http://www.biztechmagazine.com/article.asp?item_id=382
NAP protects networks by restricting client connections.
By Russell Smith
If you’ve seen the speed at which a rogue machine or a virus-infected dial-up client can wreak havoc on a network, you’ll appreciate the new access-control features in Windows Server 2008. Network Access Protection (NAP) replaces Network Access Quarantine Control (NAQC) in Windows Server 2003, which could restrict network access only for dial-up and virtual private network (VPN) clients. NAQC was limited and complicated: compliance was checked by scripts run on the clients, and Connection Manager profiles had to be used, which confined it to dial-up and VPN clients.
NAP improves on this functionality by additionally restricting clients that connect to a network directly, either wirelessly or physically. Compliance is checked via the Security Center, alleviating the need to write scripts. NAP restricts clients using the following enforcement methods: IP security (IPsec), 802.1x, Dynamic Host Configuration Protocol (DHCP) and VPN.
Enforcement Methods
IPsec is the strongest and most configurable NAP enforcement method, providing end-to-end protection, with enforcement performed on each individual client rather than at the point of access. One of the main advantages of IPsec over 802.1x is that it doesn’t require any supporting network hardware. It does require additional components, such as a Health Registration Authority (HRA), which grants health certificates to clients from a Certificate Server. IPsec enforcement is the most flexible, allowing restrictions based on the computer and/or application.
802.1x is often used to secure wireless networks. Its main disadvantage is that clients must reach the physical network through 802.1x-enabled hardware, such as a wireless access point or an 802.1x-enabled switch. 802.1x restricts access by shutting off a switch port or by granting the client a limited-access profile, implemented either with IP packet filters or with a VLAN (virtual LAN) identifier. 802.1x enforcement is more secure than DHCP enforcement, but it can still be circumvented, for instance by plugging a hub in between an already-authenticated computer and its switch port so that a second, unauthenticated device shares the authorised port, or by finding a port on which 802.1x is not enabled. Unlike IPsec, 802.1x prevents noncompliant computers from sending packets on a protected network at all.
DHCP is the weakest enforcement method. A client that meets the prerequisites defined by NAP receives a normal IP configuration. A client that does not still receives an IP address, but with a restricted configuration (no default gateway, and routes only to the remediation servers). Although DHCP is the easiest way to deploy NAP, any user with administrative access to a client can assign a static IP address and bypass the restriction entirely.
The VPN enforcement method uses IP packet filters to restrict noncompliant computers. NAP can be configured with more than one enforcement method at once, so VPN enforcement can cover remote clients while any of the other methods covers directly connected clients.
Remediation
Remediation is the process of turning a noncompliant computer into a compliant one. Usually this is achieved by giving the noncompliant system a limited-access profile that still lets it reach remediation servers. Windows Server Update Services (WSUS) is an example of a NAP-aware remediation server. Check this link for software vendors that support NAP:
Windows Server 2008 R2: Network Access Protection: Partners
NAP and 802.1x
Of the four enforcement methods outlined in this article, 802.1x offers a good balance between ease of deployment and security, provided your network hardware supports it. Most wireless access points (APs) support 802.1x, and many modern Ethernet switches are 802.1x-enabled. On a small network whose backbone is built from unmanaged hubs or switches, you will not be able to deploy NAP with 802.1x enforcement.
Install the Network Policy Server (NPS) Role
Open Server Manager from the Start menu on Windows Server 2008. In Server Manager, select Add Roles under Roles Summary. Click Next, select Network Policy and Access Services and click Next again. Click past the introduction screen, check Network Policy Server at the top of the list on the Select Role Services screen and click Next. Click Install on the confirmation screen. Check the installation results and click Close.
Figure 1
Configure the Network Switch as a RADIUS Client
Open the Network Policy Server MMC from Start > Administrative Tools. Right-click RADIUS Clients under RADIUS Clients and Servers and select New RADIUS Client from the menu. Enter a Friendly Name and the Address (IP or DNS) of the switch. Type and confirm a shared secret, which must match the secret configured on the switch; make it long and random, because the RADIUS integrity checks are HMACs keyed only with this secret, and a short one can be brute-forced offline from a single captured packet. Under Additional Options, check the Access-Request messages must contain the Message-Authenticator attribute box (Figure 1) and click OK. With this option set, NPS rejects any Access-Request that lacks a valid Message-Authenticator (an HMAC-MD5 over the whole packet, keyed with the shared secret), which protects it from requests sent from a spoofed RADIUS client IP address and from tampering with requests in transit. A switch using PEAP sends EAP-Message attributes, which must be accompanied by a Message-Authenticator anyway, so requiring it costs nothing. The new RADIUS client will appear in the right-hand pane of the Network Policy Server MMC under RADIUS Clients.
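The check that option turns on, as an added example that is not part of the article: a minimal Python model of the RFC 2869 Message-Authenticator, computed as HMAC-MD5 over the Access-Request, keyed with the shared secret, with the attribute’s own 16 octets zeroed during the computation. It builds a genuine request from the switch, a copy in which a spoofer has rewritten the NAS-IP-Address, verifies with the wrong secret, and verifies a request that omits the attribute. The shared secret, client address and attribute values are constructed for the example and are not from the article.

```python
import hashlib
import hmac
import struct

# RADIUS code and attribute types (RFC 2865 / RFC 2869)
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT = 5
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code(1) Identifier(1) Length(2) Authenticator(16)


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute: Type(1) Length(1, counts these two octets too) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def message_authenticator_offset(packet: bytes):
    """Walk the attribute list; return the offset of the 16-octet
    Message-Authenticator value, or None if the attribute is absent."""
    pos = HEADER_LEN
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute")
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                raise ValueError("Message-Authenticator must be 16 octets")
            return pos + 2
        pos += attr_len
    return None


def build_access_request(secret: bytes, identifier: int,
                         request_authenticator: bytes, attrs: list) -> bytes:
    """Assemble an Access-Request and sign it per RFC 2869 section 5.14:
    HMAC-MD5 keyed with the shared secret over the whole packet, with the
    Message-Authenticator value set to zeros while the MAC is computed."""
    body = b"".join(attrs) + encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    packet = header + request_authenticator + body
    off = message_authenticator_offset(packet)
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:off] + mac + packet[off + 16:]


def verify_access_request(secret: bytes, packet: bytes) -> bool:
    """The server-side check with 'Access-Request messages must contain the
    Message-Authenticator attribute' enabled: reject a request whose length
    field is inconsistent, that lacks the attribute, or whose MAC is wrong."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    try:
        off = message_authenticator_offset(packet)
    except ValueError:
        return False
    if off is None:
        return False
    received = packet[off:off + 16]
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)  # constant-time comparison


# Constructed sample: a switch at 10.0.0.2 authenticating the machine on port 7.
SECRET = b"example-shared-secret"   # assumption: the secret configured on switch and NPS
REQ_AUTH = bytes(range(16))          # fixed here for reproducibility; a real NAS picks random
SAMPLE_ATTRS = [
    encode_attr(ATTR_USER_NAME, b"host/pc01.example.local"),
    encode_attr(ATTR_NAS_IP_ADDRESS, bytes([10, 0, 0, 2])),
    encode_attr(ATTR_NAS_PORT, struct.pack("!I", 7)),
]


def demo() -> dict:
    good = build_access_request(SECRET, 42, REQ_AUTH, SAMPLE_ATTRS)
    # A spoofer rewrites NAS-IP-Address to impersonate another RADIUS client
    # but, not knowing the secret, cannot recompute the MAC.
    tampered = good.replace(bytes([10, 0, 0, 2]), bytes([10, 0, 0, 9]), 1)
    # A request with no Message-Authenticator attribute at all.
    body = b"".join(SAMPLE_ATTRS)
    bare = struct.pack("!BBH", ACCESS_REQUEST, 42, HEADER_LEN + len(body)) + REQ_AUTH + body
    return {
        "genuine": verify_access_request(SECRET, good),
        "spoofed_nas_ip": verify_access_request(SECRET, tampered),
        "wrong_secret": verify_access_request(b"guess", good),
        "attribute_missing": verify_access_request(SECRET, bare),
    }


if __name__ == "__main__":
    print(demo())
```

The comparison uses hmac.compare_digest rather than == so that a forger cannot time the byte-by-byte rejection; the length-field check comes first because the attribute walk trusts the Length octets in each attribute header.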
Connection Request Policy (CRP)
Start by disabling the default CRP. Expand Policies and then click Connection Request Policies. In the right-hand pane of the MMC, right-click Use Windows authentication for all users and select Disable from the menu. Right-click Connection Request Policies in the left-hand pane and select New from the menu. A new window opens to configure the policy. Type PEAP under Policy Name and leave the Type of network access server as Unspecified. Click Next. On the Specify Conditions screen, click Add. Under Select condition, scroll down to RADIUS Client, select Client IPv4 Address and click Add. In the Client IPv4 Address dialog box, enter the IP address of the 802.1x-enabled switch and click OK. The new condition and IP address appear under Conditions in the New Connection Request Policy window. Click Next.
Because this server will authenticate the switch’s requests itself rather than forwarding them to a remote RADIUS server group, leave Authenticate requests on this server selected and click Next. Under Specify Authentication Methods, select Override network policy authentication settings and click Add under EAP Types. In the Add EAP dialog, click Microsoft: Protected EAP (PEAP) and OK. Click Next (Figure 2) and Next again past the Configure Settings window. Click Finish on the completion screen. The new CRP appears enabled in the right-hand pane of the NPS MMC under Connection Request Policies.
Figure 2
System Health Validator (SHV)
Use the default SHV; no extra configuration is required. Out of the box, the Windows Security Health Validator requires that a firewall is enabled for all network connections, that antivirus and antispyware are on and up to date, and that automatic updating is enabled. Turning Windows Firewall off is therefore the simplest way to make a test client noncompliant.
Figure 3
Health Policy
Health policies define which SHVs are evaluated and how their results are interpreted. You need two: one for compliance and one for noncompliance. Under Policies, right-click Health Policies and select New. Name the policy “Compliant,” leave Client passes all SHV checks selected under Client SHV checks, check Windows Security Health Validator under SHVs used in this health policy and press OK. Repeat this procedure, but name the policy “Non-compliant” and select Client fails one or more SHV checks under Client SHV checks (Figure 3).
Network Policy
Create two network policies (called remote access policies in earlier versions); they place each client in the compliant or the noncompliant VLAN according to the health policy result. Right-click Network Policies under the Policies node and select New. Name the policy “Non-compliant” and click Next. On the Specify Conditions screen, click Add. Select Health Policies under Network Access and click Add again. In the Health Policies dialog, select Non-compliant and press OK. The new condition appears under Conditions in the New Network Policy window. Click Next. On the Specify Access Permission screen, leave Access granted selected (noncompliant clients are still admitted, just confined to their VLAN) and click Next. Click Next past the Configure Authentication Methods and Configure Constraints windows.
On the Configure Settings screen, select Standard under RADIUS Attributes and click Add. Select Tunnel-Medium-Type under Attributes and press Add. Leave Commonly used for 802.1x selected (this is the 802 medium type) and click OK twice. Add another attribute: select Tunnel-Pvt-Group-ID from the list and click Add. In the Attribute Information dialog box, click Add, enter the ID of the VLAN for noncompliant computers as a string value, and press OK twice. Finally, add the Tunnel-Type attribute: click Add, then in the Attribute Information dialog box click Add, select Commonly used for 802.1x (Virtual LANs) and click OK twice. Close the Add Standard RADIUS Attribute dialog box and review the attributes as shown in Figure 4.
Figure 4
Select Vendor Specific under RADIUS Attributes and click Add on the right-hand side of the dialog. Select Tunnel-Tag from the list of attributes and click Add. For the correct Tunnel-Tag value, consult the documentation for your 802.1x-enabled switch or access point; if it is not documented, use a value of 1. The same tag is applied to all three tunnel attributes, which is how the switch groups them into a single VLAN assignment. Enter the attribute value and click OK. Close the Add Vendor Specific Attribute dialog.
On the Configure Settings screen, select NAP Enforcement under Settings, and select Allow limited access on the right-hand side of the screen (Figure 5). Click Next and then Finish on the completion screen.
Figure 5
To create a policy for compliant computers, repeat the steps for the noncompliant policy, but instead:
- Name the policy “Compliant.”
- Add the Compliant health policy.
- Specify the appropriate VLAN ID and Tunnel-Tag for compliant computers.
- Select Allow full network access under NAP Enforcement.
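What the two network policies actually hand to the switch, as an added example that is not part of the article: the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Pvt-Group-ID attributes encoded as RFC 2868 tagged attributes in the Access-Accept, with the health result choosing the VLAN, followed by the decoding a switch performs, including the case where the tags do not match and no VLAN is applied. The VLAN IDs 10 and 99 are assumptions for the example; the attribute numbers and the VLAN (13) and 802 (6) values are the standard ones behind the “Commonly used for 802.1x” entries.

```python
# RFC 2868 tunnel attributes as profiled for 802.1X VLAN assignment in RFC 3580.
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # what the NPS dialog calls "Commonly used for 802.1x"
TUNNEL_MEDIUM_IEEE_802 = 6   # likewise, for Tunnel-Medium-Type
TUNNEL_ATTRS = {ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID}

# Assumed VLAN layout for the two network policies (not from the article).
VLAN_COMPLIANT = 10
VLAN_NONCOMPLIANT = 99


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute: Type(1) Length(1, counts these two octets too) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def tagged_int(attr_type: int, tag: int, value: int) -> bytes:
    """Tagged integer attribute: Tag(1) followed by a 3-octet big-endian integer."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00-0x1F")
    return encode_attr(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_string(attr_type: int, tag: int, text: str) -> bytes:
    """Tagged string attribute: Tag(1) followed by the string octets."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00-0x1F")
    return encode_attr(attr_type, bytes([tag]) + text.encode("ascii"))


def vlan_assignment(vlan_id: int, tag: int = 1) -> bytes:
    """The three attributes the Access-Accept carries for one VLAN; the same
    tag on all three is what lets the switch treat them as one assignment."""
    return b"".join([
        tagged_int(ATTR_TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN),
        tagged_int(ATTR_TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802),
        tagged_string(ATTR_TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)),
    ])


def network_policy_attributes(compliant: bool, tag: int = 1) -> bytes:
    """Mirror the two network policies: the health result selects the VLAN."""
    return vlan_assignment(VLAN_COMPLIANT if compliant else VLAN_NONCOMPLIANT, tag)


def decode_vlan_assignment(attrs: bytes):
    """What the switch does with the Access-Accept: group tunnel attributes by
    tag and return the VLAN from the first complete, consistent group, or None
    if there is none (the port then stays in the switch's default VLAN)."""
    groups = {}
    pos = 0
    while pos + 2 <= len(attrs):
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attrs):
            raise ValueError("malformed attribute")
        value = attrs[pos + 2:pos + attr_len]
        pos += attr_len
        if attr_type not in TUNNEL_ATTRS or not value:
            continue
        if attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first octet above 0x1F is not a tag but part of the string.
            tag, text = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            groups.setdefault(tag, {})[attr_type] = text.decode("ascii", "replace")
        else:
            tag, number = value[0], int.from_bytes(value[1:], "big")
            groups.setdefault(tag, {})[attr_type] = number
    for tag in sorted(groups):
        g = groups[tag]
        if (g.get(ATTR_TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and g.get(ATTR_TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and ATTR_TUNNEL_PRIVATE_GROUP_ID in g):
            return g[ATTR_TUNNEL_PRIVATE_GROUP_ID]
    return None


if __name__ == "__main__":
    for compliant in (True, False):
        accept = network_policy_attributes(compliant)
        print("compliant" if compliant else "noncompliant", accept.hex(),
              "-> VLAN", decode_vlan_assignment(accept))
    # Mismatched tags, the mistake the Tunnel-Tag setting exists to avoid:
    mixed = (vlan_assignment(VLAN_COMPLIANT, tag=1)[:12]
             + tagged_string(ATTR_TUNNEL_PRIVATE_GROUP_ID, 2, "10"))
    print("mixed tags ->", decode_vlan_assignment(mixed))
```

The decoder returns the group ID as a string because RFC 3580 allows it to be either a VLAN number or a VLAN name; which of the two a given switch accepts is what the vendor documentation the article points you to will tell you.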
Configure a Vista Client
You’ll be relieved that this is much simpler than configuring the server. Open the Group Policy Management Console (GPMC) on Windows Server 2008 and create a new Group Policy Object (GPO) for the domain by right-clicking Group Policy Objects and selecting New. Name the policy “NAP” and click OK. Expand the Group Policy Objects node, right-click the NAP policy and select Edit from the menu. The Group Policy Management Editor window opens. Expand Computer Configuration > Policies > Windows Settings > Security Settings and click System Services. Find the two services listed below in the right-hand pane, and for each select Define this policy setting and set the Startup type to Automatic (Wired AutoConfig is set to Manual by default on Vista, so the wired 802.1x supplicant would otherwise never start):
- Network Access Protection Agent
- Wired AutoConfig
Under Security Settings, expand Network Access Protection > NAP Client Configuration and select Enforcement Clients. In the right-hand pane, double-click EAP Quarantine Enforcement Client, check Enable this enforcement client and click OK.
Figure 6
Go back to Security Settings and find Wired Network (IEEE 802.3) Policies in the list. Right-click it and select Create a New Windows Vista Policy. On the General tab, give the new policy a name and ensure that Use Windows Wired Auto Config service for clients is selected. On the Security tab, select Microsoft: Protected EAP (PEAP) as the authentication method and click Properties. In the Protected EAP Properties dialog box, check Enable Quarantine Checks and click OK (Figure 6). PEAP needs a server certificate on the NPS server that the clients trust, so leave Validate server certificate enabled here; without it a client will complete PEAP with any switch or access point that presents a certificate. Click OK again to complete the configuration.
Under Computer Configuration, expand Administrative Templates > Windows Components and select Security Center. In the right-hand pane, double-click Turn on Security Center (Domain PCs only), set the policy to Enabled and press OK.
Close the Group Policy Management Editor window and link the new GPO to an appropriate container in your Active Directory hierarchy so that it applies to the required Vista client(s). Restart a Vista client to which the GPO applies so that policy is refreshed and the network connection re-authenticates.
Testing NAP
The Vista client to be tested should be connected to a switch port where 802.1x authentication is enabled. If the client meets the requirements of the health policy, it should authenticate and be placed in the compliant VLAN. If not, authentication still succeeds, but the client is placed in the noncompliant VLAN. You can confirm this by checking the port’s VLAN membership on the switch. If a client does not meet the health policy requirements, a notification balloon should appear in the task bar.
You can also test auto-remediation by turning off Windows Firewall on the Vista client, which makes it noncompliant. Auto-remediation should turn the firewall back on; the client then sends a fresh Statement of Health (SoH) and is moved to the compliant VLAN with full network access. More advanced testing of remediation, for Windows updates or antivirus signatures, requires the appropriate remediation servers to be reachable from the noncompliant VLAN.
Microsoft’s Network Access Control solution is thorough, but without a deep knowledge of networking technologies, it can be complicated to configure. DHCP enforcement is simple to deploy but easily circumvented, and 802.1x requires supporting hardware. For smaller networks, DHCP enforcement may still be worth considering because it helps to enforce IT policy to a limited extent. IPsec is more suitable for security-sensitive environments where encryption of the traffic is also of benefit.
Making a decision about NAP and the various enforcement methods will largely depend on what you’re trying to achieve and your existing network infrastructure. If you don’t have an infrastructure that supports 802.1x, following through these configuration steps will still help you to understand the components of NAP and how they work together.
CEO Takeaway
Network Access Protection (NAP) will be fully integrated into Windows Server 2008 to control network access for Windows XP (SP3) and Windows Vista.
NAP prevents clients that don’t meet certain prerequisites (such as security configuration or up-to-date antivirus signatures) from accessing the corporate intranet, protecting the network from computers that don’t comply with security policy. In addition, NAP can provide limited access to the network for the purposes of automatic updating to achieve compliance.
- The existing network infrastructure may influence how NAP is deployed and how effective the end-solution is.
- Decide exactly what it is you’re trying to achieve. Each NAP enforcement method has advantages and disadvantages.
- Are you already using IPsec for authentication or encryption? If this is the case, it may make sense to use IPsec as the enforcement method.
- Consider the extra complexity that each NAP enforcement method introduces to the network, and weigh this against the potential benefits.
- Do current servers providing security patches and antivirus signatures support Microsoft NAP?
Russell Smith is an independent consultant based in the United Kingdom who specializes in Microsoft systems management.