Microsoft® Official Course, Module 9: Implementing Network Access Protection
TRANSCRIPT
Microsoft® Official Course
Module 9
Implementing Network Access Protection
Module Overview
Overview of Network Access Protection
Overview of NAP Enforcement Processes
Configuring NAP
Monitoring and Troubleshooting NAP
Lesson 1: Overview of Network Access Protection
What Is Network Access Protection?
NAP Scenarios
NAP Enforcement Methods
NAP Platform Architecture
What Is Network Access Protection?
• NAP can:
  • Enforce health-requirement policies on client computers
  • Ensure that client computers are compliant with policies
  • Offer remediation support for computers that do not meet health requirements
• NAP cannot:
  • Prevent authorized users with compliant computers from performing malicious activity on the network
  • Restrict network access for computers that are running Windows versions earlier than Windows XP SP2 when exception rules are configured for those computers
NAP Scenarios
NAP helps you to verify the health state of:
Roaming laptops
Desktop computers
Unmanaged home computers
Visiting laptops
NAP Enforcement Methods
Method / Key Points
IPsec enforcement for IPsec-protected communications
• Computer must be compliant to communicate with other compliant computers
• This is the strongest NAP enforcement type, and can be applied per IP address or protocol port number
802.1X enforcement for IEEE 802.1X-authenticated wired or wireless connections
• Computer must be compliant to obtain unlimited access through an 802.1X connection (authentication switch or access point)
VPN enforcement for remote access connections
• Computer must be compliant to obtain unlimited access through a Remote Access Service connection
DirectAccess
• Computer must be compliant to obtain unlimited network access
• For noncompliant computers, access is restricted to a defined group of infrastructure servers
DHCP enforcement for DHCP-based address configuration
• Computer must be compliant to receive an unlimited access IPv4 address configuration from DHCP
• This is the weakest form of NAP enforcement
NAP Platform Architecture
[Diagram: NAP platform architecture. Network zones shown: Internet, Perimeter network, Intranet, Restricted network. Components shown: NAP Health Policy Server, Remediation Servers, DHCP server, Health Registration Authority, IEEE 802.1X devices, Active Directory, VPN server, and a NAP client with limited access on the restricted network.]
Lesson 2: Overview of NAP Enforcement Processes
NAP Enforcement Processes
IPsec Enforcement
802.1x Enforcement
VPN Enforcement
DHCP Enforcement
NAP Enforcement Processes
[Diagram: NAP enforcement processes. Components shown: NAP Client, HRA, VPN Server, DHCP Server, IEEE 802.1X Network Access Devices, NAP Health Policy Server, Health Requirement Server, Remediation Server. Message flows shown: HTTP or HTTP over SSL messages (NAP client to HRA); PEAP messages over PPP (NAP client to VPN server); PEAP messages over EAPOL (NAP client to 802.1X network access devices); DHCP messages (NAP client to DHCP server); RADIUS messages (HRA, VPN server, DHCP server and 802.1X devices to the NAP Health Policy Server); system health requirement queries (NAP Health Policy Server to Health Requirement Server); system health updates (NAP client to Remediation Server).]
IPsec Enforcement
• Key points of IPsec NAP enforcement include:
  • IPsec NAP enforcement comprises a health certificate server and an IPsec NAP enforcement client (EC)
  • The health certificate server issues X.509 certificates to quarantined clients when they are verified as compliant. The certificates are then used to authenticate NAP clients when they initiate IPsec-secured communications with other NAP clients on an intranet.
  • IPsec enforcement confines communication on a network to those nodes that are considered compliant
  • You can define requirements for secure communications with compliant clients on a per-IP address or a per-TCP/UDP port-number basis
802.1x Enforcement
• Key points of 802.1X wired or wireless NAP enforcement:
  • Computer must be compliant to obtain unlimited network access through an 802.1X-authenticated network connection
  • Noncompliant computers are limited through a restricted-access profile that the Ethernet switch or wireless AP places on the connection
  • Restricted-access profiles can specify IP packet filters or a VLAN identifier that corresponds to the restricted network
  • 802.1X enforcement actively monitors the health status of the connected NAP client and applies the restricted-access profile to the connection if the client becomes noncompliant
VPN Enforcement
• Key points of VPN NAP enforcement:
  • Computer must be compliant to obtain unlimited network access through a remote access VPN connection
  • Noncompliant computers have network access limited through a set of IP packet filters that the VPN server applies to the VPN connection
  • VPN enforcement actively monitors the health status of the NAP client and applies the IP packet filters for the restricted network to the VPN connection if the client becomes noncompliant
DHCP Enforcement
• Key points of DHCP NAP enforcement:
  • Computers must be compliant to obtain an unlimited-access IPv4 address configuration from a DHCP server
  • Noncompliant computers receive an IPv4 address configuration that allows access to the restricted network only
  • DHCP enforcement actively monitors the health status of the NAP client and, if the client becomes noncompliant, renews its IPv4 address configuration with one that allows access only to the restricted network
Lesson 3: Configuring NAP
What Are System Health Validators?
What Is a Health Policy?
What Are Remediation Server Groups?
NAP Client Configuration
Demonstration: Configuring NAP
What Are System Health Validators?
System health validators (SHVs) are the server-side counterparts of system health agents (SHAs)
• Each SHA on the client has a corresponding SHV in NPS
• SHVs allow NPS to verify the statement of health made by the corresponding SHA on the client
• SHVs contain the configuration settings required on client computers
• The Windows Security Health Validator corresponds to the Microsoft SHA on client computers
What Is a Health Policy?
To make use of the Windows Security Health Validator, you must configure a health policy and assign the SHV to it
• Health policies consist of one or more SHVs and other settings, which you can use to define configuration requirements for NAP-capable computers that attempt to connect to your network
• You define client health policies in NPS by adding one or more SHVs to the health policy
• NAP enforcement is applied by NPS on a per-network-policy basis
• After you create a health policy by adding one or more SHVs to it, you can add the health policy to a network policy and enable NAP enforcement in that network policy
What Are Remediation Server Groups?
With NAP enforcement in place, you should specify remediation server groups so that noncompliant NAP-capable clients have access to the resources that bring them into compliance
• A remediation server hosts the updates that the NAP agent can use to bring noncompliant client computers into compliance with the health policy that NPS defines
• A remediation server group is a list of servers on the restricted network that noncompliant NAP clients can access for software updates
NAP Client Configuration
• Some NAP deployments that use Windows Security Health Validator require that you enable Security Center
• The Network Access Protection service is required when you deploy NAP to NAP-capable client computers
• You must configure the NAP enforcement clients on the NAP-capable computers
• Most NAP client settings can be configured with Group Policy Objects (GPOs)
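The slide lists the client-side prerequisites without showing what they look like on a machine. The following is an added example (not from the course or from Microsoft's lab files) of applying the same settings locally with PowerShell and netsh for a VPN-enforcement deployment; in production these come from a GPO, but the local commands are what you use to verify a client in the lab. It assumes an elevated session on the NAP client; the enforcement client IDs are the well-known ones for the DHCP and remote access enforcement clients, and the script tells you how to confirm them on your own build.

```powershell
# Added example: prepare a Windows NAP client for VPN (remote access) enforcement.
# Run in an elevated PowerShell session on the NAP-capable client.

# 1. The Network Access Protection Agent service (service name: napagent) must be
#    running for the client to produce statements of health.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# 2. Enable the enforcement client (EC) that matches the deployment. The numeric
#    IDs are the well-known NAP EC identifiers (assumed here from the platform
#    documentation: 79617 = DHCP quarantine EC, 79618 = remote access/VPN EC).
#    'netsh nap client show config' lists every EC with its ID, so confirm there.
$vpnEnforcementClientId = 79618
netsh nap client set enforcement ID = $vpnEnforcementClientId ADMIN = "ENABLE"

# 3. Read back what the client now reports: which ECs are enabled (config) and
#    whether the agent currently considers the machine compliant (state).
netsh nap client show config
netsh nap client show state

# 4. Quick self-check of the two things that most often break a lab: the agent
#    service stopped, or the EC left disabled after the GPO did not apply.
$agent = Get-Service -Name napagent
if ($agent.Status -ne 'Running') {
    Write-Warning "napagent is $($agent.Status); NAP health evaluation will not run."
}
$ecLine = (netsh nap client show config) -match "ID\s*=\s*$vpnEnforcementClientId" 
if (-not $ecLine) {
    Write-Warning "Enforcement client $vpnEnforcementClientId not found in client config."
}
```

The Security Center requirement on the slide is not something you toggle from netsh; on domain-joined clients it is the Group Policy setting "Turn on Security Center (Domain PCs only)" under Computer Configuration > Administrative Templates > Windows Components > Security Center, so include it in the same GPO that enables the enforcement client.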
Demonstration: Configuring NAP
In this demonstration, you will see how to:
• Install the NPS server role
• Configure NPS as a NAP health policy server
• Configure health policies
• Configure network policies for compliant computers
• Configure network policies for noncompliant computers
• Configure the DHCP server role for NAP
• Configure client NAP settings
• Test NAP
Lesson 4: Monitoring and Troubleshooting NAP
What Is NAP Tracing?
Demonstration: Configuring NAP Tracing
Troubleshooting NAP
Troubleshooting NAP with Event Logs
What Is NAP Tracing?
• NAP tracing identifies NAP events and records them to a log file at one of the following tracing levels:
  • Basic
  • Advanced
  • Debug
• You can use tracing logs to:
  • Evaluate the health and security of your network
  • Troubleshoot and maintain NAP
• NAP tracing is disabled by default, which means that no NAP events are recorded in the trace logs
Demonstration: Configuring NAP Tracing
In this demonstration, you will see how to:
• Configure tracing from the GUI
• Configure tracing from the command line
Troubleshooting NAP
You can use the following netsh NAP commands to help you troubleshoot NAP issues:
• netsh NAP client show state
• netsh NAP client show config
• netsh NAP client show group
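The tracing slide and the three netsh show commands above are normally used together: enable tracing, reproduce the failing connection, then capture the client's view of its own state. This is an added example (not from the course) that strings those steps into one PowerShell collection script for the NAP client; it assumes an elevated session, uses the "basic" level named on the tracing slide (check `netsh nap client set tracing` help for the level names your build accepts), and the report path is an arbitrary choice.

```powershell
# Added example: collect NAP client diagnostics into a single report file.
# Run in an elevated PowerShell session on the NAP client that is failing.

$report = Join-Path $env:TEMP 'nap-client-diag.txt'   # assumed output location

# Tracing is off by default (see the tracing slide), so turn it on before
# reproducing the problem. 'basic' is one of the levels the course names.
netsh nap client set tracing state = enable level = basic

# Reproduce the problem here, for example by reconnecting the VPN, before the
# snapshot below is taken. In an interactive run, pause until that is done.
Read-Host 'Reproduce the connection attempt now, then press Enter'

# Snapshot the three views the troubleshooting slide lists.
$sections = [ordered]@{
    'netsh nap client show state'  = { netsh nap client show state }   # compliance/EC status
    'netsh nap client show config' = { netsh nap client show config }  # enforcement clients, tracing, UI
    'netsh nap client show group'  = { netsh nap client show group }   # Group Policy-delivered settings
}

"NAP client diagnostics for $env:COMPUTERNAME at $(Get-Date -Format s)" | Out-File $report
foreach ($title in $sections.Keys) {
    "`n=== $title ===" | Out-File $report -Append
    & $sections[$title] 2>&1 | Out-File $report -Append
}

# The napagent service state and the trace directory round out the picture.
"`n=== napagent service ===" | Out-File $report -Append
Get-Service -Name napagent | Format-List Name, Status, StartType | Out-File $report -Append
"`n=== trace files (%systemroot%\tracing\nap) ===" | Out-File $report -Append
Get-ChildItem (Join-Path $env:SystemRoot 'tracing\nap') -ErrorAction SilentlyContinue |
    Format-Table Name, Length, LastWriteTime -AutoSize | Out-File $report -Append

# Leave tracing disabled once the capture is done; it is not meant to stay on.
netsh nap client set tracing state = disable

Write-Host "Report written to $report"
```

Read `show state` first: it tells you whether the agent considers the machine compliant and which enforcement client produced the result, which is usually enough to decide whether the fault is on the client (SHA, service, EC disabled) or on the NPS side (policy, event IDs on the next slide).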
Troubleshooting NAP with Event Logs
Event ID / Meaning
6272 Successful authentication has occurred
6273 Successful authentication has not occurred
6274 A configuration problem exists
6276 NAP client quarantined
6277 NAP client is on probation
6278 NAP client granted full access
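On the server side, the event IDs in the table are the fastest way to see what NPS decided for each client. This is an added example (not from the course) that queries those IDs with Get-WinEvent and labels each hit with the meaning from the table; it assumes the events are in the Security log under the Microsoft-Windows-Security-Auditing provider, which is where NPS writes its Network Policy Server audit events when that audit subcategory is enabled, and it assumes an elevated session on the NPS server (or `-ComputerName` pointed at it).

```powershell
# Added example: summarise NPS/NAP outcomes from the Security log using the
# event IDs and meanings given on the slide.

# Meanings copied from the course table; the IDs are the NPS audit event IDs.
$napEventMeaning = @{
    6272 = 'Successful authentication has occurred'
    6273 = 'Successful authentication has not occurred'
    6274 = 'A configuration problem exists'
    6276 = 'NAP client quarantined'
    6277 = 'NAP client is on probation'
    6278 = 'NAP client granted full access'
}

function Get-NapEventSummary {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,  # NPS server to query
        [int]$Hours = 24                            # look-back window
    )
    $filter = @{
        LogName      = 'Security'
        ProviderName = 'Microsoft-Windows-Security-Auditing'
        Id           = @($napEventMeaning.Keys)
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises an error (not an empty result) when nothing matches,
    # so silence it and let the caller see an empty list instead.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Meaning = $napEventMeaning[$e.Id]
            # First message line states the outcome; the rest is the RADIUS detail.
            Summary = ($e.Message -split "`r?`n")[0]
        }
    }
}

$summary = Get-NapEventSummary -Hours 24

# Counts per outcome: a spike in 6276/6277 means clients are failing health
# checks; any 6274 means the policy itself needs attention before the clients do.
$summary | Group-Object Meaning | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Detail for the events a NAP administrator acts on.
$summary | Where-Object { $_.Id -in 6274, 6276, 6277 } |
    Sort-Object Time | Format-Table Time, Id, Meaning, Summary -AutoSize
```

If the query returns nothing while clients are clearly connecting, check that the "Audit Network Policy Server" subcategory is enabled in the advanced audit policy on the NPS server; without it none of these IDs are written.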
Lab: Implementing NAP
Exercise 1: Configuring NAP Components
Exercise 2: Configuring VPN Access
Exercise 3: Configuring the Client Settings to Support NAP
Logon Information
Virtual Machines: 20411B-LON-DC1, 20411B-LON-RTR, 20411B-LON-CL2
User name: Adatum\Administrator
Password: Pa$$w0rd
Estimated Time: 60 minutes
Lab Scenario
A. Datum is a global engineering and manufacturing company with its head office in London, UK. An IT office and data center in London support the head office and other locations. A. Datum has recently deployed a Windows Server 2012 server and client infrastructure.
To help meet its security and compliance requirements, A. Datum is required to extend its VPN solution to include NAP. You need to establish a way to verify and, if required, automatically bring client computers into compliance whenever they connect remotely by using the VPN connection. You will accomplish this goal by using NPS to create system health validator settings and network and health policies, and by configuring NAP to verify and remediate client health.
Lab Review
The DHCP NAP enforcement method is the weakest enforcement method in Windows Server 2012. Why is it a less preferable enforcement method than the other available methods?
Could you use the remote access NAP solution alongside the IPsec NAP solution? What benefit would this scenario provide?
Could you have used DHCP NAP enforcement for the client? Why or why not?
Module Review and Takeaways
Review Questions
Tools