20411C 08-Edited

Microsoft Official Course

Module 8: Implementing Network Access Protection
Module Overview

• Overview of Network Access Protection
• Overview of NAP Enforcement Processes
• Configuring NAP
• Configuring IPsec Enforcement for NAP
• Monitoring and Troubleshooting NAP
Lesson 1: Overview of Network Access Protection

• What Is Network Access Protection?
• NAP Scenarios
• NAP Enforcement Methods
• NAP Platform Architecture
What Is Network Access Protection?

• NAP can:
  • Enforce health-requirement policies on client computers
  • Ensure client computers are compliant with policies
  • Offer remediation support for computers that do not meet health requirements
• NAP cannot:
  • Prevent authorized users with compliant computers from performing malicious activities on the network
  • Restrict network access for computers that are running Windows versions older than Windows XP SP2, when exception rules are configured for those computers
NAP Scenarios

NAP helps you to verify the health state of:
• Roaming laptops
• Visiting laptops
• Desktop computers
• Unmanaged home computers
NAP Enforcement Methods

Method: IPsec enforcement for IPsec-protected communications
• Computer must be compliant to communicate with other compliant computers
• This is the strongest NAP enforcement type, and can be applied per IP address or protocol port number

Method: 802.1X enforcement for IEEE 802.1X-authenticated wired or wireless connections
• Computer must be compliant to obtain unlimited access through an 802.1X connection (authentication switch or access point)

Method: VPN enforcement for remote access connections
• Computer must be compliant to obtain unlimited access through a Remote Access Service connection

Method: DirectAccess
• Computer must be compliant to obtain unlimited network access
• For noncompliant computers, access is restricted to a defined group of infrastructure servers

Method: DHCP enforcement for DHCP-based address configuration
• Computer must be compliant to receive an unlimited access IPv4 address configuration from DHCP
• This is the weakest form of NAP enforcement
NAP Platform Architecture

(Diagram) Components shown: Internet, perimeter network and intranet; Active Directory; NAP Health Policy server; enforcement points (VPN server, IEEE 802.1X devices, DHCP server, Health Registration Authority); a restricted network containing remediation servers and a NAP client with limited access.
Lesson 2: Overview of NAP Enforcement Processes

• NAP Enforcement Processes
• IPsec Enforcement
• 802.1X Enforcement
• VPN Enforcement
• DHCP Enforcement
NAP Enforcement Processes

(Diagram) The NAP client receives System Health Updates from the Remediation Server. It sends SSoH Messages over HTTP or HTTPS to the HRA, DHCP Messages to the DHCP Server, PEAP Messages over PPP to the VPN Server, and PEAP Messages over EAPOL to IEEE 802.1X Network Access Devices. These enforcement points forward RADIUS Messages to the NAP Health Policy Server, which sends System Health Requirement Queries to the Health Requirement Server.
IPsec Enforcement

• Key points of IPsec NAP enforcement include:
  • IPsec NAP enforcement consists of a health certificate server and an IPsec NAP enforcement client
  • The health certificate server issues X.509 certificates to quarantined clients when they are verified as compliant. The certificates are then used to authenticate NAP clients when they initiate IPsec-secured communications with other NAP clients on an intranet.
  • IPsec enforcement confines the communication on a network to those nodes that are considered compliant
  • You can define requirements for secure communications with compliant clients on a per-IP address or a per-TCP/UDP port-number basis
802.1X Enforcement

• Key points of 802.1X wired or wireless NAP enforcement:
  • Computer must be compliant to obtain unlimited network access through an 802.1X-authenticated network connection
  • Noncompliant computers are limited through a restricted-access profile that the Ethernet switch or wireless AP places on the connection
  • Restricted access profiles can specify IP packet filters or a VLAN identifier that corresponds to the restricted network
  • 802.1X enforcement actively monitors the health status of the connected NAP client and applies the restricted access profile to the connection if the client becomes noncompliant
VPN Enforcement

• Key points of VPN NAP enforcement:
  • Computer must be compliant to obtain unlimited network access through a remote access VPN connection
  • Noncompliant computers have network access limited through a set of IP packet filters that the VPN server applies to the VPN connection
  • VPN enforcement actively monitors the health status of the NAP client and then applies the IP packet filters for the restricted network to the VPN connection if the client becomes noncompliant
DHCP Enforcement

• Key points of DHCP NAP enforcement:
  • Computers must be compliant to obtain an unlimited access IPv4 address configuration from a DHCP server
  • Noncompliant computers receive an IPv4 address configuration that allows access to the restricted network only
  • DHCP enforcement actively monitors the health status of the NAP client, and renews the IPv4 address configuration for access to the restricted network only if the client becomes noncompliant
Lesson 3: Configuring NAP

• What Are System Health Validators?
• What Is a Health Policy?
• What Are Remediation Server Groups?
• NAP Client Configuration
• Demonstration: Configuring NAP
What Are System Health Validators?

System health validators are server software counterparts to system health agents.

• Each SHA on the client has a corresponding SHV in NPS
• SHVs allow NPS to verify the SoH made by its corresponding SHA on the client
• SHVs contain the required configuration settings on client computers
• The Windows Security SHV corresponds to the Microsoft SHA on client computers
What Is a Health Policy?

To make use of the Windows Security Health Validator, you must configure a health policy and assign the SHV to it.

• Health policies consist of one or more SHVs and other settings, which you can use to define configuration requirements for NAP-capable computers that attempt to connect to your network
• You can define client health policies in NPS by adding one or more SHVs to the health policy
• NAP enforcement is accomplished by NPS on a per-network policy basis
• After you create a health policy by adding one or more SHVs to the policy, you can add the health policy to the network policy, and enable NAP enforcement in the policy
What Are Remediation Server Groups?

With NAP enforcement in place, you should specify remediation server groups so the clients have access to resources that bring noncompliant NAP-capable clients into compliance.

• A remediation server hosts the updates that the NAP agent can use to bring noncompliant client computers into compliance with the health policy that NPS defines
• A remediation server group is a list of servers on the restricted network that noncompliant NAP clients can access for software updates
NAP Client Configuration

• Some NAP deployments that use Windows Security Health Validator require that you enable Security Center
• The Network Access Protection service is required when you deploy NAP to NAP-capable client computers
• You must configure the NAP enforcement clients on the NAP-capable computers
• Most NAP client settings can be configured with Group Policy Objects
Demonstration: Configuring NAP

In this demonstration, you will see how to:
• Install the NPS server role
• Configure NPS as a NAP health policy server
• Configure health policies
• Configure network policies for compliant computers
• Configure network policies for noncompliant computers
• Configure the DHCP server role for NAP
• Configure client NAP settings
• Test NAP
Lesson 4: Configuring IPsec Enforcement for NAP

• What Is IPsec?
• IPsec Authentication and Encryption Options
• NAP with IPsec Enforcement Components
• How IPsec Enforcement Works
• Planning IPsec Logical Networks
• Configuring the HRA Server
• Configuring the Certification Authority
What Is IPsec?

• IPsec is a protocol suite for protecting IP communications.
• The IETF standardized IPsec in a series of Requests for Comments (RFCs).
• IPsec is built into most operating systems.
• Protection of IP communications happens seamlessly and does not require configuration of applications and services for support.

In a common corporate deployment, IPsec relies on the following components:
• AD DS. AD DS provides the common infrastructure and is a prerequisite for common implementations of a Microsoft-based public key infrastructure (PKI). In addition, you can use Group Policy to standardize security-related settings for IPsec.
• PKI. You can use Active Directory Certificate Services (AD CS) to distribute certificates automatically to ease the administrative overhead of implementing IPsec. Configuring a CA for IPsec is discussed in more detail in the Configuring the Certification Authority topic later in this module.
• Two or more computers running a supported version of Windows and joined to the same domain. The computers can be client computers or server-based computers.
IPsec Authentication and Encryption Options

• Authentication:
  • Kerberos v5
  • Certificate authentication
  • Preshared key
• Encryption:
  • DES
  • Triple DES
  • AES
• Data integrity:
  • Same encryption standards as IPsec encryption

• Data Encryption Standard (DES). DES uses a 56-bit key, which is considered insecure today.
• Triple DES (3DES). 3DES (pronounced “triple des”) uses three 56-bit keys by applying DES three times for encryption.
• Advanced Encryption Standard (AES). Multiple key lengths are supported: 128, 192, and 256 bits. Security increases as the key length increases. The vast majority of new IPsec implementations use AES today because it provides the strongest security and does not require additional administrative effort.

system statement of health (SSoH)


System Statement of Health Response (SSoHR).
certificates for remote procedure call (RPC
NAP with IPsec Enforcement Components

You can implement NAP with IPsec enforcement by configuring the following components:
• Certification authority
• HRA server
• Computer running NPS role
• IPsec enforcement client
How IPsec Enforcement Works

IPsec NAP enforcement includes:
• Policy validation
• NAP enforcement
• Network restriction
• Remediation
• Ongoing monitoring of compliance

• Use IPsec policies to create logical networks. IPsec enforcement divides a physical network into three logical networks. A computer is a member of only one logical network at any time. The logical networks are:
  o Secure network. Computers on the secure network have health certificates and require that incoming communication be authenticated by using these certificates.
  o Boundary network. Computers on the boundary network have health certificates but do not require IPsec authentication of incoming communication attempts.
  o Restricted network. Computers on the restricted network do not have health certificates.
Planning IPsec Logical Networks

(Diagram) Restricted Network: noncompliant NAP client (SHAs, NAP Agent, NAP ECs) and non-NAP-capable client. Boundary Network: HRA, NAP Enforcement Servers (VPN, 802.1X, DHCP, NPS proxy) and Remediation Servers. Secure Network: NAP Administration Server, NAP Health Policy Servers (Network Policies, NAP Health Policies, Connection Request Policies, SHVs), NPS Servers, Certificate Services, Email Servers, compliant NAP client (SHAs, NAP Agent, NAP ECs) and Secure Servers.
Configuring the HRA Server

To support IPsec NAP enforcement, you must configure an HRA server. This process involves the following steps:
1. Configure authentication requirements
2. Configure CAs
3. Configure the request policy

Configuring the Certification Authority

To obtain and issue certificates, the HRA must be associated with a CA. To configure the HRA to issue health certificates, complete the following tasks:
1. Choose a CA type
2. Verify CA security settings
3. Configure additional settings such as CA wait time and health certificate validity period
Lesson 5: Monitoring and Troubleshooting NAP

• What Is NAP Tracing?
• Demonstration: Configuring NAP Tracing
• Troubleshooting NAP
• Troubleshooting NAP with Event Logs
What Is NAP Tracing?

• NAP tracing identifies NAP events and records them to a log file based on one of the following tracing levels:
  • Basic
  • Advanced
  • Debug
• You can use tracing logs to:
  • Evaluate the health and security of your network
  • Troubleshoot and maintain NAP
• NAP tracing is disabled by default, which means that no NAP events are recorded in the trace logs
Demonstration: Configuring NAP Tracing

In this demonstration, you will see how to:
• Configure tracing from the GUI
• Configure tracing from the command line
Troubleshooting NAP

You can use the following netsh NAP commands to help you to troubleshoot NAP issues:
• netsh nap client show state
• netsh nap client show config
• netsh nap client show group

Troubleshooting NAP with Event Logs

Event ID   Meaning
6272       Successful authentication has occurred
6273       Successful authentication has not occurred
6274       A configuration problem exists
6276       NAP client quarantined
6277       NAP client is on probation
6278       NAP client granted full access
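As an added example (not part of the course materials), this Python script triages constructed NPS event lines using the event IDs from the table: it keeps the latest NAP state per client so that a client quarantined and later granted full access is not still reported as quarantined, and counts authentication failures and configuration problems. The "date time event-id client" line layout is an assumption for the sample, not the real NPS log format.

```python
import re
from collections import defaultdict

# Event IDs and meanings from the table above.
NPS_EVENTS = {
    6272: "Successful authentication has occurred",
    6273: "Successful authentication has not occurred",
    6274: "A configuration problem exists",
    6276: "NAP client quarantined",
    6277: "NAP client is on probation",
    6278: "NAP client granted full access",
}

# Constructed sample lines (not a real NPS export) in an assumed
# "date time event-id client" layout.
SAMPLE_LOG = """\
2014-03-05 09:00:01 6272 LON-CL2
2014-03-05 09:00:02 6276 LON-CL2
2014-03-05 09:05:10 6272 LON-CL3
2014-03-05 09:05:11 6278 LON-CL3
2014-03-05 09:10:00 6273 LON-CL4
2014-03-05 09:12:30 6274 LON-CL4
2014-03-05 09:20:00 6277 LON-CL5
2014-03-05 09:30:00 6276 LON-CL6
2014-03-05 09:45:00 6278 LON-CL2
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\d{4}) (\S+)$")


def parse(log: str):
    """Yield (timestamp, event_id, client) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2)), m.group(3)


def triage(log: str) -> dict:
    """Latest NAP state per client, plus counts of failed auths and config problems."""
    state, counts = {}, defaultdict(int)
    for _ts, event_id, client in parse(log):
        if event_id not in NPS_EVENTS:
            continue                      # not one of the NAP-relevant events
        counts[event_id] += 1
        if event_id in (6276, 6277, 6278):
            state[client] = event_id      # a later NAP event supersedes earlier ones
    by_state = lambda e: sorted(c for c, s in state.items() if s == e)
    return {
        "quarantined": by_state(6276),    # clients still waiting on remediation
        "probation": by_state(6277),
        "full_access": by_state(6278),
        "auth_failures": counts[6273],
        "config_problems": counts[6274],
    }
```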


Lab: Implementing Network Access Protection

• Exercise 1: Configuring NAP Components
• Exercise 2: Configuring Virtual Private Network Access
• Exercise 3: Configuring the Client Settings to Support NAP

Logon Information
Virtual machines: 20411C-LON-DC1, 20411C-LON-RTR, 20411C-LON-CL2
User name: Adatum\Administrator
Password: Pa$$w0rd

Estimated Time: 60 minutes

Lab Scenario

A. Datum is a global engineering and manufacturing company with its head office in London, United Kingdom. An Information Technology (IT) office and data center in London support the head office and other locations. A. Datum has recently deployed a Windows Server 2012 server and client infrastructure.

To help increase security and meet compliance requirements, A. Datum is required to extend their VPN solution to include NAP. You need to establish a way to verify and, if required, automatically bring client computers into compliance whenever they connect remotely by using the VPN connection. You will accomplish this goal by using NPS to create system health validation settings and network and health policies, and to configure NAP to verify and remediate client health.
Lab Review

• The DHCP NAP enforcement method is the weakest enforcement method in Windows Server 2012. Why is it a less preferable enforcement method than other available methods?
• Could you use the remote access NAP solution alongside the IPsec NAP solution? What benefit would this scenario provide?
• Could you have used DHCP NAP enforcement for the client? Why or why not?
Module Review and Takeaways

Review Question(s)
• Tools
