Windows Server 2008, released in February, is an integral part of Microsoft's Network Access Protection (NAP) initiative, the software giant's long-awaited proprietary network access control architecture. This tip will explain the software setup processes needed to handle NAP elements. While this piece covers the bare-bones, out-of-the-box NAP functionality, for additional features and functionality consider either Microsoft's Forefront...
software or a third-party NAP-compliant add-on product.
Live webcast: Network Access Control
Network Access Control: Lessons learned from the front lines
Join us for a live webcast Wednesday, Sept. 24 at 12:00 noon ET, as special guest and network access control expert David Strom discusses five common pitfalls of NAC implementations, drawn from real-world case studies. David will also answer your questions live. Reserve your spot today!
Let's start by opening up the Network Policy Server and configuring NAP in the pull-down box:
Note the various network connection methods that are supported, including DHCP, 802.1x and VPNs. Pick whichever method will be used to enable endpoints to connect to the protected network, then give that selection a name. Consider reviewing the additional requirements listed at the bottom of the configuration screen in the supplied help file. Unlike the average vendor help documents, they are actually quite good at describing not only the various bits and pieces of required network infrastructure, but also which elements of NAP are and aren't supported in this first go-round.
For example, wired 802.1x enables policies to be set up for connection request and networks and NAP health.
At this point, I recommend choosing DHCP for testing purposes. Problems may result for those who are configuring a standalone Windows Server 2008 server and choose either of the 802.1x connections. Microsoft's Web support page on PEAP-TLS authentication and Windows Server 2008 has more information.
Next, add a pointer to RADIUS clients, such as any authenticating switches. These aren't client PCs, but anything else that needs to talk to the RADIUS server in the process of authenticating a user.
Next, set up groups of machines that will have similar policy requirements, such as guest workers or HR staff. These groups must already be set up in Active Directory. Consider going into the Server Manager/Configuration/Groups section and adding these.
The next step is to set up a group of remediation servers to store the updated software and fix client PCs that don't comply with policy requirements. A URL can also be included that provides information for users that fail the posture evaluation on what they need to become compliant, as seen in this screen here:
The next step is to set up a health policy using the validator that comes with the NAP server. On this screen, there's an option that determines what happens when a PC doesn't pass muster: it can be shunted to a restricted network, or granted access (note the two check boxes at the bottom of the screen in the following screenshot).
And that's it. Click finish and go back into the Network Policy Server manager screen and, under the NAP menu tree, right-click on the System Health Validator to see its properties sheet, as shown below:
There will be two tabs, one for XP clients and another for Vista clients; the Vista tab has a few more items to configure. What about older Windows and non-Windows clients? Well, they aren't covered under NAP. Network access for these machines must be managed with additional third-party software.
Here, tell the validator to examine each PC, checking to see if its firewall is turned on, antivirus updates are installed, and the like. Once completed, go back to the Policy Server's policies menu tree and make sure all the various policies have been set up correctly. Here is a screen showing the various networking policies that have been set up by the wizard:
Click OK, and you have set up your first NAP server! Some services may need to be tweaked to make sure they startup at boot time, but otherwise no other steps are required.
Again, remember that this is a bare-bones configuration. Antivirus vendor agents and others will be needed to hook into the server, but otherwise you're ready to take advantage of NAP and Windows Server 2008.
About the author:
David Strom is a St. Louis, Mo.-based author, speaker, podcaster and consultant who writes frequently about information security topics.