
Topic: Using Group Policy Filtering to Create a NAP DHCP Enforcement Policy

  
  1. #1
    Real name: 1234 | Retired administrator | Joined: Jul 2009 | Location: 5678 | Posts: 5,634 | Thanked: 2513 | Thanks given: 272

    Using Group Policy Filtering to Create a NAP DHCP Enforcement Policy

    Source: http://www.windowsecurity.com/articles/Using-Group-Policy-Filtering-Part1.html

    Thomas Shinder


    PART-1

    How to implement Group Policy to control DHCP Network Access Policy enforcement. This improves the level of granularity you can apply to DHCP enforcement for NAP clients.
    Network Access Protection is a new network access control feature included with Windows Server 2008. Network Access Protection or NAP allows you to control which computers can participate on your network. The ability to participate on your network is determined by whether or not a NAP client computer can meet the security requirements set forth in your NAP policies.
    NAP has a number of “moving parts” that make it inherently complex to configure. In addition to the number of moving parts, there is the issue of what type of NAP enforcement you want to enable. For example, there are a number of NAP Enforcement Clients that control access to the network based on IP addressing information, or based on whether or not a client has a health certificate that allows it to connect to the network.
    In this article series I will help you put together a simple DHCP NAP enforcement solution. When you use DHCP NAP enforcement, the DHCP server becomes your network access server. This means that it’s the responsibility of the DHCP server to provide the NAP client computers information appropriate to their level of compliance. If the NAP client computer is compliant, it receives IP addressing information that will allow it to connect to other computers on your network. If the NAP client computer is not compliant with your network health policies, then the NAP client will be assigned IP addressing information that limits what computers the client can connect to. Typically, your NAP policy will allow your non-compliant computers to connect to domain controllers and network infrastructure servers, as well as machines that will enable the non-compliant computer to remediate and thus become compliant.
    In the DHCP NAP Enforcement scenario, other servers are required. While the DHCP server is the network access server in this scenario, you need a RADIUS server that will contain your NAP policies. There are a number of policies that are stored on the NAP compatible RADIUS server, such as health policies, network policies, and connection request policies. In Windows Server 2008, the Network Policy Server (NPS) is used as the RADIUS server that will contain your NAP policies. The NPS server will work with your DHCP server and inform your DHCP server if the client is NAP compliant or non-compliant with your policies.
    In order to set your health policy, you will need at least one System Health Validator (SHV) installed on the NPS server. By default, Windows Server 2008 provides you with the Windows Security Health Validator, which you can use to set your network health policies.
    On the client side, there are two components that you need to enable – the NAP Agent and the NAP Enforcement client. The NAP Agent collects the information about the security state of the NAP client computer and the NAP Enforcement Agent is used to enforce NAP policy, depending on the type of NAP enforcement you choose. In the scenario we’ll use in this series, we’ll be enabling the DHCP NAP enforcement agent.
    The example network is a very simple one. It includes three machines:

    • A Windows Server 2008 Domain Controller. No other services are installed on this machine. The IP address assigned to this computer is 10.0.0.2 and this machine is the domain controller in the msfirewall.org domain.
    • A Windows Server 2008 member in the msfirewall.org domain. The IP address of this computer is 10.0.0.3. This computer will have the DHCP and NPS services installed on it, which we will do during the course of this article series.
    • A Windows Vista client computer. This machine is a member of the msfirewall.org domain.

    In this article series we’ll perform the following procedures:

    • Create a Security Group that the NAP client computers will be placed in
    • Install NPS and DHCP services on the member server
    • Use the NAP wizard to create the NAP DHCP enforcement policy
    • Review the NAP Connection request policy
    • Review the NAP Network policies
    • Review the NAP Health policies
    • Configure the DHCP server to communicate with the NPS server for NAP enforcement
    • Configure the NAP settings in Group Policy
    • Enter the Vista computer into the NAP enforcement computers group
    • Test the solution

    Again, there are a number of “moving parts” to the configuration of NAP, so read through these instructions a couple of times before implementing it in your own lab. Make sure that you understand why we’re doing each step, and never hesitate to contact me at tshinder@isaserver.org if you have any questions about the configuration.
    Let’s get started!
    Create a Security Group for NAP Client Computers

    The first thing we’ll do is create a security group for the computers that will have NAP policy applied to them. Open the Active Directory Users and Computers console and then right click on the Users node. Point to New and click Group.

    Figure 1

    In the New Object – Group dialog box, enter NAP Enforced Computers in the Group Name text box. Select the Global option from the Group scope list and select the Security option from the Group type list. Click OK.

    Figure 2

    Install NPS and DHCP on the NPS Server Machine

    The NPS computer will host the Network Policy Server and the DHCP server roles. Note that you can put the DHCP server on a computer other than the NPS server that will host the NAP policies, but you will still need to configure that “remote” DHCP server as both a DHCP server and an NPS server, and then configure that NPS server to forward the authentication requests to your NAP server. To make things a little easier, we’ll just put the NPS and DHCP server on the same machine.
    In the Server Manager console, click on the Roles node and then click on the Add Roles link as seen in the figure below.

    Figure 3

    Click Next on the Before You Begin page.

    Figure 4

    On the Select Server Roles page, put a checkmark in the DHCP Server and Network Policy and Access Services checkboxes. Click Next.

    Figure 5

    Read the information on the Network Policy and Access Services page and then click Next.

    Figure 6

    We don’t need all the role services provided by the Network Policy and Access Services role. We only need the RADIUS (Network Policy Server) role. Put a checkmark in the Network Policy Server checkbox. Don’t select any of the other options. Click Next.

    Figure 7

    Read the information on the DHCP Server page and click Next.

    Figure 8

    The Server Manager makes life a bit easier on us than in the past, as it offers us the opportunity to configure the DHCP server during the installation process. On the Select Network Connection Bindings page, select the IP address that you want the DHCP server to listen on. The selection you make here depends on the complexity of your DHCP environment, as you might have one or more DHCP relays configured in your organization and thus have more than one IP address bound to the DHCP server. That’s not the case in this scenario, as we have a single IP address bound to this machine. Put a checkmark in the IP address checkbox and then click Next.

    Figure 9

    On the Specify IPv4 DNS Server Settings page, you have the chance to configure some DHCP options. Enter the domain name of your domain in the Parent Domain text box and enter the IP address of your DNS server in the Preferred DNS Server IPv4 Address text box. In this example our domain name is msfirewall.org so we’ll enter that domain name and the IP address of our DNS server is 10.0.0.2, so we’ll enter that IP address. We don’t have an alternate DNS server in this example so we’ll click Next.

    Figure 10

    We don’t have a WINS server on this example network so we won’t enter anything on the Specify IPv4 WINS Server Settings page. Just select the WINS is not required for applications on this network option and click Next.

    Figure 11

    In the Add or Edit DHCP Scopes page, click the Add button. In the Add Scope dialog box, enter the Scope Name, Starting IP Address, Ending IP Address, Subnet Mask, Default Gateway, and select a lease duration. The figure below shows our entries for these options on the example network. Click OK in the Add Scope dialog box.

    Figure 12

    Click Next on the Add or Edit DHCP Scopes dialog box.

    Figure 13

    We are not using IPv6 on this example network, so select the Disable DHCPv6 stateless mode for this server option and click Next.

    Figure 14

    In order to operate in our domain, this DHCP server needs to be authorized in Active Directory. Select the Use current credentials option if you’re logged in as a domain administrator. If not, then select the Use alternate credentials option and click Specify. In this example I’m logged on as a domain admin and so we’ll select the Use current credentials option and then click Next.

    Figure 15

    Review your settings in the Confirm Installation Selections page and click Install.

    Figure 16

    Click Close on the Installation Results page after you see that the installation of the NPS and DHCP servers has completed successfully.

    Figure 17

    Summary

    In this, part 1 of our series on using NAP DHCP enforcement, we went over some basic NAP concepts. Then we created a security group for our NAP client computers and finished up by installing the DHCP and NPS server components of the solution. In the second part of the series, we’ll use the NAP wizard to create a NAP DHCP enforcement policy and then take a closer look at the settings created by the wizard. See you then! –Tom
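    The Part 1 setup done with PowerShell instead of the Server Manager and Active Directory Users and Computers consoles. This is an added example and not code from the article or from Microsoft; it assumes Windows Server 2012 or later on the member server so that the ActiveDirectory, ServerManager and DhcpServer modules exist (the article's Windows Server 2008 offers only the GUI and netsh for these steps). The names and addresses are the article's (msfirewall.org, DC and DNS at 10.0.0.2, NPS/DHCP at 10.0.0.3); the scope range, gateway and lease duration are my own values, the article's are in Figure 12.

```powershell
# Added example (not from the original article): Part 1 provisioning in PowerShell.
# Assumes Windows Server 2012+ modules (ActiveDirectory, ServerManager, DhcpServer).
# Scope range, gateway and lease below are assumed values, not the article's figure.
#Requires -RunAsAdministrator

$Domain     = 'msfirewall.org'
$DnsServer  = '10.0.0.2'     # the domain controller, also the DNS server
$DhcpServer = '10.0.0.3'     # this member server
$GroupName  = 'NAP Enforced Computers'

# 1. Global security group for the computers that will receive the NAP client GPO.
Import-Module ActiveDirectory
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Path "CN=Users,$((Get-ADDomain).DistinguishedName)"
}

# 2. DHCP Server role and, from Network Policy and Access Services, only the
#    Network Policy Server role service (feature name on 2012/2012 R2; on 2016 and
#    later the role is simply NPAS and has no separate role services).
Install-WindowsFeature -Name DHCP, NPAS-Policy-Server -IncludeManagementTools

# 3. DHCP post-install: local DHCP security groups, then AD authorization. A domain
#    member DHCP server that is not authorized in AD will not hand out leases at all.
Add-DhcpServerSecurityGroup
Restart-Service -Name DHCPServer
Add-DhcpServerInDC -DnsName "$env:COMPUTERNAME.$Domain" -IPAddress $DhcpServer

# 4. Scope, then the options the role wizard asked for (DNS server, parent domain,
#    default gateway). -Force skips the cmdlet's check that the DNS server answers.
$ScopeId = '10.0.0.0'
if (-not (Get-DhcpServerv4Scope -ScopeId $ScopeId -ErrorAction SilentlyContinue)) {
    Add-DhcpServerv4Scope -Name 'NAP lab' -StartRange 10.0.0.100 -EndRange 10.0.0.200 `
        -SubnetMask 255.255.255.0 -LeaseDuration (New-TimeSpan -Days 8) -State Active
}
Set-DhcpServerv4OptionValue -DnsServer $DnsServer -DnsDomain $Domain -Force
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -Router 10.0.0.1

# 5. Checks worth doing before Part 2: the server is bound to the expected address,
#    is authorized in AD, and the scope is active.
Get-DhcpServerv4Binding | Select-Object InterfaceAlias, IPAddress, BindingState
Get-DhcpServerInDC
Get-DhcpServerv4Scope -ScopeId $ScopeId | Select-Object ScopeId, State, StartRange, EndRange
```

    Run it on the member server as a domain administrator (the AD group creation and the DHCP authorization both need Enterprise Admins or delegated rights); the three checks at the end are the ones whose failure is otherwise only visible as clients silently getting no lease.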





  2. #2
    Real name: 1234 | Retired administrator | Joined: Jul 2009 | Location: 5678 | Posts: 5,634 | Thanked: 2513 | Thanks given: 272

    Source: http://www.windowsecurity.com/articles/Using-Group-Policy-Filtering-Part2.html

    PART-2

    In the first part of this series on how to configure a DHCP NAP enforcement policy we went through some of the basics of how NAP works, and then installed the DHCP and NPS services on the NAP policy server. In this, part two of the series, we’ll look at how to use the NAP policy wizard to automatically create the Network, Health and Connection policies that will be used to control access to the network.
    Use the NAP Wizard to Create a NAP DHCP Enforcement Policy

    Now we can begin the fun part – creating the NAP DHCP Enforcement Policy. After we run the wizard, the wizard will create the following policies:

    • Health Policies
    • Connection Request Policies
    • Network Policies
    • Remediation Server Group policies

    We’ll take a closer look at each of these policies after we finish the wizard.
    Open the Network Policy Server console from the Administrative Tools menu. In the middle pane of the console you will see the Getting Started page. In the Standard Configuration section, select the Network Access Protection (NAP) option from the Select a configuration scenario list; the link below the list opens the scenario wizard.
    Now click the Configure NAP link.

    Figure 1

    On the Select Network Connection Method For Use with NAP page, in the Network connection method section select the Dynamic Host Configuration Protocol (DHCP) option from the drop down list. Remember, when we use NAP, we have to choose an enforcement method, and that’s what you’re doing here. The DHCP server becomes the “network access server” in this scenario and it’s the DHCP server that’s responsible for the level of network access the NAP client can have.
    The Policy name text box will automatically be populated with NAP DHCP for the name that will be appended to a number of policies created by the wizard. We’ll see this later when we finish the NAP wizard.
    Click Next.

    Figure 2

    On the Specify NAP Enforcement Server Running DHCP Server page, you can include the IP address of the DHCP server that will act as the network access server. You use this option when the DHCP server and the NPS server hosting the NAP policies are not located on the same server.
    If you want to add remote DHCP NAP enforcement servers, they must be configured as RADIUS clients, which means that you need to configure those machines as NPS servers as well. The difference is that these NPS servers do not host the NAP policy settings. They just proxy the RADIUS requests to the NPS server hosting the NAP policy settings. I recommend that configuration in a large production environment, where the DHCP server and the NAP servers will both be relatively busy. In addition, it’s likely that you’ll have multiple DHCP servers in your company, and you want all of them to be able to communicate with your NAP policy server or servers.
    In this example network we are co-locating the DHCP and NPS servers on the same machine, so we won’t add any remote DHCP servers to the list. Click Next.

    Figure 3

    You have the option to enable NAP on a per-scope basis when using DHCP enforcement. If you don’t want to apply NAP enforcement policy to all DHCP scopes, you can enter the scopes that you do want NAP policy applied to on the Specify DHCP Scopes page. In our example network, we want to enable NAP policy on all scopes, so we won’t enter any specific scopes on this page. Click Next.

    Figure 4

    You can also allow or deny access to specific groups of users or computers in your NAP policy. In this example we will apply policy to all machines and users. Click Next.

    Figure 5

    All computers need access to certain servers on the network. These include infrastructure servers, such as Active Directory, DNS, DHCP and WINS servers. All machines will need access to remediation servers, which are machines that non-compliant machines can access in order to reach compliance.
    In the Specify a NAP Remediation Server Group and URL page, you click the Group button to open the New Remediation Server Group dialog box. In the New Remediation Server Group dialog box, enter a group name in the Group Name text box. In this example we’ll name the group Network Services.
    Click the Add button in the New Remediation Server Group dialog box. This brings up the Add New Server dialog box, where you can add servers that will be members of the remediation group. In the Add New Server dialog box, enter a name for the server in the Friendly name text box. In this example we’ll enter a name for the domain controller, so we’ll enter DC into this text box. The IP address of the domain controller is 10.0.0.2, so we’ll enter that into the IP address or DNS name text box. If you know the DNS name of the server, you can enter that name in the text box instead and then click the Resolve button.
    Click OK in the Add New Server dialog box.

    Figure 6

    You now see the name of the remediation server group and the IP address of the server that you added to the group. Remember, the purpose of this group is to remove it from the restrictions of NAP policy. The domain controller in this example is a machine that all domain members need to be able to communicate with in order to log on. If you don’t allow your NAP clients, compliant or not, to connect to the domain controller, then they won’t be able to log on to the network in order to try to become compliant after logon.
    Click OK in the New Remediation Server Group dialog box.

    Figure 7

    Click Next on the Specify a NAP Remediation Server Group and URL page. Note that we also have the option to enter a Troubleshooting URL on this page. We won’t use one in this example, but it’s something that you can include if you want to point users to a Web page that shows them how to become compliant if their computers end up becoming non-compliant and are unable to auto-remediate.

    Figure 8

    On the Define NAP Health Policy page, you have the option to select which System Health Validators you want to use to define the Health Policy. By default, there is only a single System Health Validator included with Windows Server 2008, which is the Windows Security Health Validator. Third party vendors have the option to include their own System Health Validators that you can install into the NAP policy server. However, I’m unaware of any of them at this time.
    Make sure that there is a checkmark in the Windows Security Health Validator checkbox. Also, put a checkmark in the Enable auto-remediation of client computers checkbox. This option allows the NAP client components to try to remediate the problem itself if possible. For example, if the Windows Firewall is disabled, the NAP agent will try to enable the Windows Firewall itself.
    In the Network access restrictions for NAP-ineligible client computers section, you determine what you want to do with machines that are not NAP capable. You have two options:

    • Deny full network access to NAP-ineligible client computers. Allow access to a restricted network only
    • Allow full network access to NAP-ineligible client computers

    The first option is the more secure one, while the second option is the more liberal one. Your selection depends on your design goals for NAP. You might want to allow non-NAP-capable computers complete access to the network during your NAP deployment and then, after you complete your NAP deployment, turn the switch and force all machines to be NAP compliant.
    Click Next on the Define NAP Health Policy page.

    Figure 9

    On the Completing NAP Enforcement Policy and RADIUS Client Configuration page you can see the Health Policies, Connection Request Policy, Network Policies and Remediation Server Group that will be created by the wizard. We’ll take a closer look at each of these policies in a little bit.

    Figure 10

    Notice that there is a Configuration Details link. When you click that link it will bring up a Web page that provides details about each of the policies that will be created by the wizard.

    Figure 11

    Summary

    In this, part 2 of our series on DHCP enforcement for NAP clients, we went through the NAP policy wizard and explored each of the options provided by the wizard. We saw that the NAP policy wizard makes it relatively simple to create a comprehensive NAP policy, as it creates a number of Network, Health, and Connection policies that control what machines can participate in the network. In the next part of this series, we’ll look at each of these rules in more detail and explain the function and rationale behind each of these rules. See you then! –Tom
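    The wizard writes a set of connection request, network and health policies plus a remediation server group in one go, and Part 3 reviews them by clicking through the console. An added example, not from the article, of doing that review as a diff: export the NPS configuration before and after running the wizard with `netsh nps export`, which exists on Windows Server 2008 and later, and compare the two files. The directory and file names are my own; the only thing assumed about the export format is that it is line-oriented text in which the wizard's artefacts carry the names shown in Figure 10 (the “NAP DHCP” prefix and the Network Services group).

```powershell
# Added example (not from the original article): snapshot the NPS configuration
# before and after the Configure NAP wizard, diff the two, keep the first as rollback.
# Paths are assumed; 'netsh nps export/import' is the documented NPS backup interface.
#Requires -RunAsAdministrator

$Dir    = 'C:\NapLab'
$Before = Join-Path $Dir 'nps-before-wizard.xml'
$After  = Join-Path $Dir 'nps-after-wizard.xml'
New-Item -ItemType Directory -Path $Dir -Force | Out-Null

function Export-NpsSnapshot([string]$Path) {
    # exportPSK=yes keeps RADIUS client shared secrets in the file so that an import
    # restores a working server; that also makes the file a credential store, so keep
    # the directory ACL to administrators only.
    netsh nps export filename="$Path" exportPSK=yes | Out-Null
    if (-not (Test-Path $Path)) { throw "netsh nps export did not produce $Path" }
}

function Get-WizardAdditions([string]$BeforePath, [string]$AfterPath) {
    # Lines present only in the later snapshot are what the wizard added.
    Compare-Object (Get-Content $BeforePath) (Get-Content $AfterPath) |
        Where-Object { $_.SideIndicator -eq '=>' } |
        ForEach-Object { $_.InputObject.Trim() }
}

Export-NpsSnapshot $Before
Write-Host 'Run the Configure NAP wizard in the NPS console now, then press Enter.'
Read-Host | Out-Null
Export-NpsSnapshot $After

$added = @(Get-WizardAdditions $Before $After)
"{0} configuration lines added by the wizard" -f $added.Count
# The named artefacts: NAP DHCP Compliant / Noncompliant / Non NAP-Capable network
# policies, the NAP DHCP connection request and health policies, and the
# Network Services remediation server group.
$added | Where-Object { $_ -match 'NAP DHCP|Network Services' } | Select-Object -Unique

# Rollback if the result is not what was intended (restores the pre-wizard state):
#   netsh nps import filename="C:\NapLab\nps-before-wizard.xml"
```

    Keeping the pre-wizard export is the useful part: the wizard has no undo, and re-running it creates a second set of policies next to the first rather than replacing them.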




  3. #3
    Real name: 1234 | Retired administrator | Joined: Jul 2009 | Location: 5678 | Posts: 5,634 | Thanked: 2513 | Thanks given: 272

    Source: http://www.windowsecurity.com/articles/Using-Group-Policy-Filtering-Part3.html

    PART-3

    In part 2 of this series on configuring NAP for DHCP enforcement, we went over the NAP configuration wizard in the NPS console. The NAP configuration wizard created a number of policies, including connection request policies, health policies and network policies. In this, part 3 of the article series, we’ll look more closely at these policies and see what they do in the NAP DHCP enforcement solution.
    Connection Request Policy

    A connection request policy allows you to designate whether connection requests are processed locally or forwarded to remote RADIUS servers. In the figure below you can see that the wizard created a NAP DHCP connection request policy that has specific conditions and settings. As you can see in the figure below, the single condition applied to this policy is that it is applied at all times for all days of the week, and that the only Setting is that the Authentication provider is the Local Computer (the machine that is running the NPS service).
    Let’s double click on this policy and see what shows up.

    Figure 1
    On the Overview tab, you can see that the policy is enabled and that the network connection method is DHCP. This means that the DHCP server is the network access server for this network and the DHCP network access server communicates with the RADIUS (NPS) server to determine whether or not to allow access to the network, and what type of access the computer should be allowed to the network based on the client health state.

    Figure 2
    On the Conditions tab you can see the conditions that appeared in the NPS console earlier. The only condition applied to this rule is that it is applied at all hours on all days of the week.

    Figure 3
    On the Settings page, click the Authentication link in the left pane of the page. Here you can see that the Authentication settings are set to Authenticate requests on this server. This RADIUS (NPS) server is the server that performs the authentication. In some cases you might want to put the DHCP server on a machine separate from the NPS server that is doing the authentication. In that case, you would still need to install NPS on the DHCP server machine, but then you would configure that NPS server to forward authentication requests to a remote RADIUS (NPS) server by using the Forward requests to the following remote RADIUS server group for authentication as seen in the figure below.
    Click OK in the NAP DHCP Properties dialog box.

    Figure 4
    As you can see, the connection request policy sets conditions and authentication settings for the overall NAP policy. Now let’s take a look at the NAP Network Policies.
    Network Policies

    NAP Network Policies allow you to designate who is authorized to connect to the network and the circumstances under which they can or cannot connect. You can see that the NAP wizard has created three Network Policies for our overall NAP policy:

    • NAP DHCP Compliant: This Network Rule applies to machines that are NAP compliant
    • NAP DHCP Noncompliant: This Network Rule applies to machines that are not NAP compliant
    • NAP DHCP Non NAP-Capable: This Network Rule applies to machines that aren’t able to process NAP policies

    In the following three figures, you can see the Conditions and Settings for each of these rules. The main difference between these three rules is the level of access each of them provides clients to the network. Fully compliant DHCP clients are allowed full access to the network. Non-compliant machines, and machines that are unable to apply NAP, are allowed limited network access, with the hope that they will be able to use that limited access to remediate and then meet the compliance requirements.

    Figure 5

    Figure 6

    Figure 7
    Let’s double click on one of these rules and see what lies beneath. When you double click on the NAP DHCP Noncompliant rule, the first tab you see is the Overview tab. Here we can see that the policy is enabled, that the Access Permission is to Grant access and that the user’s dial-in properties should be ignored (since DHCP clients aren’t dialing into the network). Finally, you can see that the Network connection method is DHCP server.

    Figure 8
    On the Conditions tab, you can see that the NAP DHCP Noncompliant Health Policy will be applied when the NAP DHCP Noncompliant Properties Network Rule is applied. We’ll look at the Health Policies in more details in a little bit.

    Figure 9
    On the Constraints page, the wizard has configured the constraints on the Network Policy. The only constraint is that only a health check should be applied and that there are no other authentication requirements.

    Figure 10
    Click on the Settings tab and then click on the NAP Enforcement link in the left pane of the dialog box. In the right pane you can see that the wizard has configured the level of access allowed for this Network Policy. In this case the wizard has configured the policy to Allow limited access. Limited access is defined as access only to IP addresses, network IDs, and servers that are required for basic network services and to enable remediation. You can add more of these by clicking the Configure button in the Remediation Server Group and Troubleshooting URL frame.
    If you click the Configure button, you’ll see that the Network Services group that we created appears as the remediation server group that applies to this network policy.
    Note that based on our selections in the wizard, the Network Policy is also configured to enable Auto remediation, as there is a checkmark in the Enable auto-remediation of client computers checkbox.


    Figure 11
    Health Policies

    Health Policies are used with NAP to designate the configuration required for NAP-capable client computers to access the network. In essence, the Health Policies are used to determine whether the machine meets the definition of a compliant computer. As you can see in the figure below, the wizard has created two Health Policies:

    • NAP DHCP Compliant
    • NAP DHCP Noncompliant

    The purpose of each one should be clear. The compliant policy defines computers that are compliant with our network health policies, and the non-compliant policy defines what it is to be non-compliant with our network health policy.
    In the figure below you can see that I have double clicked on the NAP DHCP Noncompliant entry to bring up the NAP DHCP Noncompliant Properties dialog box. Here you can see that in order to meet the requirements of this policy, the client must fail one or more SHV checks using the Windows Security Health Validator. That’s all there is to it! Guess what the definition of the DHCP compliant policy is? You guessed it. The client passes all of the SHV checks for the Windows Security Health Validator.


    Figure 12
    When you expand the Network Access Protection node in the left pane of the Network Policy Server console, you’ll see that there are two nodes: the System Health Validator node and the Remediation Server Group node. Click on the System Health Validator node.
    Here you can see in the right pane of the console a list of System Health Validators that are used to determine the Health Policy we saw earlier. By default, there’s only a single SHV, which is the Windows Security Health Validator. When you click on this SHV, you can see in the bottom pane under the SHV a list of error code configurations. You can see that the wizard has set for each of these error codes that the client should be deemed non-compliant.
    Let’s take a closer look by double clicking on the Windows Security Health Validator entry.

    Figure 13
    This brings up the Windows Security Health Validator Properties dialog box. Here you can see the Error code resolution settings. These error code resolution settings are used to determine how to handle situations where various error codes are encountered during the NAP enforcement process. The defaults configured by the wizard are the most secure and I recommend that you keep them as they are.
    Click the Configure button to configure the settings for this SHV.

    Figure 14
    This brings up the Windows Security Health Validator dialog box, which has two tabs: a Windows Vista tab and a Windows XP tab. In this example we’ll focus on the Windows Vista tab since that’s the only client we’ll be testing when we complete the configuration.
    The Windows Security Health Validator allows you to configure the following:

    • Firewall: You can force a firewall to be enabled on the Vista client in order to be compliant with health policy
    • Virus Protection: You can force virus protection to be enabled in order to be compliant. In addition, you can require that the virus protection be up to date in order to be compliant.
    • Spyware Protection: You can force an antispyware application to be enabled in order to be compliant. In addition, you can require that the antispyware application be up to date in order to be compliant.
    • Automatic Updating: When automatic updating is enabled, the NAP agent on the client will try to fix the problem. For example, if the user disables the Windows Firewall, the NAP agent on the client machine will try to turn the firewall back on
    • Security Update Protection: When this option is enabled, you can choose to restrict clients from accessing the network based on their current state of security updates. You can use the drop down list seen in the figure below to set what type of security updates are required. You also have the option to set the minimum number of hours allowed since the client has checked for new security updates and whether you want to allow the clients to use Windows Server Update Services or Windows Update (Microsoft Update is allowed by default).


    Figure 15
    The figure below shows the SHV settings for the Windows Security Health Validator for the Windows XP client. Notice that the anti-malware options aren’t included here.

    Figure 16
    Summary

    In this, part 3 of our article series on NAP DHCP enforcement, we looked at the details of the Health, Network and Connection Request policies created by the NAP wizard. In addition, we took a detailed look at the settings of the Windows Security Health Validator. In the next and last part of the series, we’ll examine the DHCP server setup and then test our NAP policies. See you then! –Tom
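    The three network policies above end in one of two outcomes for the client: the scope's normal addressing (full access) or the limited access of the Noncompliant and Non NAP-Capable policies. Under DHCP enforcement that limited access is visible on the client itself: the lease carries a 255.255.255.255 subnet mask, no default gateway, and host routes only to the remediation servers. The following is an added example, not from the article, of a script to run on the NAP client once the Part 4 configuration is in place, to report which outcome the client landed in and whether it can still reach the remediation server (the article's DC at 10.0.0.2). It assumes the English-language layout of `netsh nap client` output; 79617 is the enforcement client ID of the DHCP Quarantine Enforcement Client. It uses only PowerShell 2.0 features so that it runs on the Vista test client.

```powershell
# Added example (not from the original article): client-side NAP state report.
# Assumes English 'netsh nap client' output; the DC address and port list are the
# article's DC (10.0.0.2) and the ports a domain member needs for logon and GPO retrieval.

function Get-NapClientReport {
    $agent = Get-Service -Name napagent -ErrorAction SilentlyContinue
    $cfg   = (netsh nap client show configuration) -join "`n"
    $state = (netsh nap client show state) -join "`n"

    $restriction = 'unknown'
    if ($state -match 'Restriction state\s*=\s*(.+)') { $restriction = $Matches[1].Trim() }

    # The DHCP-configured adapter, via WMI so the script also works on Vista / PS 2.0.
    $nic = Get-WmiObject Win32_NetworkAdapterConfiguration `
             -Filter 'IPEnabled=TRUE AND DHCPEnabled=TRUE' | Select-Object -First 1

    New-Object PSObject -Property @{
        NapAgentRunning   = ($agent -ne $null -and $agent.Status -eq 'Running')
        # ID line directly followed by its Admin line in the enforcement client listing.
        DhcpEcEnabled     = [bool]($cfg -match 'ID\s*=\s*79617\s+Admin\s*=\s*Enabled')
        RestrictionState  = $restriction
        # Limited access under DHCP enforcement: /32 mask and no default gateway.
        QuarantinedByDhcp = ((@($nic.IPSubnet) -contains '255.255.255.255') -and
                             (-not $nic.DefaultIPGateway))
        DnsSuffix         = $nic.DNSDomain
        IPv4Address       = ((@($nic.IPAddress) | Where-Object { $_ -notmatch ':' }) -join ',')
    }
}

function Test-RemediationReachability {
    param([string]$Server = '10.0.0.2', [int[]]$Ports = @(53, 88, 389, 445), [int]$TimeoutMs = 2000)
    # A quarantined client must still reach DNS, Kerberos, LDAP and SMB on the DC or it
    # can neither log on nor pull the Group Policy that would make it compliant.
    foreach ($port in $Ports) {
        $ok = $false
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $ar = $client.BeginConnect($Server, $port, $null, $null)
            if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $client.EndConnect($ar)
                $ok = $client.Connected
            }
        } catch { $ok = $false }
        finally { $client.Close() }
        New-Object PSObject -Property @{ Server = $Server; Port = $port; Reachable = $ok }
    }
}

Get-NapClientReport | Format-List
Test-RemediationReachability | Format-Table Server, Port, Reachable -AutoSize
```

    Reading the result: `RestrictionState` is what the NAP agent believes, `QuarantinedByDhcp` is what the DHCP server actually handed out; the two disagree when the scope is not NAP-enabled or the enforcement client is off, which is the usual reason a “non-compliant” client still has full access. A port that is unreachable from a quarantined client is a remediation server group entry that is missing.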




  4. #4
    Real name: 1234 | Retired administrator | Joined: Jul 2009 | Location: 5678 | Posts: 5,634 | Thanked: 2513 | Thanks given: 272

    Source: http://www.windowsecurity.com/articles/Using-Group-Policy-Filtering-Part4.html

    PART-4

    In the first three articles in this series on how to configure a NAP DHCP Enforcement policy, we went over the basics of NAP and then created a DHCP Enforcement policy on the NPS server that hosts the NAP policies. In this, part 4 and the final article in the series, we’ll finish up the configuration by setting up the DHCP server to work with the NPS server and the NAP policies, and then configure Group Policy so that NAP policy and NAP components are automatically configured for any machine that belongs to the NAP computers security group in Active Directory. At the end, we’ll finish up by testing the solution to see if it actually works.
    Configure the DHCP Server

    Now that we have the NAP policies set up with the help of the NAP wizard, we can move our attention to configuration of the DHCP server. Remember, the DHCP server is the network access server in a DHCP NAP scenario, and so we need to configure the DHCP server to communicate with the NAP components in order to work.
    Open the DHCP console from the Administrative Tools menu. In the DHCP console, expand the server name, then expand the IPv4 node, and then expand the Scope node. Click on the Scope Options node. Right click on an empty area in the right pane as seen in the figure below, and click the Configure Options command.

    Figure 1

    In the Scope Options dialog box, click on the Advanced tab. In the Vendor class drop down box, make sure that it says DHCP Standard Options. In the User class drop down list box, make sure that you select the Default Network Access Protection Class entry. The DHCP options that we’re going to configure here will be handed to clients that identify themselves as non-compliant NAP clients.
    In the list of Available Options, find the 006 DNS Servers entry and put in the IP address of the DNS server in the IP address text box and then click Add.

    Figure 2

    Find the 015 DNS Domain Name option and enter in the String value text box a name that will be used by non-compliant NAP clients. This will allow you to easily identify non-compliant computers. Click OK.

    Figure 3

    You will now see entries for both the None and the Default Network Access Protection Class. The latter class options will be assigned to non-compliant computers when DHCP enforcement is used with NAP.

    Figure 4

    But before NAP can use these settings, we need to configure the scope to work with NAP. Click on the Scope node under the IPv4 node in the left pane of the console and then right click it. In the Scope Properties dialog box, click the Network Access Protection tab. Select the Enable for this scope option and then select the Use default Network Access Protection profile option.
    The Use custom profile option looks interesting, but there is no documentation on the Internet, including the www.microsoft.com Web site, that provides any information on how this option might be used. I’ll blog about this in the future if I figure out how to make this work.
    Click OK in the Scope Properties dialog box.

    Figure 5

    Configure NAP Settings in Group Policy

    While we can manually configure NAP on each machine that will participate in our NAP security framework, manual configuration is not very scalable. To solve this problem, Microsoft has included the necessary Group Policy extensions required to make NAP configurable from Group Policy.
    There are three things we need to do in Group Policy to centralize the configuration:

    • Enable the NAP Agent on the machines participating in NAP
    • Configure the NAP Enforcement Agent (in this case, it will be the DHCP NAP Enforcement Agent)
    • Configure the Group Policy Object to apply only to machines that belong to the security group containing the machines that will participate in NAP network access controls.

    Before performing the following steps, you need to create a Group Policy Object named NAP Client Settings. This can be done in the Group Policy Management Console. If you don’t know how to do this, check the Help in the Group Policy Management console, as it’s quite easy. Make sure that the Group Policy Object is in the domain that your computers are in.
    Enable the NAP Agent

    After you create the NAP Client Settings Group Policy Object, open that GPO in the Group Policy Management Editor. You can do that by right clicking on the GPO in the Group Policy Management Console and then clicking the Edit command.
    In the Group Policy Management Editor, expand the Computer Configuration node and then expand the Policies node. Expand the Windows Settings node and then click the System Services node.
    In the System Services node, you’ll see an entry in the right pane for Network Access Protection Agent. Double click on that entry. In the Network Access Protection Agent Properties dialog box, put a checkmark in the Define this policy setting checkbox and then select the Automatic option. Click OK.
    These steps enable the NAP agent on computers where this GPO is enforced. The NAP Agent has to be enabled in order for NAP processing to work correctly.

    Figure 6

    Enable the DHCP Enforcement Client

    The next step is to enable the DHCP Enforcement Client on the NAP enabled computers. In the Group Policy Management editor, expand the Computer Configuration, expand the Windows Settings node, and then expand the Network Access Protection node. Expand the NAP Client Configuration node and then click on the Enforcement Clients node.
    When on the Enforcement Clients node, the right pane of the console will show the various enforcement clients available for NAP. You can enable one or more enforcement methods; you are not limited to a single enforcement client. In this example we are using only DHCP enforcement, so right click on the DHCP Quarantine Enforcement Client entry and click Enable, as seen in the figure below.

    Figure 7

    Click on the NAP Client Configuration node in the left pane of the console as seen in the figure below. Right click on the NAP Client Configuration node and then click Apply. This applies the Enforcement Client settings into Group Policy.
    I have found that there are times when the Enforcement Client settings do not “take”. This has led to a confusing and time consuming troubleshooting exercise for me in the past. What you might want to do after you apply the Enforcement Client settings is to close the Group Policy Management Console and the Group Policy Management Editor and then open them again and check the Enforcement Client Settings. If you find that the Enforcement Client Settings are not enabled, then enable them again. Usually after the second attempt they will keep.

    Figure 8

    Use Group Policy Security Filtering to Apply the GPO to the NAP Enforced Computers Security Group

    Our final step in Group Policy is to apply the GPO settings in the NAP Client Settings GPO to the computers that belong to the NAP Enforced Computers security group that we created earlier. Open the Group Policy Management console and then expand the forest name and then expand the domains node. Then expand your domain name and click on the NAP Client Settings GPO.
    In the right pane of the console you’ll see a section named Security Filtering. You can use this feature to apply the Group Policy settings in this GPO to the security group we created for the NAP client computers.
    In the Security Filtering section, click on the Authenticated Users entry and click the Remove button.

    Figure 9

    You will see a Group Policy Management dialog box asking: Do you want to remove this delegation privilege? Click OK.

    Figure 10

    Now click the Add button. This will bring up the Select User, Computer or Group dialog box. Enter NAP Enforced Computers in the Enter the object name to select text box, and click Check Names to confirm that the group can be found. Then click OK.

    Figure 11

    You will now see in the Security Filtering section the security group that the NAP enabled computers will be placed in.

    Figure 12

    Enter the Vista Computer into the NAP Enforced Computers Security Group

    With the Group Policy settings in place, we are ready to put our Vista client computer into the NAP Enforced Computers security group. Open the Active Directory Users and Computers console and click the Users node in the left pane of the console.
    Double click on the NAP Enforced Computers entry. This brings up the NAP Enforced Computers Properties dialog box. Click the Members tab and then click the Add button.
    In the Select Users, Contacts, Computers or Groups dialog box, enter the name of the computer that will participate in NAP enforcement. In this example, we have a domain member computer named VISTA2 and we’ll enter that into the Enter the object names to select text box.

    Figure 13

    If the machine that you want to participate in the NAP enforcement group hasn’t yet joined the domain, you can instead create the computer account in the Active Directory by using the Add Computer option in the Active Directory Users and Computers console. You can then later join this machine to the domain. In the example network that we’re using in this article, the VISTA2 computer is already a domain member.
    At this point you might want to consider running the gpupdate /force command on the domain controller. Also, if your NAP enforced computers are already joined to the domain, you might want to restart those computers so that the new Group Policy settings are applied.
    The most problematic area in the NAP solution is Group Policy timing. In a production network you’ll have plenty of time to wait for Group Policy propagation, but in a lab environment we tend to get impatient and want things to work right away. If you find that the settings aren’t being applied to the client, then be patient. Restart the client a couple of times or run the gpupdate /force command on the client. If NAP still isn’t working, then recheck all of your settings in the NAP configuration and also in Group Policy. There are a lot of “moving parts” and it’s easy to miss a step.
    Now let’s see the NAP solution in action.
    Test the Solution

    Remember that when you’re using DHCP enforcement, the clients must be using DHCP to obtain IP addressing information. When you open a command prompt and run the ipconfig command, you will see IP addressing information for the DHCP client. In the figure below, you can see that this client is not NAP compliant, as it received the domain name restricted.msfirewall.org, which is a DHCP option we created for non-compliant NAP clients.

    Figure 14

    At the command prompt, run the Route Print command. Notice the routes to the DHCP server and the domain controller. Notice that there are no other routing interfaces to the on subnet network ID. This means that this NAP client will be able to reach the DHCP server and the domain controller, but no other machines on the network. This machine is locked down because the routing table entries prevent access to any other IP addresses except those we’ve configured in NAP (remember that the domain controller is in the remediation group, and the DHCP is automatically allowed since it is the network access server that controls the level of network access).

    Figure 15

    These findings are what you would see if the machine were not joined to the domain or if the NAP settings aren’t being applied to the client.
    Now let’s see what things look like when the NAP settings are applied.
    Run the ipconfig command again and you’ll see that you get the non-restricted domain name assigned to the client.

    Figure 16

    Run the Route Print command. Here you’ll see that we have a default gateway configured. In addition, we now have a routing interface to the on subnet network ID. The special routing interfaces to the DHCP server and the domain controller have been removed.

    Figure 17

    Let’s test the auto-remediation feature. Recall that we enabled auto-remediation in the Windows Security SHV. This allows the NAP Agent to try and fix security problems that might crop up on the NAP client. For example, if the firewall is disabled on the NAP client, the NAP Agent can turn the firewall back on.
    In the figure below, you can see that I’ve turned off the Windows Firewall on the Vista client. Try this on your own Vista client.

    Figure 18

    Wait a few seconds. Bam! You’ll see that the state of the Windows firewall automatically changes to being on again without any intervention on your part.

    Figure 19

    Note that you didn’t see anything in the system tray for this. If you want to see a system tray notification, then you’ll need to configure things so that the NAP Agent will not be able to auto-remediate. If you go back to the Windows SHV on the NPS server, you can change it so that an AV program is required. If there is no AV program on the client, then you’ll see a system tray notification balloon stating that the security configuration of the computer does not meet network requirements. If you click the balloon, you’ll see a dialog box like that in the figure below.

    Figure 20

    Summary

    In this, the last part of our four part series on using DHCP enforcement with NAP, we went over the DHCP server configuration and then set things up in Group Policy to automate policy deployment. We then finished up by testing the solution and confirming the NAP DHCP policy enforcement actually worked. And it did! In the future I’ll do more articles on NAP configuration using different enforcement methods. Then we’ll take a closer look at more sophisticated options, such as using multiple NAP and DHCP servers (or enforcement servers). See you then! –Tom
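    A scripted equivalent of the DHCP scope options, scope NAP enablement, security filtering and group membership steps from the post above, added here as an example (it is not code from the article or from Microsoft). It assumes the DhcpServer, GroupPolicy and ActiveDirectory PowerShell modules (Windows Server 2012 or later, or RSAT); the scope and DNS addresses are lab placeholders, the names are the ones the article uses, and the NAP Agent service and enforcement client steps remain console steps.

```powershell
# Added example, not from the article: scripted DHCP scope, security
# filtering and group membership steps. Requires the DhcpServer,
# GroupPolicy and ActiveDirectory modules (Server 2012+ / RSAT).
Import-Module DhcpServer, GroupPolicy, ActiveDirectory

$ScopeId   = '10.0.0.0'                    # placeholder: the scope NAP enforces
$DnsServer = '10.0.0.2'                    # placeholder: option 006 for restricted clients
$Suffix    = 'restricted.msfirewall.org'   # option 015 value the article chose
$NapClass  = 'Default Network Access Protection Class'
$GpoName   = 'NAP Client Settings'
$NapGroup  = 'NAP Enforced Computers'
$Client    = 'VISTA2'

# DHCP: options 006 and 015 bound to the NAP user class, so only clients
# the NPS marks non-compliant receive them (Figures 2 to 4).
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -UserClass $NapClass -OptionId 6  -Value $DnsServer
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -UserClass $NapClass -OptionId 15 -Value $Suffix

# DHCP: enable NAP for the scope; with no -NapProfile given, the default
# NAP profile is used (Figure 5).
Set-DhcpServerv4Scope -ScopeId $ScopeId -NapEnable $true

# Group Policy security filtering (Figures 9 to 12). The console steps remove
# Authenticated Users outright; this keeps Read for them and drops Apply,
# because since MS16-072 the computer account must be able to read a GPO
# for it to apply. Apply is then granted only to the NAP group.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $GpoName -TargetName $NapGroup -TargetType Group -PermissionLevel GpoApply

# Put the client's computer account into the filtered group (Figure 13).
Add-ADGroupMember -Identity $NapGroup -Members (Get-ADComputer -Identity $Client)

# Check the result: only the NAP group should hold Apply on the GPO.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object Trustee, Permission
```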

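    A client-side check for the things the post verifies by hand in Figures 6 to 8 and 14 to 17, added here as an example (not the article's own). It runs on the NAP client with only built-in tools; the string matches against netsh output are assumptions about its wording and may need adjusting for your OS language.

```powershell
# Added example, not from the article: run elevated on the NAP client to
# see whether the GPO applied, the agent runs, and the lease is restricted.
$RestrictedSuffix = 'restricted.msfirewall.org'   # option 015 value the article chose

function Test-NapDhcpClient {
    # 1. NAP Agent service: the GPO sets it to Automatic; it must be running.
    $svc = Get-Service -Name napagent -ErrorAction SilentlyContinue
    $agentRunning = ($svc -ne $null) -and ($svc.Status -eq 'Running')

    # 2. GPO-delivered NAP settings. Empty 'show grouppolicy' output means the
    #    NAP Client Settings GPO never reached this machine (Figures 7 and 8).
    $gp    = (netsh nap client show grouppolicy | Out-String)
    $state = (netsh nap client show state | Out-String)
    $dhcpEcSeen = $state -match 'DHCP Quarantine Enforcement Client'   # assumed wording

    # 3. Addressing: a restricted client receives the NAP-class option 015
    #    suffix and no default gateway (Figures 14 and 15).
    $nic = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
           Where-Object { $_.DHCPEnabled } | Select-Object -First 1
    $restricted = ($nic.DNSDomain -eq $RestrictedSuffix) -or (-not $nic.DefaultIPGateway)

    New-Object PSObject -Property @{
        NapAgentRunning       = $agentRunning
        GpoNapSettingsPresent = ($gp -match 'Enforcement')   # assumed wording
        DhcpEnforcementSeen   = $dhcpEcSeen
        DnsSuffix             = $nic.DNSDomain
        DefaultGateway        = ($nic.DefaultIPGateway -join ',')
        Restricted            = $restricted
    }
}

Test-NapDhcpClient | Format-List
```

    A Restricted value of True together with NapAgentRunning False or GpoNapSettingsPresent False points at the Group Policy timing problem the post describes rather than at a genuine health failure.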