Implementing Network Access Protection

Presentation on theme: "Implementing Network Access Protection"— Presentation transcript:

1 Implementing Network Access Protection
20411B 9: Implementing Network Access Protection
Presentation: 90 minutes
Lab: 60 minutes

After completing this module, students will be able to:
Describe how Network Access Protection (NAP) can help protect your network.
Describe the various NAP enforcement processes.
Configure NAP.
Monitor and troubleshoot NAP.

Required materials
To teach this module, you need the Microsoft® Office PowerPoint® file 20411B_09.pptx.
Important: We recommend that you use PowerPoint 2007 or a newer version to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all the features of the slides might not display correctly.

Preparation tasks
To prepare for this module:
Read all of the materials for this module.
Practice performing the demonstrations and the lab exercises.
Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance.

Module 9 Implementing Network Access Protection

2 Monitoring and Troubleshooting NAP
Module Overview 9: Implementing Network Access Protection
Monitoring and Troubleshooting NAP

3 Lesson 1: Overview of Network Access Protection
20411B Lesson 1: Overview of Network Access Protection 9: Implementing Network Access Protection NAP Platform Architecture

4 What Is Network Access Protection?
20411B What Is Network Access Protection? 9: Implementing Network Access Protection

NAP can:
Enforce health-requirement policies on client computers
Ensure client computers are compliant with policies
Offer remediation support for computers that do not meet health requirements

NAP cannot:
Prevent authorized users with compliant computers from performing malicious activity on the network
Restrict network access for computers that are running Windows versions previous to Windows XP SP2, when exception rules are configured for those computers

Describe NAP capabilities and characteristics by expanding on the information that the slide includes.

What NAP can do:
Enforce health-requirement policies on client computers that are running Windows® XP Service Pack 3 (SP3), Windows Vista®, Windows® 7, and Windows 8.
Ensure that client computers remain compliant with existing policies.
Offer remediation support for computers that do not meet the health requirements for full network access.

What NAP cannot do:
Prevent authorized users with compliant computers from performing malicious activity on the network.
Restrict network access for computers that are running Windows versions that are previous to Windows XP Service Pack 2 (SP2), if you configure exception rules for those computers.

NAP has three important and distinct uses:
Health state validation. Validates a computer’s health against health policies.
Health policy compliance. Updates client computers that do not meet the requirements.
Limited access enforcement. Isolates noncompliant computers onto a remediation network with limited access.

Emphasize that NAP is a compliance tool, not a security tool. NAP provides an extra security layer, but it is not a complete security solution.

NAP is enforced and supported by the following methods, which will be discussed in detail later:
Internet Protocol Security (IPsec)-protected traffic
IEEE 802.1X-authenticated connections
Virtual private network (VPN) connections
Dynamic Host Configuration Protocol (DHCP) address configurations

Explain that unlike Network Access Quarantine Control (NAQC), NAP offers continuous health-state monitoring of connected computers. You can configure exception rules that will not limit access to computers that are not NAP capable, or to those that are running Windows versions that are previous to Windows XP SP3 or client operating systems from other vendors.

5 NAP Scenarios NAP helps you to verify the health state of:
20411B NAP Scenarios 9: Implementing Network Access Protection

NAP helps you to verify the health state of:
Roaming laptops
Visiting laptops
Unmanaged home computers
Desktop computers

Describe each scenario, and ask students whether any of these scenarios might apply in their organizations.

6 NAP Enforcement Methods
20411B NAP Enforcement Methods 9: Implementing Network Access Protection

Method: IPsec enforcement for IPsec-protected communications
Key points: Computer must be compliant to communicate with other compliant computers. This is the strongest NAP enforcement type, and can be applied per IP address or protocol port number.

Method: 802.1X enforcement for IEEE 802.1X-authenticated wired or wireless connections
Key points: Computer must be compliant to obtain unlimited access through an 802.1X connection (authentication switch or access point).

Method: VPN enforcement for remote access connections
Key points: Computer must be compliant to obtain unlimited access through a Remote Access Service connection.

Method: DirectAccess
Key points: Computer must be compliant to obtain unlimited network access. For noncompliant computers, access is restricted to a defined group of infrastructure servers.

Method: DHCP enforcement for DHCP-based address configuration
Key points: Computer must be compliant to receive an unlimited access IPv4 address configuration from DHCP. This is the weakest form of NAP enforcement.

Briefly explain each of the methods. Emphasize that the next lesson covers these methods in more detail.

7 NAP Platform Architecture
20411B NAP Platform Architecture 9: Implementing Network Access Protection

[Slide diagram: NAP platform architecture. It shows the intranet with remediation servers, the NAP health policy server, a DHCP server, a Health Registration Authority, IEEE 802.1X devices, Active Directory and a VPN server; the perimeter network and the Internet; and the restricted network containing a NAP client with limited access.]

Use the slide to highlight each of the following components:
NAP clients
NAP enforcement points
NAP health policy servers
Health requirement servers
AD DS
Restricted networks

8 Lesson 2: Overview of NAP Enforcement Processes
20411B Lesson 2: Overview of NAP Enforcement Processes 9: Implementing Network Access Protection DHCP Enforcement

9 NAP Enforcement Processes
20411B NAP Enforcement Processes 9: Implementing Network Access Protection

[Slide diagram: NAP enforcement processes. Components shown: HRA, VPN server, DHCP server, IEEE 802.1X network access devices, health requirement server, remediation server, NAP client and NAP health policy server. Message types shown between them: RADIUS messages, system health updates, HTTP or HTTP over SSL messages, requirement queries, DHCP messages, PEAP messages over PPP, and PEAP messages over EAPOL.]

The interactions for the computers and devices of a NAP-enabled network infrastructure depend on the NAP enforcement methods chosen for unlimited network connectivity. The architecture’s client side and server side have processes that enable policy validation for the client, or remediation of network access to help the client become compliant with the requirements for unrestricted network access.

10 Key points of IPsec NAP enforcement include:
20411B IPsec Enforcement 9: Implementing Network Access Protection

Key points of IPsec NAP enforcement include:
The IPsec NAP enforcement comprises a health certificate server and an IPsec NAP enforcement client (EC)
The health-certificate server issues X.509 certificates to quarantine clients when they are verified as compliant. Certificates are then used to authenticate NAP clients when they initiate IPsec-secured communications with other NAP clients on an intranet.
IPsec enforcement confines the communication on a network to those nodes that are considered compliant
You can define requirements for secure communications with compliant clients on a per-IP address or a per-TCP/UDP port-number basis

Explain the following IPsec enforcement process:
1. The IPsec enforcement client component sends its current health state to the HRA.
2. The HRA sends the NAP client’s health-state information to the NAP health-policy server.
3. The NAP health-policy server evaluates the NAP client’s health-state information, determines whether the NAP client is compliant, and sends the results to the HRA. If the NAP client is not compliant, the results include health-remediation instructions.
4. If the health state is compliant, the HRA obtains a health certificate for the NAP client. The NAP client now can initiate IPsec-protected communication with other compliant computers by using its health certificate for IPsec authentication. It then responds to communications initiated from other compliant computers that authenticate by using their own health certificate.
5. If the health state is not compliant, the HRA informs the NAP client how to correct its health state, and does not issue a health certificate. The NAP client cannot initiate communication with other computers that require a health certificate for IPsec authentication. However, the NAP client can initiate communications with remediation servers to correct its health state.
6. The NAP client sends update requests to the appropriate remediation servers.
7. The remediation servers provide the NAP client with the required updates for compliance with health requirements.
8. The NAP client updates its health-state information.
9. The NAP client sends its updated health-state information to the HRA, and the HRA sends the updated health-state information to the NAP health-policy server.
10. Assuming that all the required updates were made, the NAP health-policy server determines that the NAP client is compliant, and then sends that result to the HRA.
11. The HRA obtains a health certificate for the NAP client. The NAP client now can initiate IPsec-protected communication with other compliant computers.

11 20411B 802.1X Enforcement 9: Implementing Network Access Protection

Key points of 802.1X wired or wireless NAP enforcement:
Computer must be compliant to obtain unlimited network access through an 802.1X-authenticated network connection
Noncompliant computers are limited through a restricted-access profile that the Ethernet switch or wireless AP places on the connection
Restricted access profiles can specify IP packet filters or a VLAN identifier that corresponds to the restricted network
802.1X enforcement actively monitors the health status of the connected NAP client and applies the restricted access profile to the connection if the client becomes noncompliant

Explain how 802.1X enforcement works for a NAP client that is initiating an 802.1X-authenticated connection on the intranet. The following steps explain this in more detail:
1. The NAP client and the Ethernet switch or wireless AP begin 802.1X authentication.
2. The NAP client sends its user or computer authentication credentials to the NAP health policy server, which also is acting as an authentication, authorization, and accounting (AAA) server. If the authentication credentials are not valid, NAP terminates the connection attempt.
3. If the authentication credentials are valid, the NAP health policy server requests the health state from the NAP client.
4. The NAP client sends its health-state information to the NAP health policy server.
5. The NAP health policy server evaluates the health-state information of the NAP client, determines whether the NAP client is compliant, and sends the results to the NAP client and the Ethernet switch or wireless AP. If the NAP client is not compliant, the results include a limited-access profile for the Ethernet switch or wireless AP, and health-remediation instructions for the NAP client.
6. If the health state is compliant, the Ethernet switch or wireless AP completes the 802.1X authentication, and the NAP client has unlimited intranet access.
7. If the health state is not compliant, the Ethernet switch or wireless AP completes the 802.1X authentication, but limits the client’s access to the restricted network. The NAP client can send traffic only to the remediation servers on the restricted network.
8. The NAP client sends update requests to the remediation servers.
9. The remediation servers provision the NAP client with the required updates for compliance with health policy.
10. The NAP client updates its health-state information.
11. The NAP client restarts 802.1X authentication and sends its updated health-state information to the NAP health policy server.
12. Assuming that all the required updates were made, the NAP health policy server determines that the NAP client is compliant, and instructs the Ethernet switch or wireless AP to allow unlimited access.
13. The Ethernet switch or wireless AP completes the 802.1X authentication, and the NAP client has unlimited intranet access.

12 Key points of VPN NAP enforcement:
20411B VPN Enforcement 9: Implementing Network Access Protection

Key points of VPN NAP enforcement:
Computer must be compliant to obtain unlimited network access through a remote access VPN connection
Noncompliant computers have network access limited through a set of IP packet filters that the VPN server applies to the VPN connection
VPN enforcement actively monitors the health status of the NAP client and then applies the IP packet filters for the restricted network to the VPN connection if the client becomes noncompliant

Explain the following process on how VPN enforcement works for a NAP client that is initiating a VPN connection to the intranet:
1. The NAP client initiates a connection to the VPN server.
2. The NAP client sends its user authentication credentials to the NAP health policy server, which also is acting as an AAA server. If the authentication credentials are not valid, NAP terminates the VPN connection.
3. If the authentication credentials are valid, the NAP health policy server requests the health state from the NAP client.
4. The NAP client sends its health-state information to the NAP health policy server.
5. The NAP health policy server evaluates the health-state information of the NAP client, determines whether the NAP client is compliant, and then sends the results to the NAP client and the VPN server. If the NAP client is not compliant, the results include a set of packet filters for the VPN server and health-remediation instructions for the NAP client.
6. If the health state is compliant, the VPN server completes the VPN connection, and the NAP client has unlimited intranet access.
7. If the health state is not compliant, the VPN server completes the VPN connection but, based on the packet filters, limits the access of the NAP client to the restricted network. The NAP client can send traffic only to the remediation servers on the restricted network.
8. The NAP client sends update requests to the remediation servers.
9. The remediation servers provide the NAP client with the required updates for health-policy compliance.
10. The NAP client updates its health-state information.
11. The NAP client restarts authentication with the VPN server and sends its updated health-state information to the NAP health policy server.
12. Assuming that all the required updates were made, the NAP health-policy server determines that the NAP client is compliant, and instructs the VPN server to allow unlimited access.
13. The VPN server completes the VPN connection, and the NAP client has unlimited intranet access.

13 Key points of DHCP NAP enforcement:
20411B DHCP Enforcement 9: Implementing Network Access Protection

Key points of DHCP NAP enforcement:
Computers must be compliant to obtain an unlimited access IPv4 address configuration from a DHCP server
Noncompliant computers receive an IPv4 address configuration that allows access to the restricted network only
DHCP enforcement actively monitors the health status of the NAP client, renewing the IPv4 address configuration for access only to the restricted network if the client becomes noncompliant

Explain the following process on how DHCP enforcement works for a NAP client that is attempting an initial DHCP configuration on the intranet:
1. The NAP client sends a DHCP request message containing its health-state information to the DHCP server.
2. The DHCP server sends the health-state information of the NAP client to the NAP health policy server.
3. The NAP health policy server evaluates the health-state information of the NAP client, determines whether the NAP client is compliant, and sends the results to the NAP client and the DHCP server. If the NAP client is not compliant, the results include a limited-access configuration for the DHCP server and health-remediation instructions for the NAP client.
4. If the health state is compliant, the DHCP server assigns an IPv4 address configuration for unlimited access to the NAP client and completes the DHCP message exchange.
5. If the health state is not compliant, the DHCP server assigns an IPv4 address configuration for limited access to the restricted network to the NAP client, and then completes the DHCP message exchange. The NAP client can send traffic only to the remediation servers on the restricted network.
6. The NAP client sends update requests to the remediation servers.
7. The remediation servers provide the NAP client with the required updates for health-policy compliance.
8. The NAP client updates its health-state information.
9. The NAP client sends a new DHCP request message containing its updated health-state information to the DHCP server.
10. The DHCP server sends the updated health-state information of the NAP client to the NAP health policy server.
11. Assuming that all required updates are made, the NAP health policy server determines that the NAP client is compliant, and then instructs the DHCP server to assign an IPv4 address configuration for unlimited intranet access.
12. The DHCP server assigns an IPv4 address configuration for unlimited access to the NAP client, and then completes the DHCP message exchange.

14 Lesson 3: Configuring NAP
20411B Lesson 3: Configuring NAP 9: Implementing Network Access Protection Demonstration: Configuring NAP

15 What Are System Health Validators?
20411B What Are System Health Validators? 9: Implementing Network Access Protection

System health validators are server software counterparts to system health agents
Each SHA on the client has a corresponding SHV in NPS
SHVs allow NPS to verify the statement of health made by its corresponding SHA on the client
SHVs contain the required configuration settings on client computers
The Windows Security SHV corresponds to the Microsoft SHA on client computers

Consider opening the NPS console, and under Network Access Protection in the console tree, expand System Health Validators, expand Windows Security Health Validator, and then click Settings. In the details pane, double-click Default Configuration. Point out the settings for Windows 8 and for Windows XP. Describe some of the options that are available to create a health policy with which client computers must comply.

16 20411B What Is a Health Policy? 9: Implementing Network Access Protection

To make use of the Windows Security Health Validator, you must configure a health policy and assign the SHV to it
Health policies consist of one or more SHVs and other settings, which you can use to define configuration requirements for NAP-capable computers that attempt to connect to your network
You can define client health policies in NPS by adding one or more SHVs to the health policy
NAP enforcement is accomplished by NPS on a per-network policy basis
After you create a health policy by adding one or more SHVs to the policy, you can add the health policy to the network policy, and enable NAP enforcement in the policy

Show students what a health policy looks like by opening the NPS console.

17 What Are Remediation Server Groups?
20411B What Are Remediation Server Groups? 9: Implementing Network Access Protection

With NAP enforcement in place, you should specify remediation server groups so the clients have access to resources that bring noncompliant NAP-capable clients into compliance
A remediation server hosts the updates that the NAP agent can use to bring noncompliant client computers into compliance with the health policy that NPS defines
A remediation server group is a list of servers on the restricted network that noncompliant NAP clients can access for software updates

Show students how to configure a remediation server group by opening the NPS console.
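To make the chain from SHV checks to health policy to network policy to DHCP enforcement concrete, here is an added example in Python that simulates it; it is not code from the course or from NPS or the DHCP server. It follows the DHCP enforcement process from Lesson 2 (statement of health, evaluation, restricted lease, remediation, new request) and the policy names used in this module's demonstration (Compliant and Noncompliant health policies, Compliant-Full-Access and Noncompliant-Restricted network policies, the restricted.adatum.com suffix); the DNS server addresses, the single required firewall check and the remediation behaviour are assumptions constructed for the example.

```python
"""Simulation of NAP health-policy evaluation and DHCP enforcement.

Added example, not code from the course or from Windows NPS/DHCP. The SHV
check, policy names and restricted DNS suffix follow the demonstration in
this module; the IP addresses and the remediation behaviour are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Checks the Windows Security Health Validator would assess. The demo keeps
# only the firewall check enabled, so that is the only required one here.
REQUIRED_CHECKS = ("firewall_enabled",)


@dataclass
class StatementOfHealth:
    """What the client's system health agent (SHA) reports."""
    firewall_enabled: bool
    antivirus_on: bool = True  # present but not required by the demo policy


def shv_failures(soh: StatementOfHealth, required=REQUIRED_CHECKS) -> List[str]:
    """SHV stand-in: names of the required checks the client fails."""
    return [name for name in required if not getattr(soh, name)]


def match_health_policy(failures: List[str]) -> str:
    """Health policy selection: 'Compliant' = client passes all SHV checks,
    'Noncompliant' = client fails one or more SHV checks."""
    return "Compliant" if not failures else "Noncompliant"


# Network policies keyed by the health policy used as their condition, with
# the NAP Enforcement setting chosen in the demonstration.
NETWORK_POLICIES = {
    "Compliant": {"name": "Compliant-Full-Access", "nap_enforcement": "full"},
    "Noncompliant": {"name": "Noncompliant-Restricted", "nap_enforcement": "limited"},
}

# Constructed addresses (the demonstration leaves the DNS server address blank).
FULL_ACCESS_DNS = "172.16.0.10"
RESTRICTED_DNS = "172.16.0.99"
RESTRICTED_SUFFIX = "restricted.adatum.com"


@dataclass
class DhcpLease:
    access: str                 # "full" or "limited"
    dns_servers: List[str]      # DHCP option 006
    dns_suffix: str             # DHCP option 015
    remediation: List[str] = field(default_factory=list)


def nps_evaluate(soh: StatementOfHealth) -> Tuple[dict, List[str]]:
    """NAP health policy server: pick the network policy and, for a
    noncompliant client, the remediation instructions."""
    failures = shv_failures(soh)
    return NETWORK_POLICIES[match_health_policy(failures)], failures


def dhcp_server_answer(soh: StatementOfHealth) -> DhcpLease:
    """DHCP enforcement point: forward the SoH to NPS and build the lease."""
    policy, failures = nps_evaluate(soh)
    if policy["nap_enforcement"] == "full":
        return DhcpLease("full", [FULL_ACCESS_DNS], "adatum.com")
    # Limited access: the DHCP policy for the Default Network Access
    # Protection Class hands out the restricted DNS server and suffix.
    return DhcpLease("limited", [RESTRICTED_DNS], RESTRICTED_SUFFIX, failures)


def remediate(soh: StatementOfHealth, failures: List[str]) -> StatementOfHealth:
    """Remediation server stand-in: the client applies the fixes it was told about."""
    for name in failures:
        setattr(soh, name, True)
    return soh


def dhcp_enforcement_cycle(soh: StatementOfHealth, max_rounds: int = 3):
    """Run the client / DHCP server / NPS exchange until full access is granted.
    Returns the sequence of access levels seen and the final lease."""
    lease = dhcp_server_answer(soh)
    history = [lease.access]
    while lease.access != "full" and len(history) < max_rounds:
        remediate(soh, lease.remediation)       # only remediation servers reachable
        lease = dhcp_server_answer(soh)         # new DHCP request with updated SoH
        history.append(lease.access)
    return history, lease


if __name__ == "__main__":
    history, lease = dhcp_enforcement_cycle(StatementOfHealth(firewall_enabled=False))
    print(history, lease)
```

A client that starts with its firewall off first receives the limited lease (restricted DNS server and restricted.adatum.com suffix), remediates, and on its next DHCP request is matched by the Compliant health policy and gets the full-access lease, which is the same sequence the demonstration produces when the Windows Firewall service is stopped and restarted.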

18 NAP Client Configuration
20411B NAP Client Configuration 9: Implementing Network Access Protection

Some NAP deployments that use Windows Security Health Validator require that you enable Security Center
The Network Access Protection service is required when you deploy NAP to NAP-capable client computers
You must configure the NAP enforcement clients on the NAP-capable computers
Most NAP client settings can be configured with Group Policy objects

Show students how to complete the client-side configuration tasks, or do so with the demonstration steps that the next topic provides, and use this topic to enhance your demonstration.

19 Demonstration: Configuring NAP
20411B Demonstration: Configuring NAP 9: Implementing Network Access Protection

In this demonstration, you will see how to:
Install the NPS server role
Configure NPS as a NAP health policy server
Configure health policies
Configure network policies for compliant computers
Configure network policies for noncompliant computers
Configure the DHCP server role for NAP
Configure client NAP settings
Test NAP

Leave all virtual machines in their current state for subsequent demonstrations.

Preparation Steps
You will need to use the 20411B-LON-DC1 and 20411B-LON-CL1 virtual machines to perform this demonstration.

Demonstration Steps

Install the NPS server role
1. Switch to LON-DC1 and sign in as Adatum\administrator with the password Pa$$w0rd.
2. If necessary, on the taskbar, click Server Manager.
3. In the details pane, click Add roles and features.
4. In the Add Roles and Features Wizard, click Next.
5. On the Select installation type page, click Role-based or feature-based installation, and then click Next.
6. On the Select destination server page, click Next.
7. On the Select server roles page, select the Network Policy and Access Services check box. Click Add Features, and then click Next twice.
8. On the Network Policy and Access Services page, click Next.
9. On the Select role services page, verify that the Network Policy Server check box is selected, and then click Next.
10. On the Confirm installation selections page, click Install.
11. Verify that the installation was successful, and then click Close.
12. Close the Server Manager window.
(More notes on the next slide)

20 9: Implementing Network Access Protection
20411B 9: Implementing Network Access Protection

Configure NPS as a NAP health policy server
1. Pause your mouse pointer in the lower-left corner of the taskbar, and then click Start.
2. On the Start screen, click Network Policy Server.
3. In the navigation pane, expand Network Access Protection, expand System Health Validators, expand Windows Security Health Validator, and then click Settings.
4. In the right pane under Name, double-click Default Configuration.
5. In the navigation pane, click Windows 8/Windows 7/Windows Vista.
6. In the details pane, clear all check boxes except the A firewall is enabled for all network connections check box.
7. Click OK to close the Windows Security Health Validator dialog box.

Configure health policies
1. In the navigation pane, expand Policies.
2. Right-click Health Policies, and then click New.
3. In the Create New Health Policy dialog box, under Policy name, type Compliant.
4. Under Client SHV checks, verify that Client passes all SHV checks is selected.
5. Under SHVs used in this health policy, select the Windows Security Health Validator check box.
6. Click OK.
7. In the Create New Health Policy dialog box, under Policy Name, type Noncompliant.
8. Under Client SHV checks, select Client fails one or more SHV checks.
(More notes on the next slide)

21 9: Implementing Network Access Protection
20411B 9: Implementing Network Access Protection

Configure network policies for compliant computers
1. In the navigation pane, under Policies, click Network Policies.
Important: Disable the two default policies found under Policy Name by right-clicking the policies, and then clicking Disable.
2. Right-click Network Policies, and then click New.
3. On the Specify Network Policy Name and Connection Type page, under Policy name, type Compliant-Full-Access, and then click Next.
4. On the Specify Conditions page, click Add.
5. In the Select condition dialog box, double-click Health Policies.
6. In the Health Policies dialog box, under Health policies, select Compliant, and then click OK.
7. On the Specify Conditions page, click Next.
8. On the Specify Access Permission page, click Next.
9. On the Configure Authentication Methods page, clear all check boxes, select the Perform machine health check only check box, and then click Next.
10. Click Next again.
11. On the Configure Settings page, click NAP Enforcement. Verify that Allow full network access is selected, and then click Next.
12. On the Completing New Network Policy page, click Finish.

Configure network policies for noncompliant computers
1. Right-click Network Policies, and then click New.
2. On the Specify Network Policy Name And Connection Type page, under Policy name, type Noncompliant-Restricted, and then click Next.
(More notes on the next slide)

22 9: Implementing Network Access Protection
20411B 9: Implementing Network Access Protection

1. In the Select condition dialog box, double-click Health Policies.
2. In the Health Policies dialog box, under Health policies, select Noncompliant, and then click OK.
3. On the Specify Conditions page, click Next.
4. On the Specify Access Permission page, verify that Access granted is selected, and then click Next.
5. On the Configure Authentication Methods page, clear all check boxes, select the Perform machine health check only check box, and then click Next.
6. Click Next again.
7. On the Configure Settings page, click NAP Enforcement. Click Allow limited access.
8. Clear the Enable auto-remediation of client computers check box.
9. Click Next, and then click Finish.

Configure the DHCP server role for NAP
1. Pause your mouse pointer in the lower-left corner of the taskbar, and then click Start.
2. In Start, click Administrative Tools, and then double-click DHCP.
3. In DHCP, expand LON-DC1.Adatum.com, expand IPv4, right-click Scope [ ] Adatum, and then click Properties.
4. In the Scope [ ] Adatum Properties dialog box, click the Network Access Protection tab, click Enable for this scope, and then click OK.
5. In the navigation pane, under Scope [ ] Adatum, click Policies.
6. Right-click Policies, and then click New Policy.
7. In the DHCP Policy Configuration Wizard, in the Policy Name box, type NAP Policy, and then click Next.
(More notes on the next slide)

23 9: Implementing Network Access Protection
20411B 9: Implementing Network Access Protection

1. On the Configure Conditions for the policy page, click Add.
2. In the Add/Edit Condition dialog box, in the Criteria list, click User Class.
3. In the Operator list, click Equals.
4. In the Value list, click Default Network Access Protection Class, and then click Add.
5. Click OK, and then click Next.
6. On the Configure settings for the policy page, click No, and then click Next.
7. On the subsequent Configure settings for the policy page, in the Vendor class list, click DHCP Standard Options.
8. In the Available Options list, select the 006 DNS Servers check box.
9. In the IP address box, type , and then click Add.
10. In the Available Options list, select the 015 DNS Domain Name check box.
11. In the String value box, type restricted.adatum.com, and then click Next.
12. On the Summary page, click Finish.
13. Close DHCP.

Configure client NAP settings
1. Switch to the LON-CL1 computer, and then sign in as Adatum\administrator with the password Pa$$w0rd.
2. On the Start screen, type napclcfg.msc, and then press Enter.
3. In NAPCLCFG – [NAP Client Configuration (Local Computer)], in the navigation pane, click Enforcement Clients.
4. In the results pane, right-click DHCP Quarantine Enforcement Client, and then click Enable.
5. Close NAPCLCFG – [NAP Client Configuration (Local Computer)].
(More notes on the next slide)

24 9: Implementing Network Access Protection
20411B 9: Implementing Network Access Protection

1. Pause your mouse in the lower-left of the taskbar, and then click Start.
2. On the Start screen, type Services.msc, and then press Enter.
3. In Services, in the results pane, double-click Network Access Protection Agent.
4. In the Network Access Protection Agent Properties (Local Computer) dialog box, in the Startup type list, click Automatic.
5. Click Start, and then click OK.
6. On the Start screen, type gpedit.msc, and then press Enter.
7. In the console tree, expand Local Computer Policy, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Security Center.
8. Double-click Turn on Security Center (Domain PCs only), click Enabled, and then click OK.
9. Close the console window.
10. Pause your mouse pointer in the lower-right of the taskbar, and then click Settings.
11. In the Settings list, click Control Panel.
12. In Control Panel, click Network and Internet.
13. In Network and Internet, click Network and Sharing Center.
14. In Network and Sharing Center, in the left pane, click Change adapter settings.
15. Right-click Local Area Connection, and then click Properties.
16. In the Local Area Connection Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4).
17. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Obtain an IP address automatically.
(More notes on the next slide)

25 9: Implementing Network Access Protection
20411B 9: Implementing Network Access Protection

1. Click Obtain DNS server address automatically, and then click OK.
2. In the Local Area Connection Properties dialog box, click OK.

Test NAP
1. Pause your mouse in the lower-left of the taskbar, and then click Start.
2. On the Start screen, type cmd.exe, and then press Enter.
3. At the command prompt, type the following command, and then press Enter:
   Ipconfig
4. Switch to Services.
5. In Services, in the results pane, double-click Windows Firewall.
6. In the Windows Firewall Properties (Local Computer) dialog box, in the Startup type list, click Disabled.
7. Click Stop, and then click OK.
8. In the System Tray area, click the Network Access Protection pop-up warning.
9. Review the information in the Network Access Protection dialog box. Click Close.
Note: You may not receive a warning in the System Tray area, depending upon the point at which your computer becomes non-compliant.
10. Notice that the computer has a subnet mask of and a Domain Name System (DNS) Suffix of restricted.Adatum.com.
11. Leave all windows open.

26 Lesson 4: Monitoring and Troubleshooting NAP
9: Implementing Network Access Protection Troubleshooting NAP with Event Logs

27 20411B What Is NAP Tracing? 9: Implementing Network Access Protection

NAP tracing identifies NAP events and records them to a log file based on one of the following tracing levels:
Basic
Advanced
Debug

You can use tracing logs to:
Evaluate the health and security of your network
Troubleshoot and maintain NAP

NAP tracing is disabled by default, which means that no NAP events are recorded in the trace logs

The students should be aware that logging is disabled by default, and that they must enable it if they want to troubleshoot NAP-related problems or evaluate the overall health and security of their organization’s computers.

28 Demonstration: Configuring NAP Tracing
20411B Demonstration: Configuring NAP Tracing 9: Implementing Network Access Protection

In this demonstration, you will see how to:
Configure tracing from the GUI
Configure tracing from the command line

Revert all virtual machines.

Preparation Steps
You require the 20411B-LON-DC1 and 20411B-LON-CL1 virtual machines to perform this demonstration. These should already be running from the preceding demonstration.

Demonstration Steps

Configure tracing from the GUI
1. Switch to LON-CL1.
2. Pause your mouse in the lower-left of the taskbar, and then click Start.
3. On the Start screen, type napclcfg.msc, and then press Enter.
4. In the NAPCLCFG – [NAP Client Configuration (Local Computer)] console, in the navigation pane, right-click NAP Client Configuration (Local Computer) in the console tree, and then click Properties.
5. On the General tab, click Enabled, and in the Basic list, click Advanced, and then click OK.

Configure tracing from the command line
1. Switch to the command prompt.
2. At the command prompt, type the following command, and then press Enter:
   netsh nap client set tracing state = enable

29 20411B Troubleshooting NAP 9: Implementing Network Access Protection
You can use the following netsh nap commands on a client to help you troubleshoot NAP issues:
netsh nap client show state (shows whether the NAP client is currently restricted, and which enforcement clients and system health agents are initialized)
netsh nap client show config (shows the local NAP client configuration, including which enforcement clients are enabled and the tracing settings)
netsh nap client show group (shows the NAP client settings applied by Group Policy, which take precedence over the local configuration when present)
Describe, and where appropriate, demonstrate each of these commands.
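The following script is an added example, not part of the 20411B courseware. It wraps the tracing demonstration and the netsh nap client commands above into one read-only readiness check for a NAP-capable client: it confirms the NAP Agent service (napagent) is running, parses netsh nap client show state to report the restriction state and which enforcement clients are initialized, checks whether Security Center is enabled by policy, and optionally switches on tracing. NAP was deprecated in Windows Server 2012 R2 and the netsh nap context is not present in current Windows releases, so this targets the Windows 7/8-era clients the course uses. Two things are assumptions rather than facts taken from the page: that netsh prints "Key = Value" lines in blank-line-separated blocks, and that the "Turn on Security Center (Domain PCs only)" policy writes the SecurityCenterInDomain registry value; verify both on your build.

```powershell
# Added example (not from the 20411B courseware): NAP client readiness check.
# Run in an elevated Windows PowerShell session on a NAP-capable client.

function Test-IsAdmin {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Parse "Key = Value" lines from netsh output into one hashtable per block.
# Assumption: blocks (client state, each enforcement client, each SHA) are
# separated by blank lines, and header/separator lines contain no "=".
function ConvertFrom-NetshNapOutput {
    param([string[]]$Lines)
    $blocks  = @()
    $current = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([^=]+?)\s*=\s*(.*)$') {
            $current[$Matches[1]] = $Matches[2].Trim()
        }
        elseif ($line.Trim() -eq '' -and $current.Count -gt 0) {
            $blocks += $current
            $current = @{}
        }
    }
    if ($current.Count -gt 0) { $blocks += $current }
    return ,$blocks
}

function Get-NapClientReadiness {
    [CmdletBinding()]
    param(
        [switch]$EnableTracing   # also turn on NAP tracing (disabled by default)
    )
    if (-not (Test-IsAdmin)) { throw 'Run this from an elevated PowerShell session.' }
    $problems = New-Object System.Collections.Generic.List[string]

    # 1. NAP Agent service: must be running for the client's health to be assessed.
    $svc       = Get-Service -Name napagent -ErrorAction Stop
    $startMode = (Get-WmiObject -Class Win32_Service -Filter "Name='napagent'").StartMode
    if ($svc.Status -ne 'Running') { $problems.Add('NAP Agent service is not running') }
    if ($startMode -ne 'Auto')     { $problems.Add("NAP Agent start mode is $startMode, not Auto") }

    # 2. Client restriction state and enforcement clients, from netsh nap client show state.
    $state  = ConvertFrom-NetshNapOutput -Lines (netsh nap client show state)
    $client = $state | Where-Object { $_.ContainsKey('Restriction state') } | Select-Object -First 1
    $restriction = 'unknown'
    if ($client) { $restriction = $client['Restriction state'] }
    $ecs = @($state | Where-Object { $_.ContainsKey('Initialized') -and $_['Name'] -like '*Enforcement Client*' })
    $activeEcs = @($ecs | Where-Object { $_['Initialized'] -eq 'Yes' } | ForEach-Object { $_['Name'] })
    if ($activeEcs.Count -eq 0) { $problems.Add('No enforcement client is initialized') }

    # 3. Security Center, required by the Windows Security Health Validator.
    # Assumption: the "Turn on Security Center (Domain PCs only)" policy sets this DWORD to 1.
    $scKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SecurityCenter'
    $sc = Get-ItemProperty -Path $scKey -Name SecurityCenterInDomain -ErrorAction SilentlyContinue
    $scOn = [bool]($sc -and $sc.SecurityCenterInDomain -eq 1)
    if (-not $scOn) { $problems.Add('Security Center is not enabled by policy') }

    # 4. Optional: enable tracing (same effect as the napclcfg.msc General tab).
    # "advanced" is the level the demonstration uses; netsh also accepts basic and verbose
    # (assumption: verbose is netsh's name for the GUI's Debug level).
    if ($EnableTracing) {
        netsh nap client set tracing state = enable level = advanced | Out-Null
    }

    New-Object PSObject -Property @{
        ServiceStatus      = [string]$svc.Status
        ServiceStartMode   = $startMode
        RestrictionState   = $restriction
        EnforcementClients = $activeEcs
        SecurityCenter     = $scOn
        TracingEnabled     = [bool]$EnableTracing
        Problems           = $problems.ToArray()
    }
}

Get-NapClientReadiness | Format-List
```

Run it before and after the firewall is stopped in the earlier demonstration: RestrictionState should move from Not restricted to a restricted value, and the Problems list tells you which of the three client prerequisites is missing when a machine is never assessed at all.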

30 Troubleshooting NAP with Event Logs
9: Implementing Network Access Protection
On the NPS server, NAP decisions are recorded in the Security log (Audit Network Policy Server subcategory). The event IDs to know are:
6272: NPS granted access (successful authentication)
6273: NPS denied access (authentication or authorization failed)
6274: NPS discarded the request (typically a configuration problem)
6276: NAP client quarantined (non-compliant, restricted access)
6277: NAP client is on probation (non-compliant, but enforcement is deferred)
6278: NAP client granted full access (compliant)
On the client, NAP events are written to Applications and Services Logs, Microsoft, Windows, Network Access Protection, Operational.
Describe each of the events.
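The following script is an added example, not part of the 20411B courseware. It queries the NPS server's Security log for the six event IDs in the table above, counts them per ID so that a rising 6276 (quarantined) or 6274 (discarded) count stands out, and lists the quarantined clients. Run it in an elevated PowerShell session on the NPS server; the Audit Network Policy Server subcategory must be enabled for these events to exist. The field names pulled out of the message text (Account Name, Client IP Address, Reason Code) and the choice of the first Account Name match as the user are assumptions about the NPS message layout, not something the page states; adjust the regexes if your build formats the messages differently.

```powershell
# Added example (not from the 20411B courseware): summarize NPS NAP events.

$NpsEventMeaning = @{
    6272 = 'Access granted'
    6273 = 'Access denied'
    6274 = 'Request discarded (check NPS configuration)'
    6276 = 'NAP client quarantined (restricted access)'
    6277 = 'NAP client on probation (non-compliant, enforcement deferred)'
    6278 = 'NAP client granted full access (compliant)'
}

# Pull one labelled field ("Label:<tabs>value") out of an event message.
# Assumption: NPS messages use this "Label:\t\tvalue" layout; the first
# "Account Name:" is the User section, the second the Client Machine section.
function Get-MessageField {
    param([string]$Message, [string]$Label)
    if ($Message -match ('(?m)^\s*' + [regex]::Escape($Label) + ':\s*(\S.*?)\s*$')) {
        return $Matches[1]
    }
    return $null
}

function Get-NpsNapSummary {
    param([int]$Hours = 24)
    $filter = @{
        LogName      = 'Security'
        ProviderName = 'Microsoft-Windows-Security-Auditing'
        Id           = @(6272, 6273, 6274, 6276, 6277, 6278)
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # SilentlyContinue: Get-WinEvent reports "no events found" as an error.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    $records = foreach ($e in $events) {
        New-Object PSObject -Property @{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Meaning = $NpsEventMeaning[$e.Id]
            Account = Get-MessageField -Message $e.Message -Label 'Account Name'
            NasIp   = Get-MessageField -Message $e.Message -Label 'Client IP Address'
            Reason  = Get-MessageField -Message $e.Message -Label 'Reason Code'
        }
    }

    # Counts per event ID, in ID order.
    $counts = $records | Group-Object Id | Sort-Object Name | ForEach-Object {
        New-Object PSObject -Property @{
            Id      = [int]$_.Name
            Count   = $_.Count
            Meaning = $NpsEventMeaning[[int]$_.Name]
        }
    }
    # Clients that were put on the restricted network, newest first.
    $quarantined = $records | Where-Object { $_.Id -eq 6276 } | Sort-Object Time -Descending

    New-Object PSObject -Property @{
        Window      = "last $Hours h"
        Counts      = @($counts)
        Quarantined = @($quarantined)
    }
}

$summary = Get-NpsNapSummary -Hours 24
$summary.Counts      | Format-Table Id, Count, Meaning -AutoSize
$summary.Quarantined | Format-Table Time, Account, NasIp, Reason -AutoSize
```

Because NAP is a compliance control rather than a security boundary, the useful signal here is the trend: a 6276 for a machine that never subsequently logs a 6278 means remediation is not working for that client, and a burst of 6274 after a change usually points at the NPS configuration rather than at the clients.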

31 Lab: Implementing NAP
20411B Lab: Implementing NAP 9: Implementing Network Access Protection
Exercise 1: Configuring NAP Components
As the first step in implementing compliance and security, you configure the NAP components: certificate requirements, health and network policies, and connection request policies.
Exercise 2: Configuring VPN Access
After configuring NAP, you configure a VPN server, and then allow ICMP echo requests (ping) through the firewall for testing purposes.
Exercise 3: Configuring the Client Settings to Support NAP
In this exercise, you enable a client VPN connection to the Adatum network. You then enable and configure the required client-side NAP components.
Virtual Machines: 20411B-LON-DC1, 20411B-LON-RTR, 20411B-LON-CL2
Logon Information: User name Adatum\Administrator, Password Pa$$w0rd
Estimated Time: 60 minutes

32 20411B Lab Scenario 9: Implementing Network Access Protection
A. Datum is a global engineering and manufacturing company with its head office in London, UK. An IT office and data center in London support the head office and other locations. A. Datum has recently deployed a Windows Server 2012 server and client infrastructure. To meet stricter security and compliance requirements, A. Datum must extend its VPN solution to include NAP. You need a way to verify, and if required automatically remediate, the health of client computers whenever they connect remotely over the VPN connection. You will accomplish this by using NPS to create system health validator settings and network and health policies, and by configuring NAP to verify and remediate client health.

33 20411B Lab Review 9: Implementing Network Access Protection
Question: The DHCP NAP enforcement method is the weakest enforcement method in Windows Server. Why is it less preferable than the other available methods?
Answer: A manually assigned IP address on the client circumvents DHCP NAP enforcement. DHCP enforcement only controls the lease the DHCP server hands out, so a user who can set a static address (with the correct subnet mask, gateway and DNS servers) gets full access without any health check.
Question: Could you use the remote access NAP solution alongside the IPsec NAP solution? What benefit would this scenario provide?
Answer: Yes. You can use one or all of the NAP enforcement methods in an environment. One benefit is that IPsec enforcement secures communication on the intranet, and not just the tunnel between the Internet host and the Routing and Remote Access server.
Question: Could you have used DHCP NAP enforcement for the client? Why or why not?
Answer: No. It would not have worked, because the IP addresses assigned to the Routing and Remote Access client come from a static pool on the Routing and Remote Access server itself, not from a DHCP server.

34 Module Review and Takeaways
20411B Module Review and Takeaways 9: Implementing Network Access Protection
Review Questions
Question: What are the three main client configurations that you need to configure for most NAP deployments?
Answer: Some NAP deployments that use the Windows Security Health Validator require that you enable Security Center. The Network Access Protection Agent service must be running on NAP-capable client computers. You also must enable the appropriate NAP enforcement clients on those computers.
Question: You want to evaluate the overall health and security of the NAP-enforced network. What do you need to do to start recording NAP events?
Answer: NAP trace logging is disabled by default; enable it to troubleshoot NAP-related problems or to evaluate the overall health and security of your organization's computers. You can enable it from the NAP Client Configuration console (napclcfg.msc) or with the netsh nap client set tracing command.
Question: On a client computer, what steps must you perform to ensure that its health is assessed?
Answer: Enable the NAP enforcement client, enable Security Center, and start the NAP Agent service.
Tools: see the next slide.

35 9: Implementing Network Access Protection
20411B 9: Implementing Network Access Protection Tools
Tool: Services
Use for: Enabling and configuring the NAP Agent service on client computers.
Where to find it: Click Start, click Control Panel, click System and Maintenance, click Administrative Tools, and then double-click Services.

Tool: Netsh nap
Use for: Scripting NAP client configuration, and displaying the configuration and status of the NAP client service.
Where to find it: Open a command window with administrative rights, and then type netsh -c nap. Type help to get a full list of available commands.

Tool: Group Policy
Use for: Some NAP deployments that use the Windows Security Health Validator require that Security Center is enabled.
Where to find it: Enable the Turn on Security Center (Domain PCs only) setting under Computer Configuration/Administrative Templates/Windows Components/Security Center.

