
Topic: Deploying IPsec Server and Domain Isolation using Windows Server 2008 Group Policy

  
  1. #1
    Real name: 1234

    Retired administrator
    Join date
    Jul 2009
    Location
    5678
    Posts
    5,634
    Thanked
    2513
    Thanks given
    272

    Deploying IPsec Server and Domain Isolation using Windows Server 2008 Group Policy

    Code:
    http://www.windowsecurity.com/articles/Deploying-IPsec-Server-Domain-Isolation-Windows-Server-2008-Group-Policy-Part1.html

    Thomas Shinder

    PART-1

    Network Access Protection is a new technology included with Windows Server 2008 that allows you to control what machines are allowed to connect to other machines on your network. Network Access Protection (or NAP) enables you to set system health policies that must be met before a machine is allowed network access. If the machines meet the requirements in the network access policies, then they are allowed on the network. If not, then the machine may be disallowed from connecting to any machine on the network, or you might configure policies that allow the machine to connect to remediation server that allow the machine to remediate and try to connect to the network again after remediation is successful.
    There are a number of ways you can enforce a NAP policy. The simplest method is to use NAP with DHCP enforcement. Unfortunately, this is also the least secure method, since a user can manually configure an IP address on a machine and bypass the NAP DHCP policy enforcement. The most secure method of NAP enforcement is IPsec. When using IPsec NAP enforcement, when a machine is compliant with NAP access policy, the machine is issued a health certificate that allows the machine to create a secure IPsec connection to other machines participating on the NAP “virtual” network. Unfortunately, NAP with IPsec enforcement is the most complex configuration.
    NAP by itself is an extremely complex technology with hundreds of “moving parts”. If you misconfigure any of these hundreds of moving parts, the deployment will fail and it can take quite a while to figure out what went wrong. When using NAP with IPsec enforcement, you find that there are even more “moving parts” and troubleshooting becomes even more complex. There is also a great dependence on Group Policy, which again, adds to the complexity of the solution because you often need to troubleshoot problems with Group Policy when setting forth on a NAP deployment.
    So, with all the talk of complexity and innumerable “moving parts”, it might sound like I’m trying to dissuade you from implementing NAP with IPsec policy enforcement. No! That’s not true. I just want you to know that it’s a complex setup and configuration and that you should be patient with your testing and deployment. The more time you spend testing and understanding how the solution works, the better chance you’ll have at your deployment being a success.
    NAP with IPsec policy enforcement is a very powerful method of deploying your NAP solution. You actually get two solutions in one: first, you get the NAP network access control that enables you to block unhealthy machines from connecting to your network and second, you get the power of IPsec domain isolation that prevents rogue machines from connecting to your network. NAP with IPsec domain isolation allows you to create a “virtual network” within the confines of your physical networks. Machines in the IPsec “virtual network” can be on the same network segment or VLAN segment, but virtually segmented from one another by IPsec. Machines without IPsec Health Certificates will be unable to communicate with healthy machines on the network.
    In this article I am going to take you from start to finish in putting together a NAP solution using IPsec policy enforcement. The initial environment is very simple, as you can see in the figure below.

    Figure 1
    The machines we are using in the example network are:
    WIN2008DC
    This is a Windows Server 2008 Enterprise edition machine that is a domain controller in the msfirewall.org domain. The only other server role installed on this machine is the Certificate Authority server role. I made this machine an Enterprise Root CA. If you want to mirror this configuration, make the machine a domain controller first, and then after the machine is promoted to domain controller, install the CA role and choose the Root CA option. If you want to mirror my enterprise CA configuration, name the CA msfirewall-WIN2008DC-CA.
    WIN2008SRV1
    This is a Windows Server 2008 Enterprise edition machine and is a member server in the msfirewall.org domain. No other server roles are configured on the machine. We will install the NPS server role on the machine and make the machine a subordinate CA later, but if you want to build out this lab, just install Windows Server 2008 on the machine and follow the instructions as we go through them in this article series.
    VISTASP1
    This is a Vista machine with service pack 1 installed. The machine is joined to the msfirewall.org domain. I used a default install of Vista and then installed SP1 on the machine afterwards. If you have an integrated SP1 installation available, that will work fine too.
    VISTASP1-2
    This is a Vista machine with SP1 installed, like VISTASP1. This machine is installed in a workgroup named WORKGROUP. We’ll join the machine to the domain later when testing the NAP and IPsec policies.
    The major steps that we’ll carry out in this article series include the following:

    • Configure the Domain Controller
    • Install and Configure the Network Policy Server, Health Registration Authority and Subordinate CA
    • Configure the NAP IPsec Enforcement Policy on the Network Policy Server
    • Configure VISTASP1 and VISTASP1-2 for Testing
    • Test the Health Certificate and Auto-remediation Configuration
    • Verify NAP Policy Enforcement on VISTASP1
    • Configure and Test IPsec Policies

    My goal in this article series is to show you with generous screen shots how to configure the solution and show you that it actually works. When putting this article together, I’ve built on the shoulders of giants and want to thank Jeff Sigman from Microsoft for the fantastic work he’s done with making NAP available and understandable for the masses. This article builds on the step by step guide he created for setting up NAP with IPsec enforcement in a test lab. It is my hope that after you see how the configuration works, with tons of screenshots, that you’ll be excited about the NAP with IPsec enforcement solution and that you’ll be willing to give it a test in your own test lab.
    Configure the Domain Controller

    In this section we’ll perform the following steps:

    • Confirm the Enterprise Root CA Configuration on the domain controller
    • Create the NAP CLIENTS security group
    • Create the NAP Exempt security group
    • Create and configure a Certificate Template for NAP Exempt Computers
    • Make the Certificate Template Available for Publishing through Group Policy
    • Distribute the NAP Exemption Health Certificate through Group Policy Autoenrollment

    The rationale for each step is provided at the beginning of each section.
    Confirm the Enterprise Root CA Configuration

    Verify that certificate requests do not require administrator approval. Perform the following steps on the domain controller, WIN2008DC:

    1. Click Start, point to Administrative Tools, and then click Certification Authority.
    2. In the left pane of the console, right-click the name of the CA, and then click Properties.


    Figure 2

    3. Click the Policy Module tab, and then click Properties.


    Figure 3

    4. Verify that Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate is selected.


    Figure 4

    5. Click OK twice, and then close the Certification Authority console.

    Create the NAP CLIENTS Group

    Next, create a group for use with Group Policy security filtering. What we will do is create a Group Policy Object that applies to machines that NAP policy will apply to, and then configure the GPO for use only by members of this group. In this way, we don’t need to create an OU for the NAP clients. All we need to do is add the NAP clients to the security group. VISTASP1 and VISTASP1-2 will be added to this group after they join the domain.
    Perform the following steps on WIN2008DC:

    1. In the left pane of the Active Directory Users and Computers console, right-click msfirewall.org, point to New, and then click Group.


    Figure 5

    2. In the New Object - Group dialog box, under Group name, type NAP Clients. Under Group scope, choose Global, under Group type, choose Security, and then click OK.


    Figure 6

    3. Leave the Active Directory Users and Computers console open for the following procedure.

    Create the NAP Exempt Group

    There will be machines on your network that need to communicate with members of the secure network, but who should not be expected to meet NAP security requirements. These are typically network infrastructure machines, such as domain controllers, DHCP servers and others that need to communicate with machines on the secure network.
    On our example network, WIN2008SRV1 needs to be able to connect to the members of the secure network in order to give them health certificates that will be used to establish secure IPsec communications between members in the secure network. So, we will place this machine in its own group, and then configure a health certificate that will be automatically deployed to this machine. The health certificate will be deployed to this machine by using autoenrollment, so that the machine issuing the Health Certificates doesn’t need to pass NAP policy first before receiving the certificate.
    Perform the following steps on WIN2008DC:

    1. In the Active Directory Users and Computers console, right-click msfirewall.org, point to New, and then click Group.


    Figure 7

    2. In Group name, type IPsec NAP Exemption. Under Group scope, choose Global, under Group type, choose Security, and then click OK.


    Figure 8

    3. Leave the Active Directory Users and Computers console open for a procedure that follows.


    Figure 9
    Create and Configure a Certificate Template for NAP Exempt Computers

    A certificate template must be created for computers that are given exemptions from NAP health checks. This certificate template will be configured with two application policies: client authentication and system health authentication. This certificate template will be configured with the System Health Authentication OID so that it can be used to communicate with the NAP compliant computers on the secure network.
    After we create the certificate template, we will publish the certificate template so that it’s available in Active Directory to machines that are members of the NAP Exempt group. After publishing the certificate template to the Active Directory, we’ll configure Group Policy so that the certificate is automatically assigned to members of the NAP Exempt group using Autoenrollment.
    Perform the following steps on WIN2008DC:

    1. Click Start, click Run, type certtmpl.msc, and then press ENTER.
    2. In the middle pane of the Certificate Template Console, right-click Workstation Authentication, and then click Duplicate Template. This template is used because it is already configured with the client authentication application policy.


    Figure 10

    3. In the Duplicate Template dialog box, select the Windows 2003 Server, Enterprise Edition option and click OK.


    Figure 11

    4. Under Template display name, type System Health Authentication. Put a checkmark in the Publish certificate in Active Directory check box.


    Figure 12

    5. Click the Extensions tab, and then click Application Policies. Then click the Edit button.


    Figure 13

    6. In the Edit Application Policies Extension dialog box, click Add.


    Figure 14

    7. In the Add Application Policy dialog box, select the System Health Authentication policy and click OK.


    Figure 15

    8. Click OK in the Edit Application Policy Extension dialog box.


    Figure 16

    9. Click the Security tab and click Add. In the Select Users, Computers or Groups dialog box, enter NAP Exempt in the Enter the object name to select text box and click Check Names. Then click OK.


    Figure 17

    10. Click IPsec NAP Exemption, and then click the Allow check boxes next to Enroll and Autoenroll and then click OK.


    Figure 18

    11. Close the certificate templates console.

    Make the Certificate Template Available for Publishing through Group Policy

    Perform the following steps to enable the new certificate template to be available through Active Directory Group Policy. After we do this, we’ll be able to make this certificate available to members of the NAP Exempt group through autoenrollment.
    Perform the following steps on WIN2008DC:

    1. Click Start, click Run, type certsrv.msc, and then press ENTER.
    2. Expand the server name in the left pane of the console, and in the console tree, right-click Certificate Templates, point to New, and then click Certificate Template to Issue.


    Figure 19

    3. Click System Health Authentication, and then click OK.


    Figure 20

    4. In the left pane of the console, click Certificate Templates, and in the details pane under Name, verify that System Health Authentication is displayed.


    Figure 21

    5. Close the Certification Authority console.

    Distribute the NAP Exemption Health Certificate through Group Policy Autoenrollment

    Now that we’ve published the certificate template, we can make it available to domain machines that belong to the NAP Exempt group. We do this by using autoenrollment.
    Perform the following steps on WIN2008DC to enable autoenrollment of this certificate:

    1. Click Start and then click Run. Enter gpmc.msc in the Open text box and click OK.
    2. In the Group Policy Management console, expand the msfirewall.org domain name, right click the Default Domain Policy and click Edit.


    Figure 22

    3. In the left pane of the Group Policy Management Editor, open Computer Configuration\Windows Settings\Security Settings\Public Key Policies. In the middle pane of the console, double-click Certificate Services Client – Auto-Enrollment.


    Figure 23

    4. In the Certificate Services Client – Auto-Enrollment Properties dialog box, select the Enable option from the Configuration Model drop down list box. Put a checkmark in the Renew Expired certificates, update pending certificates, and remove revoked certificates and Update certificates that use certificate templates checkboxes. Click OK.


    Figure 24

    5. Close the Group Policy Management Editor.


    6. Close the Group Policy Management console.

    Summary

    In this, part 1 of our article series on putting together a NAP solution using IPsec enforcement, we covered the configuration requirements for the domain controller computer. This included confirming the enterprise root CA configuration, creating the NAP CLIENTS and NAP Exempt security groups, creating and configuring a certificate template for NAP exempt computers, making the certificate template available for publishing through group policy, and distributing the NAP exemption health certificate through group policy autoenrollment. In the next article in this series, we will install the Network Policy Server and the Health Registration authorities and create a NAP policy. See you then! -Tom


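A read-only check of the Part 1 domain-controller configuration, added here as an example and not part of Thomas Shinder's article. It assumes a PowerShell session on WIN2008DC and the names the article uses (CA msfirewall-WIN2008DC-CA, template display name System Health Authentication, groups NAP Clients and IPsec NAP Exemption); the registry and LDAP locations are the standard AD CS ones, and AEPolicy = 7 is taken to be the value that Enabled with both check boxes writes.

```powershell
# Added example (not from the article): verify the Part 1 steps on WIN2008DC without changing anything.
# Assumptions: run as a domain admin on WIN2008DC; names as in the article.
$CaName       = 'msfirewall-WIN2008DC-CA'
$TemplateName = 'System Health Authentication'
$GroupNames   = @('NAP Clients', 'IPsec NAP Exemption')
$OidSystemHealthAuth = '1.3.6.1.4.1.311.47.1.1'   # System Health Authentication EKU
$OidClientAuth       = '1.3.6.1.5.5.7.3.2'        # Client Authentication EKU

function Report([bool]$Ok, [string]$Message) {
    '[{0}] {1}' -f $(if ($Ok) { 'OK' } else { 'FAIL' }), $Message
}

function Get-PkiContainer([string]$Leaf) {
    # The configuration partition holds the templates and the list of templates each CA issues.
    $cfg = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    [ADSI]"LDAP://CN=$Leaf,CN=Public Key Services,CN=Services,$cfg"
}

function Get-AdsiValues($Entry, [string]$Attribute) {
    @($Entry.Properties[$Attribute] | ForEach-Object { [string]$_ })
}

# 1. Policy module (Figures 3-4): "Otherwise, automatically issue the certificate" stores
#    RequestDisposition = 1 (REQDISP_ISSUE); the 0x100 bit (REQDISP_PENDINGFIRST) means requests
#    wait for administrator approval. Constant names are from the Windows SDK header certpol.h.
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName" +
           '\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy'
$disp = (Get-ItemProperty -Path $regPath -Name RequestDisposition).RequestDisposition
Report ((($disp -band 0x100) -eq 0) -and (($disp -band 0xFF) -eq 1)) `
       ('CA issues requests without approval (RequestDisposition=0x{0:X})' -f $disp)

# 2. Security groups (Figures 5-8) exist.
foreach ($g in $GroupNames) {
    $found = ([ADSISearcher]"(&(objectClass=group)(cn=$g))").FindOne()
    Report ($found -ne $null) "group '$g' exists"
}

# 3. Template (Figures 10-16) carries both application policies.
$tmpl = (Get-PkiContainer 'Certificate Templates').Children |
        Where-Object { (Get-AdsiValues $_ 'displayName') -contains $TemplateName }
if (-not $tmpl) {
    Report $false "template '$TemplateName' not found in Active Directory"
} else {
    $ekus = Get-AdsiValues $tmpl 'pKIExtendedKeyUsage'
    Report (($ekus -contains $OidSystemHealthAuth) -and ($ekus -contains $OidClientAuth)) `
           ('template EKUs: ' + ($ekus -join ', '))

    # 4. Publishing (Figures 19-21): the CA's enrollment-service object lists the template by its
    #    internal name (the cn, by default the display name without spaces), not the display name.
    $caEntry = (Get-PkiContainer 'Enrollment Services').Children |
               Where-Object { (Get-AdsiValues $_ 'cn') -contains $CaName }
    $issued = @()
    if ($caEntry) { $issued = Get-AdsiValues $caEntry 'certificateTemplates' }
    Report ($issued -contains (Get-AdsiValues $tmpl 'cn')[0]) "template published by $CaName"
}

# 5. Autoenrollment GPO (Figures 22-24): after gpupdate the Default Domain Policy writes AEPolicy.
#    7 is assumed to be the value Enabled plus both check boxes produce; 0x8000 means Disabled.
$aeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$ae = (Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
Report (($ae -ne $null) -and (($ae -band 0x8000) -eq 0) -and (($ae -band 7) -eq 7)) `
       ('autoenrollment enabled with renew and update options (AEPolicy={0})' -f $ae)
```

Run gpupdate /force on the domain controller before the last check, since the GPO setting only reaches the registry after a policy refresh.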



  2. #2
    Code:
    http://www.windowsecurity.com/articles/Deploying-IPsec-Server-Domain-Isolation-Windows-Server-2008-Group-Policy-Part2.html
    PART-2

    In part 1 of this series on how to use IPsec enforcement with NAP health policies, I described the example network and called out the major steps required to get the NAP with IPsec enforcement policy working. As a refresher, here is the list of the high level steps required to reach a working solution:

    • Configure the Domain Controller
    • Install and Configure the Network Policy Server, Health Registration Authority and Subordinate CA
    • Configure the NAP IPsec Enforcement Policy on the Network Policy Server
    • Configure VISTASP1 and VISTASP1-2 for Testing
    • Test the Health Certificate and Auto-remediation Configuration
    • Verify NAP Policy Enforcement on VISTASP1
    • Configure and Test IPsec Policies

    In the first article in the series, we began with the steps required to configure the domain controller in our NAP with IPsec enforcement environment. In this, part 2 of the article series, we’ll move on to the second step, which is to install and configure the Network Policy Server, the Health Registration Authority and the subordinate CA.
    Install and Configure Network Policy Server, Health Registration Authority and Subordinate CA

    Now we’ll move our attention to the Network Policy Server. The Network Policy Server or NPS machine takes on the RADIUS server role. NPS is the new name for the former Microsoft Internet Access Server (IAS). There are actually two components to the new NPS server: the RADIUS component (which includes new support for NAP) and the RRAS component. We’re not interested in the RRAS component in this scenario so we won’t install or configure RRAS.
    We will need to do the following to get the NPS server, along with the co-located Health Registration Authority and subordinate CA installed and configured on this machine:

    • Add the network policy server to the NAP Exempt Group
    • Restart the Network Policy Server
    • Request a computer certificate for the Network Policy Server
    • View the computer and health certificate installed on the Network Policy Server
    • Install the Network Policy Server, Health Registration Authority and Subordinate CA
    • Configure the Subordinate CA on the Network Policy Server
    • Enable Permissions for the Health Registration Authority to request, issue and manage certificates
    • Configure the Health Registration Authority to use the subordinate CA to issue health certificates

    Let’s now get into the details of each of these steps.
    Add the Network Policy Server to the NAP Exempt Group

    We need to make the WIN2008SRV1 computer a member of the NAP Exempt Group so that it autoenrolls the Health Certificate we created for it. This will allow this computer, which will act as the NAP policy server and Health Registration Authority to communicate with machines that are in the secure network, even though this machine isn’t subject to NAP requirements.
    Perform the following steps on the WIN2008DC domain controller:

    1. On WIN2008DC, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
    2. In the left pane of the Active Directory Users and Computers console, expand msfirewall.org. Click on the Users node.
    3. Double click on the NAP Exempt group in the right pane of the console.
    4. Click the Members tab, click Add, click Object Types, select the Computers check box, and then click OK.


    Figure 1


    5. Under Enter the object names to select (examples), type WIN2008SRV1, and then click Check Names. Click OK, and then click OK in the NAP Exempt Properties dialog box.


    Figure 2


    Figure 3


    6. Close the Active Directory Users and Computers console.

    Restart the Network Policy Server

    To activate the new domain membership and security group membership settings, restart WIN2008SRV1.

    1. Restart WIN2008SRV1.
    2. After the computer has been restarted, log on as Administrator.

    Request a Computer Certificate for the Network Policy Server

    The WIN2008SRV1 machine will need a computer certificate to support SSL connections to the server. The SSL connections will come from NAP clients when they connect to the Health Registration Authority Web server on the NPS server machine. Note that in this example the NPS server and the Health Registration Authority are on the same machine. You don’t have to do it that way – you can put the Health Registration Authority and the NPS server on different machines. In that scenario, you would need to install the NPS service on the HRA machine and configure that machine as a RADIUS proxy, since the HRA is the network access server in this scenario and the NAS needs to be able to inform the NPS service of the client’s status.
    Perform the following steps on the WIN2008SRV1 NPS machine:

    1. On WIN2008SRV1, click Start, click Run, type mmc, and then press ENTER.
    2. Click File, and then click Add/Remove Snap-in.
    3. In the Add or Remove Snap-ins dialog box, click Certificates and then click Add. In the Certificates snap-in dialog box, select the Computer account option and click Next.


    Figure 4


    4. In the Select Computer dialog box, select the Local Computer option and click Finish.


    Figure 5


    5. Click OK in the Add or Remove Snap-ins dialog box.


    Figure 6


    6. In the Certificates console, expand the Certificates (Local Computer) node and then expand the Personal node. Click on the Certificates node, then right click on it and point to All Tasks and then click Request New Certificate.


    Figure 7


    7. Click Next on the Certificate Enrollment page.
    8. On the Request Certificates page, you can see a list of certificate templates that are available to this computer. Note that while there are many more certificate templates available, these are the only ones available to this computer, based on the permissions configured on the certificate templates. Put a checkmark in the Computer checkbox and click Enroll. Note that you can get full and complete details of this certificate by clicking on the Properties button.

    Figure 8


    9. Click Finish in the Certificate Installation Result dialog box.


    Figure 9


    10. Leave the console window open for the following procedure.


    Figure 10

    View the Computer and Health Certificate Installed on the Network Policy Server

    Next, verify that WIN2008SRV1 has an SSL certificate and a NAP exemption certificate.

    1. In the left pane of the Certificates console, open Certificates (Local Computer)\Personal\Certificates. In the right pane, verify that a certificate was autoenrolled by WIN2008SRV1 with Intended Purposes of System Health Authentication and Client Authentication. This certificate will be used for NAP client IPsec exemption.


    Figure 11


    2. In the right pane, verify that a certificate was enrolled with Intended Purposes of Client Authentication and Server Authentication. This certificate will be used for server-side SSL authentication.


    Figure 12


    3. Close the Certificates console. If you are prompted to save settings, click No.

    Install the Network Policy Server, Health Registration Authority, and Subordinate Certificate Server roles

    Next, install role services to make WIN2008SRV1 a NAP health policy server, NAP enforcement server, and NAP CA server.
    Perform the following steps on WIN2008SRV1:

    1. In Server Manager, under Roles Summary, click Add Roles, and then click Next.


    Figure 13


    2. On the Select Server Roles page, select the Active Directory Certificate Services and Network Policy and Access Services check boxes, and then click Next twice.


    Figure 14


    3. On the Select Role Services page, select the Health Registration Authority check box, click Add Required Role Services in the Add Roles Wizard window, and then click Next.


    Figure 15


    4. On the Choose the Certification Authority to use with the Health Registration Authority page, choose Install a local CA to issue health certificates for this HRA server, and then click Next.


    Figure 16


    5. On the Choose Authentication Requirements for the Health Registration Authority page, choose No, allow anonymous requests for health certificates, and then click Next. This choice allows computers to be enrolled with health certificates in a workgroup environment. We’ll see an example of a workgroup computer receiving a Health Certificate later.


    Figure 17


    6. On the Choose a Server Authentication Certificate for SSL Encryption page, choose Choose an existing certificate for SSL encryption (recommended), click the certificate displayed under this option, and then click Next.

    Note:
    You can view the properties of certificates in the local computer certificate store by clicking a certificate, clicking Properties, and then clicking the Details tab. A certificate used for SSL authentication must have a Subject field value that corresponds to the fully qualified domain name of the HRA server (for example, NPS1.Contoso.com), and an Enhanced Key Usage field value of Server Authentication. The certificate must also be issued from a root CA that is trusted by the client computer.

    Figure 18


    7. On the Introduction to Active Directory Certificate Services page, click Next.
    8. On the Select Role Services page, verify that the Certification Authority check box is selected, and then click Next.


    Figure 19


    9. On the Specify Setup Type page, click Standalone, and then click Next.


    Figure 20


    10. On the Specify CA Type page, click Subordinate CA, and then click Next. We choose to use a subordinate CA because this is a more secure option, as it gives us the option to revoke the certificate of the subordinate CA at the root CA level. The subordinate CA is responsible for issuing certificates, while the job of the root CA is to sign the certificates of the issuing subordinate CAs. This allows you to have many subordinate CAs and a single root CA. In a production environment, you’ll likely put the root CA offline and bring it online only to sign certificates of new subordinate CAs.


    Figure 21


    11. On the Set Up Private Key page, click Create a new private key, and then click Next.


    Figure 22


    12. On the Configure Cryptography for CA page, click Next.
    13. On the Configure CA Name page, under Common name for this CA, type msfirewall-WIN2008SRV1-CA, and then click Next.


    Figure 23


    14. On the Request Certificate from a Parent CA page, choose Send a certificate request to a parent CA, and then click Browse. In the Select Certification Authority window, click Root CA, and then click OK.


    Figure 24


    15. Verify that WIN2008DC.msfirewall.org\Root CA is displayed next to Parent CA, and then click Next.


    Figure 25


    16. Click Next three times to accept the default database, Web server, and role services settings, and then click Install.


    Figure 26


    17. Verify that all installations were successful, and then click Close. Note that the installation results say that Attempt to configure Health Registration Authority failed. Failed to get name of the local Certification Authority. Don’t worry about that. We’ll configure the Health Registration Authority in the next steps.


    Figure 27


    18. Leave Server Manager open for the next procedure.

    Configure the Subordinate CA on the Network Policy Server

    The subordinate CA must be configured to automatically issue certificates when NAP clients who meet NAP policy requirements request a certificate. By default, standalone CAs wait for administrator approval before the certificate is issued. We don’t want to wait for administrator approval, so we’ll configure the standalone CA to automatically issue the certificates when the request comes in.
    Perform the following steps on WIN2008SRV1:

    1. On WIN2008SRV1, click Start, click Run, type certsrv.msc, and then press ENTER.
    2. In the Certification Authority console tree, right-click msfirewall-WIN2008SRV1-CA, and then click Properties.


    Figure 28


    3. Click the Policy Module tab, and then click Properties.


    Figure 29


    4. Choose Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate, and then click OK.


    Figure 30


    5. When you are prompted that AD CS must be restarted, click OK. Click OK, right-click msfirewall-WIN2008SRV1-CA, point to All Tasks, and then click Stop Service.


    Figure 31


    6. Right-click msfirewall-WIN2008SRV1-CA, point to All Tasks, and then click Start Service.


    Figure 32


    7. Leave the Certification Authority console open for the following procedure.

    Enable Permissions for the Health Registration Authority to Request, Issue and Manage Certificates

    The Health Registration Authority must be given security permissions to request, issue, and manage certificates. It must also be granted permission to manage the subordinate CA so that it can periodically clear expired certificates from the certificate store.
    When the Health Registration Authority is installed on a computer different from the issuing CA, permissions must be assigned to the HRA machine name. In this configuration, HRA and CA are located on the same computer. In this scenario, permissions must be assigned to Network Service.
    Perform the following steps on WIN2008SRV1:

    1. In the left pane of Certification Authority console, right-click msfirewall-WIN2008SRV1-CA, and then click Properties.
    2. Click the Security tab, and then click Add.


    Figure 33


    3. Under Enter the object names to select (examples), type Network Service, and then click OK.


    Figure 34


    4. Click Network Service, and under Allow, select the Issue and Manage Certificates, Manage CA, and Request Certificates check boxes, and then click OK.


    Figure 35


    5. Close the Certification Authority console.

    Configure the Health Registration Authority to use the Subordinate CA to Issue Health Certificates

    You must tell the Health Registration Authority which CA to use to issue Health Certificates. You can use either a standalone or enterprise CA. In this example network we’re using the standalone CA installed on the WIN2008SRV1 computer.
    Perform the following steps on WIN2008SRV1:

    1. On WIN2008SRV1, click Server Manager.
    2. In Server Manager, open Roles\Network Policy and Access Services\Health Registration Authority(WIN2008SRV1)\Certification Authority.

    Note:
    If Server Manager was open when you installed the HRA server role, you might need to close it and then open it again to access the HRA console.

    3. In the left pane HRA console tree, right-click Certification Authority, and then click Add certification authority.


    Figure 36


    4. Click Browse, click msfirewall-WIN2008SRV1-SubCA, and then click OK. See the following example.


    Figure 37


    5. Click OK, and then click Certification Authority and verify that \\WIN2008SRV1.msfirewall.org\msfirewall-WIN2008SRV1-CA is displayed in the details pane. Next, we will configure properties of this standalone CA.

    The Health Registration Authority can be configured to use either a standalone or enterprise CA. The CA properties (which we will configure next) that are configured on the Health Registration Authority must correspond to the type of selected CA.

    Figure 38


    6. Right-click Certification Authority, and then click Properties.


    Figure 39


    7. Verify that Use standalone certification authority is selected and that the value under The certificates approved by this Health Registration Authority will be valid for is 4 hours, and then click OK. See the following example.


    Figure 40


    8. Close Server Manager.

    Summary

    In this, part 2 of our article series on how to use IPsec enforcement with NAP, we went through the procedures that needed to be carried out on the NPS server machine. On this machine we installed and configured the Windows Server 2008 Network Policy Server, Health Registration Authority and subordinate CA. With these components in place, we’ll be ready for our next step, which is to configure NAP IPsec enforcement policy. See you then! –Tom.





  3. #3
    http://www.windowsecurity.com/articles/Deploying-IPsec-Server-Domain-Isolation-Windows-Server-2008-Group-Policy-Part3.html
    PART-3

    In the second part of our series on configuring NAP with IPsec policy enforcement, we focused on the Network Policy Server. In that article we carried out the following procedures:

    • Add the network policy server to the NAP Exempt Group
    • Restart the Network Policy Server
    • Request a computer certificate for the Network Policy Server
    • View the computer and health certificate installed on the Network Policy Server
    • Install the Network Policy Server, Health Registration Authority and Subordinate CA
    • Configure the Subordinate CA on the Network Policy Server
    • Enable Permissions for the Health Registration Authority to request, issue and manage certificates
    • Configure the Health Registration Authority to use the subordinate CA to issue health certificates

    In this, part 3 of the series, we’ll continue with our work on the NPS server. First we’ll configure a NAP IPsec Enforcement policy on the NPS. After we finish with creating the policy, we move on to the client systems so that we can use them for testing.

    Configure the NAP IPsec Enforcement Policy on the Network Policy Server

    In this section on configuring a NAP IPsec enforcement policy on the Network Policy Server, we’ll do the following:

    • Configure NAP using the NPS NAP wizard
    • Configure the Windows Security Health Validator
    • Configure the NAP CLIENT Settings in Group Policy
    • Limit the Scope of the NAP CLIENT Group Policy by using Security Group Filtering

    Let’s get started!

    Configure NAP with a wizard

    The NAP configuration wizard helps you to set up NPS as a NAP health policy server. The wizard provides commonly used settings for each NAP enforcement method, and automatically creates customized NAP policies for use with your network design. You can access the NAP configuration wizard from the NPS console.

    1. Click Start, click Run, type nps.msc, and then press ENTER.
    2. In the left pane of the Network Policy Server console, click NPS (Local).


    Figure 1

    3. In the details pane, under Standard Configuration, click Configure NAP. The NAP configuration wizard will start. On the Select Network Connection Method for Use with NAP page, under Network connection method, select IPsec with Health Registration Authority (HRA), and then click Next.


    Figure 2

    4. On the Specify NAP Enforcement Servers Running HRA page, click Next. Because this NAP health policy server has HRA installed locally, we do not need to add RADIUS clients.


    Figure 3

    5. On the Configure User Groups and Machine Groups page, click Next. You do not need to configure groups for this test lab.


    Figure 4

    6. On the Define NAP Health Policy page, verify that Windows Security Health Validator and Enable auto-remediation of client computers check boxes are selected, and then click Next.


    Figure 5

    7. On the Completing NAP Enforcement Policy and RADIUS Client Configuration page, click Finish.


    Figure 6

    8. Leave the Network Policy Server console open for the following procedure.


    Figure 7

    Configure the Windows Security Health Validator

    By default, the Windows SHV is configured to require firewall, virus protection, spyware protection, and automatic updating. For this test network, we will begin by requiring only that Windows Firewall is enabled. Then we’ll later play with the policies to show how machines can be made compliant and non-compliant.
    Perform the following steps on WIN2008SRV1:

    1. In the left pane of the Network Policy Server console, open Network Access Protection, and then click System Health Validators. In the middle pane of the console, under Name, double-click Windows Security Health Validator.


    Figure 8

    2. In the Windows Security Health Validator Properties dialog box, click Configure.


    Figure 9

    3. Clear all check boxes except A firewall is enabled for all network connections.


    Figure 10

    4. Click OK to close the Windows Security Health Validator dialog box, and then click OK to close the Windows Security Health Validator Properties dialog box.
    5. Close the Network Policy Server console.

    Configure the NAP CLIENT Settings in Group Policy

    The following NAP client settings will be configured in a new Group Policy object (GPO) using the Group Policy Management console on WIN2008DC:

    • NAP enforcement clients – This tells the client machines what enforcement method to use for NAP. In our example we’re using the HRA/IPsec enforcement client.
    • NAP Agent service – This is the client side service that allows the client to be NAP aware
    • Security Center user interface – This allows the NAP client service to provide information to the users regarding the current security state of the machine

    After these settings are configured in the GPO, security filters will be added to enforce the settings on computers you specify. The following section describes these steps in detail.
    Perform the following steps on WIN2008DC to create the Group Policy Object and the Group Policy settings for the GPO for the NAP Clients:

    1. On WIN2008DC, click Start, click Run, type gpme.msc, and then press ENTER.
    2. In the Browse for a Group Policy Object dialog box, next to msfirewall.org, click the icon to create a new GPO, type NAP Client GPO for the name of the new GPO, and then click OK.


    Figure 11

    3. The Group Policy Management Editor window will open. Navigate to Computer Configuration/Policies/Windows Settings/Security Settings/System Services.
    4. In the details pane, double-click Network Access Protection Agent.
    5. In the Network Access Protection Agent Properties dialog box, select the Define this policy setting check box, choose Automatic, and then click OK.


    Figure 12

    6. In the left pane of the console, open Network Access Protection\NAP Client Configuration\Enforcement Clients.
    7. In the details pane, right-click IPSec Relying Party, and then click Enable.


    Figure 13

    8. In the left pane of the console, under NAP Client Configuration, open Health Registration Settings\Trusted Server Groups. Right-click Trusted Server Groups, and then click New.


    Figure 14

    9. In the Group Name window, type HRA Servers, and then click Next.


    Figure 15

    10. In the Add Servers window, under Add URLs of the health registration authority that you want the client to trust, type https://win2008srv1.msfirewall.org/d...a/hcsrvext.dll, and then click Add. This is the Web site that will process domain-authenticated requests for health certificates.


    Figure 16

    11. Click Finish to complete the process of adding HRA trusted server groups.
    12. In the console tree, click Trusted Server Groups, and then in the details pane, click Trusted HRA Servers. Verify the URL you typed in the details pane under Properties. The URL must be entered correctly, or the client computer will be unable to obtain a health certificate, and will be denied access to the IPsec-protected network.


    Figure 17

    13. In the left pane of the console, right-click NAP Client Configuration, and then click Apply.
    14. In the console tree, navigate to Computer Configuration\Policies\Administrative Templates\Windows Components\Security Center.
    15. In the details pane, double-click Turn on Security Center (Domain PCs only), choose Enabled, and then click OK.


    Figure 18

    16. Return to the Network Access Protection\NAP Client Configuration\Enforcement Clients node. Right-click Enforcement Clients and then click Refresh. If the IPsec Relying Party status shows as Disabled, right-click it again and click Enable. Then click on the NAP Client Configuration node again, then right-click it and click Apply.
    17. If you are prompted to apply settings, click Yes.

    Limit Scope of NAP CLIENT Group Policy Object using Security Group Filtering

    Next, configure security filters for the NAP client settings GPO. This prevents NAP client settings from being applied to server computers in the domain.

    1. On WIN2008DC, click Start, click Run, type gpmc.msc, and press ENTER.
    2. In the Group Policy Management Console (GPMC) tree, navigate to Forest: msfirewall.org\Domains\msfirewall.org\Group Policy Objects\NAP Client GPO. In the details pane, under Security Filtering, click Authenticated Users, and then click Remove.


    Figure 19

    3. When you are prompted to confirm the removal of delegation privilege, click OK.
    4. In the details pane, under Security Filtering, click Add.
    5. In the Select User, Computer, or Group dialog box, under Enter the object name to select (examples), type NAP client computers, and then click OK.


    Figure 20

    Figure 21


    6. Close the Group Policy Management console.

    Note that at this time, the NAP client security group currently has no members. VISTASP1 and VISTASP1-2 will be added to this security group after each is joined to the domain.

    Configure VISTASP1 and VISTASP1-2 for Testing

    Now we’re ready to start configuring the client components of the system. In this section, we’ll do the following:

    • Join VISTASP1 to the domain
    • Add VISTASP1 to the NAP CLIENTS Group
    • Confirm NAP Group Policy Settings on VISTASP1
    • Export the Enterprise Root CA Certificate from VISTASP1
    • Import the Root CA Certificate on to VISTASP1-2
    • Manually Configure NAP Client Settings on VISTASP1-2
    • Start the NAP Agent on VISTASP1-2
    • Configure the Windows Firewall with Advanced Security to allow VISTASP1 and VISTASP1-2 to PING Each Other

    Join VISTASP1 to the Domain

    When configuring VISTASP1, use the following instructions. When configuring VISTASP1-2, perform the verification of health certificate enrollment procedure before you join VISTASP1-2 to the msfirewall.org domain. VISTASP1-2 is not joined to the domain for the verification of health certificate enrollment procedure to illustrate that different health certificates are provisioned on client computers in domain and workgroup environments.
    So, we’ll first look at how domain joined machines receive certificates when we join VISTASP1 to the domain, and then we’ll manually configure VISTASP1-2 as a NAP client, and see how non-domain member machines receive health certificates and network access.
    Perform the following steps on VISTASP1 to join the machine to the domain:

    1. Click Start, right-click Computer, and then click Properties.
    2. In the System window, click the Advanced System Settings link.
    3. In the System Properties dialog box, click the Computer Name tab, then click Change.


    Figure 22

    4. In the Computer Name/Domain Changes dialog box, select Domain, and then type msfirewall.org.


    Figure 23

    5. Click More, and in Primary DNS suffix of this computer, type msfirewall.org.


    Figure 24

    6. Click OK twice.
    7. When prompted for a user name and password, type the Administrator domain account, and then click OK.


    Figure 25

    8. When you see a dialog box that welcomes you to the msfirewall.org domain, click OK.


    Figure 26

    9. When you see a dialog box that prompts you to restart the computer, click OK.


    Figure 27

    10. In the System Properties dialog box, click Close.
    11. In the dialog box that prompts you to restart the computer, click Restart Later. Before you restart the computer, you must add it to the NAP client computers security group.


    Figure 28

    Add VISTASP1 to the NAP CLIENTS Group

    After joining the domain, VISTASP1 must be added to the NAP Clients group so that it can receive NAP client settings from the Group Policy Object that we configured.
    Perform the following steps on WIN2008DC:

    1. On WIN2008DC, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
    2. In the left pane of the console, click msfirewall.org.
    3. In the details pane, double-click NAP Clients.
    4. In the NAP Clients Properties dialog box, click the Members tab, and then click Add.
    5. In the Select Users, Contacts, Computers, or Groups dialog box, click Object Types, select the Computers check box, and then click OK.
    6. Under Enter the object names to select (examples), type VISTASP1, and then click OK.


    Figure 29

    7. Verify that VISTASP1 is displayed below Members, and then click OK.


    Figure 30

    8. Close the Active Directory Users and Computers console.
    9. Restart VISTASP1.
    10. After VISTASP1 has been restarted, log on as the msfirewall.org domain Administrator.

    Confirm NAP Group Policy Settings on VISTASP1

    After it has been restarted, VISTASP1 will receive Group Policy settings to enable the NAP Agent service and IPsec enforcement client. The command line will be used to verify these settings.

    1. On VISTASP1, click Start, click Run, type cmd, and then press ENTER.
    2. In the command window, type netsh nap client show grouppolicy, and then press ENTER.
    3. In the command output, under Enforcement clients, verify that the Admin status of the IPSec Relying Party is Enabled. In the command output, under Trusted server group configuration, verify that Trusted HRA Servers is displayed next to Group, that Enabled is displayed next to Require Https, and that the Domain HRA Web site URL you configured in a previous procedure is displayed next to URL.


    Figure 31

    4. In the command window, type netsh nap client show state, and then press ENTER.
    5. In the command output, under Enforcement client state, verify that the Initialized status of the IPSec Relying Party is Yes.


    Figure 32

    6. Close the command window.

    Export the Enterprise Root CA Certificate from VISTASP1

    Because VISTASP1-2 is not joined to the domain and does not trust the msfirewall.org root CA, it will fail to trust the SSL certificate on WIN2008SRV1. To allow VISTASP1-2 to access the Health Registration Authority using SSL, you must import a root CA certificate into the Trusted Root Certification Authorities container on VISTASP1-2. This is accomplished by exporting the certificate from VISTASP1 and then importing it on VISTASP1-2.

    1. On VISTASP1, click Start, enter Run in the Search text box, and press ENTER.
    2. In the Run dialog box, enter mmc and click OK.
    3. On the File menu, click Add/Remove Snap-in.
    4. Click Certificates, click Add, select Computer account, and then click Next.
    5. Verify that Local computer: (the computer this console is running on) is selected, click Finish, and then click OK.
    6. In the console tree, open Certificates (Local Computer)\Trusted Root Certification Authorities\Certificates. In the details pane, right-click Root CA, point to All Tasks, and then click Export.


    Figure 33

    7. On the Welcome to the Certificate Export Wizard page, click Next.
    8. On the Export File Format page, click Next.


    Figure 34

    9. On the File to Export page, type a path and name for the CA certificate file in the File name text box. In this example we’ll enter c:\cacert. Click Next.


    Figure 35

    10. Click Finish on the Completing the Certificate Export Wizard page.
    11. Verify that The export was successful is displayed, and then click OK.


    Figure 36

    12. Copy the CA certificate file to VISTASP1-2.

    Import the Root CA Certificate on to VISTASP1-2

    Now we’re ready to install the CA certificate on VISTASP1-2. After the certificate is installed, VISTASP1-2 will trust our CAs so that it can take advantage of our Health Registration Authority after we manually configure this machine to use NAP.
    Perform the following steps on VISTASP1-2:

    1. On VISTASP1-2, click Start, and enter Run in the search box.
    2. Enter mmc in the Run dialog box, and then press ENTER.
    3. On the File menu, click Add/Remove Snap-in.
    4. Click Certificates, click Add, select Computer account, and then click Next.
    5. Verify that Local computer: (the computer this console is running on) is selected, click Finish, and then click OK.
    6. In the console tree, open Certificates (Local Computer)\Trusted Root Certification Authorities\Certificates.
    7. Right-click Certificates, point to All Tasks, and then click Import.


    Figure 37

    8. On the Welcome to the Certificate Import Wizard page, click Next.
    9. On the File to Import page, click Browse.
    10. Browse to the location where you saved the root CA certificate from VISTASP1, and click Open.
    11. On the File to Import page, verify the location of the root CA certificate file is displayed under File name, and then click Next.


    Figure 38

    12. On the Certificate Store page, select Place all certificates in the following store, verify that Trusted Root Certification Authorities is displayed under Certificate store, and then click Next.


    Figure 39

    13. On the Completing the Certificate Import Wizard page, click Finish.
    14. Verify that The import was successful is displayed, and then click OK.


    Figure 40

    Manually Configure NAP Client Settings on VISTASP1-2

    Because VISTASP1-2 is not joined to the domain, it can’t receive NAP settings from Group Policy. However, we can still configure the machine to receive NAP settings by manually configuring the machine to work with our NAP architecture. After we demonstrate that we can make non-domain machines work with NAP, we’ll join VISTASP1-2 to the domain so that it can receive its NAP settings from Group Policy.

    1. On VISTASP1-2, click Start, and enter Run in the search box.
    2. Enter napclcfg.msc, and then press ENTER.


    Figure 41

    3. In the NAP Client Configuration console tree, open Health Registration Settings.
    4. Right-click Trusted Server Groups, and then click New.


    Figure 42

    5. Under Group Name, type Trusted HRA Servers, and then click Next.


    Figure 43

    6. Under Add URLs of the health registration authority that you want the client to trust, type https://win2008srv1.msfirewall.org/d...a/hcsrvext.dll, and then click Add. This is the Web site that will process domain-authenticated requests for health certificates. Because this is the first server in the list, client computers will attempt to obtain a health certificate from this trusted server first.
    7. Under Add URLs of the health registration authority that you want the client to trust, type https://win2008srv1.msfirewall.org/n...a/hcsrvext.dll, and then click Add. This is the Web site that will process anonymous requests for health certificates. Because this is the second server in the list, clients will not make requests to this server unless the first server fails to provide a certificate.
    8. Click Finish to complete the process of adding HRA trusted server groups.


    Figure 44

    9. In the left pane of the console, click Trusted Server Groups.
    10. In the right pane of the console, click HRA Servers.
    11. Verify the URLs you typed in the details pane under Properties. The URLs must be entered correctly, or the client computer will be unable to obtain a health certificate, and will be denied access to the IPsec-protected network.


    Figure 45

    12. In the NAP Client Configuration console tree, click Enforcement Clients.
    13. In the details pane, right-click IPSec Relying Party, and then click Enable.


    Figure 46

    14. Close the NAP Client Configuration window.


    Figure 47

    Start the NAP Agent on VISTASP1-2

    Now we need to start the NAP Client Service on VISTASP1-2.
    Perform the following steps on VISTASP1-2:

    1. On VISTASP1-2, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
    2. In the command window, type net start napagent, and then press ENTER.
    3. In the command output, verify that The Network Access Protection Agent service was started successfully is displayed.


    Figure 48

    4. Leave the command window open for the following procedure.

    Confirm NAP Policy Settings on VISTASP1-2

    VISTASP1-2 will receive NAP client settings from local policy. We can verify these settings from the command line.
    Perform the following steps on VISTASP1-2:

    1. In the command prompt, type netsh nap client show configuration, and then press ENTER.
    2. In the command output, under Enforcement clients, verify that the Admin status of the IPSec Relying Party is Enabled. Under Trusted server group configuration, verify that Trusted HRA Servers is displayed next to Group, that Enabled is displayed next to Require Https, and that the DomainHRA and NonDomainHRA Web site URLs you configured in the previous procedure are displayed next to URL.


    Figure 49





  4. #4

    3. In the command window, type netsh nap client show state, and then press ENTER. In the command output, under Enforcement client state, verify that the Initialized status of the IPSec Relying Party is Yes.


    Figure 50

    4. Close the command prompt.

    Configure the Windows Firewall with Advanced Security to allow VISTASP1 and VISTASP1-2 to PING Each Other

    Ping will be used to verify the network connectivity of VISTASP1 and VISTASP1-2. To enable VISTASP1 and VISTASP1-2 to respond to ping, an exemption rule for ICMPv4 must be configured in Windows Firewall.
    Perform the following steps on VISTASP1 and VISTASP1-2 so that these machines can ping each other through the Windows Firewall with Advanced Security:

    1. Click Start, enter Run in the search text box and press ENTER. Type wf.msc in the Run text box, and then press ENTER.
    2. In the left pane of the console, right-click Inbound Rules, and then click New Rule.


    Figure 51

    3. Choose Custom, and then click Next.


    Figure 52

    4. Choose All programs, and then click Next.


    Figure 53

    5. Next to Protocol type, select ICMPv4, and then click Customize.


    Figure 54

    6. Choose Specific ICMP types, select the Echo Request check box, click OK, and then click Next.


    Figure 55

    7. Click Next to accept the default scope.


    Figure 56

    8. On the Action page, verify that Allow the connection is chosen, and then click Next.


    Figure 57

    9. Click Next to accept the default profile.
    10. In the Name window, under Name, type Allow Ping Inbound, and then click Finish.


    Figure 58

    11. Close the Windows Firewall with Advanced Security console.

    Next week we’ll test to confirm that VISTASP1 and VISTASP1-2 can ping each other.

    Summary

    In this, part 3 of our four part series on configuring NAP with IPsec policy enforcement, we configured a NAP IPsec policy and then configured the clients for testing. In the next and final installment of the series, we’ll test the clients and see how the security certificates are assigned and removed automatically and how clients are connected and disconnected from the network. See you then! –Tom
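    As an added example (not part of Tom's article), the following PowerShell script automates the "Confirm NAP Group Policy Settings" and "Confirm NAP Policy Settings" checks above: the napagent service state, the IPSec Relying Party Initialized status, and the trusted HRA URLs and Require Https setting. It assumes that netsh prints its settings as "Key = Value" lines, one block per enforcement client, as the article's screenshots suggest; the function names and regular expressions are mine.

```powershell
# Added example, not from the original article: rerunnable version of the
# Part 3 NAP client verification steps for VISTASP1 (settings from the NAP
# Client GPO) or VISTASP1-2 (settings from local policy).
# Assumption (mine): "netsh nap client show ..." prints "Key = Value" lines,
# with one block per enforcement client. Adjust the patterns if your build
# prints a different layout.

function Get-NapEnforcementClientInitialized {
    # Return the "Initialized" value that "netsh nap client show state" reports
    # for one enforcement client, or $null if that client is not listed.
    param([string]$ClientName = 'IPSec Relying Party')
    $currentName = $null
    foreach ($line in (netsh nap client show state)) {
        if ($line -match '^\s*Name\s*=\s*(.+?)\s*$') {
            $currentName = $Matches[1]
        }
        elseif ($currentName -eq $ClientName -and $line -match '^\s*Initialized\s*=\s*(\S+)') {
            return $Matches[1]
        }
    }
    return $null
}

function Get-NapTrustedServerSettings {
    # Collect the trusted server group settings from the given netsh view:
    # 'grouppolicy' on a domain member such as VISTASP1, 'configuration' on the
    # workgroup client VISTASP1-2 (both views are used in the article).
    param([string]$View = 'configuration')
    $urls = @(); $requireHttps = $null
    foreach ($line in (netsh nap client show $View)) {
        if ($line -match '^\s*URL\s*=\s*(\S+)')               { $urls += $Matches[1] }
        elseif ($line -match '^\s*Require Https\s*=\s*(\S+)') { $requireHttps = $Matches[1] }
    }
    New-Object PSObject -Property @{ Urls = $urls; RequireHttps = $requireHttps }
}

function Test-NapClient {
    # Run every check and return the list of problems found; an empty list
    # means the client is configured the way Part 3 expects.
    param([string]$View = 'configuration')
    $problems = @()

    # 1. The NAP Agent service must be running and set to start automatically
    #    (the GPO sets Automatic; on VISTASP1-2 it was started with net start).
    $svc = Get-WmiObject Win32_Service -Filter "Name='napagent'"
    if (-not $svc)                     { $problems += 'napagent service not found' }
    elseif ($svc.State -ne 'Running')  { $problems += "napagent service is $($svc.State), expected Running" }
    elseif ($svc.StartMode -ne 'Auto') { $problems += "napagent StartMode is $($svc.StartMode), expected Auto" }

    # 2. The IPsec Relying Party enforcement client must report Initialized = Yes.
    $init = Get-NapEnforcementClientInitialized 'IPSec Relying Party'
    if ($init -ne 'Yes') { $problems += "IPSec Relying Party Initialized = '$init', expected Yes" }

    # 3. At least one trusted HRA URL must exist, every URL must use HTTPS and
    #    Require Https must be Enabled; otherwise the client cannot obtain a
    #    health certificate and is shut out of the IPsec-protected network.
    $ts = Get-NapTrustedServerSettings -View $View
    if ($ts.Urls.Count -eq 0) { $problems += 'no trusted HRA URL configured' }
    foreach ($u in $ts.Urls) {
        if ($u -notmatch '^https://') { $problems += "HRA URL is not HTTPS: $u" }
    }
    if ($ts.RequireHttps -ne 'Enabled') { $problems += "Require Https = '$($ts.RequireHttps)', expected Enabled" }

    return $problems
}

# Use -View 'grouppolicy' on VISTASP1, 'configuration' on VISTASP1-2.
$result = @(Test-NapClient -View 'configuration')
if ($result.Count -eq 0) { Write-Host 'NAP client configuration looks correct.' }
else { $result | ForEach-Object { Write-Warning $_ } }
```

    Run it from an elevated PowerShell prompt on the client after each policy change; a non-empty warning list points at the setting to fix before the client is expected to obtain a health certificate.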




  5. #5
    http://www.windowsecurity.com/articles/Deploying-IPsec-Server-Domain-Isolation-Windows-Server-2008-Group-Policy-Part4.html
    PART-4

    In part 3 of our four part series on configuring NAP with IPsec policy enforcement, we configured a NAP IPsec policy and then configured the clients for testing. In this final installment of the series, we’ll test the clients and see how the security certificates are assigned and removed automatically and how clients are connected and disconnected from the network.
    We’ll focus on two primary tasks in this article:

    • Test the Health Certificate and Auto-remediation configuration
    • Verify NAP Policy enforcement on VISTASP1

    Test the Health Certificate and Auto-remediation Configuration

    In this section we will perform the following tasks:

    • Confirm that both VISTASP1 and VISTASP1-2 have Health Certificates
    • Join VISTASP1-2 to the Domain
    • Verify Auto-remediation on VISTASP1

    Confirm that both VISTASP1 and VISTASP1-2 have Health Certificates

    Use the following procedure to verify health certificate enrollment of VISTASP1 in a domain-authenticated environment and VISTASP1-2 in a workgroup environment.
    Perform the following steps on both VISTASP1 and VISTASP1-2:

    1. Open the Run dialog box and enter mmc, then press ENTER.
    2. On the File menu, click Add/Remove Snap-in.
    3. Click Certificates, click Add, select Computer account, and then click Next.
    4. Verify that Local computer: (the computer this console is running on) is selected, click Finish, and then click OK.
    5. In the left pane of the console, double-click Certificates (Local Computer), double-click Personal, and then click Certificates.
    6. In the details pane, under Issued By, verify the subordinate CA, msfirewall-WIN2008SRV1-CA, is displayed. Verify that Intended Purposes shows System Health Authentication. Because VISTASP1-2 has not yet authenticated to the msfirewall.org domain, the client name is not displayed under Issued To, and the certificate purpose of Client Authentication does not appear. Verify that the certificate on VISTASP1-2 has Intended Purposes of System Health Authentication. This is a valid NAP health certificate for client computers in a workgroup environment. A domain-authenticated health certificate similar to the certificate obtained on VISTASP1.


    Figure 1

    Figure 2

    7. Close the Certificates console.

    Join VISTASP1-2 to the Domain

    Use the same procedure you used earlier to join VISTASP1 to the msfirewall.org domain to join VISTASP1-2 to the msfirewall.org domain. Log on as the domain administrator after the machine restarts.

    Verify Auto-remediation on VISTASP1

    The NAP IPsec with HRA Noncompliant network policy specifies that noncompliant computers should be automatically remediated. The following procedure will verify that VISTASP1 is automatically remediated when Windows Firewall is turned off.

    1. On VISTASP1, open the Run dialog box, and enter firewall.cpl, then press ENTER.
    2. In Windows Firewall control panel, click Change settings, click Off (not recommended), and then click OK.
    3. You might see a message in the notification area that indicates the computer does not meet health requirements. This message is displayed because Windows Firewall has been turned off. Click this message for more detailed information about the health status of VISTASP1. See the following example.


    Figure 3

    4. The NAP client will automatically turn Windows Firewall on to become compliant with network health requirements. The following message will appear in the notification area: This computer meets the requirements of this network.


    Figure 4

    5. Because auto-remediation occurs rapidly, you might not see these messages. To renew the NAP notification icon, type napstat at the command prompt, and then press ENTER.

    Verify NAP policy enforcement on VISTASP1

    Now let’s see how we can verify that NAP policy enforcement is being applied on the client systems. We’ll begin by testing with VISTASP1. To test this, we’ll perform the following procedures:

    • Configure the Windows SHV to be more restrictive by requiring that machines have anti-virus applications installed. Since we don’t have any AV software installed on any of the clients, the clients won’t be able to meet the requirements set forth in the SHV.
    • Refresh the SoH on VISTASP1. This will cause the client to send a new Statement of Health to the Health Registration Authority and will report that the client has fallen out of compliance
    • Confirm that the client health certificate is removed. The Health Certificate is removed because the client has fallen out of compliance.
    • Restore health policy to a less restrictive state so that the client can be compliant. We will remove the AV requirement so that the client can become compliant again.
    • Refresh the SoH on VISTASP1 to show that the machine is now compliant with the new policy.
    • Confirm that the client health certificate is restored.

    Configure WSHV to require an antivirus application

    First, configure NAP policy to require an antivirus application, causing CLIENT1 to be noncompliant.
    Perform the following steps on WIN2008SRV1:

    1. On WIN2008SRV1, click Start, click Run, type nps.msc, and then press ENTER.
    2. In the left pane of the console, open Network Access Protection, and then click System Health Validators.


    Figure 5

    3. In the details pane, double-click Windows Security Health Validator, and then click Configure.


    Figure 6

    4. In the Windows Security Health Validator dialog box, under Virus Protection, select the check box next to An antivirus application is on.


    Figure 7

    5. Click OK, and then click OK again to close the Windows Security Health Validator Properties window.
    6. Leave the NPS console open for the following procedures.

    Refresh the SoH on VISTASP1

    Because health policies were changed after VISTASP1 received a health certificate, we need to trigger the sending of a new State of Health from VISTASP1 that will be evaluated against the more restrictive health policies. This will occur when the health certificate on VISTASP1 expires, or when a change in client health status is detected. We can produce a change in health status by turning off the Windows Firewall.
    Perform the following steps on VISTASP1:

    1. On VISTASP1, click Start, and then click Control Panel.
    2. Click Security, click Windows Firewall, and then click Change settings.
    3. In the Windows Firewall Settings dialog box, click Off (not recommended), and then click OK.


    Figure 8

    4. Windows Firewall is turned back on automatically because auto-remediation is enabled. However, because NAP policies now require an antivirus application, VISTASP1 will remain in a noncompliant state and will be unable to obtain a health certificate.

    Confirm health certificate removal

    Next, view computer certificates on CLIENT1 to verify that the health certificate has been removed.

    1. On VISTASP1, open the Run dialog box and type mmc, and then press ENTER.
    2. On the File menu, click Add/Remove Snap-in.
    3. Click Certificates, click Add, select Computer account, and then click Next.
    4. Verify that Local computer: (the computer this console is running on) is selected, click Finish, and then click OK.
    5. In the console tree, open Certificates (Local Computer)\Personal.
    6. Verify that no health certificate is present.


    Figure 9

    7. Leave the Certificates console open for the following procedures.

    Remove the antivirus health requirement so that VISTASP1 can become compliant

    Change NAP policies so that VISTASP1 can become compliant.

    1. On WIN2008SRV1, in the left pane of the NPS console, open Network Access Protection, and then click System Health Validators.
    2. Double-click Windows Security Health Validator, and then click Configure.
    3. In the Windows Security Health Validator dialog box, under Virus Protection, clear the check box next to An antivirus application is on.


    Figure 10

    4. Click OK, and then click OK again to close the Windows Security Health Validator Properties window.
    5. Close the NPS console.

    Refresh the SoH on VISTASP1

    Perform the preceding procedure to refresh the SoH on VISTASP1 by turning Windows Firewall off. A new SoH will be triggered, and Windows Firewall will be turned on. Because VISTASP1 is now compliant with NAP policies, it will be provisioned with a health certificate.
    View computer certificates on VISTASP1 to verify that the health certificate has been restored.

    1. On VISTASP1, in the Certificates console, in the console tree, click Personal.
    2. Right-click inside the details pane, and then click Refresh. Verify that a health certificate is present.
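    The two verification steps above (no health certificate after the policy change, certificate restored after compliance) can be checked from a prompt instead of the Certificates console. The following is an added example, not part of the original article; it assumes the health certificate carries the System Health Authentication EKU (OID 1.3.6.1.4.1.311.47.1.1) and is run as an administrator on VISTASP1.

```powershell
# Added example: report whether the local computer holds a NAP health
# certificate in Certificates (Local Computer)\Personal, i.e. Cert:\LocalMachine\My.
# Assumption: health certificates carry the System Health Authentication EKU.
$HealthEkuOid = '1.3.6.1.4.1.311.47.1.1'

function Get-NapHealthCertificate {
    # Walk the Personal store and emit every certificate whose Enhanced Key
    # Usage extension lists the System Health Authentication OID.
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                foreach ($eku in $ext.EnhancedKeyUsages) {
                    if ($eku.Value -eq $HealthEkuOid) { $cert; break }
                }
            }
        }
    }
}

function Test-NapCompliance {
    # Returns $true when at least one unexpired health certificate is present,
    # $false when the client is noncompliant (none issued, or all expired).
    $certs = @(Get-NapHealthCertificate)
    $now = Get-Date
    if ($certs.Count -eq 0) {
        Write-Host 'No health certificate present: client is noncompliant or not yet evaluated.'
        return $false
    }
    foreach ($c in $certs) {
        $state = if ($c.NotAfter -lt $now) { 'EXPIRED' } else { 'valid' }
        Write-Host ('Health certificate {0} issued by {1}, expires {2} ({3})' -f `
            $c.Thumbprint, $c.Issuer, $c.NotAfter, $state)
    }
    $valid = @($certs | Where-Object { $_.NotAfter -ge $now })
    return ($valid.Count -gt 0)
}

# Cross-check against the NAP agent's own view of the enforcement clients.
netsh nap client show state

Test-NapCompliance
```

    Run it after step 6 of the removal check (expect "No health certificate present") and again after the refresh above (expect a valid certificate listed).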


    Figure 11

    Figure 12

    Summary

    In this series on NAP IPsec enforcement, I aimed to provide you with a visual review of the many moving parts involved in a NAP IPsec enforcement solution. As you saw, there are many components to the solution, and each component must be configured correctly in order to reach a working solution. Many Windows admins have voiced concern over the complexity of NAP with IPsec policy enforcement and, due to this concern, have not availed themselves of this exceptionally powerful and effective security technology. Make sure you replicate this demonstration in your own lab before deploying it on your production network, and also be sure to visit the NAP blog on a regular basis to get more information. Check out the NAP blog! Thanks! –Tom



