. For L2TP/IPsec VPN connections, 56-bit DES encryption is used.
• Strong Encryption (MPPE 56-Bit): For dial-up and PPTP VPN connections, MPPE is used with a 56-bit key. For L2TP/IPsec VPN connections, 56-bit DES encryption is used.
• Strongest Encryption (MPPE 128-Bit): For dial-up and PPTP VPN connections, MPPE is used with a 128-bit key. For L2TP/IPsec VPN connections, 168-bit Triple DES encryption is used.
• No Encryption: This option allows unencrypted connections that match the remote access policy conditions. Clear this option to require encryption.

IP Addressing
IP settings include these options:
• Server Must Supply An IP Address
• Client May Request An IP Address
• Server Settings Determine IP Address Assignment (the default setting)
• Assign A Static IP Address

Managing NPS Templates
NPS template types available in Templates Management:
• Shared Secrets
• RADIUS Clients
• Remote RADIUS Servers
• IP Filters
• Health Policies
• Remediation Server Groups

Objective 4.3: Configuring Network Access Protection (NAP)

Network Access Protection (NAP)
• NAP is Microsoft’s software for controlling network access for computers based on the health of the host.
• NAP can be used on any computer that runs Windows and supports NAP.
• Types of computers that connect to a network:
  • Desktop computers
  • Roaming laptops
  • Unmanaged home computers
  • Visiting laptops

NAP Built-In Enforcement Methods
• DHCP
• IPsec
• VPN
• 802.1x
• Remote Desktop Gateway (RD Gateway)

DHCP Enforcement
To control network access, DHCP enforcement sets the following:
• The DHCP Router option is set to 0.0.0.0, so noncompliant computers do not have a configured default gateway.
• The subnet mask is set to 255.255.255.255, so that there are no routes to the attached subnet.

NAP Architecture Components
• NAP client-side components
• NAP enforcement points
• NAP health policy server
• System Health Agents (SHAs)

NAP Architecture Components (cont.)
• Statement of Health (SoH)
• NAP Agent
• Health Registration Authority (HRA)
• Health requirements server
• Remediation servers

Installing Network Access Protection
• Because NAP is offered through NPS, the installation is similar to installing NPS.
• However, you also want to add the HRA, which issues health certificates to NAP client computers that are compliant with network health requirements.
• For the HRA to function, you need a CA available.

System Health Validators
• System Health Validator (SHV) settings define the requirements for client computers that connect to your network.
• You configure SHVs using the Network Policy Server console.
• Windows 8 includes a Windows Security Health Validator SHA that monitors the Windows Security Center settings. Windows Server 2012 includes a corresponding Windows Security Health Validator SHV.

Configuring System Health Validators
SHV options:
• Firewall Settings
• Antivirus Settings
• Spyware Protection Settings
• Automatic Updates Settings
• Security Updates Settings

Configuring Health Policies
Health policies consist of one or more system health validators and other settings that enable you to define client computer configuration requirements for the NAP-capable computers that attempt to connect to your network.
Health policy pairs:
• NAP-compliant
• NAP-noncompliant

Configuring Health Policies
NAP enforcement settings:
• NAP DHCP-compliant: Allow full network access.
• NAP DHCP-noncompliant: Allow limited access.
• NAP DHCP non-NAP-capable: Allow full network access.

Configuring Isolation and Remediation
• If a computer is noncompliant, it should be isolated from the production network.
• When you configure NAP, you can configure either a monitor-only policy or an isolation policy.
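The DHCP enforcement, SHV option, health policy and isolation slides above describe one decision chain: the client's Statement of Health is checked against the SHV requirements, the result selects the compliant, noncompliant or non-NAP-capable health policy, and the enforcement setting decides whether the client gets full access or the limited DHCP configuration (router 0.0.0.0, mask 255.255.255.255). The following added example (a constructed model written for this page, not Microsoft's NAP implementation or code from the deck) carries that chain through, including the monitor-only mode from the isolation slide. The SoH fields mirror the SHV options listed on the slide; the lease values are sample data.

```python
"""NAP health evaluation and DHCP enforcement outcome (added example).

Constructed model of the slides' health policy pair and DHCP enforcement,
not Microsoft's NAP implementation. The SoH fields mirror the Windows
Security Health Validator options; the lease values are sample data.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class StatementOfHealth:
    """What the client's System Health Agent reports (constructed fields)."""
    firewall_on: bool
    antivirus_on: bool
    antivirus_up_to_date: bool
    antispyware_on: bool
    automatic_updates_on: bool
    security_updates_current: bool


# The SHV requirements: every listed check must be True to be compliant.
SHV_REQUIREMENTS = ("firewall_on", "antivirus_on", "antivirus_up_to_date",
                    "antispyware_on", "automatic_updates_on", "security_updates_current")


def validate_soh(soh):
    """Return the list of SHV checks the client fails."""
    return [check for check in SHV_REQUIREMENTS if not getattr(soh, check)]


def health_state(soh: Optional[StatementOfHealth]):
    """Map a SoH (or its absence) onto the three NAP DHCP health policies."""
    if soh is None:
        return "non-NAP-capable"          # no NAP agent/SHA on the client
    return "compliant" if not validate_soh(soh) else "noncompliant"


def dhcp_enforcement(soh, lease, mode="isolate"):
    """Decide the DHCP options a NAP-enabled DHCP server hands out.

    mode="monitor" models a monitor-only policy: noncompliance is recorded
    but full access is still granted. mode="isolate" restricts a
    noncompliant client as the DHCP Enforcement slide describes: no default
    gateway and a /32 mask, so it can reach only what remediation routes
    later allow. Non-NAP-capable clients get full access, as on the slide.
    """
    state = health_state(soh)
    failed = validate_soh(soh) if soh is not None else []
    limited = state == "noncompliant" and mode == "isolate"
    options = {
        "yiaddr": lease["address"],
        "router": "0.0.0.0" if limited else lease["router"],
        "subnet_mask": "255.255.255.255" if limited else lease["subnet_mask"],
    }
    return {"health": state, "failed_checks": failed,
            "access": "limited" if limited else "full", "options": options}


# Constructed sample lease that a compliant client would receive.
SAMPLE_LEASE = {"address": "192.0.2.50", "router": "192.0.2.1", "subnet_mask": "255.255.255.0"}
HEALTHY = StatementOfHealth(True, True, True, True, True, True)
NO_AV_UPDATES = StatementOfHealth(True, True, False, True, True, False)


if __name__ == "__main__":
    for label, soh in (("healthy", HEALTHY), ("stale AV", NO_AV_UPDATES), ("no agent", None)):
        print(label, dhcp_enforcement(soh, SAMPLE_LEASE))
```

Two things the model makes visible that are easy to miss when only reading the slides: a non-NAP-capable client is not isolated by default, so DHCP enforcement alone does not keep an unmanaged host off the network; and in monitor-only mode the noncompliant result is the audit record (the `failed_checks` list) rather than a restriction, which is the mode to run first to see which SHV checks a population of clients would fail before switching to isolation.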

Configuring Isolation and Remediation
Remediation servers typically consist of:
• DHCP servers to provide IP configuration
• Naming servers, including DNS servers and WINS servers
• Active Directory domain controllers (read-only domain controllers are recommended to minimize security risks)
• Internet proxy servers, so that noncompliant NAP clients can access the Internet

Configuring Isolation and Remediation
Remediation servers typically consist of (continued):
• HRAs, so that noncompliant NAP clients can obtain a health certificate for the IPsec enforcement method
• A web server that hosts the troubleshooting URL, so users can access information on compliance
• Anti-virus/anti-malware servers, from which clients retrieve anti-virus/anti-malware updates
• Software update servers, so that clients can get Windows updates

Configuring NAP Client Settings
• Some NAP deployments that use the Windows Security Health Validator require Security Center; you can enable Security Center on NAP-capable clients with the Enable Security Center setting in Group Policy.
• In the Services console, start the Network Access Protection Agent service and set its startup type to Automatic.